[Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question

Alexander Bokovoy abokovoy at redhat.com
Thu Jan 12 15:51:32 UTC 2017


On Thu, 12 Jan 2017, Christian Heimes wrote:
>On 2016-12-19 15:07, John Dennis wrote:
>> I'm not a big fan of NSS, it has its issues. As the author of the
>> Python binding I'm quite aware of all the nasty behaviors NSS has and
>> needs to be worked around. I wouldn't be sad to see it go but OpenSSL
>> has its own issues too. If you remove NSS you're also removing the
>> option to support smart cards, HSMs etc. Perhaps before removing
>> functionality it would be good to assess what the requirements are.
>
>When Standa started to work on the PR, I raised similar concerns
>regarding the feature set of OpenSSL. I asked him to write a design spec
>to address some of the concerns.
>
>HSM and smart card authentication are of no concern. Standa's PR
>replaces FreeIPA's internal HTTPS connection with an OpenSSL based
>implementation. It's used to communicate from an IPA client to an IPA
>server or from an IPA server to Dogtag. We don't support client cert
>auth for client to server. Smart card authentication is performed based
>on pkinit and Kerberos. Currently just IPA server to Dogtag uses client
>cert authentication. That part will be replaced with GSSAPI eventually.
We are adding client cert authentication in 4.5. This is a pretty big part
of the release, actually, as we are getting external authentication and
privilege separation support. See Simo's PR#314 which is very close to
being merged.

We don't plan yet to use this for the IPA client itself, but nothing prevents
clients other than web browsers from utilizing client cert auth to establish
TLS session authentication. In fact, this is something which most likely
will be used for external entities anyway.


>I'm more concerned that we lose the ability to check revocation state
>of certificates. Python's ssl module has no support for OCSP. OpenSSL's
>and Python's CRL capabilities are sub-par compared to NSS. The ssl
>module can load CRLs but it has no means to retrieve or update a CRL
>from a remote server.
>
>For Fedora 26 we will have to deal with similar concerns for libldap.
>Fedora has switched from NSS to OpenSSL as TLS backend.
>
>Christian
>
-- 
/ Alexander Bokovoy