The CryptoUtil.setSSLCiphers() has been modified to support a "-"
sign in front of the cipher name or ID to disable the cipher.

Pushed to master under trivial rule.

--
Endi S. Dewata
>From 8ba95a89a7de733c5319f575e80621faa2b45e90 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edew...@redhat.com>
Date: Fri, 17 Mar 2017 19:25:07 +0100
Subject: [PATCH] Added support for disabling SSL ciphers in pki.conf.

The CryptoUtil.setSSLCiphers() has been modified to support a "-"
sign in front of the cipher name or ID to disable the cipher.
---
 base/common/share/etc/pki.conf                            | 3 ++-
 base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 9 ++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf
index 4bb874f63f7ad70f14eb8c019e38d3d3d2865543..c0b607308156d9de6522c811113625c82869f06b 100644
--- a/base/common/share/etc/pki.conf
+++ b/base/common/share/etc/pki.conf
@@ -38,8 +38,9 @@ SSL_DEFAULT_CIPHERS="true"
 export SSL_DEFAULT_CIPHERS
 
 # SSL ciphers
-# This parameter lists SSL ciphers to enable in addition to the default ciphers.
+# This parameter lists SSL ciphers to enable/disable in addition to the default ciphers.
 # The list contains IANA-registered cipher names or hex IDs separated by white spaces.
 # https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
+# To disable a cipher, specify a "-" sign in front of the cipher name or ID.
 SSL_CIPHERS=""
 export SSL_CIPHERS
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index 5e6659363ae209080225342ddc2c2e97d9367bca..c436b4d02dd5bb7006acbcfa65fd8a64bcd02140 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -955,7 +955,14 @@ public class CryptoUtil {
 
         while (st.hasMoreTokens()) {
             String cipher = st.nextToken();
-            setSSLCipher(cipher, true);
+            boolean enabled = true;
+
+            if (cipher.startsWith("-")) {
+                enabled = false;
+                cipher = cipher.substring(1);
+            }
+
+            setSSLCipher(cipher, enabled);
         }
     }
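Review bot: A token consisting only of `-` becomes an empty string after `cipher.substring(1)` on the new side and is still handed to `setSSLCipher`; unless setSSLCipher rejects empty names (not visible in this hunk), the loop should skip it with `if (cipher.isEmpty()) continue;` before the call. The prefix convention also deserves a comment above the `startsWith` check, e.g. `// a leading "-" disables the cipher instead of enabling it (see SSL_CIPHERS in pki.conf)`. Because each token is applied in order, a later `-X` presumably overrides an earlier `X` for the same cipher, which is worth stating in the pki.conf comment so operators can predict the effective cipher set. The enclosing setSSLCiphers method starts before this hunk.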
 
-- 
2.9.3
