Within the /ipa Location on ipa.conf we should add NSSRequireSSL to require that SSL is enabled to do negotiate authentication. This is an added level of protection in case a user messes up our rewrite rules.
attachment freeipa-rcrit-882-ssl.patch
master: f42da43
ipa-2-1: 384d4e8
As Rob reported in http://www.redhat.com/archives/freeipa-devel/2011-September/msg00360.html this breaks the installation. Reopening. A ticket based on a fix suggested by Rob has been sent to the list.
attachment freeipa-mkosek-127-nssrequiressl-should-not-be-required-for-entire-ipa.patch
Firefox doesn't send the password to URIs that haven't requested authentication so we are ok there sending credentials.
Pushing to 3.0 for more careful consideration as it will cause major changes to ipa.conf.
Moving the ticket to the next month iteration.
Patch is obsolete, removing on_review flag.
Metadata Update from @rcritten: - Issue assigned to rcritten - Issue set to the milestone: Tickets Deferred
I'm going to close this. I can't recall any reported case where a user has messed with the rewrite rules which enforce https requests.
Metadata Update from @rcritten: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)