Back to bug 1302136

Who When What Removed Added
Matthew Harmsen 2016-01-26 22:13:33 UTC Status NEW POST
Assignee mharmsen cfu
RHEL Program Management 2016-01-26 22:30:19 UTC Keywords FutureFeature
Red Hat Bugzilla 2016-01-26 22:30:19 UTC Doc Type Bug Fix Enhancement
Ann Marie Rubin 2016-02-09 22:04:29 UTC CC arubin
Sat6QE Jenkins 2016-03-28 20:15:54 UTC Status POST MODIFIED
Mike McCune 2016-03-28 22:24:40 UTC Status MODIFIED POST
Matthew Harmsen 2016-05-18 22:05:33 UTC Status POST MODIFIED
Target Release --- 7.3
Fixed In Version pki-core-10.3.1-1.el7
errata-xmlrpc 2016-05-18 22:25:18 UTC Status MODIFIED ON_QA
Roshni 2016-08-09 15:28:00 UTC CC cfu, rpattath
Flags needinfo?(cfu)
Christina Fu 2016-08-10 16:44:06 UTC Flags needinfo?(cfu)
Roshni 2016-08-12 18:40:19 UTC Status ON_QA VERIFIED
Petr Bokoc 2016-09-07 14:40:30 UTC Blocks 1373961
Christina Fu 2016-09-07 17:11:22 UTC Doc Text Feature:
This feature allows the administrator to specify an allowed list of ssl ciphers when the server is acting as a client for cs subsystem->cs subsystem communication. This cipher list is separate from the server one in server.xml

Reason:
Prior to this feature, the cipher list specified in server.xml is used when a CS instance is acting as server as well as client. In some cases, certain ciphers might not be desired or might not work. This feature gives administrators tighter control.

Result:
One could now edit CS.cfg (on the "client" side) and add or edit the "clientCiphers" list: e.g. for ca --> kra
ca.connector.KRA.clientCiphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
or in tps,
tps.connector.<ca id>.clientCiphers=< your selected cipher list>
tps.connector.<kra id>.clientCiphers=< your selected cipher list>
tps.connector.<tks id>.clientCiphers=< your selected cipher list>
and expect the cs subsystem that is acting as the ssl client to be restricted to the ciphers in the clientCiphers list.
Petr Bokoc 2016-09-29 13:06:33 UTC CC pbokoc
Docs Contact pbokoc
Petr Bokoc 2016-10-04 14:05:25 UTC Docs Contact pbokoc tcapek
Tomas Capek 2016-10-11 17:37:09 UTC Doc Text Feature:
This feature allows the administrator to specify an allowed list of ssl ciphers when the server is acting as a client for cs subsystem->cs subsystem communication. This cipher list is separate from the server one in server.xml

Reason:
Prior to this feature, the cipher list specified in server.xml is used when a CS instance is acting as server as well as client. In some cases, certain ciphers might not be desired or might not work. This feature gives administrators tighter control.

Result:
One could now edit CS.cfg (on the "client" side) and add or edit the "clientCiphers" list: e.g. for ca --> kra
ca.connector.KRA.clientCiphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
or in tps,
tps.connector.<ca id>.clientCiphers=< your selected cipher list>
tps.connector.<kra id>.clientCiphers=< your selected cipher list>
tps.connector.<tks id>.clientCiphers=< your selected cipher list>
and expect the cs subsystem that is acting as the ssl client to be restricted to the ciphers in the clientCiphers list.
Separate cipher lists for instances acting as a client

Prior to this feature, the cipher list specified in the `server.xml` file was used when a Certificate System instance was acting as a server as well as a client. In some cases, certain ciphers were not desired or did not work. This update gives administrators tighter control, as it allows them to specify an allowed list of SSL ciphers when the server is acting as a client for communication between two Certificate System subsystems. This cipher list is separate from the one stored on the server.
errata-xmlrpc 2016-11-02 15:21:07 UTC Status VERIFIED RELEASE_PENDING
errata-xmlrpc 2016-11-04 05:22:34 UTC Status RELEASE_PENDING CLOSED
Resolution --- ERRATA
Last Closed 2016-11-04 01:22:34 UTC
Dinesh Prasanth 2020-10-04 20:59:45 UTC Link ID Github dogtagpki/pki/issues/2207
