Update SSL ciphers configured in 389-ds-base

use configuration parameters to enable ciphers provided by NSS and not considered weak. This requires 389-ds version 1.3.3.2 or later https://fedorahosted.org/freeipa/ticket/4395 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-09-12 12:43:31 +02:00
parent f30eac04e1
commit 93b9d029ce
4 changed files with 12 additions and 8 deletions
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -18,7 +18,7 @@ Source0:        freeipa-%{version}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >= 1.3.2.16
+BuildRequires:  389-ds-base-devel >= 1.3.3.2
 BuildRequires:  svrcore-devel
 BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
 BuildRequires:  systemd-units
@@ -87,7 +87,7 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.2.20
+Requires: 389-ds-base >= 1.3.3.2
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
@@ -124,7 +124,7 @@ Requires: zip
 Requires: policycoreutils >= %{POLICYCOREUTILSVER}
 Requires: tar
 Requires(pre): certmonger >= 0.75.13
-Requires(pre): 389-ds-base >= 1.3.2.20
+Requires(pre): 389-ds-base >= 1.3.3.2
 Requires: fontawesome-fonts
 Requires: open-sans-fonts

--- a/install/updates/20-sslciphers.update
+++ b/install/updates/20-sslciphers.update
@@ -0,0 +1,6 @@
+# change configured ciphers
+# the result of this update will be that all ciphers
+# provided by NSS which ar not weak will be enabled
+dn: cn=encryption,cn=config
+only:nsSSL3Ciphers: +all
+addifnew:allowWeakCipher: off
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -14,6 +14,7 @@ app_DATA =				\
 	20-indices.update		\
 	20-nss_ldap.update		\
 	20-replication.update		\
+	20-sslciphers.update		\
 	20-syncrepl.update		\
 	20-user_private_groups.update	\
 	20-winsync_index.update		\
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -655,11 +655,8 @@ class DsInstance(service.Service):
        conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password)

        mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
-               (ldap.MOD_REPLACE, "nsSSL3Ciphers",
-                "-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,\
-+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,\
-+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,\
-+tls_rsa_export1024_with_des_cbc_sha")]
+               (ldap.MOD_REPLACE, "nsSSL3Ciphers", "+all"),
+               (ldap.MOD_REPLACE, "allowWeakCipher", "off")]
        conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)

        mod = [(ldap.MOD_ADD, "nsslapd-security", "on")]