Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2018/03/12 10:44:01 UTC

[GitHub] rhtyd closed pull request #2480: CLOUDSTACK-10319: Prefer TLSv1.2, deprecate TLSv1.0,1.1

rhtyd closed pull request #2480: CLOUDSTACK-10319: Prefer TLSv1.2, deprecate TLSv1.0,1.1
URL: https://github.com/apache/cloudstack/pull/2480
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java b/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
index 5c0d6ce6047..0b0b0839e70 100644
--- a/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
+++ b/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
@@ -61,7 +61,7 @@
     private static Integer port;
     private static String username;
     private static String password;
-    private static String secureProtocol = "TLSv1";
+    private static String secureProtocol = "TLSv1.2";
 
     public synchronized static void setVirtualHost(String virtualHost) {
         RabbitMQEventBus.virtualHost = virtualHost;
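Review bot: Changing the default `secureProtocol` to "TLSv1.2" only changes which SSLContext is requested, and in JSSE a context named "TLSv1.2" is a capability, not a restriction: sockets it creates may still have TLSv1 and TLSv1.1 in their enabled protocol list, so a downgrade to 1.0/1.1 remains negotiable unless the socket's enabled protocols are also set. How this field is consumed is outside the hunk, but if it ends up in `SSLContext.getInstance(secureProtocol)` the connection setup should additionally call `setEnabledProtocols(SSLUtils.getRecommendedProtocols())` on the resulting socket (or via a RabbitMQ socket configurator), which is what this PR's `SSLUtils` change is meant to feed. A one-line comment on the field would stop the next reader from assuming the string alone enforces the policy: `// SSLContext name only; enabled protocols are restricted separately (see SSLUtils.getRecommendedProtocols)`.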
@@ -623,4 +623,4 @@ public void handleDelivery(String queueName, Envelope envelope, AMQP.BasicProper
             return;
         }
     }
-}
\ No newline at end of file
+}
diff --git a/systemvm/debian/etc/apache2/vhost.template b/systemvm/debian/etc/apache2/vhost.template
index caded8c2ad4..688239cd8c0 100644
--- a/systemvm/debian/etc/apache2/vhost.template
+++ b/systemvm/debian/etc/apache2/vhost.template
@@ -89,7 +89,7 @@
 	#   SSL Engine Switch:
 	#   Enable/Disable SSL for this virtual host.
 	SSLEngine on
-	SSLProtocol all -SSLv2 -SSLv3
+	SSLProtocol TLSv1.2
 	SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
 	SSLHonorCipherOrder on
 
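Review bot: `SSLProtocol TLSv1.2` pins the version, but the `SSLCipherSuite` line beneath it still keeps `DES-CBC3-SHA` and the `AES`/`CAMELLIA` catch-all tokens, so 3DES (SWEET32) and non-forward-secret CBC suites remain negotiable even with TLS 1.2 only. Since the order is honored and the ECDHE/DHE GCM suites are listed first, a modern client will rarely pick them, but a client that offers only legacy suites still can; dropping `DES-CBC3-SHA` and `CAMELLIA` from the list and appending `!3DES` to the exclusions would close that without affecting the preferred suites. Whether `+TLSv1.3` can be added depends on the mod_ssl/OpenSSL shipped in the appliance, which is not visible here.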
diff --git a/tools/appliance/systemvmtemplate/scripts/configure_systemvm_services.sh b/tools/appliance/systemvmtemplate/scripts/configure_systemvm_services.sh
index 6e2e3059a53..3544806b1f9 100644
--- a/tools/appliance/systemvmtemplate/scripts/configure_systemvm_services.sh
+++ b/tools/appliance/systemvmtemplate/scripts/configure_systemvm_services.sh
@@ -28,7 +28,7 @@ function configure_apache2() {
    # Backup stock apache configuration since we may modify it in Secondary Storage VM
    cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/default.orig
    cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.orig
-   sed -i 's/SSLProtocol all -SSLv2$/SSLProtocol all -SSLv2 -SSLv3/g' /etc/apache2/mods-available/ssl.conf
+   sed -i 's/SSLProtocol .*$/SSLProtocol TLSv1.2/g' /etc/apache2/mods-available/ssl.conf
 }
 
 function install_cloud_scripts() {
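Review bot: The new `sed` silently does nothing if the stock `ssl.conf` has no uncommented `SSLProtocol` line (or the directive moves in a future Debian package), leaving the appliance at the distribution default with no build failure; the previous anchored pattern had the same weakness, so this hunk does not regress it but also does not close it. Because the per-vhost template elsewhere in this PR only covers vhosts that use it, the global directive is the safety net and is worth asserting: `grep -Eq '^[[:space:]]*SSLProtocol TLSv1.2$' /etc/apache2/mods-available/ssl.conf || { echo "SSLProtocol hardening did not apply" >&2; exit 1; }`. Note `SSLProtocol .*$` also rewrites the directive inside comment lines such as `#   SSLProtocol ...`, which is harmless but worth a comment so nobody tightens the regex back to an exact match later. `configure_apache2` begins before this hunk, so whether the script runs under `set -e` cannot be confirmed from here.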
diff --git a/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java b/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java
index 8016f5a1916..9fbdb4aa553 100644
--- a/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java
+++ b/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java
@@ -34,7 +34,7 @@
     public static String[] getSupportedProtocols(String[] protocols) {
         Set<String> set = new HashSet<String>();
         for (String s : protocols) {
-            if (s.equals("SSLv3") || s.equals("SSLv2Hello")) {
+            if (s.equals("TLSv1") || s.equals("TLSv1.1") || s.equals("SSLv3") || s.equals("SSLv2Hello")) {
                 continue;
             }
             set.add(s);
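Review bot: The filter is a deny-list, so any name not in it passes through unchanged; that is the right shape for letting a newer JVM offer TLSv1.3, but it also means the method's contract is "strip known-bad" rather than "return only approved", and the Javadoc (outside the hunk) should say so explicitly. It is also worth stating that on a runtime whose input contains only TLSv1/TLSv1.1 the result is empty, which makes a subsequent `setEnabledProtocols` fail closed with no handshake possible — desirable, but surprising if undocumented. A comment on the `if` would cover both: `// Deny-list (CLOUDSTACK-10319): SSLv2Hello/SSLv3/TLSv1/TLSv1.1 are dropped; anything else, including newer TLS versions, is kept. May yield an empty set on old JVMs.` The method's return statement lies past the end of this hunk.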
@@ -46,7 +46,7 @@
      * It returns recommended protocols that are considered secure.
      */
     public static String[] getRecommendedProtocols() {
-        return new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" };
+        return new String[] { "TLSv1.2" };
     }
 
     /**
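Review bot: The accepted-protocol policy is now spelled as the literal "TLSv1.2" here and again as the `secureProtocol` default in `RabbitMQEventBus`, and as the name set excluded in `getSupportedProtocols`, so the next tightening (or a TLSv1.3 addition) has three places to get out of sync. Keeping one `static final String[]` in `SSLUtils` and returning `RECOMMENDED_PROTOCOLS.clone()` from this method keeps the fresh-array contract callers rely on while giving the plugin a single value to reference, e.g. `private static final String[] RECOMMENDED_PROTOCOLS = { "TLSv1.2" };` and `return RECOMMENDED_PROTOCOLS.clone();`. Whether the RabbitMQ plugin module may depend on `utils` is not visible in this diff.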
diff --git a/utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java b/utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java
index 625b538d7f2..6c66dcd1bd0 100644
--- a/utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java
+++ b/utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java
@@ -69,9 +69,9 @@ public void getSupportedProtocolsTest() {
     }
 
     private void verifyProtocols(ArrayList<String> protocolsList) {
-        Assert.assertTrue(protocolsList.contains("TLSv1"));
-        Assert.assertTrue(protocolsList.contains("TLSv1.1"));
         Assert.assertTrue(protocolsList.contains("TLSv1.2"));
+        Assert.assertFalse(protocolsList.contains("TLSv1"));
+        Assert.assertFalse(protocolsList.contains("TLSv1.1"));
         Assert.assertFalse(protocolsList.contains("SSLv3"));
         Assert.assertFalse(protocolsList.contains("SSLv2Hello"));
     }


 
