5:41 p.m.
Please review.
https://fedorahosted.org/pki/ticket/1648 [RFE] provide separate cipher
lists for CS instances acting as client and server
This patch allows the administrator to specify an allowed list of ssl
ciphers for subsystem->subsystem communication that is separate from the
server one in server.xml
Note:
* it is only meant for cs subsystem->subsystem communication; i.e..
ca->kra, tps->ca, tps->kra, tps->tks (e.g. not for connection to the
ldap server, internal, publishing, or authentication)
* the clientCiphers configuration is a "strict" list, meaning, only the
ciphers in the comma separated list are enabled in the connection when
acting as a client
* if the clientCiphers configuration parameter is undefined, default
action is taken to enable all available ciphers provided (that means it
works as it did prior to this patch)
* pki-core and pki-util packages are expected to be updated together for
the newly added clientCiphers String parameter in various
affected connection
interfaces; since it is handled in a way that if this parameter
is null, it
goes to default, as they are expected to be internal to cs
subsystems
How to test (what I have tested):
* turn on a couple ECDH_RSA_* ciphers on the server side for CA and KRA:
- edit <ca instance dir>/conf/server.xml, search for
sslRangeCiphers, and turn '-' to '+' for, say,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- restart ca
- repeat for kra
- expect browser to connect to ca and kra with the TLS_ECDHE_RSA_*
ciphers that are turned on
- verify using ssltap or any tool that can catch and report from an
ssl session
* turn on client side cihpers in the ca for talking to the kra:
- edit <ca instance dir>/ca/conf/CS.cfg, add a list of ciphers
WITHOUT the TLS_ECDHE_* ciphers, e.g.
ca.connector.KRA.clientCiphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
- expect ca to connect to kra using the ciphers allowed in the
clientCiphers list by doing an enrollment with archival
- verify using ssltap or any tool that can catch and report from an
ssl session
* perform the same test between tps and other subsystems.
tps.connector.<ca id>.clientCiphers=< your selected cipher list>
tps.connector.<kra id>.clientCiphers=< your selected cipher list>
tps.connector.<tks id>.clientCiphers=< your selected cipher list>
thanks,
Christina
6:41 p.m.
New subject: [PATCH] pki-cfu-0106-Ticket-1648-RFE-provide-separate-cipher-lists-for-CS.patch
Looks good. And I hear it is tested to work.
Just one thing.
There is a bunch of cipher mapping code in there which I believe is already in tomcatjss.
It would be better if a future ticket is created to move all that down to JSS so both of
those
can make use of it and not copy it.
ACK
----- Original Message -----
From: "Christina Fu" <cfu(a)redhat.com>
To: "pki-devel" <pki-devel(a)redhat.com>
Sent: Tuesday, October 20, 2015 3:41:38 PM
Subject: [Pki-devel]
[PATCH] pki-cfu-0106-Ticket-1648-RFE-provide-separate-cipher-lists-for-CS.patch
Please review.
https://fedorahosted.org/pki/ticket/1648 [RFE] provide separate cipher
lists for CS instances acting as client and server
This patch allows the administrator to specify an allowed list of ssl
ciphers for subsystem->subsystem communication that is separate from the
server one in server.xml
Note:
* it is only meant for cs subsystem->subsystem communication; i.e..
ca->kra, tps->ca, tps->kra, tps->tks (e.g. not for connection to the
ldap server, internal, publishing, or authentication)
* the clientCiphers configuration is a "strict" list, meaning, only the
ciphers in the comma separated list are enabled in the connection when
acting as a client
* if the clientCiphers configuration parameter is undefined, default
action is taken to enable all available ciphers provided (that means it
works as it did prior to this patch)
* pki-core and pki-util packages are expected to be updated together for
the newly added clientCiphers String parameter in various
affected connection
interfaces; since it is handled in a way that if this parameter
is null, it
goes to default, as they are expected to be internal to cs
subsystems
How to test (what I have tested):
* turn on a couple ECDH_RSA_* ciphers on the server side for CA and KRA:
- edit <ca instance dir>/conf/server.xml, search for
sslRangeCiphers, and turn '-' to '+' for, say,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- restart ca
- repeat for kra
- expect browser to connect to ca and kra with the TLS_ECDHE_RSA_*
ciphers that are turned on
- verify using ssltap or any tool that can catch and report from an
ssl session
* turn on client side cihpers in the ca for talking to the kra:
- edit <ca instance dir>/ca/conf/CS.cfg, add a list of ciphers
WITHOUT the TLS_ECDHE_* ciphers, e.g.
ca.connector.KRA.clientCiphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
- expect ca to connect to kra using the ciphers allowed in the
clientCiphers list by doing an enrollment with archival
- verify using ssltap or any tool that can catch and report from an
ssl session
* perform the same test between tps and other subsystems.
tps.connector.<ca id>.clientCiphers=< your selected cipher list>
tps.connector.<kra id>.clientCiphers=< your selected cipher list>
tps.connector.<tks id>.clientCiphers=< your selected cipher list>
thanks,
Christina
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
6:55 p.m.
Thank you! I was thinking just that.
Pushed to master:
commit 562a49f08df2adb1a3f233a9b7490575182ece04
Christina
On 10/20/2015 04:41 PM, John Magne wrote:
Looks good. And I hear it is tested to work.
Just one thing.
There is a bunch of cipher mapping code in there which I believe is already in
tomcatjss.
It would be better if a future ticket is created to move all that down to JSS so both of
those
can make use of it and not copy it.
ACK
----- Original Message -----
From: "Christina Fu" <cfu(a)redhat.com>
To: "pki-devel" <pki-devel(a)redhat.com>
Sent: Tuesday, October 20, 2015 3:41:38 PM
Subject: [Pki-devel]
[PATCH] pki-cfu-0106-Ticket-1648-RFE-provide-separate-cipher-lists-for-CS.patch
Please review.
https://fedorahosted.org/pki/ticket/1648 [RFE] provide separate cipher
lists for CS instances acting as client and server
This patch allows the administrator to specify an allowed list of ssl
ciphers for subsystem->subsystem communication that is separate from the
server one in server.xml
Note:
* it is only meant for cs subsystem->subsystem communication; i.e..
ca->kra, tps->ca, tps->kra, tps->tks (e.g. not for connection to the
ldap server, internal, publishing, or authentication)
* the clientCiphers configuration is a "strict" list, meaning, only the
ciphers in the comma separated list are enabled in the connection when
acting as a client
* if the clientCiphers configuration parameter is undefined, default
action is taken to enable all available ciphers provided (that means it
works as it did prior to this patch)
* pki-core and pki-util packages are expected to be updated together for
the newly added clientCiphers String parameter in various
affected connection
interfaces; since it is handled in a way that if this parameter
is null, it
goes to default, as they are expected to be internal to cs
subsystems
How to test (what I have tested):
* turn on a couple ECDH_RSA_* ciphers on the server side for CA and KRA:
- edit <ca instance dir>/conf/server.xml, search for
sslRangeCiphers, and turn '-' to '+' for, say,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- restart ca
- repeat for kra
- expect browser to connect to ca and kra with the TLS_ECDHE_RSA_*
ciphers that are turned on
- verify using ssltap or any tool that can catch and report from an
ssl session
* turn on client side cihpers in the ca for talking to the kra:
- edit <ca instance dir>/ca/conf/CS.cfg, add a list of ciphers
WITHOUT the TLS_ECDHE_* ciphers, e.g.
ca.connector.KRA.clientCiphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
- expect ca to connect to kra using the ciphers allowed in the
clientCiphers list by doing an enrollment with archival
- verify using ssltap or any tool that can catch and report from an
ssl session
* perform the same test between tps and other subsystems.
tps.connector.<ca id>.clientCiphers=< your selected cipher list>
tps.connector.<kra id>.clientCiphers=< your selected cipher list>
tps.connector.<tks id>.clientCiphers=< your selected cipher list>
thanks,
Christina
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
3351
days inactive
3351
days old
2 comments
2 participants
participants (2)
-
Christina Fu -
John Magne