Update dogtag configuration to work after CVE-2009-3555 changes
NSS is going to disallow all SSL renegotiation by default. Because of this we need to always use the agent port of the dogtag server, which always requires SSL client authentication. The end-user port will prompt for a certificate if required, but it does so by redoing the handshake (a renegotiation), which fails with newer versions of NSS.
parent
c092f3780d
commit
b7cda86697
@ -518,6 +518,18 @@ class CAInstance(service.Service):
|
|||||||
pent = pwd.getpwnam(self.pki_user)
|
pent = pwd.getpwnam(self.pki_user)
|
||||||
os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
|
os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
|
||||||
|
|
||||||
|
# Update the servlet mapping to so we use the agent interface rather
|
||||||
|
# than the end-user interface. The agent interface always requires
|
||||||
|
# client auth which lets us work work around the NSS change which
|
||||||
|
# disallows renegotation (CVE-2009-3555)
|
||||||
|
#
|
||||||
|
# The spaces here, while ugly, are required because update_file()
|
||||||
|
# escapes the incoming string.
|
||||||
|
installutils.update_file('/var/lib/%s/webapps/ca/WEB-INF/web.xml' % PKI_INSTANCE_NAME,
|
||||||
|
' <url-pattern> /ee/ca/profileSubmitSSLClient </url-pattern>',
|
||||||
|
' <url-pattern> /agent/ca/profileSubmitSSLClient </url-pattern>'
|
||||||
|
)
|
||||||
|
|
||||||
logging.debug("restarting ca instance")
|
logging.debug("restarting ca instance")
|
||||||
try:
|
try:
|
||||||
self.restart()
|
self.restart()
|
||||||
|
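Review bot: The result of `installutils.update_file(...)` on the web.xml servlet mapping is never checked, so if the end-user `<url-pattern>` text does not match byte-for-byte (the new comment itself notes the call is whitespace-sensitive), the installer goes on to restart the CA with the mapping unchanged and every later request to `/ca/agent/ca/profileSubmitSSLClient` fails with nothing pointing back here. If update_file reports whether a substitution happened, test that and log or raise before the restart; otherwise re-read the file and verify the agent pattern is present. Two typos in the added comment as well: `# client auth which lets us work around the NSS change which` and `# disallows renegotiation (CVE-2009-3555)`. The enclosing method starts and ends outside the hunk.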
@ -570,11 +570,11 @@ class CertDB(object):
|
|||||||
f = open(self.passwd_fname, "r")
|
f = open(self.passwd_fname, "r")
|
||||||
password = f.readline()
|
password = f.readline()
|
||||||
f.close()
|
f.close()
|
||||||
conn = nsslib.NSSConnection(self.host_name, 9444, dbdir=self.secdir)
|
conn = nsslib.NSSConnection(self.host_name, api.env.ca_agent_port, dbdir=self.secdir)
|
||||||
conn.sslsock.set_client_auth_data_callback(client_auth_data_callback, "ipaCert", password, nss.get_default_certdb())
|
conn.sslsock.set_client_auth_data_callback(client_auth_data_callback, "ipaCert", password, nss.get_default_certdb())
|
||||||
conn.set_debuglevel(0)
|
conn.set_debuglevel(0)
|
||||||
|
|
||||||
conn.request("POST", "/ca/ee/ca/profileSubmit", params, headers)
|
conn.request("POST", "/ca/agent/ca/profileSubmitSSLClient", params, headers)
|
||||||
res = conn.getresponse()
|
res = conn.getresponse()
|
||||||
data = res.read()
|
data = res.read()
|
||||||
conn.close()
|
conn.close()
|
||||||
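Review bot: `api.env.ca_agent_port` on the new connection line relies on `api` being in scope in this module, whereas the comparable change in the `ra` hunk reads `self.env.ca_agent_port`; if CertDB does not already import `api`, this fails with NameError on the first certificate request rather than at import time. The same two changed lines are repeated verbatim in the hunk at -664, and the literal path `/ca/agent/ca/profileSubmitSSLClient` now appears there, in the `ra` class and in the web.xml substitution; a single module-level constant for the agent submit path would keep the four copies from drifting. The agent servlet may also answer in a different format from the EE servlet, so the parsing of `data` below this hunk should be re-checked. The enclosing method starts and ends outside the hunk.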
@ -664,11 +664,11 @@ class CertDB(object):
|
|||||||
f = open(self.passwd_fname, "r")
|
f = open(self.passwd_fname, "r")
|
||||||
password = f.readline()
|
password = f.readline()
|
||||||
f.close()
|
f.close()
|
||||||
conn = nsslib.NSSConnection(self.host_name, 9444, dbdir=self.secdir)
|
conn = nsslib.NSSConnection(self.host_name, api.env.ca_agent_port, dbdir=self.secdir)
|
||||||
conn.sslsock.set_client_auth_data_callback(client_auth_data_callback, "ipaCert", password, nss.get_default_certdb())
|
conn.sslsock.set_client_auth_data_callback(client_auth_data_callback, "ipaCert", password, nss.get_default_certdb())
|
||||||
conn.set_debuglevel(0)
|
conn.set_debuglevel(0)
|
||||||
|
|
||||||
conn.request("POST", "/ca/ee/ca/profileSubmit", params, headers)
|
conn.request("POST", "/ca/agent/ca/profileSubmitSSLClient", params, headers)
|
||||||
res = conn.getresponse()
|
res = conn.getresponse()
|
||||||
data = res.read()
|
data = res.read()
|
||||||
conn.close()
|
conn.close()
|
||||||
|
@ -1509,8 +1509,8 @@ class ra(rabase.rabase):
|
|||||||
|
|
||||||
# Call CMS
|
# Call CMS
|
||||||
http_status, http_reason_phrase, http_headers, http_body = \
|
http_status, http_reason_phrase, http_headers, http_body = \
|
||||||
self._sslget('/ca/ee/ca/profileSubmit',
|
self._sslget('/ca/agent/ca/profileSubmitSSLClient',
|
||||||
self.env.ca_ee_port,
|
self.env.ca_agent_port,
|
||||||
profileId='caIPAserviceCert',
|
profileId='caIPAserviceCert',
|
||||||
cert_request_type=request_type,
|
cert_request_type=request_type,
|
||||||
cert_request=csr,
|
cert_request=csr,
|
||||||
|
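Review bot: The `# Call CMS` comment gives no hint why an enrollment request is sent to the agent interface on `self.env.ca_agent_port`, and the rationale currently lives only in the installer comment; suggest `# Call CMS on the agent port: it always requires SSL client auth, so no` / `# renegotiation is needed (CVE-2009-3555)`. This path now requires a client certificate on every call, so `_sslget` must present one; that is outside the hunk and should be confirmed. The enclosing method starts and ends outside the hunk.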