author | Rob Crittenden <rcritten@redhat.com> | 2010-01-27 15:31:51 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-01-27 17:01:26 -0500 |
commit | b7cda86697cfb8ffc25ab5d3c051f181e145648d (patch) | |
tree | eef50ba7005fab34ed00471ec6004b09d7beae75 /ipaserver/plugins | |
parent | c092f3780df4417e5cf3512a1afedd109183628d (diff) | |
Update dogtag configuration to work after CVE-2009-3555 changes
NSS is going to disallow all SSL renegotiation by default. Because of
this we need to always use the agent port of the dogtag server which
always requires SSL client authentication. The end user port will
prompt for a certificate if required, but it does so by attempting to
re-do the handshake, which will fail with newer versions of NSS.
Diffstat (limited to 'ipaserver/plugins')
-rw-r--r-- | ipaserver/plugins/dogtag.py | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 9b799d45d..b64636300 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1509,8 +1509,8 @@ class ra(rabase.rabase):
 # Call CMS
 http_status, http_reason_phrase, http_headers, http_body = \
- self._sslget('/ca/ee/ca/profileSubmit',
- self.env.ca_ee_port,
+ self._sslget('/ca/agent/ca/profileSubmitSSLClient',
+ self.env.ca_agent_port,
 profileId='caIPAserviceCert',
 cert_request_type=request_type,
 cert_request=csr, |
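Review bot: The call to `self._sslget('/ca/agent/ca/profileSubmitSSLClient', self.env.ca_agent_port, ...)` has no comment saying why the agent interface is used instead of the end-entity one, so a later cleanup could move it back to `ca_ee_port` and reintroduce the renegotiation failure. I would add above the call `# Use the agent port: it demands SSL client auth up front, so no renegotiation is needed (NSS disables it after CVE-2009-3555).` Every submission now presumably authenticates to the CA with the RA agent certificate, so the CA can no longer tell requesters apart. It is worth confirming that IPA's own authorization checks on who may request a certificate run before this point, which the hunk does not show. The enclosing method starts and ends outside the hunk.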