From 02eb00b312539f455d13b8a282cc523e11f2715e Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Wed, 12 Nov 2014 15:29:04 -0800
Subject: [PATCH] Bug 1158410 add TLS range support to server.xml by default
and upgrade
---
base/server/config/pkislots.cfg | 3 +
.../python/pki/server/deployment/pkiparser.py | 43 ++++++++-
base/server/share/conf/server.xml | 8 +-
base/server/upgrade/10.1.2/.gitignore | 4 -
base/server/upgrade/10.1.2/01-AddTLSRangeSupport | 102 +++++++++++++++++++++
5 files changed, 153 insertions(+), 7 deletions(-)
delete mode 100644 base/server/upgrade/10.1.2/.gitignore
create mode 100755 base/server/upgrade/10.1.2/01-AddTLSRangeSupport
diff --git a/base/server/config/pkislots.cfg b/base/server/config/pkislots.cfg
index ce1ac78..ffcef2d 100644
--- a/base/server/config/pkislots.cfg
+++ b/base/server/config/pkislots.cfg
@@ -101,4 +101,7 @@ TOMCAT_SSL2_CIPHERS_SLOT=[TOMCAT_SSL2_CIPHERS]
TOMCAT_SSL3_CIPHERS_SLOT=[TOMCAT_SSL3_CIPHERS]
TOMCAT_SSL_OPTIONS_SLOT=[TOMCAT_SSL_OPTIONS]
TOMCAT_TLS_CIPHERS_SLOT=[TOMCAT_TLS_CIPHERS]
+TOMCAT_SSL_VERSION_RANGE_STREAM_SLOT=[TOMCAT_SSL_VERSION_RANGE_STREAM]
+TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT=[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]
+TOMCAT_SSL_RANGE_CIPHERS_SLOT=[TOMCAT_SSL_RANGE_CIPHERS]
TPS_DIR_SLOT=[TPS_DIR]
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index df636d4..2d7fadc 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -899,6 +899,45 @@ class PKIConfigParser:
"/var/run/pki/tomcat/" + self.pki_master_dict['pki_instance_name'] + ".pid"
self.pki_master_dict['TOMCAT_SERVER_PORT_SLOT'] = \
self.pki_master_dict['pki_tomcat_server_port']
+ self.pki_master_dict['TOMCAT_SSL_VERSION_RANGE_STREAM_SLOT'] = \
+ "tls1_0:tls1_2"
+ self.pki_master_dict['TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT'] = \
+ "tls1_1:tls1_2"
+ self.pki_master_dict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \
+ "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \
+ "-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
+ "+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," + \
+ "+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \
+ "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \
+ "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \
+ "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \
+ "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \
+ "+TLS_RSA_WITH_AES_128_CBC_SHA," + \
+ "+TLS_RSA_WITH_AES_256_CBC_SHA," + \
+ "+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
+ "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \
+ "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
+ "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \
+ "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \
+ "+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \
+ "+TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \
+ "+TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \
+ "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
+ "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \
+ "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \
+ "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \
+ "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \
+ "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \
+ "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \
+ "+TLS_RSA_WITH_AES_128_GCM_SHA256," + \
+ "+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \
+ "+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \
+ "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \
+ "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
+ "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \
+ "+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \
+ "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \
+ "+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
self.pki_master_dict['TOMCAT_SSL2_CIPHERS_SLOT'] = \
"-SSL2_RC4_128_WITH_MD5," + \
"-SSL2_RC4_128_EXPORT40_WITH_MD5," + \
@@ -922,8 +961,8 @@ class PKIConfigParser:
"-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \
"+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
self.pki_master_dict['TOMCAT_SSL_OPTIONS_SLOT'] = \
- "ssl2=true," + \
- "ssl3=true," + \
+ "ssl2=false," + \
+ "ssl3=false," + \
"tls=true"
self.pki_master_dict['TOMCAT_TLS_CIPHERS_SLOT'] = \
"-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \
diff --git a/base/server/share/conf/server.xml b/base/server/share/conf/server.xml
index 8fbdf0f..306ebf2 100644
--- a/base/server/share/conf/server.xml
+++ b/base/server/share/conf/server.xml
@@ -142,6 +142,9 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
'ssl2Ciphers'
'ssl3Ciphers'
'tlsCiphers'
+ 'sslVersionRangeStream'
+ 'sslVersionRangeDatagram'
+ 'sslRangeCiphers'
'serverCertNickFile'
'passwordFile'
'passwordClass'
@@ -184,12 +187,15 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
ocspMinCacheEntryDuration="60"
ocspMaxCacheEntryDuration="120"
ocspTimeout="10"
- strictCiphers="false"
+ strictCiphers="true"
clientAuth="[PKI_AGENT_CLIENTAUTH]"
sslOptions="[TOMCAT_SSL_OPTIONS]"
ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
tlsCiphers="[TOMCAT_TLS_CIPHERS]"
+ sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]"
+ sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]"
+ sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]"
serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
diff --git a/base/server/upgrade/10.1.2/.gitignore b/base/server/upgrade/10.1.2/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/server/upgrade/10.1.2/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/server/upgrade/10.1.2/01-AddTLSRangeSupport b/base/server/upgrade/10.1.2/01-AddTLSRangeSupport
new file mode 100755
index 0000000..b5b83f4
--- /dev/null
+++ b/base/server/upgrade/10.1.2/01-AddTLSRangeSupport
@@ -0,0 +1,102 @@
+#!/usr/bin/python
+# Authors:
+# Christina Fu <cfu@redhat.com>
+# Endi S. Dewata <edewata@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2014 Red Hat, Inc.
+# All rights reserved.
+#
+
+import os
+from lxml import etree
+
+import pki.server.upgrade
+
+
+class AddTLSRangeSupport(pki.server.upgrade.PKIServerUpgradeScriptlet):
+
+ def __init__(self):
+
+ self.message = 'Add TLS Range Support'
+
+ self.parser = etree.XMLParser(remove_blank_text=True)
+
+
+ def upgrade_instance(self, instance):
+
+ server_xml = os.path.join(instance.conf_dir, 'server.xml')
+ #Backup the file before modify
+ self.backup(server_xml)
+ #Parse the server.xml into an XML object
+ document = etree.parse(server_xml, self.parser)
+ #perform the upgrade in memory
+ self.add_tls_range(document)
+ #Once all changes are made, write the XML back into the same server.xml
+ #This way we're preserving any other customization that has been done
+ # to the server.xml
+ with open(server_xml, 'w') as f:
+ f.write(etree.tostring(document, pretty_print=True))
+
+ def add_tls_range(self, document):
+
+ # Find existing Connector
+ server = document.getroot()
+ connectors = server.findall('.//Connector')
+
+ for connector in connectors:
+
+ secure = connector.get('secure')
+ if secure == 'true':
+ # Update Connector's attributes
+ connector.set('strictCiphers', 'true')
+ connector.set('sslVersionRangeStream', 'tls1_0:tls1_2')
+ connector.set('sslVersionRangeDatagram', 'tls1_1:tls1_2')
+ connector.set('sslRangeCiphers',
+ '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,' \
+ '-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,' \
+ '+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,' \
+ '+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,' \
+ '+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,' \
+ '-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,' \
+ '+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,' \
+ '+TLS_RSA_WITH_3DES_EDE_CBC_SHA,' \
+ '+TLS_RSA_WITH_AES_128_CBC_SHA,' \
+ '+TLS_RSA_WITH_AES_256_CBC_SHA,' \
+ '+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,' \
+ '+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,' \
+ '-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,' \
+ '-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,' \
+ '-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,' \
+ '+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,' \
+ '+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,' \
+ '+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,' \
+ '+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,' \
+ '+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,' \
+ '+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,' \
+ '+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,' \
+ '+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,' \
+ '+TLS_RSA_WITH_AES_128_CBC_SHA256,' \
+ '+TLS_RSA_WITH_AES_256_CBC_SHA256,' \
+ '+TLS_RSA_WITH_AES_128_GCM_SHA256,' \
+ '+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,' \
+ '+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,' \
+ '+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,' \
+ '+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,' \
+ '+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,' \
+ '+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,' \
+ '+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,' \
+ '+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256')
+