From e0b32dac5462164869ab19c3d56c36e80cde4b7b Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. Marks the server cert in httpd NSS DB as trusted peer ('P,,') to avoid chicken and egg problem when it is needed to contact the OCSP responder when httpd is starting. https://pagure.io/freeipa/issue/6370 Reviewed-By: Florence Blanc-Renaud Reviewed-By: Rob Crittenden Reviewed-By: Jan Cholasta Reviewed-By: Martin Basti --- freeipa.spec.in | 4 ++++ install/restart_scripts/restart_httpd | 14 ++++++++++++- ipaserver/install/httpinstance.py | 30 +++++++++++++++++++++++++++ ipaserver/install/server/upgrade.py | 25 ++++++++++++++++++++++ ipaserver/setup.py | 1 + 5 files changed, 73 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index d7353015a..08b293c05 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -199,6 +199,7 @@ BuildRequires: python-nose BuildRequires: python-paste BuildRequires: systemd-python BuildRequires: python2-jinja2 +BuildRequires: python-augeas %if 0%{?with_python3} # FIXME: this depedency is missing - server will not work @@ -236,6 +237,7 @@ BuildRequires: python3-nose BuildRequires: python3-paste BuildRequires: python3-systemd BuildRequires: python3-jinja2 +BuildRequires: python3-augeas %endif # with_python3 %endif # with_lint @@ -359,6 +361,7 @@ Requires: python-dns >= 1.15 Requires: python-kdcproxy >= 0.3 Requires: rpm-libs Requires: pki-base-python2 +Requires: python-augeas %description -n python2-ipaserver IPA is an integrated solution to provide centrally managed Identity (users, @@ -388,6 +391,7 @@ Requires: python3-pyasn1 Requires: python3-dbus Requires: python3-dns >= 1.15 Requires: python3-kdcproxy >= 0.3 +Requires: python3-augeas Requires: rpm-libs Requires: pki-base-python3 
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d16848129..b661b82b8 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd @@ -21,11 +21,23 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + + api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) + api.finalize() + + db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) + nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + + # Add trust flag which set certificate trusted for SSL connections. + db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 7898c53bc..ab688a85f 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import pipes import locale import six +from augeas import Augeas from ipalib.install import certmonger from ipaserver.install import service @@ -153,6 +154,7 @@ class HTTPInstance(service.Service): self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) + self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
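Review bot: The new CertDB lookup and `db.trust_root_cert(nickname, "P,,")` in `_main()` sit above the `try:` at the end of the hunk, so a missing `NSSNickname` line or an unreadable NSS database escapes as an unhandled traceback from what looks like a certmonger post-save hook instead of going through whatever the existing `try` body does with errors; `_main()` continues past the hunk, so I can't see that handler, but moving the three new statements below the `syslog.syslog(...)` call and inside the `try` would cover them. `nickname` is also used unchecked — if `installutils.get_directive` returns None for an absent directive, certutil gets a None nickname — so `if nickname is None: raise RuntimeError('NSSNickname not set in %s' % paths.HTTPD_NSS_CONF)` before the call is cheap insurance. The comment `# Add trust flag which set certificate trusted for SSL connections.` understates the security effect: `P,,` makes NSS accept this one certificate as a trusted peer, which bypasses chain and revocation checking for it, and (as I understand NSS trust, which attaches to the certificate object rather than the nickname) it has to be reapplied after each renewal, which is presumably why this hook does it. I'd replace it with `# Trusted peer ('P,,'): mod_nss OCSP-checks its own cert at startup and the responder is behind this httpd, so trust the cert explicitly. Trust belongs to the cert object, so redo this after every renewal.`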
@@ -259,6 +261,31 @@ class HTTPInstance(service.Service): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) + def enable_mod_nss_ocsp(self): + aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD) + + aug.set('/augeas/load/Httpd/lens', 'Httpd.lns') + aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF) + aug.load() + + path = '/files{}/VirtualHost'.format(paths.HTTPD_NSS_CONF) + + ocsp_comment = aug.get( + '{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path)) + ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path)) + + if ocsp_dir is None and ocsp_comment is not None: + # Directive is missing, comment is present + aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path), + 'NSSOCSP') + aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive') + elif ocsp_dir is None: + # Directive is missing and comment is missing + aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP") + + aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on') + aug.save() + def set_mod_nss_cipher_suite(self): ciphers = ','.join(NSS_CIPHER_SUITE) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False) @@ -351,6 +378,7 @@ class HTTPInstance(service.Service): create=True) self.disable_system_trust() self.create_password_conf() + if self.pkcs12_info: if self.ca_is_configured: trust_flags = 'CT,C,C' @@ -375,6 +403,8 @@ class HTTPInstance(service.Service): self.__set_mod_nss_nickname(nickname) self.add_cert_to_service() + db.trust_root_cert(nickname, "P,,") + else: if not self.promote: ca_args = [ diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 9aec2d857..7b0476d44 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py 
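Review bot: `enable_mod_nss_ocsp` neither guards `aug.save()` nor closes the Augeas handle, so a write failure or an nss.conf the Httpd lens can't parse surfaces from an install step as a bare exception without naming the file, and the two `aug.get()` calls assume a single match — as I recall, augeas refuses a get on a path that matches several nodes, so a second comment starting with `NSSOCSP ` or a second `VirtualHost` in nss.conf would abort the step rather than be handled. Using `aug.match()` for the lookups and a `try/finally` for cleanup addresses both; the rewrite below keeps the directive/arg handling as it is. Since this turns on revocation checking for client-certificate logins and sets no failure-mode or responder-timeout directive, the docstring should also say what mod_nss does when the responder is unreachable (I can't tell from the hunk; a hard-fail default would turn an OCSP outage into a login outage). The method's enclosing class continues outside the hunk.
```python
    def enable_mod_nss_ocsp(self):
        """Turn on the NSSOCSP directive in nss.conf.

        Reuses a commented-out ``#NSSOCSP ...`` line when one is present,
        otherwise appends the directive to the VirtualHost block.  Assumes
        the server certificate already carries the 'P,,' trust flag, since
        mod_nss validates its own certificate with OCSP at startup.
        """
        aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)
        try:
            aug.set('/augeas/load/Httpd/lens', 'Httpd.lns')
            aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF)
            aug.load()

            path = '/files{}/VirtualHost'.format(paths.HTTPD_NSS_CONF)
            comment_path = '{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path)
            directive_path = '{}/directive[.="NSSOCSP"]'.format(path)

            if not aug.match(directive_path):
                comments = aug.match(comment_path)
                if comments:
                    # Uncomment only the first matching line; aug.get()
                    # would fail outright on more than one match.
                    aug.set(comments[0], 'NSSOCSP')
                    aug.rename(comments[0], 'directive')
                else:
                    aug.set('{}/directive[last()+1]'.format(path), 'NSSOCSP')

            aug.set('{}/arg'.format(directive_path), 'on')
            aug.save()
        finally:
            aug.close()
```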
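Review bot: The `P,,` flag is only applied in the `self.pkcs12_info` branch visible here; the `else:` path that follows, where the server cert is obtained from the IPA CA, continues outside the hunk, so I can't see whether the freshly issued cert is marked before httpd first starts with NSSOCSP on — if that relies on the certmonger `restart_httpd` hook running after issuance, a comment saying so would save the next reader the same question. The call also reads as odd without context: `trust_root_cert` is being used on the server certificate, and `db` is defined above the hunk (the enclosing method starts and ends outside it). A one-line why-comment would help: `# Trusted peer ('P,,'): mod_nss OCSP-checks its own cert at startup and the responder is behind this httpd, so trust it explicitly.`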
@@ -1392,6 +1392,24 @@ def fix_trust_flags(): sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True) +def fix_server_cert_trust_flags(): + root_logger.info( + '[Fixing server certificate trust flags in %s]' % + paths.HTTPD_ALIAS_DIR) + + if sysupgrade.get_upgrade_state('http', 'fix_serv_cert_trust_flags'): + root_logger.info("Trust flags already processed") + return + + db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) + sc_nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, + "NSSNickname") + # Add trust flag which set certificate trusted for SSL connections. + db.trust_root_cert(sc_nickname, "P,,") + + sysupgrade.set_upgrade_state('http', 'fix_serv_cert_trust_flags', True) + + def update_mod_nss_protocol(http): root_logger.info('[Updating mod_nss protocol versions]') @@ -1404,6 +1422,11 @@ def update_mod_nss_protocol(http): sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True) +def enable_mod_nss_ocsp(http): + root_logger.info('[Updating mod_nss enabling OCSP]') + http.enable_mod_nss_ocsp() + + def update_mod_nss_cipher_suite(http): root_logger.info('[Updating mod_nss cipher suite]') @@ -1671,7 +1694,9 @@ def upgrade_configuration(): update_ipa_httpd_service_conf(http) update_mod_nss_protocol(http) update_mod_nss_cipher_suite(http) + enable_mod_nss_ocsp(http) fix_trust_flags() + fix_server_cert_trust_flags() update_http_keytab(http) http.configure_gssproxy() http.start() diff --git a/ipaserver/setup.py b/ipaserver/setup.py index f48cef4b2..96af1a7e8 100755 --- a/ipaserver/setup.py +++ b/ipaserver/setup.py @@ -61,6 +61,7 @@ if __name__ == '__main__': "pyasn1", "requests", "six", + "python-augeas", ], entry_points={ 'custodia.authorizers': [
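Review bot: `fix_server_cert_trust_flags` hands `sc_nickname` to `trust_root_cert` without checking it, so an nss.conf with no `NSSNickname` line (if `installutils.get_directive` returns None in that case, as its use here suggests) would fail inside certutil with an opaque error and, because the state flag is only set afterwards, fail again on every later upgrade; `if sc_nickname is None: raise RuntimeError('NSSNickname not found in %s' % paths.HTTPD_NSS_CONF)` makes the cause visible. The function also deserves a docstring stating that it is a one-shot upgrade step and that renewed server certificates get their flag from the `restart_httpd` hook, since the `fix_serv_cert_trust_flags` state means this code never runs again on that host. Minor: the first `root_logger.info` formats eagerly with `%`; `root_logger.info('[Fixing server certificate trust flags in %s]', paths.HTTPD_ALIAS_DIR)` matches the logging idiom.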
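Review bot: In `upgrade_configuration`, `enable_mod_nss_ocsp(http)` is called before `fix_server_cert_trust_flags()`, so if the trust-flag step fails (NSS database problems are independent of the config edit) nss.conf has already been saved with `NSSOCSP on` while the server cert lacks `P,,` — exactly the startup loop the commit message describes — and the next time httpd starts, whether from a rerun or a reboot, it hits it. Swapping the two calls so the trust flag is in place before the config change leaves httpd startable after a partial failure: `fix_server_cert_trust_flags()` followed by `enable_mod_nss_ocsp(http)`. A comment on the pair noting the dependency, e.g. `# trust flag first: with NSSOCSP on, httpd cannot start until its own cert is a trusted peer`, would keep a future reorder from reintroducing the problem. `upgrade_configuration` starts outside the hunk.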