authorSumit Bose <sbose@redhat.com>2015-11-05 18:20:27 +0100
committerJakub Hrozek <jhrozek@redhat.com>2015-11-26 16:39:49 +0100
commit544a20de7667f05c1a406c4dea0706b0ab507430 (patch)
treedca48b12957626f2ebae2fb2b0f9a96ef617713e /src/config
parentd0de7701d44c7a75210a9cb04634913ce3a94bfb (diff)
p11: enable ocsp checks
This patch enables the Online Certificate Status Protocol (OCSP) in NSS and adds an option to disable it if needed. To make further tuning of certificate verification easier, it is not a separate option of its own but an option to the new certificate_verification configuration option. Resolves https://fedorahosted.org/sssd/ticket/2812 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/config')
-rw-r--r--src/config/SSSDConfig/__init__.py.in1
-rwxr-xr-xsrc/config/SSSDConfigTest.py3
-rw-r--r--src/config/etc/sssd.api.conf1
3 files changed, 4 insertions, 1 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 60129e6e7..fe2971d99 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -61,6 +61,7 @@ option_strings = {
'krb5_rcache_dir' : _('Directory on the filesystem where SSSD should store Kerberos replay cache files.'),
'default_domain_suffix' : _('Domain to add to names without a domain component.'),
'user' : _('The user to drop privileges to'),
+ 'certificate_verification' : _('Tune certificate verification'),
# [nss]
'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'),
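Review bot: The help string added for `certificate_verification` says only 'Tune certificate verification', which does not tell an administrator that the option can switch off OCSP revocation checking, the effect the commit message describes. Since relaxing it weakens smart-card certificate validation, the text shown by configuration tools should say so, for example `'certificate_verification' : _('Tune certificate verification (can disable OCSP revocation checks)'),`. The `option_strings` dict starts and ends outside this hunk.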
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index abd4a3925..681d8be96 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -308,7 +308,8 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
'fd_limit',
'client_idle_timeout',
'diag_cmd',
- 'description']
+ 'description',
+ 'certificate_verification']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 0c03625bd..89cf8634f 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -26,6 +26,7 @@ full_name_format = str, None, false
krb5_rcache_dir = str, None, false
user = str, None, false
default_domain_suffix = str, None, false
+certificate_verification = str, None, false
[nss]
# Name service
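Review bot: `certificate_verification = str, None, false` declares the new option as a free-form string, so nothing at this schema layer rejects a misspelled or unknown value. The code that parses the value is not in this diff (it is limited to src/config), so it is worth confirming that an unrecognised value is logged and refused rather than silently ignored, since a typo could leave revocation checking in a state the administrator did not intend. A comment above the line would flag this for maintainers, e.g. `# security-relevant: can disable OCSP revocation checks; value is not validated by this schema`.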