HonzaCholasta
2017-03-02 08:09:53 UTC
URL: https://github.com/freeipa/freeipa/pull/531
Author: HonzaCholasta
Title: #531: httpinstance: don't load system trust module in /etc/httpd/alias
Action: opened
PR body:
"""
Currently the NSS database in /etc/httpd/alias is installed with the system
trust module enabled via a /etc/httpd/alias/libnssckbi.so symlink. This is
problematic for a number of reasons:
* IPA has its own trust store, which is effectively bypassed when the
system trust module is enabled in the database. This may cause
IPA-unrelated CAs to be trusted by httpd, or even IPA-related CAs not to be
trusted by httpd.
* On client install, the IPA trust configuration is copied to the system
trust store for third parties. When this configuration is removed, it may
cause loss of trust information in /etc/httpd/alias
(https://bugzilla.redhat.com/show_bug.cgi?id=1427897).
* When a CA certificate provided by the user in CA-less install conflicts
with a CA certificate in the system trust store, the latter may be used
by httpd, leading to broken https
(https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).
Rename the symlink on install and upgrade to prevent the system trust
module from being loaded in /etc/httpd/alias and fix all of the above issues.
https://pagure.io/freeipa/issue/6132
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/531/head:pr531
git checkout pr531
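An added audit helper, not part of the PR or of FreeIPA: it checks whether an NSS database directory still carries the libnssckbi.so entry that makes NSS load the system trust module, lists the registered modules when modutil is available, and disables the entry by renaming it. The directory argument and the ".disabled" suffix are assumptions of this example; the PR does not specify the new name.

```shell
# Added example (not FreeIPA code). Audit an NSS database directory for the
# libnssckbi.so symlink that pulls the system trust module into the database.
# Returns 0 (and reports the link target) when the module would be loaded,
# 1 when it would not.
nss_system_trust_check() {
    dbdir=$1
    link="$dbdir/libnssckbi.so"
    if [ -L "$link" ] || [ -e "$link" ]; then
        target=$(readlink "$link" 2>/dev/null || echo "(regular file)")
        printf '%s: system trust module enabled via %s -> %s\n' \
            "$dbdir" "$link" "$target"
        return 0
    fi
    printf '%s: system trust module not loaded\n' "$dbdir"
    return 1
}

# Deeper check when NSS tools are installed: modutil lists the modules
# actually registered in the database (no-op when modutil is absent).
nss_list_modules() {
    command -v modutil >/dev/null 2>&1 || return 0
    modutil -dbdir "$1" -list 2>/dev/null
}

# Remediation in the spirit of the PR: rename the symlink so NSS no longer
# picks it up. The ".disabled" suffix is an assumption of this example.
nss_disable_system_trust() {
    link="$1/libnssckbi.so"
    [ -L "$link" ] || return 1
    mv "$link" "$link.disabled"
}
```

Run it against /etc/httpd/alias on a server to confirm the symlink is gone after upgrading with this change.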