Author: rgodfrey Date: Thu Oct 16 16:12:35 2014 New Revision: 1632376 URL: http://svn.apache.org/r1632376 Log: QPID-6156 : tidy up and ensure that there is no chance of inadvertently adding a previously unenabled but supported protocol that is not SSLv3
Modified: qpid/trunk/qpid/java/amqp-1-0-client-websocket/src/main/java/org/apache/qpid/amqp_1_0/client/websocket/WebSocketProvider.java qpid/trunk/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/SSLUtil.java qpid/trunk/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/TCPTransportProvier.java qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java Modified: qpid/trunk/qpid/java/amqp-1-0-client-websocket/src/main/java/org/apache/qpid/amqp_1_0/client/websocket/WebSocketProvider.java URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/amqp-1-0-client-websocket/src/main/java/org/apache/qpid/amqp_1_0/client/websocket/WebSocketProvider.java?rev=1632376&r1=1632375&r2=1632376&view=diff ============================================================================== --- qpid/trunk/qpid/java/amqp-1-0-client-websocket/src/main/java/org/apache/qpid/amqp_1_0/client/websocket/WebSocketProvider.java (original) +++ qpid/trunk/qpid/java/amqp-1-0-client-websocket/src/main/java/org/apache/qpid/amqp_1_0/client/websocket/WebSocketProvider.java Thu Oct 16 16:12:35 2014 @@ -33,6 +33,7 @@ import org.eclipse.jetty.websocket.WebSo import org.eclipse.jetty.websocket.WebSocketClientFactory; import org.apache.qpid.amqp_1_0.client.ConnectionException; +import org.apache.qpid.amqp_1_0.client.SSLUtil; import org.apache.qpid.amqp_1_0.client.TransportProvider; import org.apache.qpid.amqp_1_0.codec.FrameWriter; import org.apache.qpid.amqp_1_0.framing.AMQFrame; 
@@ -71,7 +72,7 @@ class WebSocketProvider implements Trans sslContextFactory.setSslContext(context); - sslContextFactory.addExcludeProtocols("SSLv3"); + sslContextFactory.addExcludeProtocols(SSLUtil.SSLV3_PROTOCOL); factory.start(); return factory; Modified: qpid/trunk/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/SSLUtil.java URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/SSLUtil.java?rev=1632376&r1=1632375&r2=1632376&view=diff ============================================================================== --- qpid/trunk/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/SSLUtil.java (original) +++ qpid/trunk/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/SSLUtil.java Thu Oct 16 16:12:35 2014 @@ -20,13 +20,6 @@ */ package org.apache.qpid.amqp_1_0.client; -import javax.net.ssl.KeyManager; -import javax.net.ssl.KeyManagerFactory; -import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLEngine; -import javax.net.ssl.TrustManager; -import javax.net.ssl.TrustManagerFactory; -import javax.net.ssl.X509ExtendedKeyManager; import java.io.File; import java.io.FileInputStream; import java.io.IOException; 
@@ -37,10 +30,23 @@ import java.security.KeyStore; import java.security.Principal; import java.security.PrivateKey; import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; + +import javax.net.ssl.KeyManager; +import javax.net.ssl.KeyManagerFactory; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLSocket; +import javax.net.ssl.TrustManager; +import javax.net.ssl.TrustManagerFactory; +import javax.net.ssl.X509ExtendedKeyManager; public class SSLUtil { public static final String TRANSPORT_LAYER_SECURITY_CODE = "TLS"; + public static final String SSLV3_PROTOCOL = "SSLv3"; public static SSLContext buildSslContext(final String certAlias, final String keyStorePath, @@ -212,4 +218,16 @@ public class SSLUtil return delegate.chooseEngineServerAlias(keyType, issuers, engine); } } + + public static void removeSSLv3Support(final SSLSocket socket) + { + List<String> enabledProtocols = Arrays.asList(socket.getEnabledProtocols()); + if(enabledProtocols.contains(SSLV3_PROTOCOL)) + { + List<String> allowedProtocols = new ArrayList<>(enabledProtocols); + allowedProtocols.remove(SSLV3_PROTOCOL); + socket.setEnabledProtocols(allowedProtocols.toArray(new String[allowedProtocols.size()])); + } + } + } Modified: qpid/trunk/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/TCPTransportProvier.java URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/TCPTransportProvier.java?rev=1632376&r1=1632375&r2=1632376&view=diff ============================================================================== --- qpid/trunk/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/TCPTransportProvier.java (original) +++ qpid/trunk/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/TCPTransportProvier.java Thu Oct 16 16:12:35 2014 
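Review bot: The new `removeSSLv3Support(SSLSocket)` has no Javadoc, and the reason it reads `getEnabledProtocols()` rather than `getSupportedProtocols()` is the whole point of this commit, so it deserves a why-comment on that line: `// Start from the enabled set, not the supported set: the JDK supports protocols it disables by default, and copying the supported list would switch them on as a side effect of dropping SSLv3.` Two behaviours are worth stating in the method's Javadoc too: it is a no-op when SSLv3 is not enabled, and if SSLv3 were the only enabled protocol the socket is left with an empty enabled set, which presumably makes the handshake fail closed rather than negotiate anything else — confirm that is intended. If the JDK also reports `SSLv2Hello` as enabled on this socket it is left in place; whether that matters depends on the peers, but this helper is where a second exclusion would go. The method duplicates the `SSLSocket` overload in the common module's `SSLUtil`; if the module boundary prevents sharing, a one-line comment saying so would stop the next reader from trying to unify them.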
@@ -26,9 +26,6 @@ import java.io.OutputStream; import java.net.Socket; import java.net.SocketTimeoutException; import java.nio.ByteBuffer; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.List; import java.util.concurrent.atomic.AtomicLong; import java.util.logging.Level; import java.util.logging.Logger; @@ -77,15 +74,8 @@ class TCPTransportProvier implements Tra if(sslContext != null) { final SSLSocketFactory socketFactory = sslContext.getSocketFactory(); - SSLSocket sslSocket = (SSLSocket) socketFactory.createSocket(address, port); - List<String> supportedProtocols = Arrays.asList(sslSocket.getSupportedProtocols()); - if(supportedProtocols.contains("SSLv3")) - { - List<String> allowedProtocols = new ArrayList<>(supportedProtocols); - allowedProtocols.remove("SSLv3"); - sslSocket.setEnabledProtocols(allowedProtocols.toArray(new String[allowedProtocols.size()])); - } + SSLUtil.removeSSLv3Support(sslSocket); sslSocket.startHandshake(); conn.setExternalPrincipal(sslSocket.getSession().getLocalPrincipal()); _socket=sslSocket; Modified: qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java?rev=1632376&r1=1632375&r2=1632376&view=diff ============================================================================== --- qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java (original) +++ qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java Thu Oct 16 16:12:35 2014 
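Review bot: The declaration `SSLSocket sslSocket = (SSLSocket) socketFactory.createSocket(address, port);` is on a removed line of this hunk, yet the added `SSLUtil.removeSSLv3Support(sslSocket);` and the retained `sslSocket.startHandshake();` and `_socket=sslSocket;` still use it; unless `sslSocket` is declared earlier in the method (which starts outside the hunk) or the `-` marker is an artefact of this listing, the file no longer compiles. The hunk header's counts (15 old lines, 8 new) match eight removed lines and one added, so the removal looks real rather than a transcription error. Keep the declaration as a context line, so the new body reads `SSLSocket sslSocket = (SSLSocket) socketFactory.createSocket(address, port);` followed by `SSLUtil.removeSSLv3Support(sslSocket);`. Separately, nothing visible here sets an endpoint-identification algorithm on the socket before `startHandshake()`, so dropping SSLv3 does not by itself protect this client against a certificate issued to a different host; that predates this commit and may be handled by the trust manager behind `sslContext`, but it is worth checking.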
@@ -250,10 +250,10 @@ public class SSLUtil public static void removeSSLv3Support(final SSLEngine engine) { - List<String> supportedProtocols = Arrays.asList(engine.getSupportedProtocols()); - if(supportedProtocols.contains(SSLV3_PROTOCOL)) + List<String> enabledProtocols = Arrays.asList(engine.getEnabledProtocols()); + if(enabledProtocols.contains(SSLV3_PROTOCOL)) { - List<String> allowedProtocols = new ArrayList<>(supportedProtocols); + List<String> allowedProtocols = new ArrayList<>(enabledProtocols); allowedProtocols.remove(SSLV3_PROTOCOL); engine.setEnabledProtocols(allowedProtocols.toArray(new String[allowedProtocols.size()])); } @@ -261,10 +261,10 @@ public class SSLUtil public static void removeSSLv3Support(final SSLSocket socket) { - List<String> supportedProtocols = Arrays.asList(socket.getSupportedProtocols()); - if(supportedProtocols.contains(SSLV3_PROTOCOL)) + List<String> enabledProtocols = Arrays.asList(socket.getEnabledProtocols()); + if(enabledProtocols.contains(SSLV3_PROTOCOL)) { - List<String> allowedProtocols = new ArrayList<>(supportedProtocols); + List<String> allowedProtocols = new ArrayList<>(enabledProtocols); allowedProtocols.remove(SSLV3_PROTOCOL); socket.setEnabledProtocols(allowedProtocols.toArray(new String[allowedProtocols.size()])); } 
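Review bot: The three `removeSSLv3Support` overloads in this file now differ only in which getter and setter they call, and each repeats the same copy-and-remove body, which is exactly how the supported-versus-enabled slip fixed here could be made in one place and not another. A private helper that takes the enabled array and returns it without SSLv3 (or `null` when nothing changed) leaves each overload as a three-line call and keeps the policy in one spot. A one-line Javadoc on each overload stating that only the enabled set is narrowed and that no protocol is ever added would record the intent behind this commit for the next maintainer. The `SSLServerSocket` overload continues in the following hunk.
```java
    /** Returns {@code enabled} without SSLv3, or {@code null} when SSLv3 was not enabled; never adds a protocol. */
    private static String[] withoutSSLv3(final String[] enabled)
    {
        List<String> protocols = new ArrayList<>(Arrays.asList(enabled));
        return protocols.remove(SSLV3_PROTOCOL) ? protocols.toArray(new String[protocols.size()]) : null;
    }

    /** Narrows the engine's enabled protocols by removing SSLv3; no other protocol is changed. */
    public static void removeSSLv3Support(final SSLEngine engine)
    {
        String[] narrowed = withoutSSLv3(engine.getEnabledProtocols());
        if(narrowed != null)
        {
            engine.setEnabledProtocols(narrowed);
        }
    }

    // … unchanged: SSLSocket and SSLServerSocket overloads take the same shape …
```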
@@ -273,10 +273,10 @@ public class SSLUtil public static void removeSSLv3Support(final SSLServerSocket socket) { - List<String> supportedProtocols = Arrays.asList(socket.getSupportedProtocols()); - if(supportedProtocols.contains(SSLV3_PROTOCOL)) + List<String> enabledProtocols = Arrays.asList(socket.getEnabledProtocols()); + if(enabledProtocols.contains(SSLV3_PROTOCOL)) { - List<String> allowedProtocols = new ArrayList<>(supportedProtocols); + List<String> allowedProtocols = new ArrayList<>(enabledProtocols); allowedProtocols.remove(SSLV3_PROTOCOL); socket.setEnabledProtocols(allowedProtocols.toArray(new String[allowedProtocols.size()])); }
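Review bot: On the server side the pruning is applied to the `SSLServerSocket` alone, so it only protects accepted connections if they inherit the server socket's enabled protocol set; I believe they do in the JDK implementation, but the method's Javadoc should say so explicitly, e.g. `Narrows the enabled protocols of the listening socket; accepted sockets are expected to inherit this set.` Server sockets are also where the JDK is most likely to list the `SSLv2Hello` pseudo-protocol as enabled, and this method leaves it in place, which is defensible for client compatibility but should be a documented choice rather than an omission. As with the other overloads, a configuration where SSLv3 is the only enabled protocol ends up with an empty enabled set, presumably failing every handshake rather than falling back — confirm that is the intended failure mode.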