For Fedora and RHEL use system-wide crypto policy for mod_ssl

Drop the SSLProtocol directive for Fedora and RHEL systems. mod_ssl will use crypto policies for the set of protocols. For Debian systems configure a similar set of protocols for what was previously configured, but do it in a different way. Rather than iterating the allowed protocols just include the ones not allowed. Fixes: https://pagure.io/freeipa/issue/7667 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-05-23 10:45:26 -04:00 · 2019-05-23 10:45:26 -04:00 · c484d79ecf
commit c484d79ecf
parent b2acd65013
4 changed files with 19 additions and 4 deletions
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@ -246,6 +246,10 @@ class BaseTaskNamespace:
        """Configure WSGI for correct Python version"""
        raise NotImplementedError()

+    def configure_httpd_protocol(self):
+        """Configure TLS protocols in Apache"""
+        raise NotImplementedError()
+
    def is_fips_enabled(self):
        return False

--- a/ipaplatform/debian/tasks.py
+++ b/ipaplatform/debian/tasks.py
@ -10,7 +10,9 @@ from __future__ import absolute_import

 from ipaplatform.base.tasks import BaseTaskNamespace
 from ipaplatform.redhat.tasks import RedHatTaskNamespace
+from ipaplatform.paths import paths

+from ipapython import directivesetter
 from ipapython import ipautil

 class DebianTaskNamespace(RedHatTaskNamespace):
@ -69,6 +71,11 @@ class DebianTaskNamespace(RedHatTaskNamespace):
        # Debian doesn't require special mod_wsgi configuration
        pass

+    def configure_httpd_protocol(self):
+        directivesetter.set_directive(paths.HTTPD_SSL_CONF,
+                                      'SSLProtocol',
+                                      'all -SSLv3', False)
+
    def setup_httpd_logging(self):
        # Debian handles httpd logging differently
        pass
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@ -589,6 +589,12 @@ class RedHatTaskNamespace(BaseTaskNamespace):

        self.systemd_daemon_reload()

+    def configure_httpd_protocol(self):
+        """Drop SSLProtocol directive and let crypto policy handle it"""
+        directivesetter.set_directive(paths.HTTPD_SSL_CONF,
+                                      'SSLProtocol',
+                                      None, False)
+
    def set_hostname(self, hostname):
        ipautil.run([paths.BIN_HOSTNAMECTL, 'set-hostname', hostname])

--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@ -123,7 +123,7 @@ class HTTPInstance(service.Service):
        self.step("disabling nss.conf", self.disable_nss_conf)
        self.step("configuring mod_ssl certificate paths",
                  self.configure_mod_ssl_certs)
-        self.step("setting mod_ssl protocol list to TLSv1.0 - TLSv1.2",
+        self.step("setting mod_ssl protocol list",
                  self.set_mod_ssl_protocol)
        self.step("configuring mod_ssl log directory",
                  self.set_mod_ssl_logdir)
@ -244,9 +244,7 @@ class HTTPInstance(service.Service):
        open(paths.HTTPD_NSS_CONF, 'w').close()

    def set_mod_ssl_protocol(self):
-        directivesetter.set_directive(paths.HTTPD_SSL_CONF,
-                                   'SSLProtocol',
-                                   '+TLSv1 +TLSv1.1 +TLSv1.2', False)
+        tasks.configure_httpd_protocol()

    def set_mod_ssl_logdir(self):
        tasks.setup_httpd_logging()