From b7cda86697cfb8ffc25ab5d3c051f181e145648d Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 27 Jan 2010 15:31:51 -0500
Subject: Update dogtag configuration to work after CVE-2009-3555 changes

NSS is going to disallow all SSL renegotiation by default. Because of this we need to always use the agent port of the dogtag server which always requires SSL client authentication. The end user port will prompt for a certificate if required but will attempt to re-do the handshake to make this happen which will fail with newer versions of NSS.
---
 ipaserver/install/certs.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'ipaserver/install/certs.py')

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 6e7eb82d..4fb794c8 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -570,11 +570,11 @@ class CertDB(object):
 f = open(self.passwd_fname, "r")
 password = f.readline()
 f.close()
- conn = nsslib.NSSConnection(self.host_name, 9444, dbdir=self.secdir)
+ conn = nsslib.NSSConnection(self.host_name, api.env.ca_agent_port, dbdir=self.secdir)
 conn.sslsock.set_client_auth_data_callback(client_auth_data_callback, "ipaCert", password, nss.get_default_certdb())
 conn.set_debuglevel(0)
- conn.request("POST", "/ca/ee/ca/profileSubmit", params, headers)
+ conn.request("POST", "/ca/agent/ca/profileSubmitSSLClient", params, headers)
 res = conn.getresponse()
 data = res.read()
 conn.close()
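Review bot: The new `NSSConnection(self.host_name, api.env.ca_agent_port, ...)` line and the `/ca/agent/ca/profileSubmitSSLClient` URL carry a precondition the hunk does not record: the agent endpoint is presumably only usable by a certificate the CA recognises as an agent, so a wrong or non-agent `ipaCert` handed over by `set_client_auth_data_callback` now fails inside the TLS handshake instead of with an HTTP error the caller can inspect. A comment on the new connection line would keep the reason from being lost and discourage a later revert to the end-entity port: `# Always use the agent port: it demands client auth in the initial handshake, so no renegotiation (refused by NSS since CVE-2009-3555) is needed.` The hunk does not show where `api` is imported in certs.py; if it is not already in scope the new line will raise NameError on first use, so confirm the import. The enclosing method begins and ends outside the hunk, so whether the handshake failure is caught and reported there is not visible.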
@@ -664,11 +664,11 @@ class CertDB(object):
 f = open(self.passwd_fname, "r")
 password = f.readline()
 f.close()
- conn = nsslib.NSSConnection(self.host_name, 9444, dbdir=self.secdir)
+ conn = nsslib.NSSConnection(self.host_name, api.env.ca_agent_port, dbdir=self.secdir)
 conn.sslsock.set_client_auth_data_callback(client_auth_data_callback, "ipaCert", password, nss.get_default_certdb())
 conn.set_debuglevel(0)
- conn.request("POST", "/ca/ee/ca/profileSubmit", params, headers)
+ conn.request("POST", "/ca/agent/ca/profileSubmitSSLClient", params, headers)
 res = conn.getresponse()
 data = res.read()
 conn.close()
-- cgit
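Review bot: This hunk is a line-for-line copy of the one at 570: the same password read from `self.passwd_fname`, the same `NSSConnection` on `api.env.ca_agent_port`, the same hard-coded `"ipaCert"` nickname and the same agent URL, so the port, nickname and endpoint now live in two places and any future change has to be made twice — the duplicated `9444` constant being replaced here is exactly that kind of drift. Pulling the connection setup and submit into one private helper on CertDB and calling it from both sites, `data = self._agent_post("/ca/agent/ca/profileSubmitSSLClient", params, headers)`, would make the agent-port decision a single point of change. Both enclosing methods start and end outside the hunk, so whether they treat the returned `data` identically is not visible here and would need checking before the helper absorbs anything past `conn.close()`.
```python
    def _agent_post(self, path, params, headers):
        """POST params to the CA's agent port with the ipaCert client cert.

        The agent port requires client auth in the initial handshake, so no
        TLS renegotiation (refused by NSS since CVE-2009-3555) is needed.
        Returns the raw response body.
        """
        f = open(self.passwd_fname, "r")
        password = f.readline()
        f.close()
        conn = nsslib.NSSConnection(self.host_name, api.env.ca_agent_port, dbdir=self.secdir)
        conn.sslsock.set_client_auth_data_callback(client_auth_data_callback, "ipaCert", password, nss.get_default_certdb())
        conn.set_debuglevel(0)
        conn.request("POST", path, params, headers)
        res = conn.getresponse()
        data = res.read()
        conn.close()
        return data
```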