brooklyn-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From henev...@apache.org
Subject [2/3] incubator-brooklyn git commit: White list ciphers for nginx and Tomcat
Date Mon, 18 May 2015 15:12:09 GMT
White list ciphers for nginx and Tomcat


Project: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/commit/4076d3bb
Tree: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/tree/4076d3bb
Diff: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/diff/4076d3bb

Branch: refs/heads/master
Commit: 4076d3bbcbf3fd9763a94c644f77ffd9be1456ad
Parents: 1de9eea
Author: Svetoslav Neykov <svetoslav.neykov@cloudsoftcorp.com>
Authored: Tue May 5 15:41:46 2015 +0300
Committer: Svetoslav Neykov <svetoslav.neykov@cloudsoftcorp.com>
Committed: Thu May 7 20:35:09 2015 +0300

----------------------------------------------------------------------
 .../brooklyn/entity/proxy/nginx/server.conf     |  8 +++
 .../brooklyn/entity/webapp/tomcat/server.xml    | 57 +++++++++++++++++++-
 2 files changed, 64 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/4076d3bb/software/webapp/src/main/resources/brooklyn/entity/proxy/nginx/server.conf
----------------------------------------------------------------------
diff --git a/software/webapp/src/main/resources/brooklyn/entity/proxy/nginx/server.conf b/software/webapp/src/main/resources/brooklyn/entity/proxy/nginx/server.conf
index eb34ddb..3de046f 100644
--- a/software/webapp/src/main/resources/brooklyn/entity/proxy/nginx/server.conf
+++ b/software/webapp/src/main/resources/brooklyn/entity/proxy/nginx/server.conf
@@ -50,7 +50,15 @@ http {
         listen                      ${entity.port?c} default ssl;
         ssl_certificate             ${driver.runDir}/conf/global.crt;
         ssl_certificate_key         ${driver.runDir}/conf/global.key;
+
+        # https://wiki.mozilla.org/Security/Server_Side_TLS
+        # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+        # generated 05.05.2015, Intermediate config from first link
+        ssl_session_timeout         1d;
+        ssl_session_cache           shared:SSL:50m;
         ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
+        ssl_ciphers                 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+        ssl_prefer_server_ciphers   on;
         [#else]
         # HTTP setup
         listen                      ${entity.port?c};

http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/4076d3bb/software/webapp/src/main/resources/brooklyn/entity/webapp/tomcat/server.xml
----------------------------------------------------------------------
diff --git a/software/webapp/src/main/resources/brooklyn/entity/webapp/tomcat/server.xml b/software/webapp/src/main/resources/brooklyn/entity/webapp/tomcat/server.xml
index 5fab4f2..83e8db0 100644
--- a/software/webapp/src/main/resources/brooklyn/entity/webapp/tomcat/server.xml
+++ b/software/webapp/src/main/resources/brooklyn/entity/webapp/tomcat/server.xml
@@ -90,10 +90,65 @@
          OpenSSL style configuration is required as described in the APR/native
          documentation -->
     [#if entity.httpsEnabled]
+
+    <!--
+        SSL config:
+        https://wiki.mozilla.org/Security/Server_Side_TLS (v3.4)
+        http://stackoverflow.com/questions/19846020/how-to-map-a-openssls-cipher-list-to-java-jsse
+        List created on 05.05.2015, Intermediate config from first link.
+
+        List repeated twice, once with TLS_ prefix, once with SSL_ prefix for IBM java compatibility.
+        https://www-01.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/jsse2Docs/ciphersuites.html
+    -->
+
     <Connector port="${driver.httpsPort?c}" protocol="org.apache.coyote.http11.Http11Protocol"
                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                keystoreFile="${driver.httpsSslKeystoreFile}" keystorePass="${entity.httpsSslKeystorePassword}"
-               clientAuth="false" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" />
+               clientAuth="false" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
+               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+                        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+                        TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
+                        TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+                        TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+                        TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+                        TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+                        TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,
+                        TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,
+                        TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,
+                        TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
+                        TLS_SRP_SHA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
+                        TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
+                        TLS_SRP_SHA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+                        TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+                        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+                        TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+                        TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+                        SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+                        SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+                        SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,SSL_DHE_DSS_WITH_AES_128_GCM_SHA256,
+                        SSL_DHE_DSS_WITH_AES_256_GCM_SHA384,SSL_DHE_RSA_WITH_AES_256_GCM_SHA384,
+                        SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+                        SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+                        SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+                        SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+                        SSL_DHE_RSA_WITH_AES_128_CBC_SHA256,SSL_DHE_RSA_WITH_AES_128_CBC_SHA,
+                        SSL_DHE_DSS_WITH_AES_128_CBC_SHA256,SSL_DHE_RSA_WITH_AES_256_CBC_SHA256,
+                        SSL_DHE_DSS_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_AES_256_CBC_SHA,
+                        SSL_RSA_WITH_AES_128_GCM_SHA256,SSL_RSA_WITH_AES_256_GCM_SHA384,
+                        SSL_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_AES_256_CBC_SHA256,
+                        SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,
+                        SSL_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,SSL_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
+                        SSL_SRP_SHA_WITH_AES_256_CBC_SHA,SSL_DHE_DSS_WITH_AES_256_CBC_SHA256,
+                        SSL_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,SSL_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
+                        SSL_SRP_SHA_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_AES_128_CBC_SHA,
+                        SSL_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,SSL_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+                        SSL_RSA_WITH_CAMELLIA_256_CBC_SHA,SSL_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+                        SSL_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,SSL_RSA_WITH_CAMELLIA_128_CBC_SHA,
+                        SSL_RSA_WITH_3DES_EDE_CBC_SHA" />
     [/#if]
 
     <!-- Define an AJP 1.3 Connector on port 8009 -->


Mime
View raw message