diff options
| -rw-r--r-- | freeipa.spec.in | 3 | ||||
| -rw-r--r-- | install/conf/Makefile.am | 1 | ||||
| -rw-r--r-- | install/conf/ipa-pki-proxy.conf | 25 | ||||
| -rwxr-xr-x | install/tools/ipa-ca-install | 4 | ||||
| -rw-r--r-- | ipalib/constants.py | 10 | ||||
| -rw-r--r-- | ipapython/dogtag.py | 2 | ||||
| -rw-r--r-- | ipapython/nsslib.py | 15 | ||||
| -rw-r--r-- | ipaserver/install/cainstance.py | 13 | ||||
| -rw-r--r-- | ipaserver/install/certs.py | 4 | ||||
| -rw-r--r-- | ipaserver/install/httpinstance.py | 5 | ||||
| -rw-r--r-- | ipaserver/plugins/dogtag.py | 2 |
11 files changed, 74 insertions, 10 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in index 760100cf4..a691a408e 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -303,6 +303,7 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \ # So we can own our Apache configuration mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/ /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf +/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf install -m755 ipa.init %{buildroot}%{_initrddir}/ipa %endif @@ -451,8 +452,10 @@ fi %config(noreplace) %{_sysconfdir}/ipa/html/hbac-deny-remove.html %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf +%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf %{_usr}/share/ipa/ipa.conf %{_usr}/share/ipa/ipa-rewrite.conf +%{_usr}/share/ipa/ipa-pki-proxy.conf %dir %{_usr}/share/ipa/updates/ %{_usr}/share/ipa/updates/* %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so diff --git a/install/conf/Makefile.am b/install/conf/Makefile.am index e00ad618f..5ee3eddb5 100644 --- a/install/conf/Makefile.am +++ b/install/conf/Makefile.am @@ -3,6 +3,7 @@ NULL = appdir = $(IPA_DATA_DIR) app_DATA = \ ipa.conf \ + ipa-pki-proxy.conf \ ipa-rewrite.conf \ $(NULL) diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf new file mode 100644 index 000000000..275f32645 --- /dev/null +++ b/install/conf/ipa-pki-proxy.conf @@ -0,0 +1,25 @@ +ProxyRequests Off + +# matches for ee port +<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange"> + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient none + ProxyPassMatch ajp://localhost:9447/ + ProxyPassReverse ajp://localhost:9447/ +</LocationMatch> + +# matches for admin port +<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML"> + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient none + ProxyPassMatch ajp://localhost:9447/ + ProxyPassReverse ajp://localhost:9447/ +</LocationMatch> + +# matches for agent port and eeca port +<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient"> + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient require + ProxyPassMatch ajp://localhost:9447/ + ProxyPassReverse ajp://localhost:9447/ +</LocationMatch> diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 7bbba4b14..05a05dce9 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -36,6 +36,7 @@ from ipapython import version from ipalib import api, util from ipapython.config import IPAOptionParser from ipapython import sysrestore +from ipapython import ipautil CACERT="/etc/ipa/ca.crt" REPLICA_INFO_TOP_DIR=None @@ -144,6 +145,9 @@ def main(): cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name)) cs.add_cert_to_service() + # We need to restart apache as we drop a new config file in there + ipautil.service_restart('httpd', '', True) + try: if not os.geteuid()==0: sys.exit("\nYou must be root to run this script.\n") diff --git a/ipalib/constants.py b/ipalib/constants.py index 026e07354..51cf566e1 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -136,9 +136,13 @@ DEFAULT_CONFIG = ( # CA plugin: ('ca_host', FQDN), # Set in Env._finalize_core() - ('ca_port', 9180), - ('ca_agent_port', 9443), - ('ca_ee_port', 9444), + ('ca_port', 80), + ('ca_agent_port', 443), + ('ca_ee_port', 443), + ('ca_install_port', 9180), + ('ca_agent_install_port', 9443), + ('ca_ee_install_port', 9444), + # Special CLI: ('prompt_all', False), diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 969535e4b..02f981974 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -34,7 +34,7 @@ def get_ca_certchain(ca_host=None): if ca_host is None: ca_host = api.env.ca_host chain = None - conn = httplib.HTTPConnection(ca_host, api.env.ca_port) + conn = httplib.HTTPConnection(ca_host, api.env.ca_install_port) conn.request("GET", "/ca/ee/ca/getCertChain") res = conn.getresponse() doc = None diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py index e347d2179..c4d8cdcf6 100644 --- a/ipapython/nsslib.py +++ b/ipapython/nsslib.py @@ -208,12 +208,25 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback): self._create_socket() def _create_socket(self): + + #TODO remove the try block once python-nss is guaranteed to + #contain these values + try : + ssl_enable_renegotiation = SSL_ENABLE_RENEGOTIATION #pylint: disable=E0602 + ssl_require_safe_negotiation = SSL_REQUIRE_SAFE_NEGOTIATION #pylint: disable=E0602 + ssl_renegotiate_requires_xtn = SSL_RENEGOTIATE_REQUIRES_XTN #pylint: disable=E0602 + except : + ssl_enable_renegotiation = 20 + ssl_require_safe_negotiation = 21 + ssl_renegotiate_requires_xtn = 2 + # Create the socket here so we can do things like let the caller # override the NSS callbacks self.sock = ssl.SSLSocket(family=self.family) self.sock.set_ssl_option(ssl.SSL_SECURITY, True) self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) - + self.sock.set_ssl_option(ssl_require_safe_negotiation, False) + self.sock.set_ssl_option(ssl_enable_renegotiation, ssl_renegotiate_requires_xtn) # Provide a callback which notifies us when the SSL handshake is complete self.sock.set_handshake_callback(self.handshake_callback) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 5c6c49e4b..d86b3928c 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -56,6 +56,7 @@ from ipaserver.install import certs from ipaserver.install.installutils import ReplicaConfig from ipalib import util +HTTPD_CONFD = "/etc/httpd/conf.d/" DEFAULT_DSPORT=7389 PKI_USER = "pkiuser" @@ -70,6 +71,7 @@ EE_CLIENT_AUTH_PORT=9446 UNSECURE_PORT=9180 TOMCAT_SERVER_PORT=9701 + # We need to reset the template because the CA uses the regular boot # information INF_TEMPLATE = """ @@ -537,6 +539,7 @@ class CAInstance(service.Service): self.step("requesting RA certificate from CA", self.__request_ra_certificate) self.step("issuing RA agent certificate", self.__issue_ra_cert) self.step("adding RA agent as a trusted user", self.__configure_ra) + self.step("Configure HTTP to proxy connections", self.__http_proxy) self.start_creation("Configuring certificate server", 210) @@ -557,6 +560,7 @@ class CAInstance(service.Service): '-tomcat_server_port', str(TOMCAT_SERVER_PORT), '-redirect', 'conf=/etc/pki-ca', '-redirect', 'logs=/var/log/pki-ca', + '-enable_proxy' ] ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}) @@ -658,7 +662,7 @@ class CAInstance(service.Service): args.append("-sd_hostname") args.append(self.master_host) args.append("-sd_admin_port") - args.append(str(ADMIN_SECURE_PORT)) + args.append("443") args.append("-sd_admin_name") args.append("admin") args.append("-sd_admin_password") @@ -666,7 +670,7 @@ class CAInstance(service.Service): args.append("-clone_start_tls") args.append("true") args.append("-clone_uri") - args.append("https://%s:%d" % (self.master_host, EE_SECURE_PORT)) + args.append("https://%s:%d" % (self.master_host, 443)) else: args.append("-clone") args.append("false") @@ -1077,6 +1081,11 @@ class CAInstance(service.Service): fd.close() os.chmod(location, 0444) + def __http_proxy(self): + shutil.copy(ipautil.SHARE_DIR + "ipa-pki-proxy.conf", + HTTPD_CONFD + "ipa-pki-proxy.conf") + + def install_replica_ca(config, postinstall=False): """ Install a CA on a replica. diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index f14efe33f..d3df1681b 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -633,7 +633,7 @@ class CertDB(object): password = f.readline() f.close() http_status, http_reason_phrase, http_headers, http_body = \ - dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params) + dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params) if http_status != 200: raise CertificateOperationError(error='Unable to communicate with CMS (%s)' % \ @@ -715,7 +715,7 @@ class CertDB(object): password = f.readline() f.close() http_status, http_reason_phrase, http_headers, http_body = \ - dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params) + dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params) if http_status != 200: raise RuntimeError("Unable to submit cert request") diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index fe5f7aa95..04d1ed402 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -75,6 +75,7 @@ class HTTPInstance(service.Service): self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl) self.step("setting mod_nss port to 443", self.__set_mod_nss_port) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) + self.step("enabling mod_nss renegotiate", self.__enable_mod_nss_renegotiate) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up ssl", self.__setup_ssl) @@ -160,6 +161,10 @@ class HTTPInstance(service.Service): def __set_mod_nss_nickname(self, nickname): installutils.set_directive(NSS_CONF, 'NSSNickname', nickname) + def __enable_mod_nss_renegotiate(self): + installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on',False) + installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on',False) + def __set_mod_nss_passwordfile(self): installutils.set_directive(NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf') diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index d1234a0d2..23d06abc1 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1514,7 +1514,7 @@ class ra(rabase.rabase): # Call CMS http_status, http_reason_phrase, http_headers, http_body = \ - self._sslget('/ca/ee/ca/profileSubmitSSLClient', + self._sslget('/ca/eeca/ca/profileSubmitSSLClient', self.env.ca_ee_port, profileId='caIPAserviceCert', cert_request_type=request_type, |