Merge remote-tracking branch 'origin/issue-17'

source/pdp/configuration.rst

@@ -98,6 +98,18 @@ SECURITY section
         - No
         - false
 
+    *
+        - tlsProtocol
+        - Which TLS protocol should be used whent HTTPS is enabled. Available values: TLS (default), TLSv1.2, TLSv1.1.
+        - No
+        - TLS
+
+    *
+        - enabledProtocols
+        - Specifies the TLS protocol versions to be enabled for use on the connection. The standard names that can be passed are, for example: TLSv1.2, TLSv1.1 and TLSv1.
+        - No
+        - None
+
     *
         - requireClientCertAuthentication
         - Indicates whether the client must use a valid client certificate to authenticate to the PDP
@@ -126,6 +138,7 @@ PDP configuration file.
     trustInfoDir = /etc/grid-security/certificates
     # HTTPS enabled
     enableSSL = true
+    tlsProtocol = TLS
 
 Advanced Configuration Options
 ------------------------------
@@ -195,15 +208,21 @@ POLICY section
 SECURITY section
 ~~~~~~~~~~~~~~~~
 
-+-----------------------+---------------------------------------------------------------------------------------------------------------+-----------+------------------+
-| Property              | Description                                                                                                   | Required? | Default Value    |
-+=======================+===============================================================================================================+===========+==================+
-| trustInfoRefresh      | The frequency, in minutes, that the trust material specified by ``trustInfoDir`` will be checked for updates. | N         | 60 (1 hour)      |
-+-----------------------+---------------------------------------------------------------------------------------------------------------+-----------+------------------+
-| messageValidityPeriod | The number of seconds, from the time a message is issued, until it is considered expired.                     | N         | 300s (5 minutes) |
-+-----------------------+---------------------------------------------------------------------------------------------------------------+-----------+------------------+
-| clockSkew             | The allowance, in seconds, used when computing validity periods.                                              | N         | 30s              |
-+-----------------------+---------------------------------------------------------------------------------------------------------------+-----------+------------------+
++-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------+------------------+
+| Property              | Description                                                                                                                                                                       | Required? | Default Value    |
++=======================+===================================================================================================================================================================================+===========+==================+
+| trustInfoRefresh      | The frequency, in minutes, that the trust material specified by ``trustInfoDir`` will be checked for updates.                                                                     | N         | 60 (1 hour)      |
++-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------+------------------+
+| messageValidityPeriod | The number of seconds, from the time a message is issued, until it is considered expired.                                                                                         | N         | 300s (5 minutes) |
++-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------+------------------+
+| clockSkew             | The allowance, in seconds, used when computing validity periods.                                                                                                                  | N         | 30s              |
++-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------+------------------+
+| enableSSL             | Enable HTTPS on the service port (SSL/TLS). The ``serviceCertificate``, ``servicePrivateKey``, and ``trustInfoDir`` properties must also be defined in order to use this setting. | N         | false            |
++-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------+------------------+
+| tlsProtocol           | Which TLS protocol should be used whent HTTPS is enabled. Available values: TLS (default), TLSv1.2, TLSv1.1.                                                                      | N         | TLS              |
++-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------+------------------+
+| enabledProtocols      | Specifies the TLS protocol versions to be enabled for use on the connection. The standard names that can be passed are, for example: TLSv1.2, TLSv1.1 and TLSv1                   | N         | None             |
++-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------+------------------+
 
 
 .. _argus-pdp-conf-env-file:

source/pep/pepd_configuration.rst

@@ -109,6 +109,10 @@ SECURITY section
 +-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+---------------+
 | ``enableSSL``                       | Enable HTTPS on the service port (SSL/TLS). The ``serviceCertificate``, ``servicePrivateKey``, and ``trustInfoDir`` properties must also be defined in order to use this setting. | N                                                               | false         |
 +-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+---------------+
+| ``tlsProtocol``                     | Which TLS protocol should be used whent HTTPS is enabled. Available values: TLS (default), TLSv1.2, TLSv1.1.                                                                      | N                                                               | TLS           |
++-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+---------------+
+| ``enabledProtocols``                | Specifies the TLS protocol versions to be enabled for use on the connection. The standard names that can be passed are, for example: TLSv1.2, TLSv1.1 and TLSv1                   | N                                                               | None          |
++-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+---------------+
 | ``requireClientCertAuthentication`` | The client must have a valid X.509 client certificate to authenticate to the PEP Server                                                                                           | N                                                               | true          |
 +-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+---------------+
 
@@ -150,6 +154,7 @@ matches the name section configuring the PIP. Also note that the
     serviceCertificate = /etc/grid-security/hostcert.pem
     trustInfoDir = /etc/grid-security/certificates
     enableSSL = true
+    tlsProtocol = TLS
     requireClientCertAuthentication = true
 
     [REQVALIDATOR_PIP]

source/release_notes.rst

@@ -7,9 +7,8 @@ Latest release:
 
 .. toctree::
    :maxdepth: 1
-
-   release_notes/v_1_7_3.rst
 
+   release_notes/v_1_7_3
 
 Older releases:
 

source/release_notes/v_1_7_3.rst

@@ -3,9 +3,9 @@
 Argus 1.7.3 (24-09-2022)
 ========================
 
-The Argus 1.7.3 release allows TLS configuration for all the main services
-and includes a fix for the PEP policy parser in order to not fail in case
-of quoted commas or empty values for ``subjectdn``.
+The Argus 1.7.3 release allows TLS protocol version to be configured on
+pdp and pep server components and includes a fix for the PEP policy parser
+in order to not fail in case of quoted commas or empty values for ``subjectdn``.
 
 Updated components
 ~~~~~~~~~~~~~~~~~~