Repository: cloudstack Updated Branches: refs/heads/4.3 bd5fe46e5 -> 53c0ab856
CLOUDSTACK-8160: use preferable protocols (cherry picked from commit debfcdef788ce0d51be06db0ef10f6815f9b563b) 
Signed-off-by: Rohit Yadav <[email protected]> Conflicts: client/tomcatconf/server7-nonssl.xml.in client/tomcatconf/server7-ssl.xml.in engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/XenServerConnectionPool.java plugins/network-elements/opendaylight/src/main/java/org/apache/cloudstack/network/opendaylight/api/NeutronRestApi.java plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java plugins/storage/volume/cloudbyte/src/org/apache/cloudstack/storage/datastore/util/ElastistorUtil.java plugins/storage/volume/nexenta/src/org/apache/cloudstack/storage/datastore/util/NexentaNmsClient.java plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java pom.xml services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java systemvm/scripts/config_ssl.sh utils/src/com/cloud/utils/nio/NioClient.java utils/src/com/cloud/utils/rest/RESTServiceConnector.java utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/53c0ab85 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/53c0ab85 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/53c0ab85 Branch: refs/heads/4.3 Commit: 53c0ab856a4358f508e6ef7488cffaba4d184a03 Parents: bd5fe46 Author: Rohit Yadav <[email protected]> Authored: Wed Jan 21 18:01:34 2015 +0530 Committer: Rohit Yadav <[email protected]> Committed: Wed Jan 21 18:24:54 2015 +0530 ---------------------------------------------------------------------- 
client/tomcatconf/server-nonssl.xml.in | 2 +- client/tomcatconf/server-ssl.xml.in | 2 +- .../manager/ClusteredAgentManagerImpl.java | 3 + .../mom/rabbitmq/RabbitMQEventBus.java | 9 ++- .../xen/resource/XenServerConnectionPool.java | 5 +- .../cloud/network/utils/HttpClientWrapper.java | 5 +- .../storage/datastore/util/SolidFireUtil.java | 4 +- pom.xml | 7 ++- .../main/java/streamer/SocketWrapperImpl.java | 2 +- .../ConsoleProxySecureServerFactoryImpl.java | 11 ++-- .../com/cloud/consoleproxy/util/RawHTTP.java | 27 ++++---- .../etc/apache2/sites-available/default-ssl | 1 + .../debian/config/etc/apache2/vhostexample.conf | 1 + systemvm/scripts/config_ssl.sh | 6 ++ test/pom.xml | 2 +- utils/src/com/cloud/utils/nio/Link.java | 5 +- utils/src/com/cloud/utils/nio/NioClient.java | 3 + .../src/com/cloud/utils/nio/NioConnection.java | 3 + .../cloudstack/utils/security/SSLUtils.java | 51 +++++++++++++++ .../ssl/EasySSLProtocolSocketFactory.java | 65 +++++++------------- .../hypervisor/vmware/util/VmwareClient.java | 4 +- .../hypervisor/vmware/util/VmwareContext.java | 3 +- 22 files changed, 143 insertions(+), 78 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/client/tomcatconf/server-nonssl.xml.in ---------------------------------------------------------------------- diff --git a/client/tomcatconf/server-nonssl.xml.in b/client/tomcatconf/server-nonssl.xml.in index 847197c..e0debe4 100755 --- a/client/tomcatconf/server-nonssl.xml.in +++ b/client/tomcatconf/server-nonssl.xml.in 
@@ -82,7 +82,7 @@ <!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" - clientAuth="false" sslProtocol="TLS" + clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1" keystoreType="PKCS12" keystoreFile="conf\cloud-localhost.pk12" keystorePass="password" http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/client/tomcatconf/server-ssl.xml.in ---------------------------------------------------------------------- diff --git a/client/tomcatconf/server-ssl.xml.in b/client/tomcatconf/server-ssl.xml.in index 37bc53d..2e61251 100755 --- a/client/tomcatconf/server-ssl.xml.in +++ b/client/tomcatconf/server-ssl.xml.in @@ -82,7 +82,7 @@ <!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" - clientAuth="false" sslProtocol="TLS" + clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1" keystoreType="PKCS12" keystoreFile="conf\cloud-localhost.pk12" keystorePass="password" http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java ---------------------------------------------------------------------- diff --git a/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java b/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java index 2fd1caf..3e970ca 100755 --- a/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java +++ b/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java @@ -51,6 +51,8 @@ import org.apache.cloudstack.managed.context.ManagedContextTimerTask; import org.apache.cloudstack.utils.identity.ManagementServerNode; import org.apache.log4j.Logger; +import org.apache.cloudstack.utils.security.SSLUtils; + import com.cloud.agent.AgentManager; import com.cloud.agent.api.Answer; import com.cloud.agent.api.CancelCommand; 
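Review bot: `sslEnabledProtocols="TLSv1.2,TLSv1.1"` sits inside the `<!-- … -->` block around the 8443 connector, so it only documents the example and takes effect once an operator uncomments it; the commit message should say that the active connector is unchanged. The list also sets a different floor from the rest of the commit: here TLSv1 is excluded, while `SSLUtils.getSupportedProtocols` only drops SSLv3/SSLv2Hello and `SocketWrapperImpl` enables `"TLSv1"` explicitly. Pick one minimum version and record it in a plain-text line inside the existing comment block, e.g. `sslEnabledProtocols lists the TLS versions offered; keep it aligned with SSLUtils.getSupportedProtocols`, or drop TLSv1 everywhere. The same hunk appears in server-ssl.xml.in.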
@@ -499,6 +501,7 @@ public class ClusteredAgentManagerImpl extends AgentManagerImpl implements Clust SSLContext sslContext = Link.initSSLContext(true); sslEngine = sslContext.createSSLEngine(ip, Port.value()); sslEngine.setUseClientMode(true); + sslEngine.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslEngine.getEnabledProtocols())); Link.doHandshake(ch, sslEngine, true); s_logger.info("SSL: Handshake done"); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java ---------------------------------------------------------------------- diff --git a/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java b/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java index 30b4475..8e24c03 100644 --- a/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java +++ b/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java @@ -47,6 +47,7 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus { private static Integer port; private static String username; private static String password; + private static String secureProtocol = "TLSv1.2"; public static void setVirtualHost(String virtualHost) { RabbitMQEventBus.virtualHost = virtualHost; @@ -141,6 +142,10 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus { this.port = port; } + public void setSecureProtocol(String protocol) { + RabbitMQEventBus.secureProtocol = protocol; + } + public void setName(String name) { this.name = name; } 
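Review bot: `setSecureProtocol` is an instance method that writes the static field `secureProtocol`, whereas the neighbouring `setVirtualHost` writes its static through a `static` setter and `setName` writes an instance field through `this`; either make the new setter `public static void setSecureProtocol(String protocol)` or make the field non-static, and the `this.secureProtocol` read in the `@@ -369` hunk should follow the same choice. The field deserves a comment on what values are legal, e.g. `// JSSE protocol name handed to ConnectionFactory.useSslProtocol; default TLSv1.2`. A null or blank value is passed straight through to the client library, so rejecting null/blank in the setter (or falling back to the default) is cheap insurance.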
@@ -369,7 +374,7 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus { } if (useSsl != null && !useSsl.isEmpty() && useSsl.equalsIgnoreCase("true")) { - factory.useSslProtocol(); + factory.useSslProtocol(this.secureProtocol); } Connection connection = factory.newConnection(); connection.addShutdownListener(disconnectHandler); @@ -605,4 +610,4 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus { return; } } -} \ No newline at end of file +} http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/XenServerConnectionPool.java ---------------------------------------------------------------------- diff --git a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/XenServerConnectionPool.java b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/XenServerConnectionPool.java index b73bf59..bbcc1a4 100644 --- a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/XenServerConnectionPool.java +++ b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/XenServerConnectionPool.java @@ -38,6 +38,9 @@ import org.apache.xmlrpc.client.XmlRpcClientException; import com.cloud.utils.NumbersUtil; import com.cloud.utils.PropertiesUtil; import com.cloud.utils.exception.CloudRuntimeException; + +import org.apache.cloudstack.utils.security.SSLUtils; + import com.xensource.xenapi.APIVersion; import com.xensource.xenapi.Connection; import com.xensource.xenapi.Host; 
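Review bot: `factory.useSslProtocol(this.secureProtocol)` pins the protocol version but, in the RabbitMQ client versions I know, the single-argument overload still installs a trust-everything `TrustManager` exactly as the no-argument form it replaces did, so the broker certificate is not verified; if that is accepted, say so in a comment on this line, otherwise initialise an `SSLContext` from a trust store and pass it to the `useSslProtocol(SSLContext)` overload. `this.secureProtocol` reads a static field through `this`; `RabbitMQEventBus.secureProtocol` is clearer. The enclosing method starts and ends outside the hunk.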
@@ -79,7 +82,7 @@ public class XenServerConnectionPool { javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1]; javax.net.ssl.TrustManager tm = new TrustAllManager(); trustAllCerts[0] = tm; - javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("TLS"); + javax.net.ssl.SSLContext sc = SSLUtils.getSSLContext(); sc.init(null, trustAllCerts, null); javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); HostnameVerifier hv = new HostnameVerifier() { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java ---------------------------------------------------------------------- diff --git a/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java b/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java index 7dfec92..37ed125 100644 --- a/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java +++ b/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java @@ -24,6 +24,9 @@ import javax.net.ssl.SSLException; import javax.net.ssl.SSLSession; import javax.net.ssl.TrustManager; import javax.net.ssl.X509TrustManager; + +import org.apache.cloudstack.utils.security.SSLUtils; + import org.apache.http.client.HttpClient; import org.apache.http.conn.ClientConnectionManager; import org.apache.http.conn.scheme.Scheme; 
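Review bot: `SSLUtils.getSSLContext()` changes only the context algorithm; the sockets produced by `sc.getSocketFactory()` and installed JVM-wide through `HttpsURLConnection.setDefaultSSLSocketFactory` are never passed through `SSLUtils.getSupportedProtocols`, so on JDK builds where SSLv3 is still in the default enabled list these connections can still negotiate SSLv3, unlike the NIO and console-proxy paths in this commit. Applying the filter here needs a thin `SSLSocketFactory` decorator that calls `setEnabledProtocols(SSLUtils.getSupportedProtocols(...))` in each `createSocket` overload and wraps `sc.getSocketFactory()` before it is installed. The same gap exists in `HttpClientWrapper.wrapClient`, `SolidFireUtil.getHttpClient`, `VmwareClient` and `VmwareContext`, which likewise only swap the context. The `TrustAllManager` handed to `sc.init` is untouched, so this change does not add certificate validation to the XenServer connection; a comment stating that this is intentional for self-signed hypervisor certificates would stop the next reader assuming it was overlooked. The enclosing method starts and ends outside the hunk.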
@@ -38,7 +41,7 @@ public class HttpClientWrapper { public static HttpClient wrapClient(HttpClient base) { try { - SSLContext ctx = SSLContext.getInstance("TLS"); + SSLContext ctx = SSLUtils.getSSLContext(); X509TrustManager tm = new X509TrustManager() { public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java ---------------------------------------------------------------------- diff --git a/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java b/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java index 2d528ef..995973f 100644 --- a/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java +++ b/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java @@ -47,6 +47,8 @@ import org.apache.http.impl.client.DefaultHttpClient; import org.apache.http.impl.conn.BasicClientConnectionManager; import com.cloud.utils.exception.CloudRuntimeException; +import org.apache.cloudstack.utils.security.SSLUtils; + import com.google.gson.Gson; import com.google.gson.GsonBuilder; @@ -1011,7 +1013,7 @@ public class SolidFireUtil private static DefaultHttpClient getHttpClient(int iPort) { try { - SSLContext sslContext = SSLContext.getInstance("SSL"); + SSLContext sslContext = SSLUtils.getSSLContext(); X509TrustManager tm = new X509TrustManager() { public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException { } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/pom.xml ---------------------------------------------------------------------- diff --git a/pom.xml b/pom.xml index 5746c59..1468ad7 100644 --- a/pom.xml +++ b/pom.xml 
@@ -58,8 +58,9 @@ <cs.gson.version>1.7.2</cs.gson.version> <cs.guava.version>14.0-rc1</cs.guava.version> <cs.xapi.version>5.6.100-1</cs.xapi.version> - <cs.httpclient.version>3.1</cs.httpclient.version> - <cs.httpcore.version>4.2.1</cs.httpcore.version> + <cs.httpclient.version>4.3.6</cs.httpclient.version> + <cs.httpcore.version>4.3.3</cs.httpcore.version> + <cs.commons-httpclient.version>3.1</cs.commons-httpclient.version> <cs.mysql.version>5.1.21</cs.mysql.version> <cs.xstream.version>1.3.1</cs.xstream.version> <cs.xmlrpc.version>3.1.3</cs.xmlrpc.version> @@ -318,7 +319,7 @@ <dependency> <groupId>org.apache.httpcomponents</groupId> <artifactId>httpclient</artifactId> - <version>${cs.httpcore.version}</version> + <version>${cs.httpclient.version}</version> </dependency> <dependency> <groupId>com.thoughtworks.xstream</groupId> http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java ---------------------------------------------------------------------- diff --git a/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java b/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java index 07b3dc9..9d8a458 100755 --- a/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java +++ b/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java 
@@ -140,7 +140,7 @@ public class SocketWrapperImpl extends PipelineImpl implements SocketWrapper { SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory(); sslSocket = (SSLSocket)sslSocketFactory.createSocket(socket, address.getHostName(), address.getPort(), true); - + sslSocket.setEnabledProtocols(new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"}); sslSocket.startHandshake(); InputStream sis = sslSocket.getInputStream(); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java ---------------------------------------------------------------------- diff --git a/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java b/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java index ee0ee13..e58e6fb 100644 --- a/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java +++ b/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java @@ -21,6 +21,7 @@ import java.io.FileInputStream; import java.io.IOException; import java.net.InetSocketAddress; import java.security.KeyStore; +import org.apache.cloudstack.utils.security.SSLUtils; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; @@ -68,7 +69,7 @@ public class ConsoleProxySecureServerFactoryImpl implements ConsoleProxyServerFa tmf.init(ks); s_logger.info("Trust manager factory is initialized"); - sslContext = SSLContext.getInstance("TLS"); + sslContext = SSLUtils.getSSLContext(); sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); s_logger.info("SSL context is initialized"); } catch (Exception ioe) { 
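Review bot: `sslSocket.setEnabledProtocols(new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"})` hard-codes names where every other call site in this commit derives the list from `getEnabledProtocols()` via `SSLUtils.getSupportedProtocols`; `setEnabledProtocols` throws `IllegalArgumentException` for a name the provider does not support, so on a JDK without TLSv1.1/1.2 this line turns every RDP connection into a failure rather than a negotiation down to TLSv1. If the rdpconsole module can depend on utils, use `sslSocket.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslSocket.getEnabledProtocols()));`; otherwise intersect the literal list with `sslSocket.getSupportedProtocols()` first. A one-line comment on why SSLv3 is excluded for the RDP path would help too. The enclosing method starts and ends outside the hunk.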
@@ -90,8 +91,8 @@ public class ConsoleProxySecureServerFactoryImpl implements ConsoleProxyServerFa TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); tmf.init(ks); s_logger.info("Trust manager factory is initialized"); - - sslContext = SSLContext.getInstance("TLS"); + + sslContext = SSLUtils.getSSLContext(); sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); s_logger.info("SSL context is initialized"); } catch(Exception e) { @@ -133,8 +134,10 @@ public class ConsoleProxySecureServerFactoryImpl implements ConsoleProxyServerFa try { SSLServerSocket srvSock = null; SSLServerSocketFactory ssf = sslContext.getServerSocketFactory(); + srvSock = (SSLServerSocket) ssf.createServerSocket(port); - + srvSock.setEnabledProtocols(SSLUtils.getSupportedProtocols(srvSock.getEnabledProtocols())); + s_logger.info("create SSL server socket on port: " + port); return srvSock; } catch (Exception ioe) { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java ---------------------------------------------------------------------- diff --git a/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java b/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java index c77b551..532d599 100644 --- a/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java +++ b/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java @@ -16,6 +16,8 @@ // under the License. package com.cloud.consoleproxy.util; +import org.apache.cloudstack.utils.security.SSLUtils; + import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; 
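Review bot: In the `@@ -133` hunk `SSLServerSocket srvSock = null;` is now immediately overwritten by the `createServerSocket(port)` assignment, so the null initialisation is dead; `SSLServerSocket srvSock = (SSLServerSocket) ssf.createServerSocket(port);` followed by the `setEnabledProtocols` call reads more directly. A comment on that call, e.g. `// drop SSLv3/SSLv2Hello from the provider defaults; see SSLUtils`, would tell the next reader why the server socket is reconfigured right after creation. The enclosing method starts and ends outside the hunk.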
@@ -136,8 +138,16 @@ public final class RawHTTP { private Socket _getSocket() throws IOException { if (useSSL) { - SSLContext context = getClientSSLContext(); - if(context == null) + SSLContext context = null; + try { + context = SSLUtils.getSSLContext("SunJSSE"); + } catch (NoSuchAlgorithmException e) { + s_logger.error("Unexpected exception ", e); + } catch (NoSuchProviderException e) { + s_logger.error("Unexpected exception ", e); + } + + if (context == null) throw new IOException("Unable to setup SSL context"); SSLSocket ssl = null; @@ -145,6 +155,7 @@ public final class RawHTTP { context.init(null, trustAllCerts, new SecureRandom()); SocketFactory factory = context.getSocketFactory(); ssl = (SSLSocket) factory.createSocket(host, port); + ssl.setEnabledProtocols(SSLUtils.getSupportedProtocols(ssl.getEnabledProtocols())); /* ssl.setSSLParameters(context.getDefaultSSLParameters()); */ } catch (IOException e) { s_logger.error("IOException: " + e.getMessage(), e); @@ -234,16 +245,4 @@ public final class RawHTTP { } } } - - private SSLContext getClientSSLContext() { - SSLContext sslContext = null; - try { - sslContext = SSLContext.getInstance("SSL", "SunJSSE"); - } catch (NoSuchAlgorithmException e) { - s_logger.error("Unexpected exception ", e); - } catch (NoSuchProviderException e) { - s_logger.error("Unexpected exception ", e); - } - return sslContext; - } } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl ---------------------------------------------------------------------- diff --git a/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl b/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl index 0eea44d..6699f14 100644 --- a/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl +++ b/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl 
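Review bot: The rewritten `_getSocket` logs the `NoSuchAlgorithmException`/`NoSuchProviderException` and then throws a bare `IOException("Unable to setup SSL context")`, so the cause (a missing SunJSSE provider or no TLSv1.2 support) is lost from the exception the caller sees, and the `context == null` test exists only to bridge the two catch blocks. Throw from the catch with the cause attached instead; both exceptions extend `java.security.GeneralSecurityException`, so a single catch suffices (its import is needed), and the log line can be kept before the throw if the caller does not log. The method continues past the end of the hunk; the second hunk's `ssl.setEnabledProtocols` sits before the first handshake I/O, which is the right place.

```java
    private Socket _getSocket() throws IOException {
        if (useSSL) {
            SSLContext context;
            try {
                context = SSLUtils.getSSLContext("SunJSSE");
            } catch (GeneralSecurityException e) {
                // NoSuchAlgorithmException or NoSuchProviderException: keep the cause for the caller
                throw new IOException("Unable to setup SSL context", e);
            }
            // … unchanged: trust-all init, createSocket, setEnabledProtocols …
```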
@@ -42,6 +42,7 @@ # SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on + SSLProtocol all -SSLv2 -SSLv3 # A self-signed (snakeoil) certificate can be created by installing # the ssl-cert package. See http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/systemvm/patches/debian/config/etc/apache2/vhostexample.conf ---------------------------------------------------------------------- diff --git a/systemvm/patches/debian/config/etc/apache2/vhostexample.conf b/systemvm/patches/debian/config/etc/apache2/vhostexample.conf index c1bf8ea..70cb7dc 100644 --- a/systemvm/patches/debian/config/etc/apache2/vhostexample.conf +++ b/systemvm/patches/debian/config/etc/apache2/vhostexample.conf @@ -86,6 +86,7 @@ # SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on + SSLProtocol all -SSLv2 -SSLv3 # A self-signed (snakeoil) certificate can be created by installing # the ssl-cert package. See http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/systemvm/scripts/config_ssl.sh ---------------------------------------------------------------------- diff --git a/systemvm/scripts/config_ssl.sh b/systemvm/scripts/config_ssl.sh index e474787..5e00a45 100755 --- a/systemvm/scripts/config_ssl.sh +++ b/systemvm/scripts/config_ssl.sh @@ -36,6 +36,7 @@ config_httpd_conf() { echo " DocumentRoot /var/www/html/" >> /etc/httpd/conf/httpd.conf echo " ServerName $srvr" >> /etc/httpd/conf/httpd.conf echo " SSLEngine on" >> /etc/httpd/conf/httpd.conf + echo " SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/httpd.conf echo " SSLCertificateFile /etc/httpd/ssl/certs/realhostip.crt" >> /etc/httpd/conf/httpd.conf echo " SSLCertificateKeyFile /etc/httpd/ssl/keys/realhostip.key" >> /etc/httpd/conf/httpd.conf echo "</VirtualHost>" >> /etc/httpd/conf/httpd.conf 
@@ -53,6 +54,11 @@ config_apache2_conf() { sed -i -e "s/NameVirtualHost .*:80/NameVirtualHost $ip:80/g" /etc/apache2/ports.conf sed -i 's/ssl-cert-snakeoil.key/cert_apache.key/' /etc/apache2/sites-available/default-ssl sed -i 's/ssl-cert-snakeoil.pem/cert_apache.crt/' /etc/apache2/sites-available/default-ssl + sed -i 's/SSLProtocol.*$/SSLProtocol all -SSLv2 -SSLv3/' /etc/apache2/sites-available/default-ssl + if [ -f /etc/ssl/certs/cert_apache_chain.crt ] + then + sed -i -e "s/#SSLCertificateChainFile.*/SSLCertificateChainFile \/etc\/ssl\/certs\/cert_apache_chain.crt/" /etc/apache2/sites-available/default-ssl + fi } copy_certs() { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/test/pom.xml ---------------------------------------------------------------------- diff --git a/test/pom.xml b/test/pom.xml index 9058722..58b1e78 100644 --- a/test/pom.xml +++ b/test/pom.xml @@ -67,7 +67,7 @@ <dependency> <groupId>commons-httpclient</groupId> <artifactId>commons-httpclient</artifactId> - <version>${cs.httpclient.version}</version> + <version>${cs.commons-httpclient.version}</version> </dependency> </dependencies> <build> http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/utils/src/com/cloud/utils/nio/Link.java ---------------------------------------------------------------------- diff --git a/utils/src/com/cloud/utils/nio/Link.java b/utils/src/com/cloud/utils/nio/Link.java index 374b380..67d88c6 100755 --- a/utils/src/com/cloud/utils/nio/Link.java +++ b/utils/src/com/cloud/utils/nio/Link.java @@ -40,6 +40,7 @@ import javax.net.ssl.SSLSession; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; +import org.apache.cloudstack.utils.security.SSLUtils; import org.apache.log4j.Logger; import com.cloud.utils.PropertiesUtil; 
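Review bot: `sed -i 's/SSLProtocol.*$/SSLProtocol all -SSLv2 -SSLv3/'` is a no-op when `default-ssl` contains no `SSLProtocol` line, and because the pattern is unanchored it also rewrites a commented `#SSLProtocol` line into a still-commented one, so on a system VM whose `default-ssl` predates the template change earlier in this commit SSLv3 may stay enabled. Anchor the match and append the directive when it is absent, e.g. `grep -q '^\s*SSLProtocol' /etc/apache2/sites-available/default-ssl || sed -i '/SSLEngine on/a\ SSLProtocol all -SSLv2 -SSLv3' /etc/apache2/sites-available/default-ssl` before the substitution, and use `^\s*SSLProtocol.*$` in the substitution itself. A comment above the block naming the intent (`# refuse SSLv2/SSLv3 even on pre-existing vhost files`) makes the two-step logic readable.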
@@ -433,7 +434,7 @@ public class Link { tms[0] = new TrustAllManager(); } - sslContext = SSLContext.getInstance("TLS"); + sslContext = SSLUtils.getSSLContext(); sslContext.init(kmf.getKeyManagers(), tms, null); if (s_logger.isTraceEnabled()) { s_logger.trace("SSL: SSLcontext has been initialized"); @@ -460,7 +461,7 @@ public class Link { ByteBuffer out_appBuf = ByteBuffer.allocate(sslSession.getApplicationBufferSize() + 40); int count; - ch.socket().setSoTimeout(10 * 1000); + ch.socket().setSoTimeout(30 * 1000); InputStream inStream = ch.socket().getInputStream(); // Use readCh to make sure the timeout on reading is working ReadableByteChannel readCh = Channels.newChannel(inStream); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/utils/src/com/cloud/utils/nio/NioClient.java ---------------------------------------------------------------------- diff --git a/utils/src/com/cloud/utils/nio/NioClient.java b/utils/src/com/cloud/utils/nio/NioClient.java index 8d12f93..679e9fe 100755 --- a/utils/src/com/cloud/utils/nio/NioClient.java +++ b/utils/src/com/cloud/utils/nio/NioClient.java @@ -27,6 +27,8 @@ import javax.net.ssl.SSLEngine; import org.apache.log4j.Logger; +import org.apache.cloudstack.utils.security.SSLUtils; + public class NioClient extends NioConnection { private static final Logger s_logger = Logger.getLogger(NioClient.class); @@ -75,6 +77,7 @@ public class NioClient extends NioConnection { SSLContext sslContext = Link.initSSLContext(true); sslEngine = sslContext.createSSLEngine(_host, _port); sslEngine.setUseClientMode(true); + sslEngine.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslEngine.getEnabledProtocols())); Link.doHandshake(sch, sslEngine, true); s_logger.info("SSL: Handshake done"); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/utils/src/com/cloud/utils/nio/NioConnection.java ---------------------------------------------------------------------- 
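Review bot: The `@@ -460` hunk raises the handshake read timeout from `10 * 1000` to `30 * 1000` ms, which is unrelated to protocol selection and is not mentioned in the commit message; if it was needed for TLSv1.2 handshakes to complete in the field, that reasoning belongs in a comment. A named constant removes the magic number: `private static final int HANDSHAKE_SO_TIMEOUT_MS = 30 * 1000; // was 10 s` and `ch.socket().setSoTimeout(HANDSHAKE_SO_TIMEOUT_MS);`. Both enclosing methods start and end outside the hunks.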
diff --git a/utils/src/com/cloud/utils/nio/NioConnection.java b/utils/src/com/cloud/utils/nio/NioConnection.java index 07c2bea..224609a 100755 --- a/utils/src/com/cloud/utils/nio/NioConnection.java +++ b/utils/src/com/cloud/utils/nio/NioConnection.java @@ -38,6 +38,8 @@ import java.util.concurrent.TimeUnit; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; +import org.apache.cloudstack.utils.security.SSLUtils; + import org.apache.log4j.Logger; import com.cloud.utils.concurrency.NamedThreadFactory; @@ -193,6 +195,7 @@ public abstract class NioConnection implements Runnable { sslEngine = sslContext.createSSLEngine(); sslEngine.setUseClientMode(false); sslEngine.setNeedClientAuth(false); + sslEngine.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslEngine.getEnabledProtocols())); Link.doHandshake(socketChannel, sslEngine, false); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java ---------------------------------------------------------------------- diff --git a/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java b/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java new file mode 100644 index 0000000..7f9ee77 --- /dev/null +++ b/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java 
@@ -0,0 +1,51 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package org.apache.cloudstack.utils.security;
+
+import org.apache.log4j.Logger;
+
+import javax.net.ssl.SSLContext;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.util.HashSet;
+import java.util.Set;
+
+public class SSLUtils {
+ public static final Logger s_logger = Logger.getLogger(SSLUtils.class);
+
+ public static String[] getSupportedProtocols(String[] protocols) {
+ Set set = new HashSet();
+ for (String s : protocols) {
+ if (s.equals("SSLv3") || s.equals("SSLv2Hello")) {
+ continue;
+ }
+ set.add(s);
+ }
+ return (String[]) set.toArray(new String[set.size()]);
+ }
+
+ public static SSLContext getSSLContext() throws NoSuchAlgorithmException {
+ return SSLContext.getInstance("TLSv1.2");
+ }
+
+ public static SSLContext getSSLContext(String provider) throws NoSuchAlgorithmException, NoSuchProviderException {
+ return SSLContext.getInstance("TLSv1.2", provider);
+ }
+}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java
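Review bot: `getSupportedProtocols` builds its result in a raw `HashSet`, so the returned array loses the provider's ordering and every caller compiles with an unchecked-conversion warning; a `Set<String>` backed by `LinkedHashSet` fixes both. Nothing handles the case where filtering leaves no protocol (a default list of only `SSLv3` would yield an empty array and a socket that cannot negotiate anything), so at least log it. `s_logger` is `public` and unused; make it `private`, and give the class and both methods Javadoc stating the contract: SSLv3 and the SSLv2Hello pseudo-protocol are always dropped, everything else the provider enabled is kept in order, and `getSSLContext` always asks for a `TLSv1.2` context. The eight call sites in this commit all repeat `x.setEnabledProtocols(SSLUtils.getSupportedProtocols(x.getEnabledProtocols()))`; overloads taking an `SSLSocket`/`SSLEngine` would remove that duplication. The rewrite below needs `java.util.Arrays` and `java.util.LinkedHashSet` imported.

```java
public class SSLUtils {
    private static final Logger s_logger = Logger.getLogger(SSLUtils.class);

    /** Protocol names never enabled, whatever the JSSE defaults contain. */
    private static final Set<String> EXCLUDED_PROTOCOLS =
            new HashSet<String>(Arrays.asList("SSLv3", "SSLv2Hello"));

    /**
     * Returns {@code protocols} minus SSLv3 and SSLv2Hello, in the original order.
     * Callers pass {@code getEnabledProtocols()} of a socket or engine and feed the
     * result to {@code setEnabledProtocols}.
     */
    public static String[] getSupportedProtocols(String[] protocols) {
        // LinkedHashSet keeps the provider's order while dropping duplicates
        Set<String> kept = new LinkedHashSet<String>();
        for (String name : protocols) {
            if (!EXCLUDED_PROTOCOLS.contains(name)) {
                kept.add(name);
            }
        }
        if (kept.isEmpty()) {
            s_logger.warn("No TLS protocol left after filtering " + Arrays.toString(protocols));
        }
        return kept.toArray(new String[kept.size()]);
    }

    // … unchanged: getSSLContext() overloads …
}
```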
---------------------------------------------------------------------- diff --git a/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java b/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java index 52f0ea6..76ea8da 100644 --- a/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java +++ b/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java @@ -39,8 +39,11 @@ import java.net.UnknownHostException; import javax.net.SocketFactory; import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocket; import javax.net.ssl.TrustManager; +import org.apache.cloudstack.utils.security.SSLUtils; + import org.apache.commons.httpclient.ConnectTimeoutException; import org.apache.commons.httpclient.HttpClientError; import org.apache.commons.httpclient.params.HttpConnectionParams; @@ -111,7 +114,7 @@ public class EasySSLProtocolSocketFactory implements SecureProtocolSocketFactory private static SSLContext createEasySSLContext() { try { - SSLContext context = SSLContext.getInstance("SSL"); + SSLContext context = SSLUtils.getSSLContext(); context.init( null, new TrustManager[] {new EasyX509TrustManager(null)}, 
@@ -130,22 +133,11 @@ public class EasySSLProtocolSocketFactory implements SecureProtocolSocketFactory return this.sslcontext; } - /** - * @see SecureProtocolSocketFactory#createSocket(java.lang.String,int,java.net.InetAddress,int) - */ - public Socket createSocket( - String host, - int port, - InetAddress clientHost, - int clientPort) - throws IOException, UnknownHostException { - - return getSSLContext().getSocketFactory().createSocket( - host, - port, - clientHost, - clientPort - ); + @Override + public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort) throws IOException, UnknownHostException { + SSLSocket socket = (SSLSocket) getSSLContext().getSocketFactory().createSocket(host, port, clientHost, clientPort); + socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols())); + return socket; } /** @@ -159,8 +151,8 @@ public class EasySSLProtocolSocketFactory implements SecureProtocolSocketFactory * * @param host the host name/IP * @param port the port on the host - * @param clientHost the local host name/IP to bind the socket to - * @param clientPort the port on the local machine + * @param localAddress the local host name/IP to bind the socket to + * @param localPort the port on the local machine * @param params {@link HttpConnectionParams Http connection parameters} * * @return Socket a new socket @@ -184,7 +176,8 @@ public class EasySSLProtocolSocketFactory implements SecureProtocolSocketFactory if (timeout == 0) { return socketfactory.createSocket(host, port, localAddress, localPort); } else { - Socket socket = socketfactory.createSocket(); + SSLSocket socket = (SSLSocket) socketfactory.createSocket(); + socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols())); SocketAddress localaddr = new InetSocketAddress(localAddress, localPort); SocketAddress remoteaddr = new InetSocketAddress(host, port); socket.bind(localaddr); 
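Review bot: In the `@@ -184` hunk the `timeout == 0` branch still returns `socketfactory.createSocket(host, port, localAddress, localPort)` untouched, so sockets created without a connect timeout never get the `SSLUtils.getSupportedProtocols` filter that the `else` branch and the other `createSocket` overloads now apply. Cast and filter it the same way: `SSLSocket socket = (SSLSocket) socketfactory.createSocket(host, port, localAddress, localPort); socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols())); return socket;`. The method's signature and the remainder of its connect logic lie outside the hunk.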
@@ -193,32 +186,16 @@ public class EasySSLProtocolSocketFactory implements SecureProtocolSocketFactory } } - /** - * @see SecureProtocolSocketFactory#createSocket(java.lang.String,int) - */ - public Socket createSocket(String host, int port) - throws IOException, UnknownHostException { - return getSSLContext().getSocketFactory().createSocket( - host, - port - ); + public Socket createSocket(String host, int port) throws IOException, UnknownHostException { + SSLSocket socket = (SSLSocket) getSSLContext().getSocketFactory().createSocket(host, port); + socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols())); + return socket; } - /** - * @see SecureProtocolSocketFactory#createSocket(java.net.Socket,java.lang.String,int,boolean) - */ - public Socket createSocket( - Socket socket, - String host, - int port, - boolean autoClose) - throws IOException, UnknownHostException { - return getSSLContext().getSocketFactory().createSocket( - socket, - host, - port, - autoClose - ); + public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException, UnknownHostException { + SSLSocket s= (SSLSocket) getSSLContext().getSocketFactory().createSocket(socket, host, port, autoClose); + s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols())); + return s; } public boolean equals(Object obj) { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java ---------------------------------------------------------------------- diff --git a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java index f196697..49512c0 100644 --- a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java +++ b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java 
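Review bot: The two rewritten `createSocket` overloads drop their `@see SecureProtocolSocketFactory#createSocket(...)` Javadoc and carry no `@Override`, while the four-argument overload rewritten in the previous hunk did get `@Override`; adding `@Override` to both keeps the compiler checking that they still implement the interface, and a one-line Javadoc per overload preserving the `@see` reference costs nothing. Minor: `SSLSocket s= (SSLSocket)` should read `SSLSocket s = (SSLSocket)`, and `s` could be named `sslSocket` so it is not confused with the `socket` parameter it wraps.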
@@ -32,6 +32,8 @@ import javax.xml.ws.WebServiceException; import org.apache.log4j.Logger; +import org.apache.cloudstack.utils.security.SSLUtils; + import com.vmware.vim25.DynamicProperty; import com.vmware.vim25.InvalidCollectorVersionFaultMsg; import com.vmware.vim25.InvalidPropertyFaultMsg; @@ -103,7 +105,7 @@ public class VmwareClient { javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1]; javax.net.ssl.TrustManager tm = new TrustAllTrustManager(); trustAllCerts[0] = tm; - javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("SSL"); + javax.net.ssl.SSLContext sc = SSLUtils.getSSLContext(); javax.net.ssl.SSLSessionContext sslsc = sc.getServerSessionContext(); sslsc.setSessionTimeout(0); sc.init(null, trustAllCerts, null); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java ---------------------------------------------------------------------- diff --git a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java index eefb7cb..3182acc 100755 --- a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java +++ b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java @@ -40,6 +40,7 @@ import javax.net.ssl.SSLSession; import javax.xml.ws.soap.SOAPFaultException; import org.apache.log4j.Logger; +import org.apache.cloudstack.utils.security.SSLUtils; import com.cloud.hypervisor.vmware.mo.DatacenterMO; import com.cloud.hypervisor.vmware.mo.DatastoreFile; 
@@ -77,7 +78,7 @@ public class VmwareContext { javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1]; javax.net.ssl.TrustManager tm = new TrustAllManager(); trustAllCerts[0] = tm; - javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("SSL"); + javax.net.ssl.SSLContext sc = SSLUtils.getSSLContext(); sc.init(null, trustAllCerts, null); javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
