From e1bac92634c2783b4003d496539810a2d993f71d Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 9 Dec 2014 10:33:20 +0000
Subject: [PATCH] Disable TLS 1.2 in nss.conf until mod_nss supports it
---
 install/tools/ipa-upgradeconfig   | 8 ++++++--
 ipaserver/install/httpinstance.py | 4 ++--
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index cf85f58c26510fcd105b54126152a50474c869b5..2691f0b0f217793243f7a0813f351c4364e2a951 100755
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1276,13 +1276,17 @@ def fix_trust_flags():
 def update_mod_nss_protocol(http):
     root_logger.info('[Updating mod_nss protocol versions]')
 
-    if sysupgrade.get_upgrade_state('nss.conf', 'protocol_updated_tls12'):
+    if sysupgrade.get_upgrade_state('nss.conf', 'protocol_updated_tls11'):
         root_logger.info("Protocol versions already updated")
         return
 
     http.set_mod_nss_protocol()
 
-    sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True)
+    sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls11', True)
+
+    if sysupgrade.get_upgrade_state('nss.conf', 'protocol_updated_tls12'):
+        sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12',
+                                     False)
 
 
 def main():
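Review bot: The reset of `protocol_updated_tls12` on the last added lines is wrapped in a `get_upgrade_state` check that appears to buy nothing: as far as this hunk shows, `set_upgrade_state(..., False)` can be called whether or not the key is currently set, so the guard only adds a branch and a second state read; a plain `sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', False)` reads clearer, unless that call is expensive for a reason not visible here. Separately, the `[Updating mod_nss protocol versions]` log line at the top of the function does not tell an administrator that this run narrows the server's protocol list by removing TLSv1.2; since the upgrade log is where such a change would be looked for later, log the outcome explicitly, e.g. `root_logger.info('Setting NSSProtocol to TLSv1.0,TLSv1.1 (TLSv1.2 disabled until mod_nss supports it)')` next to the `http.set_mod_nss_protocol()` call.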
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index cda85ab02b8054748e671935fcfbc3993257c53e..13c44abf59dbaf6f4aef1425992fa8ff181a3007 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -119,7 +119,7 @@ class HTTPInstance(service.Service):
 
 
         self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
-        self.step("setting mod_nss protocol list to TLSv1.0 - TLSv1.2",
+        self.step("setting mod_nss protocol list to TLSv1.0 - TLSv1.1",
                   self.set_mod_nss_protocol)
         self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
         self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
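Review bot: The protocol list now appears as two separate literals that this commit had to edit in lockstep: the step description `"setting mod_nss protocol list to TLSv1.0 - TLSv1.1"` here and the `'TLSv1.0,TLSv1.1'` directive value in the `set_mod_nss_protocol` hunk below, so the next change to the list can silently leave the install log describing a different protocol set than the one actually written to nss.conf. Hoist the value to one class-level constant, e.g. `NSS_PROTOCOLS = 'TLSv1.0,TLSv1.1'`, and derive both the step text and the directive from it. The enclosing method and the `HTTPInstance` class both start and end outside this hunk.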
@@ -214,7 +214,7 @@ class HTTPInstance(service.Service):
         installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSNickname', nickname)
 
     def set_mod_nss_protocol(self):
-        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSProtocol', 'TLSv1.0,TLSv1.1,TLSv1.2', False)
+        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSProtocol', 'TLSv1.0,TLSv1.1', False)
 
     def enable_mod_nss_renegotiate(self):
         installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
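Review bot: The reason TLSv1.2 is dropped from the `NSSProtocol` value in `set_mod_nss_protocol` lives only in the commit subject; the method itself gives no hint that the shorter list is a temporary workaround, so nothing in the code prompts anyone to restore TLSv1.2 once mod_nss gains support, and the server keeps the weaker protocol set indefinitely. Put the rationale next to the literal: `# TLSv1.2 is omitted only because mod_nss does not support it yet; re-add it once it does.` The `HTTPInstance` class continues outside this hunk.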
-- 
2.1.0