author | Jan Cholasta <jcholast@redhat.com> | 2014-11-25 08:12:53 +0000 |
committer | Martin Kosek <mkosek@redhat.com> | 2014-11-25 12:44:13 +0100 |
commit | dc443cc4503822cb35c3693e5e525425573140f2 (patch) | |
tree | c75aa3035524e4e16c10e93943b411c3b5e9ab5c | |
parent | 538e023107ed307142ca7302ff34106c53afa932 (diff) | |
Add TLS 1.2 to the protocol list in mod_nss config
https://fedorahosted.org/freeipa/ticket/4653
Reviewed-By: Martin Kosek <mkosek@redhat.com>
-rw-r--r-- | install/tools/ipa-upgradeconfig | 13 | ||||
-rw-r--r-- | ipaserver/install/httpinstance.py | 7 |
2 files changed, 17 insertions, 3 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index ffb51a977..815fe0465 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1287,6 +1287,18 @@ def fix_trust_flags():
 sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)
+def update_mod_nss_protocol(http):
+ root_logger.info('[Updating mod_nss protocol versions]')
+ if sysupgrade.get_upgrade_state('nss.conf', 'protocol_updated_tls12'):
+ root_logger.info("Protocol versions already updated")
+ return
+ http.set_mod_nss_protocol()
+ sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True)
 def main():
 """
 Get some basics about the system. If getting those basics fail then
@@ -1388,6 +1400,7 @@ def main():
 http.change_mod_nss_port_from_http()
 http.stop()
+ update_mod_nss_protocol(http)
 fix_trust_flags()
 http.start()
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 14efa5b93..f9e020039 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -115,7 +115,8 @@ class HTTPInstance(service.Service):
 self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
- self.step("setting mod_nss protocol list to TLSv1.0 and TLSv1.1", self.__set_mod_nss_protocol)
+ self.step("setting mod_nss protocol list to TLSv1.0 - TLSv1.2",
+ self.set_mod_nss_protocol)
 self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
 self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
 self.step("adding URL rewriting rules", self.__add_include)
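Review bot: `update_mod_nss_protocol` in the first ipa-upgradeconfig hunk overwrites NSSProtocol with a fixed list through `http.set_mod_nss_protocol()` regardless of what is currently configured, so a host whose administrator had already removed TLSv1.0 from nss.conf gets it re-enabled by the upgrade. Reading the current directive first and only appending TLSv1.2 to it (installutils appears to have a get_directive counterpart to set_directive — confirm) would preserve a stricter local setting; at minimum the info log line should state the value being written so the change is visible in upgrade logs. The new function also has no docstring; `"""Add TLSv1.2 to the mod_nss NSSProtocol list once, tracked by the 'nss.conf'/'protocol_updated_tls12' upgrade state."""` would do. The `main()` hunk further down only inserts the call between `http.stop()` and `fix_trust_flags()`, and `main` continues outside the hunk.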
@@ -205,8 +206,8 @@ class HTTPInstance(service.Service):
 def __set_mod_nss_nickname(self, nickname):
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSNickname', nickname)
- def __set_mod_nss_protocol(self):
- installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSProtocol', 'TLSv1.0,TLSv1.1', False)
+ def set_mod_nss_protocol(self):
+ installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSProtocol', 'TLSv1.0,TLSv1.1,TLSv1.2', False)
 def enable_mod_nss_renegotiate(self):
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
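Review bot: `set_mod_nss_protocol` becomes part of the public HTTPInstance interface here (it is now called from ipa-upgradeconfig) but carries no docstring, and it unconditionally replaces the existing NSSProtocol value rather than extending it. A docstring such as `"""Set the mod_nss NSSProtocol directive to TLSv1.0,TLSv1.1,TLSv1.2, replacing any value already present."""` makes the clobbering explicit for callers, including the upgrade path. The protocol list is also spelled out here and again, in prose form, in the step label of the earlier hunk; a module-level constant (e.g. `NSS_PROTOCOLS = 'TLSv1.0,TLSv1.1,TLSv1.2'`, constructed name) used by both would keep them from drifting. The enclosing HTTPInstance class starts and ends outside this hunk.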