diff options
| author | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2011-08-26 00:02:29 +0000 |
|---|---|---|
| committer | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2011-08-26 00:02:29 +0000 |
| commit | 4f6928cc0493ede41e90b6fa4e1cde570bd17336 (patch) | |
| tree | f73d03580d02af6455a388366474cdc98c4e0819 | |
| parent | e90d291d9a737369587711eb6a879d700a3c5d7b (diff) | |
| download | pki-4f6928cc0493ede41e90b6fa4e1cde570bd17336.tar.gz pki-4f6928cc0493ede41e90b6fa4e1cde570bd17336.tar.xz pki-4f6928cc0493ede41e90b6fa4e1cde570bd17336.zip | |
Bugzilla 730146 - SSL handshake picks non-FIPS ciphers in FIPS mode
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2180 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| -rw-r--r-- | pki/base/ca/shared/conf/server.xml | 12 | ||||
| -rw-r--r-- | pki/base/common/src/com/netscape/cmscore/security/JssSubsystem.java | 18 | ||||
| -rw-r--r-- | pki/base/kra/shared/conf/server.xml | 9 | ||||
| -rw-r--r-- | pki/base/native-tools/src/sslget/sslget.c | 16 | ||||
| -rw-r--r-- | pki/base/ocsp/shared/conf/server.xml | 9 | ||||
| -rwxr-xr-x | pki/base/setup/pkicreate | 20 | ||||
| -rw-r--r-- | pki/base/tks/shared/conf/server.xml | 9 | ||||
| -rw-r--r-- | pki/base/tps/apache/conf/nss.conf | 12 | ||||
| -rw-r--r-- | pki/base/tps/src/httpClient/engine.cpp | 48 | ||||
| -rw-r--r-- | pki/base/tps/src/include/httpClient/httpc/engine.h | 1 | ||||
| -rw-r--r-- | pki/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java | 12 |
11 files changed, 140 insertions, 26 deletions
diff --git a/pki/base/ca/shared/conf/server.xml b/pki/base/ca/shared/conf/server.xml index 5984d491..4056fbbb 100644 --- a/pki/base/ca/shared/conf/server.xml +++ b/pki/base/ca/shared/conf/server.xml @@ -129,11 +129,12 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) ocspMinCacheEntryDuration="60" ocspMaxCacheEntryDuration="120" ocspTimeout="10" + strictCiphers="false" clientAuth="[PKI_AGENT_CLIENTAUTH]" sslOptions="[TOMCAT_SSL_OPTIONS]" ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" - tls3Ciphers="[TOMCAT_TLS3_CIPHERS]" + tlsCiphers="[TOMCAT_TLS_CIPHERS]" serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" @@ -147,11 +148,12 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + strictCiphers="false" clientAuth="false" sslOptions="[TOMCAT_SSL_OPTIONS]" ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" - tls3Ciphers="[TOMCAT_TLS3_CIPHERS]" + tlsCiphers="[TOMCAT_TLS_CIPHERS]" serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" @@ -164,11 +166,12 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + strictCiphers="false" clientAuth="false" sslOptions="[TOMCAT_SSL_OPTIONS]" ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" - tls3Ciphers="[TOMCAT_TLS3_CIPHERS]" + tlsCiphers="[TOMCAT_TLS_CIPHERS]" serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" @@ -181,11 +184,12 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + strictCiphers="false" clientAuth="true" sslOptions="[TOMCAT_SSL_OPTIONS]" ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" - tls3Ciphers="[TOMCAT_TLS3_CIPHERS]" + tlsCiphers="[TOMCAT_TLS_CIPHERS]" serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" diff --git a/pki/base/common/src/com/netscape/cmscore/security/JssSubsystem.java b/pki/base/common/src/com/netscape/cmscore/security/JssSubsystem.java index 13b08024..f9d8114c 100644 --- a/pki/base/common/src/com/netscape/cmscore/security/JssSubsystem.java +++ b/pki/base/common/src/com/netscape/cmscore/security/JssSubsystem.java @@ -103,11 +103,18 @@ public final class JssSubsystem implements ICryptoSubsystem { /* default sslv2 and sslv3 cipher suites(all), set if no prefs in config.*/ private static final String DEFAULT_CIPHERPREF = - "rc4export,rc2export,rc4,rc2,des,desede3," + - "rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha," + - "rsa_rc4_128_md5,rsa_3des_sha,rsa_fips_des_sha," + - "rsa_fips_3des_sha,fortezza,fortezza_rc4_128_sha," + - "fortezza_null,rsa_null_md5"; + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + + "TLS_RSA_WITH_AES_128_CBC_SHA," + + "TLS_RSA_WITH_AES_256_CBC_SHA," + + "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + +// "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + +// "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + +// "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + + "TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"; /* list of all ciphers JSS supports */ private static final int mJSSCipherSuites[] = { @@ -403,6 +410,7 @@ public final class JssSubsystem implements ICryptoSubsystem { } } } + } /** diff --git a/pki/base/kra/shared/conf/server.xml b/pki/base/kra/shared/conf/server.xml index d7df4b13..fcd849ef 100644 --- a/pki/base/kra/shared/conf/server.xml +++ b/pki/base/kra/shared/conf/server.xml @@ -128,11 +128,12 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) ocspMinCacheEntryDuration="60" ocspMaxCacheEntryDuration="120" ocspTimeout="10" + strictCiphers="false" clientAuth="[PKI_AGENT_CLIENTAUTH]" sslOptions="[TOMCAT_SSL_OPTIONS]" ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" - tls3Ciphers="[TOMCAT_TLS3_CIPHERS]" + tlsCiphers="[TOMCAT_TLS_CIPHERS]" serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" @@ -146,11 +147,12 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + strictCiphers="false" clientAuth="false" sslOptions="[TOMCAT_SSL_OPTIONS]" ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" - tls3Ciphers="[TOMCAT_TLS3_CIPHERS]" + tlsCiphers="[TOMCAT_TLS_CIPHERS]" serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" @@ -163,11 +165,12 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + strictCiphers="false" clientAuth="false" sslOptions="[TOMCAT_SSL_OPTIONS]" ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" - tls3Ciphers="[TOMCAT_TLS3_CIPHERS]" + tlsCiphers="[TOMCAT_TLS_CIPHERS]" serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" diff --git a/pki/base/native-tools/src/sslget/sslget.c b/pki/base/native-tools/src/sslget/sslget.c index f08b4cd9..5f4d448d 100644 --- a/pki/base/native-tools/src/sslget/sslget.c +++ b/pki/base/native-tools/src/sslget/sslget.c @@ -521,7 +521,23 @@ client_main( NSS_SetDomesticPolicy(); /* all the SSL2 and SSL3 cipher suites are enabled by default. */ + + /* enable FIPS ciphers */ + SSL_CipherPrefSetDefault(0xc004 /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0xc003 /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */, PR_TRUE); SSL_CipherPrefSetDefault(0xC005 /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0xc00a /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0x2f /* TLS_RSA_WITH_AES_128_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0x35 /* TLS_RSA_WITH_AES_256_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0xc008 /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0xc009 /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0xc012 /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0xc013 /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0xc014 /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0x32 /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0x38 /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0x33 /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0x39 /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */, PR_TRUE); /* * Rifle through the values for the host diff --git a/pki/base/ocsp/shared/conf/server.xml b/pki/base/ocsp/shared/conf/server.xml index ff33b9aa..6217ce1d 100644 --- a/pki/base/ocsp/shared/conf/server.xml +++ b/pki/base/ocsp/shared/conf/server.xml @@ -128,11 +128,12 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) ocspMinCacheEntryDuration="60" ocspMaxCacheEntryDuration="120" ocspTimeout="10" + strictCiphers="false" clientAuth="[PKI_AGENT_CLIENTAUTH]" sslOptions="[TOMCAT_SSL_OPTIONS]" ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" - tls3Ciphers="[TOMCAT_TLS3_CIPHERS]" + tlsCiphers="[TOMCAT_TLS_CIPHERS]" serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" @@ -146,11 +147,12 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + strictCiphers="false" clientAuth="false" sslOptions="[TOMCAT_SSL_OPTIONS]" ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" - tls3Ciphers="[TOMCAT_TLS3_CIPHERS]" + tlsCiphers="[TOMCAT_TLS_CIPHERS]" serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" @@ -163,11 +165,12 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + strictCiphers="false" clientAuth="false" sslOptions="[TOMCAT_SSL_OPTIONS]" ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" - tls3Ciphers="[TOMCAT_TLS3_CIPHERS]" + tlsCiphers="[TOMCAT_TLS_CIPHERS]" serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" diff --git a/pki/base/setup/pkicreate b/pki/base/setup/pkicreate index ed069e36..b6f8a493 100755 --- a/pki/base/setup/pkicreate +++ b/pki/base/setup/pkicreate @@ -306,7 +306,7 @@ my $TOMCAT_CFG = "TOMCAT_CFG"; my $TOMCAT_SSL_OPTIONS = "TOMCAT_SSL_OPTIONS"; my $TOMCAT_SSL2_CIPHERS = "TOMCAT_SSL2_CIPHERS"; my $TOMCAT_SSL3_CIPHERS = "TOMCAT_SSL3_CIPHERS"; -my $TOMCAT_TLS3_CIPHERS = "TOMCAT_TLS3_CIPHERS"; +my $TOMCAT_TLS_CIPHERS = "TOMCAT_TLS_CIPHERS"; my $TOMCAT_INSTANCE_COMMON_LIB = "TOMCAT_INSTANCE_COMMON_LIB"; my $TOMCAT_LOG_DIR = "TOMCAT_LOG_DIR"; my $PKI_INSTANCE_INITSCRIPT = "PKI_INSTANCE_INITSCRIPT"; @@ -2520,13 +2520,17 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so . "-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA," . "-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA," . "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"; - $slot_hash{$TOMCAT_TLS3_CIPHERS} = "-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA," - . "+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5," - . "+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA," - . "-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA," - . "-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA," - . "-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA," - . "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"; + $slot_hash{$TOMCAT_TLS_CIPHERS} = "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + . "+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + . "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + . "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA," + . "+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA," + . "+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + . "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + . "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + . "+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + . "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + . "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"; $slot_hash{$TOMCAT_INSTANCE_COMMON_LIB} = "$tomcat_instance_common_lib_path/*.jar"; if (!$redirected_logs_path) { $slot_hash{$TOMCAT_LOG_DIR} = $logs_instance_path; diff --git a/pki/base/tks/shared/conf/server.xml b/pki/base/tks/shared/conf/server.xml index ff33b9aa..6217ce1d 100644 --- a/pki/base/tks/shared/conf/server.xml +++ b/pki/base/tks/shared/conf/server.xml @@ -128,11 +128,12 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) ocspMinCacheEntryDuration="60" ocspMaxCacheEntryDuration="120" ocspTimeout="10" + strictCiphers="false" clientAuth="[PKI_AGENT_CLIENTAUTH]" sslOptions="[TOMCAT_SSL_OPTIONS]" ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" - tls3Ciphers="[TOMCAT_TLS3_CIPHERS]" + tlsCiphers="[TOMCAT_TLS_CIPHERS]" serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" @@ -146,11 +147,12 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + strictCiphers="false" clientAuth="false" sslOptions="[TOMCAT_SSL_OPTIONS]" ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" - tls3Ciphers="[TOMCAT_TLS3_CIPHERS]" + tlsCiphers="[TOMCAT_TLS_CIPHERS]" serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" @@ -163,11 +165,12 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + strictCiphers="false" clientAuth="false" sslOptions="[TOMCAT_SSL_OPTIONS]" ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" - tls3Ciphers="[TOMCAT_TLS3_CIPHERS]" + tlsCiphers="[TOMCAT_TLS_CIPHERS]" serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" diff --git a/pki/base/tps/apache/conf/nss.conf b/pki/base/tps/apache/conf/nss.conf index 2e0b0eca..314df040 100644 --- a/pki/base/tps/apache/conf/nss.conf +++ b/pki/base/tps/apache/conf/nss.conf @@ -92,10 +92,16 @@ TransferLog [SERVER_ROOT]/logs/access_log # Enable/Disable SSL for this virtual host. NSSEngine on +# FIPS Switch: +# Enable/Disable FIPS mode +# NSSFIPS on + # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_nss documentation for a complete list. NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha +# SSL cipher suite in FIPS mode: +# NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha NSSProtocol SSLv3,TLSv1 @@ -187,10 +193,16 @@ TransferLog [SERVER_ROOT]/logs/access_log # Enable/Disable SSL for this virtual host. NSSEngine on +# FIPS Switch: +# Enable/Disable FIPS mode +# NSSFIPS on + # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_nss documentation for a complete list. NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha +# SSL cipher suite in FIPS mode: +# NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha NSSProtocol SSLv3,TLSv1 diff --git a/pki/base/tps/src/httpClient/engine.cpp b/pki/base/tps/src/httpClient/engine.cpp index 46efe42d..621a3724 100644 --- a/pki/base/tps/src/httpClient/engine.cpp +++ b/pki/base/tps/src/httpClient/engine.cpp @@ -182,6 +182,24 @@ int ssl3Suites[] = { 0 }; +int tlsSuites[] = { +// TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, +// TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, +// TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_AES_128_CBC_SHA, + TLS_RSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, +// TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, +// TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, +// TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA +}; + void disableAllCiphersOnSocket(PRFileDesc* sock) { int i; int numsuites = SSL_NumImplementedCiphers; @@ -199,6 +217,13 @@ void __EXPORT EnableAllSSL3Ciphers(PRFileDesc* sock) { } } +void __EXPORT EnableAllTLSCiphers(PRFileDesc* sock) { + int i =0; + while (tlsSuites[i]) { + SSL_CipherPrefSet(sock, tlsSuites[i++], SSL_ALLOWED); + } +} + PRBool __EXPORT EnableCipher(const char* cipherString) { int ndx; @@ -504,6 +529,18 @@ void nodelay(PRFileDesc* fd) { } +void __EXPORT setDefaultAllTLSCiphers() { + int i =0; + char alg[256]; + while (tlsSuites[i]) { + PR_snprintf((char *)alg, 256, "%x", tlsSuites[i]); + RA::Debug( LL_PER_PDU, + "setDefaultAllTLSCiphers", + alg); + SSL_CipherPrefSetDefault(tlsSuites[i++], PR_TRUE); + } +} + /** * Returns a file descriptor for I/O if the HTTP connection is successful * @param addr PRnetAddr structure which points to the server to connect to @@ -521,6 +558,7 @@ PRFileDesc * Engine::_doConnect(PRNetAddr *addr, PRBool SSLOn, PRFileDesc *sock = NULL; SSL_CipherPrefSetDefault(0xC005 /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */, PR_TRUE); + setDefaultAllTLSCiphers(); tcpsock = PR_OpenTCPSocket(addr->raw.family); @@ -547,6 +585,9 @@ PRFileDesc * Engine::_doConnect(PRNetAddr *addr, PRBool SSLOn, nodelay(tcpsock); if (PR_TRUE == SSLOn) { + RA::Debug( LL_PER_PDU, + "Engine::_doConnect: ", + "SSL is ON" ); sock=SSL_ImportFD(NULL, tcpsock); if (!sock) { //xxx log @@ -635,8 +676,15 @@ PRFileDesc * Engine::_doConnect(PRNetAddr *addr, PRBool SSLOn, return NULL; } + RA::Debug( LL_PER_PDU, + "Engine::_doConnect: ", + "end SSL is ON" ); + //EnableAllTLSCiphers( sock); //EnableAllSSL3Ciphers( sock); } else { + RA::Debug( LL_PER_PDU, + "Engine::_doConnect: ", + "SSL is OFF" ); sock = tcpsock; } diff --git a/pki/base/tps/src/include/httpClient/httpc/engine.h b/pki/base/tps/src/include/httpClient/httpc/engine.h index 73881ed8..9a57b024 100644 --- a/pki/base/tps/src/include/httpClient/httpc/engine.h +++ b/pki/base/tps/src/include/httpClient/httpc/engine.h @@ -71,6 +71,7 @@ PRBool __EXPORT InitSecurity(char* dbpath, char* certname, char* certpassword, char * prefix ,int verify=1); PRBool __EXPORT EnableCipher(const char* ciphername); void __EXPORT EnableAllSSL3Ciphers(); +void __EXPORT EnableAllTLSCiphers(); __EXPORT const char * nscperror_lookup(int error); #endif diff --git a/pki/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java b/pki/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java index e24fbb0a..b55306e7 100644 --- a/pki/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java +++ b/pki/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java @@ -51,6 +51,18 @@ public class JssSSLSocketFactory implements ISocketFactory { SSLSocket.SSL3_RSA_EXPORT_WITH_RC4_40_MD5, SSLSocket.SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSLSocket.SSL3_RSA_WITH_NULL_MD5, + SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA, + SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA, + SSLSocket.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, + SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + //SSLSocket.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + //SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + //SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + SSLSocket.TLS_DHE_DSS_WITH_AES_128_CBC_SHA, + SSLSocket.TLS_DHE_DSS_WITH_AES_256_CBC_SHA, + SSLSocket.TLS_DHE_RSA_WITH_AES_128_CBC_SHA, + SSLSocket.TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 0 }; |