From 025e4e643911dcb277d9d0efb0e6d7533a679e71 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Fri, 21 Nov 2014 17:30:55 -0800
Subject: Ticket 1198 Bugzilla 1158410 add TLS range support to server.xml by
 default and upgrade

---
 .../python/pki/server/deployment/pkiparser.py      | 43 +++++++++++++++++++++-
 1 file changed, 41 insertions(+), 2 deletions(-)

(limited to 'base/server/python')

diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index ea6bbffab..6086da0b1 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -903,6 +903,45 @@ class PKIConfigParser:
                     ".pid"
                 self.mdict['TOMCAT_SERVER_PORT_SLOT'] = \
                     self.mdict['pki_tomcat_server_port']
+                self.mdict['TOMCAT_SSL_VERSION_RANGE_STREAM_SLOT'] = \
+                    "tls1_0:tls1_2"
+                self.mdict['TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT'] = \
+                    "tls1_1:tls1_2"
+                self.mdict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \
+                    "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \
+                    "-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
+                    "+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," + \
+                    "+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \
+                    "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \
+                    "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \
+                    "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \
+                    "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \
+                    "+TLS_RSA_WITH_AES_128_CBC_SHA," + \
+                    "+TLS_RSA_WITH_AES_256_CBC_SHA," + \
+                    "+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
+                    "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \
+                    "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
+                    "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \
+                    "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \
+                    "+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \
+                    "+TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \
+                    "+TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \
+                    "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
+                    "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \
+                    "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \
+                    "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \
+                    "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \
+                    "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \
+                    "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \
+                    "+TLS_RSA_WITH_AES_128_GCM_SHA256," + \
+                    "+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \
+                    "+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \
+                    "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \
+                    "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
+                    "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \
+                    "+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \
+                    "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \
+                    "+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
                 self.mdict['TOMCAT_SSL2_CIPHERS_SLOT'] = \
                     "-SSL2_RC4_128_WITH_MD5," + \
                     "-SSL2_RC4_128_EXPORT40_WITH_MD5," + \
@@ -926,8 +965,8 @@ class PKIConfigParser:
                     "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \
                     "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
                 self.mdict['TOMCAT_SSL_OPTIONS_SLOT'] = \
-                    "ssl2=true," + \
-                    "ssl3=true," + \
+                    "ssl2=false," + \
+                    "ssl3=false," + \
                     "tls=true"
                 self.mdict['TOMCAT_TLS_CIPHERS_SLOT'] = \
                     "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \
-- 
cgit