[Pki-devel] [PATCH] 984 Added pki.conf parameter for default SSL ciphers.

2017-03-19 Thread Endi Sukma Dewata

A new parameter has been added to pki.conf to enable/disable the
default SSL ciphers for PKI CLI.

Pushed to master under trivial rule.

--
Endi S. Dewata
From de4b48b9e4523a865e74f8122e130e976b124410 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Sun, 19 Mar 2017 21:47:08 +0100
Subject: [PATCH] Added pki.conf parameter for default SSL ciphers.

A new parameter has been added to pki.conf to enable/disable the
default SSL ciphers for PKI CLI.
---
 base/common/share/etc/pki.conf | 5 +
 base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 7 ++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf
index e6d53714d6378ffa04327363f8089b819b67ae39..9f4df6371fea716c9e6097aedfd79486bc91dc5b 100644
--- a/base/common/share/etc/pki.conf
+++ b/base/common/share/etc/pki.conf
@@ -32,6 +32,11 @@ export SSL_DATAGRAM_VERSION_MIN
 SSL_DATAGRAM_VERSION_MAX="TLS_1_2"
 export SSL_DATAGRAM_VERSION_MAX
 
+# SSL default ciphers
+# This boolean parameter determines whether to enable default SSL ciphers.
+SSL_DEFAULT_CIPHERS="true"
+export SSL_DEFAULT_CIPHERS
+
 # SSL ciphers
 # This parameter lists SSL ciphers to enable in addition to the default ciphers.
 # The list contains IANA-registered cipher names separated by white spaces.
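Review bot: The new comment says the parameter is boolean but does not say what "false" means for the CLI, and the MainCLI hunk on this page shows that it switches from the default cipher set to CryptoUtil.unsetSSLCiphers() followed by setSSLCiphers(SSL_CIPHERS). A reader editing pki.conf should see that consequence here, e.g. `# When false, all ciphers are disabled first and only the ciphers listed in SSL_CIPHERS are enabled.` It is also worth stating that the value is parsed with Boolean.parseBoolean, so only the literal "true" (case-insensitive) enables the defaults and any other or missing value disables them.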
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 053d72c4e55dfe125fb110044acc048f48939ea1..83090a108a15997039fe217aa0a0296a54f59cf9 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -537,7 +537,12 @@ public class MainCLI extends CLI {
 SSLVersion.valueOf(datagramVersionMax)
 );
 
-CryptoUtil.setDefaultSSLCiphers();
+String defaultCiphers = System.getenv("SSL_DEFAULT_CIPHERS");
+if (Boolean.parseBoolean(defaultCiphers)) {
+CryptoUtil.setDefaultSSLCiphers();
+} else {
+CryptoUtil.unsetSSLCiphers();
+}
 
 String ciphers = System.getenv("SSL_CIPHERS");
 CryptoUtil.setSSLCiphers(ciphers);
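Review bot: `Boolean.parseBoolean(defaultCiphers)` returns false when `SSL_DEFAULT_CIPHERS` is not exported at all, so a CLI started with an older pki.conf or outside the wrapper script silently drops the default cipher set and falls into the unsetSSLCiphers() branch. Since the shipped default is "true", an absent variable should keep the previous behaviour: `boolean useDefaultCiphers = defaultCiphers == null || Boolean.parseBoolean(defaultCiphers);` and `if (useDefaultCiphers) {`. A short comment above the block, `// SSL_DEFAULT_CIPHERS unset or "true" keeps the JSS defaults; "false" enforces only SSL_CIPHERS`, would make the fail-open/fail-closed choice explicit. The enclosing method starts outside the hunk.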
-- 
2.9.3


[Pki-devel] [PATCH] 980 Fixed error handling in CryptoUtil.unsetSSLCiphers().

2017-03-19 Thread Endi Sukma Dewata

The CryptoUtil.unsetSSLCiphers() has been modified not to ignore
exceptions.

Pushed to master under trivial rule.

--
Endi S. Dewata
From cdffde5b5449db804e98ccac624cdc5eeab29dce Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Sun, 19 Mar 2017 19:52:51 +0100
Subject: [PATCH] Fixed error handling in CryptoUtil.unsetSSLCiphers().

The CryptoUtil.unsetSSLCiphers() has been modified not to ignore
exceptions.
---
 base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 14 +++---
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index 17d314a010a8ba3e4c30e41c8816c14979cfb86a..70aaa373fc3a9e0ed9d533aaaf61de87912e4d7b 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -985,13 +985,13 @@ public class CryptoUtil {
 /*
  * unset all implemented cipehrs; for enforcing strict list of ciphers
  */
-private static void unsetSSLCiphers() throws SocketException {
-int ciphers[] = SSLSocket.getImplementedCipherSuites();
-try {
-for (int i = 0; ciphers != null && i < ciphers.length; i++) {
-SSLSocket.setCipherPreferenceDefault(ciphers[i], false);
-}
-} catch (Exception e) {
+public static void unsetSSLCiphers() throws SocketException {
+
+int cipherIDs[] = SSLSocket.getImplementedCipherSuites();
+if (cipherIDs == null) return;
+
+for (int cipherID : cipherIDs) {
+SSLSocket.setCipherPreferenceDefault(cipherID, false);
 }
 }
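Review bot: unsetSSLCiphers() is now public and no longer catches anything, so a SocketException from `SSLSocket.setCipherPreferenceDefault` in the middle of the loop leaves the process-wide preferences partially disabled, and nothing documents that or the new visibility. The existing block comment (context line above the hunk, with the "cipehrs" typo) should become Javadoc stating the contract: a summary such as "Disables every cipher suite implemented by JSS so that a strict allow-list can then be enabled", plus `@throws SocketException if a cipher preference cannot be changed; earlier ciphers in the list remain disabled`. Callers that enforce a strict list now depend on this method's exceptions propagating, which is worth a sentence in the description too.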
 
-- 
2.9.3


[Pki-devel] [PATCH] 982 Refactored CryptoUtil.setClientCiphers().

2017-03-19 Thread Endi Sukma Dewata

The code that converts cipher name into cipher ID and enables
the cipher in CryptoUtil.setClientCiphers() has been moved into
a separate method.

Pushed to master under trivial rule.

--
Endi S. Dewata
From af7be30e164b1aebbb0e6eaf1fbfc6b9fb46360e Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Sun, 19 Mar 2017 20:16:53 +0100
Subject: [PATCH] Refactored CryptoUtil.setClientCiphers().

The code that converts cipher name into cipher ID and enables
the cipher in CryptoUtil.setClientCiphers() has been moved into
a separate method.
---
 .../src/com/netscape/cmsutil/crypto/CryptoUtil.java | 17 +++--
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index 729d71d63edc84d6681ddd3e5299e877d8ea8250..d708230e3597f0834d0d2e184bd5df2b8efd53f5 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -48,8 +48,8 @@ import java.util.Vector;
 
 import org.apache.commons.lang.StringUtils;
 import org.mozilla.jss.CryptoManager;
-import org.mozilla.jss.CryptoManager.NotInitializedException;
 import org.mozilla.jss.NoSuchTokenException;
+import org.mozilla.jss.CryptoManager.NotInitializedException;
 import org.mozilla.jss.SecretDecoderRing.KeyManager;
 import org.mozilla.jss.asn1.ANY;
 import org.mozilla.jss.asn1.ASN1Util;
@@ -105,6 +105,7 @@ import org.mozilla.jss.ssl.SSLSocket.SSLVersionRange;
 import org.mozilla.jss.util.Base64OutputStream;
 import org.mozilla.jss.util.Password;
 
+import com.netscape.cmsutil.crypto.CryptoUtil.SSLVersion;
 import com.netscape.cmsutil.util.Cert;
 import com.netscape.cmsutil.util.Utils;
 
@@ -942,14 +943,18 @@ public class CryptoUtil {
 unsetSSLCiphers();
 
 for (String cipher : ciphers) {
+setSSLCipher(cipher, true);
+}
+}
 
-Integer cipherID = cipherMap.get(cipher);
-if (cipherID == null) {
-throw new SocketException("Unsupported cipher: " + cipher);
-}
+public static void setSSLCipher(String cipher, boolean enabled) throws SocketException {
 
-SSLSocket.setCipherPreferenceDefault(cipherID, true);
+Integer cipherID = cipherMap.get(cipher);
+if (cipherID == null) {
+throw new SocketException("Unsupported cipher: " + cipher);
 }
+
+SSLSocket.setCipherPreferenceDefault(cipherID, enabled);
 }
 
 public static void setDefaultSSLCiphers() throws SocketException {
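Review bot: The new public method setSSLCipher(String, boolean) has no Javadoc, and its one failure mode is only visible from the exception text. Add a header such as `/** Enables or disables a single cipher suite by its IANA name. @param cipher name looked up in cipherMap @param enabled whether the suite becomes a default preference @throws SocketException if the name is not known or JSS rejects the change */`. The method that now calls it in the loop starts outside the hunk.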
-- 
2.9.3


[Pki-devel] [PATCH] 981 Fixed error handling in CryptoUtil.setClientCiphers().

2017-03-19 Thread Endi Sukma Dewata

The CryptoUtil.setClientCiphers() has been modified to throw
an exception on unsupported cipher.

Pushed to master under trivial rule.

--
Endi S. Dewata
From 035f37b6416e9b001ff49e06142751b974835a9b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Sun, 19 Mar 2017 20:08:50 +0100
Subject: [PATCH] Fixed error handling in CryptoUtil.setClientCiphers().

The CryptoUtil.setClientCiphers() has been modified to throw
an exception on unsupported cipher.
---
 base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index 70aaa373fc3a9e0ed9d533aaaf61de87912e4d7b..729d71d63edc84d6681ddd3e5299e877d8ea8250 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -944,7 +944,9 @@ public class CryptoUtil {
 for (String cipher : ciphers) {
 
 Integer cipherID = cipherMap.get(cipher);
-if (cipherID == null) continue;
+if (cipherID == null) {
+throw new SocketException("Unsupported cipher: " + cipher);
+}
 
 SSLSocket.setCipherPreferenceDefault(cipherID, true);
 }
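Review bot: Throwing on the first unknown name is the right fix, but it happens after the global preferences have already been mutated: the context shown for the same loop in patch 982 on this page has `unsetSSLCiphers();` immediately before it, so an unsupported entry leaves the process with every cipher disabled except the ones earlier in the list. Resolving all names into IDs before touching any preference keeps the failure atomic; the enclosing method starts outside the hunk, and `List`/`ArrayList` may need a java.util import if the file only has Vector.
```java
// … unchanged: null check and default fallback …
List<Integer> cipherIDs = new ArrayList<Integer>();
for (String cipher : ciphers) {
    Integer cipherID = cipherMap.get(cipher);
    if (cipherID == null) {
        throw new SocketException("Unsupported cipher: " + cipher);
    }
    cipherIDs.add(cipherID);
}

// only mutate the global preferences once every name has been resolved
unsetSSLCiphers();
for (int cipherID : cipherIDs) {
    SSLSocket.setCipherPreferenceDefault(cipherID, true);
}
```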
-- 
2.9.3


[Pki-devel] [PATCH] 979 Renamed CryptoUtil.setClientCiphers().

2017-03-19 Thread Endi Sukma Dewata

The setClientCiphers() in CryptoUtil has been renamed to
setDefaultSSLCiphers() for clarity.

Pushed to master under trivial rule.

--
Endi S. Dewata
From a168db3f36584a6a576daa91c993d18c134835fe Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Sun, 19 Mar 2017 18:44:06 +0100
Subject: [PATCH] Renamed CryptoUtil.setClientCiphers().

The setClientCiphers() in CryptoUtil has been renamed to
setDefaultSSLCiphers() for clarity.
---
 .../src/com/netscape/admin/certsrv/connection/JSSConnection.java  | 2 +-
 base/java-tools/src/com/netscape/cmstools/HttpClient.java | 2 +-
 base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java| 2 +-
 base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java b/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
index 8678b537886bc28b1ec81f9f61be8337b2f8c00f..5513155051d24c12e6c83a8aef5c2fd1b2cca6f4 100644
--- a/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
+++ b/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
@@ -121,7 +121,7 @@ public class JSSConnection implements IConnection, SSLCertificateApprovalCallbac
 
 CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
 CryptoUtil.setSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
-CryptoUtil.setClientCiphers();
+CryptoUtil.setDefaultSSLCiphers();
 
 s = new SSLSocket(host, port, null, 0, this, this);
 
diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
index aa3bd174385c4fa6a04ac5ce330a5a0d54b6973a..29b7446b4b6785b427affb511dd4d3d0d5d9d4e2 100644
--- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
@@ -126,7 +126,7 @@ public class HttpClient {
 
 CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
 CryptoUtil.setSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
-CryptoUtil.setClientCiphers();
+CryptoUtil.setDefaultSSLCiphers();
 
 sslSocket = new SSLSocket(_host, _port);
 // SSLSocket.setSSLVersionRange() needs to be exposed in JSS
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index b3de8757f2fbf46a6a9cfdb6b770e20830037a2c..f2e0d08d948381421ee69d1cde2eb035a5a6467b 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -537,7 +537,7 @@ public class MainCLI extends CLI {
 SSLVersion.valueOf(datagramVersionMax)
 );
 
-CryptoUtil.setClientCiphers();
+CryptoUtil.setDefaultSSLCiphers();
 }
 
 public PKIClient getClient() throws Exception {
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index fccda69e4789ffbc4285099b2847a8aafdd2a694..17d314a010a8ba3e4c30e41c8816c14979cfb86a 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -932,7 +932,7 @@ public class CryptoUtil {
 
 if (list == null) {
 // use default
-setClientCiphers();
+setDefaultSSLCiphers();
 return;
 }
 
@@ -950,7 +950,7 @@ public class CryptoUtil {
 }
 }
 
-public static void setClientCiphers() throws SocketException {
+public static void setDefaultSSLCiphers() throws SocketException {
 
 int ciphers[] = SSLSocket.getImplementedCipherSuites();
 if (ciphers == null) return;
-- 
2.9.3


[Pki-devel] [PATCH] 978 Added configuration parameters for SSL version ranges.

2017-03-19 Thread Endi Sukma Dewata

The hard-coded SSL version ranges in PKI CLI have been converted
into configurable parameters in the pki.conf.

Pushed to master under trivial rule.

--
Endi S. Dewata
From 31683301b69fda23893c80af7c34c42a75e1b906 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Fri, 17 Mar 2017 19:20:30 +0100
Subject: [PATCH] Added configuration parameters for SSL version ranges.

The hard-coded SSL version ranges in PKI CLI have been converted
into configurable parameters in the pki.conf.
---
 base/common/share/etc/pki.conf   | 14 ++
 .../src/com/netscape/cmstools/cli/MainCLI.java   | 20 ++--
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf
index 5eeb187922791c51c851e30a4b38475a20c6bd9b..617c07f9c57e79b6d49fc32ab0beb43b95580df2 100644
--- a/base/common/share/etc/pki.conf
+++ b/base/common/share/etc/pki.conf
@@ -17,3 +17,17 @@ export LOGGING_CONFIG
 # PKI CLI options
 PKI_CLI_OPTIONS=
 export PKI_CLI_OPTIONS
+
+# SSL version ranges
+# Valid values: SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2
+SSL_STREAM_VERSION_MIN="TLS_1_0"
+export SSL_STREAM_VERSION_MIN
+
+SSL_STREAM_VERSION_MAX="TLS_1_2"
+export SSL_STREAM_VERSION_MAX
+
+SSL_DATAGRAM_VERSION_MIN="TLS_1_1"
+export SSL_DATAGRAM_VERSION_MIN
+
+SSL_DATAGRAM_VERSION_MAX="TLS_1_2"
+export SSL_DATAGRAM_VERSION_MAX
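Review bot: The comment `# Valid values: SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2` presents SSL_3_0 as an ordinary choice, while the defaults set here start at TLS_1_0 and TLS_1_1. Since this file is the place an administrator will edit, say so next to the list, e.g. `# SSL_3_0 is accepted by the parser but lowering a minimum below the default is not recommended.` It would also help to note that MIN must not exceed MAX, since the Java side on this page passes the values straight to CryptoUtil without checking the order.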
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 8f575dbf738af06885fb80bfaec6ca996a8db401..b3de8757f2fbf46a6a9cfdb6b770e20830037a2c 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -519,8 +519,24 @@ public class MainCLI extends CLI {
 
 }
 
-CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
-CryptoUtil.setSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
+// See default SSL configuration in /usr/share/pki/etc/pki.conf.
+
+String streamVersionMin = System.getenv("SSL_STREAM_VERSION_MIN");
+String streamVersionMax = System.getenv("SSL_STREAM_VERSION_MAX");
+
+CryptoUtil.setSSLStreamVersionRange(
+SSLVersion.valueOf(streamVersionMin),
+SSLVersion.valueOf(streamVersionMax)
+);
+
+String datagramVersionMin = System.getenv("SSL_DATAGRAM_VERSION_MIN");
+String datagramVersionMax = System.getenv("SSL_DATAGRAM_VERSION_MAX");
+
+CryptoUtil.setSSLDatagramVersionRange(
+SSLVersion.valueOf(datagramVersionMin),
+SSLVersion.valueOf(datagramVersionMax)
+);
+
 CryptoUtil.setClientCiphers();
 }
 
-- 
2.9.3


[Pki-devel] [PATCH] 977 Fixed PKIClient initialization in PKI CLI.

2017-03-19 Thread Endi Sukma Dewata

The PKI CLI has been modified such that it initializes the
PKIClient (and retrieves the access banner) only if the CLI
needs to access the PKI server.

https://pagure.io/dogtagpki/issue/2612

Pushed to master under trivial rule.

--
Endi S. Dewata
From 6bcb89b55db870766ddcf09002a5997b323bd196 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Sat, 18 Mar 2017 07:45:30 +0100
Subject: [PATCH] Fixed PKIClient initialization in PKI CLI.

The PKI CLI has been modified such that it initializes the
PKIClient (and retrieves the access banner) only if the CLI
needs to access the PKI server.

https://pagure.io/dogtagpki/issue/2612
---
 base/java-tools/src/com/netscape/cmstools/cli/CLI.java  |  2 +-
 base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java  | 11 +++
 base/java-tools/src/com/netscape/cmstools/cli/ProxyCLI.java |  2 +-
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/base/java-tools/src/com/netscape/cmstools/cli/CLI.java b/base/java-tools/src/com/netscape/cmstools/cli/CLI.java
index 0a9106705f6d965b62b2600710ffb855b3a94485..65fad75e017ed57df871b45c7ce3009ca9f91857 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/CLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/CLI.java
@@ -183,7 +183,7 @@ public class CLI {
 return null;
 }
 
-public PKIClient getClient() {
+public PKIClient getClient() throws Exception {
 return client;
 }
 
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 4c0a9182341f62b8718f4202b0825a7cdc2068d4..8f575dbf738af06885fb80bfaec6ca996a8db401 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -522,6 +522,15 @@ public class MainCLI extends CLI {
 CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
 CryptoUtil.setSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
 CryptoUtil.setClientCiphers();
+}
+
+public PKIClient getClient() throws Exception {
+
+if (client != null) return client;
+
+if (verbose) {
+System.out.println("Initializing PKIClient");
+}
 
 client = new PKIClient(config, null);
 client.setVerbose(verbose);
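Review bot: `client = new PKIClient(config, null);` assigns the field before the initialization that continues past this hunk (the banner retrieval, per the commit message) has finished, so if any later step throws, the `if (client != null) return client;` guard will hand back a half-initialized client on the next call instead of retrying. Build into a local and publish at the end, i.e. `PKIClient newClient = new PKIClient(config, null);` here, use `newClient` through the rest of the method, and in the second hunk `client = newClient;` before `return client;`. A Javadoc line on the override, such as "Lazily creates the PKIClient on first use so that commands that never talk to the server do not connect", would document the new contract.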
@@ -558,6 +567,8 @@ public class MainCLI extends CLI {
 }
 }
 }
+
+return client;
 }
 
 public void execute(String[] args) throws Exception {
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/ProxyCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/ProxyCLI.java
index c5387cf0320c65459102f38f9f8b3d50ad060055..1cf6feaf2b044f2ec7473cdf0a1810761097ac1b 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/ProxyCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/ProxyCLI.java
@@ -87,7 +87,7 @@ public class ProxyCLI extends CLI {
 return module.removeModule(name);
 }
 
-public PKIClient getClient() {
+public PKIClient getClient() throws Exception {
 return module.getClient();
 }
 
-- 
2.9.3
