Red Hat CERTIFICATE SYSTEM 8.0 - RELEASE NOTES Release Note page 21



Reconfiguring the Red Hat Certificate System Subsystems to Prevent a Potential TLS-Related Man-in-the-Middle Attack
2. Add a section for the new port. Make sure that the clientAuth value is set to true. (The
4.
Modify the /etc/init.d/instance_name initialization script to read the new status definitions.
1. At line 242, replace the following lines. Replace all of them with the exact excerpt below, copied verbatim,
2. Modify the highlighted code (the comparisons of $head against the port statements, shown below) at around line 280.
port number and the serverCertNickFile, passwordFile, and certdbDir directives should all match
your instance information.)
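<!-- Port Separation:
     EE Secure Client Auth Port Connector.
     A dedicated HTTPS listener that demands a client certificate on the
     initial handshake (clientAuth="true"), so end-entity client-auth traffic
     no longer shares the regular Secure EE port. The port, serverCertNickFile,
     passwordFile and certdbDir values must match the instance being
     reconfigured; the paths below are for a CA instance named pki-ca.

     Review notes:
     * The published excerpt closed this comment with three hyphens, which is
       not well-formed XML (a comment must end with exactly two). Fixed.
     * sslOptions now sets ssl2=false. SSLv2 has no handshake integrity
       protection and is prohibited by RFC 6176, and every suite in the
       ssl2Ciphers list was already disabled with a leading minus, so turning
       the protocol off changes nothing a client could negotiate. The
       ssl2Ciphers list is left in place for reference; it should be inert
       while ssl2=false.
     * ssl3=true is kept as published, but SSLv3 is obsolete (RFC 7568) and
       should also be disabled unless a legacy client demonstrably needs it.
     * The enabled (+) suites are RC4, single DES and 3DES with RSA, plus one
       AES suite that is ECDHE_ECDSA. An ECDSA suite can only be selected when
       the server certificate is an ECDSA certificate, so with an RSA server
       certificate this connector would offer only RC4, DES and 3DES, all
       considered weak today. Add RSA AES suites once clients are confirmed to
       negotiate them.
     * Each cipher list is one attribute value with no whitespace. The printed
       page wraps these lines; do not copy the wraps into server.xml, or the
       embedded spaces may cause the cipher string to be rejected. -->
<Connector name="EEClientAuth" port="9446" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="true" sslProtocol="SSL"
           sslOptions="ssl2=false,ssl3=true,tls=true"
           ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
           ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
           tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
           SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
           serverCertNickFile="/var/lib/pki-ca/conf/serverCertNick.conf"
           passwordFile="/var/lib/pki-ca/conf/password.conf"
           passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
           certdbDir="/var/lib/pki-ca/alias"/>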
because there are important differences in whitespace in the quoted strings.
# Status-line labels printed by the init script. NOTE(review): in this excerpt
# the closing quote of each string and the padding after the label have been
# lost; the script matches status lines on their first 22 bytes (cut -b1-22),
# so the label, the spaces that pad it and what appears to be a trailing "= "
# must be copied exactly from the installed script rather than retyped here.
unsecure_port_statement="Unsecure Port
secure_agent_port_statement="Secure Agent Port
secure_ee_port_statement="Secure EE Port
secure_ee_client_auth_port_statement="EE Client Auth Port = -"
secure_admin_port_statement="Secure Admin Port
pki_console_port_statement="PKI Console Port
tomcat_port_statement="Tomcat Port
-] -||
== -"$secure_agent_port_statement" -] -||
-] -||
= -"
= -"
= -"
= -"
= -"
= -"
head=`echo -"$line" -| cut -b1-22`
if
[ -"$head" == -"$unsecure_port_statement"
[ -"$head"
[ -"$head" == -"$secure_ee_port_statement"