Author: rgodfrey
Date: Wed Dec 9 15:42:37 2015
New Revision: 1718889
URL: http://svn.apache.org/viewvc?rev=1718889&view=rev
Log:
QPID-6938 : Disable TLSv1 support by default
Modified:
qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/transport/TCPandSSLTransportTest.java
qpid/java/trunk/common/src/main/java/org/apache/qpid/configuration/CommonProperties.java
qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
Modified:
qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/transport/TCPandSSLTransportTest.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/transport/TCPandSSLTransportTest.java?rev=1718889&r1=1718888&r2=1718889&view=diff
==============================================================================
---
qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/transport/TCPandSSLTransportTest.java
(original)
+++
qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/transport/TCPandSSLTransportTest.java
Wed Dec 9 15:42:37 2015
@@ -64,6 +64,34 @@ public class TCPandSSLTransportTest exte
}
+ public void testNoTLSv1SupportOnSharedPort() throws Exception
+ {
+ try
+ {
+ checkSSLExcluded("TLSv1", Transport.TCP, Transport.SSL);
+ fail("Should not be able to connect using SSLv3");
+ }
+ catch(SSLHandshakeException e)
+ {
+ // pass
+ }
+ }
+
+
+ public void testNoTLSv1SupportOnSSLOnlyPort() throws Exception
+ {
+ try
+ {
+ checkSSLExcluded("TLSv1", Transport.SSL);
+ fail("Should not be able to connect using SSLv3");
+ }
+ catch(SSLHandshakeException e)
+ {
+ // pass
+ }
+ }
+
+
public void testNoSSLv3SupportOnSharedPort() throws Exception
{
try
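Review bot: Both new tests exercise TLSv1 but their `fail` messages still read "Should not be able to connect using SSLv3" (the calls at `checkSSLExcluded("TLSv1", ...)` are followed by the SSLv3 text), so a regression would be reported against the wrong protocol; change both to `fail("Should not be able to connect using TLSv1");`. Swallowing `SSLHandshakeException` with only `// pass` matches the existing SSLv3 tests below, so that is acceptable here, though a one-word comment such as `// pass: handshake rejected as expected` would make the intent explicit. The enclosing test class continues outside this hunk.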
Modified:
qpid/java/trunk/common/src/main/java/org/apache/qpid/configuration/CommonProperties.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/common/src/main/java/org/apache/qpid/configuration/CommonProperties.java?rev=1718889&r1=1718888&r2=1718889&view=diff
==============================================================================
---
qpid/java/trunk/common/src/main/java/org/apache/qpid/configuration/CommonProperties.java
(original)
+++
qpid/java/trunk/common/src/main/java/org/apache/qpid/configuration/CommonProperties.java
Wed Dec 9 15:42:37 2015
@@ -55,6 +55,9 @@ public class CommonProperties
public static final String HANDSHAKE_TIMEOUT_PROP_NAME =
"qpid.handshake_timeout";
public static final int HANDSHAKE_TIMEOUT_DEFAULT = 2;
+ public static final String DISABLED_SSL_PROTOCOLS =
"qpid.disabled_ssl_protocols";
+ public static final String DISABLED_SSL_PROTOCOLS_DEFAULT = "SSLv3,TLSv1";
+
/** The name of the version properties file to load from the class path. */
public static final String VERSION_RESOURCE = "qpidversion.properties";
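Review bot: `DISABLED_SSL_PROTOCOLS` and `DISABLED_SSL_PROTOCOLS_DEFAULT` are public constants without Javadoc, while the neighbouring `VERSION_RESOURCE` is documented; nothing here tells a reader that the value is a comma-separated list of JSSE protocol names read from a system property and removed from the enabled set. Suggest `/** System property naming a comma-separated list of SSL/TLS protocol names that are removed from the enabled protocols; defaults to {@link #DISABLED_SSL_PROTOCOLS_DEFAULT}. */` on the property name, and a sentence on the default noting that it disables only SSLv3 and TLSv1, so an operator who wants to exclude further protocols must override the property rather than extend it.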
Modified:
qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java?rev=1718889&r1=1718888&r2=1718889&view=diff
==============================================================================
---
qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
(original)
+++
qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
Wed Dec 9 15:42:37 2015
@@ -70,6 +70,7 @@ import javax.xml.bind.DatatypeConverter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.apache.qpid.configuration.CommonProperties;
import org.apache.qpid.transport.TransportException;
public class SSLUtil
@@ -478,100 +479,54 @@ public class SSLUtil
return new BigInteger(num);
}
- private static interface SSLEntity
+ public static String[] getExcludedSSlProtocols()
{
- String[] getEnabledCipherSuites();
-
- void setEnabledCipherSuites(String[] strings);
-
- String[] getEnabledProtocols();
-
- void setEnabledProtocols(String[] protocols);
-
- String[] getSupportedCipherSuites();
-
- String[] getSupportedProtocols();
+ String property =
System.getProperty(CommonProperties.DISABLED_SSL_PROTOCOLS,
+
CommonProperties.DISABLED_SSL_PROTOCOLS_DEFAULT);
+ return property.split("\\s*,\\s*");
}
- private static SSLEntity asSSLEntity(final Object object, final Class<?>
clazz)
+ public static void removeSSLv3Support(final SSLEngine engine)
{
- return (SSLEntity)
Proxy.newProxyInstance(SSLEntity.class.getClassLoader(), new Class[] {
SSLEntity.class }, new InvocationHandler()
+ List<String> allowedProtocols = new
ArrayList<>(Arrays.asList(engine.getEnabledProtocols()));
+ boolean modified = false;
+ for(String protocol : getExcludedSSlProtocols())
{
- @Override
- public Object invoke(final Object proxy, final Method method,
final Object[] args) throws Throwable
+ if (allowedProtocols.contains(protocol))
{
- Method delegateMethod = clazz.getMethod(method.getName(),
method.getParameterTypes());
- return delegateMethod.invoke(object, args);
+ allowedProtocols.remove(protocol);
+ modified = true;
}
- }) ;
- }
-
- private static void removeSSLv3Support(final SSLEntity engine)
- {
- List<String> enabledProtocols =
Arrays.asList(engine.getEnabledProtocols());
- if(enabledProtocols.contains(SSLV3_PROTOCOL))
+ }
+ if(modified)
{
- List<String> allowedProtocols = new ArrayList<>(enabledProtocols);
- allowedProtocols.remove(SSLV3_PROTOCOL);
engine.setEnabledProtocols(allowedProtocols.toArray(new
String[allowedProtocols.size()]));
}
}
- public static void removeSSLv3Support(final SSLEngine engine)
- {
- removeSSLv3Support(asSSLEntity(engine, SSLEngine.class));
- }
- public static void removeSSLv3Support(final SSLSocket socket)
- {
- removeSSLv3Support(asSSLEntity(socket, SSLSocket.class));
- }
-
- public static void removeSSLv3Support(final SSLServerSocket socket)
- {
- removeSSLv3Support(asSSLEntity(socket, SSLServerSocket.class));
- }
- private static void updateEnabledCipherSuites(final SSLEntity entity,
- final Collection<String>
enabledCipherSuites,
- final Collection<String>
disabledCipherSuites)
+ public static void updateEnabledCipherSuites(final SSLEngine engine,
+ final Collection<String>
enabledCipherSuites,
+ final Collection<String>
disabledCipherSuites)
{
if(enabledCipherSuites != null && !enabledCipherSuites.isEmpty())
{
final Set<String> supportedSuites =
- new
HashSet<>(Arrays.asList(entity.getSupportedCipherSuites()));
+ new
HashSet<>(Arrays.asList(engine.getSupportedCipherSuites()));
supportedSuites.retainAll(enabledCipherSuites);
- entity.setEnabledCipherSuites(supportedSuites.toArray(new
String[supportedSuites.size()]));
+ engine.setEnabledCipherSuites(supportedSuites.toArray(new
String[supportedSuites.size()]));
}
if(disabledCipherSuites != null && !disabledCipherSuites.isEmpty())
{
- final Set<String> enabledSuites = new
HashSet<>(Arrays.asList(entity.getEnabledCipherSuites()));
+ final Set<String> enabledSuites = new
HashSet<>(Arrays.asList(engine.getEnabledCipherSuites()));
enabledSuites.removeAll(disabledCipherSuites);
- entity.setEnabledCipherSuites(enabledSuites.toArray(new
String[enabledSuites.size()]));
+ engine.setEnabledCipherSuites(enabledSuites.toArray(new
String[enabledSuites.size()]));
}
}
- public static void updateEnabledCipherSuites(final SSLEngine engine,
- final Collection<String>
enabledCipherSuites,
- final Collection<String>
disabledCipherSuites)
- {
- updateEnabledCipherSuites(asSSLEntity(engine, SSLEngine.class),
enabledCipherSuites, disabledCipherSuites);
- }
- public static void updateEnabledCipherSuites(final SSLServerSocket socket,
- final Collection<String>
enabledCipherSuites,
- final Collection<String>
disabledCipherSuites)
- {
- updateEnabledCipherSuites(asSSLEntity(socket, SSLServerSocket.class),
enabledCipherSuites, disabledCipherSuites);
- }
-
- public static void updateEnabledCipherSuites(final SSLSocket socket,
- final Collection<String>
enabledCipherSuites,
- final Collection<String>
disabledCipherSuites)
- {
- updateEnabledCipherSuites(asSSLEntity(socket, SSLSocket.class),
enabledCipherSuites, disabledCipherSuites);
- }
}
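Review bot: `removeSSLv3Support(SSLEngine)` now removes every protocol returned by `getExcludedSSlProtocols()` — TLSv1 by default, and anything an operator lists in `qpid.disabled_ssl_protocols` — so its name understates what it does and a caller will not expect TLSv1 to disappear; either rename it (keeping `removeSSLv3Support` as a delegating, `@Deprecated` alias) or add a Javadoc stating that the excluded set is taken from `CommonProperties.DISABLED_SSL_PROTOCOLS`. `getExcludedSSlProtocols` also has inconsistent casing (`SSl`) and neither trims the raw value nor drops empty tokens, so a value with surrounding whitespace or a trailing comma produces entries that match nothing and are silently ignored; `return property.trim().split("\\s*,\\s*");` plus `if (protocol.isEmpty()) { continue; }` at the top of the loop would close that gap. The `SSLSocket`/`SSLServerSocket` overloads of both methods are deleted along with the `SSLEntity` proxy; if any caller outside this file still uses them this will not compile, which the commit message does not mention.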