freeipa.git/ipaplatform/debian, branch fix_ber_scanf FreeIPA patches Use only TLS 1.2 by default 2019-07-01T12:55:29+00:00 Christian Heimes cheimes@redhat.com 2019-07-01T08:41:23+00:00 b57c818fab3bb9627a8c287766cdb5bd8071c837 TLS 1.3 is causing some trouble with client cert authentication. Conditional client cert authentication requires post-handshake authentication extension on TLS 1.3. The new feature is not fully implemented yet. TLS 1.0 and 1.1 are no longer state of the art and now disabled by default. TLS 1.2 works everywhere and supports PFS. Related: https://pagure.io/freeipa/issue/7667 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
TLS 1.3 is causing some trouble with client cert authentication.
Conditional client cert authentication requires post-handshake
authentication extension on TLS 1.3. The new feature is not fully
implemented yet.

TLS 1.0 and 1.1 are no longer state of the art and now disabled by
default.

TLS 1.2 works everywhere and supports PFS.

Related: https://pagure.io/freeipa/issue/7667

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
For Fedora and RHEL use system-wide crypto policy for mod_ssl 2019-07-01T12:55:29+00:00 Rob Crittenden rcritten@redhat.com 2019-05-23T14:45:26+00:00 c484d79ecfa1cc284b47b88377a4c2da23b9db2f Drop the SSLProtocol directive for Fedora and RHEL systems. mod_ssl will use crypto policies for the set of protocols. For Debian systems configure a similar set of protocols for what was previously configured, but do it in a different way. Rather than iterating the allowed protocols just include the ones not allowed. Fixes: https://pagure.io/freeipa/issue/7667 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Drop the SSLProtocol directive for Fedora and RHEL systems. mod_ssl
will use crypto policies for the set of protocols.

For Debian systems configure a similar set of protocols for what
was previously configured, but do it in a different way. Rather than
iterating the allowed protocols just include the ones not allowed.

Fixes: https://pagure.io/freeipa/issue/7667

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add helper to look for missing binaries 2019-04-26T10:47:51+00:00 Christian Heimes cheimes@redhat.com 2019-04-26T07:25:37+00:00 5d4a8017f4871e33873734240cb2357b057e1b94 Fedora has merged /usr/bin and /bin while Debian uses distinct directories for /usr/bin and /bin. Debian also uses different directory for libexec files. A new paths.check_paths() helper makes it easier to detect missing or wrong paths. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Fedora has merged /usr/bin and /bin while Debian uses distinct
directories for /usr/bin and /bin. Debian also uses different directory
for libexec files.

A new paths.check_paths() helper makes it easier to detect missing or
wrong paths.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Globally disable softhsm2 in p11-kit-proxy 2019-04-25T10:53:08+00:00 Christian Heimes cheimes@redhat.com 2019-04-24T11:13:45+00:00 74e09087ed0ebf75936d5045eaaad69d71c678d6 The p11-kit configuration injects p11-kit-proxy into all NSS databases. Amongst other p11-kit loads SoftHSM2 PKCS#11 provider. This interferes with 389-DS, certmonger, Dogtag and other services. For example certmonger tries to open OpenDNSSEC's SoftHSM2 token, although it doesn't use it at all. It also breaks Dogtag HSM support testing with SoftHSM2. IPA server does neither need nor use SoftHSM2 proxied by p11-kit. Related: https://pagure.io/freeipa/issue/7810 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
The p11-kit configuration injects p11-kit-proxy into all NSS databases.
Amongst other p11-kit loads SoftHSM2 PKCS#11 provider. This interferes
with 389-DS, certmonger, Dogtag and other services. For example certmonger
tries to open OpenDNSSEC's SoftHSM2 token, although it doesn't use it at
all. It also breaks Dogtag HSM support testing with SoftHSM2.

IPA server does neither need nor use SoftHSM2 proxied by p11-kit.

Related: https://pagure.io/freeipa/issue/7810
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Debian: Use RedHatCAService for pki-tomcatd 2019-04-24T12:08:20+00:00 Christian Heimes cheimes@redhat.com 2019-04-23T09:14:45+00:00 0fa692a5265f4764e3e43fda65eced50e7f42448 The RedHatCAService service class contains extra logic to wait for CA service to be up and running. Debian now correctly waits for Dogtag before proceeding with the installation process. Fixes: https://pagure.io/freeipa/issue/7916 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
The RedHatCAService service class contains extra logic to wait for CA
service to be up and running. Debian now correctly waits for Dogtag before
proceeding with the installation process.

Fixes: https://pagure.io/freeipa/issue/7916
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Debian: Fix replicatio of light weight sub CAs 2019-04-24T12:08:20+00:00 Christian Heimes cheimes@redhat.com 2019-04-23T07:19:33+00:00 d703f3dbcb992b0f29c5c71c35ec112eadccf2ed The path to ipa-pki-retrieve-key was hard-coded, which broke replication of light weight sub CA keys. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
The path to ipa-pki-retrieve-key was hard-coded, which broke replication
of light weight sub CA keys.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add ODS manager abstraction to ipaplatform 2019-04-24T12:08:20+00:00 Christian Heimes cheimes@redhat.com 2019-04-18T06:02:38+00:00 edaea8865f42f8b6e786f6648ac4cb5c4ddd4f35 OpenDNSSEC 1.4 and 2.x use different commands to initialize kasp.db and manage zones. ipaplatform.tasks abstracts the commands. Note: I added the logic to the base task instead of having different implementations for Red Hat and Debian platforms. Eventually Fedora is going to move to OpenDNSSEC 2.x, too. The design will make it easier to support OpenDNSSEC 2.x on Fedora. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
OpenDNSSEC 1.4 and 2.x use different commands to initialize kasp.db and
manage zones. ipaplatform.tasks abstracts the commands.

Note: I added the logic to the base task instead of having different
implementations for Red Hat and Debian platforms. Eventually Fedora is
going to move to OpenDNSSEC 2.x, too. The design will make it easier to
support OpenDNSSEC 2.x on Fedora.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Debian: Use different paths for KDC cert and key 2019-04-24T12:08:20+00:00 Christian Heimes cheimes@redhat.com 2019-04-17T12:15:49+00:00 8592603ea36375cc0670df1e0b1efb486bafcc82 Co-authored-by: Timo Aaltonen <tjaalton@debian.org> Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Co-authored-by: Timo Aaltonen <tjaalton@debian.org>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Debian: Add fixes for OpenDNSSEC 2.0 2019-04-24T12:08:20+00:00 Christian Heimes cheimes@redhat.com 2019-04-17T12:14:26+00:00 750e658dba1244ad6a386ab70fe309fd910ab419 Debian/Ubuntu use OpenDNSSEC 2.0, which has different commands to manage zones and keys. Co-authored-by: Timo Aaltonen <tjaalton@debian.org> Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Debian/Ubuntu use OpenDNSSEC 2.0, which has different commands to manage
zones and keys.

Co-authored-by: Timo Aaltonen <tjaalton@debian.org>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Debian: Add paths for open-sans and font-awesome 2019-04-24T12:08:20+00:00 Christian Heimes cheimes@redhat.com 2019-04-17T11:52:53+00:00 da2cf1c513ea42dbb38952273421fefdd92d4d0b Debian has different paths and path suffix for font-awesome. Let's have explicit paths for all our fonts. Co-authored-by: Timo Aaltonen <tjaalton@debian.org> Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Debian has different paths and path suffix for font-awesome. Let's have
explicit paths for all our fonts.

Co-authored-by: Timo Aaltonen <tjaalton@debian.org>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>