Ticket 1566 on HSM, non-CA subystem installations failing while trying to join security domain Investigation shows that this issue occurs when the non-CA subsystem's SSL server and client keys are also on the HSM. While browsers (on soft token) have no issue connecting to any of the subsystems on HSM, subsystem to subsystem communication has issues when the TLS_ECDHE_RSA_* ciphers are turned on. We have decided to turn off the TLS_ECDHE_RSA_* ciphers by default (can be manually turned on if desired) based on the fact that: 1. The tested HSM seems to have issue with them (will still continue to investigate) 2. While the Perfect Forward Secrecy provides added security by the TLS_ECDHE_RSA_* ciphers, each SSL session takes 3 times longer to estabish. 3. The TLS_RSA_* ciphers are adequate at this time for the CS system operations

author: Christina Fu <cfu@redhat.com> 2015-08-19 13:52:53 +0200
committer: Christina Fu <cfu@redhat.com> 2015-08-19 17:17:31 +0200
commit: 89211b9915e9c3e034d311ac0fa7091e9e08bde8 (patch)
tree: 4ecc8939eb74d1bd48113f10583218ac3b96c40c /base/server/python/pki/server/deployment/pkiparser.py
parent: 6260a6d20c113343dd04cdbed999865ebc1650c9 (diff)
download: pki-89211b9915e9c3e034d311ac0fa7091e9e08bde8.tar.gz
pki-89211b9915e9c3e034d311ac0fa7091e9e08bde8.tar.xz
pki-89211b9915e9c3e034d311ac0fa7091e9e08bde8.zip
1 files changed, 10 insertions, 10 deletions
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 259e24864..09619d557 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -947,7 +947,7 @@ class PKIConfigParser:
                     "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \
                     "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \
                     "-TLS_RSA_WITH_AES_128_CBC_SHA," + \
-                    "-TLS_RSA_WITH_AES_256_CBC_SHA," + \
+                    "+TLS_RSA_WITH_AES_256_CBC_SHA," + \
                     "+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
                     "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \
                     "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
@@ -963,13 +963,13 @@ class PKIConfigParser:
                     "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \
                     "-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \
                     "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \
-                    "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \
+                    "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \
                     "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \
                     "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \
                     "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \
-                    "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \
-                    "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
-                    "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+                    "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \
+                    "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
+                    "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
             else:
                 self.mdict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \
                     "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \
@@ -983,9 +983,9 @@ class PKIConfigParser:
                     "-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \
                     "-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
                     "-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \
-                    "+TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
-                    "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \
-                    "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \
+                    "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
+                    "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \
+                    "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \
                     "-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \
                     "-TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \
                     "-TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \
@@ -997,9 +997,9 @@ class PKIConfigParser:
                     "-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \
                     "-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \
                     "-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \
-                    "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
+                    "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
                     "-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \
-                    "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \
+                    "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \
                     "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \
                     "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \
                     "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \
author	Christina Fu <cfu@redhat.com>	2015-08-19 13:52:53 +0200
committer	Christina Fu <cfu@redhat.com>	2015-08-19 17:17:31 +0200
commit	89211b9915e9c3e034d311ac0fa7091e9e08bde8 (patch)
tree	4ecc8939eb74d1bd48113f10583218ac3b96c40c /base/server/python/pki/server/deployment/pkiparser.py
parent	6260a6d20c113343dd04cdbed999865ebc1650c9 (diff)
download	pki-89211b9915e9c3e034d311ac0fa7091e9e08bde8.tar.gz pki-89211b9915e9c3e034d311ac0fa7091e9e08bde8.tar.xz pki-89211b9915e9c3e034d311ac0fa7091e9e08bde8.zip