mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
Use system-wide crypto-policies on Fedora
HTTPS connections from IPA framework and bind named instance now use system-wide crypto-policies on Fedora. For HTTPS the 'DEFAULT' crypto policy also includes unnecessary ciphers for PSK, SRP, aDSS and 3DES. Since these ciphers are not used by freeIPA, they are explicitly excluded. See: https://bugzilla.redhat.com/show_bug.cgi?id=1179925 See: https://bugzilla.redhat.com/show_bug.cgi?id=1179220 Fixes: https://pagure.io/freeipa/issue/4853 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit is contained in:
parent
db2222fee4
commit
90a75f0d43
@ -21,6 +21,9 @@ options {
|
|||||||
bindkeys-file "$BINDKEYS_FILE";
|
bindkeys-file "$BINDKEYS_FILE";
|
||||||
|
|
||||||
managed-keys-directory "$MANAGED_KEYS_DIR";
|
managed-keys-directory "$MANAGED_KEYS_DIR";
|
||||||
|
|
||||||
|
/* crypto policy snippet on platforms with system-wide policy. */
|
||||||
|
$INCLUDE_CRYPTO_POLICY
|
||||||
};
|
};
|
||||||
|
|
||||||
/* If you want to enable debugging, eg. using the 'rndc trace' command,
|
/* If you want to enable debugging, eg. using the 'rndc trace' command,
|
||||||
|
@ -304,9 +304,7 @@ TLS_VERSIONS = [
|
|||||||
"tls1.2"
|
"tls1.2"
|
||||||
]
|
]
|
||||||
TLS_VERSION_MINIMAL = "tls1.0"
|
TLS_VERSION_MINIMAL = "tls1.0"
|
||||||
# high ciphers without RC4, MD5, TripleDES, pre-shared key
|
|
||||||
# and secure remote password
|
|
||||||
TLS_HIGH_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP"
|
|
||||||
|
|
||||||
# Use cache path
|
# Use cache path
|
||||||
USER_CACHE_PATH = (
|
USER_CACHE_PATH = (
|
||||||
|
@ -56,9 +56,10 @@ except ImportError:
|
|||||||
from ipalib import errors, messages
|
from ipalib import errors, messages
|
||||||
from ipalib.constants import (
|
from ipalib.constants import (
|
||||||
DOMAIN_LEVEL_0,
|
DOMAIN_LEVEL_0,
|
||||||
TLS_VERSIONS, TLS_VERSION_MINIMAL, TLS_HIGH_CIPHERS
|
TLS_VERSIONS, TLS_VERSION_MINIMAL
|
||||||
)
|
)
|
||||||
from ipalib.text import _
|
from ipalib.text import _
|
||||||
|
from ipaplatform.constants import constants
|
||||||
from ipaplatform.paths import paths
|
from ipaplatform.paths import paths
|
||||||
from ipapython.ssh import SSHPublicKey
|
from ipapython.ssh import SSHPublicKey
|
||||||
from ipapython.dn import DN, RDN
|
from ipapython.dn import DN, RDN
|
||||||
@ -335,9 +336,9 @@ def create_https_connection(
|
|||||||
ssl.OP_SINGLE_ECDH_USE
|
ssl.OP_SINGLE_ECDH_USE
|
||||||
)
|
)
|
||||||
|
|
||||||
# high ciphers without RC4, MD5, TripleDES, pre-shared key
|
# high ciphers without RC4, MD5, TripleDES, pre-shared key and secure
|
||||||
# and secure remote password
|
# remote password. Uses system crypto policies on some platforms.
|
||||||
ctx.set_ciphers(TLS_HIGH_CIPHERS)
|
ctx.set_ciphers(constants.TLS_HIGH_CIPHERS)
|
||||||
|
|
||||||
# pylint: enable=no-member
|
# pylint: enable=no-member
|
||||||
# set up the correct TLS version flags for the SSL context
|
# set up the correct TLS version flags for the SSL context
|
||||||
|
@ -42,6 +42,9 @@ class BaseConstantsNamespace(object):
|
|||||||
# WSGI module override, only used on Fedora
|
# WSGI module override, only used on Fedora
|
||||||
MOD_WSGI_PYTHON2 = None
|
MOD_WSGI_PYTHON2 = None
|
||||||
MOD_WSGI_PYTHON3 = None
|
MOD_WSGI_PYTHON3 = None
|
||||||
|
# high ciphers without RC4, MD5, TripleDES, pre-shared key, secure
|
||||||
|
# remote password, and DSA cert authentication.
|
||||||
|
TLS_HIGH_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP:!aDSS"
|
||||||
|
|
||||||
|
|
||||||
constants = BaseConstantsNamespace()
|
constants = BaseConstantsNamespace()
|
||||||
|
@ -81,6 +81,7 @@ class BasePathNamespace(object):
|
|||||||
NAMED_ROOT_KEY = "/etc/named.root.key"
|
NAMED_ROOT_KEY = "/etc/named.root.key"
|
||||||
NAMED_BINDKEYS_FILE = "/etc/named.iscdlv.key"
|
NAMED_BINDKEYS_FILE = "/etc/named.iscdlv.key"
|
||||||
NAMED_MANAGED_KEYS_DIR = "/var/named/dynamic"
|
NAMED_MANAGED_KEYS_DIR = "/var/named/dynamic"
|
||||||
|
NAMED_CRYPTO_POLICY_FILE = None
|
||||||
NSLCD_CONF = "/etc/nslcd.conf"
|
NSLCD_CONF = "/etc/nslcd.conf"
|
||||||
NSS_LDAP_CONF = "/etc/nss_ldap.conf"
|
NSS_LDAP_CONF = "/etc/nss_ldap.conf"
|
||||||
NSSWITCH_CONF = "/etc/nsswitch.conf"
|
NSSWITCH_CONF = "/etc/nsswitch.conf"
|
||||||
|
@ -16,5 +16,10 @@ class FedoraConstantsNamespace(RedHatConstantsNamespace):
|
|||||||
MOD_WSGI_PYTHON2 = "modules/mod_wsgi.so"
|
MOD_WSGI_PYTHON2 = "modules/mod_wsgi.so"
|
||||||
MOD_WSGI_PYTHON3 = "modules/mod_wsgi_python3.so"
|
MOD_WSGI_PYTHON3 = "modules/mod_wsgi_python3.so"
|
||||||
|
|
||||||
|
# System-wide crypto policy, but without TripleDES, pre-shared key,
|
||||||
|
# secure remote password, and DSA cert authentication.
|
||||||
|
# see https://fedoraproject.org/wiki/Changes/CryptoPolicy
|
||||||
|
TLS_HIGH_CIPHERS = "PROFILE=SYSTEM:!3DES:!PSK:!SRP:!aDSS"
|
||||||
|
|
||||||
|
|
||||||
constants = FedoraConstantsNamespace()
|
constants = FedoraConstantsNamespace()
|
||||||
|
@ -30,6 +30,7 @@ class FedoraPathNamespace(RedHatPathNamespace):
|
|||||||
HTTPD_IPA_WSGI_MODULES_CONF = (
|
HTTPD_IPA_WSGI_MODULES_CONF = (
|
||||||
"/etc/httpd/conf.modules.d/02-ipa-wsgi.conf"
|
"/etc/httpd/conf.modules.d/02-ipa-wsgi.conf"
|
||||||
)
|
)
|
||||||
|
NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
|
||||||
|
|
||||||
|
|
||||||
paths = FedoraPathNamespace()
|
paths = FedoraPathNamespace()
|
||||||
|
@ -768,6 +768,13 @@ class BindInstance(service.Service):
|
|||||||
logger.debug("Unable to mask named (%s)", e)
|
logger.debug("Unable to mask named (%s)", e)
|
||||||
|
|
||||||
def __setup_sub_dict(self):
|
def __setup_sub_dict(self):
|
||||||
|
if paths.NAMED_CRYPTO_POLICY_FILE is not None:
|
||||||
|
crypto_policy = 'include "{}";'.format(
|
||||||
|
paths.NAMED_CRYPTO_POLICY_FILE
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
crypto_policy = "// not available"
|
||||||
|
|
||||||
self.sub_dict = dict(
|
self.sub_dict = dict(
|
||||||
FQDN=self.fqdn,
|
FQDN=self.fqdn,
|
||||||
SERVER_ID=installutils.realm_to_serverid(self.realm),
|
SERVER_ID=installutils.realm_to_serverid(self.realm),
|
||||||
@ -780,6 +787,7 @@ class BindInstance(service.Service):
|
|||||||
NAMED_PID=paths.NAMED_PID,
|
NAMED_PID=paths.NAMED_PID,
|
||||||
NAMED_VAR_DIR=paths.NAMED_VAR_DIR,
|
NAMED_VAR_DIR=paths.NAMED_VAR_DIR,
|
||||||
BIND_LDAP_SO=paths.BIND_LDAP_SO,
|
BIND_LDAP_SO=paths.BIND_LDAP_SO,
|
||||||
|
INCLUDE_CRYPTO_POLICY=crypto_policy,
|
||||||
)
|
)
|
||||||
|
|
||||||
def __setup_dns_container(self):
|
def __setup_dns_container(self):
|
||||||
|
Loading…
Reference in New Issue
Block a user