The hard-coded SSL version ranges in PKI CLI have been converted
into configurable parameters in the pki.conf.

Pushed to master under trivial rule.

--
Endi S. Dewata
>From 31683301b69fda23893c80af7c34c42a75e1b906 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edew...@redhat.com>
Date: Fri, 17 Mar 2017 19:20:30 +0100
Subject: [PATCH] Added configuration parameters for SSL version ranges.

The hard-coded SSL version ranges in PKI CLI have been converted
into configurable parameters in the pki.conf.
---
 base/common/share/etc/pki.conf                       | 14 ++++++++++++++
 .../src/com/netscape/cmstools/cli/MainCLI.java       | 20 ++++++++++++++++++--
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf
index 5eeb187922791c51c851e30a4b38475a20c6bd9b..617c07f9c57e79b6d49fc32ab0beb43b95580df2 100644
--- a/base/common/share/etc/pki.conf
+++ b/base/common/share/etc/pki.conf
@@ -17,3 +17,17 @@ export LOGGING_CONFIG
 # PKI CLI options
 PKI_CLI_OPTIONS=
 export PKI_CLI_OPTIONS
+
+# SSL version ranges
+# Valid values: SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2
+SSL_STREAM_VERSION_MIN="TLS_1_0"
+export SSL_STREAM_VERSION_MIN
+
+SSL_STREAM_VERSION_MAX="TLS_1_2"
+export SSL_STREAM_VERSION_MAX
+
+SSL_DATAGRAM_VERSION_MIN="TLS_1_1"
+export SSL_DATAGRAM_VERSION_MIN
+
+SSL_DATAGRAM_VERSION_MAX="TLS_1_2"
+export SSL_DATAGRAM_VERSION_MAX
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 8f575dbf738af06885fb80bfaec6ca996a8db401..b3de8757f2fbf46a6a9cfdb6b770e20830037a2c 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -519,8 +519,24 @@ public class MainCLI extends CLI {
 
         }
 
-        CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
-        CryptoUtil.setSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
+        // See default SSL configuration in /usr/share/pki/etc/pki.conf.
+
+        String streamVersionMin = System.getenv("SSL_STREAM_VERSION_MIN");
+        String streamVersionMax = System.getenv("SSL_STREAM_VERSION_MAX");
+
+        CryptoUtil.setSSLStreamVersionRange(
+                SSLVersion.valueOf(streamVersionMin),
+                SSLVersion.valueOf(streamVersionMax)
+        );
+
+        String datagramVersionMin = System.getenv("SSL_DATAGRAM_VERSION_MIN");
+        String datagramVersionMax = System.getenv("SSL_DATAGRAM_VERSION_MAX");
+
+        CryptoUtil.setSSLDatagramVersionRange(
+                SSLVersion.valueOf(datagramVersionMin),
+                SSLVersion.valueOf(datagramVersionMax)
+        );
+
         CryptoUtil.setClientCiphers();
     }
 
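Review bot: The four `System.getenv(...)` results are passed straight to `SSLVersion.valueOf(...)`, so the CLI fails at startup whenever a variable is unset, for instance when MainCLI is launched without sourcing pki.conf or with an older pki.conf that lacks these entries. If SSLVersion is an enum, as the constants on the removed lines suggest, a null name raises NullPointerException and a mistyped value raises IllegalArgumentException, neither of which names the offending variable. Falling back to the previous hard-coded range when a variable is absent keeps the old behaviour and the old protocol floor. An unrecognised value should still be rejected, with a message that names the variable, rather than silently replaced. The enclosing method begins outside this hunk.

```java
        // … unchanged: the four System.getenv(...) reads …

        CryptoUtil.setSSLStreamVersionRange(
                streamVersionMin == null ? SSLVersion.TLS_1_0 : SSLVersion.valueOf(streamVersionMin),
                streamVersionMax == null ? SSLVersion.TLS_1_2 : SSLVersion.valueOf(streamVersionMax)
        );

        CryptoUtil.setSSLDatagramVersionRange(
                datagramVersionMin == null ? SSLVersion.TLS_1_1 : SSLVersion.valueOf(datagramVersionMin),
                datagramVersionMax == null ? SSLVersion.TLS_1_2 : SSLVersion.valueOf(datagramVersionMax)
        );
```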
-- 
2.9.3
