From ac1a2207ef3002637749773c02ecfaaaef0d0854 Mon Sep 17 00:00:00 2001 From: Harikrishna Patnala Date: Tue, 4 Nov 2014 17:47:04 +0530 Subject: [PATCH] CS-17504: Weak SSL ciphers supported by the management server Signed-off-by: Rohit Yadav (cherry picked from commit 20a63c409d52b2c3dffc8ea58dd25ffb7e55d0e8) Signed-off-by: Rohit Yadav Conflicts: packaging/centos63/cloud.spec --- client/tomcatconf/java.security.ciphers.in | 18 ++++++++++++++++++ client/tomcatconf/tomcat6-nonssl.conf.in | 2 +- client/tomcatconf/tomcat6-ssl.conf.in | 2 +- debian/cloudstack-management.install | 1 + packaging/centos63/cloud.spec | 2 +- packaging/centos7/cloud.spec | 2 +- packaging/fedora20/cloud.spec | 2 +- packaging/fedora21/cloud.spec | 2 +- 8 files changed, 25 insertions(+), 6 deletions(-) create mode 100644 client/tomcatconf/java.security.ciphers.in
diff --git a/client/tomcatconf/java.security.ciphers.in b/client/tomcatconf/java.security.ciphers.in
new file mode 100644
index 00000000000..986abf61e71
--- /dev/null
+++ b/client/tomcatconf/java.security.ciphers.in
@@ -0,0 +1,18 @@
+ # Licensed to the Apache Software Foundation (ASF) under one
+ # or more contributor license agreements. See the NOTICE file
+ # distributed with this work for additional information
+ # regarding copyright ownership. The ASF licenses this file
+ # to you under the Apache License, Version 2.0 (the
+ # "License"); you may not use this file except in compliance
+ # with the License. You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing,
+ # software distributed under the License is distributed on an
+ # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ # KIND, either express or implied. See the License for the
+ # specific language governing permissions and limitations
+ # under the License.
+
+jdk.tls.disabledAlgorithms=DH keySize < 128, RSA keySize < 128, DES keySize < 128, SHA1 keySize < 128, MD5 keySize < 128, RC4
\ No newline at end of file
diff --git a/client/tomcatconf/tomcat6-nonssl.conf.in b/client/tomcatconf/tomcat6-nonssl.conf.in
index 5ce724c73b7..3f08c906660 100644
--- a/client/tomcatconf/tomcat6-nonssl.conf.in
+++ b/client/tomcatconf/tomcat6-nonssl.conf.in
@@ -41,7 +41,7 @@ CATALINA_TMPDIR="@MSENVIRON@/temp"
 # Use JAVA_OPTS to set java.library.path for libtcnative.so
 #JAVA_OPTS="-Djava.library.path=/usr/lib64"
-JAVA_OPTS="-Djava.awt.headless=true -Dcom.sun.management.jmxremote=false -Xmx2g -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=@MSLOGDIR@ -XX:PermSize=512M -XX:MaxPermSize=800m"
+JAVA_OPTS="-Djava.awt.headless=true -Dcom.sun.management.jmxremote=false -Xmx2g -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=@MSLOGDIR@ -XX:PermSize=512M -XX:MaxPermSize=800m -Djava.security.properties=/etc/cloudstack/management/java.security.ciphers"
 # What user should run tomcat
 TOMCAT_USER="@MSUSER@"
diff --git a/client/tomcatconf/tomcat6-ssl.conf.in b/client/tomcatconf/tomcat6-ssl.conf.in
index c967a98be98..e7c53ac9f8f 100644
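Review bot: As far as I can tell from how the JDK applies `keySize` qualifiers, most of this `jdk.tls.disabledAlgorithms` value is inert: a keySize rule is checked against a key of the named algorithm, no TLS suite involves a DH or RSA key under 128 bits, and SHA1/MD5 are digests with no key to measure, so only `DES` (56-bit) and the bare `RC4` entry actually block anything while 3DES, MD5-MAC and small-DH suites stay negotiable. The value also replaces rather than extends whatever the installed JRE's own java.security sets for this property, so anything the JDK vendor disables by default (SSLv3 after POODLE, for instance) is re-enabled by this file unless it is repeated here. Something like `jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5, DH keySize < 1024, RSA keySize < 1024` expresses the stated intent, with the DH/RSA thresholds picked to match what the server's own ephemeral DH size and the peers' certificates can meet. A comment above the line should say that this is a full override of the JDK default and has to be re-checked on every JRE upgrade.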
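Review bot: `-Djava.security.properties=...` on the new JAVA_OPTS line fails open: if the file is missing or unreadable, or `security.overridePropertiesFile` has been set to false in the JRE's java.security, the JVM keeps its default algorithm list and reports nothing unless `-Djava.security.debug=properties` is on, so a packaging slip would silently leave the weak suites enabled. Since this line is the only place the hardening is wired in, consider logging `Security.getProperty("jdk.tls.disabledAlgorithms")` at management-server start, or at least having the init script check the file exists before launching. A comment above the line would also help future readers: `# java.security.ciphers overrides jdk.tls.disabledAlgorithms for every JSSE handshake this JVM makes, including outbound client connections, which is why the non-SSL profile sets it too`.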
--- a/client/tomcatconf/tomcat6-ssl.conf.in
+++ b/client/tomcatconf/tomcat6-ssl.conf.in
@@ -40,7 +40,7 @@ CATALINA_TMPDIR="@MSENVIRON@/temp"
 # Use JAVA_OPTS to set java.library.path for libtcnative.so
 #JAVA_OPTS="-Djava.library.path=/usr/lib64"
-JAVA_OPTS="-Djava.awt.headless=true -Dcom.sun.management.jmxremote=false -Djavax.net.ssl.trustStore=/etc/cloudstack/management/cloudmanagementserver.keystore -Djavax.net.ssl.trustStorePassword=vmops.com -Xmx2g -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=@MSLOGDIR@ -XX:MaxPermSize=800m -XX:PermSize=512M"
+JAVA_OPTS="-Djava.awt.headless=true -Dcom.sun.management.jmxremote=false -Djavax.net.ssl.trustStore=/etc/cloudstack/management/cloudmanagementserver.keystore -Djavax.net.ssl.trustStorePassword=vmops.com -Xmx2g -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=@MSLOGDIR@ -XX:MaxPermSize=800m -XX:PermSize=512M -Djava.security.properties=/etc/cloudstack/management/java.security.ciphers"
 # What user should run tomcat
 TOMCAT_USER="@MSUSER@"
diff --git a/debian/cloudstack-management.install b/debian/cloudstack-management.install
index ea3f93ba0cb..4e016dfe292 100644
--- a/debian/cloudstack-management.install
+++ b/debian/cloudstack-management.install
@@ -30,6 +30,7 @@
 /etc/cloudstack/management/tomcat6.conf
 /etc/cloudstack/management/web.xml
 /etc/cloudstack/management/environment.properties
+/etc/cloudstack/management/java.security.ciphers
 /etc/cloudstack/management/log4j-cloud.xml
 /etc/cloudstack/management/tomcat-users.xml
 /etc/cloudstack/management/context.xml
diff --git a/packaging/centos63/cloud.spec b/packaging/centos63/cloud.spec
index 07b33608599..83e3c0c832e 100644
--- a/packaging/centos63/cloud.spec
+++ b/packaging/centos63/cloud.spec
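Review bot: `jdk.tls.disabledAlgorithms` is enforced by JSSE only, so the new flag has no effect if the HTTPS connector in server-ssl.xml is the APR/native one that the commented `libtcnative.so` line two lines up exists to support; in that case the same restrictions have to be expressed in the connector's `SSLCipherSuite`/`SSLProtocol` attributes, and server-ssl.xml is not in this diff. A comment on the JAVA_OPTS line naming that limitation would keep an operator from assuming the cipher list is in force after switching to the native connector. Separately, and not introduced by this commit, `-Djavax.net.ssl.trustStorePassword=vmops.com` puts a credential on the process command line where any local user can read it with `ps`; the impact is limited because it only guards a trust store, but loading it from a root-only file would be the usual fix.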
@@ -290,7 +290,7 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/webapps/client/WEB-INF/cl
 rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/webapps/client/WEB-INF/classes/vms
 for name in db.properties log4j-cloud.xml tomcat6-nonssl.conf tomcat6-ssl.conf server-ssl.xml server-nonssl.xml \
- catalina.policy catalina.properties classpath.conf tomcat-users.xml web.xml environment.properties ; do
+ catalina.policy catalina.properties classpath.conf tomcat-users.xml web.xml environment.properties java.security.ciphers; do
 mv ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/webapps/client/WEB-INF/classes/$name \
 ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/management/$name
 done
diff --git a/packaging/centos7/cloud.spec b/packaging/centos7/cloud.spec
index 3aec3493cff..b6c9559eec8 100644
--- a/packaging/centos7/cloud.spec
+++ b/packaging/centos7/cloud.spec
@@ -264,7 +264,7 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/webapps/client/WEB-INF/cl
 rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/webapps/client/WEB-INF/classes/vms
 for name in catalina.properties db.properties log4j-cloud.xml web.xml cloud-bridge.properties\
- ec2-service.properties server.xml commons-logging.properties environment.properties tomcat-users.xml
+ ec2-service.properties server.xml commons-logging.properties environment.properties java.security.ciphers tomcat-users.xml
 do
 cp packaging/centos7/tomcat7/$name \
 ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/management/$name
diff --git a/packaging/fedora20/cloud.spec b/packaging/fedora20/cloud.spec
index 84b29dbf641..1bb1c978d2d 100644
--- a/packaging/fedora20/cloud.spec
+++ b/packaging/fedora20/cloud.spec
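Review bot: In the centos7 hunk the `cp packaging/centos7/tomcat7/$name` line just below the changed one now also copies `packaging/centos7/tomcat7/java.security.ciphers`, but the diffstat lists no such file — the only new file is `client/tomcatconf/java.security.ciphers.in` — so unless it already exists in the tree this rpmbuild will fail at that `cp`. The same split applies to the JVM flag: only `tomcat6-nonssl.conf.in` and `tomcat6-ssl.conf.in` gained `-Djava.security.properties=...`, and the tomcat7 config this spec ships is not in the diff, so on CentOS 7 the file could be installed with nothing referencing it. Either add the file and the matching JAVA_OPTS entry under `packaging/centos7/tomcat7/`, or copy this one entry from the filtered `WEB-INF/classes` location the centos63/fedora specs use. The loop's closing `done` falls outside the hunk.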
@@ -292,7 +292,7 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/webapps/client/WEB-INF/cl
 rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/webapps/client/WEB-INF/classes/vms
 for name in db.properties log4j-cloud.xml tomcat6-nonssl.conf tomcat6-ssl.conf server-ssl.xml server-nonssl.xml \
- catalina.policy catalina.properties classpath.conf tomcat-users.xml web.xml environment.properties ; do
+ catalina.policy catalina.properties classpath.conf tomcat-users.xml web.xml environment.properties java.security.ciphers ; do
 mv ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/webapps/client/WEB-INF/classes/$name \
 ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/management/$name
 done
diff --git a/packaging/fedora21/cloud.spec b/packaging/fedora21/cloud.spec
index 98b12baa694..661d8073000 100644
--- a/packaging/fedora21/cloud.spec
+++ b/packaging/fedora21/cloud.spec
@@ -292,7 +292,7 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/webapps/client/WEB-INF/cl
 rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/webapps/client/WEB-INF/classes/vms
 for name in db.properties log4j-cloud.xml tomcat6-nonssl.conf tomcat6-ssl.conf server-ssl.xml server-nonssl.xml \
- catalina.policy catalina.properties classpath.conf tomcat-users.xml web.xml environment.properties ; do
+ catalina.policy catalina.properties classpath.conf tomcat-users.xml web.xml environment.properties java.security.ciphers ; do
 mv ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/webapps/client/WEB-INF/classes/$name \
 ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/management/$name
 done