Enable TLS 1.3 support on the server

urllib3 now supports post-handshake authentication with TLS 1.3. Enable TLS 1.3 support for Apache HTTPd. The update depends on bug fixes for TLS 1.3 PHA support in urllib3 and Apache HTTPd. New builds are available in freeipa-master COPR and in F30/F31. Overwrite crypto-policy on Fedora only. Fedora 31 and earlier have TLS 1.0 and 1.1 still enabled by default. Fixes: https://pagure.io/freeipa/issue/8125 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-11-18 10:40:44 +01:00 · 2019-11-18 10:40:44 +01:00 · 0451db9d3f
commit 0451db9d3f
parent 6a17a91672
6 changed files with 29 additions and 6 deletions
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@ -379,6 +379,13 @@ Requires: python3-pki >= %{pki_version}
 Requires: python3-pyasn1 >= 0.3.2-2
 Requires: python3-sssdconfig >= %{sssd_version}
 Requires: rpm-libs
+# Indirect dependency: use newer urllib3 with TLS 1.3 PHA support
+%if 0%{?rhel}
+Requires: python3-urllib3 >= 1.24.2-3
+%else
+Requires: python3-urllib3 >= 1.25.7
+%endif
+

 %description -n python3-ipaserver
 IPA is an integrated solution to provide centrally managed Identity (users,
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@ -51,7 +51,7 @@ TLS_VERSIONS = [
 ]
 TLS_VERSION_MINIMAL = "tls1.0"
 TLS_VERSION_DEFAULT_MIN = "tls1.2"
-TLS_VERSION_DEFAULT_MAX = "tls1.2"
+TLS_VERSION_DEFAULT_MAX = "tls1.3"

 # regular expression NameSpace member names must match:
 NAME_REGEX = r'^[a-z][_a-z0-9]*[a-z0-9]$|^[a-z]$'
--- a/ipalib/util.py
+++ b/ipalib/util.py
@ -354,6 +354,10 @@ def create_https_connection(
            # disable all TLS versions not in tls_span
            ctx.options |= tls_cutoff_map[version]

+    # Enable TLS 1.3 post-handshake auth
+    if getattr(ctx, "post_handshake_auth", None) is not None:
+        ctx.post_handshake_auth = True
+
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile)
--- a/ipaplatform/fedora/tasks.py
+++ b/ipaplatform/fedora/tasks.py
@ -25,11 +25,22 @@ This module contains default Fedora-specific implementations of system tasks.

 from __future__ import absolute_import

+from ipapython import directivesetter
 from ipaplatform.redhat.tasks import RedHatTaskNamespace
+from ipaplatform.paths import paths


 class FedoraTaskNamespace(RedHatTaskNamespace):
-    pass
+
+    def configure_httpd_protocol(self):
+        # On Fedora 31 and earlier DEFAULT crypto-policy has TLS 1.0 and 1.1
+        # enabled.
+        directivesetter.set_directive(
+            paths.HTTPD_SSL_CONF,
+            'SSLProtocol',
+            "all -SSLv3 -TLSv1 -TLSv1.1",
+            False
+        )


 tasks = FedoraTaskNamespace()
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@ -590,10 +590,10 @@ class RedHatTaskNamespace(BaseTaskNamespace):
        self.systemd_daemon_reload()

    def configure_httpd_protocol(self):
-        # TLS 1.3 is not yet supported
-        directivesetter.set_directive(paths.HTTPD_SSL_CONF,
-                                      'SSLProtocol',
-                                      'TLSv1.2', False)
+        # use default crypto policy for SSLProtocol
+        directivesetter.set_directive(
+            paths.HTTPD_SSL_CONF, 'SSLProtocol', None, False
+        )

    def set_hostname(self, hostname):
        ipautil.run([paths.BIN_HOSTNAMECTL, 'set-hostname', hostname])
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@ -2004,6 +2004,7 @@ def upgrade_configuration():
    http.realm = api.env.realm
    http.suffix = ipautil.realm_to_suffix(api.env.realm)
    http.configure_selinux_for_httpd()
+    http.set_mod_ssl_protocol()

    http.configure_certmonger_renewal_guard()