From ab196220fdd886fc2b1998eeee0f8e9a4b384845 Mon Sep 17 00:00:00 2001 From: Ludwig Krispenz Date: Fri, 12 Sep 2014 12:43:31 +0200 Subject: Update SSL ciphers configured in 389-ds-base use configuration parameters to enable ciphers provided by NSS and not considered weak. This requires 389-ds version 1.3.3.2 or later https://fedorahosted.org/freeipa/ticket/4395 Reviewed-By: Nathaniel McCallum --- freeipa.spec.in | 6 +++--- install/updates/20-sslciphers.update | 6 ++++++ install/updates/Makefile.am | 1 + ipaserver/install/dsinstance.py | 7 ++----- 4 files changed, 12 insertions(+), 8 deletions(-) create mode 100644 install/updates/20-sslciphers.update diff --git a/freeipa.spec.in b/freeipa.spec.in index b672ecb03..685b345fe 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -18,7 +18,7 @@ Source0: freeipa-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %if ! %{ONLY_CLIENT} -BuildRequires: 389-ds-base-devel >= 1.3.2.16 +BuildRequires: 389-ds-base-devel >= 1.3.3.2 BuildRequires: svrcore-devel BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER} BuildRequires: systemd-units @@ -87,7 +87,7 @@ Group: System Environment/Base Requires: %{name}-python = %{version}-%{release} Requires: %{name}-client = %{version}-%{release} Requires: %{name}-admintools = %{version}-%{release} -Requires: 389-ds-base >= 1.3.2.20 +Requires: 389-ds-base >= 1.3.3.2 Requires: openldap-clients > 2.4.35-4 Requires: nss >= 3.14.3-12.0 Requires: nss-tools >= 3.14.3-12.0 @@ -124,7 +124,7 @@ Requires: zip Requires: policycoreutils >= %{POLICYCOREUTILSVER} Requires: tar Requires(pre): certmonger >= 0.75.13 -Requires(pre): 389-ds-base >= 1.3.2.20 +Requires(pre): 389-ds-base >= 1.3.3.2 Requires: fontawesome-fonts Requires: open-sans-fonts diff --git a/install/updates/20-sslciphers.update b/install/updates/20-sslciphers.update new file mode 100644 index 000000000..b0c952f49 --- /dev/null +++ b/install/updates/20-sslciphers.update @@ -0,0 +1,6 @@ +# change configured ciphers +# the result of this update will be that all ciphers +# provided by NSS which ar not weak will be enabled +dn: cn=encryption,cn=config +only:nsSSL3Ciphers: +all +addifnew:allowWeakCipher: off diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 1d912a7d2..026cde049 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -14,6 +14,7 @@ app_DATA = \ 20-indices.update \ 20-nss_ldap.update \ 20-replication.update \ + 20-sslciphers.update \ 20-syncrepl.update \ 20-user_private_groups.update \ 20-winsync_index.update \ diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index cc1d32709..0518dd0e0 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -664,11 +664,8 @@ class DsInstance(service.Service): conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password) mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"), - (ldap.MOD_REPLACE, "nsSSL3Ciphers", - "-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,\ -+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,\ -+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,\ -+tls_rsa_export1024_with_des_cbc_sha")] + (ldap.MOD_REPLACE, "nsSSL3Ciphers", "+all"), + (ldap.MOD_REPLACE, "allowWeakCipher", "off")] conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod) mod = [(ldap.MOD_ADD, "nsslapd-security", "on")] -- cgit