A new parameter has been added to pki.conf to enable/disable the default SSL ciphers for PKI CLI.
Pushed to master under trivial rule. -- Endi S. Dewata
>From de4b48b9e4523a865e74f8122e130e976b124410 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edew...@redhat.com>
Date: Sun, 19 Mar 2017 21:47:08 +0100
Subject: [PATCH] Added pki.conf parameter for default SSL ciphers.

A new parameter has been added to pki.conf to enable/disable the default SSL ciphers for PKI CLI.
---
 base/common/share/etc/pki.conf | 5 +++++
 base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 7 ++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf
index e6d53714d6378ffa04327363f8089b819b67ae39..9f4df6371fea716c9e6097aedfd79486bc91dc5b 100644
--- a/base/common/share/etc/pki.conf
+++ b/base/common/share/etc/pki.conf
@@ -32,6 +32,11 @@ export SSL_DATAGRAM_VERSION_MIN
 SSL_DATAGRAM_VERSION_MAX="TLS_1_2"
 export SSL_DATAGRAM_VERSION_MAX

+# SSL default ciphers
+# This boolean parameter determines whether to enable default SSL ciphers.
+SSL_DEFAULT_CIPHERS="true"
+export SSL_DEFAULT_CIPHERS
+
 # SSL ciphers
 # This parameter lists SSL ciphers to enable in addition to the default ciphers.
 # The list contains IANA-registered cipher names separated by white spaces.
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 053d72c4e55dfe125fb110044acc048f48939ea1..83090a108a15997039fe217aa0a0296a54f59cf9 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -537,7 +537,12 @@ public class MainCLI extends CLI {
 SSLVersion.valueOf(datagramVersionMax)
 );

- CryptoUtil.setDefaultSSLCiphers();
+ String defaultCiphers = System.getenv("SSL_DEFAULT_CIPHERS");
+ if (Boolean.parseBoolean(defaultCiphers)) {
+ CryptoUtil.setDefaultSSLCiphers();
+ } else {
+ CryptoUtil.unsetSSLCiphers();
+ }

 String ciphers = System.getenv("SSL_CIPHERS");
 CryptoUtil.setSSLCiphers(ciphers);
--
2.9.3
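Review bot: The comment added for `SSL_DEFAULT_CIPHERS` does not say what a non-true value does, and the unchanged `# SSL ciphers` comment right below still describes the list as enabled "in addition to the default ciphers", which no longer holds once this parameter is false. Judging from the MainCLI.java hunk, any value other than `true` leads to `CryptoUtil.unsetSSLCiphers()`, so presumably only the ciphers named in `SSL_CIPHERS` remain enabled and an empty list would leave none. I would extend the comment along the lines of `# Set to "false" to disable the default ciphers; only the ciphers listed in SSL_CIPHERS are then enabled.` and state that values other than true/false are treated as false.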
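Review bot: `Boolean.parseBoolean(defaultCiphers)` returns false for null and for any string other than "true" (ignoring case), so when `SSL_DEFAULT_CIPHERS` is absent from the environment or written as `yes` or `1`, the else branch runs `CryptoUtil.unsetSSLCiphers()` where the old code called `CryptoUtil.setDefaultSSLCiphers()` unconditionally. That silently changes the negotiated cipher set for any caller whose environment was not populated from the updated pki.conf, and if `SSL_CIPHERS` is also unset the client may end up with no enabled ciphers (inferred; `unsetSSLCiphers` is not shown on this page). Keeping the previous behaviour as the default would be `if (defaultCiphers == null || Boolean.parseBoolean(defaultCiphers)) {`, ideally with a logged warning when the value is neither true nor false. The enclosing method starts and ends outside the hunk.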