Disable SSLv3 for Tomcat7, JBoss7, brooklyn-rest-server
Project: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/commit/b726bd9d Tree: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/tree/b726bd9d Diff: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/diff/b726bd9d Branch: refs/heads/master Commit: b726bd9d8b17f92a585ffb329d32ad2d7b643a7b Parents: 7234b83 Author: Svetoslav Neykov <[email protected]> Authored: Tue Jan 27 16:56:46 2015 +0200 Committer: Svetoslav Neykov <[email protected]> Committed: Tue Jan 27 16:56:46 2015 +0200 ---------------------------------------------------------------------- .../resources/brooklyn/entity/webapp/jboss/jboss7-standalone.xml | 2 +- .../src/main/resources/brooklyn/entity/webapp/tomcat/server.xml | 2 +- .../src/main/java/brooklyn/launcher/BrooklynWebServer.java | 2 ++ 3 files changed, 4 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/b726bd9d/software/webapp/src/main/resources/brooklyn/entity/webapp/jboss/jboss7-standalone.xml ----------------------------------------------------------------------
diff --git a/software/webapp/src/main/resources/brooklyn/entity/webapp/jboss/jboss7-standalone.xml b/software/webapp/src/main/resources/brooklyn/entity/webapp/jboss/jboss7-standalone.xml
index c82633e..1e0f6c1 100644
--- a/software/webapp/src/main/resources/brooklyn/entity/webapp/jboss/jboss7-standalone.xml
+++ b/software/webapp/src/main/resources/brooklyn/entity/webapp/jboss/jboss7-standalone.xml
@@ -257,7 +257,7 @@ <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" enabled="${entity.httpEnabled?string}"/> [#if entity.httpsEnabled] <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true" enabled="${entity.httpsEnabled?string}"> - <ssl key-alias="${entity.httpsSslKeyAlias}" password="${entity.httpsSslKeystorePassword}" certificate-key-file="${entity.httpsSslKeystoreFile}"/> + <ssl key-alias="${entity.httpsSslKeyAlias}" password="${entity.httpsSslKeystorePassword}" certificate-key-file="${entity.httpsSslKeystoreFile}" protocol="TLSv1,TLSv1.1,TLSv1.2"/> </connector> [/#if] <virtual-server name="default-host" enable-welcome-root="${entity.welcomeRootEnabled?string}"> http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/b726bd9d/software/webapp/src/main/resources/brooklyn/entity/webapp/tomcat/server.xml ---------------------------------------------------------------------- diff --git a/software/webapp/src/main/resources/brooklyn/entity/webapp/tomcat/server.xml b/software/webapp/src/main/resources/brooklyn/entity/webapp/tomcat/server.xml index df1360c..5fab4f2 100644 --- a/software/webapp/src/main/resources/brooklyn/entity/webapp/tomcat/server.xml +++ b/software/webapp/src/main/resources/brooklyn/entity/webapp/tomcat/server.xml @@ -93,7 +93,7 @@ <Connector port="${driver.httpsPort?c}" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" keystoreFile="${driver.httpsSslKeystoreFile}" keystorePass="${entity.httpsSslKeystorePassword}" - clientAuth="false" sslProtocol="TLS" /> + clientAuth="false" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" /> [/#if] <!-- Define an AJP 1.3 Connector on port 8009 --> http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/b726bd9d/usage/launcher/src/main/java/brooklyn/launcher/BrooklynWebServer.java ---------------------------------------------------------------------- 
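Review bot: The protocol allowlist is hard-coded in the template (`protocol="TLSv1,TLSv1.1,TLSv1.2"` on the `<ssl>` element), and the Tomcat `server.xml` hunk that follows hard-codes the same set in `sslEnabledProtocols`, so a later tightening has to be repeated in each file. Both lists keep TLSv1 and TLSv1.1 enabled; a template comment next to the attribute would record that this is deliberate, for example `<!-- SSLv3 intentionally omitted; keep in step with tomcat/server.xml and BrooklynWebServer -->`. Whether the JBoss 7 web subsystem that Brooklyn installs accepts a comma-separated value in `protocol` cannot be seen from the hunk, so a test that starts the entity and checks that an SSLv3 handshake is refused would confirm the change takes effect. The `<connector>` element and the surrounding subsystem start outside the hunk.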
diff --git a/usage/launcher/src/main/java/brooklyn/launcher/BrooklynWebServer.java b/usage/launcher/src/main/java/brooklyn/launcher/BrooklynWebServer.java index e8a9cb6..4cf01f7 100644 --- a/usage/launcher/src/main/java/brooklyn/launcher/BrooklynWebServer.java +++ b/usage/launcher/src/main/java/brooklyn/launcher/BrooklynWebServer.java @@ -417,6 +417,8 @@ public class BrooklynWebServer { sslContextFactory.setTrustStorePassword(trustStorePassword); } + sslContextFactory.addExcludeProtocols("SSLv3"); + SslSocketConnector sslSocketConnector = new SslSocketConnector(sslContextFactory); sslSocketConnector.setPort(actualPort); server.addConnector(sslSocketConnector);
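Review bot: `sslContextFactory.addExcludeProtocols("SSLv3")` is a denylist, whereas the two templates in this commit name the permitted TLS versions explicitly, so the REST server's protocol set still depends on whatever else the JVM and Jetty enable by default. An allowlist would keep the three servers consistent: `sslContextFactory.setIncludeProtocols("TLSv1", "TLSv1.1", "TLSv1.2");`. A one-line comment above the call would also protect it during later refactoring, e.g. `// SSLv3 is disabled on purpose; keep this when changing connector setup`. The enclosing method starts and ends outside the hunk, so it cannot be confirmed from here that every HTTPS path passes through this call.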
