From: Michael Chase-S. <mc...@us...> - 2011-09-09 22:54:21
Update of /cvsroot/sblim/sfcb
In directory vz-cvs-3.sog:/tmp/cvs-serv28646
Modified Files:
 ChangeLog NEWS README control.c httpAdapter.c sfcb.cfg.pre.in
Log Message:
[ 3406825 ] Make ssl cipher list configurable
Index: ChangeLog
===================================================================
RCS file: /cvsroot/sblim/sfcb/ChangeLog,v
retrieving revision 1.684
retrieving revision 1.685
diff -u -d -r1.684 -r1.685
--- ChangeLog 9 Sep 2011 21:32:43 -0000 1.684
+++ ChangeLog 9 Sep 2011 22:54:18 -0000 1.685
@@ -1,6 +1,11 @@
 2011-09-09 Michael Chase-Salerno <br...@li...>
 * httpAdapter.c, sfcb.cfg.pre.in, control.c:
+ [ 3406825 ] Make ssl cipher list configurable
+
+2011-09-09 Michael Chase-Salerno <br...@li...>
+
+ * httpAdapter.c, sfcb.cfg.pre.in, control.c:
 [ 3406823 ] Make select timeout a config option.
 2011-09-06 Michael Chase-Salerno <br...@li...>
Index: sfcb.cfg.pre.in
===================================================================
RCS file: /cvsroot/sblim/sfcb/sfcb.cfg.pre.in,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -d -r1.26 -r1.27
--- sfcb.cfg.pre.in 9 Sep 2011 21:32:43 -0000 1.26
+++ sfcb.cfg.pre.in 9 Sep 2011 22:54:18 -0000 1.27
@@ -183,6 +183,11 @@
 ## Default is sfcCertificateAuthentication
 certificateAuthLib: sfcCertificateAuthentication
+## List of SSL ciphers to enable.
+## Default is "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH" which disables
+## weak ciphers.
+sslCiphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
+
 ##---------------------------------- UDS --------------------------------------
 ## These options only apply if configured with --enable-uds
Index: httpAdapter.c
===================================================================
RCS file: /cvsroot/sblim/sfcb/httpAdapter.c,v
retrieving revision 1.92
retrieving revision 1.93
diff -u -d -r1.92 -r1.93
--- httpAdapter.c 9 Sep 2011 21:32:43 -0000 1.92
+++ httpAdapter.c 9 Sep 2011 22:54:18 -0000 1.93
@@ -1421,7 +1421,8 @@
 char *fnc, *fnk, *fnt,
- *fnl;
+ *fnl,
+ *sslCiphers;
 int rc;
 ctx = SSL_CTX_new(SSLv23_method());
 getControlChars("sslCertificateFilePath", &fnc);
@@ -1467,10 +1468,11 @@
 SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE);
 /*
- * disable weak ciphers
+ * Set valid ciphers
 */
- if (SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH")
- != 1)
+ getControlChars("sslCiphers", &sslCiphers);
+ _SFCB_TRACE(1, ("--- sslCiphers = %s", sslCiphers));
+ if (SSL_CTX_set_cipher_list(ctx, sslCiphers) != 1)
 intSSLerror("Error setting cipher list (no valid ciphers)");
 }
Index: README
===================================================================
RCS file: /cvsroot/sblim/sfcb/README,v
retrieving revision 1.56
retrieving revision 1.57
diff -u -d -r1.56 -r1.57
--- README 9 Sep 2011 21:32:43 -0000 1.56
+++ README 9 Sep 2011 22:54:18 -0000 1.57
@@ -495,6 +495,7 @@
 keepaliveMaxRequest: 10
 sslKeyFilePath: /usr/local/etc/sfcb/file.pem
 sslCertificateFilePath: /usr/local/etc/sfcb/server.pem
+ sslCiphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
 registrationDir: /usr/local/var/lib/sfcb/registration
 providerDirs: /usr/local/lib/sfcb /usr/local/lib /usr/local/lib/cmpi
@@ -562,8 +563,6 @@
 slpRefreshInterval
 timeinterval in seconds in which the slp process refreshes information
-
-
 keepaliveTimeout
 Specify the maximum time in seconds an sfcb HTTP process will wait between two requests on one connection before terminating. Setting
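Review bot: `getControlChars("sslCiphers", &sslCiphers)` in the second hunk is called without checking its result, and `sslCiphers` is declared in the first hunk with no initializer, so a failed lookup would hand an indeterminate pointer to both the `%s` trace and `SSL_CTX_set_cipher_list`. The neighbouring `getControlChars` calls follow the same pattern, so this may be the module's accepted convention, and the return convention of getControlChars is outside the hunk. A cheap fail-closed guard is `*fnl, *sslCiphers = NULL;` in the declaration plus `if (sslCiphers == NULL) intSSLerror("sslCiphers not configured");` before the trace, which only works if a failed lookup leaves the pointer untouched — confirm that against control.c. Also worth a comment in sfcb.cfg.pre.in: `SSL_CTX_set_cipher_list` returns 1 as soon as one cipher matches, so the `!= 1` check does not catch an operator-supplied list that re-enables the `ADH`/`LOW`/`EXP`/`MD5` suites the old literal excluded. The enclosing function starts before the first hunk.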
@@ -584,6 +583,11 @@
 The file must be in PEM format. This file is only required if enableHttps is set to true. Default=/usr/local/etc/sfcb/server.pem
+sslCiphers
+ Specify the list of SSL ciphers to enable.
+ Default is "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH" which disables
+ weak ciphers.
+
 registrationDir
 Specify the registration directory, which contains the provider registration data, the staging area and the static repository.
Index: NEWS
===================================================================
RCS file: /cvsroot/sblim/sfcb/NEWS,v
retrieving revision 1.608
retrieving revision 1.609
diff -u -d -r1.608 -r1.609
--- NEWS 9 Sep 2011 21:32:43 -0000 1.608
+++ NEWS 9 Sep 2011 22:54:18 -0000 1.609
@@ -4,6 +4,7 @@
 New features:
 - 3406823 Make select timeout a config option.
+- 3406825 Make ssl cipher list configurable
 Bugs fixed:
Index: control.c
===================================================================
RCS file: /cvsroot/sblim/sfcb/control.c,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -d -r1.39 -r1.40
--- control.c 9 Sep 2011 21:32:43 -0000 1.39
+++ control.c 9 Sep 2011 22:54:18 -0000 1.40
@@ -104,6 +104,7 @@
 {"sslKeyFilePath", 0, SFCB_CONFDIR "/file.pem"},
 {"sslCertificateFilePath", 0, SFCB_CONFDIR "/server.pem"},
+ {"sslCiphers", 0, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"},
 {"registrationDir", 0, SFCB_STATEDIR "/registration"},
 {"providerDirs", 3, SFCB_LIBDIR " " CMPI_LIBDIR " " LIBDIR}, /* 3: unstripped */ |