From e1bac92634c2783b4003d496539810a2d993f71d Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 9 Dec 2014 10:33:20 +0000 Subject: [PATCH] Disable TLS 1.2 in nss.conf until mod_nss supports it --- install/tools/ipa-upgradeconfig | 8 ++++++-- ipaserver/install/httpinstance.py | 4 ++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index cf85f58c26510fcd105b54126152a50474c869b5..2691f0b0f217793243f7a0813f351c4364e2a951 100755 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -1276,13 +1276,17 @@ def fix_trust_flags(): def update_mod_nss_protocol(http): root_logger.info('[Updating mod_nss protocol versions]') - if sysupgrade.get_upgrade_state('nss.conf', 'protocol_updated_tls12'): + if sysupgrade.get_upgrade_state('nss.conf', 'protocol_updated_tls11'): root_logger.info("Protocol versions already updated") return http.set_mod_nss_protocol() - sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True) + sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls11', True) + + if sysupgrade.get_upgrade_state('nss.conf', 'protocol_updated_tls12'): + sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', + False) def main(): diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index cda85ab02b8054748e671935fcfbc3993257c53e..13c44abf59dbaf6f4aef1425992fa8ff181a3007 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -119,7 +119,7 @@ class HTTPInstance(service.Service): self.step("setting mod_nss port to 443", self.__set_mod_nss_port) - self.step("setting mod_nss protocol list to TLSv1.0 - TLSv1.2", + self.step("setting mod_nss protocol list to TLSv1.0 - TLSv1.1", self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) 
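Review bot: In `update_mod_nss_protocol`, a server already upgraded under the old `protocol_updated_tls12` marker has no `protocol_updated_tls11` state, so `http.set_mod_nss_protocol()` runs again and writes the fixed protocol list. An NSSProtocol value an administrator tightened by hand (for example by dropping TLSv1.0) would presumably be replaced with nothing in the upgrade log to show it. Log the rewrite explicitly, e.g. `root_logger.info("Resetting NSSProtocol in nss.conf to TLSv1.0,TLSv1.1")`, so the change to the server's TLS policy is traceable. The added block that sets `protocol_updated_tls12` to `False` also has no comment; something like `# clear the old marker so a later upgrade can turn TLSv1.2 back on` would record the intent, which is inferred here from the commit subject.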
@@ -214,7 +214,7 @@ class HTTPInstance(service.Service): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSNickname', nickname) def set_mod_nss_protocol(self): - installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSProtocol', 'TLSv1.0,TLSv1.1,TLSv1.2', False) + installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSProtocol', 'TLSv1.0,TLSv1.1', False) def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) -- 2.1.0
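Review bot: The protocol list in `set_mod_nss_protocol` is a bare string literal, and the reason TLSv1.2 is left out is stated only in the commit subject. A reader of httpinstance.py therefore sees a server limited to TLSv1.0 and TLSv1.1 with no explanation and no reminder to restore the newer protocol. Add a comment above the call such as `# TLSv1.2 is omitted until mod_nss supports it; re-add it and bump the sysupgrade marker then`. The same range is repeated by hand in the step message changed in the `@@ -119` hunk, so the message and the directive can drift apart; one module-level constant used by both would prevent that. The class body continues outside both hunks.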