Merge pull request xapi-project#3740 from DeliZhangX/feature/REQ-226/cc-backport-havana

krizex · web-flow · commit 9a48be4ee572 · 2018-10-18T13:20:01.000+08:00
Feature/req 226/cc backport havana
diff --git a/ocaml/xapi/certificates.ml b/ocaml/xapi/certificates.ml
@@ -28,8 +28,10 @@ let c_rehash = "/usr/bin/c_rehash"
 let pem_certificate_header = "-----BEGIN CERTIFICATE-----"
 let pem_certificate_footer = "-----END CERTIFICATE-----"
 
+let certificate_path = "/etc/stunnel/certs"
+
 let library_path is_cert =
-  if is_cert then Stunnel.certificate_path else Stunnel.crl_path
+  if is_cert then certificate_path else Stunnel.crl_path
 
 let library_filename is_cert name =
   Filename.concat (library_path is_cert) name
@@ -45,6 +47,8 @@ let rehash () =
   rehash' (library_path true);
   rehash' (library_path false)
 
+let update_ca_bundle () = ignore (execute_command_get_output "/opt/xensource/bin/update-ca-bundle.sh" [])
+
 let get_type is_cert =
   if is_cert then "certificate" else "CRL"
 
@@ -130,7 +134,7 @@ let host_install is_cert ~name ~cert =
     mkdir_cert_path is_cert;
     write_string_to_file filename cert;
     Unix.chmod filename (cert_perms is_cert);
-    rehash()
+    update_ca_bundle ()
   with
   | e ->
     warn "Exception installing %s %s: %s" (get_type is_cert) name
@@ -146,7 +150,7 @@ let host_uninstall is_cert ~name =
   debug "Uninstalling %s %s" (get_type is_cert) name;
   try
     Sys.remove filename;
-    rehash()
+    update_ca_bundle ()
   with
   | e ->
     warn "Exception uninstalling %s %s: %s" (get_type is_cert) name
diff --git a/ocaml/xapi/xapi_globs.ml b/ocaml/xapi/xapi_globs.ml
@@ -934,7 +934,7 @@ let xenopsd_queues = ref ([
 
 let default_xenopsd = ref "org.xen.xapi.xenops.xenlight"
 
-let ciphersuites_good_outbound = ref "!EXPORT:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:AES256-SHA256:RSA+AES128-SHA256:AES128-SHA"
+let ciphersuites_good_outbound = ref "!EXPORT:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA256:AES128-SHA:AES128-SHA256"
 let ciphersuites_legacy_outbound = ref "RSA+AES256-SHA:RSA+AES128-SHA:RSA+RC4-SHA:RSA+DES-CBC3-SHA"
 
 let gpumon_stop_timeout = ref 10.0
diff --git a/scripts/OMakefile b/scripts/OMakefile
@@ -65,6 +65,7 @@ install:
 	$(IPROG) sysconfig-xapi $(DESTDIR)/etc/sysconfig/xapi
 	$(IPROG) generate_ssl_cert $(DESTDIR)$(LIBEXECDIR)
 	$(IPROG) fix_firewall.sh $(DESTDIR)$(BINDIR)
+	$(IPROG) update-ca-bundle.sh $(DESTDIR)$(BINDIR)
 	mkdir -p $(DESTDIR)$(OPTDIR)/debug
 	$(IPROG) debug_ha_query_liveset $(DESTDIR)$(OPTDIR)/debug
 	$(IPROG) xe-scsi-dev-map $(DESTDIR)$(BINDIR)
diff --git a/scripts/init.d-xapissl b/scripts/init.d-xapissl
@@ -66,7 +66,7 @@ writeconffile () {
 
     # (This "good" list must match, or at least contain one of,
     #  the ciphersuites-good-outbound list in /etc/xapi.conf.)
-    GOOD_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:AES256-SHA256:RSA+AES128-SHA256:AES128-SHA'
+    GOOD_CIPHERS='ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA256:AES128-SHA:AES128-SHA256'
     BACK_COMPAT_CIPHERS='RSA+AES256-SHA:RSA+AES128-SHA:RSA+RC4-SHA:RSA+RC4-MD5:RSA+DES-CBC3-SHA'
 
     if [ -n "${STUNNEL_IDLE_TIMEOUT}" ]; then
@@ -81,7 +81,7 @@ writeconffile () {
     echo "; Autogenerated by ${0}" > $SSLCONFFILE
     writec '; during xapi start-up.'
     writec '; '
-    if [ ${ANCIENT_STUNNEL} = 0 ]; then
+    if [ ${ANCIENT_STUNNEL} = 0 ] && [ x"$CC_PREPARATIONS" != x"true" ]; then
         # stunnel 4.56 fips demands sslVersion = TLSv1 (not "all" or even
         # "TLSv1.2") so we cannot use fips mode.
         writec 'fips = no'
diff --git a/scripts/update-ca-bundle.sh b/scripts/update-ca-bundle.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+#
+# Copyright (c) Citrix Systems 2008. All rights reserved.
+#
+
+set -e
+
+mkdir -p /etc/stunnel
+find /etc/stunnel/certs -name '*.pem' | xargs cat > /etc/stunnel/xapi-stunnel-ca-bundle.pem.tmp
+mv /etc/stunnel/xapi-stunnel-ca-bundle.pem.tmp /etc/stunnel/xapi-stunnel-ca-bundle.pem
