summaryrefslogtreecommitdiffstats
path: root/base/server/python/pki/server
diff options
context:
space:
mode:
authorChristina Fu <cfu@redhat.com>2015-08-14 19:57:15 +0200
committerChristina Fu <cfu@redhat.com>2015-08-14 18:26:05 -0700
commit67c895851781d69343979cbcff138184803880ea (patch)
tree265dc9539f3d8352cc2fee2b8663a45034334ca8 /base/server/python/pki/server
parent4743a86beb48b81edc90d8e35ebbebfa414faea2 (diff)
downloadpki-67c895851781d69343979cbcff138184803880ea.tar.gz
pki-67c895851781d69343979cbcff138184803880ea.tar.xz
pki-67c895851781d69343979cbcff138184803880ea.zip
Ticket #1556 Weak HTTPS TLS ciphers
This patch fixes the RSA ciphers that were mistakenly turned on under ECC section, and off under RSA section. A few adjustments have also been made based on Bob Relyea's feedback. A new file, <instance>/conf/ciphers.info was also created to 1. provide info on the ciphers 2. provide default rsa and ecc ciphers for admins to incorporate into earlier instances (as migration script might not be ideal due to possible customization)
Diffstat (limited to 'base/server/python/pki/server')
-rw-r--r--base/server/python/pki/server/deployment/pkiparser.py72
1 files changed, 38 insertions, 34 deletions
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index c1b6be395..425b71034 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -921,42 +921,46 @@ class PKIConfigParser:
"tls1_0:tls1_2"
self.mdict['TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT'] = \
"tls1_1:tls1_2"
+ ##
+ # Reminder: if the following cipher lists are updated, be sure
+ # to remember to update pki/base/server/share/conf/ciphers.info
+ # accordingly
+ #
if self.mdict['pki_ssl_server_key_type'] == "ecc":
self.mdict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \
- "+TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \
- "+TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
- "+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," + \
- "+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \
- "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \
- "+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \
+ "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \
+ "-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
+ "-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," + \
+ "-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \
+ "-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \
+ "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \
+ "-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256," + \
"+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \
"-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \
"-TLS_RSA_WITH_AES_128_CBC_SHA," + \
"-TLS_RSA_WITH_AES_256_CBC_SHA," + \
"+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
"+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \
- "+TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
- "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \
- "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \
+ "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
+ "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \
"-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \
"-TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \
"-TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \
+ "-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \
"-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
"-TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \
"-TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \
"-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \
"-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \
+ "-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \
"-TLS_RSA_WITH_AES_128_CBC_SHA256," + \
"-TLS_RSA_WITH_AES_256_CBC_SHA256," + \
"-TLS_RSA_WITH_AES_128_GCM_SHA256," + \
- "-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \
- "-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \
"+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \
- "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
"+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \
- "+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \
- "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \
- "+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
+ "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \
+ "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
+ "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
else:
self.mdict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \
"-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \
@@ -965,34 +969,34 @@ class PKIConfigParser:
"-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \
"-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \
"-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \
+ "-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \
+ "-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256," +\
"-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \
- "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \
- "+TLS_RSA_WITH_AES_128_CBC_SHA," + \
- "+TLS_RSA_WITH_AES_256_CBC_SHA," + \
"-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
"-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \
- "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
- "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \
- "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \
+ "+TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
+ "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \
+ "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \
"-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \
"-TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \
"-TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \
- "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
- "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \
- "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \
- "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \
- "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \
- "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \
- "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \
- "+TLS_RSA_WITH_AES_128_GCM_SHA256," + \
- "+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \
+ "-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
+ "-TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \
+ "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \
+ "-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \
+ "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \
+ "-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \
"-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \
"-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \
- "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
+ "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
"-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \
- "-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \
- "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \
- "-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
+ "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \
+ "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \
+ "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \
+ "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \
+ "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \
+ "+TLS_RSA_WITH_AES_128_CBC_SHA," + \
+ "+TLS_RSA_WITH_AES_256_CBC_SHA"
self.mdict['TOMCAT_SSL2_CIPHERS_SLOT'] = \
"-SSL2_RC4_128_WITH_MD5," + \
"-SSL2_RC4_128_EXPORT40_WITH_MD5," + \
generated by cgit (git 2.34.1) at 2024-05-23 14:42:50 +0000