Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1154687
Description of problem: When the IPA servers in an infrastructure are configured to require TLS 1.1 or higher in httpd, the 'ipa' command-line tool fails.
Version-Release number of selected component (if applicable): RHEL 6.5
How reproducible: Always
Steps to Reproduce:
1. Install IPA
2. Run "ipa user-show admin" to confirm functionality
3. Edit /etc/httpd/conf.d/nss.conf to require TLS 1.1 or 1.2 only
4. Attempt "ipa user-show admin" or any other ipa subcommand.
Actual results: The ipa command fails to contact the servers
Expected results: The ipa command operates normally
Additional info: A testbed reproducer is being built in Amazon EC2. I'm happy to clone the testbed and share the AMI with anyone working on the bug.
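Step 3 of the reproducer above changes the server side: httpd's mod_nss is told to offer only TLS 1.1 and 1.2, which is also what removes SSLv3 (the POODLE exposure). mod_nss expresses that with its NSSProtocol directive. The following is an added example, not code from the ticket, FreeIPA or mod_nss: it parses an nss.conf-style file, reports which protocol versions are still enabled and whether SSLv3 is among them, so an administrator can confirm the hardened state and see the floor that IPA clients must meet. The two sample configurations and the helper names are constructed for this example.

```python
"""Added example (not from the ticket or from FreeIPA): audit a mod_nss
configuration for the protocol versions it still offers.

The sample configs below are constructed for the example; only the
NSSProtocol directive and its version spellings come from mod_nss.
"""
import re

# Protocol names as mod_nss spells them in NSSProtocol, oldest to newest.
PROTOCOL_ORDER = ("SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2")

# Matches an active (not commented-out) NSSProtocol line and captures its value.
_DIRECTIVE = re.compile(r"^\s*NSSProtocol\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def enabled_protocols(nss_conf_text):
    """Return the protocols NSSProtocol enables, ordered oldest to newest.

    Commented-out lines are ignored. If the directive appears more than once
    the last occurrence is used (assumption for this example, modelled on how
    httpd lets a later directive override an earlier one in the same scope).
    Returns None when the directive is absent, meaning mod_nss's own default
    applies and the file does not pin the protocol set.
    """
    matches = _DIRECTIVE.findall(nss_conf_text)
    if not matches:
        return None
    wanted = {p.strip().lower() for p in matches[-1].split(",")}
    return tuple(p for p in PROTOCOL_ORDER if p.lower() in wanted)


def sslv3_enabled(nss_conf_text):
    """True when the configuration still offers SSLv3 (the POODLE condition)."""
    protos = enabled_protocols(nss_conf_text)
    return protos is not None and "SSLv3" in protos


def minimum_version(nss_conf_text):
    """Oldest protocol the server will accept, or None if not pinned."""
    protos = enabled_protocols(nss_conf_text)
    return protos[0] if protos else None


# Constructed sample: the pre-fix state, SSLv3 still offered.
WEAK_NSS_CONF = """\
# constructed example, not a real nss.conf
Listen 443
<VirtualHost _default_:443>
NSSEngine on
NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2
</VirtualHost>
"""

# Constructed sample: the state the reproducer's step 3 creates.
HARDENED_NSS_CONF = """\
# constructed example, not a real nss.conf
Listen 443
<VirtualHost _default_:443>
NSSEngine on
#NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2
NSSProtocol TLSv1.1,TLSv1.2
</VirtualHost>
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_NSS_CONF), ("hardened", HARDENED_NSS_CONF)):
        print(label, enabled_protocols(text), "SSLv3 enabled:", sslv3_enabled(text))
```

Run against a real file with `enabled_protocols(open("/etc/httpd/conf.d/nss.conf").read())`; a result of None means the file relies on mod_nss defaults rather than pinning the set, which is worth knowing before assuming SSLv3 is off.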
This ticket should cover any other client/server part fixes for preventing POODLE attack.
With python-nss-0.16 this can be addressed with one line of code in ipapython/nsslib.py:
self.sock.set_ssl_version_range(ssl.SSL_LIBRARY_VERSION_TLS_1_1, ssl.SSL_LIBRARY_VERSION_TLS_1_2)
I'd recommend extending handshake_callback() as well to print a lot more information that is now available due to the addition of get_ssl_channel_info() and get_cipher_suite_info(). We can print the version of SSL/TLS in the connection along with the cipher, plus a bunch of other interesting bits if desired.
I'd also recommend adding a new variable to constants.py that defines the protocols to enable, defaulting to tls1.1,tls1.2.
Note that the call to set the protocols sets a range, min to max, with no holes. So you can't for example enable tls1.0 and tls1.2 w/o also enabling tls1.1.
I don't think this option needs to be added to default.conf for now but it would allow a user to override it if desired.
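The comment above proposes a configurable protocol list defaulting to tls1.1,tls1.2 and points out that set_ssl_version_range() takes a contiguous min..max range with no holes. The following is an added example, not FreeIPA's or python-nss's code: it turns such a list into the (min, max) pair the NSS call needs, rejects lists that cannot be expressed as a single range (for instance tls1.0,tls1.2 without tls1.1), and adds a check that a version reported after the handshake falls inside the configured range, the kind of information the richer handshake_callback() would expose. The protocol spellings, helper names and the negotiated-version check are assumptions; the NSS constant names follow the SSL_LIBRARY_VERSION_* scheme quoted above and are kept as strings so the example runs without python-nss installed.

```python
"""Added example, not FreeIPA's or python-nss's own code: derive the
(min, max) pair that set_ssl_version_range() needs from a comma-separated
protocol list such as the proposed constants.py default "tls1.1,tls1.2".

Protocol spellings and helper names are assumptions for this example.
"""

# Oldest to newest; NSS's range API enables every version between min and max.
TLS_VERSIONS = ("ssl3", "tls1.0", "tls1.1", "tls1.2")

# Attribute names in python-nss's ssl module for the same versions, kept as
# strings here so the example runs without python-nss.
NSS_VERSION_CONSTANTS = {
    "ssl3": "SSL_LIBRARY_VERSION_3_0",
    "tls1.0": "SSL_LIBRARY_VERSION_TLS_1_0",
    "tls1.1": "SSL_LIBRARY_VERSION_TLS_1_1",
    "tls1.2": "SSL_LIBRARY_VERSION_TLS_1_2",
}

# The default proposed in the comment above.
DEFAULT_TLS_PROTOCOLS = "tls1.1,tls1.2"


def parse_tls_range(spec=DEFAULT_TLS_PROTOCOLS):
    """Return (oldest, newest) protocol names for a comma-separated spec.

    Raises ValueError on unknown names, an empty list, or a list with a hole,
    because set_ssl_version_range() cannot express a non-contiguous set.
    """
    names = [n.strip().lower() for n in spec.split(",") if n.strip()]
    if not names:
        raise ValueError("no TLS protocols given")
    unknown = [n for n in names if n not in TLS_VERSIONS]
    if unknown:
        raise ValueError("unknown TLS protocol(s): %s" % ", ".join(unknown))
    indexes = sorted({TLS_VERSIONS.index(n) for n in names})
    wanted = list(range(indexes[0], indexes[-1] + 1))
    if indexes != wanted:
        missing = [TLS_VERSIONS[i] for i in wanted if i not in indexes]
        raise ValueError("NSS version range must be contiguous; missing %s"
                         % ", ".join(missing))
    return TLS_VERSIONS[indexes[0]], TLS_VERSIONS[indexes[-1]]


def is_valid_tls_range(spec):
    """True if spec can be expressed as a single NSS min..max range."""
    try:
        parse_tls_range(spec)
    except ValueError:
        return False
    return True


def nss_range_constants(spec=DEFAULT_TLS_PROTOCOLS):
    """Constant names to hand to set_ssl_version_range(min, max)."""
    lo, hi = parse_tls_range(spec)
    return NSS_VERSION_CONSTANTS[lo], NSS_VERSION_CONSTANTS[hi]


def negotiated_within_range(negotiated, spec=DEFAULT_TLS_PROTOCOLS):
    """Check a version reported after the handshake against the configured range.

    A richer handshake_callback() can log the negotiated protocol version; a
    value below the configured minimum marks a connection that should not
    have been allowed to complete (constructed check for this example).
    """
    lo, hi = parse_tls_range(spec)
    idx = TLS_VERSIONS.index(negotiated.lower())
    return TLS_VERSIONS.index(lo) <= idx <= TLS_VERSIONS.index(hi)


if __name__ == "__main__":
    print(parse_tls_range())                     # ('tls1.1', 'tls1.2')
    print(nss_range_constants())
    print(is_valid_tls_range("tls1.0,tls1.2"))   # False: hole at tls1.1
```

In real client code the two names returned by nss_range_constants() would be resolved with getattr on the nss.ssl module and passed straight to sock.set_ssl_version_range(); validating the configured list up front gives the user a clear error instead of an NSS failure at connect time.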
FreeIPA 4.1.1 was released.
master:
ipa-4-1:
List of what's left: https://www.redhat.com/archives/freeipa-devel/2014-November/msg00431.html
mod_nss is now also configured on upgrade (just once so that it can be overridden by admin)
4.1.2 was released.
Jan - just checking, all we are waiting for at the moment is Requires on next 389-ds-base 1.3.3.6, right?
That's correct.
Bump 389-ds-base and pki-ca dependencies for POODLE fixes
Metadata Update from @mkosek: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 4.1.3