authorChristina Fu <cfu@redhat.com>2014-11-21 17:30:55 -0800
committerChristina Fu <cfu@redhat.com>2014-11-24 13:19:13 -0800
commit025e4e643911dcb277d9d0efb0e6d7533a679e71 (patch)
treee2a58f5901232611150e171a8284df45662840e1
parentc0e3716fe43b87139bae57dba992fe0376bd215d (diff)
Ticket 1198 Bugzilla 1158410 add TLS range support to server.xml by default and upgrade
-rw-r--r--base/common/upgrade/10.2.1/.ignore0
-rw-r--r--base/server/config/pkislots.cfg3
-rw-r--r--base/server/python/pki/server/deployment/pkiparser.py43
-rw-r--r--base/server/share/conf/server.xml8
-rwxr-xr-xbase/server/upgrade/10.2.1/01-AddTLSRangeSupport102
-rw-r--r--specs/dogtag-pki-theme.spec6
-rw-r--r--specs/dogtag-pki.spec10
-rw-r--r--specs/pki-console.spec8
-rw-r--r--specs/pki-core.spec10
9 files changed, 178 insertions, 12 deletions
diff --git a/base/common/upgrade/10.2.1/.ignore b/base/common/upgrade/10.2.1/.ignore
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/base/common/upgrade/10.2.1/.ignore
diff --git a/base/server/config/pkislots.cfg b/base/server/config/pkislots.cfg
index 8f7dc7812..38ed6b9f2 100644
--- a/base/server/config/pkislots.cfg
+++ b/base/server/config/pkislots.cfg
@@ -73,4 +73,7 @@ TOMCAT_SSL2_CIPHERS_SLOT=[TOMCAT_SSL2_CIPHERS]
TOMCAT_SSL3_CIPHERS_SLOT=[TOMCAT_SSL3_CIPHERS]
TOMCAT_SSL_OPTIONS_SLOT=[TOMCAT_SSL_OPTIONS]
TOMCAT_TLS_CIPHERS_SLOT=[TOMCAT_TLS_CIPHERS]
+TOMCAT_SSL_VERSION_RANGE_STREAM_SLOT=[TOMCAT_SSL_VERSION_RANGE_STREAM]
+TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT=[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]
+TOMCAT_SSL_RANGE_CIPHERS_SLOT=[TOMCAT_SSL_RANGE_CIPHERS]
TPS_DIR_SLOT=[TPS_DIR]
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index ea6bbffab..6086da0b1 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -903,6 +903,45 @@ class PKIConfigParser:
".pid"
self.mdict['TOMCAT_SERVER_PORT_SLOT'] = \
self.mdict['pki_tomcat_server_port']
+ self.mdict['TOMCAT_SSL_VERSION_RANGE_STREAM_SLOT'] = \
+ "tls1_0:tls1_2"
+ self.mdict['TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT'] = \
+ "tls1_1:tls1_2"
+ self.mdict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \
+ "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \
+ "-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
+ "+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," + \
+ "+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \
+ "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \
+ "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \
+ "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \
+ "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \
+ "+TLS_RSA_WITH_AES_128_CBC_SHA," + \
+ "+TLS_RSA_WITH_AES_256_CBC_SHA," + \
+ "+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
+ "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \
+ "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
+ "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \
+ "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \
+ "+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \
+ "+TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \
+ "+TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \
+ "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
+ "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \
+ "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \
+ "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \
+ "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \
+ "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \
+ "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \
+ "+TLS_RSA_WITH_AES_128_GCM_SHA256," + \
+ "+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \
+ "+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \
+ "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \
+ "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
+ "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \
+ "+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \
+ "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \
+ "+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
self.mdict['TOMCAT_SSL2_CIPHERS_SLOT'] = \
"-SSL2_RC4_128_WITH_MD5," + \
"-SSL2_RC4_128_EXPORT40_WITH_MD5," + \
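Review bot: The three new slots at the top of this hunk are string literals, unlike the neighbouring `TOMCAT_SERVER_PORT_SLOT`, which reads `self.mdict['pki_tomcat_server_port']`, so the TLS version floor and the cipher list cannot be tightened through the deployment configuration without editing this file. The enabled list still turns on 3DES and non-forward-secret `TLS_RSA_*`/`TLS_ECDH_*` suites and the stream range floor is `tls1_0`; reading each value as `self.mdict.get('<deployment-key>', "tls1_0:tls1_2")` (key name to be chosen) would let an operator raise the floor per instance while keeping today's defaults. The identical cipher string is also pasted into `base/server/upgrade/10.2.1/01-AddTLSRangeSupport` in this commit; defining it once, e.g. as a module-level constant the upgrade scriptlet imports, keeps the fresh-install and upgraded defaults from drifting apart. The enclosing method starts before this hunk.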
@@ -926,8 +965,8 @@ class PKIConfigParser:
"-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \
"+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
self.mdict['TOMCAT_SSL_OPTIONS_SLOT'] = \
- "ssl2=true," + \
- "ssl3=true," + \
+ "ssl2=false," + \
+ "ssl3=false," + \
"tls=true"
self.mdict['TOMCAT_TLS_CIPHERS_SLOT'] = \
"-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \
diff --git a/base/server/share/conf/server.xml b/base/server/share/conf/server.xml
index 8fbdf0f7e..306ebf25b 100644
--- a/base/server/share/conf/server.xml
+++ b/base/server/share/conf/server.xml
@@ -142,6 +142,9 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
'ssl2Ciphers'
'ssl3Ciphers'
'tlsCiphers'
+ 'sslVersionRangeStream'
+ 'sslVersionRangeDatagram'
+ 'sslRangeCiphers'
'serverCertNickFile'
'passwordFile'
'passwordClass'
@@ -184,12 +187,15 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
ocspMinCacheEntryDuration="60"
ocspMaxCacheEntryDuration="120"
ocspTimeout="10"
- strictCiphers="false"
+ strictCiphers="true"
clientAuth="[PKI_AGENT_CLIENTAUTH]"
sslOptions="[TOMCAT_SSL_OPTIONS]"
ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
tlsCiphers="[TOMCAT_TLS_CIPHERS]"
+ sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]"
+ sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]"
+ sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]"
serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
diff --git a/base/server/upgrade/10.2.1/01-AddTLSRangeSupport b/base/server/upgrade/10.2.1/01-AddTLSRangeSupport
new file mode 100755
index 000000000..b5b83f465
--- /dev/null
+++ b/base/server/upgrade/10.2.1/01-AddTLSRangeSupport
@@ -0,0 +1,102 @@
+#!/usr/bin/python
+# Authors:
+# Christina Fu <cfu@redhat.com>
+# Endi S. Dewata <edewata@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2014 Red Hat, Inc.
+# All rights reserved.
+#
+
+import os
+from lxml import etree
+
+import pki.server.upgrade
+
+
+class AddTLSRangeSupport(pki.server.upgrade.PKIServerUpgradeScriptlet):
+
+ def __init__(self):
+
+ self.message = 'Add TLS Range Support'
+
+ self.parser = etree.XMLParser(remove_blank_text=True)
+
+
+ def upgrade_instance(self, instance):
+
+ server_xml = os.path.join(instance.conf_dir, 'server.xml')
+ #Backup the file before modify
+ self.backup(server_xml)
+ #Parse the server.xml into an XML object
+ document = etree.parse(server_xml, self.parser)
+ #perform the upgrade in memory
+ self.add_tls_range(document)
+ #Once all changes are made, write the XML back into the same server.xml
+ #This way we're preserving any other customization that has been done
+ # to the server.xml
+ with open(server_xml, 'w') as f:
+ f.write(etree.tostring(document, pretty_print=True))
+
+ def add_tls_range(self, document):
+
+ # Find existing Connector
+ server = document.getroot()
+ connectors = server.findall('.//Connector')
+
+ for connector in connectors:
+
+ secure = connector.get('secure')
+ if secure == 'true':
+ # Update Connector's attributes
+ connector.set('strictCiphers', 'true')
+ connector.set('sslVersionRangeStream', 'tls1_0:tls1_2')
+ connector.set('sslVersionRangeDatagram', 'tls1_1:tls1_2')
+ connector.set('sslRangeCiphers',
+ '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,' \
+ '-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,' \
+ '+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,' \
+ '+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,' \
+ '+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,' \
+ '-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,' \
+ '+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,' \
+ '+TLS_RSA_WITH_3DES_EDE_CBC_SHA,' \
+ '+TLS_RSA_WITH_AES_128_CBC_SHA,' \
+ '+TLS_RSA_WITH_AES_256_CBC_SHA,' \
+ '+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,' \
+ '+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,' \
+ '-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,' \
+ '-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,' \
+ '-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,' \
+ '+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,' \
+ '+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,' \
+ '+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,' \
+ '+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,' \
+ '+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,' \
+ '+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,' \
+ '+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,' \
+ '+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,' \
+ '+TLS_RSA_WITH_AES_128_CBC_SHA256,' \
+ '+TLS_RSA_WITH_AES_256_CBC_SHA256,' \
+ '+TLS_RSA_WITH_AES_128_GCM_SHA256,' \
+ '+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,' \
+ '+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,' \
+ '+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,' \
+ '+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,' \
+ '+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,' \
+ '+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,' \
+ '+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,' \
+ '+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256')
+
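Review bot: `add_tls_range` overwrites `strictCiphers`, `sslVersionRangeStream`, `sslVersionRangeDatagram` and `sslRangeCiphers` on every secure Connector unconditionally, so an instance whose operator had already configured a tighter range or cipher list loses it on upgrade, contrary to the "preserving any other customization" intent stated in the `upgrade_instance` comment. Guarding each `connector.set` with `if connector.get(name) is None:` keeps existing values; if forcing `strictCiphers` to `true` is deliberate, leave that one unguarded and say so in a comment. Separately, `etree.tostring(document, pretty_print=True)` emits no XML declaration, so if the instance's server.xml begins with `<?xml ...?>` that line is dropped on rewrite; `etree.tostring(document, pretty_print=True, xml_declaration=True, encoding='UTF-8')` preserves it. The cipher string here duplicates the one added to pkiparser.py in this commit, and `__init__` does not call the base-class initializer, which is presumably fine only if `PKIServerUpgradeScriptlet` defines none — worth confirming.
```python
        for connector in connectors:

            if connector.get('secure') != 'true':
                continue

            # Add only what is missing so settings an operator already
            # put on the Connector survive the upgrade.
            for name, value in (
                    ('strictCiphers', 'true'),
                    ('sslVersionRangeStream', 'tls1_0:tls1_2'),
                    ('sslVersionRangeDatagram', 'tls1_1:tls1_2'),
                    # the cipher string from the hunk, hoisted to a module constant
                    ('sslRangeCiphers', SSL_RANGE_CIPHERS)):
                if connector.get(name) is None:
                    connector.set(name, value)
```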
diff --git a/specs/dogtag-pki-theme.spec b/specs/dogtag-pki-theme.spec
index 4d9044fe2..c7524ece6 100644
--- a/specs/dogtag-pki-theme.spec
+++ b/specs/dogtag-pki-theme.spec
@@ -1,6 +1,6 @@
Name: dogtag-pki-theme
Version: 10.2.1
-Release: 0.1%{?dist}
+Release: 0.2%{?dist}
Summary: Certificate System - Dogtag PKI Theme Components
URL: http://pki.fedoraproject.org/
License: GPLv2
@@ -163,6 +163,10 @@ cd build
%changelog
+* Mon Nov 24 2014 Christina Fu <cfu@redhat.com> 10.2.1-0.2
+- Ticket 1198 Bugzilla 1158410 add TLS range support to server.xml by default and upgrade
+- up the release number to 0.2
+
* Fri Oct 24 2014 Dogtag Team <pki-devel@redhat.com> 10.2.1-0.1
- Updated version number to 10.2.1-0.1.
diff --git a/specs/dogtag-pki.spec b/specs/dogtag-pki.spec
index 8bd3c418f..a53c38d68 100644
--- a/specs/dogtag-pki.spec
+++ b/specs/dogtag-pki.spec
@@ -1,7 +1,7 @@
Summary: Dogtag Public Key Infrastructure (PKI) Suite
Name: dogtag-pki
Version: 10.2.1
-Release: 0.1%{?dist}
+Release: 0.2%{?dist}
# The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2
License: GPLv2 and LGPLv2
URL: http://pki.fedoraproject.org/
@@ -15,10 +15,10 @@ ExcludeArch: ppc ppc64 ppcle ppc64le s390 s390x
%define dogtag_pki_theme_version %{version}
%define esc_version 1.1.0
-%define jss_version 4.2.6-31
+%define jss_version 4.2.6-35
%define pki_core_version %{version}
%define pki_console_version %{version}
-%define tomcatjss_version 7.1.0
+%define tomcatjss_version 7.1.1
Requires: apache-commons-codec
Requires: selinux-policy-base >= 3.11.1-43
@@ -106,6 +106,10 @@ rm -rf %{buildroot}
%doc README
%changelog
+* Mon Nov 24 2014 Christina Fu <cfu@redhat.com> 10.2.1-0.2
+- Ticket 1198 Bugzilla 1158410 add TLS range support to server.xml by default and upgrade
+- up the release number to 0.2
+
* Fri Oct 24 2014 Dogtag Team <pki-devel@redhat.com> 10.2.1-0.1
- Updated version number to 10.2.1-0.1.
diff --git a/specs/pki-console.spec b/specs/pki-console.spec
index 6d37c731b..f12799486 100644
--- a/specs/pki-console.spec
+++ b/specs/pki-console.spec
@@ -1,6 +1,6 @@
Name: pki-console
Version: 10.2.1
-Release: 0.1%{?dist}
+Release: 0.2%{?dist}
Summary: Certificate System - PKI Console
URL: http://pki.fedoraproject.org/
License: GPLv2
@@ -20,7 +20,7 @@ BuildRequires: nspr-devel
BuildRequires: nss-devel
BuildRequires: junit
BuildRequires: jpackage-utils >= 1.7.5-10
-BuildRequires: jss >= 4.2.6-24
+BuildRequires: jss >= 4.2.6-35
BuildRequires: pki-base >= 10.0.0
Requires: idm-console-framework
@@ -88,6 +88,10 @@ cd build
%changelog
+* Mon Nov 24 2014 Christina Fu <cfu@redhat.com> 10.2.1-0.2
+- Ticket 1198 Bugzilla 1158410 add TLS range support to server.xml by default and upgrade
+- up the release number to 0.2
+
* Fri Oct 24 2014 Dogtag Team <pki-devel@redhat.com> 10.2.1-0.1
- Updated version number to 10.2.1-0.1.
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index 3c1cd7f80..bcec35ade 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -5,7 +5,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
Name: pki-core
Version: 10.2.1
-Release: 0.1%{?dist}
+Release: 0.2%{?dist}
Summary: Certificate System - PKI Core Components
URL: http://pki.fedoraproject.org/
License: GPLv2
@@ -63,9 +63,9 @@ BuildRequires: policycoreutils-python
BuildRequires: python-ldap
BuildRequires: junit
BuildRequires: jpackage-utils >= 0:1.7.5-10
-BuildRequires: jss >= 4.2.6-28
+BuildRequires: jss >= 4.2.6-35
BuildRequires: systemd-units
-BuildRequires: tomcatjss >= 7.1.0
+BuildRequires: tomcatjss >= 7.1.1
# additional build requirements needed to build native 'tpsclient'
# REMINDER: Revisit these once 'tpsclient' is rewritten as a Java app
@@ -854,6 +854,10 @@ echo >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1
%endif # %{with server}
%changelog
+* Mon Nov 24 2014 Christina Fu <cfu@redhat.com> 10.2.1-0.2
+- Ticket 1198 Bugzilla 1158410 add TLS range support to server.xml by default and upgrade
+- up the release number to 0.2
+
* Fri Oct 24 2014 Dogtag Team <pki-devel@redhat.com> 10.2.1-0.1
- Updated version number to 10.2.1-0.1.
- Added CLIs to simplify generating user certificates