CLOUDSTACK-8160: use preferable protocols Signed-off-by: Rohit Yadav <[email protected]>
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/debfcdef Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/debfcdef Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/debfcdef Branch: refs/heads/4.5 Commit: debfcdef788ce0d51be06db0ef10f6815f9b563b Parents: ed69d58 Author: Rohit Yadav <[email protected]> Authored: Wed Jan 21 18:01:34 2015 +0530 Committer: Rohit Yadav <[email protected]> Committed: Wed Jan 21 18:02:58 2015 +0530 ---------------------------------------------------------------------- client/tomcatconf/server-nonssl.xml.in | 2 +- client/tomcatconf/server-ssl.xml.in | 2 +- client/tomcatconf/server7-nonssl.xml.in | 2 +- client/tomcatconf/server7-ssl.xml.in | 2 +- .../manager/ClusteredAgentManagerImpl.java | 2 + .../mom/rabbitmq/RabbitMQEventBus.java | 7 ++- .../resource/XenServerConnectionPool.java | 4 +- .../opendaylight/api/NeutronRestApi.java | 19 ++++++-- .../cloud/network/utils/HttpClientWrapper.java | 4 +- .../storage/datastore/util/ElastistorUtil.java | 3 +- .../datastore/util/NexentaNmsClient.java | 4 +- .../storage/datastore/util/SolidFireUtil.java | 4 +- pom.xml | 7 +-- .../main/java/streamer/SocketWrapperImpl.java | 2 +- .../ConsoleProxySecureServerFactoryImpl.java | 6 ++- .../com/cloud/consoleproxy/util/RawHTTP.java | 25 +++++----- .../etc/apache2/sites-available/default-ssl | 1 + .../debian/config/etc/apache2/vhostexample.conf | 1 + systemvm/scripts/config_ssl.sh | 2 + test/pom.xml | 2 +- utils/src/com/cloud/utils/nio/Link.java | 5 +- utils/src/com/cloud/utils/nio/NioClient.java | 3 ++ .../src/com/cloud/utils/nio/NioConnection.java | 3 ++ .../cloud/utils/rest/RESTServiceConnector.java | 20 ++++++-- .../cloudstack/utils/security/SSLUtils.java | 51 ++++++++++++++++++++ .../ssl/EasySSLProtocolSocketFactory.java | 24 ++++++--- .../hypervisor/vmware/util/VmwareClient.java | 4 +- .../hypervisor/vmware/util/VmwareContext.java | 3 +- 28 files 
changed, 162 insertions(+), 52 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/client/tomcatconf/server-nonssl.xml.in ---------------------------------------------------------------------- diff --git a/client/tomcatconf/server-nonssl.xml.in b/client/tomcatconf/server-nonssl.xml.in index 847197c..e0debe4 100755 --- a/client/tomcatconf/server-nonssl.xml.in +++ b/client/tomcatconf/server-nonssl.xml.in @@ -82,7 +82,7 @@ <!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" - clientAuth="false" sslProtocol="TLS" + clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1" keystoreType="PKCS12" keystoreFile="conf\cloud-localhost.pk12" keystorePass="password" http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/client/tomcatconf/server-ssl.xml.in ---------------------------------------------------------------------- diff --git a/client/tomcatconf/server-ssl.xml.in b/client/tomcatconf/server-ssl.xml.in index 37bc53d..2e61251 100755 --- a/client/tomcatconf/server-ssl.xml.in +++ b/client/tomcatconf/server-ssl.xml.in @@ -82,7 +82,7 @@ <!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" - clientAuth="false" sslProtocol="TLS" + clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1" keystoreType="PKCS12" keystoreFile="conf\cloud-localhost.pk12" keystorePass="password" http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/client/tomcatconf/server7-nonssl.xml.in ---------------------------------------------------------------------- diff --git a/client/tomcatconf/server7-nonssl.xml.in b/client/tomcatconf/server7-nonssl.xml.in index 16085d7..7ea251a 100755 --- a/client/tomcatconf/server7-nonssl.xml.in +++ b/client/tomcatconf/server7-nonssl.xml.in 
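Review bot: The added `sslEnabledProtocols="TLSv1.2,TLSv1.1"` attribute lands on a connector that sits inside an XML comment (the context line above it begins with `<!--`), so this hunk changes the sample configuration only and not a connector Tomcat actually starts; the same holds for the server-ssl, server7-nonssl and server7-ssl hunks. If the active HTTPS connector is defined elsewhere in these templates it needs the same attribute, otherwise the server keeps the JSSE default protocol set. A sentence inside the existing comment block stating that the live connector must carry the same `sslEnabledProtocols` value would make that dependency visible.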
@@ -82,7 +82,7 @@ <!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" - clientAuth="false" sslProtocol="TLS" + clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1" keystoreType="PKCS12" keystoreFile="conf\cloud-localhost.pk12" keystorePass="password" http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/client/tomcatconf/server7-ssl.xml.in ---------------------------------------------------------------------- diff --git a/client/tomcatconf/server7-ssl.xml.in b/client/tomcatconf/server7-ssl.xml.in index e8f3f10..97421ba 100755 --- a/client/tomcatconf/server7-ssl.xml.in +++ b/client/tomcatconf/server7-ssl.xml.in @@ -82,7 +82,7 @@ <!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" - clientAuth="false" sslProtocol="TLS" + clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1" keystoreType="PKCS12" keystoreFile="conf\cloud-localhost.pk12" keystorePass="password" http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java ---------------------------------------------------------------------- diff --git a/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java b/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java index 93d675f..72d7c3b 100755 --- a/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java +++ b/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java 
@@ -53,6 +53,7 @@ import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.managed.context.ManagedContextRunnable;
 import org.apache.cloudstack.managed.context.ManagedContextTimerTask;
 import org.apache.cloudstack.utils.identity.ManagementServerNode;
+import org.apache.cloudstack.utils.security.SSLUtils;
 import com.cloud.agent.AgentManager;
 import com.cloud.agent.api.Answer;
@@ -505,6 +506,7 @@ public class ClusteredAgentManagerImpl extends AgentManagerImpl implements Clust
 SSLContext sslContext = Link.initSSLContext(true);
 sslEngine = sslContext.createSSLEngine(ip, Port.value());
 sslEngine.setUseClientMode(true);
+ sslEngine.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslEngine.getEnabledProtocols()));
 Link.doHandshake(ch, sslEngine, true);
 s_logger.info("SSL: Handshake done");
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
----------------------------------------------------------------------
diff --git a/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java b/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
index 2d389f2..25ecb75 100644
--- a/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
+++ b/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
@@ -59,6 +59,7 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus {
 private static Integer port;
 private static String username;
 private static String password;
+ private static String secureProtocol = "TLSv1.2";
 public synchronized static void setVirtualHost(String virtualHost) {
 RabbitMQEventBus.virtualHost = virtualHost;
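Review bot: The added `setEnabledProtocols` call passes the engine whatever `SSLUtils.getSupportedProtocols` returns, and nothing here guards the case where that filter yields an empty array; `SSLEngine.setEnabledProtocols` accepts an empty list, and the handshake would then fail later with a less specific error than a check at this point would give. SSLUtils is outside this chunk, so if it guarantees a non-empty result a one-line comment on the added line would make that contract visible: `// SSLUtils narrows the enabled set to the preferred TLS versions; result is expected to be non-empty`. The identical line is added in the NioClient and NioConnection hunks. The enclosing method starts and ends outside the hunk.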
@@ -153,6 +154,10 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus {
 RabbitMQEventBus.port = port;
 }
+ public void setSecureProtocol(String protocol) {
+ RabbitMQEventBus.secureProtocol = protocol;
+ }
+
 @Override
 public void setName(String name) {
 this.name = name;
@@ -373,7 +378,7 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus {
 }
 if (useSsl != null && !useSsl.isEmpty() && useSsl.equalsIgnoreCase("true")) {
- factory.useSslProtocol();
+ factory.useSslProtocol(this.secureProtocol);
 }
 Connection connection = factory.newConnection();
 connection.addShutdownListener(disconnectHandler);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/XenServerConnectionPool.java
----------------------------------------------------------------------
diff --git a/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/XenServerConnectionPool.java b/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/XenServerConnectionPool.java
index d4360cf..a119c08 100644
--- a/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/XenServerConnectionPool.java
+++ b/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/XenServerConnectionPool.java
@@ -36,6 +36,8 @@ import org.apache.log4j.Logger;
 import org.apache.xmlrpc.XmlRpcException;
 import org.apache.xmlrpc.client.XmlRpcClientException;
+import org.apache.cloudstack.utils.security.SSLUtils;
+
 import com.xensource.xenapi.APIVersion;
 import com.xensource.xenapi.Connection;
 import com.xensource.xenapi.Host;
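Review bot: `setSecureProtocol` writes the new static field `secureProtocol` from an unsynchronized instance method, whereas the sibling setters in this class such as `setVirtualHost` (visible in the previous hunk) are declared `public synchronized static`; the added setter should follow that pattern, `public synchronized static void setSecureProtocol(String protocol) {`. The call site in the last hunk reads the static through `this.secureProtocol`, which compiles but reads as instance state; `RabbitMQEventBus.secureProtocol` matches how the rest of the class refers to these fields. The setter also accepts any string, so a null or unsupported name only surfaces when `useSslProtocol` runs during connect; a `Objects.requireNonNull(protocol, "protocol")` check, or at least a comment on the field such as `// JSSE protocol name handed to ConnectionFactory.useSslProtocol, e.g. "TLSv1.2"`, would help. The enclosing class continues outside the hunk.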
@@ -82,7 +84,7 @@ public class XenServerConnectionPool { javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1]; javax.net.ssl.TrustManager tm = new TrustAllManager(); trustAllCerts[0] = tm; - javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("TLS"); + javax.net.ssl.SSLContext sc = SSLUtils.getSSLContext(); sc.init(null, trustAllCerts, null); javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); HostnameVerifier hv = new HostnameVerifier() { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/plugins/network-elements/opendaylight/src/main/java/org/apache/cloudstack/network/opendaylight/api/NeutronRestApi.java ---------------------------------------------------------------------- diff --git a/plugins/network-elements/opendaylight/src/main/java/org/apache/cloudstack/network/opendaylight/api/NeutronRestApi.java b/plugins/network-elements/opendaylight/src/main/java/org/apache/cloudstack/network/opendaylight/api/NeutronRestApi.java index 8c67a98..63d81a8 100644 --- a/plugins/network-elements/opendaylight/src/main/java/org/apache/cloudstack/network/opendaylight/api/NeutronRestApi.java +++ b/plugins/network-elements/opendaylight/src/main/java/org/apache/cloudstack/network/opendaylight/api/NeutronRestApi.java @@ -19,6 +19,7 @@ package org.apache.cloudstack.network.opendaylight.api; +import org.apache.cloudstack.utils.security.SSLUtils; import java.io.IOException; import java.lang.reflect.Constructor; import java.lang.reflect.InvocationTargetException; @@ -33,6 +34,7 @@ import java.security.NoSuchAlgorithmException; import java.security.cert.X509Certificate; import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.TrustManager; import javax.net.ssl.X509TrustManager; 
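Review bot: The context created by the new `SSLUtils.getSSLContext()` line is still initialized with `TrustAllManager` on the very next line, so the stricter protocol selection this commit introduces does not restore peer authentication for the XenServer connection. That is pre-existing, but since this hunk is where the context is built, a marker on the added line keeps the gap visible for the next reader: `// TODO(security): protocol floor only; peer certificates are not validated (TrustAllManager)`. The same pairing of a hardened context with an all-trusting manager appears in the NeutronRestApi, HttpClientWrapper, ElastistorUtil, NexentaNmsClient, SolidFireUtil and RESTServiceConnector hunks, and on one branch in the Link hunk. The enclosing method starts and ends outside the hunk.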
@@ -175,7 +177,7 @@ public class NeutronRestApi {
 try {
 // Install the all-trusting trust manager
- SSLContext sc = SSLContext.getInstance("SSL");
+ SSLContext sc = SSLUtils.getSSLContext();
 sc.init(null, trustAllCerts, new java.security.SecureRandom());
 ssf = sc.getSocketFactory();
 } catch (KeyManagementException e) {
@@ -187,17 +189,23 @@ public class NeutronRestApi {
 @Override
 public Socket createSocket(final String host, final int port) throws IOException {
- return ssf.createSocket(host, port);
+ SSLSocket s = (SSLSocket) ssf.createSocket(host, port);
+ s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols()));
+ return s;
 }
 @Override
 public Socket createSocket(final String address, final int port, final InetAddress localAddress, final int localPort) throws IOException, UnknownHostException {
- return ssf.createSocket(address, port, localAddress, localPort);
+ SSLSocket s = (SSLSocket) ssf.createSocket(address, port, localAddress, localPort);
+ s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols()));
+ return s;
 }
 @Override
 public Socket createSocket(final Socket socket, final String host, final int port, final boolean autoClose) throws IOException, UnknownHostException {
- return ssf.createSocket(socket, host, port, autoClose);
+ SSLSocket s = (SSLSocket) ssf.createSocket(socket, host, port, autoClose);
+ s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols()));
+ return s;
 }
 @Override
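Review bot: The three `createSocket` overrides in the second hunk, and the timeout overload in the next one, each repeat the same cast-and-`setEnabledProtocols` pair, so the protocol policy now lives in four places in this file; a small private helper keeps it in one: `private static SSLSocket withPreferredProtocols(SSLSocket s) { s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols())); return s; }`, with each override reduced to `return withPreferredProtocols((SSLSocket) ssf.createSocket(host, port));`. The `(SSLSocket)` cast is only safe because `ssf` comes from `sc.getSocketFactory()` in the first hunk, which is worth a one-line comment since `SSLSocketFactory.createSocket` is declared to return `Socket`. The RESTServiceConnector hunks duplicate the same four blocks and would benefit from the same helper. The enclosing factory class starts before and ends after these hunks.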
@@ -207,7 +215,8 @@ public class NeutronRestApi { if (timeout == 0) { return createSocket(host, port, localAddress, localPort); } else { - Socket s = ssf.createSocket(); + SSLSocket s = (SSLSocket) ssf.createSocket(); + s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols())); s.bind(new InetSocketAddress(localAddress, localPort)); s.connect(new InetSocketAddress(host, port), timeout); return s; http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java ---------------------------------------------------------------------- diff --git a/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java b/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java index 8fdc82d..014cefb 100644 --- a/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java +++ b/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java @@ -27,6 +27,8 @@ import javax.net.ssl.SSLSocket; import javax.net.ssl.TrustManager; import javax.net.ssl.X509TrustManager; +import org.apache.cloudstack.utils.security.SSLUtils; + import org.apache.http.client.HttpClient; import org.apache.http.conn.ClientConnectionManager; import org.apache.http.conn.scheme.Scheme; @@ -39,7 +41,7 @@ public class HttpClientWrapper { public static HttpClient wrapClient(HttpClient base) { try { - SSLContext ctx = SSLContext.getInstance("TLS"); + SSLContext ctx = SSLUtils.getSSLContext(); X509TrustManager tm = new X509TrustManager() { @Override http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/plugins/storage/volume/cloudbyte/src/org/apache/cloudstack/storage/datastore/util/ElastistorUtil.java ---------------------------------------------------------------------- 
diff --git a/plugins/storage/volume/cloudbyte/src/org/apache/cloudstack/storage/datastore/util/ElastistorUtil.java b/plugins/storage/volume/cloudbyte/src/org/apache/cloudstack/storage/datastore/util/ElastistorUtil.java index 7f2da72..7e1a5cb 100755 --- a/plugins/storage/volume/cloudbyte/src/org/apache/cloudstack/storage/datastore/util/ElastistorUtil.java +++ b/plugins/storage/volume/cloudbyte/src/org/apache/cloudstack/storage/datastore/util/ElastistorUtil.java @@ -39,6 +39,7 @@ import javax.ws.rs.core.UriBuilder; import org.apache.http.auth.InvalidCredentialsException; import org.apache.log4j.Logger; +import org.apache.cloudstack.utils.security.SSLUtils; import com.google.gson.Gson; import com.google.gson.annotations.SerializedName; @@ -1086,7 +1087,7 @@ public class ElastistorUtil { // Install the all-trusting trust manager try { - SSLContext sc = SSLContext.getInstance("TLS"); + SSLContext sc = SSLUtils.getSSLContext(); sc.init(null, trustAllCerts, new SecureRandom()); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); HttpsURLConnection.setDefaultHostnameVerifier(hv); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/plugins/storage/volume/nexenta/src/org/apache/cloudstack/storage/datastore/util/NexentaNmsClient.java ---------------------------------------------------------------------- diff --git a/plugins/storage/volume/nexenta/src/org/apache/cloudstack/storage/datastore/util/NexentaNmsClient.java b/plugins/storage/volume/nexenta/src/org/apache/cloudstack/storage/datastore/util/NexentaNmsClient.java index ed1a780..c0cd51d 100644 --- a/plugins/storage/volume/nexenta/src/org/apache/cloudstack/storage/datastore/util/NexentaNmsClient.java +++ b/plugins/storage/volume/nexenta/src/org/apache/cloudstack/storage/datastore/util/NexentaNmsClient.java 
@@ -45,6 +45,8 @@ import org.apache.http.impl.client.DefaultHttpClient; import org.apache.http.impl.conn.BasicClientConnectionManager; import org.apache.log4j.Logger; +import org.apache.cloudstack.utils.security.SSLUtils; + import com.google.gson.Gson; import com.google.gson.annotations.SerializedName; @@ -80,7 +82,7 @@ public class NexentaNmsClient { protected DefaultHttpClient getHttpsClient() { try { - SSLContext sslContext = SSLContext.getInstance("SSL"); + SSLContext sslContext = SSLUtils.getSSLContext(); X509TrustManager tm = new X509TrustManager() { @Override public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java ---------------------------------------------------------------------- diff --git a/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java b/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java index e3be262..97f5b65 100644 --- a/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java +++ b/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java @@ -54,6 +54,8 @@ import org.apache.http.entity.StringEntity; import org.apache.http.impl.client.DefaultHttpClient; import org.apache.http.impl.conn.BasicClientConnectionManager; +import org.apache.cloudstack.utils.security.SSLUtils; + import com.google.gson.Gson; import com.google.gson.GsonBuilder; 
@@ -1606,7 +1608,7 @@ public class SolidFireUtil { private static DefaultHttpClient getHttpClient(int iPort) { try { - SSLContext sslContext = SSLContext.getInstance("SSL"); + SSLContext sslContext = SSLUtils.getSSLContext(); X509TrustManager tm = new X509TrustManager() { @Override public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/pom.xml ---------------------------------------------------------------------- diff --git a/pom.xml b/pom.xml index fa37138..b7f9e78 100644 --- a/pom.xml +++ b/pom.xml @@ -61,8 +61,9 @@ <cs.gson.version>1.7.2</cs.gson.version> <cs.guava.version>14.0-rc1</cs.guava.version> <cs.xapi.version>6.2.0-3.1</cs.xapi.version> - <cs.httpclient.version>3.1</cs.httpclient.version> - <cs.httpcore.version>4.2.1</cs.httpcore.version> + <cs.httpclient.version>4.3.6</cs.httpclient.version> + <cs.httpcore.version>4.3.3</cs.httpcore.version> + <cs.commons-httpclient.version>3.1</cs.commons-httpclient.version> <cs.mysql.version>5.1.21</cs.mysql.version> <cs.xstream.version>1.3.1</cs.xstream.version> <cs.xmlrpc.version>3.1.3</cs.xmlrpc.version> @@ -323,7 +324,7 @@ <dependency> <groupId>org.apache.httpcomponents</groupId> <artifactId>httpclient</artifactId> - <version>${cs.httpcore.version}</version> + <version>${cs.httpclient.version}</version> </dependency> <dependency> <groupId>com.thoughtworks.xstream</groupId> http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java ---------------------------------------------------------------------- diff --git a/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java b/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java index da89a0d..abb5b84 100755 --- a/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java 
+++ b/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java @@ -139,7 +139,7 @@ public class SocketWrapperImpl extends PipelineImpl implements SocketWrapper { SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory(); sslSocket = (SSLSocket)sslSocketFactory.createSocket(socket, address.getHostName(), address.getPort(), true); - + sslSocket.setEnabledProtocols(new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"}); sslSocket.startHandshake(); InputStream sis = sslSocket.getInputStream(); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java ---------------------------------------------------------------------- diff --git a/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java b/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java index 75d23b1..e15ddd4 100644 --- a/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java +++ b/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java @@ -21,6 +21,7 @@ import com.sun.net.httpserver.HttpServer; import com.sun.net.httpserver.HttpsConfigurator; import com.sun.net.httpserver.HttpsParameters; import com.sun.net.httpserver.HttpsServer; +import org.apache.cloudstack.utils.security.SSLUtils; import org.apache.log4j.Logger; import javax.net.ssl.KeyManagerFactory; @@ -71,7 +72,7 @@ public class ConsoleProxySecureServerFactoryImpl implements ConsoleProxyServerFa tmf.init(ks); s_logger.info("Trust manager factory is initialized"); - sslContext = SSLContext.getInstance("TLS"); + sslContext = SSLUtils.getSSLContext(); sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); s_logger.info("SSL context is initialized"); } catch (Exception ioe) { 
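Review bot: `sslSocket.setEnabledProtocols(new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"})` in the SocketWrapperImpl hunk hard-codes the list instead of deriving it from `SSLUtils.getSupportedProtocols(sslSocket.getEnabledProtocols())` as every other hunk in this commit does, so this is the one client whose policy drifts silently when SSLUtils changes. `SSLSocket.setEnabledProtocols` throws `IllegalArgumentException` for any name the runtime does not support, so a fixed list also ties the RDP path to JSSE builds that recognise all three names. If the rdpconsole module cannot depend on the utils module, a comment on the line stating that and that the list must be kept in step with SSLUtils should accompany it; otherwise switch to the shared helper. The enclosing method starts and ends outside the hunk.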
@@ -94,7 +95,7 @@ public class ConsoleProxySecureServerFactoryImpl implements ConsoleProxyServerFa tmf.init(ks); s_logger.info("Trust manager factory is initialized"); - sslContext = SSLContext.getInstance("TLS"); + sslContext = SSLUtils.getSSLContext(); sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); s_logger.info("SSL context is initialized"); } catch (Exception e) { @@ -139,6 +140,7 @@ public class ConsoleProxySecureServerFactoryImpl implements ConsoleProxyServerFa SSLServerSocket srvSock = null; SSLServerSocketFactory ssf = sslContext.getServerSocketFactory(); srvSock = (SSLServerSocket)ssf.createServerSocket(port); + srvSock.setEnabledProtocols(SSLUtils.getSupportedProtocols(srvSock.getEnabledProtocols())); s_logger.info("create SSL server socket on port: " + port); return srvSock; http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java ---------------------------------------------------------------------- diff --git a/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java b/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java index 2a115b2..8f78fb3 100644 --- a/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java +++ b/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java @@ -16,6 +16,8 @@ // under the License. package com.cloud.consoleproxy.util; +import org.apache.cloudstack.utils.security.SSLUtils; + import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; 
@@ -134,7 +136,15 @@ public final class RawHTTP {
 private Socket _getSocket() throws IOException {
 if (useSSL) {
- SSLContext context = getClientSSLContext();
+ SSLContext context = null;
+ try {
+ context = SSLUtils.getSSLContext("SunJSSE");
+ } catch (NoSuchAlgorithmException e) {
+ s_logger.error("Unexpected exception ", e);
+ } catch (NoSuchProviderException e) {
+ s_logger.error("Unexpected exception ", e);
+ }
+ if (context == null) throw new IOException("Unable to setup SSL context");
@@ -143,6 +153,7 @@ public final class RawHTTP {
 context.init(null, trustAllCerts, new SecureRandom());
 SocketFactory factory = context.getSocketFactory();
 ssl = (SSLSocket)factory.createSocket(host, port);
+ ssl.setEnabledProtocols(SSLUtils.getSupportedProtocols(ssl.getEnabledProtocols()));
 /* ssl.setSSLParameters(context.getDefaultSSLParameters()); */
 } catch (IOException e) {
 s_logger.error("IOException: " + e.getMessage(), e);
@@ -229,16 +240,4 @@ public final class RawHTTP {
 }
 }
 }
-
- private SSLContext getClientSSLContext() {
- SSLContext sslContext = null;
- try {
- sslContext = SSLContext.getInstance("SSL", "SunJSSE");
- } catch (NoSuchAlgorithmException e) {
- s_logger.error("Unexpected exception ", e);
- } catch (NoSuchProviderException e) {
- s_logger.error("Unexpected exception ", e);
- }
- return sslContext;
- }
 }
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl b/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl
index 0eea44d..6699f14 100644
--- a/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl
+++ b/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl
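Review bot: In the first `_getSocket` hunk the two catch blocks log the `NoSuchAlgorithmException` / `NoSuchProviderException` and then fall through to `if (context == null) throw new IOException("Unable to setup SSL context")`, so the exception the caller receives carries no cause and the only trace of the real failure is the log line. Throwing from inside each catch instead, `throw new IOException("Unable to setup SSL context", e);`, keeps the original exception attached and makes the null check redundant. Inlining the former `getClientSSLContext` helper (last hunk) is fine, but the `= null` initialisation of `context` exists only to serve that check and can go with it. `_getSocket` continues outside the hunk.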
@@ -42,6 +42,7 @@ # SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on + SSLProtocol all -SSLv2 -SSLv3 # A self-signed (snakeoil) certificate can be created by installing # the ssl-cert package. See http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/systemvm/patches/debian/config/etc/apache2/vhostexample.conf ---------------------------------------------------------------------- diff --git a/systemvm/patches/debian/config/etc/apache2/vhostexample.conf b/systemvm/patches/debian/config/etc/apache2/vhostexample.conf index c1bf8ea..70cb7dc 100644 --- a/systemvm/patches/debian/config/etc/apache2/vhostexample.conf +++ b/systemvm/patches/debian/config/etc/apache2/vhostexample.conf @@ -86,6 +86,7 @@ # SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on + SSLProtocol all -SSLv2 -SSLv3 # A self-signed (snakeoil) certificate can be created by installing # the ssl-cert package. See http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/systemvm/scripts/config_ssl.sh ---------------------------------------------------------------------- diff --git a/systemvm/scripts/config_ssl.sh b/systemvm/scripts/config_ssl.sh index 6971055..0659737 100755 --- a/systemvm/scripts/config_ssl.sh +++ b/systemvm/scripts/config_ssl.sh @@ -37,6 +37,7 @@ config_httpd_conf() { echo " DocumentRoot /var/www/html/" >> /etc/httpd/conf/httpd.conf echo " ServerName $srvr" >> /etc/httpd/conf/httpd.conf echo " SSLEngine on" >> /etc/httpd/conf/httpd.conf + echo " SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/httpd.conf echo " SSLCertificateFile /etc/httpd/ssl/certs/realhostip.crt" >> /etc/httpd/conf/httpd.conf echo " SSLCertificateKeyFile /etc/httpd/ssl/keys/realhostip.key" >> /etc/httpd/conf/httpd.conf echo "</VirtualHost>" >> /etc/httpd/conf/httpd.conf 
@@ -54,6 +55,7 @@ config_apache2_conf() { sed -i -e "s/NameVirtualHost .*:80/NameVirtualHost $ip:80/g" /etc/apache2/ports.conf sed -i 's/ssl-cert-snakeoil.key/cert_apache.key/' /etc/apache2/sites-available/default-ssl sed -i 's/ssl-cert-snakeoil.pem/cert_apache.crt/' /etc/apache2/sites-available/default-ssl + sed -i 's/SSLProtocol.*$/SSLProtocol all -SSLv2 -SSLv3/' /etc/apache2/sites-available/default-ssl if [ -f /etc/ssl/certs/cert_apache_chain.crt ] then sed -i -e "s/#SSLCertificateChainFile.*/SSLCertificateChainFile \/etc\/ssl\/certs\/cert_apache_chain.crt/" /etc/apache2/sites-available/default-ssl http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/test/pom.xml ---------------------------------------------------------------------- diff --git a/test/pom.xml b/test/pom.xml index 06cbcb9..6fa9013 100644 --- a/test/pom.xml +++ b/test/pom.xml @@ -67,7 +67,7 @@ <dependency> <groupId>commons-httpclient</groupId> <artifactId>commons-httpclient</artifactId> - <version>${cs.httpclient.version}</version> + <version>${cs.commons-httpclient.version}</version> </dependency> </dependencies> <build> http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/utils/src/com/cloud/utils/nio/Link.java ---------------------------------------------------------------------- diff --git a/utils/src/com/cloud/utils/nio/Link.java b/utils/src/com/cloud/utils/nio/Link.java index df2965a..971c253 100755 --- a/utils/src/com/cloud/utils/nio/Link.java +++ b/utils/src/com/cloud/utils/nio/Link.java @@ -44,6 +44,7 @@ import javax.net.ssl.SSLSession; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; +import org.apache.cloudstack.utils.security.SSLUtils; import org.apache.log4j.Logger; import com.cloud.utils.PropertiesUtil; 
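Review bot: The `sed -i 's/SSLProtocol.*$/SSLProtocol all -SSLv2 -SSLv3/'` added in the second config_ssl.sh hunk is unanchored, so it rewrites every line of default-ssl that contains the substring `SSLProtocol` anywhere, including commented-out examples or prose comments mentioning the directive if the file has any. Anchoring on the directive at the start of the line is more precise and still idempotent: `sed -i 's/^\([[:space:]]*\)SSLProtocol .*$/\1SSLProtocol all -SSLv2 -SSLv3/' /etc/apache2/sites-available/default-ssl`. Since the default-ssl template in this commit now ships the directive, the sed mainly matters for already-deployed system VMs; a one-line comment above it saying so would explain why both exist. `config_apache2_conf` starts outside the hunk.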
@@ -443,7 +444,7 @@ public class Link {
 tms[0] = new TrustAllManager();
 }
- sslContext = SSLContext.getInstance("TLS");
+ sslContext = SSLUtils.getSSLContext();
 sslContext.init(kmf.getKeyManagers(), tms, null);
 if (s_logger.isTraceEnabled()) {
 s_logger.trace("SSL: SSLcontext has been initialized");
@@ -465,7 +466,7 @@ public class Link {
 ByteBuffer out_pkgBuf = ByteBuffer.allocate(sslSession.getPacketBufferSize() + 40);
 ByteBuffer out_appBuf = ByteBuffer.allocate(sslSession.getApplicationBufferSize() + 40);
 int count;
- ch.socket().setSoTimeout(10 * 1000);
+ ch.socket().setSoTimeout(30 * 1000);
 InputStream inStream = ch.socket().getInputStream();
 // Use readCh to make sure the timeout on reading is working
 ReadableByteChannel readCh = Channels.newChannel(inStream);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/utils/src/com/cloud/utils/nio/NioClient.java
----------------------------------------------------------------------
diff --git a/utils/src/com/cloud/utils/nio/NioClient.java b/utils/src/com/cloud/utils/nio/NioClient.java
index 5b00105..2f742f9 100755
--- a/utils/src/com/cloud/utils/nio/NioClient.java
+++ b/utils/src/com/cloud/utils/nio/NioClient.java
@@ -31,6 +31,8 @@ import javax.net.ssl.SSLEngine;
 import org.apache.log4j.Logger;
+import org.apache.cloudstack.utils.security.SSLUtils;
+
 public class NioClient extends NioConnection {
 private static final Logger s_logger = Logger.getLogger(NioClient.class);
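Review bot: The second Link hunk raises the handshake socket timeout from `10 * 1000` to `30 * 1000` ms, a behaviour change that the commit message ("use preferable protocols") does not mention and that the code does not explain. Please either split it into its own commit or at least name the value so the reason is recorded, e.g. `private static final int HANDSHAKE_TIMEOUT_MS = 30 * 1000; // handshake read timeout; raised from 10s because <reason>` and `ch.socket().setSoTimeout(HANDSHAKE_TIMEOUT_MS);`, so the next reader knows whether it was tuned for slow agents or for longer TLS negotiation. The enclosing method (presumably `doHandshake`, going by the callers in the other hunks) starts and ends outside the hunk.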
@@ -74,6 +76,7 @@ public class NioClient extends NioConnection {
 SSLContext sslContext = Link.initSSLContext(true);
 sslEngine = sslContext.createSSLEngine(_host, _port);
 sslEngine.setUseClientMode(true);
+ sslEngine.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslEngine.getEnabledProtocols()));
 Link.doHandshake(_clientConnection, sslEngine, true);
 s_logger.info("SSL: Handshake done");
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/utils/src/com/cloud/utils/nio/NioConnection.java
----------------------------------------------------------------------
diff --git a/utils/src/com/cloud/utils/nio/NioConnection.java b/utils/src/com/cloud/utils/nio/NioConnection.java
index 773b1b0..34679b8 100755
--- a/utils/src/com/cloud/utils/nio/NioConnection.java
+++ b/utils/src/com/cloud/utils/nio/NioConnection.java
@@ -41,6 +41,8 @@ import java.util.concurrent.TimeUnit;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
+import org.apache.cloudstack.utils.security.SSLUtils;
+
 import org.apache.log4j.Logger;
 import com.cloud.utils.concurrency.NamedThreadFactory;
@@ -198,6 +200,7 @@ public abstract class NioConnection implements Runnable {
 sslEngine = sslContext.createSSLEngine();
 sslEngine.setUseClientMode(false);
 sslEngine.setNeedClientAuth(false);
+ sslEngine.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslEngine.getEnabledProtocols()));
 Link.doHandshake(socketChannel, sslEngine, false);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/utils/src/com/cloud/utils/rest/RESTServiceConnector.java
----------------------------------------------------------------------
diff --git a/utils/src/com/cloud/utils/rest/RESTServiceConnector.java b/utils/src/com/cloud/utils/rest/RESTServiceConnector.java
index 7cc2e89..487610a 100644
--- a/utils/src/com/cloud/utils/rest/RESTServiceConnector.java
+++ b/utils/src/com/cloud/utils/rest/RESTServiceConnector.java
@@ -37,6 +37,7 @@ import java.util.Map; import java.util.Map.Entry; import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.TrustManager; import javax.net.ssl.X509TrustManager; @@ -61,6 +62,8 @@ import org.apache.commons.httpclient.protocol.ProtocolSocketFactory; import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory; import org.apache.log4j.Logger; +import org.apache.cloudstack.utils.security.SSLUtils; + import com.google.gson.FieldNamingPolicy; import com.google.gson.Gson; import com.google.gson.GsonBuilder; @@ -334,7 +337,7 @@ public class RESTServiceConnector { try { // Install the all-trusting trust manager - final SSLContext sc = SSLContext.getInstance("SSL"); + final SSLContext sc = SSLUtils.getSSLContext(); sc.init(null, trustAllCerts, new java.security.SecureRandom()); ssf = sc.getSocketFactory(); } catch (final KeyManagementException e) { 
@@ -346,17 +349,23 @@ public class RESTServiceConnector { @Override public Socket createSocket(final String host, final int port) throws IOException { - return ssf.createSocket(host, port); + SSLSocket socket = (SSLSocket) ssf.createSocket(host, port); + socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols())); + return socket; } @Override public Socket createSocket(final String address, final int port, final InetAddress localAddress, final int localPort) throws IOException, UnknownHostException { - return ssf.createSocket(address, port, localAddress, localPort); + SSLSocket socket = (SSLSocket) ssf.createSocket(address, port, localAddress, localPort); + socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols())); + return socket; } @Override public Socket createSocket(final Socket socket, final String host, final int port, final boolean autoClose) throws IOException, UnknownHostException { - return ssf.createSocket(socket, host, port, autoClose); + SSLSocket s = (SSLSocket) ssf.createSocket(socket, host, port, autoClose); + s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols())); + return s; } @Override @@ -366,7 +375,8 @@ public class RESTServiceConnector { if (timeout == 0) { return createSocket(host, port, localAddress, localPort); } else { - final Socket s = ssf.createSocket(); + final SSLSocket s = (SSLSocket) ssf.createSocket(); + s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols())); s.bind(new InetSocketAddress(localAddress, localPort)); s.connect(new InetSocketAddress(host, port), timeout); return s; http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java ---------------------------------------------------------------------- 
diff --git a/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java b/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java
new file mode 100644
index 0000000..7f9ee77
--- /dev/null
+++ b/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java
@@ -0,0 +1,51 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package org.apache.cloudstack.utils.security;
+
+import org.apache.log4j.Logger;
+
+import javax.net.ssl.SSLContext;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.util.HashSet;
+import java.util.Set;
+
+public class SSLUtils {
+    public static final Logger s_logger = Logger.getLogger(SSLUtils.class);
+
+    public static String[] getSupportedProtocols(String[] protocols) {
+        Set set = new HashSet();
+        for (String s : protocols) {
+            if (s.equals("SSLv3") || s.equals("SSLv2Hello")) {
+                continue;
+            }
+            set.add(s);
+        }
+        return (String[]) set.toArray(new String[set.size()]);
+    }
+
+    public static SSLContext getSSLContext() throws NoSuchAlgorithmException {
+        return SSLContext.getInstance("TLSv1.2");
+    }
+
+    public static SSLContext getSSLContext(String provider) throws NoSuchAlgorithmException, NoSuchProviderException {
+        return SSLContext.getInstance("TLSv1.2", provider);
+    }
+}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java
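Review bot: `getSupportedProtocols` is a denylist that drops only `SSLv3` and `SSLv2Hello`, so TLSv1 and TLSv1.1 stay enabled wherever the JDK enables them by default, and if the input holds only the two removed names it returns an empty array, which makes the caller's `setEnabledProtocols` fail every later handshake with nothing in the log saying why. It also uses raw `Set`/`HashSet`, which gives an unchecked warning and discards the order of the enabled list; the rewrite below keeps the order in a generic `List<String>`, drops the cast and warns on an empty result (swap the `HashSet`/`Set` imports for `ArrayList`/`Arrays`/`List`). Separately, `s_logger` is `public` and unused in the visible code, so make it `private static final`, and give this utility class a private constructor. An allowlist (`TLSv1.2` plus whatever newer versions the runtime reports) would express the intent of the `"TLSv1.2"` context more directly than the denylist.
```java
    public static String[] getSupportedProtocols(String[] protocols) {
        // Keep the caller's order; only SSLv3 and the SSLv2-compatible hello are removed.
        List<String> kept = new ArrayList<String>();
        for (String p : protocols) {
            if ("SSLv3".equals(p) || "SSLv2Hello".equals(p)) {
                continue;
            }
            kept.add(p);
        }
        if (kept.isEmpty()) {
            // setEnabledProtocols(new String[0]) makes every handshake fail; say so once here.
            s_logger.warn("No protocol left after filtering " + Arrays.toString(protocols));
        }
        return kept.toArray(new String[kept.size()]);
    }
    // … unchanged: getSSLContext overloads …
```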
---------------------------------------------------------------------- diff --git a/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java b/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java index 42650fc..d180f5d 100644 --- a/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java +++ b/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java @@ -19,6 +19,7 @@ package org.apache.commons.httpclient.contrib.ssl; +import org.apache.cloudstack.utils.security.SSLUtils; import org.apache.commons.httpclient.ConnectTimeoutException; import org.apache.commons.httpclient.HttpClientError; import org.apache.commons.httpclient.params.HttpConnectionParams; @@ -28,6 +29,7 @@ import org.apache.commons.logging.LogFactory; import javax.net.SocketFactory; import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocket; import javax.net.ssl.TrustManager; import java.io.IOException; import java.net.InetAddress; @@ -99,7 +101,7 @@ public class EasySSLProtocolSocketFactory implements ProtocolSocketFactory { private static SSLContext createEasySSLContext() { try { - SSLContext context = SSLContext.getInstance("SSL"); + SSLContext context = SSLUtils.getSSLContext(); context.init(null, new TrustManager[] {new EasyX509TrustManager(null)}, null); return context; } catch (Exception e) { @@ -120,8 +122,9 @@ public class EasySSLProtocolSocketFactory implements ProtocolSocketFactory { */ @Override public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort) throws IOException, UnknownHostException { - - return getSSLContext().getSocketFactory().createSocket(host, port, clientHost, clientPort); + SSLSocket socket = (SSLSocket) getSSLContext().getSocketFactory().createSocket(host, port, clientHost, clientPort); + socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols())); + return socket; } /** 
@@ -135,8 +138,8 @@ public class EasySSLProtocolSocketFactory implements ProtocolSocketFactory { * * @param host the host name/IP * @param port the port on the host - * @param clientHost the local host name/IP to bind the socket to - * @param clientPort the port on the local machine + * @param localAddress the local host name/IP to bind the socket to + * @param localPort the port on the local machine * @param params {@link HttpConnectionParams Http connection parameters} * * @return Socket a new socket @@ -156,7 +159,8 @@ public class EasySSLProtocolSocketFactory implements ProtocolSocketFactory { if (timeout == 0) { return socketfactory.createSocket(host, port, localAddress, localPort); } else { - Socket socket = socketfactory.createSocket(); + SSLSocket socket = (SSLSocket) socketfactory.createSocket(); + socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols())); SocketAddress localaddr = new InetSocketAddress(localAddress, localPort); SocketAddress remoteaddr = new InetSocketAddress(host, port); socket.bind(localaddr); 
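Review bot: In the second hunk (@@ -156) the `timeout == 0` branch still returns `socketfactory.createSocket(host, port, localAddress, localPort)` straight from the JDK factory, so that socket never receives the `setEnabledProtocols` filtering that the `else` branch applies two lines later; change it to `return createSocket(host, port, localAddress, localPort);` so it goes through the overridden four-argument overload (which filters, per the @@ -120 hunk above). RESTServiceConnector's equivalent method already delegates to its own overload this way, so the two classes would then agree. The enclosing method's signature and body start outside the hunk.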
@@ -170,11 +174,15 @@ public class EasySSLProtocolSocketFactory implements ProtocolSocketFactory { */ @Override public Socket createSocket(String host, int port) throws IOException, UnknownHostException { - return getSSLContext().getSocketFactory().createSocket(host, port); + SSLSocket socket = (SSLSocket) getSSLContext().getSocketFactory().createSocket(host, port); + socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols())); + return socket; } public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException, UnknownHostException { - return getSSLContext().getSocketFactory().createSocket(socket, host, port, autoClose); + SSLSocket s= (SSLSocket) getSSLContext().getSocketFactory().createSocket(socket, host, port, autoClose); + s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols())); + return s; } @Override http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java ---------------------------------------------------------------------- diff --git a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java index 9284569..cc657a6 100644 --- a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java +++ b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java @@ -32,6 +32,8 @@ import javax.xml.ws.handler.MessageContext; import org.apache.log4j.Logger; +import org.apache.cloudstack.utils.security.SSLUtils; + import com.vmware.vim25.DynamicProperty; import com.vmware.vim25.InvalidCollectorVersionFaultMsg; import com.vmware.vim25.InvalidPropertyFaultMsg; 
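Review bot: Style: `SSLSocket s= (SSLSocket) ...` in the layered `createSocket(Socket, String, int, boolean)` is missing the space before `=` and names the result `s` while the overload just above calls the same thing `socket`; since `socket` is already the parameter here, write `SSLSocket layered = (SSLSocket) getSSLContext().getSocketFactory().createSocket(socket, host, port, autoClose);` and use `layered` on the next two lines so the method reads like its siblings. Both methods are complete within the hunk.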
@@ -103,7 +105,7 @@ public class VmwareClient { javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1]; javax.net.ssl.TrustManager tm = new TrustAllTrustManager(); trustAllCerts[0] = tm; - javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("SSL"); + javax.net.ssl.SSLContext sc = SSLUtils.getSSLContext(); javax.net.ssl.SSLSessionContext sslsc = sc.getServerSessionContext(); sslsc.setSessionTimeout(0); sc.init(null, trustAllCerts, null); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/debfcdef/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java ---------------------------------------------------------------------- diff --git a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java index 08456c4..cb0c4d7 100755 --- a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java +++ b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java @@ -41,6 +41,7 @@ import javax.net.ssl.SSLSession; import javax.xml.ws.soap.SOAPFaultException; import org.apache.log4j.Logger; +import org.apache.cloudstack.utils.security.SSLUtils; import com.vmware.vim25.ManagedObjectReference; import com.vmware.vim25.ObjectContent; @@ -79,7 +80,7 @@ public class VmwareContext { javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1]; javax.net.ssl.TrustManager tm = new TrustAllManager(); trustAllCerts[0] = tm; - javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("SSL"); + javax.net.ssl.SSLContext sc = SSLUtils.getSSLContext(); sc.init(null, trustAllCerts, null); javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
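Review bot: Unlike every other site in this commit, the VmwareClient and VmwareContext hunks switch to `SSLUtils.getSSLContext()` but never run the resulting sockets through `getSupportedProtocols`; `HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory())` in the VmwareContext hunk installs the unfiltered factory. The protocol name given to `SSLContext.getInstance` selects the implementation, not the protocols enabled on the sockets it hands out, which stay at the JDK's defaults for that context (TLSv1 and TLSv1.1, and SSLv3 on JDKs that still enable it). Wrap `sc.getSocketFactory()` in an `SSLSocketFactory` subclass whose `createSocket` overloads apply `SSLUtils.getSupportedProtocols` before returning, as RESTServiceConnector does, and install that wrapper instead. Both enclosing methods start and end outside their hunks.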
