freeipa/ipaplatform/redhat
Christian Heimes 639bb71940 Don't hard-code client's TLS versions and ciphers
Client connections no longer override TLS version range and ciphers by
default. Instead clients use the default settings from the system's
crypto policy.

Minimum TLS version is now TLS 1.2. The default crypto policy on
RHEL 8 sets TLS 1.2 as minimum version, while Fedora 31 sets TLS 1.0 as
minimum version. The minimum version is configured with OpenSSL 1.1.1
APIs. Python 3.6 lacks the setters to override the system policy.

The effective minimum version is always TLS 1.2, because FreeIPA
reconfigures Apache HTTPd on Fedora.

Fixes: https://pagure.io/freeipa/issue/8125
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-12-02 16:48:07 +01:00
__init__.py Split off generic Red Hat-like platform code from Fedora platform code 2014-10-09 15:37:24 +02:00
authconfig.py authconfig.py: restore user-nsswitch.conf at uninstall time 2019-08-29 17:34:27 +02:00
constants.py Don't hard-code client's TLS versions and ciphers 2019-12-02 16:48:07 +01:00
paths.py Use tasks to configure automount nsswitch settings 2019-08-28 22:15:50 -04:00
services.py Add ExecStartPost hook to wait for Dogtag PKI 2019-04-24 09:09:28 +02:00
tasks.py Enable TLS 1.3 support on the server 2019-12-02 16:48:07 +01:00