This is a re-creation of tls-settings-update #366

2024-12-18 20:47:58 +00:00 · 2022-04-14 06:35:49 -04:00 · 2022-04-14 06:35:49 -04:00 · 8b365bed34
commit 8b365bed34
parent 5088bf7107
5 changed files with 12 additions and 5 deletions
--- a/HIRS_Provisioner/src/main/java/hirs/provisioner/ProvisionerApplication.java
+++ b/HIRS_Provisioner/src/main/java/hirs/provisioner/ProvisionerApplication.java
@ -68,7 +68,7 @@ public final class ProvisionerApplication {
        }

        // enable TLS 1.1 and 1.2
-        System.setProperty("https.protocols", "TLSv1.2,TLSv1.1");
+        System.setProperty("https.protocols", "TLSv1.2");

        // initialize the context
        new AnnotationConfigApplicationContext(ProvisionerConfiguration.class);
--- a/HIRS_Utils/src/main/resources/persistence.properties
+++ b/HIRS_Utils/src/main/resources/persistence.properties
@ -1,6 +1,6 @@
 # Properties used to create JDBC connection
 # WARNING: DO NOT USE "disableSslHostnameVerification=true" FOR A REMOTE DATABASE
-persistence.db.url                  = jdbc:mariadb://localhost/hirs_db?autoReconnect=true&useSSL=true&requireSSL=true&amp;enabledSslProtocolSuites=TLSv1&disableSslHostnameVerification=true
+persistence.db.url                  = jdbc:mariadb://localhost/hirs_db?autoReconnect=true&useSSL=true&requireSSL=true&amp;enabledSslProtocolSuites=TLSv1.2&disableSslHostnameVerification=true
 persistence.db.username             = hirs_db
 persistence.db.password             = hirs_db
 persistence.db.driverClass          = org.mariadb.jdbc.Driver
--- a/package/scripts/common/db_create.sh
+++ b/package/scripts/common/db_create.sh
@ -37,4 +37,5 @@ else
    exit 1
 fi

-mysql -u root < $DB_CREATE_SCRIPT
+mysql -fu root < $DB_CREATE_SCRIPT
+mysql -fu root < /opt/hirs/scripts/common/secure_mysql.sql
--- a/package/scripts/common/secure_mysql.sql
+++ b/package/scripts/common/secure_mysql.sql
@ -0,0 +1,6 @@
+UPDATE mysql.user SET Password=PASSWORD('root') WHERE User='root';
+DELETE FROM mysql.user WHERE User='';
+DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
+DROP DATABASE IF EXISTS test;
+DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
+FLUSH PRIVILEGES
--- a/package/scripts/common/ssl_configure.sh
+++ b/package/scripts/common/ssl_configure.sh
@ -137,10 +137,10 @@ if [[ $1 = "server" ]]; then
        VERCMP_STATUS=$?
        if [[ $VERCMP_STATUS -eq 0 ]] || [[ $VERCMP_STATUS -eq 12 ]]; then
            # Tomcat v 6.0.38 or newer
-            sed -i "s/.*<\/Service>/<Connector port=\"8443\" protocol=\"HTTP\/1.1\" compression=\"on\" compressionMinSize=\"2048\" compressableMimeType=\"text\/html, text\/xml\" SSLEnabled=\"true\" maxThreads=\"150\" scheme=\"https\" secure=\"true\" clientAuth=\"want\" sslProtocol=\"TLS\" sslEnabledProtocols=\"TLSv1.1,TLSv1.2\" ciphers=\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA\" keystoreFile=\"${CA_CERT_DIR_ESCAPED}\/keyStore.jks\" keystorePass=\"$P12_PASSWORD\" truststoreFile=\"${CA_CERT_DIR_ESCAPED}\/TrustStore.jks\" truststorePass=\"password\" \/><\/Service>/" $CATALINA_HOME/conf/server.xml
+            sed -i "s/.*<\/Service>/<Connector port=\"8443\" protocol=\"HTTP\/1.1\" compression=\"on\" compressionMinSize=\"2048\" compressableMimeType=\"text\/html, text\/xml\" SSLEnabled=\"true\" maxThreads=\"150\" scheme=\"https\" secure=\"true\" clientAuth=\"want\" sslProtocol=\"TLS\" sslEnabledProtocols=\"TLSv1.2\" ciphers=\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384\" keystoreFile=\"${CA_CERT_DIR_ESCAPED}\/keyStore.jks\" keystorePass=\"$P12_PASSWORD\" truststoreFile=\"${CA_CERT_DIR_ESCAPED}\/TrustStore.jks\" truststorePass=\"password\" \/><\/Service>/" $CATALINA_HOME/conf/server.xml
        elif [[ $VERCMP_STATUS -eq 11 ]]; then
            # Older than Tomcat 6.0.38
-            sed -i "s/.*<\/Service>/<Connector port=\"8443\" label=\"HIRS\" protocol=\"HTTP\/1.1\" compression=\"on\" compressionMinSize=\"2048\" compressableMimeType=\"text\/html, text\/xml\" SSLEnabled=\"true\" maxThreads=\"150\" scheme=\"https\" secure=\"true\" clientAuth=\"want\" sslProtocol=\"TLS\" protocols=\"TLSv1.1,TLSv1.2\" ciphers=\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA\" SSLDisableCompression=\"true\" keystoreFile=\"${CA_CERT_DIR_ESCAPED}\/keyStore.jks\" keystorePass=\"$P12_PASSWORD\" truststoreFile=\"${CA_CERT_DIR_ESCAPED}\/TrustStore.jks\" truststorePass=\"password\" \/><\/Service>/" $CATALINA_HOME/conf/server.xml
+            sed -i "s/.*<\/Service>/<Connector port=\"8443\" label=\"HIRS\" protocol=\"HTTP\/1.1\" compression=\"on\" compressionMinSize=\"2048\" compressableMimeType=\"text\/html, text\/xml\" SSLEnabled=\"true\" maxThreads=\"150\" scheme=\"https\" secure=\"true\" clientAuth=\"want\" sslProtocol=\"TLS\" protocols=\"TLSv1.2\" ciphers=\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384\" SSLDisableCompression=\"true\" keystoreFile=\"${CA_CERT_DIR_ESCAPED}\/keyStore.jks\" keystorePass=\"$P12_PASSWORD\" truststoreFile=\"${CA_CERT_DIR_ESCAPED}\/TrustStore.jks\" truststorePass=\"password\" \/><\/Service>/" $CATALINA_HOME/conf/server.xml
        else
            echo "Unknown rpmdev-vercmp exit code: ${VERCMP_STATUS}"
            exit 1