[Pki-devel] [PATCH] pki-cfu-0106-Ticket-1648-RFE-provide-separate-cipher-lists-for-CS.patch

Christina Fu cfu at redhat.com
Tue Oct 20 22:41:38 UTC 2015 

Please review.

https://fedorahosted.org/pki/ticket/1648 [RFE] provide separate cipher 
lists for CS instances acting as client and server

This patch allows the administrator to specify an allowed list of ssl 
ciphers for subsystem->subsystem communication that is separate from the 
server one in server.xml

Note:
* it is only meant for cs subsystem->subsystem communication; i.e.. 
ca->kra, tps->ca, tps->kra, tps->tks (e.g. not for connection to the 
ldap server, internal, publishing, or authentication)
* the clientCiphers configuration is a "strict" list, meaning, only the 
ciphers in the comma separated list are enabled in the connection when 
acting as a client
* if the clientCiphers configuration parameter is undefined, default 
action is taken to enable all available ciphers provided (that means it 
works as it did prior to this patch)
* pki-core and pki-util packages are expected to be updated together for
       the newly added clientCiphers String parameter in various 
affected connection
       interfaces; since it is handled in a way that if this parameter 
is null, it
       goes to default,  as they are expected to be internal to cs 
subsystems

How to test (what I have tested):
* turn on a couple ECDH_RSA_* ciphers on the server side for CA and KRA:
    - edit <ca instance dir>/conf/server.xml, search for 
sslRangeCiphers, and turn '-' to '+' for, say,
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    - restart ca
    - repeat for kra
    - expect browser to connect to ca and kra with the TLS_ECDHE_RSA_* 
ciphers that are turned on
    - verify using ssltap or any tool that can catch and report from an 
ssl session
* turn on client side cihpers in the ca for talking to the kra:
    - edit <ca instance dir>/ca/conf/CS.cfg, add a list of ciphers 
WITHOUT the TLS_ECDHE_* ciphers, e.g.
ca.connector.KRA.clientCiphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
    - expect ca to connect to kra using the ciphers allowed in the 
clientCiphers list by doing an enrollment with archival
    - verify using ssltap or any tool that can catch and report from an 
ssl session
* perform the same test between tps and other subsystems.
      tps.connector.<ca id>.clientCiphers=< your selected cipher list>
      tps.connector.<kra id>.clientCiphers=< your selected cipher list>
      tps.connector.<tks id>.clientCiphers=< your selected cipher list>

thanks,
Christina
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cfu-0106-Ticket-1648-RFE-provide-separate-cipher-lists-for-CS.patch
Type: text/x-patch
Size: 31201 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20151020/1b3f3f66/attachment.bin>

More information about the Pki-devel mailing list