named: Include crypto policy in openssl config

On platforms which have system-wide crypto policy the latter has to be included in openssl config. Fixes: https://pagure.io/freeipa/issue/8094 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-08-13 13:54:40 +03:00
parent ecfaf897b9
commit e2030b8cad
6 changed files with 36 additions and 4 deletions
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -186,11 +186,17 @@ class DNSKeySyncInstance(service.Service):
            conf_file_dict = {
                'OPENSSL_ENGINE': constants.NAMED_OPENSSL_ENGINE,
                'SOFTHSM_MODULE': paths.LIBSOFTHSM2_SO,
+                'CRYPTO_POLICY_FILE': paths.CRYPTO_POLICY_OPENSSLCNF_FILE,
            }
+            if paths.CRYPTO_POLICY_OPENSSLCNF_FILE is None:
+                opensslcnf_tmpl = "bind.openssl.cnf.template"
+            else:
+                opensslcnf_tmpl = "bind.openssl.cryptopolicy.cnf.template"
+
            named_openssl_txt = ipautil.template_file(
-                os.path.join(paths.USR_SHARE_IPA_DIR,
-                             "bind.openssl.cnf.template"),
-                conf_file_dict)
+                os.path.join(paths.USR_SHARE_IPA_DIR, opensslcnf_tmpl),
+                conf_file_dict
+            )
            with open(paths.DNSSEC_OPENSSL_CONF, 'w') as f:
                os.fchmod(f.fileno(), 0o640)
                os.fchown(f.fileno(), 0, self.named_gid)