The hard-coded SSL version ranges in PKI CLI have been converted into configurable parameters in the pki.conf.
Pushed to master under trivial rule. -- Endi S. Dewata
>From 31683301b69fda23893c80af7c34c42a75e1b906 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edew...@redhat.com>
Date: Fri, 17 Mar 2017 19:20:30 +0100
Subject: [PATCH] Added configuration parameters for SSL version ranges.

The hard-coded SSL version ranges in PKI CLI have been converted into configurable parameters in the pki.conf.
---
 base/common/share/etc/pki.conf | 14 ++++++++++++++
 .../src/com/netscape/cmstools/cli/MainCLI.java | 20 ++++++++++++++++++--
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf
index 5eeb187922791c51c851e30a4b38475a20c6bd9b..617c07f9c57e79b6d49fc32ab0beb43b95580df2 100644
--- a/base/common/share/etc/pki.conf
+++ b/base/common/share/etc/pki.conf
@@ -17,3 +17,17 @@ export LOGGING_CONFIG
 # PKI CLI options
 PKI_CLI_OPTIONS=
 export PKI_CLI_OPTIONS
+
+# SSL version ranges
+# Valid values: SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2
+SSL_STREAM_VERSION_MIN="TLS_1_0"
+export SSL_STREAM_VERSION_MIN
+
+SSL_STREAM_VERSION_MAX="TLS_1_2"
+export SSL_STREAM_VERSION_MAX
+
+SSL_DATAGRAM_VERSION_MIN="TLS_1_1"
+export SSL_DATAGRAM_VERSION_MIN
+
+SSL_DATAGRAM_VERSION_MAX="TLS_1_2"
+export SSL_DATAGRAM_VERSION_MAX
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 8f575dbf738af06885fb80bfaec6ca996a8db401..b3de8757f2fbf46a6a9cfdb6b770e20830037a2c 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
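Review bot: The `# Valid values` comment on the new SSL version block lists SSL_3_0 on equal footing with the TLS names without saying that the shipped TLS_1_0/TLS_1_1 minimums are exactly the floor the CLI enforced before this patch (the removed lines in MainCLI.java), so an administrator reading only pki.conf gets no signal that lowering a minimum weakens every CLI connection. The names appear to be consumed verbatim as enum constants on the Java side, so case and spelling matter and an empty value is not a "use the default" setting. I'd extend the comment to `# Values are case-sensitive SSLVersion names and must not be left empty.` followed by `# SSL_3_0 is listed for completeness only; do not lower the minimums below the shipped defaults unless a legacy peer requires it.` A `PKI_` prefix, matching `PKI_CLI_OPTIONS` a few lines above, would also make these exported names less likely to collide with other software that reads the environment.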
@@ -519,8 +519,24 @@ public class MainCLI extends CLI {
 }
- CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
- CryptoUtil.setSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
+ // See default SSL configuration in /usr/share/pki/etc/pki.conf.
+
+ String streamVersionMin = System.getenv("SSL_STREAM_VERSION_MIN");
+ String streamVersionMax = System.getenv("SSL_STREAM_VERSION_MAX");
+
+ CryptoUtil.setSSLStreamVersionRange(
+ SSLVersion.valueOf(streamVersionMin),
+ SSLVersion.valueOf(streamVersionMax)
+ );
+
+ String datagramVersionMin = System.getenv("SSL_DATAGRAM_VERSION_MIN");
+ String datagramVersionMax = System.getenv("SSL_DATAGRAM_VERSION_MAX");
+
+ CryptoUtil.setSSLDatagramVersionRange(
+ SSLVersion.valueOf(datagramVersionMin),
+ SSLVersion.valueOf(datagramVersionMax)
+ );
+
 CryptoUtil.setClientCiphers();
 }
-- 
2.9.3
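Review bot: `SSLVersion.valueOf(streamVersionMin)` is handed null whenever SSL_STREAM_VERSION_MIN is not exported (a CLI started without pki.conf sourced), and `Enum.valueOf` then throws NullPointerException, while a misspelled or lower-case value throws IllegalArgumentException that names neither the variable nor the accepted values; the same applies to the datagram pair below it. The removed lines always applied a sane range, so the patch turns a missing or malformed environment into a startup crash instead of falling back to the previous defaults. I'd route each variable through a small helper that returns the old default (TLS_1_0/TLS_1_2 for stream, TLS_1_1/TLS_1_2 for datagram) when the variable is unset or blank and rethrows an unrecognised name with the variable name in the message; whether CryptoUtil rejects a minimum above the maximum is not visible here, so that ordering check may belong in the helper too. The enclosing method starts and ends outside the hunk.
```java
        // See default SSL configuration in /usr/share/pki/etc/pki.conf.
        CryptoUtil.setSSLStreamVersionRange(
            sslVersionFromEnv("SSL_STREAM_VERSION_MIN", SSLVersion.TLS_1_0),
            sslVersionFromEnv("SSL_STREAM_VERSION_MAX", SSLVersion.TLS_1_2)
        );

        CryptoUtil.setSSLDatagramVersionRange(
            sslVersionFromEnv("SSL_DATAGRAM_VERSION_MIN", SSLVersion.TLS_1_1),
            sslVersionFromEnv("SSL_DATAGRAM_VERSION_MAX", SSLVersion.TLS_1_2)
        );

        // … unchanged: CryptoUtil.setClientCiphers() …

    // New helper, declared as a separate method of the class.
    /**
     * Reads an SSLVersion constant name from the environment, falling back
     * to the previous hard-coded default when the variable is unset or blank.
     *
     * @throws IllegalArgumentException if the value is not an SSLVersion name
     */
    static SSLVersion sslVersionFromEnv(String name, SSLVersion defaultValue) {
        String value = System.getenv(name);
        if (value == null || value.trim().isEmpty()) {
            return defaultValue;
        }
        try {
            return SSLVersion.valueOf(value.trim());
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException(
                "Invalid value for " + name + ": " + value, e);
        }
    }
```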