From 51b361f475b3e25ace982873beb05cafcba95808 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka
Date: Jun 06 2017 11:33:54 +0000
Subject: Turn off OCSP check
The OCSP check was previously turned on but it introduced several issues. Therefore the check will be turned off by default. For turning on should be used ipa advise command with correct recipe. The solution is tracked here: https://pagure.io/freeipa/issue/6982
Fixes: https://pagure.io/freeipa/issue/6981
Reviewed-By: Martin Babinsky
---
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index cd7f120..d168481 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -21,24 +21,11 @@ import syslog
 import traceback
-from ipalib import api
 from ipaplatform import services
-from ipaplatform.paths import paths
-from ipapython.certdb import TRUSTED_PEER_TRUST_FLAGS
-from ipaserver.install import certs, installutils
+from ipaserver.install import certs
 def _main():
-
- api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
- api.finalize()
-
- db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
- nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
-
- # Add trust flag which set certificate trusted for SSL connections.
- db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS)
-
 syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 try:
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 12fdddc..f637b97 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -34,8 +34,7 @@ from augeas import Augeas
 from ipalib.install import certmonger
 from ipapython import ipaldap
 from ipapython.certdb import (IPA_CA_TRUST_FLAGS,
- EXTERNAL_CA_TRUST_FLAGS,
- TRUSTED_PEER_TRUST_FLAGS)
+ EXTERNAL_CA_TRUST_FLAGS)
 from ipaserver.install import replication
 from ipaserver.install import service
 from ipaserver.install import certs
@@ -74,6 +73,10 @@ NSS_CIPHER_SUITE = [
 ]
 NSS_CIPHER_REVISION = '20160129'
+OCSP_DIRECTIVE = 'NSSOCSP'
+
+NSS_OCSP_ENABLED = 'nss_ocsp_enabled'
+
 def httpd_443_configured():
 """
@@ -163,7 +166,7 @@ class HTTPInstance(service.Service):
 self.set_mod_nss_protocol)
 self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
 self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
- self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp)
+ self.step("disabling mod_nss OCSP", self.disable_mod_nss_ocsp)
 self.step("adding URL rewriting rules", self.__add_include)
 self.step("configuring httpd", self.__configure_http)
 self.step("setting up httpd keytab", self.request_service_keytab)
@@ -270,7 +273,12 @@ class HTTPInstance(service.Service):
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
- def enable_mod_nss_ocsp(self):
+ def disable_mod_nss_ocsp(self):
+ if sysupgrade.get_upgrade_state('http', NSS_OCSP_ENABLED) is None:
+ self.__disable_mod_nss_ocsp()
+ sysupgrade.set_upgrade_state('http', NSS_OCSP_ENABLED, False)
+
+ def __disable_mod_nss_ocsp(self):
 aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)
 aug.set('/augeas/load/Httpd/lens', 'Httpd.lns')
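Review bot: `disable_mod_nss_ocsp` and `__disable_mod_nss_ocsp` in the `@@ -270,7 +273,12 @@` hunk carry no docstring, so the reason for the `is None` guard — comment NSSOCSP out exactly once and never revert an administrator who later turns it back on — survives only in the commit message. I would add `"""Comment out NSSOCSP in nss.conf once; the 'http'/NSS_OCSP_ENABLED upgrade-state marker keeps a later manual re-enable (e.g. via ipa-advise) from being reverted on the next upgrade."""` to `disable_mod_nss_ocsp`, plus a one-line note that with NSSOCSP off mod_nss no longer consults OCSP for the certificates it validates, which is a revocation-checking trade-off operators should find in the code and not only in the changelog. The collapsed hunk does not show whether `sysupgrade.set_upgrade_state(...)` sits inside the `if`; if it is outside, the marker is rewritten to False on every run, which is harmless but deserves a comment either way. `class HTTPInstance` starts outside the hunk.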
@@ -278,22 +286,21 @@ class HTTPInstance(service.Service):
 aug.load()
 path = '/files{}/VirtualHost'.format(paths.HTTPD_NSS_CONF)
+ ocsp_path = '{}/directive[.="{}"]'.format(path, OCSP_DIRECTIVE)
+ ocsp_arg = '{}/arg'.format(ocsp_path)
+ ocsp_comment = '{}/#comment[.="{}"]'.format(path, OCSP_DIRECTIVE)
- ocsp_comment = aug.get(
- '{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path))
- ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path))
+ ocsp_dir = aug.get(ocsp_path)
- if ocsp_dir is None and ocsp_comment is not None:
- # Directive is missing, comment is present
- aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path),
- 'NSSOCSP')
- aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive')
- elif ocsp_dir is None:
- # Directive is missing and comment is missing
- aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP")
+ # there is NSSOCSP directive in nss.conf file, comment it
+ # otherwise just do nothing
+ if ocsp_dir is not None:
+ ocsp_state = aug.get(ocsp_arg)
+ aug.remove(ocsp_arg)
+ aug.rename(ocsp_path, '#comment')
+ aug.set(ocsp_comment, '{} {}'.format(OCSP_DIRECTIVE, ocsp_state))
+ aug.save()
- aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on')
- aug.save()
 def set_mod_nss_cipher_suite(self):
 ciphers = ','.join(NSS_CIPHER_SUITE)
@@ -412,8 +419,6 @@ class HTTPInstance(service.Service):
 self.__set_mod_nss_nickname(nickname)
 self.add_cert_to_service()
- db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS)
-
 else:
 if not self.promote:
 ca_args = [
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index b1f59d3..732776f 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
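Review bot: In the `@@ -278,22 +286,21 @@` hunk the NSSOCSP directive is commented out silently, so an explicit `NSSOCSP on` an administrator configured themselves is removed exactly like the value FreeIPA once set, and nothing in the upgrade log records it; I would log the previous value before the rename, e.g. `logger.info('Disabling %s in %s (was: %s)', OCSP_DIRECTIVE, paths.HTTPD_NSS_CONF, ocsp_state)` using whichever logger this module has in scope, which the hunk does not show. The new `#comment[.="NSSOCSP"]` path also assumes no other comment node in the VirtualHost has exactly that value; if one does, `aug.set(ocsp_comment, ...)` addresses several nodes and, as far as I recall python-augeas, raises instead of writing. The method `__disable_mod_nss_ocsp` whose body this hunk edits begins in the previous hunk.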
@@ -1395,24 +1395,6 @@ def fix_trust_flags():
 sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)
-def fix_server_cert_trust_flags():
- root_logger.info(
- '[Fixing server certificate trust flags in %s]' %
- paths.HTTPD_ALIAS_DIR)
-
- if sysupgrade.get_upgrade_state('http', 'fix_serv_cert_trust_flags'):
- root_logger.info("Trust flags already processed")
- return
-
- db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
- sc_nickname = installutils.get_directive(paths.HTTPD_NSS_CONF,
- "NSSNickname")
- # Add trust flag which set certificate trusted for SSL connections.
- db.trust_root_cert(sc_nickname, certdb.TRUSTED_PEER_TRUST_FLAGS)
-
- sysupgrade.set_upgrade_state('http', 'fix_serv_cert_trust_flags', True)
-
-
 def update_mod_nss_protocol(http):
 root_logger.info('[Updating mod_nss protocol versions]')
@@ -1425,9 +1407,9 @@ def update_mod_nss_protocol(http):
 sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True)
-def enable_mod_nss_ocsp(http):
+def disable_mod_nss_ocsp(http):
 root_logger.info('[Updating mod_nss enabling OCSP]')
- http.enable_mod_nss_ocsp()
+ http.disable_mod_nss_ocsp()
 def update_mod_nss_cipher_suite(http):
@@ -1721,9 +1703,8 @@ def upgrade_configuration():
 update_ipa_httpd_service_conf(http)
 update_mod_nss_protocol(http)
 update_mod_nss_cipher_suite(http)
- enable_mod_nss_ocsp(http)
+ disable_mod_nss_ocsp(http)
 fix_trust_flags()
- fix_server_cert_trust_flags()
 update_http_keytab(http)
 http.configure_gssproxy()
 http.start()
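Review bot: The log line kept in the renamed `disable_mod_nss_ocsp` in the `@@ -1425,9 +1407,9 @@` hunk still reads `'[Updating mod_nss enabling OCSP]'`, so the upgrade log now states the opposite of what the step does; change it to `root_logger.info('[Updating mod_nss disabling OCSP]')`. Since `http.disable_mod_nss_ocsp()` is guarded by upgrade state and only acts once, this message will also be printed on every later upgrade when nothing is touched, which misleads an operator auditing revocation-check configuration; logging at the point where the directive is actually commented out, or wording it as `'[Updating mod_nss OCSP setting]'`, avoids that.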