-rw-r--r-- | base/server/python/pki/server/deployment/pkiparser.py | 72 | ||||
-rw-r--r-- | base/server/share/conf/ciphers.info | 66 | ||||
-rw-r--r-- | base/server/tomcat7/conf/server.xml | 3 | ||||
-rw-r--r-- | base/server/tomcat8/conf/server.xml | 3 |
4 files changed, 110 insertions, 34 deletions
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py index f192cc924..229e71b31 100644 --- a/base/server/python/pki/server/deployment/pkiparser.py +++ b/base/server/python/pki/server/deployment/pkiparser.py 
@@ -919,42 +919,46 @@ class PKIConfigParser: "tls1_0:tls1_2" self.mdict['TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT'] = \ "tls1_1:tls1_2" + ## + # Reminder: if the following cipher lists are updated, be sure + # to remember to update pki/base/server/share/conf/ciphers.info + # accordingly + # if self.mdict['pki_ssl_server_key_type'] == "ecc": self.mdict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \ - "+TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \ - "+TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ - "+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," + \ - "+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \ - "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \ - "+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \ + "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \ + "-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ + "-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," + \ + "-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \ + "-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \ + "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \ + "-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256," + \ "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \ "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ "-TLS_RSA_WITH_AES_128_CBC_SHA," + \ "-TLS_RSA_WITH_AES_256_CBC_SHA," + \ "+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \ - "+TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ - "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \ - "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ + "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ + "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \ "-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \ "-TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \ "-TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \ + "-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \ "-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ "-TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \ "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \ "-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \ "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \ + "-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \ "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \ "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \ "-TLS_RSA_WITH_AES_128_GCM_SHA256," 
+ \ - "-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \ - "-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \ "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \ - "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ - "+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \ - "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ - "+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" + "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ + "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ + "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" else: self.mdict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \ "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \ 
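Review bot: The new ECC list has no entry at all for TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: the old `+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256` line is deleted and only `-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256` is added, whereas the RSA branch lists both with `-`. Without an explicit sign, whether that suite can still be negotiated presumably depends on the default of whatever parses sslRangeCiphers, which is not visible here. If the intent is to turn off the static-ECDH suites, add `"-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \` next to the ECDH_RSA GCM entry and mirror it in the ECC line of ciphers.info, which has the same gap. The enclosing method starts and ends outside this hunk.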
@@ -963,34 +967,34 @@ class PKIConfigParser: "-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \ "-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \ "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \ + "-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \ + "-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256," +\ "-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \ - "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ - "+TLS_RSA_WITH_AES_128_CBC_SHA," + \ - "+TLS_RSA_WITH_AES_256_CBC_SHA," + \ "-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ "-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \ - "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ - "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \ - "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ + "+TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ + "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \ + "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ "-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \ "-TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \ "-TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \ - "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ - "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \ - "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \ - "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \ - "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \ - "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \ - "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \ - "+TLS_RSA_WITH_AES_128_GCM_SHA256," + \ - "+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \ + "-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ + "-TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \ + "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \ + "-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \ + "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \ + "-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \ "-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \ "-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \ - "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ + "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ "-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ - "-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \ - "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ - "-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" + "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," 
+ \ + "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \ + "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \ + "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \ + "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ + "+TLS_RSA_WITH_AES_128_CBC_SHA," + \ + "+TLS_RSA_WITH_AES_256_CBC_SHA" self.mdict['TOMCAT_SSL2_CIPHERS_SLOT'] = \ "-SSL2_RC4_128_WITH_MD5," + \ "-SSL2_RC4_128_EXPORT40_WITH_MD5," + \ diff --git a/base/server/share/conf/ciphers.info b/base/server/share/conf/ciphers.info new file mode 100644 index 000000000..998c51e98 --- /dev/null +++ b/base/server/share/conf/ciphers.info 
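Review bot: The RSA default ends with `-TLS_RSA_WITH_AES_128_CBC_SHA256`, `-TLS_RSA_WITH_AES_256_CBC_SHA256` and `-TLS_RSA_WITH_AES_128_GCM_SHA256` while `+TLS_RSA_WITH_3DES_EDE_CBC_SHA` and `+TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA` stay enabled, so a static-RSA client gets 3DES or CBC-SHA1 but never AES-GCM. That also contradicts the ciphers.info header added in this same commit, which names those three SHA256 suites as "on by default". Either flip the three entries to `+` or correct the ciphers.info text, and if 3DES is kept only for legacy clients, say so in a comment above the list. Minor style point: the new `"-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256," +\` line lacks the space before the backslash used on every other line. The enclosing block starts and ends outside the hunk.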
@@ -0,0 +1,66 @@
+##
+# BEGIN COPYRIGHT BLOCK
+# Copyright (C) 2015 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+#
+# This file contains the default sslRangeCiphers that come with this version of
+# the PKI software in its <instance>/conf/server.xml file.
+# Depending on which kind of SSL server you have, you want to reference the
+# corresponding cipher suite for making adjustments to your instance server.xml.
+#
+#
+# About the TLS range related parameters:
+# 'sslVersionRangeStream'
+# 'sslVersionRangeDatagram'
+# 'sslRangeCiphers'
+# The sslVersionRangeStream and sslVersionRangeDatagram by default
+# contains values that are supported by the native NSS. Changes can
+# be made to restrict or relax the support.
+# The sslRangeCiphers by default conatins a list of ciphers best
+# for the type of the server installed. Changes can be made to suit
+# each site's needs.
+# Although TLS1.2 ciphers (SHA256) are preferred, many older clients
+# do not support them. For example,
+# the following "preferred modern" ciphers are on by default, and by
+# simply limiting the sslVersionRange* parameters, they can be turned off.
+# TLS_RSA_WITH_AES_128_CBC_SHA256,
+# TLS_RSA_WITH_AES_256_CBC_SHA256,
+# TLS_RSA_WITH_AES_128_GCM_SHA256,
+# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+# TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+# The following ciphers are supported in rhel7.2 or greater, and they
+# are off by default, and can be turned on by sites running rhel7.2 or
+# greater:
+# TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+# TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+# TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+# TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+# TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+# TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+# Although the following (somewhat weaker ciphers, in CBC mode), though
+# adaquate for the CS operations, they can be turned off if needed:
+# TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+# TLS_RSA_WITH_AES_128_CBC_SHA,
+# TLS_RSA_WITH_AES_256_CBC_SHA,
+# TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+# Note: In an EC CS server setup, you will see by default that the
+# following RSA ciphers are left on. Those are used for installation
+# where the actual systems certs have not yet been crated, and a
+# temporary RSA ssl server cert is at play.
+# Those can be turned off manually by sites.
+# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+# These ciphers might be removed by the installation script in some
+# future release.
+# +## +# For RSA servers: + sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA" +# +# +# For ECC servers: + 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" diff --git a/base/server/tomcat7/conf/server.xml b/base/server/tomcat7/conf/server.xml index d944d324b..7deb8a201 100644 --- a/base/server/tomcat7/conf/server.xml +++ b/base/server/tomcat7/conf/server.xml @@ -179,6 +179,9 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt ocspTimeout -sets OCSP timeout in seconds + + See <instance dir>/conf/ciphers.info + About the TLS range related parameters --> <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true" maxHttpHeaderSize="8192" 
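Review bot: ciphers.info is a hand-maintained copy of the two strings built in pkiparser.py, and the only thing tying them together is the reminder comment added there, so this reference file can silently drift from what is actually written into server.xml. A small test that compares the two `sslRangeCiphers` values in this file with the strings assembled in pkiparser.py would catch that; generating the file from the same values at install time would remove the duplication. The header comment also needs a spelling pass: `conatins`, `adaquate` and `crated`.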
diff --git a/base/server/tomcat8/conf/server.xml b/base/server/tomcat8/conf/server.xml index 2c2536b7f..7c74d7ced 100644 --- a/base/server/tomcat8/conf/server.xml +++ b/base/server/tomcat8/conf/server.xml @@ -198,6 +198,9 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt ocspTimeout -sets OCSP timeout in seconds + + See <instance dir>/conf/ciphers.info + About the TLS range related parameters --> <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" |