CP-311259: Use Tls_policy to configure cipher suites

Lin Liu · Lin Liu · commit 923bfaeac9fb · 2026-03-30T09:08:35.000Z
Signed-off-by: Lin Liu &lt;lin.liu01@citrix.com&gt;
diff --git a/ocaml/libs/stunnel/stunnel.ml b/ocaml/libs/stunnel/stunnel.ml
@@ -222,9 +222,9 @@ let config_file ?(accept = None) config host port =
          )
        ; [Printf.sprintf "connect=%s:%d" host port]
        ; [
-           "sslVersion = TLSv1.2"
-         ; "ciphers = " ^ Constants.good_ciphersuites
-         ; "curve = secp384r1"
+           "sslVersion = " ^ Tls_policy.Openssl.default_version
+         ; "ciphers = " ^ Tls_policy.Openssl.default_ciphers
+         ; "curve = " ^ Tls_policy.Openssl.default_curve
          ]
        ; ( match config with
          | None ->
diff --git a/ocaml/nbd/src/main.ml b/ocaml/nbd/src/main.ml
@@ -92,8 +92,8 @@ let init_tls_get_server_ctx ~certfile =
   let certfile = require_str "certfile" certfile in
   Some
     (Nbd_unix.TlsServer
-       (Nbd_unix.init_tls_get_ctx ~curve:"secp384r1" ~certfile
-          ~ciphersuites:Constants.good_ciphersuites ()
+       (Nbd_unix.init_tls_get_ctx ~curve:Tls_policy.Openssl.default_curve
+          ~certfile ~ciphersuites:Tls_policy.Openssl.default_ciphers ()
        )
     )
 
diff --git a/ocaml/xapi-consts/constants.ml b/ocaml/xapi-consts/constants.ml
@@ -429,10 +429,6 @@ let gencert = ref "/opt/xensource/libexec/gencert"
 
 let openssl_path = ref "/usr/bin/openssl"
 
-let good_ciphersuites =
-  String.concat ":"
-    ["ECDHE-RSA-AES256-GCM-SHA384"; "ECDHE-RSA-AES128-GCM-SHA256"]
-
 let verify_certificates_path = "/var/xapi/verify-certificates"
 
 let python3_path = "/usr/bin/python3"
diff --git a/ocaml/xapi/extauth_plugin_ADwinbind.ml b/ocaml/xapi/extauth_plugin_ADwinbind.ml
@@ -952,6 +952,9 @@ let config_winbind_daemon domain_info =
         ; "tls trust system cas = yes"
         ; "tls verify peer = ca_and_name_if_available"
         ; tls_ca
+        ; Printf.sprintf "tls ca directories = %s" certs_dir
+        ; Printf.sprintf "tls priority = %s"
+            (Tls_policy.Gnutls.default_policy ())
         ; Printf.sprintf "winbind scan trusted domains = %s"
             scan_trusted_domains
         ; "winbind use krb5 enterprise principals = yes"
diff --git a/ocaml/xapi/sparse_dd_wrapper.ml b/ocaml/xapi/sparse_dd_wrapper.ml
@@ -122,7 +122,7 @@ let dd_internal progress_cb base prezeroed verify_cert ?(proto = None) infile
                     ; "-size"
                     ; Int64.to_string size
                     ; "-good-ciphersuites"
-                    ; Constants.good_ciphersuites
+                    ; Tls_policy.Openssl.default_ciphers
                     ]
                   ; ( if prezeroed then
                         ["-prezeroed"]
diff --git a/ocaml/xapi/xapi_stunnel_server.ml b/ocaml/xapi/xapi_stunnel_server.ml
@@ -52,10 +52,10 @@ end = struct
       let open Printf in
       let cipher_options =
         [
-          sprintf "ciphers = %s" Constants.good_ciphersuites
-        ; "curve = secp384r1"
-        ; "options = CIPHER_SERVER_PREFERENCE"
-        ; "sslVersion = TLSv1.2"
+          sprintf "ciphers = %s" Tls_policy.Openssl.default_ciphers
+        ; "curve = " ^ Tls_policy.Openssl.default_curve
+        ; "options = " ^ Tls_policy.Openssl.default_server_preference
+        ; "sslVersion = " ^ Tls_policy.Openssl.default_version
         ]
       in
       [

Original file line number	Diff line number	Diff line change
`@@ -222,9 +222,9 @@ let config_file ?(accept = None) config host port =`
`222`	`222`	`)`
`223`	`223`	`; [Printf.sprintf "connect=%s:%d" host port]`
`224`	`224`	`; [`
`225`		`- "sslVersion = TLSv1.2"`
`226`		`- ; "ciphers = " ^ Constants.good_ciphersuites`
`227`		`- ; "curve = secp384r1"`
	`225`	`+ "sslVersion = " ^ Tls_policy.Openssl.default_version`
	`226`	`+ ; "ciphers = " ^ Tls_policy.Openssl.default_ciphers`
	`227`	`+ ; "curve = " ^ Tls_policy.Openssl.default_curve`
`228`	`228`	`]`
`229`	`229`	`; ( match config with`
`230`	`230`	`\| None ->`
Original file line number	Diff line number	Diff line change
`@@ -92,8 +92,8 @@ let init_tls_get_server_ctx ~certfile =`
`92`	`92`	`let certfile = require_str "certfile" certfile in`
`93`	`93`	`Some`
`94`	`94`	`(Nbd_unix.TlsServer`
`95`		`- (Nbd_unix.init_tls_get_ctx ~curve:"secp384r1" ~certfile`
`96`		`- ~ciphersuites:Constants.good_ciphersuites ()`
	`95`	`+ (Nbd_unix.init_tls_get_ctx ~curve:Tls_policy.Openssl.default_curve`
	`96`	`+ ~certfile ~ciphersuites:Tls_policy.Openssl.default_ciphers ()`
`97`	`97`	`)`
`98`	`98`	`)`
`99`	`99`
Original file line number	Diff line number	Diff line change
`@@ -122,7 +122,7 @@ let dd_internal progress_cb base prezeroed verify_cert ?(proto = None) infile`
`122`	`122`	`; "-size"`
`123`	`123`	`; Int64.to_string size`
`124`	`124`	`; "-good-ciphersuites"`
`125`		`- ; Constants.good_ciphersuites`
	`125`	`+ ; Tls_policy.Openssl.default_ciphers`
`126`	`126`	`]`
`127`	`127`	`; ( if prezeroed then`
`128`	`128`	`["-prezeroed"]`
Original file line number	Diff line number	Diff line change
`@@ -52,10 +52,10 @@ end = struct`
`52`	`52`	`let open Printf in`
`53`	`53`	`let cipher_options =`
`54`	`54`	`[`
`55`		`- sprintf "ciphers = %s" Constants.good_ciphersuites`
`56`		`- ; "curve = secp384r1"`
`57`		`- ; "options = CIPHER_SERVER_PREFERENCE"`
`58`		`- ; "sslVersion = TLSv1.2"`
	`55`	`+ sprintf "ciphers = %s" Tls_policy.Openssl.default_ciphers`
	`56`	`+ ; "curve = " ^ Tls_policy.Openssl.default_curve`
	`57`	`+ ; "options = " ^ Tls_policy.Openssl.default_server_preference`
	`58`	`+ ; "sslVersion = " ^ Tls_policy.Openssl.default_version`
`59`	`59`	`]`
`60`	`60`	`in`
`61`	`61`	`[`