From cc5068b6832772ce3a21fa0c2de75acaeb02befb Mon Sep 17 00:00:00 2001
From: GONG Jie
Date: Wed, 13 Mar 2019 16:23:49 +0800
Subject: [PATCH 1/4] Show warning message when site.xcatsslversion has an value during upgrade

---
 xCAT-server/sbin/xcatconfig | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/xCAT-server/sbin/xcatconfig b/xCAT-server/sbin/xcatconfig
index 1d3652d92..2ce6e0951 100755
--- a/xCAT-server/sbin/xcatconfig
+++ b/xCAT-server/sbin/xcatconfig
@@ -1206,6 +1206,7 @@ sub initDB
     $chtabcmds .= "$::XCATROOT/sbin/chtab key=cleanupxcatpost site.value=no;";
     $chtabcmds .= "$::XCATROOT/sbin/chtab key=dhcplease site.value=43200;";
     $chtabcmds .= "$::XCATROOT/sbin/chtab key=auditnosyslog site.value=0;";
+    $chtabcmds .= "$::XCATROOT/sbin/chtab key=xcatsslversion site.value=;";
     $chtabcmds .= "$::XCATROOT/sbin/chtab key=auditskipcmds site.value=ALL;";
     #$chtabcmds .= "$::XCATROOT/sbin/chtab key=useflowcontrol site.value=yes;"; # need to fix 4031
@@ -1471,6 +1472,15 @@ sub initDB
             xCAT::MsgUtils->message('E', "Could not set ddns as dnshandler.");
         }
     }
+
+    # Set default value for site.xcatsslversion when update xcat
+    $cmds = "XCATBYPASS=Y $::XCATROOT/sbin/tabdump site 2>/dev/null | grep xcatsslversion";
+    xCAT::Utils->runcmd("$cmds", -1);
+    if ($::RUNCMD_RC == 0) {
+        verbose("+-+-+-+-+-+-+-+ The default value of site.xcatsslversion was updated.");
+        verbose("|W|A|R|N|I|N|G| Run `chdef -t site xcatsslversion=' to update your system to");
+        verbose("+-+-+-+-+-+-+-+ the new default value. See `man site' for more details");
+    }
 }
 
 # remove xcatserver,xcatclient

From 26c27cc55e0cb0343b1f43955854120da1d039e3 Mon Sep 17 00:00:00 2001
From: GONG Jie
Date: Wed, 13 Mar 2019 17:10:59 +0800
Subject: [PATCH 2/4] Update document for site

---
 docs/source/guides/admin-guides/references/man5/site.5.rst | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
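Review bot: The check added in the `@@ -1471` hunk fires on the presence of the key, not on a value being set: `grep xcatsslversion` matches a tabdump row whose value column is empty, and the `@@ -1206` hunk now writes exactly such a row on a fresh install with `site.value=`, so once that row exists the banner would presumably appear on every later upgrade (assuming chtab stores the empty value as a row rather than dropping it). Matching only a non-empty quoted value in the tabdump output, e.g. `grep -E '^\"xcatsslversion\",\"[^\"]+\"'` in place of `grep xcatsslversion`, limits the warning to systems that actually pin a protocol version, which is the case where a stale `TLSv1` setting matters. The comment `# Set default value for site.xcatsslversion when update xcat` describes no default being set; `# Warn if site.xcatsslversion is set explicitly: the built-in default changed, see man site` matches what the block does. The same check is the unchanged context of the `@@ -1477` hunk in patch 4/4, and sub initDB begins outside both hunks.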
diff --git a/docs/source/guides/admin-guides/references/man5/site.5.rst b/docs/source/guides/admin-guides/references/man5/site.5.rst
index 33f4ac5e3..6700c946c 100644
--- a/docs/source/guides/admin-guides/references/man5/site.5.rst
+++ b/docs/source/guides/admin-guides/references/man5/site.5.rst
@@ -465,7 +465,11 @@ site Attributes:
 
   xcatlport:  The port used by xcatd command log writer process to collect command output.
 
-  xcatsslversion:  The ssl version by xcatd. Default is TLSv1.
+  xcatsslversion:  The SSL_version option xcatd used and passed to
+                   IO::Socket::SSL->start_SSL(). By default, this value is
+                   set to empty. In this case, xcatd will use
+                   'SSLv23:!SSLv2:!SSLv3:!TLSv1' internally.
+                   For more detail, see https://metacpan.org/pod/IO::Socket::SSL
 
   xcatsslciphers:  The ssl cipher by xcatd. Default is 3DES.
 

From 18d4af9890bc3e4d9277accaa6a8d4bad7700f91 Mon Sep 17 00:00:00 2001
From: GONG Jie
Date: Wed, 13 Mar 2019 17:11:21 +0800
Subject: [PATCH 3/4] Update document for ssl_config

---
 docs/source/advanced/security/ssl_config.rst | 14 +++----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/docs/source/advanced/security/ssl_config.rst b/docs/source/advanced/security/ssl_config.rst
index 58f01bc3a..0c411e8d7 100644
--- a/docs/source/advanced/security/ssl_config.rst
+++ b/docs/source/advanced/security/ssl_config.rst
@@ -8,21 +8,13 @@ The configuration is stored in the xCAT site table using the ``site.xcatsslversi
 Configuration
 -------------
 
-By default, xCAT ships with ``TLSv1`` configured. The current highest SSL version that can be supported is ``TLSv1.2``.
+``site.xcatsslversion`` is the ``SSL_version`` option ``xcatd`` used and passed to ``IO::Socket::SSL->start_SSL()``. By default, this value is set to empty. In this case, ``xcatd`` will use ``SSLv23:!SSLv2:!SSLv3:!TLSv1`` internally. For more detail, see https://metacpan.org/pod/IO::Socket::SSL
+By default, xCAT ships with an empty value for ``site.xcatsslversion``. In this case, ``xcatd`` will use ``SSLv23:!SSLv2:!SSLv3:!TLSv1`` internally.
 
-* For rhels7.x and sles12.x and higher: ::
-
-  chtab key=xcatsslversion site.value=TLSv12
-
-* For ubuntu 14.x and higher: ::
+Here is an example of change ``site.xcatsslversoin`` to a different value. Say, TLS 1.2 is preferred. ::
 
   chtab key=xcatsslversion site.value=TLSv1_2
 
-* For AIX 7.1.3.x: ::
-
-  chtab key=xcatsslversion site.value=TLSv1_2
-
-
 If running > ``TLSv1``, it is possible to disable insecure ciphers. Here's an example of one possible configuration: ::
 
   "xcatsslciphers","kDH:kEDH:kRSA:!SSLv3:!SSLv2:!aNULL:!eNULL:!MEDIUM:!LOW:!MD5:!EXPORT:!CAMELLIA:!ECDH",,

From 240841483de5b1370492543350728e448510f9ef Mon Sep 17 00:00:00 2001
From: GONG Jie
Date: Wed, 13 Mar 2019 18:09:03 +0800
Subject: [PATCH 4/4] Revise the warning messages

---
 xCAT-server/sbin/xcatconfig | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/xCAT-server/sbin/xcatconfig b/xCAT-server/sbin/xcatconfig
index 2ce6e0951..5f8b1c5de 100755
--- a/xCAT-server/sbin/xcatconfig
+++ b/xCAT-server/sbin/xcatconfig
@@ -1477,9 +1477,26 @@ sub initDB
     $cmds = "XCATBYPASS=Y $::XCATROOT/sbin/tabdump site 2>/dev/null | grep xcatsslversion";
     xCAT::Utils->runcmd("$cmds", -1);
     if ($::RUNCMD_RC == 0) {
-        verbose("+-+-+-+-+-+-+-+ The default value of site.xcatsslversion was updated.");
-        verbose("|W|A|R|N|I|N|G| Run `chdef -t site xcatsslversion=' to update your system to");
-        verbose("+-+-+-+-+-+-+-+ the new default value. See `man site' for more details");
+        xCAT::MsgUtils->message('I',
+            "__ ___ ___ _ _ ___ _ _ ___");
+        xCAT::MsgUtils->message('I',
+            "\\ \\ / /_\\ | _ \\ \\| |_ _| \\| |/ __| _ +-+-+-+-+-+-+-+");
+        xCAT::MsgUtils->message('I',
+            " \\ \\/\\/ / _ \\| / .` || || .` | (_ | oo\\ |W|A|R|N|I|N|G|");
+        xCAT::MsgUtils->message('I',
+            " \\_/\\_/_/ \\_\\_|_\\_|\\_|___|_|\\_|\\___| (__)\\ +-+-+-+-+-+-+-+");
+        xCAT::MsgUtils->message('I',
+            "+--------------------------------------------------------------+ +-+-+-+-+-+-+-+");
+        xCAT::MsgUtils->message('I',
+            "| The default value of `site.xcatsslversion' was updated. |:|W|A|R|N|I|N|G|");
+        xCAT::MsgUtils->message('I',
+            "| Run `chdef -t site xcatsslversion=' to update your system to |:+-+-+-+-+-+-+-+");
+        xCAT::MsgUtils->message('I',
+            "| the new default value. See `man site' for more details. |:+-+-+-+-+-+-+-+");
+        xCAT::MsgUtils->message('I',
+            "+--------------------------------------------------------------+:|W|A|R|N|I|N|G|");
+        xCAT::MsgUtils->message('I',
+            " ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::+-+-+-+-+-+-+-+");
     }
 }
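Review bot: The banner is emitted with severity `'I'` in all ten calls although its content is a warning, so anything that filters or routes MsgUtils output by level will treat it as informational; `xCAT::MsgUtils->message('W', ...)` carries the intended severity, assuming this script's MsgUtils accepts `'W'` as it does elsewhere in xCAT. Splitting the banner into ten separate message() calls also means each line is handled as an independent message, so any per-message prefix or log record would break the art up; one call with the lines joined by `"\n"` keeps it intact, though the hunk does not show how message() renders embedded newlines. The condition on `$::RUNCMD_RC` is unchanged context here, and sub initDB starts outside the hunk.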