[Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question

Christian Heimes cheimes at redhat.com
Thu Jan 12 14:53:37 UTC 2017


On 2016-12-19 15:07, John Dennis wrote:
> I'm not a big fan of NSS, it has its issues. As the author of the
> Python binding I'm quite aware of all the nasty behaviors NSS has and
> needs to be worked around. I wouldn't be sad to see it go but OpenSSL
> has its own issues too. If you remove NSS you're also removing the
> option to support smart cards, HSMs etc. Perhaps before removing
> functionality it would be good to assess what the requirements are.

When Standa started to work on the PR, I raised similar concerns
regarding the feature set of OpenSSL. I asked him to write a design spec
to address some of the concerns.

HSM and smart card authentication are of no concern. Standa's PR
replaces FreeIPA's internal HTTPS connection with an OpenSSL based
implementation. It's used to communicate from an IPA client to an IPA
server or from an IPA server to Dogtag. We don't support client cert
auth for client to server. Smart card authentication is performed based
on pkinit and Kerberos. Currently just IPA server to Dogtag uses client
cert authentication. That part will be replaced with GSSAPI eventually.

I'm more concerned that we lose the ability to check revocation state
of certificates. Python's ssl module has no support for OCSP. OpenSSL's
and Python's CRL capabilities are sub-par compared to NSS. The ssl
module can load CRLs but it has no means to retrieve or update a CRL
from a remote server.

For Fedora 26 we will have to deal with similar concerns for libldap.
Fedora has switched from NSS to OpenSSL as TLS backend.

Christian
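The CRL gap described above is the one a practitioner has to close by hand: the ssl module consults a CRL only if it has been loaded and VERIFY_CRL_CHECK_LEAF is set, and nothing in the module notices when that file goes stale. The following is an added illustration, not code from FreeIPA or from Standa's PR; it assumes a PEM CRL file refreshed out of band, uses a minimal DER reader only to pull out the validity window (signature checking is left to OpenSSL at load time), and the file paths are hypothetical.

```python
import base64
import re
import ssl
from datetime import datetime, timezone
from pathlib import Path

def _tlv(buf, pos):  # decode one DER element at buf[pos] -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq):  # yield (tag, value) for each element of a SEQUENCE body
    pos = 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        yield tag, val

def _time(tag, val):  # CRL Time: 0x17 UTCTime or 0x18 GeneralizedTime -> aware UTC
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(data):
    """Return (thisUpdate, nextUpdate) of a PEM or DER CRL; nextUpdate may be None."""
    if data.lstrip().startswith(b"-----BEGIN"):
        pem = re.search(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", data, re.S)
        data = base64.b64decode(pem.group(1))
    _, cert_list, _ = _tlv(data, 0)                     # CertificateList ::= SEQUENCE
    _, tbs, _ = _tlv(cert_list, 0)                      # tbsCertList ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0x02:                            # drop optional version INTEGER, leaving
        fields.pop(0)                                   # signature, issuer, thisUpdate, [nextUpdate], ...
    has_next = len(fields) > 3 and fields[3][0] in (0x17, 0x18)
    return _time(*fields[2]), (_time(*fields[3]) if has_next else None)

def crl_is_current(data, now=None):  # does the CRL's validity window cover now?
    now = now or datetime.now(timezone.utc)
    this_update, next_update = crl_validity(data)
    return this_update <= now and (next_update is None or now <= next_update)

def crl_checking_context(cafile, crl_file):
    """Client context that rejects a revoked leaf cert, refusing a stale CRL up front."""
    crl = Path(crl_file).read_bytes()
    if not crl_is_current(crl):
        raise RuntimeError(f"{crl_file} is outside its validity window; refresh it out of band")
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.load_verify_locations(cafile=crl_file)          # CRLs are loaded by the same call as CA certs
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF       # without this flag the CRL is never consulted
    return ctx
```

A cron job or the client's own refresh path has to replace the CRL file before nextUpdate passes; the context builder only turns a silently missed check into a loud failure.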
