You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by ro...@apache.org on 2018/03/26 08:46:55 UTC
[cloudstack] branch 4.11 updated: CLOUDSTACK-10319: Allow TLSv1,
v1.1 for XenServer, Vmware (#2507)
This is an automated email from the ASF dual-hosted git repository.
rohit pushed a commit to branch 4.11
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
The following commit(s) were added to refs/heads/4.11 by this push:
new c4cc679 CLOUDSTACK-10319: Allow TLSv1, v1.1 for XenServer, Vmware (#2507)
c4cc679 is described below
commit c4cc679c3b34a5f38cc17a01a96e9d69aa370641
Author: Rohit Yadav <ro...@apache.org>
AuthorDate: Mon Mar 26 14:16:49 2018 +0530
CLOUDSTACK-10319: Allow TLSv1, v1.1 for XenServer, Vmware (#2507)
This reverts changes from #2480, instead moves TLS settings to
java ciphers settings config file. It should be sufficient to enforce
TLS v1.2 on public facing CloudStack services:
- CloudStack webserver (Jetty based)
- Apache2 for secondary storage VM
- CPVM HTTPs server
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
---
client/conf/java.security.ciphers.in | 2 +-
.../src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java | 4 ++--
utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java | 4 ++--
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/client/conf/java.security.ciphers.in b/client/conf/java.security.ciphers.in
index 986abf6..27e2d69 100644
--- a/client/conf/java.security.ciphers.in
+++ b/client/conf/java.security.ciphers.in
@@ -15,4 +15,4 @@
# specific language governing permissions and limitations
# under the License.
-jdk.tls.disabledAlgorithms=DH keySize < 128, RSA keySize < 128, DES keySize < 128, SHA1 keySize < 128, MD5 keySize < 128, RC4
\ No newline at end of file
+jdk.tls.disabledAlgorithms=SSLv2Hello, SSLv3, TLSv1, TLSv1.1, DH keySize < 128, RSA keySize < 128, DES keySize < 128, SHA1 keySize < 128, MD5 keySize < 128, RC4
diff --git a/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java b/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java
index 9fbdb4a..8016f5a 100644
--- a/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java
+++ b/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java
@@ -34,7 +34,7 @@ public class SSLUtils {
public static String[] getSupportedProtocols(String[] protocols) {
Set<String> set = new HashSet<String>();
for (String s : protocols) {
- if (s.equals("TLSv1") || s.equals("TLSv1.1") || s.equals("SSLv3") || s.equals("SSLv2Hello")) {
+ if (s.equals("SSLv3") || s.equals("SSLv2Hello")) {
continue;
}
set.add(s);
@@ -46,7 +46,7 @@ public class SSLUtils {
* It returns recommended protocols that are considered secure.
*/
public static String[] getRecommendedProtocols() {
- return new String[] { "TLSv1.2" };
+ return new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" };
}
/**
diff --git a/utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java b/utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java
index 6c66dcd..625b538 100644
--- a/utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java
+++ b/utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java
@@ -69,9 +69,9 @@ public class SSLUtilsTest {
}
private void verifyProtocols(ArrayList<String> protocolsList) {
+ Assert.assertTrue(protocolsList.contains("TLSv1"));
+ Assert.assertTrue(protocolsList.contains("TLSv1.1"));
Assert.assertTrue(protocolsList.contains("TLSv1.2"));
- Assert.assertFalse(protocolsList.contains("TLSv1"));
- Assert.assertFalse(protocolsList.contains("TLSv1.1"));
Assert.assertFalse(protocolsList.contains("SSLv3"));
Assert.assertFalse(protocolsList.contains("SSLv2Hello"));
}
--
To stop receiving notification emails like this one, please contact
rohit@apache.org.