From 5935b765aaeb0f30844812db057020b1aaea4559 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Fri, 14 Aug 2015 19:57:15 +0200 Subject: Ticket #1556 Weak HTTPS TLS ciphers This patch fixes the RSA ciphers that were mistakenly turned on under ECC section, and off under RSA section. A few adjustments have also been made based on Bob Relyea's feedback. A new file, /conf/ciphers.info was also created to 1. provide info on the ciphers 2. provide default rsa and ecc ciphers for admins to incorporate into earlier instances (as migration script might not be ideal due to possible customization) (cherry picked from commit 67c895851781d69343979cbcff138184803880ea) --- .../python/pki/server/deployment/pkiparser.py | 72 ++++++++++++---------- 1 file changed, 38 insertions(+), 34 deletions(-) (limited to 'base/server/python') diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py index f192cc924..229e71b31 100644 --- a/base/server/python/pki/server/deployment/pkiparser.py +++ b/base/server/python/pki/server/deployment/pkiparser.py @@ -919,42 +919,46 @@ class PKIConfigParser: "tls1_0:tls1_2" self.mdict['TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT'] = \ "tls1_1:tls1_2" + ## + # Reminder: if the following cipher lists are updated, be sure + # to remember to update pki/base/server/share/conf/ciphers.info + # accordingly + # if self.mdict['pki_ssl_server_key_type'] == "ecc": self.mdict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \ - "+TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \ - "+TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ - "+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," + \ - "+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \ - "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \ - "+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \ + "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \ + "-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ + "-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," + \ + "-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \ + "-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \ + "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \ + "-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256," + \ "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \ "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ "-TLS_RSA_WITH_AES_128_CBC_SHA," + \ "-TLS_RSA_WITH_AES_256_CBC_SHA," + \ "+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \ - "+TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ - "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \ - "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ + "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ + "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \ "-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \ "-TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \ "-TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \ + "-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \ "-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ "-TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \ "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \ "-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \ "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \ + "-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \ "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \ "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \ "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \ - "-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \ - "-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \ "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \ - "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ - "+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \ - "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ - "+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" + "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ + "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ + "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" else: self.mdict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \ "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \ @@ -963,34 +967,34 @@ class PKIConfigParser: "-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \ "-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \ "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \ + "-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \ + "-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256," +\ "-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \ - "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ - "+TLS_RSA_WITH_AES_128_CBC_SHA," + \ - "+TLS_RSA_WITH_AES_256_CBC_SHA," + \ "-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ "-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \ - "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ - "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \ - "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ + "+TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ + "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \ + "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ "-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \ "-TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \ "-TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \ - "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ - "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \ - "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \ - "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \ - "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \ - "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \ - "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \ - "+TLS_RSA_WITH_AES_128_GCM_SHA256," + \ - "+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \ + "-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ + "-TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \ + "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \ + "-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \ + "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \ + "-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \ "-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \ "-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \ - "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ + "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ "-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ - "-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \ - "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ - "-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" + "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ + "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \ + "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \ + "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \ + "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ + "+TLS_RSA_WITH_AES_128_CBC_SHA," + \ + "+TLS_RSA_WITH_AES_256_CBC_SHA" self.mdict['TOMCAT_SSL2_CIPHERS_SLOT'] = \ "-SSL2_RC4_128_WITH_MD5," + \ "-SSL2_RC4_128_EXPORT40_WITH_MD5," + \ -- cgit