Merge pull request #6349 from tiwillia/rc4cipher

OpenShift Bot · OpenShift Bot · commit ab9d702abf06 · 2016-01-27T22:50:31.000-05:00
Merged by openshift-bot
diff --git a/node-proxy/config/web-proxy-config.json b/node-proxy/config/web-proxy-config.json
@@ -121,7 +121,8 @@
       "ssl"            : {
         "ca"         : "/etc/pki/tls/certs/localhost.crt",
         "certificate": "/etc/pki/tls/certs/localhost.crt",
-        "private_key": "/etc/pki/tls/private/localhost.key"
+        "private_key": "/etc/pki/tls/private/localhost.key",
+        "ciphers"    : "kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:+3DES"
       }
     }
   },
diff --git a/node-proxy/lib/utils/http-utils.js b/node-proxy/lib/utils/http-utils.js
@@ -29,13 +29,16 @@ exports.createProtocolServer = function(protocol, opts) {
       break;
     case 'https':
       var ssl_opts  = {
-        secureProtocol: 'SSLv23_method',
         secureOptions: constants.SSL_OP_NO_SSLv3
       };
       ssl_opts.ca   = fs.readFileSync(opts.ca);
       ssl_opts.cert = fs.readFileSync(opts.certificate);
       ssl_opts.key  = fs.readFileSync(opts.private_key);
 
+      ssl_opts.ciphers = opts.ciphers || "kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+\
+          kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+\
+          CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:+3DES";
+
       proto_handler = https.createServer(ssl_opts);
       break;
   }
diff --git a/node-proxy/openshift-origin-node-proxy.spec b/node-proxy/openshift-origin-node-proxy.spec
@@ -132,6 +132,7 @@ fi
 %endif
 %attr(0755,-,-) %{_bindir}/node-find-proxy-route-files
 %attr(0640,-,-) %{_sysconfdir}/openshift/web-proxy-config.json
+%config(noreplace) %{_sysconfdir}/openshift/web-proxy-config.json
 %attr(0644,-,-) %{_sysconfdir}/logrotate.d/%{name}
 %ghost %attr(0660,root,root) %{logroot}/supervisor.log
 %dir %attr(0700,apache,apache) %{logroot}
diff --git a/node-proxy/test/wsapp.js b/node-proxy/test/wsapp.js
@@ -55,10 +55,12 @@ createWebSocketServer(app8080);
 
 var  sslcerts_path = "../sslcerts/";
 var  server_name = "localhost";
+var  cipher_list = "kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:" + 
+               "+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:+3DES";
 var ssl_options = {
   key:  fs.readFileSync(sslcerts_path + server_name + ".key"),
   cert: fs.readFileSync(sslcerts_path + server_name + ".crt"),
-  secureProtocol: 'SSLv23_method',
+  ciphers: cipher_list,
   secureOptions: constants.SSL_OP_NO_SSLv3
 };
 

Original file line number	Diff line number	Diff line change
`@@ -121,7 +121,8 @@`
`121`	`121`	`"ssl" : {`
`122`	`122`	`"ca" : "/etc/pki/tls/certs/localhost.crt",`
`123`	`123`	`"certificate": "/etc/pki/tls/certs/localhost.crt",`
`124`		`- "private_key": "/etc/pki/tls/private/localhost.key"`
	`124`	`+ "private_key": "/etc/pki/tls/private/localhost.key",`
	`125`	`+ "ciphers" : "kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:+3DES"`
`125`	`126`	`}`
`126`	`127`	`}`
`127`	`128`	`},`