From 964d13237029e0568f56342917ae386746c0b281 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Fri, 1 Feb 2019 10:30:40 -0500
Subject: [PATCH] Update mod_nss cipher list so there is overlap with a 4.x master

dogtag updated its cipher list, disabling a lot of ciphers, which causes an overlap problem with a RHEL 6.x IPA master. This update script adds the two available ciphers to the nss.conf so that creating a CA replica is possible.

Signed-off-by: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
---
 contrib/copy-schema-to-ca-RHEL6.py | 79 ++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)

diff --git a/contrib/copy-schema-to-ca-RHEL6.py b/contrib/copy-schema-to-ca-RHEL6.py
index 3ed16555e9a63867162b58fe99531db46e867a8b..2b866a52ba99f59db913a127f271c6da63a65b95 100755
--- a/contrib/copy-schema-to-ca-RHEL6.py
+++ b/contrib/copy-schema-to-ca-RHEL6.py
@@ -31,6 +31,12 @@ from ipaserver.install.dsinstance import DS_USER
 from ipaserver.install.cainstance import PKI_USER
 from ipapython import services
 
+# for mod_nss
+from ipaserver.install.httpinstance import NSS_CONF
+from ipaserver.install.httpinstance import HTTPInstance
+from ipaserver.install import installutils
+from ipapython import sysrestore
+
 SERVERID = "PKI-IPA"
 SCHEMA_FILENAMES = (
 "60kerberos.ldif",
@@ -100,6 +106,77 @@ def restart_pki_ds(): services.service('dirsrv').restart(SERVERID) +# The ipa-3-0 set_directive() has very loose comparision of directive +# which would cause multiple NSSCipherSuite to be added so provide +# a custom function for it. +def set_directive(filename, directive, value, quotes=True, separator=' '): + """Set a name/value pair directive in a configuration file. + + A value of None means to drop the directive. + + This has only been tested with nss.conf + """ + valueset = False + st = os.stat(filename) + fd = open(filename) + newfile = [] + for line in fd: + if line.lstrip().startswith(directive): + valueset = True + if value is not None: + if quotes: + newfile.append('%s%s"%s"\n' % + (directive, separator, value)) + else: + newfile.append('%s%s%s\n' % (directive, separator, value)) + else: + newfile.append(line) + fd.close() + if not valueset: + if value is not None: + if quotes: + newfile.append('%s%s"%s"\n' % (directive, separator, value)) + else: + newfile.append('%s%s%s\n' % (directive, separator, value)) + + fd = open(filename, "w") + fd.write("".join(newfile)) + fd.close() + os.chown(filename, st.st_uid, st.st_gid) # reset perms + + +def update_mod_nss_cipher_suite(): + add_ciphers = ['ecdhe_rsa_aes_128_sha', 'ecdhe_rsa_aes_256_sha'] + ciphers = installutils.get_directive(NSS_CONF, 'NSSCipherSuite') + + # Run through once to see if any of the new ciphers are there but + # disabled. If they are then enable them. + lciphers = ciphers.split(',') + new_ciphers = [] + for cipher in lciphers: + for add in add_ciphers: + if cipher.endswith(add): + if cipher.startswith('-'): + cipher = '+%s' % add + new_ciphers.append(cipher) + + # Run through again and add remaining ciphers as enabled. 
+ for add in add_ciphers: + if add not in ciphers: + new_ciphers.append('+%s' % add) + + ciphers = ','.join(new_ciphers) + set_directive(NSS_CONF, 'NSSCipherSuite', ciphers, False) + root_logger.info('Updated Apache cipher list') + + +def restart_http(): + root_logger.info('Restarting HTTP') + fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + http = HTTPInstance(fstore) + http.restart() + + def main(): if os.getegid() != 0: sys.exit("Must be root to run this script") @@ -110,6 +187,8 @@ def main(): add_ca_schema() restart_pki_ds() + update_mod_nss_cipher_suite() + restart_http() root_logger.info('Schema updated successfully') -- 2.20.1
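Review bot: The second pass in update_mod_nss_cipher_suite tests `add not in ciphers` against the whole directive string, so a different cipher whose name merely contains the wanted one — e.g. a disabled `-ecdhe_rsa_aes_128_sha_256` entry — satisfies the test and `+ecdhe_rsa_aes_128_sha` is never appended, while the first pass's `endswith` check would not have enabled it either; both passes should compare whole, sign-stripped cipher names, as sketched below. set_directive also rewrites nss.conf with a truncating `open(filename, "w")` and takes no backup, so an interrupted write or a cipher list that Apache rejects leaves the IPA HTTP instance unable to start with nothing to roll back to; writing to a temporary file in the same directory and renaming it over nss.conf, and saving the original through the FileStore that restart_http already creates (if this tree's sysrestore offers a backup call), would be the usual safeguard. The `# reset perms` comment on `os.chown` is misleading: chown restores ownership only, and since the file is reopened in place rather than recreated, neither owner nor mode changes in the first place. If get_directive returns None when NSSCipherSuite is absent, `ciphers.split(',')` raises AttributeError, so a guard is worth adding if that case can occur here. main() begins in this hunk's trailing context and its body continues outside the hunk.

```python
def update_mod_nss_cipher_suite():
    add_ciphers = ['ecdhe_rsa_aes_128_sha', 'ecdhe_rsa_aes_256_sha']
    ciphers = installutils.get_directive(NSS_CONF, 'NSSCipherSuite')

    # Match whole cipher names: a substring/suffix test would let e.g.
    # -ecdhe_rsa_aes_128_sha_256 stand in for ecdhe_rsa_aes_128_sha.
    present = set()
    new_ciphers = []
    for cipher in ciphers.split(','):
        name = cipher.strip().lstrip('+-')
        present.add(name)
        if name in add_ciphers and cipher.strip().startswith('-'):
            cipher = '+%s' % name
        new_ciphers.append(cipher)

    for add in add_ciphers:
        if add not in present:
            new_ciphers.append('+%s' % add)
    # … unchanged: join, set_directive() call, log message …
```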
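Review bot: restart_http() is now called unconditionally after update_mod_nss_cipher_suite(), so every re-run of this script bounces Apache even when nss.conf already lists both ciphers enabled and nothing was changed, which on an IPA master means a short outage of the web UI and XML-RPC each time. Having update_mod_nss_cipher_suite() return whether it actually rewrote the directive and guarding the restart — `if update_mod_nss_cipher_suite(): restart_http()` — keeps repeated runs harmless. The closing `root_logger.info('Schema updated successfully')` also no longer describes everything the script did; something like `'Schema and Apache cipher list updated successfully'` would be more accurate. main() starts in the previous hunk and its remaining context lines are not visible here.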