Turn off OCSP check

The OCSP check was previously turned on but it introduced several issues. Therefore the check will be turned off by default. For turning on should be used ipa advise command with correct recipe. The solution is tracked here: https://pagure.io/freeipa/issue/6982 Fixes: https://pagure.io/freeipa/issue/6981 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-06-01 09:56:16 +02:00
parent 0772ef20b3
commit 566361e63d
3 changed files with 28 additions and 55 deletions
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -21,24 +21,11 @@

 import syslog
 import traceback
-from ipalib import api
 from ipaplatform import services
-from ipaplatform.paths import paths
-from ipapython.certdb import TRUSTED_PEER_TRUST_FLAGS
-from ipaserver.install import certs, installutils
+from ipaserver.install import certs


 def _main():
-
-    api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
-    api.finalize()
-
-    db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
-    nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
-
-    # Add trust flag which set certificate trusted for SSL connections.
-    db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS)
-
    syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')

    try:
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -34,8 +34,7 @@ from augeas import Augeas
 from ipalib.install import certmonger
 from ipapython import ipaldap
 from ipapython.certdb import (IPA_CA_TRUST_FLAGS,
-                              EXTERNAL_CA_TRUST_FLAGS,
-                              TRUSTED_PEER_TRUST_FLAGS)
+                              EXTERNAL_CA_TRUST_FLAGS)
 from ipaserver.install import replication
 from ipaserver.install import service
 from ipaserver.install import certs
@@ -67,6 +66,10 @@ NSS_CIPHER_SUITE = [
 ]
 NSS_CIPHER_REVISION = '20160129'

+OCSP_DIRECTIVE = 'NSSOCSP'
+
+NSS_OCSP_ENABLED = 'nss_ocsp_enabled'
+

 def httpd_443_configured():
    """
@@ -156,7 +159,7 @@ class HTTPInstance(service.Service):
                  self.set_mod_nss_protocol)
        self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
        self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
-        self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp)
+        self.step("disabling mod_nss OCSP", self.disable_mod_nss_ocsp)
        self.step("adding URL rewriting rules", self.__add_include)
        self.step("configuring httpd", self.__configure_http)
        self.step("setting up httpd keytab", self.request_service_keytab)
@@ -263,7 +266,12 @@ class HTTPInstance(service.Service):
        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)

-    def enable_mod_nss_ocsp(self):
+    def disable_mod_nss_ocsp(self):
+        if sysupgrade.get_upgrade_state('http', NSS_OCSP_ENABLED) is None:
+            self.__disable_mod_nss_ocsp()
+            sysupgrade.set_upgrade_state('http', NSS_OCSP_ENABLED, False)
+
+    def __disable_mod_nss_ocsp(self):
        aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)

        aug.set('/augeas/load/Httpd/lens', 'Httpd.lns')
@@ -271,22 +279,21 @@ class HTTPInstance(service.Service):
        aug.load()

        path = '/files{}/VirtualHost'.format(paths.HTTPD_NSS_CONF)
+        ocsp_path = '{}/directive[.="{}"]'.format(path, OCSP_DIRECTIVE)
+        ocsp_arg = '{}/arg'.format(ocsp_path)
+        ocsp_comment = '{}/#comment[.="{}"]'.format(path, OCSP_DIRECTIVE)

-        ocsp_comment = aug.get(
-                        '{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path))
-        ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path))
+        ocsp_dir = aug.get(ocsp_path)

-        if ocsp_dir is None and ocsp_comment is not None:
-            # Directive is missing, comment is present
-            aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path),
-                    'NSSOCSP')
-            aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive')
-        elif ocsp_dir is None:
-            # Directive is missing and comment is missing
-            aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP")
+        # there is NSSOCSP directive in nss.conf file, comment it
+        # otherwise just do nothing
+        if ocsp_dir is not None:
+            ocsp_state = aug.get(ocsp_arg)
+            aug.remove(ocsp_arg)
+            aug.rename(ocsp_path, '#comment')
+            aug.set(ocsp_comment, '{} {}'.format(OCSP_DIRECTIVE, ocsp_state))
+            aug.save()

-        aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on')
-        aug.save()

    def set_mod_nss_cipher_suite(self):
        ciphers = ','.join(NSS_CIPHER_SUITE)
@@ -405,8 +412,6 @@ class HTTPInstance(service.Service):
            self.__set_mod_nss_nickname(nickname)
            self.add_cert_to_service()

-            db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS)
-
        else:
            if not self.promote:
                ca_args = [
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1399,24 +1399,6 @@ def fix_trust_flags():
    sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)


-def fix_server_cert_trust_flags():
-    root_logger.info(
-        '[Fixing server certificate trust flags in %s]' %
-        paths.HTTPD_ALIAS_DIR)
-
-    if sysupgrade.get_upgrade_state('http', 'fix_serv_cert_trust_flags'):
-        root_logger.info("Trust flags already processed")
-        return
-
-    db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
-    sc_nickname = installutils.get_directive(paths.HTTPD_NSS_CONF,
-                                             "NSSNickname")
-    # Add trust flag which set certificate trusted for SSL connections.
-    db.trust_root_cert(sc_nickname, certdb.TRUSTED_PEER_TRUST_FLAGS)
-
-    sysupgrade.set_upgrade_state('http', 'fix_serv_cert_trust_flags', True)
-
-
 def update_mod_nss_protocol(http):
    root_logger.info('[Updating mod_nss protocol versions]')

@@ -1429,9 +1411,9 @@ def update_mod_nss_protocol(http):
    sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True)


-def enable_mod_nss_ocsp(http):
+def disable_mod_nss_ocsp(http):
    root_logger.info('[Updating mod_nss enabling OCSP]')
-    http.enable_mod_nss_ocsp()
+    http.disable_mod_nss_ocsp()


 def update_mod_nss_cipher_suite(http):
@@ -1725,9 +1707,8 @@ def upgrade_configuration():
    update_ipa_httpd_service_conf(http)
    update_mod_nss_protocol(http)
    update_mod_nss_cipher_suite(http)
-    enable_mod_nss_ocsp(http)
+    disable_mod_nss_ocsp(http)
    fix_trust_flags()
-    fix_server_cert_trust_flags()
    update_http_keytab(http)
    http.configure_gssproxy()
    http.start()