Please review.
https://fedorahosted.org/pki/ticket/1648 [RFE] provide separate cipher
lists for CS instances acting as client and server
This patch allows the administrator to specify an allowed list of ssl
ciphers for subsystem->subsystem communication that is separate from the
server one in server.xml
Note:
* it is only meant for cs subsystem->subsystem communication; i.e..
ca->kra, tps->ca, tps->kra, tps->tks (e.g. not for connection to the
ldap server, internal, publishing, or authentication)
* the clientCiphers configuration is a "strict" list, meaning, only the
ciphers in the comma separated list are enabled in the connection when
acting as a client
* if the clientCiphers configuration parameter is undefined, default
action is taken to enable all available ciphers provided (that means it
works as it did prior to this patch)
* pki-core and pki-util packages are expected to be updated together for
the newly added clientCiphers String parameter in various
affected connection
interfaces; since it is handled in a way that if this parameter
is null, it
goes to default, as they are expected to be internal to cs
subsystems
How to test (what I have tested):
* turn on a couple ECDH_RSA_* ciphers on the server side for CA and KRA:
- edit <ca instance dir>/conf/server.xml, search for
sslRangeCiphers, and turn '-' to '+' for, say,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- restart ca
- repeat for kra
- expect browser to connect to ca and kra with the TLS_ECDHE_RSA_*
ciphers that are turned on
- verify using ssltap or any tool that can catch and report from an
ssl session
* turn on client side cihpers in the ca for talking to the kra:
- edit <ca instance dir>/ca/conf/CS.cfg, add a list of ciphers
WITHOUT the TLS_ECDHE_* ciphers, e.g.
ca.connector.KRA.clientCiphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
- expect ca to connect to kra using the ciphers allowed in the
clientCiphers list by doing an enrollment with archival
- verify using ssltap or any tool that can catch and report from an
ssl session
* perform the same test between tps and other subsystems.
tps.connector.<ca id>.clientCiphers=< your selected cipher list>
tps.connector.<kra id>.clientCiphers=< your selected cipher list>
tps.connector.<tks id>.clientCiphers=< your selected cipher list>
thanks,
Christina