[PATCH] 0037-2, 0053 ensure correct CRL contents for host CA
by Fraser Tweedale
The attached patches fix https://fedorahosted.org/pki/ticket/1626.
0037-2: earlier patch to store issuer DN in certificate entries,
updated to add indices for the 'issuerName' attribute.
0053: updates the filter used by CRLIP to find certs to include in
CRL.
Note the following limitations:
1. No database update in relation to issuerName attribute and
indices. If people are otherwise satisfied with the patch, I will
file a ticket for the database upgrade aspect.
2. There is no way to define CRLIP for a lightweight CA. There is a
separate ticket for this: https://fedorahosted.org/pki/ticket/1626
(currently not a priority).
Cheers,
Fraser
[PATCH] pki-cfu-0106-Ticket-1648-RFE-provide-separate-cipher-lists-for-CS.patch
by Christina Fu
Please review.
https://fedorahosted.org/pki/ticket/1648 [RFE] provide separate cipher
lists for CS instances acting as client and server
This patch allows the administrator to specify an allowed list of ssl
ciphers for subsystem->subsystem communication that is separate from the
server one in server.xml
Note:
* it is only meant for cs subsystem->subsystem communication; i.e.
ca->kra, tps->ca, tps->kra, tps->tks (e.g. not for connection to the
ldap server, internal, publishing, or authentication)
* the clientCiphers configuration is a "strict" list, meaning, only the
ciphers in the comma separated list are enabled in the connection when
acting as a client
* if the clientCiphers configuration parameter is undefined, default
action is taken to enable all available ciphers provided (that means it
works as it did prior to this patch)
* pki-core and pki-util packages are expected to be updated together for
the newly added clientCiphers String parameter in various affected
connection interfaces; since it is handled in a way that if this
parameter is null, it goes to default, as they are expected to be
internal to cs subsystems
How to test (what I have tested):
* turn on a couple ECDH_RSA_* ciphers on the server side for CA and KRA:
- edit <ca instance dir>/conf/server.xml, search for
sslRangeCiphers, and turn '-' to '+' for, say,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- restart ca
- repeat for kra
- expect browser to connect to ca and kra with the TLS_ECDHE_RSA_*
ciphers that are turned on
- verify using ssltap or any tool that can catch and report from an
ssl session
* turn on client side ciphers in the ca for talking to the kra:
- edit <ca instance dir>/ca/conf/CS.cfg, add a list of ciphers
WITHOUT the TLS_ECDHE_* ciphers, e.g.
ca.connector.KRA.clientCiphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
- expect ca to connect to kra using the ciphers allowed in the
clientCiphers list by doing an enrollment with archival
- verify using ssltap or any tool that can catch and report from an
ssl session
* perform the same test between tps and other subsystems.
tps.connector.<ca id>.clientCiphers=< your selected cipher list>
tps.connector.<kra id>.clientCiphers=< your selected cipher list>
tps.connector.<tks id>.clientCiphers=< your selected cipher list>
thanks,
Christina
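An offline companion to the ssltap verification in the test plan above, added here as an example and not part of the pki-devel thread or of the Dogtag code base: it reads the server's sslRangeCiphers attribute and a connector's clientCiphers setting and predicts which suites the two sides can actually negotiate, applying the strict-list and absent-key-means-all semantics the patch description gives. The sample server.xml and CS.cfg fragments, the AVAILABLE_CIPHERS set standing in for the client-side NSS cipher table, and the assumption that sslRangeCiphers is a comma-separated list of '+'/'-' prefixed suite names are all constructed for this example.

```python
import re

# Constructed sample inputs standing in for <instance>/conf/server.xml and
# <instance>/ca/conf/CS.cfg; they are not copied from a real deployment.
SERVER_XML = (
    '<Connector port="8443" SSLEnabled="true"\n'
    '  sslRangeCiphers="-TLS_RSA_WITH_3DES_EDE_CBC_SHA,'
    '+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,'
    '+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,'
    '-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" />\n'
)

CS_CFG = (
    "ca.connector.KRA.enable=true\n"
    "ca.connector.KRA.host=kra.example.test\n"
    "ca.connector.KRA.port=8443\n"
    "ca.connector.KRA.clientCiphers="
    "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA\n"
)

# Cipher suites the client-side NSS build is assumed to offer
# (a constructed subset, not the real NSS table).
AVAILABLE_CIPHERS = frozenset({
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
})


def server_enabled_ciphers(server_xml):
    """Return the suite names switched on ('+') in sslRangeCiphers."""
    m = re.search(r'sslRangeCiphers="([^"]*)"', server_xml)
    if m is None:
        raise ValueError("no sslRangeCiphers attribute found")
    enabled = set()
    for token in m.group(1).split(","):
        token = token.strip()
        if not token:
            continue
        flag, name = token[0], token[1:]
        if flag == "+":
            enabled.add(name)
        elif flag != "-":
            raise ValueError("cipher entry must start with '+' or '-': %r" % token)
    return enabled


def parse_cs_cfg(text):
    """Parse key=value lines of a CS.cfg fragment into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def client_ciphers(cfg, key, available=AVAILABLE_CIPHERS):
    """Suites a connector offers when acting as TLS client.

    Strict semantics from the patch description: if <key> is set, only the
    listed suites are enabled; if it is absent, every available suite is.
    """
    value = cfg.get(key)
    if value is None:
        return set(available)
    return {c.strip() for c in value.split(",") if c.strip()}


def unknown_ciphers(cfg, key, available=AVAILABLE_CIPHERS):
    """Names in the client list that NSS does not offer (typos, wrong suite)."""
    if key not in cfg:
        return set()
    return client_ciphers(cfg, key, available) - set(available)


def negotiable_ciphers(server_xml, cs_cfg_text, key, available=AVAILABLE_CIPHERS):
    """Sorted suites both sides allow; an empty list predicts handshake failure."""
    offered = client_ciphers(parse_cs_cfg(cs_cfg_text), key, available) & set(available)
    return sorted(offered & server_enabled_ciphers(server_xml))


if __name__ == "__main__":
    key = "ca.connector.KRA.clientCiphers"
    print("CA -> KRA can negotiate:", negotiable_ciphers(SERVER_XML, CS_CFG, key))
    print("unrecognised client entries:", unknown_ciphers(parse_cs_cfg(CS_CFG), key))
```

Run it against the real files before restarting: an empty result for a connector means the subsystem-to-subsystem handshake will fail even though a browser still connects fine, and a non-empty unknown_ciphers set usually means a misspelled suite name that NSS will silently ignore.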
[PATCH] 652 Updated TPS UI element IDs.
by Endi Sukma Dewata
The TPS UI navigation elements have been updated to add the
missing names and to use better names. The checkbox IDs in various
pages have also been renamed for consistency.
The pki-ui.js has been modified to use the checkbox ID of the
template row instead of table name to construct the checkbox ID
of the actual rows.
https://fedorahosted.org/pki/ticket/1622
--
Endi S. Dewata
[PATCH] 0048-0049 Lightweight CAs: implement deletion
by Fraser Tweedale
The attached patches fix some incorrect synchronization of the
lightweight CAs index (patch 0048) and implement deletion of
lightweight CAs (patch 0049).
These patches replace earlier patches 0048 and 0049 which I rescind.
There is a commented out throw in
CertificateAuthority.deleteAuthority(); I don't yet understand what
causes this failure case but a) everything seems to work (at least
with the small numbers of lightweight CAs I've tested with) and b)
I'm seeking clarification from NSS experts on the matter, so stay
tuned.
Cheers,
Fraser