Author: rgodfrey
Date: Wed Dec 9 17:16:18 2015
New Revision: 1718918
URL: http://svn.apache.org/viewvc?rev=1718918&view=rev
Log:
QPID-6938 : disable support for TLSv1
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/NonBlockingConnectionTLSDelegate.java
qpid/java/trunk/broker-plugins/websocket/src/main/java/org/apache/qpid/server/transport/websocket/WebSocketProvider.java
qpid/java/trunk/common/src/main/java/org/apache/qpid/configuration/CommonProperties.java
qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java
qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/NonBlockingConnectionTLSDelegate.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/NonBlockingConnectionTLSDelegate.java?rev=1718918&r1=1718917&r2=1718918&view=diff
==============================================================================
---
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/NonBlockingConnectionTLSDelegate.java
(original)
+++
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/NonBlockingConnectionTLSDelegate.java
Wed Dec 9 17:16:18 2015
@@ -313,7 +313,7 @@ public class NonBlockingConnectionTLSDel
{
SSLEngine sslEngine = port.getSSLContext().createSSLEngine();
sslEngine.setUseClientMode(false);
- SSLUtil.removeSSLv3Support(sslEngine);
+ SSLUtil.updateProtocolSupport(sslEngine);
SSLUtil.updateEnabledCipherSuites(sslEngine,
port.getEnabledCipherSuites(), port.getDisabledCipherSuites());
if(port.getNeedClientAuth())
Modified:
qpid/java/trunk/broker-plugins/websocket/src/main/java/org/apache/qpid/server/transport/websocket/WebSocketProvider.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/websocket/src/main/java/org/apache/qpid/server/transport/websocket/WebSocketProvider.java?rev=1718918&r1=1718917&r2=1718918&view=diff
==============================================================================
---
qpid/java/trunk/broker-plugins/websocket/src/main/java/org/apache/qpid/server/transport/websocket/WebSocketProvider.java
(original)
+++
qpid/java/trunk/broker-plugins/websocket/src/main/java/org/apache/qpid/server/transport/websocket/WebSocketProvider.java
Wed Dec 9 17:16:18 2015
@@ -27,6 +27,7 @@ import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
@@ -121,6 +122,17 @@ class WebSocketProvider implements Accep
SslContextFactory factory = new SslContextFactory();
factory.setSslContext(_sslContext);
factory.addExcludeProtocols(SSLUtil.getExcludedSSlProtocols());
+
+ if(_port.getDisabledCipherSuites() != null)
+ {
+
factory.addExcludeCipherSuites(_port.getDisabledCipherSuites().toArray(new
String[_port.getDisabledCipherSuites().size()]));
+ }
+
+ if(_port.getEnabledCipherSuites() != null &&
!_port.getEnabledCipherSuites().isEmpty())
+ {
+
factory.setIncludeCipherSuites(_port.getEnabledCipherSuites().toArray(new
String[_port.getEnabledCipherSuites().size()]));
+ }
+
factory.setNeedClientAuth(_port.getNeedClientAuth());
factory.setWantClientAuth(_port.getWantClientAuth());
connector = new SslSelectChannelConnector(factory);
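Review bot: The WebSocket listener still only applies the exclusion list (`factory.addExcludeProtocols(SSLUtil.getExcludedSSlProtocols())` at the top of the hunk), whereas the SSLEngine paths in this same commit now also force-enable the `qpid.enabled_ssl_protocols` set via `SSLUtil.updateProtocolSupport`; the two transports can therefore end up with different protocol sets under the same configuration. Jetty's `SslContextFactory` exposes an include list alongside the exclude list, so the symmetric call would be `factory.setIncludeProtocols(SSLUtil.getEnabledSSlProtocols());` next to the existing exclude call (assuming that version of Jetty offers it, and noting that Jetty will only honour protocols the underlying engine supports). As a style point, `_port.getDisabledCipherSuites()` and `_port.getEnabledCipherSuites()` are each called three times in the new blocks; binding them once to a local `Collection<String>` and using `toArray(new String[0])` reads more clearly. The enclosing method begins before this hunk.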
Modified:
qpid/java/trunk/common/src/main/java/org/apache/qpid/configuration/CommonProperties.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/common/src/main/java/org/apache/qpid/configuration/CommonProperties.java?rev=1718918&r1=1718917&r2=1718918&view=diff
==============================================================================
---
qpid/java/trunk/common/src/main/java/org/apache/qpid/configuration/CommonProperties.java
(original)
+++
qpid/java/trunk/common/src/main/java/org/apache/qpid/configuration/CommonProperties.java
Wed Dec 9 17:16:18 2015
@@ -56,7 +56,11 @@ public class CommonProperties
public static final int HANDSHAKE_TIMEOUT_DEFAULT = 2;
public static final String DISABLED_SSL_PROTOCOLS =
"qpid.disabled_ssl_protocols";
- public static final String DISABLED_SSL_PROTOCOLS_DEFAULT = "SSLv3";
//temp removed "SSLv3,TLSv1";
+ public static final String DISABLED_SSL_PROTOCOLS_DEFAULT = "SSLv3,TLSv1";
+
+ public static final String ENABLED_SSL_PROTOCOLS =
"qpid.enabled_ssl_protocols";
+ public static final String ENABLED_SSL_PROTOCOLS_DEFAULT =
"TLSv1.1,TLSv1.2";
+
/** The name of the version properties file to load from the class path. */
public static final String VERSION_RESOURCE = "qpidversion.properties";
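Review bot: The new `ENABLED_SSL_PROTOCOLS` and `ENABLED_SSL_PROTOCOLS_DEFAULT` constants, and the changed `DISABLED_SSL_PROTOCOLS_DEFAULT`, carry no Javadoc even though the adjacent `VERSION_RESOURCE` does and these two keys now jointly decide which TLS versions a listener accepts. A two-line Javadoc on each would save operators reading `SSLUtil`: for the disabled key, `/** System property: comma-separated TLS/SSL protocol names removed from every engine's enabled set. */`, and for the enabled key, `/** System property: comma-separated TLS/SSL protocol names added to an engine's enabled set when the engine supports them. */`. It is also worth stating in the Javadoc that the default now rejects TLSv1, since that is a behavioural change for clients that only speak TLSv1.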
Modified:
qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java?rev=1718918&r1=1718917&r2=1718918&view=diff
==============================================================================
---
qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java
(original)
+++
qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java
Wed Dec 9 17:16:18 2015
@@ -101,7 +101,7 @@ public class SecurityLayerFactory
{
_engine = sslCtx.createSSLEngine();
_engine.setUseClientMode(true);
- SSLUtil.removeSSLv3Support(_engine);
+ SSLUtil.updateProtocolSupport(_engine);
}
catch(Exception e)
{
Modified:
qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java?rev=1718918&r1=1718917&r2=1718918&view=diff
==============================================================================
---
qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
(original)
+++
qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
Wed Dec 9 17:16:18 2015
@@ -485,26 +485,48 @@ public class SSLUtil
return property.split("\\s*,\\s*");
}
- public static void removeSSLv3Support(final SSLEngine engine)
+
+ public static String[] getEnabledSSlProtocols()
+ {
+ String property =
System.getProperty(CommonProperties.ENABLED_SSL_PROTOCOLS,
+
CommonProperties.ENABLED_SSL_PROTOCOLS_DEFAULT);
+ return property.split("\\s*,\\s*");
+ }
+
+ public static void updateProtocolSupport(final SSLEngine engine)
+ {
+ List<String> enabledProtocols = new
ArrayList<>(Arrays.asList(engine.getEnabledProtocols()));
+ String[] supportedProtocols = engine.getSupportedProtocols();
+ boolean modified = updateEnabledProtocols(enabledProtocols,
supportedProtocols);
+ if(modified)
+ {
+ engine.setEnabledProtocols(enabledProtocols.toArray(new
String[enabledProtocols.size()]));
+ }
+ }
+
+ public static boolean updateEnabledProtocols(final List<String>
enabledProtocols, final String[] supportedProtocols)
{
- List<String> allowedProtocols = new
ArrayList<>(Arrays.asList(engine.getEnabledProtocols()));
boolean modified = false;
for(String protocol : getExcludedSSlProtocols())
{
- if (allowedProtocols.contains(protocol))
+ if (enabledProtocols.contains(protocol))
{
- allowedProtocols.remove(protocol);
+ enabledProtocols.remove(protocol);
modified = true;
}
}
- if(modified)
+ for(String protocol : getEnabledSSlProtocols())
{
- engine.setEnabledProtocols(allowedProtocols.toArray(new
String[allowedProtocols.size()]));
+ if(!enabledProtocols.contains(protocol) &&
Arrays.asList(supportedProtocols).contains(protocol))
+ {
+ enabledProtocols.add(protocol);
+ modified = true;
+ }
}
+ return modified;
}
-
public static void updateEnabledCipherSuites(final SSLEngine engine,
final Collection<String>
enabledCipherSuites,
final Collection<String>
disabledCipherSuites)
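Review bot: In the new `updateEnabledProtocols`, the exclusion loop runs before the inclusion loop, so a protocol named in both `qpid.disabled_ssl_protocols` and `qpid.enabled_ssl_protocols` is removed and then added straight back, meaning the enabled list silently overrides an explicit disable. The disable list should win: look up the excluded set once and skip it in the add loop, which also lets `Arrays.asList(supportedProtocols)` be hoisted out of the loop instead of being rebuilt per protocol. A unit test with the two properties set to overlapping values would pin this, and the method is public so it is easy to test without an engine. The class continues past this hunk, and the `updateEnabledCipherSuites` signature at the bottom is cut off.
```java
public static boolean updateEnabledProtocols(final List<String> enabledProtocols, final String[] supportedProtocols)
{
    final List<String> excluded = Arrays.asList(getExcludedSSlProtocols());
    final List<String> supported = Arrays.asList(supportedProtocols);
    boolean modified = enabledProtocols.removeAll(excluded);
    for(String protocol : getEnabledSSlProtocols())
    {
        // an explicitly disabled protocol is never re-added, whatever the enabled list says
        if(!excluded.contains(protocol) && supported.contains(protocol) && !enabledProtocols.contains(protocol))
        {
            enabledProtocols.add(protocol);
            modified = true;
        }
    }
    return modified;
}
```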