You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by ro...@apache.org on 2018/03/12 10:44:07 UTC
[cloudstack] branch 4.11 updated: CLOUDSTACK-10319: Prefer TLSv1.2,
deprecate TLSv1.0, 1.1 (#2480)
This is an automated email from the ASF dual-hosted git repository.
rohit pushed a commit to branch 4.11
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
The following commit(s) were added to refs/heads/4.11 by this push:
new da8cf8c CLOUDSTACK-10319: Prefer TLSv1.2, deprecate TLSv1.0,1.1 (#2480)
da8cf8c is described below
commit da8cf8c3703178b0570ae34b5f5338dd704b8c73
Author: Rohit Yadav <ro...@apache.org>
AuthorDate: Mon Mar 12 11:43:59 2018 +0100
CLOUDSTACK-10319: Prefer TLSv1.2, deprecate TLSv1.0,1.1 (#2480)
This deprecates and remove TLS 1.0 and 1.1 from preferred list of
protocols and keeps only TLSv1.2.
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
---
.../src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java | 4 ++--
systemvm/debian/etc/apache2/vhost.template | 2 +-
.../appliance/systemvmtemplate/scripts/configure_systemvm_services.sh | 2 +-
.../src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java | 4 ++--
utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java | 4 ++--
5 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java b/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
index 5c0d6ce..0b0b083 100644
--- a/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
+++ b/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
@@ -61,7 +61,7 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus {
private static Integer port;
private static String username;
private static String password;
- private static String secureProtocol = "TLSv1";
+ private static String secureProtocol = "TLSv1.2";
public synchronized static void setVirtualHost(String virtualHost) {
RabbitMQEventBus.virtualHost = virtualHost;
@@ -623,4 +623,4 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus {
return;
}
}
-}
\ No newline at end of file
+}
diff --git a/systemvm/debian/etc/apache2/vhost.template b/systemvm/debian/etc/apache2/vhost.template
index caded8c..688239c 100644
--- a/systemvm/debian/etc/apache2/vhost.template
+++ b/systemvm/debian/etc/apache2/vhost.template
@@ -89,7 +89,7 @@
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
- SSLProtocol all -SSLv2 -SSLv3
+ SSLProtocol TLSv1.2
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE- [...]
SSLHonorCipherOrder on
diff --git a/tools/appliance/systemvmtemplate/scripts/configure_systemvm_services.sh b/tools/appliance/systemvmtemplate/scripts/configure_systemvm_services.sh
index 6e2e305..3544806 100644
--- a/tools/appliance/systemvmtemplate/scripts/configure_systemvm_services.sh
+++ b/tools/appliance/systemvmtemplate/scripts/configure_systemvm_services.sh
@@ -28,7 +28,7 @@ function configure_apache2() {
# Backup stock apache configuration since we may modify it in Secondary Storage VM
cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/default.orig
cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.orig
- sed -i 's/SSLProtocol all -SSLv2$/SSLProtocol all -SSLv2 -SSLv3/g' /etc/apache2/mods-available/ssl.conf
+ sed -i 's/SSLProtocol .*$/SSLProtocol TLSv1.2/g' /etc/apache2/mods-available/ssl.conf
}
function install_cloud_scripts() {
diff --git a/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java b/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java
index 8016f5a..9fbdb4a 100644
--- a/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java
+++ b/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java
@@ -34,7 +34,7 @@ public class SSLUtils {
public static String[] getSupportedProtocols(String[] protocols) {
Set<String> set = new HashSet<String>();
for (String s : protocols) {
- if (s.equals("SSLv3") || s.equals("SSLv2Hello")) {
+ if (s.equals("TLSv1") || s.equals("TLSv1.1") || s.equals("SSLv3") || s.equals("SSLv2Hello")) {
continue;
}
set.add(s);
@@ -46,7 +46,7 @@ public class SSLUtils {
* It returns recommended protocols that are considered secure.
*/
public static String[] getRecommendedProtocols() {
- return new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" };
+ return new String[] { "TLSv1.2" };
}
/**
diff --git a/utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java b/utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java
index 625b538..6c66dcd 100644
--- a/utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java
+++ b/utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java
@@ -69,9 +69,9 @@ public class SSLUtilsTest {
}
private void verifyProtocols(ArrayList<String> protocolsList) {
- Assert.assertTrue(protocolsList.contains("TLSv1"));
- Assert.assertTrue(protocolsList.contains("TLSv1.1"));
Assert.assertTrue(protocolsList.contains("TLSv1.2"));
+ Assert.assertFalse(protocolsList.contains("TLSv1"));
+ Assert.assertFalse(protocolsList.contains("TLSv1.1"));
Assert.assertFalse(protocolsList.contains("SSLv3"));
Assert.assertFalse(protocolsList.contains("SSLv2Hello"));
}
--
To stop receiving notification emails like this one, please contact
rohit@apache.org.