From f037bfa48356a5fb28eebdb76f9dbd5cb461c2d2 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 1 Mar 2017 17:54:05 +0100 Subject: httpinstance: disable system trust module in /etc/httpd/alias Currently the NSS database in /etc/httpd/alias is installed with the system trust module enabled. This is problematic for a number of reasons: * IPA has its own trust store, which is effectively bypassed when the system trust module is enabled in the database. This may cause IPA unrelated CAs to be trusted by httpd, or even IPA related CAs not to be trusted by httpd. * On client install, the IPA trust configuration is copied to the system trust store for third parties. When this configuration is removed, it may cause loss of trust information in /etc/httpd/alias (https://bugzilla.redhat.com/show_bug.cgi?id=1427897). * When a CA certificate provided by the user in CA-less install conflicts with a CA certificate in the system trust store, the latter may be used by httpd, leading to broken https (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html). Disable the system trust module on install and upgrade to prevent the system trust store to be used in /etc/httpd/alias and fix all of the above issues. https://pagure.io/freeipa/issue/6132 Reviewed-By: Stanislav Laznicka Reviewed-By: Christian Heimes --- ipaplatform/base/paths.py | 1 + ipaserver/install/httpinstance.py | 14 ++++++++++++++ ipaserver/install/server/upgrade.py | 16 ++++++++++++++++ 3 files changed, 31 insertions(+) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 4fde6c66e..9cf160fac 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -165,6 +165,7 @@ class BasePathNamespace(object): BIN_KVNO = "/usr/bin/kvno" LDAPMODIFY = "/usr/bin/ldapmodify" LDAPPASSWD = "/usr/bin/ldappasswd" + MODUTIL = "/usr/bin/modutil" NET = "/usr/bin/net" BIN_NISDOMAINNAME = "/usr/bin/nisdomainname" NSUPDATE = "/usr/bin/nsupdate" diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index b53333a84..ca3bcc87e 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -351,11 +351,25 @@ class HTTPInstance(service.Service): os.chown(pwd_conf, pent.pw_uid, pent.pw_gid) os.chmod(pwd_conf, 0o400) + def disable_system_trust(self): + name = 'Root Certs' + args = [paths.MODUTIL, '-dbdir', paths.HTTPD_ALIAS_DIR, '-force'] + + result = ipautil.run(args + ['-list', name], + env={}, + capture_output=True) + if 'Status: Enabled' in result.output: + ipautil.run(args + ['-disable', name], env={}) + return True + + return False + def __setup_ssl(self): db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR, subject_base=self.subject_base, user="root", group=constants.HTTPD_GROUP, truncate=(not self.promote)) + self.disable_system_trust() if self.pkcs12_info: if self.ca_is_configured: trust_flags = 'CT,C,C' diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 993835ed1..1706079da 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1521,6 +1521,21 @@ def setup_pkinit(krb): krb.start() +def disable_httpd_system_trust(http): + ca_certs = [] + + db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) + for nickname, trust_flags in db.list_certs(): + if 'u' not in trust_flags: + cert = db.get_cert_from_db(nickname, pem=False) + if cert: + ca_certs.append((cert, nickname, trust_flags)) + + if http.disable_system_trust(): + for cert, nickname, trust_flags in ca_certs: + db.add_cert(cert, nickname, trust_flags) + + def upgrade_configuration(): """ Execute configuration upgrade of the IPA services @@ -1656,6 +1671,7 @@ def upgrade_configuration(): http.enable_kdcproxy() http.stop() + disable_httpd_system_trust(http) update_ipa_httpd_service_conf(http) update_mod_nss_protocol(http) update_mod_nss_cipher_suite(http) -- cgit