| author | Endi S. Dewata <edewata@redhat.com> | 2017-03-17 19:25:07 +0100 |
|---|---|---|
| committer | Endi S. Dewata <edewata@redhat.com> | 2017-03-19 22:40:45 +0100 |
| commit | a0fde2d91a02c4d11b698582a2cd64a76765ed25 (patch) | |
| tree | 76aa1b9a0bc8ede6f055396ca512c833047865c9 | |
| parent | af7be30e164b1aebbb0e6eaf1fbfc6b9fb46360e (diff) | |
Added pki.conf parameter for SSL ciphers.
A new parameter has been added to pki.conf to configure the SSL
ciphers used by PKI CLI in addition to the default ciphers.
| -rw-r--r-- | base/common/share/etc/pki.conf | 7 | ||||
| -rw-r--r-- | base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 3 | ||||
| -rw-r--r-- | base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 12 |
3 files changed, 22 insertions, 0 deletions
diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf
index 617c07f9c..e6d53714d 100644
--- a/base/common/share/etc/pki.conf
+++ b/base/common/share/etc/pki.conf
@@ -31,3 +31,10 @@ export SSL_DATAGRAM_VERSION_MIN
 SSL_DATAGRAM_VERSION_MAX="TLS_1_2"
 export SSL_DATAGRAM_VERSION_MAX
+
+# SSL ciphers
+# This parameter lists SSL ciphers to enable in addition to the default ciphers.
+# The list contains IANA-registered cipher names separated by white spaces.
+# https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
+SSL_CIPHERS=""
+export SSL_CIPHERS
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index f2e0d08d9..053d72c4e 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -538,6 +538,9 @@ public class MainCLI extends CLI {
 );
 CryptoUtil.setDefaultSSLCiphers();
+
+ String ciphers = System.getenv("SSL_CIPHERS");
+ CryptoUtil.setSSLCiphers(ciphers);
 }
 public PKIClient getClient() throws Exception {
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index d708230e3..fd7b1bb23 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -947,6 +947,18 @@ public class CryptoUtil {
 }
 }
+ public static void setSSLCiphers(String ciphers) throws SocketException {
+
+ if (ciphers == null) return;
+
+ StringTokenizer st = new StringTokenizer(ciphers);
+
+ while (st.hasMoreTokens()) {
+ String cipher = st.nextToken();
+ setSSLCipher(cipher, true);
+ }
+ }
+
 public static void setSSLCipher(String cipher, boolean enabled) throws SocketException {
 Integer cipherID = cipherMap.get(cipher);  |
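Review bot: The comment block above `SSL_CIPHERS=""` does not say that the list can only add suites to the defaults and cannot remove one, nor what happens when a name is not recognised. Because a value here widens the set of suites the CLI will negotiate, I would state the first point explicitly, for example `# Ciphers listed here are enabled on top of the defaults; a default cipher cannot be disabled with this parameter.` The behaviour for an unrecognised name depends on CryptoUtil.setSSLCipher, whose body is not shown in this commit, so that part of the wording should be confirmed against it before it is documented.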
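Review bot: The value of `SSL_CIPHERS` is read from the process environment and applied after `CryptoUtil.setDefaultSSLCiphers()` without anything being reported, so a connection that negotiated an extra, possibly weaker, suite leaves no record of where that suite came from. I would report the override whenever it is non-empty, e.g. `if (ciphers != null && !ciphers.trim().isEmpty()) System.err.println("Additional SSL ciphers enabled from SSL_CIPHERS: " + ciphers);`, or route the same message through the CLI's own verbose or logging facility if it has one. The enclosing method starts before this hunk, so whether a SocketException raised by setSSLCiphers reaches the user with a message that names the offending cipher cannot be judged from here.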
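Review bot: `setSSLCiphers` hands every token straight to `setSSLCipher(cipher, true)`, and the only visible handling of the name there is `cipherMap.get(cipher)`, so a mistyped or unsupported name in pki.conf may surface as a null `cipherID` rather than a clear error; setSSLCipher's body continues outside the hunk, so this needs checking there. The new method is public and has no Javadoc; I would add one stating that the argument is a whitespace-separated list of IANA cipher names, that `null` is a no-op, and that names are only ever enabled, never disabled. As a point of style, `StringTokenizer` is legacy API, and `for (String cipher : ciphers.trim().split("\\s+"))` behind an empty-string guard reads more idiomatically.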
