From 6bbc9b0ef11fe8c9a3d10e9d14709f0fcd32ec05 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Besson?= Date: Fri, 25 Aug 2023 12:41:22 +0100 Subject: [PATCH 1/3] omero admin start: add warning for deprecated TLS protocols The message should be raised either if omero.glacier2.IceSSL.Protocols is unset or if TLS 1.0 or 1.1 are found in the list of allowed protocols --- src/omero/plugins/admin.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/omero/plugins/admin.py b/src/omero/plugins/admin.py index 31b97ae97..000803d58 100755 --- a/src/omero/plugins/admin.py +++ b/src/omero/plugins/admin.py @@ -800,6 +800,21 @@ def startasync(self, args, config): "sysadmins/server-performance.html?highlight=poolsize\n" "for more information.") + ssl_protocols = config.get("omero.glacier2.IceSSL.Protocols", "") + # TLS 1.0 and 1.1 were deprecated in https://datatracker.ietf.org/doc/html/rfc8996 + # Both protocols are included in the default value of IceSSL.Protocols + # https://doc.zeroc.com/ice/3.6/property-reference/icessl#id-.IceSSL.*v3.6-IceSSL.Protocols + has_deprecated_tls = ( + ssl_protocols == "" or + "TLS1_0" in ssl_protocols or + "TLS1_1" in ssl_protocols + ) + if has_deprecated_tls: + self.ctx.out( + "WARNING: Your server is configured to allow a deprecated TLS protocol.\n" + "\nPlease refer to https://omero.readthedocs.io/en/stable/sysadmins/server-upgrade.html" + " for instructions on how to upgrade the protocols.") + self._initDir() # Do a check to see if we've started before. self._regdata() From 0659f4ec827ae9f79c836521b29720130748b3de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Besson?= Date: Sat, 26 Aug 2023 08:30:38 +0100 Subject: [PATCH 2/3] Use ConfigXml getter to access SSL Protocols value --- src/omero/plugins/admin.py | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/src/omero/plugins/admin.py b/src/omero/plugins/admin.py index 000803d58..124769bb0 100755 
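Review bot: The new has_deprecated_tls test matches `TLS1_0`/`TLS1_1` only as case-sensitive substrings, so an `SSL3` entry — a value Ice 3.6 accepts for IceSSL.Protocols and one RFC 7568 prohibits outright — starts the server without any warning, and a lower-case spelling would slip through too if IceSSL parses protocol names case-insensitively, which I believe it does but cannot confirm from this page. Patches 2 and 3 keep the same substring test, so the gap survives the whole series. Tokenising and normalising the value closes both holes: `allowed = set(ssl_protocols.upper().replace(",", " ").split())` followed by `has_deprecated_tls = not allowed or bool(allowed & {"SSL3", "TLS1_0", "TLS1_1"})`, with the warning text widened from "deprecated TLS protocol" so it also covers SSL 3.0. startasync continues outside the hunk on both sides.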
--- a/src/omero/plugins/admin.py +++ b/src/omero/plugins/admin.py @@ -800,20 +800,21 @@ def startasync(self, args, config): "sysadmins/server-performance.html?highlight=poolsize\n" "for more information.") - ssl_protocols = config.get("omero.glacier2.IceSSL.Protocols", "") - # TLS 1.0 and 1.1 were deprecated in https://datatracker.ietf.org/doc/html/rfc8996 + # Warn if deprecated TLS 1.0 and 1.1 protocols are allowed + # See https://datatracker.ietf.org/doc/html/rfc8996 # Both protocols are included in the default value of IceSSL.Protocols # https://doc.zeroc.com/ice/3.6/property-reference/icessl#id-.IceSSL.*v3.6-IceSSL.Protocols - has_deprecated_tls = ( - ssl_protocols == "" or - "TLS1_0" in ssl_protocols or - "TLS1_1" in ssl_protocols - ) - if has_deprecated_tls: - self.ctx.out( - "WARNING: Your server is configured to allow a deprecated TLS protocol.\n" - "\nPlease refer to https://omero.readthedocs.io/en/stable/sysadmins/server-upgrade.html" - " for instructions on how to upgrade the protocols.") + DEPRECATED_TLS_MESSAGE = ( + "Your server is configured to allow a deprecated TLS protocol." + "\n\nPlease refer to https://omero.readthedocs.io/en/stable/" + "sysadmins/server-upgrade.html for instructions on how to " + "upgrade the protocols.") + try: + ssl_protocols = config["omero.glacier2.IceSSL.Protocols"] + if ("TLS1_0" in ssl_protocols or "TLS1_1" in ssl_protocols): + self.ctx.out("WARNING: " + DEPRECATED_TLS_MESSAGE) + except KeyError: + self.ctx.out("WARNING: " + DEPRECATED_TLS_MESSAGE) self._initDir() # Do a check to see if we've started before. From 8c5b661275537534188a850167755948b06b7224 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Besson?= Date: Tue, 19 Sep 2023 14:14:36 +0100 Subject: [PATCH 3/3] Use relevant anchor to the server certificate section --- src/omero/plugins/admin.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/omero/plugins/admin.py b/src/omero/plugins/admin.py index 124769bb0..598fa348d 100755 
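Review bot: The rewritten check warns on a missing key but no longer on an explicitly empty value: patch 1's `ssl_protocols == "" or` clause is dropped, so `omero.glacier2.IceSSL.Protocols=` (empty) is silent even though, if Ice treats an empty property like an unset one, the default list containing TLS 1.0 and 1.1 applies. The `try` body also wraps the warning call rather than only the lookup that can raise KeyError, and the warning is emitted from two places. Keeping the lookup alone inside `try`, mapping KeyError to an empty value and testing once handles both cases with a single `self.ctx.out` call. startasync's body continues outside the hunk.
```python
        # … unchanged: DEPRECATED_TLS_MESSAGE definition …
        try:
            ssl_protocols = config["omero.glacier2.IceSSL.Protocols"]
        except KeyError:
            ssl_protocols = ""
        # an empty value is treated like an unset one (both presumably fall
        # back to Ice's default list, which includes TLS 1.0 and 1.1)
        if (not ssl_protocols or "TLS1_0" in ssl_protocols
                or "TLS1_1" in ssl_protocols):
            self.ctx.out("WARNING: " + DEPRECATED_TLS_MESSAGE)
```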
--- a/src/omero/plugins/admin.py +++ b/src/omero/plugins/admin.py @@ -807,8 +807,8 @@ def startasync(self, args, config): DEPRECATED_TLS_MESSAGE = ( "Your server is configured to allow a deprecated TLS protocol." "\n\nPlease refer to https://omero.readthedocs.io/en/stable/" - "sysadmins/server-upgrade.html for instructions on how to " - "upgrade the protocols.") + "sysadmins/server-upgrade.html#server-certificates for " + "instructions on how to upgrade your configuration.") try: ssl_protocols = config["omero.glacier2.IceSSL.Protocols"] if ("TLS1_0" in ssl_protocols or "TLS1_1" in ssl_protocols):