File bug1204788.patch of Package cepces
Index: b/bin/cepces-submit =================================================================== --- a/bin/cepces-submit +++ b/bin/cepces-submit @@ -24,6 +24,7 @@ import os import sys import traceback import argparse +import requests from cepces.certmonger.core import Result from cepces.certmonger.operation import Operation from cepces.config import Configuration @@ -62,6 +63,8 @@ def main(global_overrides, krb5_override # Load the configuration and instantiate a service. config = Configuration.load(global_overrides=global_overrides, krb5_overrides=krb5_overrides) + if config.openssl_seclevel and config.openssl_seclevel.isnumeric(): + requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS = 'ALL:@SECLEVEL=%s' % config.openssl_seclevel service = Service(config) # Call the operation. @@ -89,14 +89,17 @@ if __name__ == '__main__': parser.add_argument('--keytab', help='Use the specified keytab') parser.add_argument('--principals', help='A list of principals to try when requesting a ticket') + parser.add_argument('--openssl-seclevel', help='The openssl security level') args = parser.parse_args() + g_overrides = {} if args.server is not None: - g_overrides = { 'server': args.server, 'auth': args.auth } + g_overrides['server'] = args.server + g_overrides['auth'] = args.auth endpoint = 'https://%s/ADPolicyProvider_CEP_%s/service.svc/CEP' % \ (args.server, args.auth) g_overrides['endpoint'] = endpoint - else: - g_overrides = {} + if args.openssl_seclevel is not None: + g_overrides['openssl_seclevel'] = args.openssl_seclevel k_overrides = {} if args.keytab is not None: k_overrides['keytab'] = args.keytab Index: b/cepces/config.py =================================================================== --- a/cepces/config.py +++ b/cepces/config.py 
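Review bot: In `main`, the added override builds the cipher string from `ALL` and checks the value only with `isnumeric()`, so setting any level swaps the library's default cipher list for every suite OpenSSL allows at that level. `isnumeric()` also accepts `0` and non-ASCII numerals, and a value that fails the check is dropped without any message. I would accept only a fixed set of levels and keep a curated base, e.g. `if config.openssl_seclevel in ('1', '2', '3', '4', '5'):` with `'DEFAULT:@SECLEVEL=%s'`, and the `--openssl-seclevel` argument added in the last hunk of this file could enforce the same set through `choices=`. The assignment patches a process-wide urllib3 attribute that urllib3 2.x, as far as I know, no longer provides, so it is worth confirming against the packaged version that the setting takes effect. `main`'s body starts and ends outside the hunk.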
@@ -55,13 +55,14 @@ class Configuration(Base): 'Certificate': SOAPAuth.MessageCertificateAuthentication, } - def __init__(self, endpoint, endpoint_type, cas, auth): + def __init__(self, endpoint, endpoint_type, cas, auth, openssl_seclevel): super().__init__() self._endpoint = endpoint self._endpoint_type = endpoint_type self._cas = cas self._auth = auth + self._openssl_seclevel = openssl_seclevel @property def endpoint(self): @@ -83,6 +85,11 @@ class Configuration(Base): """Return the authentication method.""" return self._auth + @property + def openssl_seclevel(self): + """Return the openssl security level.""" + return self._openssl_seclevel + @classmethod def load(cls, files=None, dirs=None, global_overrides=None, krb5_overrides=None): @@ -109,6 +121,10 @@ class Configuration(Base): config['DEFAULT']['FQDN'] = fqdn.upper() config['DEFAULT']['shortname'] = shortname.lower() config['DEFAULT']['SHORTNAME'] = shortname.upper() + if not config.has_section('global'): + config.add_section('global') + config['global']['openssl_seclevel'] = '' + if files is None: files = DEFAULT_CONFIG_FILES @@ -149,7 +162,7 @@ class Configuration(Base): section = parser['global'] # Ensure certain required variables are present. - for var in ['endpoint', 'auth', 'type']: + for var in ['endpoint', 'auth', 'type', 'openssl_seclevel']: if var not in section: raise RuntimeError( 'Missing "{}/{}" variable in configuration.'.format( @@ -171,8 +184,9 @@ class Configuration(Base): endpoint_type = section.get('type') authn = Configuration.AUTH_HANDLER_MAP[section['auth']](parser) cas = section.get('cas', True) + openssl_seclevel = section.get('openssl_seclevel') if cas == '': cas = False - return Configuration(endpoint, endpoint_type, cas, authn.handle()) + return Configuration(endpoint, endpoint_type, cas, authn.handle(), openssl_seclevel) Index: b/conf/cepces.conf.dist =================================================================== --- a/conf/cepces.conf.dist +++ b/conf/cepces.conf.dist 
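Review bot: `openssl_seclevel` is added to `Configuration.__init__` as a required positional parameter, so any caller outside this patch that still passes four arguments will fail with a TypeError; `def __init__(self, endpoint, endpoint_type, cas, auth, openssl_seclevel=None):` keeps the old call form working. The new property returns the raw configuration string, which leaves validation to each consumer; normalising it once where the value is read (`section.get('openssl_seclevel')` in the last hunk), empty string to `None` and otherwise a checked integer, would keep the check in one place. Because `load` now seeds `openssl_seclevel` with an empty string, adding it to the required-variable list in the fourth hunk looks like a check that can never fail, though the code between those two hunks is not visible here.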
@@ -45,6 +45,15 @@ endpoint=https://${server}/ADPolicyProvi # Default: <not defined> #cas= +# This is the openssl security level. The latest openssl sets the default to +# level 2, which disables some less secure ciphers. You may encounter an error +# of '[SSL: DH_KEY_TOO_SMALL] dh key too small' if this level is set to high +# for your server. If this happens, you can work around this issue by setting +# openssl_seclevel to 1. +# +# Default: 2 +#openssl_seclevel=2 + [kerberos] # Use the specified keytab. If unspecified, the system default is used. #
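Review bot: The comment states `Default: 2`, but the code in this patch seeds the option with an empty string and only changes the cipher list when a numeric value is present, so with the option unset the effective level is whatever the system's OpenSSL configuration provides. Uncommenting `openssl_seclevel=2` is therefore not a no-op, since it switches the cipher list to `ALL:@SECLEVEL=2`. I would write `# Default: <not defined> (the system OpenSSL default applies)` and add a sentence that level 1 accepts smaller DH and RSA keys and should be limited to servers that cannot be reconfigured. In the same comment, "set to high" should read "set too high".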