omero admin start: add warning for deprecated TLS protocols

The message should be raised either if omero.glacier2.IceSSL.Protocols is unset or if TLS 1.0 or 1.1 are found in the list of allowed protocols
ome · Aug 25, 2023 · 6bbc9b0 · 6bbc9b0
1 parent 7c2f644
commit 6bbc9b0
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/src/omero/plugins/admin.py b/src/omero/plugins/admin.py
@@ -800,6 +800,21 @@ def startasync(self, args, config):
                 "sysadmins/server-performance.html?highlight=poolsize\n"
                 "for more information.")
 
+        ssl_protocols = config.get("omero.glacier2.IceSSL.Protocols", "")
+        # TLS 1.0 and 1.1 were deprecated in https://datatracker.ietf.org/doc/html/rfc8996
+        # Both protocols are included in the default value of IceSSL.Protocols
+        # https://doc.zeroc.com/ice/3.6/property-reference/icessl#id-.IceSSL.*v3.6-IceSSL.Protocols
+        has_deprecated_tls = (
+            ssl_protocols == "" or
+            "TLS1_0" in ssl_protocols or
+            "TLS1_1" in ssl_protocols
+        )
+        if has_deprecated_tls:
+            self.ctx.out(
+                "WARNING: Your server is configured to allow a deprecated TLS protocol.\n"
+                "\nPlease refer to https://omero.readthedocs.io/en/stable/sysadmins/server-upgrade.html"
+                " for instructions on how to upgrade the protocols.")
+
         self._initDir()
         # Do a check to see if we've started before.
         self._regdata()