diff options
| -rw-r--r-- | base/server/python/pki/server/deployment/pkiparser.py | 20 | ||||
| -rw-r--r-- | base/server/share/conf/ciphers.info | 24 |
2 files changed, 26 insertions, 18 deletions
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py index 425b71034..e5e02a09e 100644 --- a/base/server/python/pki/server/deployment/pkiparser.py +++ b/base/server/python/pki/server/deployment/pkiparser.py @@ -938,7 +938,7 @@ class PKIConfigParser: "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \ "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ "-TLS_RSA_WITH_AES_128_CBC_SHA," + \ - "-TLS_RSA_WITH_AES_256_CBC_SHA," + \ + "+TLS_RSA_WITH_AES_256_CBC_SHA," + \ "+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \ "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ @@ -954,13 +954,13 @@ class PKIConfigParser: "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \ "-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \ "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \ - "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \ + "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \ "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \ "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \ "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ - "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ - "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ - "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" + "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ + "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ + "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" else: self.mdict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \ "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \ @@ -974,9 +974,9 @@ class PKIConfigParser: "-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \ "-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ "-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \ - "+TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ - "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \ - "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ + "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ + "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \ + "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ "-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \ "-TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \ "-TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \ @@ -988,9 +988,9 @@ class PKIConfigParser: "-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \ "-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \ "-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \ - "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ + "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ "-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ - "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ + "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \ "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \ "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \ diff --git a/base/server/share/conf/ciphers.info b/base/server/share/conf/ciphers.info index 998c51e98..69aaeaa67 100644 --- a/base/server/share/conf/ciphers.info +++ b/base/server/share/conf/ciphers.info @@ -27,10 +27,20 @@ # TLS_RSA_WITH_AES_128_CBC_SHA256, # TLS_RSA_WITH_AES_256_CBC_SHA256, # TLS_RSA_WITH_AES_128_GCM_SHA256, -# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, # TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, -# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, # TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 +# The TLS_ECDHE_RSA_* ciphers provide Perfect Forward Secrecy, +# which, while provide added security to the already secure and adequate +# TLS_RSA_* ciphers, requries 3 times longer to establish SSL sessions. +# In our testing environment, some HSM might also have issues providing +# subsystem->subsystem SSL handshake. We are therefore turning them +# off by default. One can enable them manually by turning the "-" to +# "+" under sslRangeCiphers and restart the subsystem. +# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, +# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, +# TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, +# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, +# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA # The following ciphers are supported in rhel7.2 or greater, and they # are off by default, and can be turned on by sites running rhel7.2 or # greater: @@ -45,22 +55,20 @@ # TLS_RSA_WITH_3DES_EDE_CBC_SHA, # TLS_RSA_WITH_AES_128_CBC_SHA, # TLS_RSA_WITH_AES_256_CBC_SHA, -# TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA # Note: In an EC CS server setup, you will see by default that the # following RSA ciphers are left on. Those are used for installation # where the actual systems certs have not yet been crated, and a # temporary RSA ssl server cert is at play. # Those can be turned off manually by sites. -# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, -# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, -# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 +# TLS_RSA_WITH_AES_256_CBC_SHA256, +# TLS_RSA_WITH_AES_128_GCM_SHA256 # These ciphers might be removed by the installation script in some # future release. # ## # For RSA servers: - sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA" + sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA" # # # For ECC servers: - sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" + sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" |