CLOUDSTACK-10319: Prefer TLSv1.2, deprecate TLSv1.0,1.1 (#2480)

This deprecates and remove TLS 1.0 and 1.1 from preferred list of
protocols and keeps only TLSv1.2.

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>

plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java

@@ -61,7 +61,7 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus {
     private static Integer port;
     private static String username;
     private static String password;
-    private static String secureProtocol = "TLSv1";
+    private static String secureProtocol = "TLSv1.2";
 
     public synchronized static void setVirtualHost(String virtualHost) {
         RabbitMQEventBus.virtualHost = virtualHost;
@@ -623,4 +623,4 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus {
             return;
         }
     }
-}
+}

systemvm/debian/etc/apache2/vhost.template

@@ -89,7 +89,7 @@
 	#   SSL Engine Switch:
 	#   Enable/Disable SSL for this virtual host.
 	SSLEngine on
-	SSLProtocol all -SSLv2 -SSLv3
+	SSLProtocol TLSv1.2
 	SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
 	SSLHonorCipherOrder on
 

tools/appliance/systemvmtemplate/scripts/configure_systemvm_services.sh

@@ -28,7 +28,7 @@ function configure_apache2() {
    # Backup stock apache configuration since we may modify it in Secondary Storage VM
    cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/default.orig
    cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.orig
-   sed -i 's/SSLProtocol all -SSLv2$/SSLProtocol all -SSLv2 -SSLv3/g' /etc/apache2/mods-available/ssl.conf
+   sed -i 's/SSLProtocol .*$/SSLProtocol TLSv1.2/g' /etc/apache2/mods-available/ssl.conf
 }
 
 function install_cloud_scripts() {

utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java

@@ -34,7 +34,7 @@ public class SSLUtils {
     public static String[] getSupportedProtocols(String[] protocols) {
         Set<String> set = new HashSet<String>();
         for (String s : protocols) {
-            if (s.equals("SSLv3") || s.equals("SSLv2Hello")) {
+            if (s.equals("TLSv1") || s.equals("TLSv1.1") || s.equals("SSLv3") || s.equals("SSLv2Hello")) {
                 continue;
             }
             set.add(s);
@@ -46,7 +46,7 @@ public class SSLUtils {
      * It returns recommended protocols that are considered secure.
      */
     public static String[] getRecommendedProtocols() {
-        return new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" };
+        return new String[] { "TLSv1.2" };
     }
 
     /**

utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java

@@ -69,9 +69,9 @@ public class SSLUtilsTest {
     }
 
     private void verifyProtocols(ArrayList<String> protocolsList) {
-        Assert.assertTrue(protocolsList.contains("TLSv1"));
-        Assert.assertTrue(protocolsList.contains("TLSv1.1"));
         Assert.assertTrue(protocolsList.contains("TLSv1.2"));
+        Assert.assertFalse(protocolsList.contains("TLSv1"));
+        Assert.assertFalse(protocolsList.contains("TLSv1.1"));
         Assert.assertFalse(protocolsList.contains("SSLv3"));
         Assert.assertFalse(protocolsList.contains("SSLv2Hello"));
     }