Index: /branches/rel_apv_10_7/usr/click/webui/htdocs/new/src/apv/models/loadbalancing/slb/ssl/real.py =================================================================== --- /branches/rel_apv_10_7/usr/click/webui/htdocs/new/src/apv/models/loadbalancing/slb/ssl/real.py (revision 39983) +++ /branches/rel_apv_10_7/usr/click/webui/htdocs/new/src/apv/models/loadbalancing/slb/ssl/real.py (working copy) @@ -40,23 +40,24 @@ 'backup_certs': AssoField2(verbose_name=_('Backup/Restore Certificate'), tgt='loadbalancing.slb.ssl.ReallHostCertBackup.asso', mul='1', pos='left', optional=True), }) - + server_verification = FieldGroup(verbose_name=_('Server Verification Settings'), level=ADVANCED, fields={ 'server_verification': AssoField2(verbose_name=_('Server Verification Settings'), tgt='loadbalancing.slb.ssl.SSLServerVerificationSettings.rhost', mul='1', pos='left'), }) - + advanced_options = FieldGroup(verbose_name=_('Advanced Options'), level=ADVANCED, optional=True, fields={ 'client_auth': BooleanField(verbose_name=_('Client Authentication'), lexical=('on', 'off'), default=False), 'ocsp_stapling': BooleanField(verbose_name=_('OCSP Stapling'), lexical=('on','off'), hidden=True, default=False, editable=False), 'ocsp_stapling_status': TextField(verbose_name=_('OCSP Stapling Status'), editable=False, optional=True, style='long', condition=ValueCondition('ocsp_stapling', [True])), 'session_reuse': BooleanField(verbose_name=_('Session Reuse'), lexical=('on', 'off'), default=True), + 'renegotiation': BooleanField(verbose_name=_('SSL Renegotiation'), lexical=('on', 'off'), default=False), 'autosni': BooleanField(verbose_name=_('SNI Get Automatically'), lexical=('on', 'off'), default=False), 'protocol': MultiEnumField(verbose_name=_('SSL Protocol Version'), values=( ('SSLv3', 'SSLv3'), ('TLSv1', 'TLSv1'), ('TLSv11', 'TLSv1.1'), - ('TLSv12', 'TLSv1.2'), + ('TLSv12', 'TLSv1.2'), ('TLSv13', 'TLSv1.3'), ('SM2v11', 'SM2v1.1'), )), @@ -576,7 +577,7 @@ } class Manager(CLIManager): - @QueryingFields(['key_cert_status', 'autosni', 'client_auth', 'ocsp_stapling', 'early_data_zero_rtt', 'tlsv13_psk_mode', 'session_reuse', 'rsa_key_length', 'ecc_key_length','ssli_status','mode','protocol']) + @QueryingFields(['key_cert_status', 'autosni', 'client_auth', 'ocsp_stapling', 'early_data_zero_rtt', 'tlsv13_psk_mode', 'session_reuse', 'rsa_key_length', 'ecc_key_length','ssli_status','mode','protocol', 'renegotiation']) def _get_settings(self, pk_dict): self.cli.set_enable(force=True) result = self.cli.cmd('show ssl settings "%s"' % pk_dict['name'], @@ -591,7 +592,8 @@ RegexParser('SNI Get Automatically: enabled', MATCHONE), RegexParser('OCSP Stapling : disabled', MATCHONE), RegexParser('TLSv13 Early Data: enabled', MATCHONE), - RegexParser('TLSv13 PSK Mode: (.*)', MATCHONE)) + RegexParser('TLSv13 PSK Mode: (.*)', MATCHONE), + RegexParser('SSL renegotiation: enabled', MATCHONE)) #12 result1 = self.cli.cmd('show ssli setting', EasyParser('ssli on %s'%pk_dict['name'], ['?mode'])) result2 = self.cli.cmd('show ssl status key "%s"' % pk_dict['name']) @@ -609,10 +611,11 @@ 'ocsp_stapling': False if result[9] else True, 'early_data_zero_rtt': True if result[10] else False, 'tlsv13_psk_mode': result[11][0] if result[11] else "psk_ke:psk_dhe_ke", + 'renegotiation': True if result[12] else False, 'key_cert_status': result2 + '\n' + result3, } - - @UpdatingFields(['client_auth', 'session_reuse', 'protocol']) + + @UpdatingFields(['client_auth', 'session_reuse', 'renegotiation', 'protocol']) def _update_settings(self, instance): self.cli.set_config() if instance.client_auth: @@ -620,25 +623,35 @@ BlankParser(nonblank_exception=CLICmdError, supplement=True)) else: result = self.cli.cmd('no ssl settings clientauth "%s"' % instance.name) - + if instance.session_reuse: self.cli.cmd('ssl settings reuse "%s"' % instance.name, BlankParser(nonblank_exception=CLICmdError, supplement=True)) else: self.cli.cmd('no ssl settings reuse "%s"' % instance.name, BlankParser(nonblank_exception=CLICmdError, supplement=True)) + if instance.renegotiation: + self.cli.cmd('ssl globals renegotiation on', + BlankParser(nonblank_exception=CLICmdError, supplement=True), + force_global=True) + self.cli.cmd('ssl settings reneg "%s"' % instance.name, + BlankParser(nonblank_exception=CLICmdError, supplement=True)) + else: + self.cli.cmd('no ssl settings reneg "%s"' % instance.name, + RegexParser('not supported by hardware', match_exception=CLICmdNormal, exclusive=True), + BlankParser(nonblank_exception=CLICmdError, supplement=True)) self.cli.cmd('ssl settings protocol "%s" "%s"' % (instance.name, ':'.join(instance.protocol)), RegexParser('Warning: RSASSA-PSS certificate has been deactivated automatically because TLSv1.3 is removed from the host.', match_exception=CLICmdWarning, exclusive=True), RegexParser('Please remember to modify the supported cipher suite.', match_exception=CLICmdWarning, exclusive=True), RegexParser('Please modify the ciphersuite.', match_exception=CLICmdWarning, exclusive=True), BlankParser(nonblank_exception=CLICmdError, supplement=True)) mark_expire_all(SSLRealHost) - + def _get_ocsp_stapling_status(self, pk_dict): self.cli.set_enable() result = self.cli.cmd('show ssl status ocspstapling "%s"' % pk_dict['name']) return result - + def _update_autosni(self,instance): self.cli.set_config() if instance.autosni: @@ -702,6 +715,9 @@ "ECDHE-SM4-SM3":"0xe011", "TLS-AES128-GCM-SHA256":"0x1301", "TLS-AES256-GCM-SHA384":"0x1302", + "TLS-CHACHA20-POLY1305-SHA256":"0x1303", + "TLS-AES128-CCM-SHA256":"0x1304", + "TLS-AES128-CCM-8-SHA256":"0x1305", "ECC-SM4-GCM-SM3": "0xe053", "ECDHE-SM4-GCM-SM3":"0xe051", "!SSLv2":"!SSLv2",