From da8cf8c3703178b0570ae34b5f5338dd704b8c73 Mon Sep 17 00:00:00 2001
From: Rohit Yadav
Date: Mon, 12 Mar 2018 11:43:59 +0100
Subject: [PATCH] CLOUDSTACK-10319: Prefer TLSv1.2, deprecate TLSv1.0,1.1 (#2480)
This deprecates and remove TLS 1.0 and 1.1 from preferred list of protocols and keeps only TLSv1.2.
Signed-off-by: Rohit Yadav
---
 .../org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java | 4 ++--
 systemvm/debian/etc/apache2/vhost.template | 2 +-
 .../systemvmtemplate/scripts/configure_systemvm_services.sh | 2 +-
 .../java/org/apache/cloudstack/utils/security/SSLUtils.java | 4 ++--
 .../src/test/java/com/cloud/utils/security/SSLUtilsTest.java | 4 ++--
 5 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java b/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
index 5c0d6ce6047..0b0b0839e70 100644
--- a/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
+++ b/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
@@ -61,7 +61,7 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus {
     private static Integer port;
     private static String username;
     private static String password;
-    private static String secureProtocol = "TLSv1";
+    private static String secureProtocol = "TLSv1.2";
 
     public synchronized static void setVirtualHost(String virtualHost) {
         RabbitMQEventBus.virtualHost = virtualHost;
@@ -623,4 +623,4 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus {
             return;
         }
     }
-}
\ No newline at end of file
+}
diff --git a/systemvm/debian/etc/apache2/vhost.template b/systemvm/debian/etc/apache2/vhost.template
index caded8c2ad4..688239cd8c0 100644
--- a/systemvm/debian/etc/apache2/vhost.template
+++ b/systemvm/debian/etc/apache2/vhost.template
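Review bot: Changing the `secureProtocol` default to `"TLSv1.2"` only restricts the handshake if the value is applied as the enabled-protocol list; if it is merely passed to `SSLContext.getInstance(secureProtocol)` (which is what the RabbitMQ client's `useSslProtocol(String)` does internally), JSSE still enables TLSv1 and TLSv1.1 on the resulting sockets, because the context name is a ceiling, not a filter. The use site is outside this hunk, so I can't confirm which applies; wherever the `SSLSocket`/`SSLEngine` is obtained, apply `SSLUtils.getRecommendedProtocols()` through `setEnabledProtocols(...)`, or at least put a comment on this field: `// SSLContext algorithm name only; older versions are disabled via setEnabledProtocols at the use site`. If there is a `setSecureProtocol` counterpart it accepts any string, so validating it against `SSLUtils.getRecommendedProtocols()` would stop an operator from re-enabling TLSv1 by configuration.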
@@ -89,7 +89,7 @@
     # SSL Engine Switch:
     # Enable/Disable SSL for this virtual host.
     SSLEngine on
-    SSLProtocol all -SSLv2 -SSLv3
+    SSLProtocol TLSv1.2
     SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
     SSLHonorCipherOrder on
diff --git a/tools/appliance/systemvmtemplate/scripts/configure_systemvm_services.sh b/tools/appliance/systemvmtemplate/scripts/configure_systemvm_services.sh
index 6e2e3059a53..3544806b1f9 100644
--- a/tools/appliance/systemvmtemplate/scripts/configure_systemvm_services.sh
+++ b/tools/appliance/systemvmtemplate/scripts/configure_systemvm_services.sh
@@ -28,7 +28,7 @@ function configure_apache2() {
   # Backup stock apache configuration since we may modify it in Secondary Storage VM
   cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/default.orig
   cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.orig
-  sed -i 's/SSLProtocol all -SSLv2$/SSLProtocol all -SSLv2 -SSLv3/g' /etc/apache2/mods-available/ssl.conf
+  sed -i 's/SSLProtocol .*$/SSLProtocol TLSv1.2/g' /etc/apache2/mods-available/ssl.conf
 }
 
 function install_cloud_scripts() {
diff --git a/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java b/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java
index 8016f5a1916..9fbdb4aa553 100644
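Review bot: With the protocol now pinned to TLSv1.2, the `SSLCipherSuite` line directly below still lists `DES-CBC3-SHA` and the `AES:CAMELLIA` catch-alls as allowed; `!DES` excludes single DES only, so 3DES (SWEET32) stays negotiable on TLSv1.2, merely at low priority under `SSLHonorCipherOrder on`, and the three explicit `!…-DES-CBC3-SHA` exclusions at the end do not cover the plain `DES-CBC3-SHA` entry. Remove `:DES-CBC3-SHA` from the allowed part and add `:!3DES` next to `!DES` so the exclusion is explicit. Separately, `SSLProtocol TLSv1.2` is an exact pin, so an Apache/OpenSSL build that adds TLSv1.3 support would be held back by it; `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` expresses the same intent and stays forward-compatible.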
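Review bot: The new `sed` succeeds silently when `/etc/apache2/mods-available/ssl.conf` has no `SSLProtocol` directive at all, leaving the distro default in place with no error at image-build time; the pattern is also unanchored, so any commented-out `# SSLProtocol ...` line would be rewritten as well. Follow the substitution with a check that fails the build, e.g. `grep -q '^[[:space:]]*SSLProtocol TLSv1.2$' /etc/apache2/mods-available/ssl.conf || { echo "SSLProtocol not set in ssl.conf" >&2; exit 1; }`, and anchor the expression as `s/^\([[:space:]]*\)SSLProtocol .*$/\1SSLProtocol TLSv1.2/` (the `g` flag is redundant once the pattern is `$`-anchored). `configure_apache2` begins before this hunk.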
--- a/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java
+++ b/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java
@@ -34,7 +34,7 @@ public class SSLUtils {
     public static String[] getSupportedProtocols(String[] protocols) {
         Set set = new HashSet();
         for (String s : protocols) {
-            if (s.equals("SSLv3") || s.equals("SSLv2Hello")) {
+            if (s.equals("TLSv1") || s.equals("TLSv1.1") || s.equals("SSLv3") || s.equals("SSLv2Hello")) {
                 continue;
             }
             set.add(s);
@@ -46,7 +46,7 @@ public class SSLUtils {
      * It returns recommended protocols that are considered secure.
      */
     public static String[] getRecommendedProtocols() {
-        return new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" };
+        return new String[] { "TLSv1.2" };
     }
 
     /**
diff --git a/utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java b/utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java
index 625b538d7f2..6c66dcd1bd0 100644
--- a/utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java
+++ b/utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java
@@ -69,9 +69,9 @@ public class SSLUtilsTest {
     }
 
     private void verifyProtocols(ArrayList protocolsList) {
-        Assert.assertTrue(protocolsList.contains("TLSv1"));
-        Assert.assertTrue(protocolsList.contains("TLSv1.1"));
         Assert.assertTrue(protocolsList.contains("TLSv1.2"));
+        Assert.assertFalse(protocolsList.contains("TLSv1"));
+        Assert.assertFalse(protocolsList.contains("TLSv1.1"));
         Assert.assertFalse(protocolsList.contains("SSLv3"));
         Assert.assertFalse(protocolsList.contains("SSLv2Hello"));
     }
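Review bot: `getSupportedProtocols` is still a deny list after this change, so any name a provider reports that is not one of the four literals passes through, and the list has to be kept in step with `getRecommendedProtocols()` by hand — this commit edits both, but nothing ties them together. An allow-list fails closed and removes the duplication: replace the `continue` check with `if (Arrays.asList(getRecommendedProtocols()).contains(s)) { set.add(s); }` (importing `java.util.Arrays`); a newer version such as TLSv1.3 would then be excluded until it is added to the recommended list, which is the conservative choice for a method whose result is fed to `setEnabledProtocols`. While the line is being touched, the raw `Set`/`HashSet` should become `Set<String>`/`HashSet<String>`. The for loop and the method close after the hunk.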
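Review bot: `verifyProtocols` only checks four specific names, so a regression that lets through anything else — an `SSLv2` entry or a provider-specific alias — would still pass. Add a closing assertion that every remaining entry is one the utility recommends, `Assert.assertTrue(Arrays.asList(SSLUtils.getRecommendedProtocols()).containsAll(protocolsList));`, and type the parameter as `List<String>` instead of raw `ArrayList`. Which inputs the callers pass (the filtered supported list, the recommended list, or both) is outside this hunk, so if they are expected to differ in content the extra check belongs in a separate helper.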