#4853 Utilize system-wide crypto-policies
Closed: fixed 6 years ago Opened 9 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1179220

Please convert to use the system's crypto policy for SSL and TLS:
https://fedoraproject.org/wiki/Packaging:CryptoPolicies

If this program is compiled against gnutls, change the default priority string
to be "@SYSTEM" or to use gnutls_set_default_priority().

If this program is compiled against openssl, and there is no default cipher
list specified, you don't need to modify it. Otherwise replace the default
cipher list with "PROFILE=SYSTEM".

In both cases please verify that the application uses the system's crypto
policies.

If the package is already using the system-wide crypto policies, or it does not
use SSL or TLS, no action is required, the bug can simply be closed.
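The "PROFILE=SYSTEM" cipher string described above is understood only by OpenSSL builds that carry Fedora's system-cipherlist patch, so an application that sets it must cope with a stock OpenSSL rejecting it. The following Python snippet is an added example, not code from the ticket or from FreeIPA: it tries to defer cipher selection to the system policy via the standard `ssl` module and reports whether the running OpenSSL accepted the profile string (the function names are my own).

```python
import ssl

# "PROFILE=SYSTEM" is only recognised by OpenSSL builds carrying Fedora's
# system-cipherlist patch; a stock OpenSSL raises "No cipher can be selected."
SYSTEM_PROFILE = "PROFILE=SYSTEM"


def apply_system_crypto_policy(ctx):
    """Point ctx at the system-wide crypto policy when the OpenSSL build supports it.

    Returns True when the policy was applied and False when the build does not
    understand the profile string; in the latter case ctx keeps the cipher list it
    already had, so the caller never ends up with an empty cipher list.
    """
    try:
        ctx.set_ciphers(SYSTEM_PROFILE)
    except ssl.SSLError:
        return False
    return True


def make_client_context():
    """Build a verifying client context that follows the system policy where available.

    Returns (context, uses_system_policy).
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    uses_policy = apply_system_crypto_policy(ctx)
    return ctx, uses_policy


def verifies_peer(ctx):
    """Certificate verification must survive the cipher change either way."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def offers_ciphers(ctx):
    """Sanity check: the context still negotiates at least one cipher suite."""
    return len(ctx.get_ciphers()) > 0


if __name__ == "__main__":
    context, uses_policy = make_client_context()
    print("system crypto policy applied:", uses_policy)
    print("cipher suites available:", len(context.get_ciphers()))
```

On a Fedora or RHEL-derived build `uses_policy` is True and the enabled suites follow `update-crypto-policies`; elsewhere the context silently keeps Python's default cipher list, which is why the return value should be logged rather than ignored.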

FreeIPA uses neither OpenSSL nor GnuTLS for SSL yet. I removed the ssl module in #5068. It looks like we don't have to do anything for now. I've asked the original reporter on Bugzilla. Let's see what he has to say about NSS.

I also did some digging because I wasn't familiar with the feature. The profile feature is not part of OpenSSL. It is part of a Fedora patch. The feature works only on Fedora and maybe on other Red Hat systems. I haven't checked RHEL yet.

http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-1.0.1h-system-cipherlist.patch?id=646646611547dd7072b0562ed5f27861fbb12f48

http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl.spec?id=646646611547dd7072b0562ed5f27861fbb12f48#n275

--- Comment #7 from Nikos Mavrogiannopoulos ---
NSS cannot be configured to use the system wide policies. In that case that bug
should depend on:
https://bugzilla.redhat.com/show_bug.cgi?id=1157720

FreeIPA indirectly uses OpenSSL through Dogtag PKI. Dogtag makes use of the requests library, which in turn depends on Python's ssl module. As of now there is no way to configure requests' cipher list.

During processing of remaining tickets in 4.2 Backlog, this ticket was found suitable to be fixed in the nearest bugfixing branch - which is 4.2.x.

BTW, this is also relevant to DNSSEC. BIND integration is already done in Fedora, so we can easily backport it (if we are allowed to backport relevant parts of system wide policies).

See BIND bug https://bugzilla.redhat.com/show_bug.cgi?id=1179925

FreeIPA 4.2.1 was released, moving to 4.2.x.

Metadata Update from @mkosek:
- Issue assigned to cheimes
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

I changed the target version to 4.7 since it's technically a new feature.

https://github.com/freeipa/freeipa/pull/1561 implements crypto policy for bind and HTTPS. I think it doesn't update an existing named.conf. I'll figure that out later.
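The open point in the comment above is upgrading an existing named.conf rather than only templating a fresh one. The Python below is an added example of such an idempotent upgrade step, written for this page and not taken from the FreeIPA pull request: it inserts the BIND crypto-policy include as the first statement of the top-level `options` block, leaves a file that already has it untouched, and treats a missing named.conf as "nothing to do" rather than an error. The include path is assumed from Fedora's crypto-policies package, and the sample configuration is constructed for the demonstration.

```python
import os
import re

# BIND snippet shipped by Fedora's crypto-policies package (assumed path,
# taken from the packaging guidelines referenced in this ticket).
CRYPTO_POLICY_INCLUDE = 'include "/etc/crypto-policies/back-ends/bind.config";'

_INCLUDE_RE = re.compile(
    r'^\s*include\s+"/etc/crypto-policies/back-ends/bind\.config"\s*;',
    re.MULTILINE)
# Opening line of the top-level options block, e.g. "options {" on its own line.
_OPTIONS_OPEN_RE = re.compile(r'^options\s*\{[ \t]*\n', re.MULTILINE)


def has_crypto_policy(text):
    """True when named.conf already pulls in the crypto-policies snippet."""
    return _INCLUDE_RE.search(text) is not None


def add_crypto_policy(text):
    """Return (new_text, changed).

    The include directive becomes the first statement of the options block.
    Idempotent: a file that already contains it is returned unchanged.
    """
    if has_crypto_policy(text):
        return text, False
    m = _OPTIONS_OPEN_RE.search(text)
    if m is None:
        raise ValueError("named.conf has no options block to update")
    at = m.end()
    return text[:at] + "\t" + CRYPTO_POLICY_INCLUDE + "\n" + text[at:], True


def upgrade_named_conf(path):
    """Upgrade the file in place; returns True when it was modified.

    A missing named.conf means the DNS component is not installed, which is
    a normal state for an upgrade step, so it yields False instead of raising.
    """
    if not os.path.exists(path):
        return False
    with open(path) as f:
        text = f.read()
    new_text, changed = add_crypto_policy(text)
    if changed:
        with open(path, "w") as f:
            f.write(new_text)
    return changed


# Constructed sample of a pre-policy named.conf, for demonstration only.
SAMPLE_NAMED_CONF = """\
options {
\tlisten-on-v6 {any;};
\tdirectory "/var/named";
\tdnssec-validation yes;
};

include "/etc/named.rfc1912.zones";
"""

if __name__ == "__main__":
    updated, changed = add_crypto_policy(SAMPLE_NAMED_CONF)
    print("changed:", changed)
    print(updated)
```

Running the block twice on the same text shows the idempotency that an upgrade step needs: the second call returns the input unchanged with `changed == False`. The regex anchors on a top-level `options {` line, so an include that a site has placed elsewhere (for instance at file scope) is still detected by `has_crypto_policy` and not duplicated.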

Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1561 (was: 0)
- Issue close_status updated to: None
- Issue set to the milestone: FreeIPA 4.7 (was: FreeIPA 4.5 backlog)

6 years ago

master:

  • 90a75f0 Use system-wide crypto-policies on Fedora
  • aee0d21 Upgrade named.conf to include crypto policy
  • 68caeb8 Add mocked test for named crypto policy update

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

master:

  • 421fc37 Fix upgrade when named.conf does not exist

