Author: rgodfrey
Date: Thu Oct 16 16:12:35 2014
New Revision: 1632376

URL: http://svn.apache.org/r1632376
Log:
QPID-6156 : tidy up and ensure that there is no chance of inadvertently adding
a previously unenabled but supported protocol that is not SSLv3

Modified:
    
qpid/trunk/qpid/java/amqp-1-0-client-websocket/src/main/java/org/apache/qpid/amqp_1_0/client/websocket/WebSocketProvider.java
    
qpid/trunk/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/SSLUtil.java
    
qpid/trunk/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/TCPTransportProvier.java
    
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java

Modified: 
qpid/trunk/qpid/java/amqp-1-0-client-websocket/src/main/java/org/apache/qpid/amqp_1_0/client/websocket/WebSocketProvider.java
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/amqp-1-0-client-websocket/src/main/java/org/apache/qpid/amqp_1_0/client/websocket/WebSocketProvider.java?rev=1632376&r1=1632375&r2=1632376&view=diff
==============================================================================
--- 
qpid/trunk/qpid/java/amqp-1-0-client-websocket/src/main/java/org/apache/qpid/amqp_1_0/client/websocket/WebSocketProvider.java
 (original)
+++ 
qpid/trunk/qpid/java/amqp-1-0-client-websocket/src/main/java/org/apache/qpid/amqp_1_0/client/websocket/WebSocketProvider.java
 Thu Oct 16 16:12:35 2014
@@ -33,6 +33,7 @@ import org.eclipse.jetty.websocket.WebSo
 import org.eclipse.jetty.websocket.WebSocketClientFactory;
 
 import org.apache.qpid.amqp_1_0.client.ConnectionException;
+import org.apache.qpid.amqp_1_0.client.SSLUtil;
 import org.apache.qpid.amqp_1_0.client.TransportProvider;
 import org.apache.qpid.amqp_1_0.codec.FrameWriter;
 import org.apache.qpid.amqp_1_0.framing.AMQFrame;
@@ -71,7 +72,7 @@ class WebSocketProvider implements Trans
 
 
             sslContextFactory.setSslContext(context);
-            sslContextFactory.addExcludeProtocols("SSLv3");
+            sslContextFactory.addExcludeProtocols(SSLUtil.SSLV3_PROTOCOL);
             factory.start();
 
             return factory;

Modified: 
qpid/trunk/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/SSLUtil.java
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/SSLUtil.java?rev=1632376&r1=1632375&r2=1632376&view=diff
==============================================================================
--- 
qpid/trunk/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/SSLUtil.java
 (original)
+++ 
qpid/trunk/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/SSLUtil.java
 Thu Oct 16 16:12:35 2014
@@ -20,13 +20,6 @@
  */
 package org.apache.qpid.amqp_1_0.client;
 
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLEngine;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.X509ExtendedKeyManager;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
@@ -37,10 +30,23 @@ import java.security.KeyStore;
 import java.security.Principal;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509ExtendedKeyManager;
 
 public class SSLUtil
 {
     public static final String TRANSPORT_LAYER_SECURITY_CODE = "TLS";
+    public static final String SSLV3_PROTOCOL = "SSLv3";
 
     public static SSLContext buildSslContext(final String certAlias,
                                              final String keyStorePath,
@@ -212,4 +218,16 @@ public class SSLUtil
             return delegate.chooseEngineServerAlias(keyType, issuers, engine);
         }
     }
+
+    public static void removeSSLv3Support(final SSLSocket socket)
+    {
+        List<String> enabledProtocols = 
Arrays.asList(socket.getEnabledProtocols());
+        if(enabledProtocols.contains(SSLV3_PROTOCOL))
+        {
+            List<String> allowedProtocols = new ArrayList<>(enabledProtocols);
+            allowedProtocols.remove(SSLV3_PROTOCOL);
+            socket.setEnabledProtocols(allowedProtocols.toArray(new 
String[allowedProtocols.size()]));
+        }
+    }
+
 }
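Review bot: The new `removeSSLv3Support(SSLSocket)` has no Javadoc and is a line-for-line copy of the same-named overload in common's SSLUtil (also changed in this commit); if the amqp-1-0-client module cannot depend on common, a one-line comment saying so would stop the next reader from trying to merge them. A Javadoc such as `/** Removes SSLv3 from the socket's currently enabled protocols, leaving the rest of the enabled set untouched; a no-op if SSLv3 is not enabled. Call before the handshake. */` would state the contract the method now has. The `Arrays.asList` result is a fixed-size view, which is why the `new ArrayList<>(enabledProtocols)` copy precedes `remove`; a short comment there (`// copy: Arrays.asList is fixed-size, remove() would throw`) would keep someone from "simplifying" it into an UnsupportedOperationException.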

Modified: 
qpid/trunk/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/TCPTransportProvier.java
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/TCPTransportProvier.java?rev=1632376&r1=1632375&r2=1632376&view=diff
==============================================================================
--- 
qpid/trunk/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/TCPTransportProvier.java
 (original)
+++ 
qpid/trunk/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/TCPTransportProvier.java
 Thu Oct 16 16:12:35 2014
@@ -26,9 +26,6 @@ import java.io.OutputStream;
 import java.net.Socket;
 import java.net.SocketTimeoutException;
 import java.nio.ByteBuffer;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
 import java.util.concurrent.atomic.AtomicLong;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -77,15 +74,8 @@ class TCPTransportProvier implements Tra
             if(sslContext != null)
             {
                 final SSLSocketFactory socketFactory = 
sslContext.getSocketFactory();
-
                 SSLSocket sslSocket = (SSLSocket) 
socketFactory.createSocket(address, port);
-                List<String> supportedProtocols = 
Arrays.asList(sslSocket.getSupportedProtocols());
-                if(supportedProtocols.contains("SSLv3"))
-                {
-                    List<String> allowedProtocols = new 
ArrayList<>(supportedProtocols);
-                    allowedProtocols.remove("SSLv3");
-                    sslSocket.setEnabledProtocols(allowedProtocols.toArray(new 
String[allowedProtocols.size()]));
-                }
+                SSLUtil.removeSSLv3Support(sslSocket);
                 sslSocket.startHandshake();
                 
conn.setExternalPrincipal(sslSocket.getSession().getLocalPrincipal());
                 _socket=sslSocket;
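Review bot: The new call `SSLUtil.removeSSLv3Support(sslSocket);` is order-sensitive: it has to run before `sslSocket.startHandshake()`, because protocol changes made after a handshake only take effect on later handshakes, and nothing in the code records that constraint. Suggest a comment on the call, e.g. `// must precede startHandshake(): the enabled-protocol list is applied at handshake time`. If SSLv3 were the only enabled protocol the enabled set becomes empty and the handshake presumably fails rather than falling back, which is the intended fail-closed outcome but worth a sentence in the method's Javadoc. The enclosing method starts and ends outside this hunk.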

Modified: 
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java?rev=1632376&r1=1632375&r2=1632376&view=diff
==============================================================================
--- 
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
 (original)
+++ 
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
 Thu Oct 16 16:12:35 2014
@@ -250,10 +250,10 @@ public class SSLUtil
 
     public static void removeSSLv3Support(final SSLEngine engine)
     {
-        List<String> supportedProtocols = 
Arrays.asList(engine.getSupportedProtocols());
-        if(supportedProtocols.contains(SSLV3_PROTOCOL))
+        List<String> enabledProtocols = 
Arrays.asList(engine.getEnabledProtocols());
+        if(enabledProtocols.contains(SSLV3_PROTOCOL))
         {
-            List<String> allowedProtocols = new 
ArrayList<>(supportedProtocols);
+            List<String> allowedProtocols = new ArrayList<>(enabledProtocols);
             allowedProtocols.remove(SSLV3_PROTOCOL);
             engine.setEnabledProtocols(allowedProtocols.toArray(new 
String[allowedProtocols.size()]));
         }
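Review bot: The three `removeSSLv3Support` overloads (this hunk, and the SSLSocket and SSLServerSocket ones in the next two hunks) now carry the same eight-line body, differing only in which object `getEnabledProtocols`/`setEnabledProtocols` is called on; the switch from supported to enabled protocols had to be made three times in this commit, which is exactly the kind of drift the bug came from. Factoring the list manipulation into one private helper leaves each overload as a get/filter/set, so a future change (another protocol to drop, say) is made once. The helper keeps the existing "only call set when something changed" behaviour by comparing lengths rather than returning null.
```java
    public static void removeSSLv3Support(final SSLEngine engine)
    {
        final String[] enabled = engine.getEnabledProtocols();
        final String[] allowed = withoutSSLv3(enabled);
        if (allowed.length != enabled.length)
        {
            engine.setEnabledProtocols(allowed);
        }
    }

    // … the SSLSocket and SSLServerSocket overloads follow the same get/filter/set shape …

    /**
     * Returns {@code enabledProtocols} with SSLv3 removed. Only the currently
     * enabled list is consulted, never {@code getSupportedProtocols()}, so no
     * previously disabled protocol is switched on as a side effect.
     */
    private static String[] withoutSSLv3(final String[] enabledProtocols)
    {
        // copy: Arrays.asList is a fixed-size view and remove() would throw
        final List<String> allowed = new ArrayList<>(Arrays.asList(enabledProtocols));
        allowed.remove(SSLV3_PROTOCOL);
        return allowed.toArray(new String[allowed.size()]);
    }
```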
@@ -261,10 +261,10 @@ public class SSLUtil
 
     public static void removeSSLv3Support(final SSLSocket socket)
     {
-        List<String> supportedProtocols = 
Arrays.asList(socket.getSupportedProtocols());
-        if(supportedProtocols.contains(SSLV3_PROTOCOL))
+        List<String> enabledProtocols = 
Arrays.asList(socket.getEnabledProtocols());
+        if(enabledProtocols.contains(SSLV3_PROTOCOL))
         {
-            List<String> allowedProtocols = new 
ArrayList<>(supportedProtocols);
+            List<String> allowedProtocols = new ArrayList<>(enabledProtocols);
             allowedProtocols.remove(SSLV3_PROTOCOL);
             socket.setEnabledProtocols(allowedProtocols.toArray(new 
String[allowedProtocols.size()]));
         }
@@ -273,10 +273,10 @@ public class SSLUtil
 
     public static void removeSSLv3Support(final SSLServerSocket socket)
     {
-        List<String> supportedProtocols = 
Arrays.asList(socket.getSupportedProtocols());
-        if(supportedProtocols.contains(SSLV3_PROTOCOL))
+        List<String> enabledProtocols = 
Arrays.asList(socket.getEnabledProtocols());
+        if(enabledProtocols.contains(SSLV3_PROTOCOL))
         {
-            List<String> allowedProtocols = new 
ArrayList<>(supportedProtocols);
+            List<String> allowedProtocols = new ArrayList<>(enabledProtocols);
             allowedProtocols.remove(SSLV3_PROTOCOL);
             socket.setEnabledProtocols(allowedProtocols.toArray(new 
String[allowedProtocols.size()]));
         }


