freeipa

Clone
Source Code
GIT

f037bfa httpinstance: disable system trust module in /etc/httpd/alias

3 files Authored by jcholast 7 years ago, Committed by mbasti 7 years ago,
raw patch tree parent
3 files changed. 31 lines added. 0 lines removed.
ipaplatform/base/paths.py
file modified
+1 -0
ipaserver/install/httpinstance.py
file modified
+14 -0
ipaserver/install/server/upgrade.py
file modified
+16 -0 
    httpinstance: disable system trust module in /etc/httpd/alias
    
    Currently the NSS database in /etc/httpd/alias is installed with the system
    trust module enabled. This is problematic for a number of reasons:
    
    * IPA has its own trust store, which is effectively bypassed when the
      system trust module is enabled in the database. This may cause IPA
      unrelated CAs to be trusted by httpd, or even IPA related CAs not to be
      trusted by httpd.
    
    * On client install, the IPA trust configuration is copied to the system
      trust store for third parties. When this configuration is removed, it may
      cause loss of trust information in /etc/httpd/alias
      (https://bugzilla.redhat.com/show_bug.cgi?id=1427897).
    
    * When a CA certificate provided by the user in CA-less install conflicts
      with a CA certificate in the system trust store, the latter may be used
      by httpd, leading to broken https
      (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).
    
    Disable the system trust module on install and upgrade to prevent the
    system trust store to be used in /etc/httpd/alias and fix all of the above
    issues.
    
    https://pagure.io/freeipa/issue/6132
    
    Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
file modified
+1 -0
file modified
+14 -0
file modified
+16 -0
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.