From 295757c8effdff7b37b2165566baf54b0b1855b0 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Wed, 6 Jun 2018 14:23:04 -0400
Subject: [PATCH] Tighten some security parameters
---
 xCAT-server/sbin/xcatd | 5 +++--
 xCAT-server/share/xcat/ca/openssl.cnf.tmpl | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/xCAT-server/sbin/xcatd b/xCAT-server/sbin/xcatd
index d9cc5d98d..802199875 100755
--- a/xCAT-server/sbin/xcatd
+++ b/xCAT-server/sbin/xcatd
@@ -1517,8 +1517,8 @@ until ($quit) {
 populate_site_hash();
 my %extrasslargs;
- if ($::XCATSITEVALS{xcatsslversion}) { $extrasslargs{SSL_version} = $::XCATSITEVALS{xcatsslversion}; }
- if ($::XCATSITEVALS{xcatsslciphers}) { $extrasslargs{SSL_cipher_list} = $::XCATSITEVALS{xcatsslciphers}; }
+ #if ($::XCATSITEVALS{xcatsslversion}) { $extrasslargs{SSL_version} = $::XCATSITEVALS{xcatsslversion}; }
+ if ($::XCATSITEVALS{xcatsslciphers}) { $extrasslargs{SSL_cipher_list} = $::XCATSITEVALS{xcatsslciphers}; } else { $extrasslargs{SSL_cipher_list} = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384"; }
 use Data::Dumper;
 $SIG{ALRM} = sub { $ssltimeout = 1; die; };
@@ -1528,6 +1528,7 @@ until ($quit) {
 SSL_key_file => $xcatdir . "/cert/server-cred.pem",
 SSL_cert_file => $xcatdir . "/cert/server-cred.pem",
 SSL_ca_file => $xcatdir . "/cert/ca.pem",
+ SSL_ecdh_curve => 'prime256v1',
 SSL_server => 1,
 SSL_verify_mode => 1,
 %extrasslargs,
diff --git a/xCAT-server/share/xcat/ca/openssl.cnf.tmpl b/xCAT-server/share/xcat/ca/openssl.cnf.tmpl
index abfe25892..e3647635c 100644
--- a/xCAT-server/share/xcat/ca/openssl.cnf.tmpl
+++ b/xCAT-server/share/xcat/ca/openssl.cnf.tmpl
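Review bot: Commenting out the `xcatsslversion` line leaves the protocol floor entirely to IO::Socket::SSL's default, and an admin who still sets `xcatsslversion` in the site table now gets a silent no-op instead of a warning. The new default cipher list contains only AES-GCM ECDHE suites, which as far as I recall exist only in TLS 1.2, so a floor is enforced indirectly — but only until a site overrides `xcatsslciphers`, at which point older protocol versions come back with nothing else stopping them. I would replace the dead line with an explicit floor such as `$extrasslargs{SSL_version} = 'SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1';` (IO::Socket::SSL exclusion syntax — verify it against the oldest IO::Socket::SSL/OpenSSL shipped on supported platforms), and if `xcatsslversion` is meant to stay unsupported, delete the commented-out code and add `# xcatsslversion is intentionally ignored; the minimum version is fixed here` so the next reader does not re-enable it. The `until ($quit)` loop this sits in starts and ends outside the hunk.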
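Review bot: `SSL_ecdh_curve => 'prime256v1'` pins a single named curve with no site-table override, unlike the cipher list in the previous hunk which admins can still tune through `xcatsslciphers`; if the IO::Socket::SSL and OpenSSL on the management node accept a curve list (OpenSSL 1.0.2+ does, I believe), `SSL_ecdh_curve => 'prime256v1:secp384r1'` or a site value would keep the hardening without foreclosing stronger curves. A comment such as `# required so the ECDHE-only default cipher list can negotiate on OpenSSL builds with no default curve` would record why the line exists. Separately, the neighbouring context line `SSL_verify_mode => 1` looks like a bare SSL_VERIFY_PEER, which still completes the handshake with a client that presents no certificate at all unless something after `new` rejects it — worth confirming while this block is being tightened. The constructor argument list these options belong to (presumably an `IO::Socket::SSL->new` call) starts and ends outside the hunk.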
@@ -67,7 +67,7 @@ cert_opt = ca_default # Certificate field options
 default_days = 7300 # how long to certify for
 default_crl_days= 30 # how long before next CRL
-default_md = sha1 # which md to use.
+default_md = sha256 # which md to use.
 preserve = no # keep passed DN ordering
 # A few difference way of specifying how similar the request should look