summaryrefslogtreecommitdiffstats
path: root/base/server
diff options
context:
space:
mode:
Diffstat (limited to 'base/server')
-rw-r--r--base/server/python/pki/server/deployment/pkiparser.py72
-rw-r--r--base/server/share/conf/ciphers.info66
-rw-r--r--base/server/tomcat7/conf/server.xml3
-rw-r--r--base/server/tomcat8/conf/server.xml3
4 files changed, 110 insertions, 34 deletions
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index c1b6be395..425b71034 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -921,42 +921,46 @@ class PKIConfigParser:
"tls1_0:tls1_2"
self.mdict['TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT'] = \
"tls1_1:tls1_2"
+ ##
+ # Reminder: if the following cipher lists are updated, be sure
+ # to remember to update pki/base/server/share/conf/ciphers.info
+ # accordingly
+ #
if self.mdict['pki_ssl_server_key_type'] == "ecc":
self.mdict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \
- "+TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \
- "+TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
- "+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," + \
- "+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \
- "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \
- "+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \
+ "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \
+ "-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
+ "-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," + \
+ "-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \
+ "-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \
+ "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \
+ "-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256," + \
"+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \
"-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \
"-TLS_RSA_WITH_AES_128_CBC_SHA," + \
"-TLS_RSA_WITH_AES_256_CBC_SHA," + \
"+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
"+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \
- "+TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
- "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \
- "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \
+ "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
+ "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \
"-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \
"-TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \
"-TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \
+ "-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \
"-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
"-TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \
"-TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \
"-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \
"-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \
+ "-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \
"-TLS_RSA_WITH_AES_128_CBC_SHA256," + \
"-TLS_RSA_WITH_AES_256_CBC_SHA256," + \
"-TLS_RSA_WITH_AES_128_GCM_SHA256," + \
- "-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \
- "-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \
"+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \
- "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
"+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \
- "+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \
- "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \
- "+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
+ "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \
+ "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
+ "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
else:
self.mdict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \
"-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \
@@ -965,34 +969,34 @@ class PKIConfigParser:
"-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \
"-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \
"-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \
+ "-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \
+ "-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256," +\
"-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \
- "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \
- "+TLS_RSA_WITH_AES_128_CBC_SHA," + \
- "+TLS_RSA_WITH_AES_256_CBC_SHA," + \
"-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
"-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \
- "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
- "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \
- "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \
+ "+TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
+ "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \
+ "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \
"-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \
"-TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \
"-TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \
- "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
- "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \
- "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \
- "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \
- "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \
- "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \
- "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \
- "+TLS_RSA_WITH_AES_128_GCM_SHA256," + \
- "+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \
+ "-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
+ "-TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \
+ "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \
+ "-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \
+ "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \
+ "-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \
"-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \
"-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \
- "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
+ "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
"-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \
- "-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \
- "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \
- "-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
+ "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \
+ "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \
+ "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \
+ "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \
+ "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \
+ "+TLS_RSA_WITH_AES_128_CBC_SHA," + \
+ "+TLS_RSA_WITH_AES_256_CBC_SHA"
self.mdict['TOMCAT_SSL2_CIPHERS_SLOT'] = \
"-SSL2_RC4_128_WITH_MD5," + \
"-SSL2_RC4_128_EXPORT40_WITH_MD5," + \
diff --git a/base/server/share/conf/ciphers.info b/base/server/share/conf/ciphers.info
new file mode 100644
index 000000000..998c51e98
--- /dev/null
+++ b/base/server/share/conf/ciphers.info
@@ -0,0 +1,66 @@
+##
+# BEGIN COPYRIGHT BLOCK
+# Copyright (C) 2015 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+#
+# This file contains the default sslRangeCiphers that come with this version of
+# the PKI software in its <instance>/conf/server.xml file.
+# Depending on which kind of SSL server you have, you want to reference the
+# corresponding cipher suite for making adjustments to your instance server.xml.
+#
+#
+# About the TLS range related parameters:
+# 'sslVersionRangeStream'
+# 'sslVersionRangeDatagram'
+# 'sslRangeCiphers'
+# The sslVersionRangeStream and sslVersionRangeDatagram by default
+# contains values that are supported by the native NSS. Changes can
+# be made to restrict or relax the support.
+# The sslRangeCiphers by default conatins a list of ciphers best
+# for the type of the server installed. Changes can be made to suit
+# each site's needs.
+# Although TLS1.2 ciphers (SHA256) are preferred, many older clients
+# do not support them. For example,
+# the following "preferred modern" ciphers are on by default, and by
+# simply limiting the sslVersionRange* parameters, they can be turned off.
+# TLS_RSA_WITH_AES_128_CBC_SHA256,
+# TLS_RSA_WITH_AES_256_CBC_SHA256,
+# TLS_RSA_WITH_AES_128_GCM_SHA256,
+# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+# TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+# The following ciphers are supported in rhel7.2 or greater, and they
+# are off by default, and can be turned on by sites running rhel7.2 or
+# greater:
+# TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+# TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+# TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+# TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+# TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+# TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+# Although the following (somewhat weaker ciphers, in CBC mode), though
+# adaquate for the CS operations, they can be turned off if needed:
+# TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+# TLS_RSA_WITH_AES_128_CBC_SHA,
+# TLS_RSA_WITH_AES_256_CBC_SHA,
+# TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+# Note: In an EC CS server setup, you will see by default that the
+# following RSA ciphers are left on. Those are used for installation
+# where the actual systems certs have not yet been crated, and a
+# temporary RSA ssl server cert is at play.
+# Those can be turned off manually by sites.
+# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+# These ciphers might be removed by the installation script in some
+# future release.
+#
+##
+# For RSA servers:
+ sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA"
+#
+#
+# For ECC servers:
+ sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
diff --git a/base/server/tomcat7/conf/server.xml b/base/server/tomcat7/conf/server.xml
index d944d324b..7deb8a201 100644
--- a/base/server/tomcat7/conf/server.xml
+++ b/base/server/tomcat7/conf/server.xml
@@ -179,6 +179,9 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt
ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt
ocspTimeout -sets OCSP timeout in seconds
+
+ See <instance dir>/conf/ciphers.info
+ About the TLS range related parameters
-->
<Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
maxHttpHeaderSize="8192"
diff --git a/base/server/tomcat8/conf/server.xml b/base/server/tomcat8/conf/server.xml
index 2c2536b7f..7c74d7ced 100644
--- a/base/server/tomcat8/conf/server.xml
+++ b/base/server/tomcat8/conf/server.xml
@@ -198,6 +198,9 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt
ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt
ocspTimeout -sets OCSP timeout in seconds
+
+ See <instance dir>/conf/ciphers.info
+ About the TLS range related parameters
-->
<Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]"
port="[PKI_SECURE_PORT]"
generated by cgit (git 2.34.1) at 2024-06-19 04:43:07 +0000