From 6b1fe8db7d5bb08899b3b1ed4a8a48e82d73f13e Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 25 Nov 2014 08:12:53 +0000
Subject: [PATCH] Add TLS 1.2 to the protocol list in mod_nss config
e3ffab
https://fedorahosted.org/freeipa/ticket/4653
e3ffab
Reviewed-By: Martin Kosek <mkosek@redhat.com>
---
 install/tools/ipa-upgradeconfig   | 13 +++++++++++++
 ipaserver/install/httpinstance.py |  7 ++++---
 2 files changed, 17 insertions(+), 3 deletions(-)
e3ffab
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
e3ffab
index 3484f8e8768fe05dddb08e9a40e58d8ad9c2e1e7..6b687fbd73d01f6574cd8ea3193cedba4d5c0e67 100644
e3ffab
--- a/install/tools/ipa-upgradeconfig
e3ffab
+++ b/install/tools/ipa-upgradeconfig
e3ffab
@@ -1274,6 +1274,18 @@ def fix_trust_flags():
e3ffab
     sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)
e3ffab
 
e3ffab
 
e3ffab
+def update_mod_nss_protocol(http):
e3ffab
+    root_logger.info('[Updating mod_nss protocol versions]')
e3ffab
+
e3ffab
+    if sysupgrade.get_upgrade_state('nss.conf', 'protocol_updated_tls12'):
e3ffab
+        root_logger.info("Protocol versions already updated")
e3ffab
+        return
e3ffab
+
e3ffab
+    http.set_mod_nss_protocol()
e3ffab
+
e3ffab
+    sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True)
e3ffab
+
e3ffab
+
e3ffab
 def main():
e3ffab
     """
e3ffab
     Get some basics about the system. If getting those basics fail then
e3ffab
@@ -1375,6 +1387,7 @@ def main():
e3ffab
     http.change_mod_nss_port_from_http()
e3ffab
 
e3ffab
     http.stop()
e3ffab
+    update_mod_nss_protocol(http)
e3ffab
     fix_trust_flags()
e3ffab
     http.start()
e3ffab
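Review bot: The new call runs between http.stop() and http.start(), but update_mod_nss_protocol() persists the 'protocol_updated_tls12' state as soon as the directive is written, before http.start() has demonstrated that the installed mod_nss actually accepts `TLSv1.2` in NSSProtocol. If start() then fails (for instance on a mod_nss build that predates TLS 1.2 support, which I am inferring rather than reading from the patch), the flag is already set and a rerun of the upgrade will skip the step instead of reconciling it. Consider recording the state only after the service has come back up, or guarding the call on the mod_nss version if the installer has that information. main() starts and ends outside this hunk.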
 
e3ffab
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
e3ffab
index 14efa5b937784054bd6aace9ba4cda8f0b46aeb6..f9e020039734c7ff61e06ead0e30fb28701d6fc8 100644
e3ffab
--- a/ipaserver/install/httpinstance.py
e3ffab
+++ b/ipaserver/install/httpinstance.py
e3ffab
@@ -115,7 +115,8 @@ class HTTPInstance(service.Service):
e3ffab
 
e3ffab
 
e3ffab
         self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
e3ffab
-        self.step("setting mod_nss protocol list to TLSv1.0 and TLSv1.1", self.__set_mod_nss_protocol)
e3ffab
+        self.step("setting mod_nss protocol list to TLSv1.0 - TLSv1.2",
e3ffab
+                  self.set_mod_nss_protocol)
e3ffab
         self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
e3ffab
         self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
e3ffab
         self.step("adding URL rewriting rules", self.__add_include)
e3ffab
@@ -205,8 +206,8 @@ class HTTPInstance(service.Service):
e3ffab
     def __set_mod_nss_nickname(self, nickname):
e3ffab
         installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSNickname', nickname)
e3ffab
 
e3ffab
-    def __set_mod_nss_protocol(self):
e3ffab
-        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSProtocol', 'TLSv1.0,TLSv1.1', False)
e3ffab
+    def set_mod_nss_protocol(self):
e3ffab
+        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSProtocol', 'TLSv1.0,TLSv1.1,TLSv1.2', False)
e3ffab
 
e3ffab
     def enable_mod_nss_renegotiate(self):
e3ffab
         installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
e3ffab
-- 
e3ffab
2.1.0
e3ffab