1.7.1-0 release (#745)

* Increase WQL_MAX_SYMBOLS to 256 * Solaris 10X86 installtion issue * ssl cipher suite defaults * Fixes OMI Selinux semodule issue. * sslv3 tls1 ciphersuite defaults
microsoft · Aug 3, 2023 · cc6e573 · cc6e573
1 parent 170d375
commit cc6e573
Show file tree

Hide file tree

Showing 8 changed files with 17 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -144,7 +144,8 @@ NoSSLv3            | When `true`, the SSLv3 protocol is disabled. If NoSSLv2 and
 NoTLSv1_0          | When `true`, the TLSv1.0 protocol is disabled
 NoTLSv1_1          | When `true`, and if available on the platform, the TLSv1.1 protocol is disabled
 NoTLSv1_2          | When `true`, and if available on the platform, the TLSv1.2 protocol is disabled
-sslciphersuite     | The prioritized list of allowed SSL/TLS ciphers. For example, set `sslciphersuite=ALL:!SSLv2:!SSLv3:!TLSv1:!RC4-MD5:!RC4-SHA:!SEED-SHA` in `/etc/opt/omi/conf/omiserver.conf` to disable all SSLv2,SSLv3,TLSv1 ciphers and 3 weak ciphers: RC4-MD5,RC4-SHA,SEED-SHA; then run `sudo /opt/omi/bin/service_control restart` to take effect, for more information, check `man ciphers` or search internet with `openssl man ciphers` 
+sslciphersuite     | The prioritized list of allowed SSL/TLS ciphers. For example, set ## The prioritized list of allowed SSL/TLS `sslciphersuite=ALL:!SSLv2:!SSLv3:!TLSv1:!TLSv0:!CBC:!RC4-MD5:!RC4-SHA:!SEED-SHA` in `/etc/opt/omi/conf/omiserver.conf` to disable all SSLv2,SSLv3,TLSv1,TLSv0 ciphers and other weak ciphers: ##CBC,RC4-MD5,RC4-SHA,SEED-SHA; then run `sudo /opt/omi/bin/service_control restart` to take effect, for more information, check `man ciphers` or search internet with `openssl man ciphers` 
+
 
 ### Configuring OMI Client
 

diff --git a/Unix/buildtool b/Unix/buildtool
@@ -1591,8 +1591,8 @@ if [ "$arg1" = "openssllibdir" ]; then
                 fi
                 ;;
             SUNOS_I86PC_SUNPRO)
-                if [ -f "/usr/sfw/lib/libssl.so" ]; then
-                    libdir=/usr/sfw/lib
+                if [ -f "/usr/lib/libssl.so" ]; then
+                    libdir=/usr/lib
                 fi
                 ;;
             SUNOS_SPARC_SUNPRO)

diff --git a/Unix/etc/omicli.conf b/Unix/etc/omicli.conf
@@ -46,4 +46,4 @@ NoSSLv3=true
 NoTLSv1_0=true
 NoTLSv1_1=true
 NoTLSv1_2=false
-NoSSLCompression=true
+NoSSLCompression=true
diff --git a/Unix/etc/omiserver.conf b/Unix/etc/omiserver.conf
@@ -60,6 +60,13 @@ NoTLSv1_1=true
 NoTLSv1_2=false
 NoSSLCompression=true
 
+##
+## This section is for TLS enabled ciphers
+## The prioritized list of allowed SSL/TLS ciphers. For example, set `sslciphersuite=ALL:!SSLv2:!SSLv3:!TLSv1:!TLSv0:!CBC:!RC4-MD5:!RC4-SHA:!SEED-SHA` in `/etc/opt/omi/conf/omiserver.conf` to disable all SSLv2,SSLv3,TLSv1,TLSv0 ciphers and other weak ciphers: ##CBC,RC4-MD5,RC4-SHA,SEED-SHA; then run `sudo /opt/omi/bin/service_control restart` to take effect, for more information, check `man ciphers` or search internet with `openssl man ciphers` 
+## Note : Disabling TLSv1 and SSLv3 on some older implemetation of openssl doesn't work well. In such cases, either update the openssl version or update the below sslciphersuite value accordingly
+##
+sslciphersuite=ALL:!SSLv2:!SSLv3:!TLSv1:!TLSv0:!CBC:!RC4-MD5:!RC4-SHA:!SEED-SHA
+
 ##
 ## NtlmCredsFile -- credentials file for NTLM authentication
 ##

diff --git a/Unix/installbuilder/datafiles/Base_OMI.data b/Unix/installbuilder/datafiles/Base_OMI.data
@@ -366,9 +366,9 @@ SHA1="sha1"
     export LD_LIBRARY_PATH
     OPENSSL_PATH="/usr/local/bin/openssl"
 #elseif PFMINOR == 10
-    LD_LIBRARY_PATH=/usr/sfw/lib
+    LD_LIBRARY_PATH=/usr/lib
     export LD_LIBRARY_PATH
-    OPENSSL_PATH="/usr/sfw/bin/openssl"
+    OPENSSL_PATH="/usr/bin/openssl"
 #endif
 #endif
 

diff --git a/Unix/installbuilder/datafiles/Linux.data b/Unix/installbuilder/datafiles/Linux.data
@@ -333,7 +333,7 @@ if [ -e /usr/sbin/semodule ]; then
     echo "System appears to have SELinux installed, attempting to install selinux policy module for logrotate"
     echo "  Trying ${{SEPKG_DIR_OMI}}/omi-logrotate.pp ..."
     sestatus=`sestatus|grep status|awk '{print $3}'`
-    if [ -e /usr/bin/dpkg-deb -a "$sestatus" = "disabled" ]; then
+    if [ "$sestatus" = "disabled" ]; then
         echo "INFO: omi-logrotate selinux policy module has not yet installed due to selinux is disabled."
         echo "When enabling selinux, load omi-logrotate module manually with following commands for logrotate feature to work properly for omi logs."
         echo "/usr/sbin/semodule -i $SEPKG_DIR_OMI/omi-logrotate.pp >/dev/null 2>&1"

diff --git a/Unix/installbuilder/service_scripts/omid.sun10 b/Unix/installbuilder/service_scripts/omid.sun10
@@ -27,7 +27,7 @@ OMI_BINDIR=$OMI_HOME/bin
 OMI_LIBDIR=$OMI_HOME/lib
 
 # Where to find needed libs
-LD_LIBRARY_PATH=/usr/local/lib:/usr/sfw/lib:$OMI_LIBDIR
+LD_LIBRARY_PATH=/usr/local/lib:/usr/lib:/usr/sfw/lib:$OMI_LIBDIR
 export LD_LIBRARY_PATH
 
 #TEMPLATE_CODEVOV_ENV#

diff --git a/Unix/wql/wql.h b/Unix/wql/wql.h
@@ -20,7 +20,7 @@ extern "C" {
 #endif
 
 #define WQL_MAX_PROPERTIES 128
-#define WQL_MAX_SYMBOLS 128
+#define WQL_MAX_SYMBOLS 256
 
 /* Type of symbol appearing in the WHERE clause */
 typedef enum _WQL_Type