Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Backport][ipa-4-8] Enable TLS 1.3 support #3972

Closed
wants to merge 3 commits into from

Conversation

@tiran
Copy link
Member

@tiran tiran commented Dec 2, 2019

Manual backport of PR #3911

tiran added 3 commits Nov 18, 2019
urllib3 now supports post-handshake authentication with TLS 1.3. Enable
TLS 1.3 support for Apache HTTPd.

The update depends on bug fixes for TLS 1.3 PHA support in urllib3 and
Apache HTTPd. New builds are available in freeipa-master COPR and in
F30/F31.

Overwrite crypto-policy on Fedora only. Fedora 31 and earlier have TLS
1.0 and 1.1 still enabled by default.

Fixes: https://pagure.io/freeipa/issue/8125
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Fedora 30 update FEDORA-2019-d54e892077 httpd-2.4.41-6.1.fc30
Fedora 31 update FEDORA-2019-ae1dd32c5f httpd-2.4.41-9.fc31
RHEL 8.2 RHEA-2019:47297-02 httpd-2.4.37-21

Fixes: https://pagure.io/freeipa/issue/8125
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Client connections no longer override TLS version range and ciphers by
default. Instead clients use the default settings from the system's
crypto policy.

Minimum TLS version is now TLS 1.2. The default crypto policy on
RHEL 8 sets TLS 1.2 as minimum version, while Fedora 31 sets TLS 1.0 as
minimum version. The minimum version is configured with OpenSSL 1.1.1
APIs. Python 3.6 lacks the setters to override the system policy.

The effective minimum version is always TLS 1.2, because FreeIPA
reconfigures Apache HTTPd on Fedora.

Fixes: https://pagure.io/freeipa/issue/8125
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
@tiran tiran added the ack label Dec 2, 2019
@tiran
Copy link
Member Author

@tiran tiran commented Dec 2, 2019

Backport ACK

Manual backport was merely required because the tool didn't work. The cherry picks applied cleanly.

@tiran tiran added the pushed label Dec 2, 2019
@tiran
Copy link
Member Author

@tiran tiran commented Dec 2, 2019

ipa-4-8:

  • f7de64c Enable TLS 1.3 support on the server
  • ae9e41b Update Apache HTTPd for RHBZ#1775146
  • b655586 Don't hard-code client's TLS versions and ciphers
@tiran tiran closed this Dec 2, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

1 participant
You can’t perform that action at this time.