Disallow SSLv3 by default in Jetty
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/990f4b1d
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/990f4b1d
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/990f4b1d
Branch: refs/heads/master
Commit: 990f4b1d594c8f1446d42a516eaef82020df2747
Parents: 60af486
Author: Colm O hEigeartaigh <[email protected]>
Authored: Mon Oct 20 12:13:25 2014 +0100
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Mon Oct 20 16:11:43 2014 +0100
----------------------------------------------------------------------
.../http_jetty/JettyHTTPServerEngine.java | 4 +
.../org/apache/cxf/systest/ws/ssl/SSLTest.java | 142 +++++++++++++++++++
.../org/apache/cxf/systest/ws/ssl/Server.java | 47 ++++++
.../apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl | 109 ++++++++++++++
.../org/apache/cxf/systest/ws/ssl/client.xml | 34 +++++
.../org/apache/cxf/systest/ws/ssl/server.xml | 69 +++++++++
6 files changed, 405 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/990f4b1d/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
index 9716646..6fc1f41 100644
--- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
+++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
@@ -671,6 +671,10 @@ public class JettyHTTPServerEngine
protected SSLContext createSSLContext(SslContextFactory scf) throws Exception {
String proto = tlsServerParameters.getSecureSocketProtocol() == null
? "TLS" : tlsServerParameters.getSecureSocketProtocol();
+
+ if (!"SSLv3".equals(proto)) {
+ scf.addExcludeProtocols("SSLv3");
+ }
SSLContext context = tlsServerParameters.getJsseProvider() == null
? SSLContext.getInstance(proto)
http://git-wip-us.apache.org/repos/asf/cxf/blob/990f4b1d/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/SSLTest.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/SSLTest.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/SSLTest.java
new file mode 100644
index 0000000..47c240d
--- /dev/null
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/SSLTest.java
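Review bot: The new guard encodes a policy — SSLv3 is excluded unless it is the protocol the user explicitly configured — but nothing in the code says so, and a reader seeing `"SSLv3".equals(proto)` next to `SSLContext.getInstance(proto)` may assume the SSLContext alone decides which protocols are enabled. Add above the `if`: `// Exclude SSLv3 at the Jetty level unless it was explicitly configured as the secure socket protocol; the SSLContext created below ("TLS" by default) may still list SSLv3 as enabled on some JDKs, so the exclude list is what enforces this`. This relies on SslContextFactory applying its exclude list to the engines it creates, which is not visible here and should be confirmed. createSSLContext continues past the end of the hunk.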
@@ -0,0 +1,142 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.cxf.systest.ws.ssl; + +import java.io.IOException; +import java.net.URL; + +import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.HttpsURLConnection; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSession; +import javax.net.ssl.TrustManager; + +import org.apache.cxf.Bus; +import org.apache.cxf.bus.spring.SpringBusFactory; +import org.apache.cxf.common.logging.LogUtils; +import org.apache.cxf.configuration.jsse.SSLUtils; +import org.apache.cxf.systest.ws.common.SecurityTestUtil; +import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase; +import org.junit.BeforeClass; + +/** + * A set of tests SSL protocol support. 
+ */ +public class SSLTest extends AbstractBusClientServerTestBase { + static final String PORT = allocatePort(Server.class); + static final String PORT2 = allocatePort(Server.class, 2); + + @BeforeClass + public static void startServers() throws Exception { + assertTrue( + "Server failed to launch", + // run the server in the same process + // set this to false to fork + launchServer(Server.class, true) + ); + } + + public static void cleanup() throws Exception { + SecurityTestUtil.cleanup(); + stopAllServers(); + } + + @org.junit.Test + public void testSSLv3NotAllowed() throws Exception { + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = SSLTest.class.getResource("client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + System.setProperty("https.protocols", "SSLv3"); + + URL service = new URL("https://localhost:" + PORT); + HttpsURLConnection connection = (HttpsURLConnection) service.openConnection(); + + connection.setHostnameVerifier(new DisableCNCheckVerifier()); + + SSLContext sslContext = SSLContext.getInstance("SSL"); + URL keystore = SSLTest.class.getResource("../security/Truststore.jks"); + TrustManager[] trustManagers = + SSLUtils.getTrustStoreManagers(false, "jks", keystore.getPath(), + "PKIX", LogUtils.getL7dLogger(SSLTest.class)); + sslContext.init(null, trustManagers, new java.security.SecureRandom()); + + connection.setSSLSocketFactory(sslContext.getSocketFactory()); + + try { + connection.connect(); + fail("Failure expected on an SSLv3 connection attempt"); + } catch (IOException ex) { + // expected + } + + System.clearProperty("https.protocols"); + + bus.shutdown(true); + } + + @org.junit.Test + public void testSSLv3Allowed() throws Exception { + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = SSLTest.class.getResource("client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + 
SpringBusFactory.setThreadDefaultBus(bus); + + System.setProperty("https.protocols", "SSLv3"); + + URL service = new URL("https://localhost:" + PORT2); + HttpsURLConnection connection = (HttpsURLConnection) service.openConnection(); + + connection.setHostnameVerifier(new DisableCNCheckVerifier()); + + SSLContext sslContext = SSLContext.getInstance("SSL"); + URL keystore = SSLTest.class.getResource("../security/Truststore.jks"); + TrustManager[] trustManagers = + SSLUtils.getTrustStoreManagers(false, "jks", keystore.getPath(), + "PKIX", LogUtils.getL7dLogger(SSLTest.class)); + sslContext.init(null, trustManagers, new java.security.SecureRandom()); + + connection.setSSLSocketFactory(sslContext.getSocketFactory()); + + connection.connect(); + + connection.disconnect(); + + System.clearProperty("https.protocols"); + + bus.shutdown(true); + } + + private static final class DisableCNCheckVerifier implements HostnameVerifier { + + @Override + public boolean verify(String arg0, SSLSession arg1) { + return true; + } + + }; +} http://git-wip-us.apache.org/repos/asf/cxf/blob/990f4b1d/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/Server.java ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/Server.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/Server.java new file mode 100644 index 0000000..ce169c3 --- /dev/null +++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/Server.java 
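Review bot: `cleanup()` is never invoked because it carries no `@AfterClass` annotation, so the servers launched in `startServers` are not stopped when this class finishes; add `@org.junit.AfterClass` above `public static void cleanup() throws Exception {`. In both tests the JVM-wide `System.setProperty("https.protocols", "SSLv3")` is cleared only on the success path, so a failing `connect()` in `testSSLv3Allowed` or a failed assertion in `testSSLv3NotAllowed` leaks the property into later tests in the same JVM; the `System.clearProperty` and `bus.shutdown(true)` calls belong in a `finally` wrapping the connection code. The `;` after the closing brace of `DisableCNCheckVerifier` is a stray empty declaration and can be dropped.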
@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.ws.ssl;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class Server extends AbstractBusTestServerBase {
+
+ public Server() {
+
+ }
+
+ protected void run() {
+ URL busFile = Server.class.getResource("server.xml");
+ Bus busLocal = new SpringBusFactory().createBus(busFile);
+ BusFactory.setDefaultBus(busLocal);
+ setBus(busLocal);
+
+ try {
+ new Server();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/990f4b1d/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl
new file mode 100644
index 0000000..ed021f4
--- /dev/null
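Review bot: The `try { new Server(); } catch (Exception e)` block at the end of `run()` constructs a second `Server` whose constructor is empty, so it does nothing and the `catch` can never be reached; the endpoints are published by the bus created from `server.xml` just above, so the block looks like a leftover from other system-test servers and can be removed. If it is kept for some reason, `e.printStackTrace()` should be replaced by rethrowing as a `RuntimeException` so a failed server start fails the test rather than being printed and ignored. `run()` presumably overrides the base-class method and should carry `@Override`.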
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl 
@@ -0,0 +1,109 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<wsdl:definitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://www.example.org/contract/DoubleIt" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsaws="http://www.w3.org/2005/08/addressing" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802" name="DoubleIt" targetNamespace="http://www.example.org/contract/DoubleIt"> + <wsdl:import location="src/test/resources/DoubleItLogical.wsdl" namespace="http://www.example.org/contract/DoubleIt"/> + <wsdl:binding name="DoubleItPlaintextBinding" type="tns:DoubleItPortType"> + <wsp:PolicyReference URI="#DoubleItPlaintextPolicy"/> + <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/> + <wsdl:operation name="DoubleIt"> + <soap:operation soapAction=""/> + <wsdl:input> + <soap:body use="literal"/> + <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/> + 
</wsdl:input> + <wsdl:output> + <soap:body use="literal"/> + <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/> + </wsdl:output> + <wsdl:fault name="DoubleItFault"> + <soap:body use="literal" name="DoubleItFault"/> + </wsdl:fault> + </wsdl:operation> + </wsdl:binding> + <wsdl:service name="DoubleItService"> + <wsdl:port name="DoubleItPlaintextPort" binding="tns:DoubleItPlaintextBinding"> + <soap:address location="https://localhost:9009/DoubleItUTPlaintext"/> + </wsdl:port> + <wsdl:port name="DoubleItPlaintextPort2" binding="tns:DoubleItPlaintextBinding"> + <soap:address location="https://localhost:9009/DoubleItUTPlaintext2"/> + </wsdl:port> + </wsdl:service> + <wsp:Policy wsu:Id="DoubleItPlaintextPolicy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:TransportBinding> + <wsp:Policy> + <sp:TransportToken> + <wsp:Policy> + <sp:HttpsToken> + <wsp:Policy/> + </sp:HttpsToken> + </wsp:Policy> + </sp:TransportToken> + <sp:Layout> + <wsp:Policy> + <sp:Lax/> + </wsp:Policy> + </sp:Layout> + <sp:IncludeTimestamp/> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:Basic128/> + </wsp:Policy> + </sp:AlgorithmSuite> + </wsp:Policy> + </sp:TransportBinding> + <sp:SupportingTokens> + <wsp:Policy> + <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> + <wsp:Policy> + <sp:WssUsernameToken10/> + </wsp:Policy> + </sp:UsernameToken> + </wsp:Policy> + </sp:SupportingTokens> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:EncryptedParts> + <sp:Body/> + </sp:EncryptedParts> + <sp:SignedParts> + <sp:Body/> + </sp:SignedParts> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Output_Policy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:EncryptedParts> + <sp:Body/> + </sp:EncryptedParts> + <sp:SignedParts> + <sp:Body/> + </sp:SignedParts> + </wsp:All> + </wsp:ExactlyOne> + 
</wsp:Policy> +</wsdl:definitions> http://git-wip-us.apache.org/repos/asf/cxf/blob/990f4b1d/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/client.xml ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/client.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/client.xml new file mode 100644 index 0000000..d6bbe97 --- /dev/null +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/client.xml 
@@ -0,0 +1,34 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:cxf="http://cxf.apache.org/core" xmlns:p="http://cxf.apache.org/policy" xmlns:sec="http://cxf.apache.org/configuration/security" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/policy http://cxf.apache.org/schemas/poli cy.xsd"> + <cxf:bus> + <cxf:features> + <p:policies/> + <cxf:logging/> + </cxf:features> + </cxf:bus> + <http:conduit name="https://localhost:.*"> + <http:tlsClientParameters disableCNCheck="true"> + <sec:trustManagers> + <sec:keyStore type="jks" 
password="password" resource="org/apache/cxf/systest/ws/security/Truststore.jks"/> + </sec:trustManagers> + </http:tlsClientParameters> + </http:conduit> +</beans> http://git-wip-us.apache.org/repos/asf/cxf/blob/990f4b1d/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/server.xml ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/server.xml new file mode 100644 index 0000000..d1593b9 --- /dev/null +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/server.xml 
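Review bot: The `http:conduit` block (`disableCNCheck="true"` plus the trust store) is not exercised by either test in SSLTest, which open a raw `HttpsURLConnection` with their own `SSLContext` and hostname verifier, so a reader may wrongly assume this conduit is what makes the SSLv3 checks pass. Either drop the conduit or add a comment above it, e.g. `<!-- Not used by SSLTest, which configures HttpsURLConnection directly; kept for CXF clients added to this package later -->`. This assumes no other test in the package uses the bus for HTTPS calls, which cannot be confirmed from this change.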
@@ -0,0 +1,69 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:cxf="http://cxf.apache.org/core" xmlns:p="http://cxf.apache.org/policy" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd http://cxf.apa che.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd "> + <bean 
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/> + <cxf:bus> + <cxf:features> + <p:policies/> + <cxf:logging/> + </cxf:features> + </cxf:bus> + + <httpj:engine-factory id="default-tls-settings"> + <httpj:engine port="${testutil.ports.Server}"> + <httpj:tlsServerParameters> + <sec:keyManagers keyPassword="password"> + <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Bethal.jks"/> + </sec:keyManagers> + <sec:trustManagers> + <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Truststore.jks"/> + </sec:trustManagers> + <sec:clientAuthentication want="true" required="false"/> + </httpj:tlsServerParameters> + </httpj:engine> + </httpj:engine-factory> + + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Plaintext" address="https://localhost:${testutil.ports.Server}/DoubleItUTPlaintext" serviceName="s:DoubleItService" endpointName="s:DoubleItPlaintextPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl" depends-on="default-tls-settings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/> + </jaxws:properties> + </jaxws:endpoint> + + <httpj:engine-factory id="allow-sslv3-settings"> + <httpj:engine port="${testutil.ports.Server.2}"> + <httpj:tlsServerParameters secureSocketProtocol="SSLv3" > + <sec:keyManagers keyPassword="password"> + <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Bethal.jks"/> + </sec:keyManagers> + <sec:trustManagers> + <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Truststore.jks"/> + </sec:trustManagers> + <sec:clientAuthentication want="true" required="false"/> + </httpj:tlsServerParameters> + </httpj:engine> + </httpj:engine-factory> + + <jaxws:endpoint 
xmlns:s="http://www.example.org/contract/DoubleIt" id="Plaintext2" address="https://localhost:${testutil.ports.Server.2}/DoubleItUTPlaintext2" serviceName="s:DoubleItService" endpointName="s:DoubleItPlaintextPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl" depends-on="allow-sslv3-settings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/> + </jaxws:properties> + </jaxws:endpoint> + +</beans>
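Review bot: The `allow-sslv3-settings` engine deliberately opts back into SSLv3 via `secureSocketProtocol="SSLv3"`, but nothing marks it as a test-only fixture, and systest resources are routinely copied as reference configurations. Add a comment above that `httpj:engine-factory`: `<!-- Intentionally re-enables SSLv3 so SSLTest.testSSLv3Allowed can verify the explicit opt-in; do not use as a reference configuration -->`. The same applies to the first engine, which could note that it relies on the new default exclusion of SSLv3 rather than configuring it.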
