From: Michael Chase-S. <mc...@us...> - 2011-09-09 17:26:19
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "SFCB - Small Footprint CIM Broker". The branch, master has been updated via 68195d80e4569c61195c39df7708ec95db43cf69 (commit) via d1ac95d90cb0a0a76b2ec6261156bc81c27f8fc5 (commit) via 161efa73f5276a56a6fab090732a7459dbd2223f (commit) from 9eae8745aae577ffd227553516f2282d578f7075 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 68195d80e4569c61195c39df7708ec95db43cf69 Merge: d1ac95d 9eae874 Author: Michael Chase-Salerno <br...@li...> Date: Fri Sep 9 13:25:46 2011 -0400 Merge branch 'master' of ssh://sblim.git.sourceforge.net/gitroot/sblim/sfcb Conflicts: ChangeLog commit d1ac95d90cb0a0a76b2ec6261156bc81c27f8fc5 Author: Michael Chase-Salerno <br...@li...> Date: Fri Sep 9 13:23:20 2011 -0400 3406825 Make ssl cipher list configurable commit 161efa73f5276a56a6fab090732a7459dbd2223f Author: Michael Chase-Salerno <br...@li...> Date: Fri Sep 9 13:22:03 2011 -0400 3406825 Make ssl cipher list configurable ----------------------------------------------------------------------- Summary of changes: diff --git a/ChangeLog b/ChangeLog index 47fdedd..abaa502 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,10 +1,15 @@ +2011-09-09 Michael Chase-Salerno <br...@li...> + + * httpAdapter.c, sfcb.cfg.pre.in, control.c: + [ 3406825 ] Make ssl cipher list configurable + 2011-09-09 Narasimha Sharoff <nsh...@us...> * mofc/backend_sfcb.c objectImplSwapI32toP32.c [ 3310192 ] 32bit sfcbmof fails to run under x86_64 Initial patch from Chris Poblete, reworked by Narasimha Sharoff -2011-09-06 Michael Chase-Salerno <br...@li...> +2011-09-09 Michael Chase-Salerno <br...@li...> * httpAdapter.c, sfcb.cfg.pre.in, control.c: [ 3406823 ] Make select timeout a config option. diff --git a/README b/README index 92b5689..240c7d4 100644 --- a/README +++ b/README @@ -510,6 +510,7 @@ file /usr/local/etc/sfcb/sfcb.cfg. For example: keepaliveMaxRequest: 10 sslKeyFilePath: /usr/local/etc/sfcb/file.pem sslCertificateFilePath: /usr/local/etc/sfcb/server.pem + sslCiphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH registrationDir: /usr/local/var/lib/sfcb/registration providerDirs: /usr/local/lib/sfcb /usr/local/lib /usr/local/lib/cmpi @@ -602,6 +603,11 @@ sslCertificateFilePath The file must be in PEM format. This file is only required if enableHttps is set to true. Default=/usr/local/etc/sfcb/server.pem +sslCiphers + Specify the list of SSL ciphers to enable. + Default is "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH" which disables + weak ciphers. + registrationDir Specify the registration directory, which contains the provider registration data, the staging area and the static repository. diff --git a/control.c b/control.c index 225e015..11f1567 100644 --- a/control.c +++ b/control.c @@ -95,6 +95,7 @@ Control init[] = { {"sslKeyFilePath", 0, SFCB_CONFDIR "/file.pem"}, {"sslCertificateFilePath", 0, SFCB_CONFDIR "/server.pem"}, {"sslCertList", 0, SFCB_CONFDIR "/clist.pem"}, + {"sslCiphers", 0, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"}, {"registrationDir", 0, SFCB_STATEDIR "/registration"}, {"providerDirs", 3, SFCB_LIBDIR " " CMPI_LIBDIR " " LIBDIR}, /* 3: 
diff --git a/httpAdapter.c b/httpAdapter.c index d4767bc..67bcb5c 100644 --- a/httpAdapter.c +++ b/httpAdapter.c @@ -1599,7 +1599,8 @@ initSSL() *fnk, *fnt, *fnl, - *fcert; + *fcert, + *sslCiphers; int rc; ctx = SSL_CTX_new(SSLv23_method()); getControlChars("sslCertificateFilePath", &fnc); @@ -1647,10 +1648,11 @@ initSSL() SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE); /* - * disable weak ciphers + * Set valid ciphers */ - if (SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH") - != 1) + getControlChars("sslCiphers", &sslCiphers); + _SFCB_TRACE(1, ("--- sslCiphers = %s", sslCiphers)); + if (SSL_CTX_set_cipher_list(ctx, sslCiphers) != 1) intSSLerror("Error setting cipher list (no valid ciphers)"); } diff --git a/sfcb.cfg.pre.in b/sfcb.cfg.pre.in index 6cefc75..f22dbec 100644 --- a/sfcb.cfg.pre.in +++ b/sfcb.cfg.pre.in @@ -193,6 +193,11 @@ sslClientTrustStore: @sysconfdir@/sfcb/client.pem ## Default is sfcCertificateAuthentication certificateAuthLib: sfcCertificateAuthentication +## List of SSL ciphers to enable. +## Default is "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH" which disables +## weak ciphers. +sslCiphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH + ##---------------------------------- UDS -------------------------------------- ## These options only apply if configured with --enable-uds
hooks/post-receive -- SFCB - Small Footprint CIM Broker
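Review bot: in the ChangeLog hunk, the date of the pre-existing "[ 3406823 ] Make select timeout a config option." entry is rewritten from 2011-09-06 to 2011-09-09, which has nothing to do with the cipher-list change; the merge commit records "Conflicts: ChangeLog", so this looks like a conflict-resolution slip. Restore the original date (or move the change into its own commit) so the history of the earlier fix is not misdated.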
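Review bot: the new sslCiphers paragraph in the README (the @@ -602 hunk) says the default "disables weak ciphers" but never says what kind of value the option takes. It is an OpenSSL cipher-list string handed unchanged to SSL_CTX_set_cipher_list() in httpAdapter.c, so the syntax is the one in ciphers(1), and a value that leaves no usable cipher makes initSSL() stop with "Error setting cipher list (no valid ciphers)" instead of falling back to the default. Suggest documenting the format, that failure behaviour, and a way to preview a candidate list (for example "openssl ciphers -v 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'"). Also, !ADH removes only anonymous DH suites; !aNULL excludes every unauthenticated suite, and nothing in the list rules out RC4 or 3DES, so "disables weak ciphers" should be softened to "disables the weakest ciphers" or the default tightened.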
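Review bot: the control.c hunk spells out "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH" verbatim, and the same literal is repeated in the README example, the README description and sfcb.cfg.pre.in, four copies in total. Define it once (for instance a DEFAULT_SSL_CIPHERS macro in control.c, a name assumed here, not in the patch) and have the generated config and docs refer to that, otherwise the next tightening of the built-in default leaves the documentation or the shipped config describing the old list.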
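Review bot: in the @@ -1599 hunk of httpAdapter.c, *sslCiphers joins the list of uninitialized pointer locals in initSSL(); since the later lookup's return value is not checked, initialize it to NULL here ("*sslCiphers = NULL;") so a failed lookup can be detected instead of leaving an indeterminate pointer.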
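Review bot: in the @@ -1647 hunk of httpAdapter.c, getControlChars("sslCiphers", &sslCiphers) is called without checking its return value, and sslCiphers is then passed to _SFCB_TRACE with %s and to SSL_CTX_set_cipher_list(); if the lookup fails and does not assign the pointer, both calls use an uninitialized local. The old code could not fail here because the string was a literal. Check the return value and fall back to the compiled-in default (or abort with a clear message) before the trace, and include the rejected string in the intSSLerror text: "Error setting cipher list (no valid ciphers)" is now triggered by an operator-supplied value, and the administrator needs to see which one. Separately, the context lines show SSL_CTX_new(SSLv23_method()) with only SSL_OP_NO_SSLv2 set, so SSLv3 stays negotiable whatever the cipher list says; that predates this change but deserves a follow-up option alongside sslCiphers.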
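Review bot: the sfcb.cfg.pre.in hunk writes "sslCiphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH" as an active line rather than a commented example, so every installation carries an explicit copy of today's default and the built-in default added to control.c never applies; future changes to that default will not reach upgraded systems that keep their existing sfcb.cfg. Consider shipping the line commented out ("## sslCiphers: ...") under the explanatory comment so the code default governs until an administrator deliberately overrides it.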