freeipa/ipaplatform/base
Jan Cholasta f037bfa483 httpinstance: disable system trust module in /etc/httpd/alias
Currently the NSS database in /etc/httpd/alias is installed with the system
trust module enabled. This is problematic for a number of reasons:

* IPA has its own trust store, which is effectively bypassed when the
  system trust module is enabled in the database. This may cause IPA
  unrelated CAs to be trusted by httpd, or even IPA related CAs not to be
  trusted by httpd.

* On client install, the IPA trust configuration is copied to the system
  trust store for third parties. When this configuration is removed, it may
  cause loss of trust information in /etc/httpd/alias
  (https://bugzilla.redhat.com/show_bug.cgi?id=1427897).

* When a CA certificate provided by the user in CA-less install conflicts
  with a CA certificate in the system trust store, the latter may be used
  by httpd, leading to broken https
  (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).

Disable the system trust module on install and upgrade to prevent the
system trust store to be used in /etc/httpd/alias and fix all of the above
issues.

https://pagure.io/freeipa/issue/6132

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-14 17:12:19 +01:00
..
__init__.py ipaplatform: Create separate module for platform files 2014-06-16 19:48:17 +02:00
constants.py Separate RA cert store from the HTTP cert store 2017-02-15 07:13:37 +01:00
paths.py httpinstance: disable system trust module in /etc/httpd/alias 2017-03-14 17:12:19 +01:00
services.py pylint_plugins: add forbidden import checker 2017-03-10 13:04:59 +01:00
tasks.py server install: require IPv6 stack to be enabled 2017-03-09 16:50:21 +01:00