From 6b1fe8db7d5bb08899b3b1ed4a8a48e82d73f13e Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 25 Nov 2014 08:12:53 +0000
Subject: [PATCH] Add TLS 1.2 to the protocol list in mod_nss config

https://fedorahosted.org/freeipa/ticket/4653

Reviewed-By: Martin Kosek <mkosek@redhat.com>
---
 install/tools/ipa-upgradeconfig   | 13 +++++++++++++
 ipaserver/install/httpinstance.py |  7 ++++---
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 3484f8e8768fe05dddb08e9a40e58d8ad9c2e1e7..6b687fbd73d01f6574cd8ea3193cedba4d5c0e67 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1274,6 +1274,18 @@ def fix_trust_flags():
     sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)
 
 
+def update_mod_nss_protocol(http):
+    root_logger.info('[Updating mod_nss protocol versions]')
+
+    if sysupgrade.get_upgrade_state('nss.conf', 'protocol_updated_tls12'):
+        root_logger.info("Protocol versions already updated")
+        return
+
+    http.set_mod_nss_protocol()
+
+    sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True)
+
+
 def main():
     """
     Get some basics about the system. If getting those basics fail then
@@ -1375,6 +1387,7 @@ def main():
     http.change_mod_nss_port_from_http()
 
     http.stop()
+    update_mod_nss_protocol(http)
     fix_trust_flags()
     http.start()
 
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 14efa5b937784054bd6aace9ba4cda8f0b46aeb6..f9e020039734c7ff61e06ead0e30fb28701d6fc8 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -115,7 +115,8 @@ class HTTPInstance(service.Service):
 
 
         self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
-        self.step("setting mod_nss protocol list to TLSv1.0 and TLSv1.1", self.__set_mod_nss_protocol)
+        self.step("setting mod_nss protocol list to TLSv1.0 - TLSv1.2",
+                  self.set_mod_nss_protocol)
         self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
         self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
         self.step("adding URL rewriting rules", self.__add_include)
@@ -205,8 +206,8 @@ class HTTPInstance(service.Service):
     def __set_mod_nss_nickname(self, nickname):
         installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSNickname', nickname)
 
-    def __set_mod_nss_protocol(self):
-        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSProtocol', 'TLSv1.0,TLSv1.1', False)
+    def set_mod_nss_protocol(self):
+        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSProtocol', 'TLSv1.0,TLSv1.1,TLSv1.2', False)
 
     def enable_mod_nss_renegotiate(self):
         installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
-- 
2.1.0