[ https://issues.apache.org/jira/browse/CLOUDSTACK-10319?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16395064#comment-16395064 ]
ASF GitHub Bot commented on CLOUDSTACK-10319: --------------------------------------------- rhtyd closed pull request #2480: CLOUDSTACK-10319: Prefer TLSv1.2, deprecate TLSv1.0,1.1 URL: https://github.com/apache/cloudstack/pull/2480 This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic):
diff --git a/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java b/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
index 5c0d6ce6047..0b0b0839e70 100644
--- a/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
+++ b/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
@@ -61,7 +61,7 @@
 private static Integer port;
 private static String username;
 private static String password;
- private static String secureProtocol = "TLSv1";
+ private static String secureProtocol = "TLSv1.2";
 public synchronized static void setVirtualHost(String virtualHost) {
 RabbitMQEventBus.virtualHost = virtualHost;
@@ -623,4 +623,4 @@ public void handleDelivery(String queueName, Envelope envelope, AMQP.BasicProper
 return;
 }
 }
-}
\ No newline at end of file
+}
diff --git a/systemvm/debian/etc/apache2/vhost.template b/systemvm/debian/etc/apache2/vhost.template
index caded8c2ad4..688239cd8c0 100644
--- a/systemvm/debian/etc/apache2/vhost.template
+++ b/systemvm/debian/etc/apache2/vhost.template
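Review bot: The new default `secureProtocol = "TLSv1.2"` names a context version, not a floor: if this field ends up in `SSLContext.getInstance(secureProtocol)` (its use is outside this hunk), a "TLSv1.2" context on the JDKs current at the time still has TLSv1 and TLSv1.1 enabled unless `setEnabledProtocols` is called on the socket or engine, so the older versions are de-preferred but not refused. Wherever the socket factory is built from this field, pass `SSLUtils.getSupportedProtocols(...)` or `SSLUtils.getRecommendedProtocols()` (both tightened in this same PR) to `setEnabledProtocols` so the broker connection gets the same policy as the rest of the code base. A one-line comment on the field would also help the next maintainer: `// Minimum TLS version for the broker connection; SSLv3/TLSv1.0/1.1 are no longer accepted (CLOUDSTACK-10319)`. The second hunk in this file is a trailing-newline fix only.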
@@ -89,7 +89,7 @@
 # SSL Engine Switch:
 # Enable/Disable SSL for this virtual host.
 SSLEngine on
- SSLProtocol all -SSLv2 -SSLv3
+ SSLProtocol TLSv1.2
 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
 SSLHonorCipherOrder on
diff --git a/tools/appliance/systemvmtemplate/scripts/configure_systemvm_services.sh b/tools/appliance/systemvmtemplate/scripts/configure_systemvm_services.sh
index 6e2e3059a53..3544806b1f9 100644
--- a/tools/appliance/systemvmtemplate/scripts/configure_systemvm_services.sh
+++ b/tools/appliance/systemvmtemplate/scripts/configure_systemvm_services.sh
@@ -28,7 +28,7 @@ function configure_apache2() {
 # Backup stock apache configuration since we may modify it in Secondary Storage VM
 cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/default.orig
 cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.orig
- sed -i 's/SSLProtocol all -SSLv2$/SSLProtocol all -SSLv2 -SSLv3/g' /etc/apache2/mods-available/ssl.conf
+ sed -i 's/SSLProtocol .*$/SSLProtocol TLSv1.2/g' /etc/apache2/mods-available/ssl.conf
 }
 function install_cloud_scripts() {
diff --git a/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java b/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java
index 8016f5a1916..9fbdb4aa553 100644
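Review bot: `SSLProtocol TLSv1.2` pins exactly one version rather than setting a floor, so once the system VM's Apache/OpenSSL gains TLSv1.3 it stays disabled until this template is edited again; on Apache 2.4 `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` removes the same deprecated versions while letting newer ones through. The same single-version choice is made by the `sed` replacement in `configure_systemvm_services.sh` in the next hunk. The `SSLCipherSuite` line is untouched, and with only TLSv1.2 clients admitted its trailing `AES:CAMELLIA:DES-CBC3-SHA` catch-all entries, presumably kept for older clients, are worth a follow-up review.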
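Review bot: The replacement `s/SSLProtocol .*$/SSLProtocol TLSv1.2/g` is not anchored to the start of the line, so any comment line in `ssl.conf` that happens to contain `SSLProtocol ` is rewritten as well, the `g` flag is redundant with the `$` anchor, and nothing fails the build if the directive is absent and the hardening silently does not apply. Anchoring and verifying makes the intent explicit: `sed -i 's/^\([[:space:]]*\)SSLProtocol .*$/\1SSLProtocol TLSv1.2/' /etc/apache2/mods-available/ssl.conf` followed by `grep -q '^[[:space:]]*SSLProtocol TLSv1.2$' /etc/apache2/mods-available/ssl.conf`. `TLSv1.2` alone also excludes a future TLSv1.3, as raised on the `vhost.template` hunk. The body of `configure_apache2` starts before this hunk.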
--- a/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java
+++ b/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java
@@ -34,7 +34,7 @@ public static String[] getSupportedProtocols(String[] protocols) {
 Set<String> set = new HashSet<String>();
 for (String s : protocols) {
- if (s.equals("SSLv3") || s.equals("SSLv2Hello")) {
+ if (s.equals("TLSv1") || s.equals("TLSv1.1") || s.equals("SSLv3") || s.equals("SSLv2Hello")) {
 continue;
 }
 set.add(s);
@@ -46,7 +46,7 @@
 * It returns recommended protocols that are considered secure.
 */
 public static String[] getRecommendedProtocols() {
- return new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" };
+ return new String[] { "TLSv1.2" };
 }
 /**
diff --git a/utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java b/utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java
index 625b538d7f2..6c66dcd1bd0 100644
--- a/utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java
+++ b/utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java
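Review bot: The filter in `getSupportedProtocols` is now a four-way `equals` chain that spells out the same deprecation policy `getRecommendedProtocols` encodes in the next hunk, so the next protocol change has to be made in two places; a single `private static final Set<String> DEPRECATED_PROTOCOLS = Collections.unmodifiableSet(new HashSet<String>(Arrays.asList("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1")));` with `if (DEPRECATED_PROTOCOLS.contains(s)) {` keeps it in one place (`Arrays`/`Collections` imports may need adding; the import block is outside the hunk). Because this is a deny-list, any name not on it, including newer TLS versions the JVM may offer, passes through, which is the right default but deserves a comment on the `for` loop, e.g. `// deny-list: protocols not listed here (e.g. newer TLS versions) pass through unchanged`. The result is also collected in a `HashSet`, so the order of the returned array is unspecified; that predates this change.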
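Review bot: The Javadoc above `getRecommendedProtocols` still reads "recommended protocols that are considered secure" while the array has shrunk to a single entry, so callers cannot tell from the doc that TLSv1.0/1.1 are now intentionally absent or that newer versions are not picked up automatically. A summary such as `* Returns the protocols CloudStack components should enable, currently only {@code TLSv1.2}; TLSv1.0 and TLSv1.1 were dropped in CLOUDSTACK-10319 and newer versions must be added here explicitly.` states the policy where it is read. The enclosing Javadoc block starts before this hunk.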
@@ -69,9 +69,9 @@ public void getSupportedProtocolsTest() {
 }
 private void verifyProtocols(ArrayList<String> protocolsList) {
- Assert.assertTrue(protocolsList.contains("TLSv1"));
- Assert.assertTrue(protocolsList.contains("TLSv1.1"));
 Assert.assertTrue(protocolsList.contains("TLSv1.2"));
+ Assert.assertFalse(protocolsList.contains("TLSv1"));
+ Assert.assertFalse(protocolsList.contains("TLSv1.1"));
 Assert.assertFalse(protocolsList.contains("SSLv3"));
 Assert.assertFalse(protocolsList.contains("SSLv2Hello"));
 }
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org > Prefer TLSv1.2 and deprecate TLS 1.0/1.1 > ---------------------------------------- > > Key: CLOUDSTACK-10319 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10319 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) > Reporter: Rohit Yadav > Assignee: Rohit Yadav > Priority: Major > Fix For: 4.12.0.0, 4.11.1.0 > > > TLS 1.0 and 1.1 are both recommended to not be used. The aim would be to make > cloudstack prefer tls 1.2. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
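Review bot: `verifyProtocols` now checks that TLSv1 and TLSv1.1 are absent and TLSv1.2 present, but none of the visible assertions pins the deny-list semantics of `getSupportedProtocols`, i.e. that a name not on the list passes through; a constructed input containing a newer name such as "TLSv1.3" together with `Assert.assertTrue(protocolsList.contains("TLSv1.3"));` would catch an accidental switch to an allow-list. Whether the test inputs already include such a name is not visible here, since `getSupportedProtocolsTest` starts before this hunk.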