[Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question

Standa Laznicka slaznick at redhat.com
Mon Dec 19 08:12:51 UTC 2016 

On 12/16/2016 03:23 PM, Rob Crittenden wrote:
> Standa Laznicka wrote:
>> Hello,
>>
>> I started a design page for FreeIPA on FIPS-enabled systems:
>> https://www.freeipa.org/page/V4/FreeIPA-on-FIPS
>>
>> Me and Tomáš are still investigating what of all things will need to
>> change in order to have FreeIPA on FIPS-enabled RHEL. So far I managed
>> to install and run patched FreeIPA server and client and connect them
>> together.
>>
>> There are some issues with NSS when trying to create an HTTPS request
>> (apparently, NSS requires an NSS database password to set up an SSL
>> connection). I am actually thinking of removing NSSConnection from the
>> client altogether.
> Can you expand on this a bit? NSS should only need a pin when it needs
> access to a private key. What connection(s) are you talking about, and
> what would you replace NSSConnection with?
>
> rob

Hello Rob,

Thank you for this excellent question, in order to cut the email short I 
seem to have omitted quite a few information.

One of the very first problems I had with FreeIPA with FIPS was that NSS 
was always asking for password/pin. I was discussing this with the NSS 
guys on their IRC chat last week and it turns out that NSS tries to 
create a private key every time you want to use it as a backend for an 
SSL connection on FIPS. I still don't think this is quite right so I may 
open a bugzilla for that.

Anyway, the guys suggested me that we could try to create the database 
with an empty password and everything will work. I don't quite like 
that, too, but it's at least something if you don't want the `ipa` 
command to always bug you for password you have no way knowing if you're 
just a regular user.

What I think would be a better way to go is to use 
httplib.HTTPSConnection. We have the needed certificates in 
/etc/ipa/ca.crt anyway so why not use them instead. We had a discussion 
with Honza this morning and it seems that with this approach we may get 
rid of the NSSConnection class altogether (although I still need to 
check a few spots) and start the process of moving away from NSS which 
was discussed some year ago in an internal mailing list (for some reason).

Will be happy to hear thoughts on this,
Standa

More information about the Freeipa-devel mailing list