author | Stanislav Laznicka <slaznick@redhat.com> | 2017-01-13 12:31:29 +0100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2017-02-17 10:04:00 +0100 |
commit | ac6f573a3014aa09811ca1559d470afe75eadbec (patch) | |
tree | 101a27db733d3df671a6b6ae7db9de658f7ea3f0 /ipalib | |
parent | d0642bfa55e9c24429675f623bc0e35824bc9fb0 (diff) | |
Explicitly remove support of SSLv2/3
It was possible to set tls_version_min/max to 'ssl2' or 'ssl3',
even though newer versions of NSS will fail to set this as a valid
TLS version. This patch explicitly checks for deprecated TLS versions
prior to creating a TLS connection.
Also, tls_version_min/max can no longer be set to an arbitrary
string.
https://fedorahosted.org/freeipa/ticket/6607
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/config.py | 27 | ||||
-rw-r--r-- | ipalib/constants.py | 10 |
2 files changed, 35 insertions, 2 deletions
diff --git a/ipalib/config.py b/ipalib/config.py
index 20591dbf0..1a5987920 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -41,8 +41,11 @@ from six.moves.configparser import RawConfigParser, ParsingError
 from ipapython.dn import DN
 from ipalib.base import check_name
-from ipalib.constants import CONFIG_SECTION
-from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
+from ipalib.constants import (
+ CONFIG_SECTION,
+ OVERRIDE_ERROR, SET_ERROR, DEL_ERROR,
+ TLS_VERSIONS
+)
 from ipalib import errors
 if six.PY3:
@@ -578,6 +581,26 @@ class Env(object):
 self._merge(**defaults)
+ # set the best known TLS version if min/max versions are not set
+ if 'tls_version_min' not in self:
+ self.tls_version_min = TLS_VERSIONS[-1]
+ elif self.tls_version_min not in TLS_VERSIONS:
+ raise errors.EnvironmentError(
+ "Unknown TLS version '{ver}' set in tls_version_min."
+ .format(ver=self.tls_version_min))
+
+ if 'tls_version_max' not in self:
+ self.tls_version_max = TLS_VERSIONS[-1]
+ elif self.tls_version_max not in TLS_VERSIONS:
+ raise errors.EnvironmentError(
+ "Unknown TLS version '{ver}' set in tls_version_max."
+ .format(ver=self.tls_version_max))
+
+ if self.tls_version_max < self.tls_version_min:
+ raise errors.EnvironmentError(
+ "tls_version_min is set to a higher TLS version than "
+ "tls_version_max.")
+
 def _finalize(self, **lastchance):
 """
 Finalize and lock environment.
diff --git a/ipalib/constants.py b/ipalib/constants.py
index fa2062458..e64324f2d 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -283,3 +283,13 @@ ANON_USER = 'WELLKNOWN/ANONYMOUS'
 # IPA API Framework user
 IPAAPI_USER = 'ipaapi'
 IPAAPI_GROUP = 'ipaapi'
+
+# TLS related constants
+TLS_VERSIONS = [
+ "ssl2",
+ "ssl3",
+ "tls1.0",
+ "tls1.1",
+ "tls1.2"
+]
+TLS_VERSION_MINIMAL = "tls1.0" |
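Review bot: The range check `if self.tls_version_max < self.tls_version_min:` in the Env hunk of ipalib/config.py compares the version labels as plain strings, so it orders correctly only because the current names happen to sort lexicographically; since TLS_VERSIONS is now the authority for which values are valid, it should also be the authority for their order, e.g. `if TLS_VERSIONS.index(self.tls_version_max) < TLS_VERSIONS.index(self.tls_version_min):`. The new validation also still accepts "ssl2" and "ssl3" because both remain in TLS_VERSIONS, so a configured tls_version_min of "ssl2" passes here and the rejection the commit title describes must live in connection code outside this diffstat-limited view (presumably keyed on TLS_VERSION_MINIMAL, which the constants hunk adds but config.py never imports or uses). Rejecting anything below TLS_VERSION_MINIMAL at this point as well, `if TLS_VERSIONS.index(self.tls_version_min) < TLS_VERSIONS.index(TLS_VERSION_MINIMAL): raise errors.EnvironmentError(...)` with the constant added to the import, would surface the misconfiguration at environment load rather than at the first TLS connection. The enclosing method starts and ends outside the hunk.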
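Review bot: The order of the new TLS_VERSIONS list in ipalib/constants.py is load-bearing — the config.py hunk on this page uses `TLS_VERSIONS[-1]` as the default for both tls_version_min and tls_version_max — but the `# TLS related constants` comment does not say so, so a later contributor could insert a new version anywhere in the list. Suggest a comment above the list such as `# Ordered from oldest to newest; the last entry is the default for tls_version_min/max`, plus a one-line comment on TLS_VERSION_MINIMAL stating what it bounds (its consumer is not within this diffstat-limited view, so word it as the intended role). It would also help to note beside "ssl2" and "ssl3" that they are kept only so the names are recognised, not as supported protocols, so the list is not read as an allow-list by someone skimming constants.py.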