Use system-wide crypto-policies on Fedora

HTTPS connections from the IPA framework, and the bind named instance, now use
system-wide crypto-policies on Fedora.

For HTTPS the 'DEFAULT' crypto policy also includes unnecessary ciphers
for PSK, SRP, aDSS and 3DES. Since these ciphers are not used by freeIPA,
they are explicitly excluded.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1179925
See: https://bugzilla.redhat.com/show_bug.cgi?id=1179220
Fixes: https://pagure.io/freeipa/issue/4853
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit is contained in:
Christian Heimes 2018-02-09 11:50:32 +01:00
parent db2222fee4
commit 90a75f0d43
8 changed files with 28 additions and 8 deletions


@ -21,6 +21,9 @@ options {
bindkeys-file "$BINDKEYS_FILE"; bindkeys-file "$BINDKEYS_FILE";
managed-keys-directory "$MANAGED_KEYS_DIR"; managed-keys-directory "$MANAGED_KEYS_DIR";
/* crypto policy snippet on platforms with system-wide policy. */
$INCLUDE_CRYPTO_POLICY
}; };
/* If you want to enable debugging, eg. using the 'rndc trace' command, /* If you want to enable debugging, eg. using the 'rndc trace' command,
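Review bot: The `$INCLUDE_CRYPTO_POLICY` placeholder is expanded inside `options {}` whenever the platform defines a policy path, so named will refuse to load its configuration if the included snippet is not present at run time; the template comment should say where the snippet comes from, e.g. `/* crypto policy snippet on platforms with system-wide policy (presumably shipped by the crypto-policies package); named fails to start if the included file is missing. */`. On platforms without a policy file the placeholder resolves to a `//` line comment, which named.conf accepts, so the fallback itself is fine. The enclosing `options` block starts before the hunk.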


@ -304,9 +304,7 @@ TLS_VERSIONS = [
"tls1.2" "tls1.2"
] ]
TLS_VERSION_MINIMAL = "tls1.0" TLS_VERSION_MINIMAL = "tls1.0"
# high ciphers without RC4, MD5, TripleDES, pre-shared key
# and secure remote password
TLS_HIGH_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP"
# Use cache path # Use cache path
USER_CACHE_PATH = ( USER_CACHE_PATH = (


@ -56,9 +56,10 @@ except ImportError:
from ipalib import errors, messages from ipalib import errors, messages
from ipalib.constants import ( from ipalib.constants import (
DOMAIN_LEVEL_0, DOMAIN_LEVEL_0,
TLS_VERSIONS, TLS_VERSION_MINIMAL, TLS_HIGH_CIPHERS TLS_VERSIONS, TLS_VERSION_MINIMAL
) )
from ipalib.text import _ from ipalib.text import _
from ipaplatform.constants import constants
from ipaplatform.paths import paths from ipaplatform.paths import paths
from ipapython.ssh import SSHPublicKey from ipapython.ssh import SSHPublicKey
from ipapython.dn import DN, RDN from ipapython.dn import DN, RDN
@ -335,9 +336,9 @@ def create_https_connection(
ssl.OP_SINGLE_ECDH_USE ssl.OP_SINGLE_ECDH_USE
) )
# high ciphers without RC4, MD5, TripleDES, pre-shared key # high ciphers without RC4, MD5, TripleDES, pre-shared key and secure
# and secure remote password # remote password. Uses system crypto policies on some platforms.
ctx.set_ciphers(TLS_HIGH_CIPHERS) ctx.set_ciphers(constants.TLS_HIGH_CIPHERS)
# pylint: enable=no-member # pylint: enable=no-member
# set up the correct TLS version flags for the SSL context # set up the correct TLS version flags for the SSL context
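Review bot: The rewritten comment above `ctx.set_ciphers(constants.TLS_HIGH_CIPHERS)` still enumerates RC4, MD5, TripleDES and friends, but the effective cipher set is now whatever the platform constant selects, which on Fedora defers to the system profile rather than an explicit list; suggest `# cipher string is platform specific (see ipaplatform constants); on platforms with system-wide crypto-policies it defers to the system profile.` It is also worth documenting that `set_ciphers()` raises `ssl.SSLError` when the string selects no cipher, which is the failure mode if the platform string uses a keyword the local OpenSSL build does not understand. `create_https_connection` starts before the hunk and continues past it.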


@ -42,6 +42,9 @@ class BaseConstantsNamespace(object):
# WSGI module override, only used on Fedora # WSGI module override, only used on Fedora
MOD_WSGI_PYTHON2 = None MOD_WSGI_PYTHON2 = None
MOD_WSGI_PYTHON3 = None MOD_WSGI_PYTHON3 = None
# high ciphers without RC4, MD5, TripleDES, pre-shared key, secure
# remote password, and DSA cert authentication.
TLS_HIGH_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP:!aDSS"
constants = BaseConstantsNamespace() constants = BaseConstantsNamespace()
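Review bot: The base value adds `!aDSS` relative to the constant removed from `ipalib.constants`, so non-Fedora platforms now get a slightly stricter cipher string than before; that matches the commit message but deserves a line in the comment, e.g. `# Platform default; subclasses may defer to a system-wide policy instead.` Since `ipalib.constants` no longer exports `TLS_HIGH_CIPHERS`, any out-of-tree importer of that name breaks at import time; if the import graph allows it, a compatibility alias in `ipalib.constants` pointing at the platform value would avoid that.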


@ -81,6 +81,7 @@ class BasePathNamespace(object):
NAMED_ROOT_KEY = "/etc/named.root.key" NAMED_ROOT_KEY = "/etc/named.root.key"
NAMED_BINDKEYS_FILE = "/etc/named.iscdlv.key" NAMED_BINDKEYS_FILE = "/etc/named.iscdlv.key"
NAMED_MANAGED_KEYS_DIR = "/var/named/dynamic" NAMED_MANAGED_KEYS_DIR = "/var/named/dynamic"
NAMED_CRYPTO_POLICY_FILE = None
NSLCD_CONF = "/etc/nslcd.conf" NSLCD_CONF = "/etc/nslcd.conf"
NSS_LDAP_CONF = "/etc/nss_ldap.conf" NSS_LDAP_CONF = "/etc/nss_ldap.conf"
NSSWITCH_CONF = "/etc/nsswitch.conf" NSSWITCH_CONF = "/etc/nsswitch.conf"
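Review bot: `NAMED_CRYPTO_POLICY_FILE = None` is the only entry in this namespace whose `None` carries meaning for the installer, so a comment should state it: `# bind crypto-policy snippet included from named.conf; None when the platform has no system-wide policy`. The surrounding constants are documented only by their names, so one line here is enough.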


@ -16,5 +16,10 @@ class FedoraConstantsNamespace(RedHatConstantsNamespace):
MOD_WSGI_PYTHON2 = "modules/mod_wsgi.so" MOD_WSGI_PYTHON2 = "modules/mod_wsgi.so"
MOD_WSGI_PYTHON3 = "modules/mod_wsgi_python3.so" MOD_WSGI_PYTHON3 = "modules/mod_wsgi_python3.so"
# System-wide crypto policy, but without TripleDES, pre-shared key,
# secure remote password, and DSA cert authentication.
# see https://fedoraproject.org/wiki/Changes/CryptoPolicy
TLS_HIGH_CIPHERS = "PROFILE=SYSTEM:!3DES:!PSK:!SRP:!aDSS"
constants = FedoraConstantsNamespace() constants = FedoraConstantsNamespace()
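Review bot: `"PROFILE=SYSTEM:!3DES:!PSK:!SRP:!aDSS"` drops the explicit `!aNULL:!eNULL:!MD5:!RC4` exclusions that the base class keeps, so on Fedora the floor is now entirely whatever the administrator's active policy allows; if a host is switched to a more permissive policy than DEFAULT, those suites could become selectable unless the policy itself forbids them. Appending the base exclusions, `TLS_HIGH_CIPHERS = "PROFILE=SYSTEM:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP:!aDSS"`, keeps the previous floor at no cost while still deferring to the system profile. The comment could also mention that the `PROFILE=SYSTEM` keyword is understood only by OpenSSL builds with crypto-policies support, since `set_ciphers()` fails on builds that lack it.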


@ -30,6 +30,7 @@ class FedoraPathNamespace(RedHatPathNamespace):
HTTPD_IPA_WSGI_MODULES_CONF = ( HTTPD_IPA_WSGI_MODULES_CONF = (
"/etc/httpd/conf.modules.d/02-ipa-wsgi.conf" "/etc/httpd/conf.modules.d/02-ipa-wsgi.conf"
) )
NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
paths = FedoraPathNamespace() paths = FedoraPathNamespace()


@ -768,6 +768,13 @@ class BindInstance(service.Service):
logger.debug("Unable to mask named (%s)", e) logger.debug("Unable to mask named (%s)", e)
def __setup_sub_dict(self): def __setup_sub_dict(self):
if paths.NAMED_CRYPTO_POLICY_FILE is not None:
crypto_policy = 'include "{}";'.format(
paths.NAMED_CRYPTO_POLICY_FILE
)
else:
crypto_policy = "// not available"
self.sub_dict = dict( self.sub_dict = dict(
FQDN=self.fqdn, FQDN=self.fqdn,
SERVER_ID=installutils.realm_to_serverid(self.realm), SERVER_ID=installutils.realm_to_serverid(self.realm),
@ -780,6 +787,7 @@ class BindInstance(service.Service):
NAMED_PID=paths.NAMED_PID, NAMED_PID=paths.NAMED_PID,
NAMED_VAR_DIR=paths.NAMED_VAR_DIR, NAMED_VAR_DIR=paths.NAMED_VAR_DIR,
BIND_LDAP_SO=paths.BIND_LDAP_SO, BIND_LDAP_SO=paths.BIND_LDAP_SO,
INCLUDE_CRYPTO_POLICY=crypto_policy,
) )
def __setup_dns_container(self): def __setup_dns_container(self):
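Review bot: In `__setup_sub_dict` the new branch only checks that `paths.NAMED_CRYPTO_POLICY_FILE` is set, not that the file exists, so on a host that defines the path but lacks the snippet the generated named.conf includes a missing file and the problem surfaces later as a named start-up failure rather than at install time. A check such as `if paths.NAMED_CRYPTO_POLICY_FILE is not None and not os.path.isfile(paths.NAMED_CRYPTO_POLICY_FILE):` that raises a clear installer error (or at least logs at warning level) would make the cause obvious; silently falling back to the `"// not available"` comment in that case would weaken the policy, so it should fail loudly rather than omit the include. A short comment above the block noting that the value is substituted into `options {}` of the named.conf template would also help, and whether `os` is already imported in this module is not visible in the hunk. `__setup_sub_dict` continues past the first hunk.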