CP-311259: Use tls lib to configure cipher suites

Signed-off-by: Lin Liu <lin.liu01@citrix.com>

Author: Lin Liu

dune-project

@@ -645,6 +645,8 @@
    (= :version))
   (uuid
    (= :version))
+  (tls
+   (= :version))
   (xapi-consts
    (= :version))
   xapi-inventory
@@ -660,6 +662,18 @@
    (= :version))
   (odoc :with-doc)))
 
+(package
+ (name tls)
+ (synopsis "TLS policy types and format-specific string renderers")
+ (description
+  "Provides TLS policy types and renderers for GnuTLS priority strings and OpenSSL cipher lists.")
+ (depends
+  (ocaml
+   (>= "4.14"))
+  (dune
+   (>= "3.0"))
+  (odoc :with-doc)))
+
 (package
  (name sexpr))
 

ocaml/libs/stunnel/dune

@@ -7,6 +7,7 @@
     forkexec
     safe-resources
     threads.posix
+    tls
     unix
     uuid
     xapi-consts

ocaml/libs/stunnel/stunnel.ml

@@ -222,9 +222,9 @@ let config_file ?(accept = None) config host port =
          )
        ; [Printf.sprintf "connect=%s:%d" host port]
        ; [
-           "sslVersion = TLSv1.2"
-         ; "ciphers = " ^ Constants.good_ciphersuites
-         ; "curve = secp384r1"
+           "sslVersion = " ^ Tls.Openssl.default_version
+         ; "ciphers = " ^ Tls.Openssl.default_ciphers
+         ; "curve = " ^ Tls.Openssl.default_curve
          ]
        ; ( match config with
          | None ->

ocaml/nbd/src/dune

@@ -21,6 +21,7 @@
   xapi-consts
   xapi-inventory
   xapi-types
+  tls
   xen-api-client-lwt
   )
 )

ocaml/nbd/src/main.ml

@@ -92,8 +92,8 @@ let init_tls_get_server_ctx ~certfile =
   let certfile = require_str "certfile" certfile in
   Some
     (Nbd_unix.TlsServer
-       (Nbd_unix.init_tls_get_ctx ~curve:"secp384r1" ~certfile
-          ~ciphersuites:Constants.good_ciphersuites ()
+       (Nbd_unix.init_tls_get_ctx ~curve:Tls.Openssl.default_curve ~certfile
+          ~ciphersuites:Tls.Openssl.default_ciphers ()
        )
     )
 

ocaml/xapi-consts/constants.ml

@@ -429,10 +429,6 @@ let gencert = ref "/opt/xensource/libexec/gencert"
 
 let openssl_path = ref "/usr/bin/openssl"
 
-let good_ciphersuites =
-  String.concat ":"
-    ["ECDHE-RSA-AES256-GCM-SHA384"; "ECDHE-RSA-AES128-GCM-SHA256"]
-
 let verify_certificates_path = "/var/xapi/verify-certificates"
 
 let python3_path = "/usr/bin/python3"

ocaml/xapi/dune

@@ -85,6 +85,7 @@
   clock
   astring
   stunnel
+  tls
   sexplib0
   sexplib
   sexpr
@@ -182,6 +183,7 @@
   sha
   str
   stunnel
+  tls
   tapctl
   tar
   tar-unix
@@ -301,6 +303,7 @@
   rpclib.json
   rpclib.xml
   stunnel
+  tls
   tgroup
   threads.posix
   tracing

ocaml/xapi/extauth_plugin_ADwinbind.ml

@@ -920,6 +920,7 @@ let config_winbind_daemon domain_info =
         ; "tls trust system cas = yes"
         ; "tls verify peer = ca_and_name_if_available"
         ; Printf.sprintf "tls ca directories = %s" certs_dir
+        ; Printf.sprintf "tls priority = %s" (Tls.Gnutls.default_policy ())
         ; Printf.sprintf "winbind scan trusted domains = %s"
             scan_trusted_domains
         ; "winbind use krb5 enterprise principals = yes"

ocaml/xapi/sparse_dd_wrapper.ml

@@ -122,7 +122,7 @@ let dd_internal progress_cb base prezeroed verify_cert ?(proto = None) infile
                     ; "-size"
                     ; Int64.to_string size
                     ; "-good-ciphersuites"
-                    ; Constants.good_ciphersuites
+                    ; Tls.Openssl.default_ciphers
                     ]
                   ; ( if prezeroed then
                         ["-prezeroed"]

ocaml/xapi/xapi_stunnel_server.ml

@@ -52,10 +52,10 @@ end = struct
       let open Printf in
       let cipher_options =
         [
-          sprintf "ciphers = %s" Constants.good_ciphersuites
-        ; "curve = secp384r1"
-        ; "options = CIPHER_SERVER_PREFERENCE"
-        ; "sslVersion = TLSv1.2"
+          sprintf "ciphers = %s" Tls.Openssl.default_ciphers
+        ; "curve = " ^ Tls.Openssl.default_curve
+        ; "options = " ^ Tls.Openssl.default_server_preference
+        ; "sslVersion = " ^ Tls.Openssl.default_version
         ]
       in
       [