Add TLS 1.2 to the protocol list in mod_nss config

https://fedorahosted.org/freeipa/ticket/4653 Reviewed-By: Martin Kosek <mkosek@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-11-25 08:12:53 +00:00 · 2014-11-25 08:12:53 +00:00 · bef1d18878
commit bef1d18878
parent ed3dddab87
2 changed files with 17 additions and 3 deletions
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@ -1227,6 +1227,18 @@ def fix_trust_flags():
    sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)


+def update_mod_nss_protocol(http):
+    root_logger.info('[Updating mod_nss protocol versions]')
+
+    if sysupgrade.get_upgrade_state('nss.conf', 'protocol_updated_tls12'):
+        root_logger.info("Protocol versions already updated")
+        return
+
+    http.set_mod_nss_protocol()
+
+    sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True)
+
+
 def main():
    """
    Get some basics about the system. If getting those basics fail then
@ -1328,6 +1340,7 @@ def main():
    http.change_mod_nss_port_from_http()

    http.stop()
+    update_mod_nss_protocol(http)
    fix_trust_flags()
    http.start()

--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@ -115,7 +115,8 @@ class HTTPInstance(service.Service):


        self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
-        self.step("setting mod_nss protocol list to TLSv1.0 and TLSv1.1", self.__set_mod_nss_protocol)
+        self.step("setting mod_nss protocol list to TLSv1.0 - TLSv1.2",
+                  self.set_mod_nss_protocol)
        self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
        self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
        self.step("adding URL rewriting rules", self.__add_include)
@ -205,8 +206,8 @@ class HTTPInstance(service.Service):
    def __set_mod_nss_nickname(self, nickname):
        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSNickname', nickname)

-    def __set_mod_nss_protocol(self):
-        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSProtocol', 'TLSv1.0,TLSv1.1', False)
+    def set_mod_nss_protocol(self):
+        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSProtocol', 'TLSv1.0,TLSv1.1,TLSv1.2', False)

    def enable_mod_nss_renegotiate(self):
        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)