Ticket 1198 Bugzilla 1158410 add TLS range support to server.xml by default and upgrade

5 files changed, 153 insertions, 3 deletions

diff --git a/base/common/upgrade/10.2.1/.ignore b/base/common/upgrade/10.2.1/.ignore
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/base/common/upgrade/10.2.1/.ignore
diff --git a/base/server/config/pkislots.cfg b/base/server/config/pkislots.cfg
index 8f7dc7812..38ed6b9f2 100644
--- a/base/server/config/pkislots.cfg
+++ b/base/server/config/pkislots.cfg
@@ -73,4 +73,7 @@ TOMCAT_SSL2_CIPHERS_SLOT=[TOMCAT_SSL2_CIPHERS]
 TOMCAT_SSL3_CIPHERS_SLOT=[TOMCAT_SSL3_CIPHERS]
 TOMCAT_SSL_OPTIONS_SLOT=[TOMCAT_SSL_OPTIONS]
 TOMCAT_TLS_CIPHERS_SLOT=[TOMCAT_TLS_CIPHERS]
+TOMCAT_SSL_VERSION_RANGE_STREAM_SLOT=[TOMCAT_SSL_VERSION_RANGE_STREAM]
+TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT=[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]
+TOMCAT_SSL_RANGE_CIPHERS_SLOT=[TOMCAT_SSL_RANGE_CIPHERS]
 TPS_DIR_SLOT=[TPS_DIR]
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index ea6bbffab..6086da0b1 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -903,6 +903,45 @@ class PKIConfigParser:
                     ".pid"
                 self.mdict['TOMCAT_SERVER_PORT_SLOT'] = \
                     self.mdict['pki_tomcat_server_port']
+                self.mdict['TOMCAT_SSL_VERSION_RANGE_STREAM_SLOT'] = \
+                    "tls1_0:tls1_2"
+                self.mdict['TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT'] = \
+                    "tls1_1:tls1_2"
+                self.mdict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \
+                    "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \
+                    "-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
+                    "+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," + \
+                    "+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \
+                    "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \
+                    "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \
+                    "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \
+                    "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \
+                    "+TLS_RSA_WITH_AES_128_CBC_SHA," + \
+                    "+TLS_RSA_WITH_AES_256_CBC_SHA," + \
+                    "+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
+                    "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \
+                    "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
+                    "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \
+                    "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \
+                    "+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \
+                    "+TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \
+                    "+TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \
+                    "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
+                    "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \
+                    "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \
+                    "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \
+                    "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \
+                    "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \
+                    "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \
+                    "+TLS_RSA_WITH_AES_128_GCM_SHA256," + \
+                    "+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \
+                    "+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \
+                    "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \
+                    "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
+                    "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \
+                    "+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \
+                    "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \
+                    "+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
                 self.mdict['TOMCAT_SSL2_CIPHERS_SLOT'] = \
                     "-SSL2_RC4_128_WITH_MD5," + \
                     "-SSL2_RC4_128_EXPORT40_WITH_MD5," + \
@@ -926,8 +965,8 @@ class PKIConfigParser:
                     "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \
                     "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
                 self.mdict['TOMCAT_SSL_OPTIONS_SLOT'] = \
-                    "ssl2=true," + \
-                    "ssl3=true," + \
+                    "ssl2=false," + \
+                    "ssl3=false," + \
                     "tls=true"
                 self.mdict['TOMCAT_TLS_CIPHERS_SLOT'] = \
                     "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \
diff --git a/base/server/share/conf/server.xml b/base/server/share/conf/server.xml
index 8fbdf0f7e..306ebf25b 100644
--- a/base/server/share/conf/server.xml
+++ b/base/server/share/conf/server.xml
@@ -142,6 +142,9 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
               'ssl2Ciphers'
               'ssl3Ciphers'
               'tlsCiphers'
+              'sslVersionRangeStream'
+              'sslVersionRangeDatagram'
+              'sslRangeCiphers'
               'serverCertNickFile'
               'passwordFile'
               'passwordClass'
@@ -184,12 +187,15 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
            ocspMinCacheEntryDuration="60"
            ocspMaxCacheEntryDuration="120"
            ocspTimeout="10"
-           strictCiphers="false"
+           strictCiphers="true"
            clientAuth="[PKI_AGENT_CLIENTAUTH]"
            sslOptions="[TOMCAT_SSL_OPTIONS]"
            ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
            ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
            tlsCiphers="[TOMCAT_TLS_CIPHERS]"
+           sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]"
+           sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]"
+           sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]"
            serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
            passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
            passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
diff --git a/base/server/upgrade/10.2.1/01-AddTLSRangeSupport b/base/server/upgrade/10.2.1/01-AddTLSRangeSupport
new file mode 100755
index 000000000..b5b83f465
--- /dev/null
+++ b/base/server/upgrade/10.2.1/01-AddTLSRangeSupport
@@ -0,0 +1,102 @@
+#!/usr/bin/python
+# Authors:
+#     Christina Fu <cfu@redhat.com>
+#     Endi S. Dewata <edewata@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2014 Red Hat, Inc.
+# All rights reserved.
+#
+
+import os
+from lxml import etree
+
+import pki.server.upgrade
+
+
+class AddTLSRangeSupport(pki.server.upgrade.PKIServerUpgradeScriptlet):
+
+    def __init__(self):
+
+        self.message = 'Add TLS Range Support'
+
+        self.parser = etree.XMLParser(remove_blank_text=True)
+
+
+    def upgrade_instance(self, instance):
+
+        server_xml = os.path.join(instance.conf_dir, 'server.xml') 
+        #Backup the file before modify
+        self.backup(server_xml)
+        #Parse the server.xml into an XML object
+        document = etree.parse(server_xml, self.parser)
+        #perform the upgrade in memory
+        self.add_tls_range(document)
+        #Once all changes are made, write the XML back into the same server.xml
+        #This way we're preserving any other customization that has been done
+        # to the server.xml
+        with open(server_xml, 'w') as f:
+            f.write(etree.tostring(document, pretty_print=True)) 
+
+    def add_tls_range(self, document):
+
+        # Find existing Connector
+        server = document.getroot()
+        connectors = server.findall('.//Connector')
+
+        for connector in connectors:
+ 
+            secure = connector.get('secure')
+            if secure == 'true':
+                # Update Connector's attributes
+                connector.set('strictCiphers', 'true')
+                connector.set('sslVersionRangeStream', 'tls1_0:tls1_2')
+                connector.set('sslVersionRangeDatagram', 'tls1_1:tls1_2')
+                connector.set('sslRangeCiphers',
+                    '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,' \
+                    '-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,' \
+                    '+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,' \
+                    '+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,' \
+                    '+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,' \
+                    '-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,' \
+                    '+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,' \
+                    '+TLS_RSA_WITH_3DES_EDE_CBC_SHA,' \
+                    '+TLS_RSA_WITH_AES_128_CBC_SHA,' \
+                    '+TLS_RSA_WITH_AES_256_CBC_SHA,' \
+                    '+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,' \
+                    '+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,' \
+                    '-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,' \
+                    '-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,' \
+                    '-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,' \
+                    '+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,' \
+                    '+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,' \
+                    '+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,' \
+                    '+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,' \
+                    '+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,' \
+                    '+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,' \
+                    '+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,' \
+                    '+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,' \
+                    '+TLS_RSA_WITH_AES_128_CBC_SHA256,' \
+                    '+TLS_RSA_WITH_AES_256_CBC_SHA256,' \
+                    '+TLS_RSA_WITH_AES_128_GCM_SHA256,' \
+                    '+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,' \
+                    '+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,' \
+                    '+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,' \
+                    '+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,' \
+                    '+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,' \
+                    '+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,' \
+                    '+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,' \
+                    '+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256')
+