diff options
author | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2011-08-26 00:02:29 +0000 |
---|---|---|
committer | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2011-08-26 00:02:29 +0000 |
commit | 4f6928cc0493ede41e90b6fa4e1cde570bd17336 (patch) | |
tree | f73d03580d02af6455a388366474cdc98c4e0819 /pki/base/tps | |
parent | e90d291d9a737369587711eb6a879d700a3c5d7b (diff) | |
download | pki-4f6928cc0493ede41e90b6fa4e1cde570bd17336.tar.gz pki-4f6928cc0493ede41e90b6fa4e1cde570bd17336.tar.xz pki-4f6928cc0493ede41e90b6fa4e1cde570bd17336.zip |
Bugzilla 730146 - SSL handshake picks non-FIPS ciphers in FIPS mode
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2180 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/tps')
-rw-r--r-- | pki/base/tps/apache/conf/nss.conf | 12 | ||||
-rw-r--r-- | pki/base/tps/src/httpClient/engine.cpp | 48 | ||||
-rw-r--r-- | pki/base/tps/src/include/httpClient/httpc/engine.h | 1 |
3 files changed, 61 insertions, 0 deletions
diff --git a/pki/base/tps/apache/conf/nss.conf b/pki/base/tps/apache/conf/nss.conf index 2e0b0ecae..314df040d 100644 --- a/pki/base/tps/apache/conf/nss.conf +++ b/pki/base/tps/apache/conf/nss.conf @@ -92,10 +92,16 @@ TransferLog [SERVER_ROOT]/logs/access_log # Enable/Disable SSL for this virtual host. NSSEngine on +# FIPS Switch: +# Enable/Disable FIPS mode +# NSSFIPS on + # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_nss documentation for a complete list. NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha +# SSL cipher suite in FIPS mode: +# NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha NSSProtocol SSLv3,TLSv1 @@ -187,10 +193,16 @@ TransferLog [SERVER_ROOT]/logs/access_log # Enable/Disable SSL for this virtual host. NSSEngine on +# FIPS Switch: +# Enable/Disable FIPS mode +# NSSFIPS on + # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_nss documentation for a complete list. NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha +# SSL cipher suite in FIPS mode: +# NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha NSSProtocol SSLv3,TLSv1 diff --git a/pki/base/tps/src/httpClient/engine.cpp b/pki/base/tps/src/httpClient/engine.cpp index 46efe42d3..621a37244 100644 --- a/pki/base/tps/src/httpClient/engine.cpp +++ b/pki/base/tps/src/httpClient/engine.cpp @@ -182,6 +182,24 @@ int ssl3Suites[] = { 0 }; +int tlsSuites[] = { +// TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, +// TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, +// TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_AES_128_CBC_SHA, + TLS_RSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, +// TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, +// TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, +// TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA +}; + void disableAllCiphersOnSocket(PRFileDesc* sock) { int i; int numsuites = SSL_NumImplementedCiphers; @@ -199,6 +217,13 @@ void __EXPORT EnableAllSSL3Ciphers(PRFileDesc* sock) { } } +void __EXPORT EnableAllTLSCiphers(PRFileDesc* sock) { + int i =0; + while (tlsSuites[i]) { + SSL_CipherPrefSet(sock, tlsSuites[i++], SSL_ALLOWED); + } +} + PRBool __EXPORT EnableCipher(const char* cipherString) { int ndx; @@ -504,6 +529,18 @@ void nodelay(PRFileDesc* fd) { } +void __EXPORT setDefaultAllTLSCiphers() { + int i =0; + char alg[256]; + while (tlsSuites[i]) { + PR_snprintf((char *)alg, 256, "%x", tlsSuites[i]); + RA::Debug( LL_PER_PDU, + "setDefaultAllTLSCiphers", + alg); + SSL_CipherPrefSetDefault(tlsSuites[i++], PR_TRUE); + } +} + /** * Returns a file descriptor for I/O if the HTTP connection is successful * @param addr PRnetAddr structure which points to the server to connect to @@ -521,6 +558,7 @@ PRFileDesc * Engine::_doConnect(PRNetAddr *addr, PRBool SSLOn, PRFileDesc *sock = NULL; SSL_CipherPrefSetDefault(0xC005 /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */, PR_TRUE); + setDefaultAllTLSCiphers(); tcpsock = PR_OpenTCPSocket(addr->raw.family); @@ -547,6 +585,9 @@ PRFileDesc * Engine::_doConnect(PRNetAddr *addr, PRBool SSLOn, nodelay(tcpsock); if (PR_TRUE == SSLOn) { + RA::Debug( LL_PER_PDU, + "Engine::_doConnect: ", + "SSL is ON" ); sock=SSL_ImportFD(NULL, tcpsock); if (!sock) { //xxx log @@ -635,8 +676,15 @@ PRFileDesc * Engine::_doConnect(PRNetAddr *addr, PRBool SSLOn, return NULL; } + RA::Debug( LL_PER_PDU, + "Engine::_doConnect: ", + "end SSL is ON" ); + //EnableAllTLSCiphers( sock); //EnableAllSSL3Ciphers( sock); } else { + RA::Debug( LL_PER_PDU, + "Engine::_doConnect: ", + "SSL is OFF" ); sock = tcpsock; } diff --git a/pki/base/tps/src/include/httpClient/httpc/engine.h b/pki/base/tps/src/include/httpClient/httpc/engine.h index 73881ed81..9a57b024e 100644 --- a/pki/base/tps/src/include/httpClient/httpc/engine.h +++ b/pki/base/tps/src/include/httpClient/httpc/engine.h @@ -71,6 +71,7 @@ PRBool __EXPORT InitSecurity(char* dbpath, char* certname, char* certpassword, char * prefix ,int verify=1); PRBool __EXPORT EnableCipher(const char* ciphername); void __EXPORT EnableAllSSL3Ciphers(); +void __EXPORT EnableAllTLSCiphers(); __EXPORT const char * nscperror_lookup(int error); #endif |