|
 |
760a2f |
From 964d13237029e0568f56342917ae386746c0b281 Mon Sep 17 00:00:00 2001
|
|
|
760a2f |
From: Rob Crittenden <rcritten@redhat.com>
|
|
|
760a2f |
Date: Fri, 1 Feb 2019 10:30:40 -0500
|
|
|
760a2f |
Subject: [PATCH] Update mod_nss cipher list so there is overlap with a 4.x
|
|
|
760a2f |
master
|
|
|
760a2f |
|
|
|
760a2f |
dogtag updated its cipher list, disabling a lot of ciphers, which
|
|
|
760a2f |
causes an overlap problem with a RHEL 6.x IPA master.
|
|
|
760a2f |
|
|
|
760a2f |
This update script adds the two available ciphers to the nss.conf
|
|
|
760a2f |
so that creating a CA replica is possible.
|
|
|
760a2f |
|
|
|
760a2f |
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
|
760a2f |
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
|
760a2f |
---
|
|
|
760a2f |
contrib/copy-schema-to-ca-RHEL6.py | 79 ++++++++++++++++++++++++++++++
|
|
|
760a2f |
1 file changed, 79 insertions(+)
|
|
|
760a2f |
|
|
|
760a2f |
diff --git a/contrib/copy-schema-to-ca-RHEL6.py b/contrib/copy-schema-to-ca-RHEL6.py
|
|
|
760a2f |
index 3ed16555e9a63867162b58fe99531db46e867a8b..2b866a52ba99f59db913a127f271c6da63a65b95 100755
|
|
|
760a2f |
--- a/contrib/copy-schema-to-ca-RHEL6.py
|
|
|
760a2f |
+++ b/contrib/copy-schema-to-ca-RHEL6.py
|
|
|
760a2f |
@@ -31,6 +31,12 @@ from ipaserver.install.dsinstance import DS_USER
|
|
|
760a2f |
from ipaserver.install.cainstance import PKI_USER
|
|
|
760a2f |
from ipapython import services
|
|
|
760a2f |
|
|
|
760a2f |
+# for mod_nss
|
|
|
760a2f |
+from ipaserver.install.httpinstance import NSS_CONF
|
|
|
760a2f |
+from ipaserver.install.httpinstance import HTTPInstance
|
|
|
760a2f |
+from ipaserver.install import installutils
|
|
|
760a2f |
+from ipapython import sysrestore
|
|
|
760a2f |
+
|
|
|
760a2f |
SERVERID = "PKI-IPA"
|
|
|
760a2f |
SCHEMA_FILENAMES = (
|
|
|
760a2f |
"60kerberos.ldif",
|
|
|
760a2f |
@@ -100,6 +106,77 @@ def restart_pki_ds():
|
|
|
760a2f |
services.service('dirsrv').restart(SERVERID)
|
|
|
760a2f |
|
|
|
760a2f |
|
|
|
760a2f |
+# The ipa-3-0 set_directive() has very loose comparision of directive
|
|
|
760a2f |
+# which would cause multiple NSSCipherSuite to be added so provide
|
|
|
760a2f |
+# a custom function for it.
|
|
|
760a2f |
+def set_directive(filename, directive, value, quotes=True, separator=' '):
|
|
|
760a2f |
+ """Set a name/value pair directive in a configuration file.
|
|
|
760a2f |
+
|
|
|
760a2f |
+ A value of None means to drop the directive.
|
|
|
760a2f |
+
|
|
|
760a2f |
+ This has only been tested with nss.conf
|
|
|
760a2f |
+ """
|
|
|
760a2f |
+ valueset = False
|
|
|
760a2f |
+ st = os.stat(filename)
|
|
|
760a2f |
+ fd = open(filename)
|
|
|
760a2f |
+ newfile = []
|
|
|
760a2f |
+ for line in fd:
|
|
|
760a2f |
+ if line.lstrip().startswith(directive):
|
|
|
760a2f |
+ valueset = True
|
|
|
760a2f |
+ if value is not None:
|
|
|
760a2f |
+ if quotes:
|
|
|
760a2f |
+ newfile.append('%s%s"%s"\n' %
|
|
|
760a2f |
+ (directive, separator, value))
|
|
|
760a2f |
+ else:
|
|
|
760a2f |
+ newfile.append('%s%s%s\n' % (directive, separator, value))
|
|
|
760a2f |
+ else:
|
|
|
760a2f |
+ newfile.append(line)
|
|
|
760a2f |
+ fd.close()
|
|
|
760a2f |
+ if not valueset:
|
|
|
760a2f |
+ if value is not None:
|
|
|
760a2f |
+ if quotes:
|
|
|
760a2f |
+ newfile.append('%s%s"%s"\n' % (directive, separator, value))
|
|
|
760a2f |
+ else:
|
|
|
760a2f |
+ newfile.append('%s%s%s\n' % (directive, separator, value))
|
|
|
760a2f |
+
|
|
|
760a2f |
+ fd = open(filename, "w")
|
|
|
760a2f |
+ fd.write("".join(newfile))
|
|
|
760a2f |
+ fd.close()
|
|
|
760a2f |
+ os.chown(filename, st.st_uid, st.st_gid) # reset perms
|
|
|
760a2f |
+
|
|
|
760a2f |
+
|
|
|
760a2f |
+def update_mod_nss_cipher_suite():
|
|
|
760a2f |
+ add_ciphers = ['ecdhe_rsa_aes_128_sha', 'ecdhe_rsa_aes_256_sha']
|
|
|
760a2f |
+ ciphers = installutils.get_directive(NSS_CONF, 'NSSCipherSuite')
|
|
|
760a2f |
+
|
|
|
760a2f |
+ # Run through once to see if any of the new ciphers are there but
|
|
|
760a2f |
+ # disabled. If they are then enable them.
|
|
|
760a2f |
+ lciphers = ciphers.split(',')
|
|
|
760a2f |
+ new_ciphers = []
|
|
|
760a2f |
+ for cipher in lciphers:
|
|
|
760a2f |
+ for add in add_ciphers:
|
|
|
760a2f |
+ if cipher.endswith(add):
|
|
|
760a2f |
+ if cipher.startswith('-'):
|
|
|
760a2f |
+ cipher = '+%s' % add
|
|
|
760a2f |
+ new_ciphers.append(cipher)
|
|
|
760a2f |
+
|
|
|
760a2f |
+ # Run through again and add remaining ciphers as enabled.
|
|
|
760a2f |
+ for add in add_ciphers:
|
|
|
760a2f |
+ if add not in ciphers:
|
|
|
760a2f |
+ new_ciphers.append('+%s' % add)
|
|
|
760a2f |
+
|
|
|
760a2f |
+ ciphers = ','.join(new_ciphers)
|
|
|
760a2f |
+ set_directive(NSS_CONF, 'NSSCipherSuite', ciphers, False)
|
|
|
760a2f |
+ root_logger.info('Updated Apache cipher list')
|
|
|
760a2f |
+
|
|
|
760a2f |
+
|
|
|
760a2f |
+def restart_http():
|
|
|
760a2f |
+ root_logger.info('Restarting HTTP')
|
|
|
760a2f |
+ fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
|
|
|
760a2f |
+ http = HTTPInstance(fstore)
|
|
|
760a2f |
+ http.restart()
|
|
|
760a2f |
+
|
|
|
760a2f |
+
|
|
|
760a2f |
def main():
|
|
|
760a2f |
if os.getegid() != 0:
|
|
|
760a2f |
sys.exit("Must be root to run this script")
|
|
|
760a2f |
@@ -110,6 +187,8 @@ def main():
|
|
|
760a2f |
|
|
|
760a2f |
add_ca_schema()
|
|
|
760a2f |
restart_pki_ds()
|
|
|
760a2f |
+ update_mod_nss_cipher_suite()
|
|
|
760a2f |
+ restart_http()
|
|
|
760a2f |
|
|
|
760a2f |
root_logger.info('Schema updated successfully')
|
|
|
760a2f |
|
|
|
760a2f |
--
|
|
|
760a2f |
2.20.1
|
|
|
760a2f |
|