From 02eb00b312539f455d13b8a282cc523e11f2715e Mon Sep 17 00:00:00 2001

From: Christina Fu <cfu@redhat.com>

Date: Wed, 12 Nov 2014 15:29:04 -0800

Subject: [PATCH] Bug 1158410 add TLS range support to server.xml by default

 and upgrade

---

 base/server/config/pkislots.cfg                    |   3 +

 .../python/pki/server/deployment/pkiparser.py      |  43 ++++++++-

 base/server/share/conf/server.xml                  |   8 +-

 base/server/upgrade/10.1.2/.gitignore              |   4 -

 base/server/upgrade/10.1.2/01-AddTLSRangeSupport   | 102 +++++++++++++++++++++

 5 files changed, 153 insertions(+), 7 deletions(-)

 delete mode 100644 base/server/upgrade/10.1.2/.gitignore

 create mode 100755 base/server/upgrade/10.1.2/01-AddTLSRangeSupport

diff --git a/base/server/config/pkislots.cfg b/base/server/config/pkislots.cfg

index ce1ac78..ffcef2d 100644

--- a/base/server/config/pkislots.cfg

+++ b/base/server/config/pkislots.cfg

@@ -101,4 +101,7 @@ TOMCAT_SSL2_CIPHERS_SLOT=[TOMCAT_SSL2_CIPHERS]

 TOMCAT_SSL3_CIPHERS_SLOT=[TOMCAT_SSL3_CIPHERS]

 TOMCAT_SSL_OPTIONS_SLOT=[TOMCAT_SSL_OPTIONS]

 TOMCAT_TLS_CIPHERS_SLOT=[TOMCAT_TLS_CIPHERS]

+TOMCAT_SSL_VERSION_RANGE_STREAM_SLOT=[TOMCAT_SSL_VERSION_RANGE_STREAM]

+TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT=[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]

+TOMCAT_SSL_RANGE_CIPHERS_SLOT=[TOMCAT_SSL_RANGE_CIPHERS]

 TPS_DIR_SLOT=[TPS_DIR]

diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py

index df636d4..2d7fadc 100644

--- a/base/server/python/pki/server/deployment/pkiparser.py

+++ b/base/server/python/pki/server/deployment/pkiparser.py

@@ -899,6 +899,45 @@ class PKIConfigParser:

                     "/var/run/pki/tomcat/" + self.pki_master_dict['pki_instance_name'] + ".pid"

                 self.pki_master_dict['TOMCAT_SERVER_PORT_SLOT'] = \

                     self.pki_master_dict['pki_tomcat_server_port']

+                self.pki_master_dict['TOMCAT_SSL_VERSION_RANGE_STREAM_SLOT'] = \

+                    "tls1_0:tls1_2"

+                self.pki_master_dict['TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT'] = \

+                    "tls1_1:tls1_2"

+                self.pki_master_dict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \

+                    "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \

+                    "-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + \

+                    "+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," + \

+                    "+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \

+                    "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \

+                    "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \

+                    "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \

+                    "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \

+                    "+TLS_RSA_WITH_AES_128_CBC_SHA," + \

+                    "+TLS_RSA_WITH_AES_256_CBC_SHA," + \

+                    "+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \

+                    "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \

+                    "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \

+                    "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \

+                    "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \

+                    "+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \

+                    "+TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \

+                    "+TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \

+                    "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \

+                    "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \

+                    "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \

+                    "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \

+                    "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \

+                    "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \

+                    "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \

+                    "+TLS_RSA_WITH_AES_128_GCM_SHA256," + \

+                    "+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \

+                    "+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \

+                    "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \

+                    "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \

+                    "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \

+                    "+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \

+                    "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \

+                    "+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"

                 self.pki_master_dict['TOMCAT_SSL2_CIPHERS_SLOT'] = \

                     "-SSL2_RC4_128_WITH_MD5," + \

                     "-SSL2_RC4_128_EXPORT40_WITH_MD5," + \

@@ -922,8 +961,8 @@ class PKIConfigParser:

                     "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \

                     "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"

                 self.pki_master_dict['TOMCAT_SSL_OPTIONS_SLOT'] = \

-                    "ssl2=true," + \

-                    "ssl3=true," + \

+                    "ssl2=false," + \

+                    "ssl3=false," + \

                     "tls=true"

                 self.pki_master_dict['TOMCAT_TLS_CIPHERS_SLOT'] = \

                     "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \

diff --git a/base/server/share/conf/server.xml b/base/server/share/conf/server.xml

index 8fbdf0f..306ebf2 100644

--- a/base/server/share/conf/server.xml

+++ b/base/server/share/conf/server.xml

@@ -142,6 +142,9 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)

               'ssl2Ciphers'

               'ssl3Ciphers'

               'tlsCiphers'

+              'sslVersionRangeStream'

+              'sslVersionRangeDatagram'

+              'sslRangeCiphers'

               'serverCertNickFile'

               'passwordFile'

               'passwordClass'

@@ -184,12 +187,15 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)

            ocspMinCacheEntryDuration="60"

            ocspMaxCacheEntryDuration="120"

            ocspTimeout="10"

-           strictCiphers="false"

+           strictCiphers="true"

            clientAuth="[PKI_AGENT_CLIENTAUTH]"

            sslOptions="[TOMCAT_SSL_OPTIONS]"

            ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"

            ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"

            tlsCiphers="[TOMCAT_TLS_CIPHERS]"

+           sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]"

+           sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]"

+           sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]"

            serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"

            passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"

            passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"

diff --git a/base/server/upgrade/10.1.2/.gitignore b/base/server/upgrade/10.1.2/.gitignore

deleted file mode 100644

index 5e7d273..0000000

--- a/base/server/upgrade/10.1.2/.gitignore

+++ /dev/null

@@ -1,4 +0,0 @@

-# Ignore everything in this directory

-*

-# Except this file

-!.gitignore

diff --git a/base/server/upgrade/10.1.2/01-AddTLSRangeSupport b/base/server/upgrade/10.1.2/01-AddTLSRangeSupport

new file mode 100755

index 0000000..b5b83f4

--- /dev/null

+++ b/base/server/upgrade/10.1.2/01-AddTLSRangeSupport

@@ -0,0 +1,102 @@

+#!/usr/bin/python

+# Authors:

+#     Christina Fu <cfu@redhat.com>

+#     Endi S. Dewata <edewata@redhat.com>

+#

+# This program is free software; you can redistribute it and/or modify

+# it under the terms of the GNU General Public License as published by

+# the Free Software Foundation; version 2 of the License.

+#

+# This program is distributed in the hope that it will be useful,

+# but WITHOUT ANY WARRANTY; without even the implied warranty of

+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+# GNU General Public License for more details.

+#

+# You should have received a copy of the GNU General Public License along

+# with this program; if not, write to the Free Software Foundation, Inc.,

+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

+#

+# Copyright (C) 2014 Red Hat, Inc.

+# All rights reserved.

+#

+

+import os

+from lxml import etree

+

+import pki.server.upgrade

+

+

+class AddTLSRangeSupport(pki.server.upgrade.PKIServerUpgradeScriptlet):

+

+    def __init__(self):

+

+        self.message = 'Add TLS Range Support'

+

+        self.parser = etree.XMLParser(remove_blank_text=True)

+

+

+    def upgrade_instance(self, instance):

+

+        server_xml = os.path.join(instance.conf_dir, 'server.xml')

+        #Backup the file before modify

+        self.backup(server_xml)

+        #Parse the server.xml into an XML object

+        document = etree.parse(server_xml, self.parser)

+        #perform the upgrade in memory

+        self.add_tls_range(document)

+        #Once all changes are made, write the XML back into the same server.xml

+        #This way we're preserving any other customization that has been done

+        # to the server.xml

+        with open(server_xml, 'w') as f:

+            f.write(etree.tostring(document, pretty_print=True))

+

+    def add_tls_range(self, document):

+

+        # Find existing Connector

+        server = document.getroot()

+        connectors = server.findall('.//Connector')

+

+        for connector in connectors:

+

+            secure = connector.get('secure')

+            if secure == 'true':

+                # Update Connector's attributes

+                connector.set('strictCiphers', 'true')

+                connector.set('sslVersionRangeStream', 'tls1_0:tls1_2')

+                connector.set('sslVersionRangeDatagram', 'tls1_1:tls1_2')

+                connector.set('sslRangeCiphers',

+                    '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,' \

+                    '-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,' \

+                    '+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,' \

+                    '+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,' \

+                    '+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,' \

+                    '-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,' \

+                    '+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,' \

+                    '+TLS_RSA_WITH_3DES_EDE_CBC_SHA,' \

+                    '+TLS_RSA_WITH_AES_128_CBC_SHA,' \

+                    '+TLS_RSA_WITH_AES_256_CBC_SHA,' \

+                    '+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,' \

+                    '+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,' \

+                    '-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,' \

+                    '-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,' \

+                    '-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,' \

+                    '+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,' \

+                    '+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,' \

+                    '+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,' \

+                    '+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,' \

+                    '+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,' \

+                    '+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,' \

+                    '+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,' \

+                    '+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,' \

+                    '+TLS_RSA_WITH_AES_128_CBC_SHA256,' \

+                    '+TLS_RSA_WITH_AES_256_CBC_SHA256,' \

+                    '+TLS_RSA_WITH_AES_128_GCM_SHA256,' \

+                    '+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,' \

+                    '+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,' \

+                    '+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,' \

+                    '+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,' \

+                    '+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,' \

+                    '+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,' \

+                    '+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,' \

+                    '+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256')

+