From 964d13237029e0568f56342917ae386746c0b281 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 1 Feb 2019 10:30:40 -0500
Subject: [PATCH] Update mod_nss cipher list so there is overlap with a 4.x
master
dogtag updated its cipher list, disabling a lot of ciphers, which
causes an overlap problem with a RHEL 6.x IPA master.
This update script adds the two available ciphers to the nss.conf
so that creating a CA replica is possible.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
contrib/copy-schema-to-ca-RHEL6.py | 79 ++++++++++++++++++++++++++++++
1 file changed, 79 insertions(+)
diff --git a/contrib/copy-schema-to-ca-RHEL6.py b/contrib/copy-schema-to-ca-RHEL6.py
index 3ed16555e9a63867162b58fe99531db46e867a8b..2b866a52ba99f59db913a127f271c6da63a65b95 100755
--- a/contrib/copy-schema-to-ca-RHEL6.py
+++ b/contrib/copy-schema-to-ca-RHEL6.py
@@ -31,6 +31,12 @@ from ipaserver.install.dsinstance import DS_USER
from ipaserver.install.cainstance import PKI_USER
from ipapython import services
+# for mod_nss
+from ipaserver.install.httpinstance import NSS_CONF
+from ipaserver.install.httpinstance import HTTPInstance
+from ipaserver.install import installutils
+from ipapython import sysrestore
+
SERVERID = "PKI-IPA"
SCHEMA_FILENAMES = (
"60kerberos.ldif",
@@ -100,6 +106,77 @@ def restart_pki_ds():
services.service('dirsrv').restart(SERVERID)
+# The ipa-3-0 set_directive() has very loose comparision of directive
+# which would cause multiple NSSCipherSuite to be added so provide
+# a custom function for it.
+def set_directive(filename, directive, value, quotes=True, separator=' '):
+ """Set a name/value pair directive in a configuration file.
+
+ A value of None means to drop the directive.
+
+ This has only been tested with nss.conf
+ """
+ valueset = False
+ st = os.stat(filename)
+ fd = open(filename)
+ newfile = []
+ for line in fd:
+ if line.lstrip().startswith(directive):
+ valueset = True
+ if value is not None:
+ if quotes:
+ newfile.append('%s%s"%s"\n' %
+ (directive, separator, value))
+ else:
+ newfile.append('%s%s%s\n' % (directive, separator, value))
+ else:
+ newfile.append(line)
+ fd.close()
+ if not valueset:
+ if value is not None:
+ if quotes:
+ newfile.append('%s%s"%s"\n' % (directive, separator, value))
+ else:
+ newfile.append('%s%s%s\n' % (directive, separator, value))
+
+ fd = open(filename, "w")
+ fd.write("".join(newfile))
+ fd.close()
+ os.chown(filename, st.st_uid, st.st_gid) # reset perms
+
+
+def update_mod_nss_cipher_suite():
+ add_ciphers = ['ecdhe_rsa_aes_128_sha', 'ecdhe_rsa_aes_256_sha']
+ ciphers = installutils.get_directive(NSS_CONF, 'NSSCipherSuite')
+
+ # Run through once to see if any of the new ciphers are there but
+ # disabled. If they are then enable them.
+ lciphers = ciphers.split(',')
+ new_ciphers = []
+ for cipher in lciphers:
+ for add in add_ciphers:
+ if cipher.endswith(add):
+ if cipher.startswith('-'):
+ cipher = '+%s' % add
+ new_ciphers.append(cipher)
+
+ # Run through again and add remaining ciphers as enabled.
+ for add in add_ciphers:
+ if add not in ciphers:
+ new_ciphers.append('+%s' % add)
+
+ ciphers = ','.join(new_ciphers)
+ set_directive(NSS_CONF, 'NSSCipherSuite', ciphers, False)
+ root_logger.info('Updated Apache cipher list')
+
+
+def restart_http():
+ root_logger.info('Restarting HTTP')
+ fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
+ http = HTTPInstance(fstore)
+ http.restart()
+
+
def main():
if os.getegid() != 0:
sys.exit("Must be root to run this script")
@@ -110,6 +187,8 @@ def main():
add_ca_schema()
restart_pki_ds()
+ update_mod_nss_cipher_suite()
+ restart_http()
root_logger.info('Schema updated successfully')
--
2.20.1