A new parameter has been added to pki.conf to configure the SSL ciphers used by PKI CLI in addition to the default ciphers.
Pushed to master under trivial rule. -- Endi S. Dewata
>From a0fde2d91a02c4d11b698582a2cd64a76765ed25 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <[email protected]>
Date: Fri, 17 Mar 2017 19:25:07 +0100
Subject: [PATCH] Added pki.conf parameter for SSL ciphers.

A new parameter has been added to pki.conf to configure the SSL ciphers used by PKI CLI in addition to the default ciphers.
---
 base/common/share/etc/pki.conf | 7 +++++++
 base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 3 +++
 base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 12 ++++++++++++
 3 files changed, 22 insertions(+)

diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf
index 617c07f9c57e79b6d49fc32ab0beb43b95580df2..e6d53714d6378ffa04327363f8089b819b67ae39 100644
--- a/base/common/share/etc/pki.conf
+++ b/base/common/share/etc/pki.conf
@@ -31,3 +31,10 @@ export SSL_DATAGRAM_VERSION_MIN
 
 SSL_DATAGRAM_VERSION_MAX="TLS_1_2"
 export SSL_DATAGRAM_VERSION_MAX
+
+# SSL ciphers
+# This parameter lists SSL ciphers to enable in addition to the default ciphers.
+# The list contains IANA-registered cipher names separated by white spaces.
+# https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
+SSL_CIPHERS=""
+export SSL_CIPHERS
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index f2e0d08d948381421ee69d1cde2eb035a5a6467b..053d72c4e55dfe125fb110044acc048f48939ea1 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -538,6 +538,9 @@ public class MainCLI extends CLI {
         );
 
         CryptoUtil.setDefaultSSLCiphers();
+
+        String ciphers = System.getenv("SSL_CIPHERS");
+        CryptoUtil.setSSLCiphers(ciphers);
     }
 
     public PKIClient getClient() throws Exception {
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index d708230e3597f0834d0d2e184bd5df2b8efd53f5..fd7b1bb23ff9af9049822cf6714c48e4386e3e0f 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -947,6 +947,18 @@ public class CryptoUtil {
         }
     }
 
+    public static void setSSLCiphers(String ciphers) throws SocketException {
+
+        if (ciphers == null) return;
+
+        StringTokenizer st = new StringTokenizer(ciphers);
+
+        while (st.hasMoreTokens()) {
+            String cipher = st.nextToken();
+            setSSLCipher(cipher, true);
+        }
+    }
+
     public static void setSSLCipher(String cipher, boolean enabled) throws SocketException {
 
         Integer cipherID = cipherMap.get(cipher);
-- 
2.9.3
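Review bot: `setSSLCiphers` hands every whitespace-separated token of SSL_CIPHERS to `setSSLCipher(cipher, true)` without checking that the name is one `cipherMap` knows, and `setSSLCipher` (whose body continues outside the hunk) begins with `Integer cipherID = cipherMap.get(cipher);`, so a misspelled or unsupported name will either fail on a null `cipherID` or be silently ignored, depending on the code not shown. Because this parameter can only widen the default cipher set (the new method never passes `false`), an operator typo or a deliberately weak entry deserves an explicit outcome: a check before the call such as `if (!cipherMap.containsKey(cipher)) throw new SocketException("Unknown SSL cipher: " + cipher);` plus a verbose/log line naming each cipher actually enabled would make the effective configuration visible rather than guessed from a later handshake failure. The method also has no Javadoc; a summary stating that it enables, never disables, the listed ciphers on top of the defaults, that tokens are separated by whitespace, and that a null argument is a no-op would document the contract the MainCLI call site (`System.getenv("SSL_CIPHERS")`) relies on.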
