Fixed Cipher related warnings on ZCS startup and added jetty version …

…at a common place
Zimbra · Jun 11, 2019 · 11060eb · 11060eb
1 parent e1a37ad
commit 11060eb
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 15 deletions.
diff --git a/build-ivysettings.xml b/build-ivysettings.xml
@@ -3,6 +3,7 @@
   <property name="httpclient.version" value="4.5.8"/>
   <property name="httpclient.httpcore.version" value="4.4.11"/>
   <property name="httpclient.async.version" value="4.1.4"/>
+  <property name="jetty.version" value="9.4.18.v20190429"/>
 <settings defaultResolver="chain-resolver" />
   <caches defaultCacheDir="${dev.home}/.ivy2/cache"/>
   <resolvers>

diff --git a/common/ivy.xml b/common/ivy.xml
@@ -32,8 +32,8 @@
   <dependency org="org.easymock" name="easymock" rev="3.0" />
   <dependency org="cglib" name="cglib" rev="2.2.2" />
   <dependency org="asm" name="asm" rev="3.3.1" />
-  <dependency org="org.eclipse.jetty" name="jetty-rewrite" rev="9.4.18.v20190429" />
-  <dependency org="org.eclipse.jetty" name="jetty-util" rev="9.4.18.v20190429" />
+  <dependency org="org.eclipse.jetty" name="jetty-rewrite" rev="${jetty.version}" />
+  <dependency org="org.eclipse.jetty" name="jetty-util" rev="${jetty.version}" />
   <dependency org="zimbra" name="zm-native" rev="latest.integration" />
   <dependency org="ant-contrib" name="ant-contrib" rev="1.0b3" />
  </dependencies>

diff --git a/store/conf/attrs/zimbra-attrs.xml b/store/conf/attrs/zimbra-attrs.xml
@@ -3413,6 +3413,24 @@ TODO - add support for multi-line values in globalConfigValue and defaultCOSValu
 
 <attr id="639" name="zimbraSSLExcludeCipherSuites" type="string" cardinality="multi" optionalIn="globalConfig,server" flags="serverInherited" requiresRestart="mailbox" since="5.0.5">
   <globalConfigValue>.*_RC4_.*</globalConfigValue>
+  <globalConfigValue>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</globalConfigValue>
+  <globalConfigValue>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</globalConfigValue>
+  <globalConfigValue>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</globalConfigValue>
+  <globalConfigValue>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</globalConfigValue>
+  <globalConfigValue>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</globalConfigValue>
+  <globalConfigValue>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</globalConfigValue>
+  <globalConfigValue>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA</globalConfigValue>
+  <globalConfigValue>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA</globalConfigValue>
+  <globalConfigValue>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</globalConfigValue>
+  <globalConfigValue>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</globalConfigValue>
+  <globalConfigValue>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</globalConfigValue>
+  <globalConfigValue>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</globalConfigValue>
+  <globalConfigValue>TLS_RSA_WITH_AES_128_CBC_SHA</globalConfigValue>
+  <globalConfigValue>TLS_RSA_WITH_AES_128_CBC_SHA256</globalConfigValue>
+  <globalConfigValue>TLS_RSA_WITH_AES_128_GCM_SHA256</globalConfigValue>
+  <globalConfigValue>TLS_RSA_WITH_AES_256_CBC_SHA</globalConfigValue>
+  <globalConfigValue>TLS_RSA_WITH_AES_256_CBC_SHA256</globalConfigValue>
+  <globalConfigValue>TLS_RSA_WITH_AES_256_GCM_SHA384</globalConfigValue>
   <desc>exact name or regular expression of cipher suites to exclude</desc>
 </attr>
 
@@ -8379,7 +8397,6 @@ TODO: delete them permanently from here
   <globalConfigValue>TLSv1</globalConfigValue>
   <globalConfigValue>TLSv1.1</globalConfigValue>
   <globalConfigValue>TLSv1.2</globalConfigValue>
-  <globalConfigValue>SSLv2Hello</globalConfigValue>
   <desc>List of SSL/TLS protocols (as documented by SunJSSE Provider Protocols and used in setEnabledProtocols) to be enabled in Jetty for HTTPS, IMAPS, POP3S, and STARTTLS (including LMTP)</desc>
 </attr>
 

diff --git a/store/ivy.xml b/store/ivy.xml
@@ -46,14 +46,14 @@
   <dependency org="com.googlecode.owasp-java-html-sanitizer" name="owasp-java-html-sanitizer" rev="20190503.1"/>
   <dependency org="org.ehcache" name="ehcache" rev="3.1.2"/>
   <dependency org="ant-1.7.0-ziputil-patched" name="ant-1.7.0-ziputil-patched" rev="1.0"/>
-  <dependency org="org.eclipse.jetty" name="jetty-continuation" rev="9.4.18.v20190429"/>
-  <dependency org="org.eclipse.jetty" name="jetty-security" rev="9.4.18.v20190429"/>
-  <dependency org="org.eclipse.jetty" name="jetty-http" rev="9.4.18.v20190429"/>
-  <dependency org="org.eclipse.jetty" name="jetty-io" rev="9.4.18.v20190429"/>
-  <dependency org="org.eclipse.jetty" name="jetty-server" rev="9.4.18.v20190429"/>
-  <dependency org="org.eclipse.jetty" name="jetty-servlet" rev="9.4.18.v20190429"/>
-  <dependency org="org.eclipse.jetty" name="jetty-servlets" rev="9.4.18.v20190429"/>
-  <dependency org="org.eclipse.jetty" name="jetty-util" rev="9.4.18.v20190429"/>
+  <dependency org="org.eclipse.jetty" name="jetty-continuation" rev="${jetty.version}"/>
+  <dependency org="org.eclipse.jetty" name="jetty-security" rev="${jetty.version}"/>
+  <dependency org="org.eclipse.jetty" name="jetty-http" rev="${jetty.version}"/>
+  <dependency org="org.eclipse.jetty" name="jetty-io" rev="${jetty.version}"/>
+  <dependency org="org.eclipse.jetty" name="jetty-server" rev="${jetty.version}"/>
+  <dependency org="org.eclipse.jetty" name="jetty-servlet" rev="${jetty.version}"/>
+  <dependency org="org.eclipse.jetty" name="jetty-servlets" rev="${jetty.version}"/>
+  <dependency org="org.eclipse.jetty" name="jetty-util" rev="${jetty.version}"/>
   <dependency org="commons-cli" name="commons-cli" rev="1.2"/>
   <dependency org="commons-pool" name="commons-pool" rev="1.6"/>
   <dependency org="commons-dbcp" name="commons-dbcp" rev="1.4"/>

diff --git a/store/src/java/com/zimbra/cs/account/ZAttrConfig.java b/store/src/java/com/zimbra/cs/account/ZAttrConfig.java
@@ -29931,7 +29931,7 @@ public Map<String,Object> unsetMailboxThrottleReapInterval(Map<String,Object> at
      */
     @ZAttr(id=1657)
     public String[] getMailboxdSSLProtocols() {
-        String[] value = getMultiAttr(Provisioning.A_zimbraMailboxdSSLProtocols, true, true); return value.length > 0 ? value : new String[] {"TLSv1","TLSv1.1","TLSv1.2","SSLv2Hello"};
+        String[] value = getMultiAttr(Provisioning.A_zimbraMailboxdSSLProtocols, true, true); return value.length > 0 ? value : new String[] {"TLSv1","TLSv1.1","TLSv1.2"};
     }
 
     /**
@@ -64795,7 +64795,7 @@ public Map<String,Object> unsetSSLDHParam(Map<String,Object> attrs) {
      */
     @ZAttr(id=639)
     public String[] getSSLExcludeCipherSuites() {
-        String[] value = getMultiAttr(Provisioning.A_zimbraSSLExcludeCipherSuites, true, true); return value.length > 0 ? value : new String[] {".*_RC4_.*"};
+        String[] value = getMultiAttr(Provisioning.A_zimbraSSLExcludeCipherSuites, true, true); return value.length > 0 ? value : new String[] {".*_RC4_.*","TLS_DHE_DSS_WITH_AES_128_CBC_SHA","TLS_DHE_DSS_WITH_AES_256_CBC_SHA","TLS_DHE_RSA_WITH_AES_128_CBC_SHA","TLS_DHE_RSA_WITH_AES_256_CBC_SHA","TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDH_RSA_WITH_AES_128_CBC_SHA","TLS_ECDH_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_128_CBC_SHA256","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384"};
     }
 
     /**

diff --git a/store/src/java/com/zimbra/cs/account/ZAttrServer.java b/store/src/java/com/zimbra/cs/account/ZAttrServer.java
@@ -19444,7 +19444,7 @@ public Map<String,Object> unsetMailboxThrottleReapInterval(Map<String,Object> at
      */
     @ZAttr(id=1657)
     public String[] getMailboxdSSLProtocols() {
-        String[] value = getMultiAttr(Provisioning.A_zimbraMailboxdSSLProtocols, true, true); return value.length > 0 ? value : new String[] {"TLSv1","TLSv1.1","TLSv1.2","SSLv2Hello"};
+        String[] value = getMultiAttr(Provisioning.A_zimbraMailboxdSSLProtocols, true, true); return value.length > 0 ? value : new String[] {"TLSv1","TLSv1.1","TLSv1.2"};
     }
 
     /**
@@ -46016,7 +46016,7 @@ public Map<String,Object> unsetSSLCertificate(Map<String,Object> attrs) {
      */
     @ZAttr(id=639)
     public String[] getSSLExcludeCipherSuites() {
-        String[] value = getMultiAttr(Provisioning.A_zimbraSSLExcludeCipherSuites, true, true); return value.length > 0 ? value : new String[] {".*_RC4_.*"};
+        String[] value = getMultiAttr(Provisioning.A_zimbraSSLExcludeCipherSuites, true, true); return value.length > 0 ? value : new String[] {".*_RC4_.*","TLS_DHE_DSS_WITH_AES_128_CBC_SHA","TLS_DHE_DSS_WITH_AES_256_CBC_SHA","TLS_DHE_RSA_WITH_AES_128_CBC_SHA","TLS_DHE_RSA_WITH_AES_256_CBC_SHA","TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDH_RSA_WITH_AES_128_CBC_SHA","TLS_ECDH_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_128_CBC_SHA256","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384"};
     }
 
     /**