File bug1204788.patch of Package cepces.27294
Index: b/bin/cepces-submit
===================================================================
--- a/bin/cepces-submit
+++ b/bin/cepces-submit
@@ -24,6 +24,7 @@ import os
import sys
import traceback
import argparse
+import requests
from cepces.certmonger.core import Result
from cepces.certmonger.operation import Operation
from cepces.config import Configuration
@@ -62,6 +63,8 @@ def main(global_overrides, krb5_override
# Load the configuration and instantiate a service.
config = Configuration.load(global_overrides=global_overrides,
krb5_overrides=krb5_overrides)
+ if config.openssl_seclevel and config.openssl_seclevel.isnumeric():
+ requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS = 'ALL:@SECLEVEL=%s' % config.openssl_seclevel
service = Service(config)
# Call the operation.
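Review bot: The `'ALL:@SECLEVEL=%s'` string assigned to `DEFAULT_CIPHERS` throws away urllib3's curated cipher list and replaces it with OpenSSL's `ALL` keyword, which admits suites the library default deliberately excludes (as far as I recall its list carries explicit `!aNULL`/`!MD5` rejections), so the override loosens more than the security level alone. Keep the existing list and only append the level: `ssl_ = requests.packages.urllib3.util.ssl_` / `ssl_.DEFAULT_CIPHERS = '%s:@SECLEVEL=%s' % (ssl_.DEFAULT_CIPHERS, config.openssl_seclevel)`. A value that fails `isnumeric()` is dropped without any message, so a typo in the config silently leaves the default level in place; a warning or a RuntimeError would be better. Note also that newer urllib3 releases no longer consult `DEFAULT_CIPHERS`, in which case this assignment has no effect at all — worth a comment such as `# Global override; only honoured by urllib3 versions that still read DEFAULT_CIPHERS.` `main()` continues outside the hunk.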
@@ -89,14 +89,17 @@ if __name__ == '__main__':
parser.add_argument('--keytab', help='Use the specified keytab')
parser.add_argument('--principals',
help='A list of principals to try when requesting a ticket')
+ parser.add_argument('--openssl-seclevel', help='The openssl security level')
args = parser.parse_args()
+ g_overrides = {}
if args.server is not None:
- g_overrides = { 'server': args.server, 'auth': args.auth }
+ g_overrides['server'] = args.server
+ g_overrides['auth'] = args.auth
endpoint = 'https://%s/ADPolicyProvider_CEP_%s/service.svc/CEP' % \
(args.server, args.auth)
g_overrides['endpoint'] = endpoint
- else:
- g_overrides = {}
+ if args.openssl_seclevel is not None:
+ g_overrides['openssl_seclevel'] = args.openssl_seclevel
k_overrides = {}
if args.keytab is not None:
k_overrides['keytab'] = args.keytab
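Review bot: `--openssl-seclevel` accepts any string, and the only later filter is the `isnumeric()` test in `main()`, so a mistyped level is silently discarded instead of being rejected at the command line. Constrain it at the parser and say what it costs: `parser.add_argument('--openssl-seclevel', choices=[str(i) for i in range(6)], help='OpenSSL security level (0-5); lowering it weakens TLS')`. The `__main__` block continues outside the hunk.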
Index: b/cepces/config.py
===================================================================
--- a/cepces/config.py
+++ b/cepces/config.py
@@ -55,13 +55,14 @@ class Configuration(Base):
'Certificate': SOAPAuth.MessageCertificateAuthentication,
}
- def __init__(self, endpoint, endpoint_type, cas, auth):
+ def __init__(self, endpoint, endpoint_type, cas, auth, openssl_seclevel):
super().__init__()
self._endpoint = endpoint
self._endpoint_type = endpoint_type
self._cas = cas
self._auth = auth
+ self._openssl_seclevel = openssl_seclevel
@property
def endpoint(self):
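Review bot: The new `openssl_seclevel` parameter on `Configuration.__init__` is positional with no default, so any caller still constructing `Configuration(endpoint, endpoint_type, cas, auth)` directly (tests, other tooling) now fails with a TypeError; `load()` is the only caller updated in this patch. Make it optional so the change is backward compatible: `def __init__(self, endpoint, endpoint_type, cas, auth, openssl_seclevel=None):`. The class continues outside the hunk.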
@@ -83,6 +85,11 @@ class Configuration(Base):
"""Return the authentication method."""
return self._auth
+ @property
+ def openssl_seclevel(self):
+ """Return the openssl security level."""
+ return self._openssl_seclevel
+
@classmethod
def load(cls, files=None, dirs=None, global_overrides=None,
krb5_overrides=None):
@@ -109,6 +121,10 @@ class Configuration(Base):
config['DEFAULT']['FQDN'] = fqdn.upper()
config['DEFAULT']['shortname'] = shortname.lower()
config['DEFAULT']['SHORTNAME'] = shortname.upper()
+ if not config.has_section('global'):
+ config.add_section('global')
+ config['global']['openssl_seclevel'] = ''
+
if files is None:
files = DEFAULT_CONFIG_FILES
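Review bot: The seeded `config['global']['openssl_seclevel'] = ''` has a meaning that is not stated anywhere: an empty value means "do not override the library's level", and it is what makes the key present in every parsed configuration. A short comment would save the next reader a trip to cepces-submit, e.g. `# Seed an empty default so the key always exists; '' means leave the OpenSSL/urllib3 default untouched.` `load()` continues outside the hunk.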
@@ -149,7 +162,7 @@ class Configuration(Base):
section = parser['global']
# Ensure certain required variables are present.
- for var in ['endpoint', 'auth', 'type']:
+ for var in ['endpoint', 'auth', 'type', 'openssl_seclevel']:
if var not in section:
raise RuntimeError(
'Missing "{}/{}" variable in configuration.'.format(
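Review bot: Adding `'openssl_seclevel'` to the required-variable list cannot ever fail, because `load()` seeds `config['global']['openssl_seclevel'] = ''` before any file is read, so the "Missing" error will never fire for this key and the entry is dead. Either remove it from the list and read the value with `section.get('openssl_seclevel', '')`, or drop the seeding so a missing key is actually reported — but the latter would break every existing configuration file. `load()` continues outside the hunk.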
@@ -171,8 +184,9 @@ class Configuration(Base):
endpoint_type = section.get('type')
authn = Configuration.AUTH_HANDLER_MAP[section['auth']](parser)
cas = section.get('cas', True)
+ openssl_seclevel = section.get('openssl_seclevel')
if cas == '':
cas = False
- return Configuration(endpoint, endpoint_type, cas, authn.handle())
+ return Configuration(endpoint, endpoint_type, cas, authn.handle(), openssl_seclevel)
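Review bot: `section.get('openssl_seclevel')` is handed to `Configuration` unvalidated; the only check is the caller's `isnumeric()` in cepces-submit, which ignores bad values silently, whereas this method already raises RuntimeError for other malformed settings. Validate here for consistency: `openssl_seclevel = section.get('openssl_seclevel', '').strip()` / `if openssl_seclevel and openssl_seclevel not in ('0', '1', '2', '3', '4', '5'):` / `    raise RuntimeError('Invalid "global/openssl_seclevel" value: %r' % openssl_seclevel)`. The hunk begins partway through `load()`.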
Index: b/conf/cepces.conf.dist
===================================================================
--- a/conf/cepces.conf.dist
+++ b/conf/cepces.conf.dist
@@ -45,6 +45,15 @@ endpoint=https://${server}/ADPolicyProvi
# Default: <not defined>
#cas=
+# This is the openssl security level. The latest openssl sets the default to
+# level 2, which disables some less secure ciphers. You may encounter an error
+# of '[SSL: DH_KEY_TOO_SMALL] dh key too small' if this level is set to high
+# for your server. If this happens, you can work around this issue by setting
+# openssl_seclevel to 1.
+#
+# Default: 2
+#openssl_seclevel=2
+
[kerberos]
# Use the specified keytab. If unspecified, the system default is used.
#
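Review bot: The sample says `Default: 2`, but the code seeds the option with an empty string and only applies a level when one is set, so the effective default is whatever the installed OpenSSL/urllib3 uses, which differs between distributions. The text also reads as a harmless workaround: lowering the level re-enables weak parameters (small DH keys, among others) for every connection to the CEP server, which should be said explicitly, and `set to high` should read `set too high`. Suggested wording: `# Default: <not defined> (the OpenSSL/urllib3 default level applies)` plus `# Lowering this weakens TLS for the CEP connection; prefer fixing the server's DH parameters.`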