httpinstance: disable system trust module in /etc/httpd/alias

Currently the NSS database in /etc/httpd/alias is installed with the system
trust module enabled. This is problematic for a number of reasons:

* IPA has its own trust store, which is effectively bypassed when the
  system trust module is enabled in the database. This may cause IPA
  unrelated CAs to be trusted by httpd, or even IPA related CAs not to be
  trusted by httpd.

* On client install, the IPA trust configuration is copied to the system
  trust store for third parties. When this configuration is removed, it may
  cause loss of trust information in /etc/httpd/alias
  (https://bugzilla.redhat.com/show_bug.cgi?id=1427897).

* When a CA certificate provided by the user in CA-less install conflicts
  with a CA certificate in the system trust store, the latter may be used
  by httpd, leading to broken https
  (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).

Disable the system trust module on install and upgrade to prevent the
system trust store to be used in /etc/httpd/alias and fix all of the above
issues.

https://pagure.io/freeipa/issue/6132

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This commit is contained in:
Jan Cholasta 2017-03-01 17:54:05 +01:00 committed by Martin Basti
parent ee6d031a6a
commit f037bfa483
3 changed files with 31 additions and 0 deletions

View File

@ -165,6 +165,7 @@ class BasePathNamespace(object):
BIN_KVNO = "/usr/bin/kvno"
LDAPMODIFY = "/usr/bin/ldapmodify"
LDAPPASSWD = "/usr/bin/ldappasswd"
MODUTIL = "/usr/bin/modutil"
NET = "/usr/bin/net"
BIN_NISDOMAINNAME = "/usr/bin/nisdomainname"
NSUPDATE = "/usr/bin/nsupdate"

View File

@ -351,11 +351,25 @@ class HTTPInstance(service.Service):
os.chown(pwd_conf, pent.pw_uid, pent.pw_gid)
os.chmod(pwd_conf, 0o400)
def disable_system_trust(self):
name = 'Root Certs'
args = [paths.MODUTIL, '-dbdir', paths.HTTPD_ALIAS_DIR, '-force']
result = ipautil.run(args + ['-list', name],
env={},
capture_output=True)
if 'Status: Enabled' in result.output:
ipautil.run(args + ['-disable', name], env={})
return True
return False
def __setup_ssl(self):
db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
subject_base=self.subject_base, user="root",
group=constants.HTTPD_GROUP,
truncate=(not self.promote))
self.disable_system_trust()
if self.pkcs12_info:
if self.ca_is_configured:
trust_flags = 'CT,C,C'

View File

@ -1521,6 +1521,21 @@ def setup_pkinit(krb):
krb.start()
def disable_httpd_system_trust(http):
ca_certs = []
db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
for nickname, trust_flags in db.list_certs():
if 'u' not in trust_flags:
cert = db.get_cert_from_db(nickname, pem=False)
if cert:
ca_certs.append((cert, nickname, trust_flags))
if http.disable_system_trust():
for cert, nickname, trust_flags in ca_certs:
db.add_cert(cert, nickname, trust_flags)
def upgrade_configuration():
"""
Execute configuration upgrade of the IPA services
@ -1656,6 +1671,7 @@ def upgrade_configuration():
http.enable_kdcproxy()
http.stop()
disable_httpd_system_trust(http)
update_ipa_httpd_service_conf(http)
update_mod_nss_protocol(http)
update_mod_nss_cipher_suite(http)