From 9c2b222571f70cce8b5c1c6c469e3266535b2fc1 Mon Sep 17 00:00:00 2001 From: mharmsen Date: Wed, 25 Feb 2009 00:51:41 +0000 Subject: Bugzilla Bug #485859 - port separation for RA and TPS. git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@243 c9f7a03b-bd48-0410-a16d-cbbf54688b0b --- pki/base/ra/apache/conf/nss.conf | 100 ++++++++++++++++++++++++++++++- pki/base/ra/doc/CS.cfg | 1 + pki/base/ra/lib/perl/PKI/RA/DonePanel.pm | 4 -- pki/base/ra/setup/postinstall | 3 +- 4 files changed, 101 insertions(+), 7 deletions(-) (limited to 'pki/base/ra') diff --git a/pki/base/ra/apache/conf/nss.conf b/pki/base/ra/apache/conf/nss.conf index 02c50509..42085a60 100644 --- a/pki/base/ra/apache/conf/nss.conf +++ b/pki/base/ra/apache/conf/nss.conf @@ -17,6 +17,8 @@ # Listen 0.0.0.0:[SECURE_PORT] +Listen 0.0.0.0:[NON_CLIENTAUTH_SECURE_PORT] + ## ## SSL Global Context ## @@ -59,7 +61,7 @@ NSSSession3CacheTimeout 86400 # General setup for the virtual host #DocumentRoot "/htdocs" -#ServerName [SERVER_NAME]:[SECURE_PORT] +#ServerName [Server_Name]:[Secure_Port] #ServerAdmin you@example.com # mod_ssl logs to separate log files, you can choose to do that if you'd like @@ -90,7 +92,7 @@ NSSCertificateDatabase [SERVER_ROOT]/alias # Client Authentication (Type): # Client certificate verification type. Types are none, optional and # require. -NSSVerifyClient none +NSSVerifyClient require # Access Control: # With SSLRequire you can do per-directory access control based 
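Review bot: `NSSVerifyClient require` on the [SECURE_PORT] vhost makes mod_nss refuse any handshake that does not present a certificate chaining to a CA trusted in `[SERVER_ROOT]/alias`, but it says nothing about which CA or which role issued it, so the RA's agent/admin CGIs behind this port (not in this diff) still have to check the presented certificate themselves rather than treat a completed handshake as authorization. It also means any browser-facing page that was served here without a certificate now fails before Apache sees the request, so such pages must be reachable on the new certificate-less port; nothing in this file redirects them there. I would record that in the comment above the directive: `# Agent/admin interfaces only: every request on this port must present a client certificate; certificate-less end-entity traffic is served on [NON_CLIENTAUTH_SECURE_PORT].` The enclosing VirtualHost container is not visible in this rendering of the hunk.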
@@ -150,3 +152,97 @@ NSSVerifyClient none + + +# General setup for the virtual host +#DocumentRoot "/htdocs" +#ServerName [Server_Name]:[Non_Clientauth_Secure_Port] +#ServerAdmin you@example.com + +# mod_ssl logs to separate log files, you can choose to do that if you'd like +ErrorLog [SERVER_ROOT]/logs/error_log +TransferLog [SERVER_ROOT]/logs/access_log + +# SSL Engine Switch: +# Enable/Disable SSL for this virtual host. +NSSEngine on + +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate. +# See the mod_nss documentation for a complete list. +NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha + +NSSProtocol SSLv3,TLSv1 + +# SSL Certificate Nickname: +# The nickname of the server certificate you are going to use. +NSSNickname "Server-Cert cert-[INSTANCE_ID]" + +# Server Certificate Database: +# The NSS security database directory that holds the certificates and +# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db. +# Provide the directory that these files exist. +NSSCertificateDatabase [SERVER_ROOT]/alias + +# Client Authentication (Type): +# Client certificate verification type. Types are none, optional and +# require. +NSSVerifyClient none + +# Access Control: +# With SSLRequire you can do per-directory access control based +# on arbitrary complex boolean expressions containing server +# variable checks and other lookup directives. The syntax is a +# mixture between C and Perl. See the mod_nss documentation +# for more details. +# +#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ +# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." 
\ +# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ +# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ +# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ +# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ +# + +# SSL Engine Options: +# Set various options for the SSL engine. +# o FakeBasicAuth: +# Translate the client X.509 into a Basic Authorisation. This means that +# the standard Auth/DBMAuth methods can be used for access control. The +# user name is the `one line' version of the client's X.509 certificate. +# Note that no password is obtained from the user. Every entry in the user +# file needs this password: `xxj31ZMTZzkVA'. +# o ExportCertData: +# This exports two additional environment variables: SSL_CLIENT_CERT and +# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the +# server (always existing) and the client (only existing when client +# authentication is used). This can be used to import the certificates +# into CGI scripts. +# o StdEnvVars: +# This exports the standard SSL/TLS related `SSL_*' environment variables. +# Per default this exportation is switched off for performance reasons, +# because the extraction step is an expensive operation and is usually +# useless for serving static content. So one usually enables the +# exportation for CGI and SSI requests only. +# o StrictRequire: +# This denies access when "SSLRequireSSL" or "SSLRequire" applied even +# under a "Satisfy any" situation, i.e. when it applies access is denied +# and no other module can change it. +# o OptRenegotiate: +# This enables optimized SSL connection renegotiation handling when SSL +# directives are used in per-directory context. +#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire + + NSSOptions +StdEnvVars +ExportCertData + + + NSSOptions +StdEnvVars + + +# Per-Server Logging: +# The home of a custom SSL log file. Use this when you want a +# compact non-error SSL logfile on a virtual host basis. 
+#CustomLog [SERVER_ROOT]/logs/ssl_request_log \ +# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + + diff --git a/pki/base/ra/doc/CS.cfg b/pki/base/ra/doc/CS.cfg index 3602addc..831f91a0 100644 --- a/pki/base/ra/doc/CS.cfg +++ b/pki/base/ra/doc/CS.cfg @@ -104,6 +104,7 @@ cs.type=RA service.machineName=[SERVER_NAME] service.instanceDir=[SERVER_ROOT] service.securePort=[SECURE_PORT] +service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT] service.unsecurePort=[PORT] service.instanceID=[INSTANCE_ID] logging._000=######################################### diff --git a/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm b/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm index b44f9db8..4bd04cf7 100755 --- a/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm +++ b/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm @@ -304,15 +304,11 @@ sub display system( "chmod 00660 $instDir/conf/nss.conf.tmp" ); open(NSS_CONF, "<$instDir/conf/nss.conf"); while () { - if (/NSSVerifyClient none/) { - print TMP_NSS_CONF "NSSVerifyClient optional\n"; - } else { if ((/^NSSNickname/) && ($tokenname ne "") && ($tokenname ne "NSS Certificate DB")) { print TMP_NSS_CONF "NSSNickname \"$nickname\"\n"; } else { print TMP_NSS_CONF $_; } - } } close(NSS_CONF); close(TMP_NSS_CONF); diff --git a/pki/base/ra/setup/postinstall b/pki/base/ra/setup/postinstall index 0d1462f2..517c6e44 100755 --- a/pki/base/ra/setup/postinstall +++ b/pki/base/ra/setup/postinstall @@ -44,6 +44,7 @@ fi PKI_INSTANCE_NAME="${PKI_PRODUCT_NAME}-${PKI_SUBSYSTEM_NAME}" SECURE_PORT=12889 +NON_CLIENTAUTH_SECURE_PORT=12890 UNSECURE_PORT=12888 
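Review bot: nothing in the new [NON_CLIENTAUTH_SECURE_PORT] vhost narrows what is served there, so unless its VirtualHost container (not visible in this rendering) points at a different DocumentRoot/ScriptAlias, every handler reachable on the client-auth port is also reachable on this port with `NSSVerifyClient none`, and the only thing between an anonymous client and the agent/admin CGIs is whatever certificate check those CGIs perform themselves. I would add a `<Location>`/`<LocationMatch>` block inside this vhost that denies the agent and admin URL prefixes (whatever they are in the RA's httpd.conf), so the certificate-less port can only serve end-entity content. Separately, this is now the more exposed listener and its cipher list enables single DES (`+rsa_des_sha`) and RC4-MD5 (`+rsa_rc4_128_md5`) while leaving AES off (`-rsa_aes_128_sha,-rsa_aes_256_sha`); the list presumably mirrors the existing vhost, but changing those to `-rsa_des_sha`, `+rsa_aes_128_sha`, `+rsa_aes_256_sha` here costs nothing. `NSSProtocol SSLv3,TLSv1` could likewise drop SSLv3 if the RA's clients are all TLS-capable.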
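Review bot: the new key `service.non_clientauth_securePort` mixes snake_case with the camelCase used by its neighbours `service.securePort` and `service.unsecurePort`; `service.nonClientAuthSecurePort` would match the existing convention. Whatever reads this key is not in this diff, so the rename only makes sense if that reader and the `[NON_CLIENTAUTH_SECURE_PORT]` substitution in the installer are changed in the same commit.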
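Review bot: `NON_CLIENTAUTH_SECURE_PORT=12890` is hard-coded like its neighbours but, unlike them, is a brand-new listener bound to `0.0.0.0` in nss.conf, so anything that enumerates the RA's ports outside this script — firewall rules, and whatever SELinux port label 12889 presumably carries — needs 12890 added, or the new vhost will be unreachable or refused at bind time. The script also never checks that the three ports are distinct; a one-line guard before `pkicreate`, `[ "$NON_CLIENTAUTH_SECURE_PORT" != "$SECURE_PORT" ] && [ "$NON_CLIENTAUTH_SECURE_PORT" != "$UNSECURE_PORT" ] || { echo "RA port clash" >&2; exit 1; }`, would catch a careless edit of these constants. The rest of the script, including whether it runs under `set -e`, is outside this hunk.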
@@ -53,7 +54,7 @@ UNSECURE_PORT=12888 if [ ! -e "/var/lib/${PKI_INSTANCE_NAME}" ] then - /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -secure_port=${SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME} + /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -secure_port=${SECURE_PORT} -non_clientauth_secure_port=${NON_CLIENTAUTH_SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME} fi -- cgit
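Review bot: the rewritten `pkicreate` line still discards the command's exit status, so if the installed pkicreate does not accept `-non_clientauth_secure_port` (its implementation is not part of this diff) or fails for any other reason, postinstall continues and exits 0 with a half-created instance — unless the script runs under `set -e`, which only its top (outside this hunk) would show. Appending a failure branch, `|| { echo "pkicreate failed for ${PKI_INSTANCE_NAME}" >&2; exit 1; }`, keeps the scriptlet honest about the result.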