Author: orudyy
Date: Fri Feb 12 18:27:37 2016
New Revision: 1730088
URL: http://svn.apache.org/viewvc?rev=1730088&view=rev
Log:
QPID-7056: [Java Broker, Java Client] Improve TLS handling
* Respect order of TLS cipher suites
* remove enabled/disabled cipherSuites/protocol context variables in favour of
white/black list
* Support RegEx in TLS protocol/cipherSuite white/black lists
* unify the creation of SSLContext and try several protocols by default.
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/Broker.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/Port.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/port/AmqpPortImpl.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/NonBlockingConnectionTLSDelegate.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/util/ConnectionBuilder.java
qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/transport/TCPandSSLTransportTest.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java
qpid/java/trunk/broker-plugins/websocket/src/main/java/org/apache/qpid/server/transport/websocket/WebSocketProvider.java
qpid/java/trunk/common/src/main/java/org/apache/qpid/configuration/CommonProperties.java
qpid/java/trunk/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java
qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java
qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
qpid/java/trunk/common/src/test/java/org/apache/qpid/transport/network/security/ssl/SSLUtilTest.java
qpid/java/trunk/systests/src/main/java/org/apache/qpid/systest/rest/RestTestHelper.java
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/Broker.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/Broker.java?rev=1730088&r1=1730087&r2=1730088&view=diff
==============================================================================
---
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/Broker.java
(original)
+++
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/Broker.java
Fri Feb 12 18:27:37 2016
@@ -23,6 +23,7 @@ package org.apache.qpid.server.model;
import java.util.Collection;
import java.util.List;
+import org.apache.qpid.configuration.CommonProperties;
import org.apache.qpid.server.logging.EventLogger;
import org.apache.qpid.server.logging.EventLoggerProvider;
import org.apache.qpid.server.model.adapter.BrokerAdapter;
@@ -88,6 +89,18 @@ public interface Broker<X extends Broker
@ManagedContextDefault(name = BROKER_MSG_AUTH)
boolean DEFAULT_BROKER_MSG_AUTH = false;
+ @ManagedContextDefault(name =
CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST)
+ String DEFAULT_SECURITY_TLS_PROTOCOL_WHITE_LIST = "[\"TLSv1\\\\.[0-9]+\"]";
+
+ @ManagedContextDefault(name =
CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST)
+ String DEFAULT_SECURITY_TLS_PROTOCOL_BLACK_LIST = "[\"TLSv1\\\\.0\"]";
+
+ @ManagedContextDefault(name =
CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST)
+ String DEFAULT_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST = "[]";
+
+ @ManagedContextDefault(name =
CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST)
+ String DEFAULT_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST = "[]";
+
@DerivedAttribute
String getBuildVersion();
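Review bot: The default protocol black list `TLSv1\.0` cannot match anything JSSE reports, because the JDK names the TLS 1.0 protocol `TLSv1` (as the commit's own `TLS_PROTOCOL_PREFERENCES` in the SSLUtil hunk spells it), so exclusion of TLS 1.0 currently rests solely on the white list requiring `\.[0-9]+`. If the black list is meant to be the explicit guard, `String DEFAULT_SECURITY_TLS_PROTOCOL_BLACK_LIST = "[\"TLSv1(\\\\.0)?\"]";` covers both spellings; the same applies to `QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST_DEFAULT` in the CommonProperties hunk. Whether the filter uses full or partial regex matching is not visible here, but neither form matches `TLSv1` against `TLSv1\.0`.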
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/Port.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/Port.java?rev=1730088&r1=1730087&r2=1730088&view=diff
==============================================================================
---
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/Port.java
(original)
+++
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/Port.java
Fri Feb 12 18:27:37 2016
@@ -21,10 +21,13 @@
package org.apache.qpid.server.model;
import java.util.Collection;
+import java.util.List;
import java.util.Set;
import com.google.common.util.concurrent.ListenableFuture;
+import org.apache.qpid.configuration.CommonProperties;
+
@ManagedObject( description = Port.CLASS_DESCRIPTION )
public interface Port<X extends Port<X>> extends ConfiguredObject<X>
{
@@ -70,17 +73,11 @@ public interface Port<X extends Port<X>>
@ManagedAttribute
Collection<TrustStore> getTrustStores();
- @ManagedContextDefault(name = "qpid.port.enabledCipherSuites" )
- String DEFAULT_ENABLED_CIPHER_SUITES="[]";
-
- @ManagedAttribute( defaultValue = "${qpid.port.enabledCipherSuites}")
- Collection<String> getEnabledCipherSuites();
-
- @ManagedContextDefault(name = "qpid.port.disabledCipherSuites" )
- String DEFAULT_DISABLED_CIPHER_SUITES="[]";
+ @ManagedAttribute( defaultValue = "${" +
CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST + "}")
+ List<String> getCipherSuiteWhiteList();
- @ManagedAttribute( defaultValue = "${qpid.port.disabledCipherSuites}")
- Collection<String> getDisabledCipherSuites();
+ @ManagedAttribute( defaultValue = "${" +
CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST + "}")
+ List<String> getCipherSuiteBlackList();
Collection<Connection> getConnections();
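Review bot: Dropping `getEnabledCipherSuites`/`getDisabledCipherSuites` and the `qpid.port.*CipherSuites` context defaults changes the persisted port attribute names, and nothing in this commit maps a stored `enabledCipherSuites`/`disabledCipherSuites` value onto the new attributes; if broker configuration is persisted by attribute name, existing configs silently lose their cipher-suite restrictions unless an upgrader is added. The new attributes also carry no description, so a reader cannot tell that entries are regular expressions or that white-list order defines preference; a `description` on each `@ManagedAttribute` stating both would make that explicit.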
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java?rev=1730088&r1=1730087&r2=1730088&view=diff
==============================================================================
---
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java
(original)
+++
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java
Fri Feb 12 18:27:37 2016
@@ -24,6 +24,7 @@ package org.apache.qpid.server.model.por
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
+import java.util.List;
import java.util.Map;
import java.util.Set;
@@ -72,9 +73,9 @@ abstract public class AbstractPort<X ext
private Set<Protocol> _protocols;
@ManagedAttributeField
- private Collection<String> _enabledCipherSuites;
+ private List<String> _cipherSuiteWhiteList;
@ManagedAttributeField
- private Collection<String> _disabledCipherSuites;
+ private List<String> _cipherSuiteBlackList;
public AbstractPort(Map<String, Object> attributes,
Broker<?> broker)
@@ -269,15 +270,15 @@ abstract public class AbstractPort<X ext
}
@Override
- public Collection<String> getEnabledCipherSuites()
+ public List<String> getCipherSuiteWhiteList()
{
- return _enabledCipherSuites;
+ return _cipherSuiteWhiteList;
}
@Override
- public Collection<String> getDisabledCipherSuites()
+ public List<String> getCipherSuiteBlackList()
{
- return _disabledCipherSuites;
+ return _cipherSuiteBlackList;
}
@Override
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/port/AmqpPortImpl.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/port/AmqpPortImpl.java?rev=1730088&r1=1730087&r2=1730088&view=diff
==============================================================================
---
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/port/AmqpPortImpl.java
(original)
+++
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/port/AmqpPortImpl.java
Fri Feb 12 18:27:37 2016
@@ -74,6 +74,7 @@ import org.apache.qpid.server.transport.
import org.apache.qpid.server.util.PortUtil;
import org.apache.qpid.server.util.ServerScopedRuntimeException;
import org.apache.qpid.transport.network.security.ssl.QpidMultipleTrustManager;
+import org.apache.qpid.transport.network.security.ssl.SSLUtil;
public class AmqpPortImpl extends
AbstractClientAuthCapablePortWithAuthProvider<AmqpPortImpl> implements
AmqpPort<AmqpPortImpl>
{
@@ -384,7 +385,7 @@ public class AmqpPortImpl extends Abstra
try
{
- SSLContext sslContext = SSLContext.getInstance("TLS");
+ SSLContext sslContext = SSLUtil.tryGetSSLContext();
KeyManager[] keyManagers = keyStore.getKeyManagers();
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java?rev=1730088&r1=1730087&r2=1730088&view=diff
==============================================================================
---
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java
(original)
+++
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java
Fri Feb 12 18:27:37 2016
@@ -65,6 +65,7 @@ import org.apache.qpid.server.model.Stat
import org.apache.qpid.server.model.TrustStore;
import org.apache.qpid.server.model.VirtualHost;
import
org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager;
+import org.apache.qpid.transport.network.security.ssl.SSLUtil;
import org.apache.qpid.transport.util.Functions;
@ManagedObject( category = false )
@@ -218,7 +219,7 @@ public class SiteSpecificTrustStoreImpl
{
URL url = new URL(getSiteUrl());
- SSLContext sslContext = SSLContext.getInstance("TLS");
+ SSLContext sslContext = SSLUtil.tryGetSSLContext();
sslContext.init(new KeyManager[0], new TrustManager[] {new
AlwaysTrustManager()}, null);
try(SSLSocket socket = (SSLSocket)
sslContext.getSocketFactory().createSocket(url.getHost(), url.getPort()))
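Review bot: The outbound socket created here still negotiates whatever the context enables by default, because the new protocol and cipher-suite white/black lists are applied only to `SSLEngine`s (NonBlockingConnectionTLSDelegate, SecurityLayerFactory) and to Jetty; the sockets built in the SimpleLDAPAuthenticationManagerImpl and ConnectionBuilder hunks have the same gap. Since `tryGetSSLContext` prefers a `TLSv1.2` context, the JDK's default enabled set for that context may still include TLSv1, so a broker-wide black list does not govern these connections. Before the handshake, `socket.setEnabledProtocols(SSLUtil.filterEnabledProtocols(socket.getEnabledProtocols(), socket.getSupportedProtocols(), tlsProtocolWhiteList, tlsProtocolBlackList));` with the lists fetched via `getContextValue` as HttpManagement does would close it; ConnectionBuilder may need the lists passed in if it is not a configured object. The enclosing method starts and ends outside the hunk.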
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java?rev=1730088&r1=1730087&r2=1730088&view=diff
==============================================================================
---
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java
(original)
+++
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java
Fri Feb 12 18:27:37 2016
@@ -41,6 +41,7 @@ import javax.naming.directory.SearchCont
import javax.naming.directory.SearchResult;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
@@ -66,7 +67,7 @@ import org.apache.qpid.server.security.a
import org.apache.qpid.server.security.auth.sasl.plain.PlainPasswordCallback;
import org.apache.qpid.server.security.auth.sasl.plain.PlainSaslServer;
import org.apache.qpid.server.util.StringUtil;
-import org.apache.qpid.ssl.SSLContextFactory;
+import org.apache.qpid.transport.network.security.ssl.SSLUtil;
public class SimpleLDAPAuthenticationManagerImpl extends
AbstractAuthenticationManager<SimpleLDAPAuthenticationManagerImpl>
implements
SimpleLDAPAuthenticationManager<SimpleLDAPAuthenticationManagerImpl>
@@ -352,7 +353,7 @@ public class SimpleLDAPAuthenticationMan
}
/**
- * If a trust store has been specified, create a {@link SSLContextFactory}
class that is
+ * If a trust store has been specified, create a {@link SSLSocketFactory}
class that is
* associated with the {@link SSLContext} generated from that trust store.
*
* @return generated socket factory class
@@ -364,7 +365,7 @@ public class SimpleLDAPAuthenticationMan
SSLContext sslContext = null;
try
{
- sslContext = SSLContext.getInstance("TLS");
+ sslContext = SSLUtil.tryGetSSLContext();
sslContext.init(null, trustStore.getTrustManagers(), null);
}
catch (GeneralSecurityException e)
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/NonBlockingConnectionTLSDelegate.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/NonBlockingConnectionTLSDelegate.java?rev=1730088&r1=1730087&r2=1730088&view=diff
==============================================================================
---
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/NonBlockingConnectionTLSDelegate.java
(original)
+++
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/NonBlockingConnectionTLSDelegate.java
Fri Feb 12 18:27:37 2016
@@ -20,7 +20,9 @@
package org.apache.qpid.server.transport;
import org.apache.qpid.bytebuffer.QpidByteBuffer;
+import org.apache.qpid.configuration.CommonProperties;
import org.apache.qpid.server.model.port.AmqpPort;
+import org.apache.qpid.server.util.ParameterizedTypes;
import org.apache.qpid.server.util.ServerScopedRuntimeException;
import org.apache.qpid.transport.network.security.ssl.SSLUtil;
import org.slf4j.Logger;
@@ -313,12 +315,16 @@ public class NonBlockingConnectionTLSDel
}
}
- private SSLEngine createSSLEngine(AmqpPort port)
+ private SSLEngine createSSLEngine(AmqpPort<?> port)
{
SSLEngine sslEngine = port.getSSLContext().createSSLEngine();
sslEngine.setUseClientMode(false);
- SSLUtil.updateProtocolSupport(sslEngine);
- SSLUtil.updateEnabledCipherSuites(sslEngine,
port.getEnabledCipherSuites(), port.getDisabledCipherSuites());
+ final List<String> tlsProtocolWhiteList = (List<String>)
port.getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS,
+
CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST);
+ final List<String> tlsProtocolBlackList = (List<String>)
port.getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS,
+
CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST);
+ SSLUtil.updateEnabledTlsProtocols(sslEngine, tlsProtocolWhiteList,
tlsProtocolBlackList);
+ SSLUtil.updateEnabledCipherSuites(sslEngine,
port.getCipherSuiteWhiteList(), port.getCipherSuiteBlackList());
if(port.getNeedClientAuth())
{
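Review bot: The `(List<String>)` casts on the two `getContextValue` calls are absent from the identical calls in the HttpManagement and WebSocketProvider hunks, which assign the same expression to `List<String>` without a cast, so either the cast is redundant here or those sites rely on an unchecked conversion. If `getContextValue` infers its return from the `Class<T>` argument, `final List<String> tlsProtocolWhiteList = port.getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST);` is enough; otherwise keep the cast and annotate the smallest scope with `@SuppressWarnings("unchecked")` plus a comment naming why it is safe. `createSSLEngine` continues past the hunk.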
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/util/ConnectionBuilder.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/util/ConnectionBuilder.java?rev=1730088&r1=1730087&r2=1730088&view=diff
==============================================================================
---
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/util/ConnectionBuilder.java
(original)
+++
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/util/ConnectionBuilder.java
Fri Feb 12 18:27:37 2016
@@ -118,7 +118,7 @@ public class ConnectionBuilder
final SSLContext sslContext;
try
{
- sslContext = SSLContext.getInstance("TLS");
+ sslContext = SSLUtil.tryGetSSLContext();
sslContext.init(null, _trustMangers, null);
}
catch (GeneralSecurityException e)
Modified:
qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/transport/TCPandSSLTransportTest.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/transport/TCPandSSLTransportTest.java?rev=1730088&r1=1730087&r2=1730088&view=diff
==============================================================================
---
qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/transport/TCPandSSLTransportTest.java
(original)
+++
qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/transport/TCPandSSLTransportTest.java
Fri Feb 12 18:27:37 2016
@@ -30,6 +30,7 @@ import java.net.SocketAddress;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.HashSet;
+import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
@@ -38,12 +39,17 @@ import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import javax.xml.bind.DatatypeConverter;
+import com.fasterxml.jackson.databind.JavaType;
+import com.fasterxml.jackson.databind.ObjectMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.apache.qpid.configuration.CommonProperties;
+import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.Protocol;
import org.apache.qpid.server.model.Transport;
import org.apache.qpid.server.model.port.AmqpPort;
+import org.apache.qpid.server.util.ParameterizedTypes;
import org.apache.qpid.test.utils.QpidTestCase;
public class TCPandSSLTransportTest extends QpidTestCase
@@ -146,6 +152,12 @@ public class TCPandSSLTransportTest exte
when(port.getContextValue(Long.class,
AmqpPort.PORT_AMQP_THREAD_POOL_KEEP_ALIVE_TIMEOUT)).thenReturn(1l);
when(port.getContextValue(Long.class,
AmqpPort.PORT_AMQP_OUTBOUND_MESSAGE_BUFFER_SIZE)).thenReturn(AmqpPort.DEFAULT_PORT_AMQP_OUTBOUND_MESSAGE_BUFFER_SIZE);
when(port.getContextValue(Integer.class,
AmqpPort.PORT_AMQP_ACCEPT_BACKLOG)).thenReturn(AmqpPort.DEFAULT_PORT_AMQP_ACCEPT_BACKLOG);
+ ObjectMapper mapper = new ObjectMapper();
+ JavaType type =
mapper.getTypeFactory().constructCollectionType(List.class, String.class);
+ List<String> whiteList =
mapper.readValue(Broker.DEFAULT_SECURITY_TLS_PROTOCOL_WHITE_LIST, type);
+ List<String> blackList =
mapper.readValue(Broker.DEFAULT_SECURITY_TLS_PROTOCOL_BLACK_LIST, type);
+ when(port.getContextValue(List.class,
ParameterizedTypes.LIST_OF_STRINGS,
CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST)).thenReturn(blackList);
+ when(port.getContextValue(List.class,
ParameterizedTypes.LIST_OF_STRINGS,
CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST)).thenReturn(whiteList);
TCPandSSLTransport transport = new TCPandSSLTransport(new
HashSet<>(Arrays.asList(transports)),
port,
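Review bot: `port.getCipherSuiteWhiteList()` and `port.getCipherSuiteBlackList()` are not stubbed while the protocol lists are, so if `port` is a Mockito mock as the `when(...)` calls suggest, the engine set-up receives `null` for both cipher-suite lists and the test exercises the null handling of `SSLUtil.updateEnabledCipherSuites` rather than the shipped defaults. Stubbing them alongside the protocol lists, e.g. `when(port.getCipherSuiteWhiteList()).thenReturn(Collections.<String>emptyList());` and the same for the black list, keeps the test aligned with the Broker defaults. The method continues outside the hunk.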
Modified:
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java?rev=1730088&r1=1730087&r2=1730088&view=diff
==============================================================================
---
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java
(original)
+++
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java
Fri Feb 12 18:27:37 2016
@@ -45,6 +45,7 @@ import javax.servlet.http.HttpServletReq
import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
+import org.apache.qpid.configuration.CommonProperties;
import org.apache.qpid.server.management.plugin.filter.ExceptionHandlingFilter;
import org.eclipse.jetty.io.EndPoint;
import org.eclipse.jetty.server.Connector;
@@ -90,6 +91,7 @@ import org.apache.qpid.server.model.*;
import org.apache.qpid.server.model.adapter.AbstractPluginAdapter;
import org.apache.qpid.server.model.port.HttpPort;
import org.apache.qpid.server.model.port.PortManager;
+import org.apache.qpid.server.util.ParameterizedTypes;
import org.apache.qpid.server.util.ServerScopedRuntimeException;
import org.apache.qpid.transport.network.security.ssl.QpidMultipleTrustManager;
import org.apache.qpid.transport.network.security.ssl.SSLUtil;
@@ -386,28 +388,25 @@ public class HttpManagement extends Abst
{
throw new IllegalConfigurationException("Key store is not
configured. Cannot start management on HTTPS port without keystore");
}
+ final List<String> tlsProtocolWhiteList = getContextValue(List.class,
ParameterizedTypes.LIST_OF_STRINGS,
CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST);
+ final List<String> tlsProtocolBlackList = getContextValue(List.class,
ParameterizedTypes.LIST_OF_STRINGS,
CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST);
SslContextFactory factory = new SslContextFactory()
{
+ @Override
public String[]
selectProtocols(String[] enabledProtocols, String[] supportedProtocols)
{
- List<String> selectedProtocols =
new ArrayList<>(Arrays.asList(enabledProtocols));
-
SSLUtil.updateEnabledProtocols(selectedProtocols, supportedProtocols);
-
- return
selectedProtocols.toArray(new String[selectedProtocols.size()]);
+ return
SSLUtil.filterEnabledProtocols(enabledProtocols, supportedProtocols,
+
tlsProtocolWhiteList, tlsProtocolBlackList);
}
+ @Override
+ public String[]
selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
+ {
+ return
SSLUtil.filterEnabledCipherSuites(enabledCipherSuites, supportedCipherSuites,
+
port.getCipherSuiteWhiteList(), port.getCipherSuiteBlackList());
+ }
};
- if(port.getDisabledCipherSuites() != null)
- {
-
factory.addExcludeCipherSuites(port.getDisabledCipherSuites().toArray(new
String[port.getDisabledCipherSuites().size()]));
- }
-
- if(port.getEnabledCipherSuites() != null &&
!port.getEnabledCipherSuites().isEmpty())
- {
-
factory.setIncludeCipherSuites(port.getEnabledCipherSuites().toArray(new
String[port.getEnabledCipherSuites().size()]));
- }
-
boolean needClientCert = port.getNeedClientAuth() ||
port.getWantClientAuth();
if (needClientCert && trustStores.isEmpty())
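Review bot: The protocol white/black lists are resolved with `getContextValue` on the HttpManagement plugin itself, whereas the NonBlockingConnectionTLSDelegate and WebSocketProvider hunks resolve them on the port; a context override set on an HTTPS port would therefore be ignored here while the cipher-suite lists on the same factory are port attributes. `port` is already in scope for the cipher-suite lists, so `final List<String> tlsProtocolWhiteList = port.getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST);` and the same for the black list would match the other sites, assuming `HttpPort` exposes the same `getContextValue` overload that `AmqpPort` does. The protocol lists are also captured once at factory creation while the cipher-suite lists are re-read on every `selectCipherSuites` call; if that asymmetry is intended it deserves a comment. The enclosing method starts and ends outside the hunk.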
@@ -418,7 +417,7 @@ public class HttpManagement extends Abst
try
{
- SSLContext sslContext = SSLContext.getInstance("TLS");
+ SSLContext sslContext = SSLUtil.tryGetSSLContext();
KeyManager[] keyManagers = keyStore.getKeyManagers();
TrustManager[] trustManagers;
Modified:
qpid/java/trunk/broker-plugins/websocket/src/main/java/org/apache/qpid/server/transport/websocket/WebSocketProvider.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/websocket/src/main/java/org/apache/qpid/server/transport/websocket/WebSocketProvider.java?rev=1730088&r1=1730087&r2=1730088&view=diff
==============================================================================
---
qpid/java/trunk/broker-plugins/websocket/src/main/java/org/apache/qpid/server/transport/websocket/WebSocketProvider.java
(original)
+++
qpid/java/trunk/broker-plugins/websocket/src/main/java/org/apache/qpid/server/transport/websocket/WebSocketProvider.java
Fri Feb 12 18:27:37 2016
@@ -27,7 +27,6 @@ import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
-import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
@@ -54,6 +53,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.apache.qpid.bytebuffer.QpidByteBuffer;
+import org.apache.qpid.configuration.CommonProperties;
import org.apache.qpid.server.transport.MultiVersionProtocolEngine;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.Protocol;
@@ -64,6 +64,7 @@ import org.apache.qpid.server.transport.
import org.apache.qpid.server.transport.ProtocolEngine;
import org.apache.qpid.server.transport.ServerNetworkConnection;
import org.apache.qpid.server.util.Action;
+import org.apache.qpid.server.util.ParameterizedTypes;
import org.apache.qpid.server.util.ServerScopedRuntimeException;
import org.apache.qpid.transport.ByteBufferSender;
import org.apache.qpid.transport.network.security.ssl.SSLUtil;
@@ -119,29 +120,25 @@ class WebSocketProvider implements Accep
}
else if (_transport == Transport.WSS)
{
+ final List<String> tlsProtocolWhiteList =
_port.getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS,
CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST);
+ final List<String> tlsProtocolBlackList =
_port.getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS,
CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST);
SslContextFactory factory = new SslContextFactory()
{
+ @Override
public String[]
selectProtocols(String[] enabledProtocols, String[] supportedProtocols)
{
- List<String> selectedProtocols
= new ArrayList<>(Arrays.asList(enabledProtocols));
-
SSLUtil.updateEnabledProtocols(selectedProtocols, supportedProtocols);
-
- return
selectedProtocols.toArray(new String[selectedProtocols.size()]);
+ return
SSLUtil.filterEnabledProtocols(enabledProtocols, supportedProtocols,
tlsProtocolWhiteList, tlsProtocolBlackList);
}
+ @Override
+ public String[]
selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
+ {
+ return
SSLUtil.filterEnabledCipherSuites(enabledCipherSuites, supportedCipherSuites,
+
_port.getCipherSuiteWhiteList(), _port.getCipherSuiteBlackList());
+ }
};
factory.setSslContext(_sslContext);
- if(_port.getDisabledCipherSuites() != null)
- {
-
factory.addExcludeCipherSuites(_port.getDisabledCipherSuites().toArray(new
String[_port.getDisabledCipherSuites().size()]));
- }
-
- if(_port.getEnabledCipherSuites() != null &&
!_port.getEnabledCipherSuites().isEmpty())
- {
-
factory.setIncludeCipherSuites(_port.getEnabledCipherSuites().toArray(new
String[_port.getEnabledCipherSuites().size()]));
- }
-
factory.setNeedClientAuth(_port.getNeedClientAuth());
factory.setWantClientAuth(_port.getWantClientAuth());
connector = new SslSelectChannelConnector(factory);
Modified:
qpid/java/trunk/common/src/main/java/org/apache/qpid/configuration/CommonProperties.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/common/src/main/java/org/apache/qpid/configuration/CommonProperties.java?rev=1730088&r1=1730087&r2=1730088&view=diff
==============================================================================
---
qpid/java/trunk/common/src/main/java/org/apache/qpid/configuration/CommonProperties.java
(original)
+++
qpid/java/trunk/common/src/main/java/org/apache/qpid/configuration/CommonProperties.java
Fri Feb 12 18:27:37 2016
@@ -55,12 +55,15 @@ public class CommonProperties
public static final String HANDSHAKE_TIMEOUT_PROP_NAME =
"qpid.handshake_timeout";
public static final int HANDSHAKE_TIMEOUT_DEFAULT = 2;
- public static final String DISABLED_SSL_PROTOCOLS =
"qpid.disabled_ssl_protocols";
- public static final String DISABLED_SSL_PROTOCOLS_DEFAULT = "SSLv3,TLSv1";
-
- public static final String ENABLED_SSL_PROTOCOLS =
"qpid.enabled_ssl_protocols";
- public static final String ENABLED_SSL_PROTOCOLS_DEFAULT =
"TLSv1.1,TLSv1.2";
+ public static final String QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST =
"qpid.security.tls.protocolWhiteList";
+ public static final String QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST_DEFAULT =
"TLSv1\\.[0-9]+";
+ public static final String QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST =
"qpid.security.tls.protocolBlackList";
+ public static final String QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST_DEFAULT =
"TLSv1\\.0";
+ public static final String QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST =
"qpid.security.tls.cipherSuiteWhiteList";
+ public static final String
QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST_DEFAULT = "";
+ public static final String QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST =
"qpid.security.tls.cipherSuiteBlackList";
+ public static final String
QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST_DEFAULT = "";
/** The name of the version properties file to load from the class path. */
public static final String VERSION_RESOURCE = "qpidversion.properties";
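Review bot: The four new property names and their defaults have no Javadoc, unlike `VERSION_RESOURCE` just below them, so a reader cannot tell from this file that the values are comma-separated regular expressions (which is how `SecurityLayerFactory.getSystemPropertyAsList` splits them) or that the list order matters. A short comment above each name pair, e.g. `/** Comma-separated regular expressions matched against TLS protocol names; see SSLUtil.filterEnabledProtocols for how white and black lists combine. */` above `QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST`, would make the contract visible where the names are defined.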
Modified:
qpid/java/trunk/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java?rev=1730088&r1=1730087&r2=1730088&view=diff
==============================================================================
---
qpid/java/trunk/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java
(original)
+++
qpid/java/trunk/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java
Fri Feb 12 18:27:37 2016
@@ -42,8 +42,6 @@ import java.security.NoSuchAlgorithmExce
*/
public class SSLContextFactory
{
- public static final String TRANSPORT_LAYER_SECURITY_CODE = "TLS";
-
private SSLContextFactory()
{
//no instances
@@ -53,8 +51,7 @@ public class SSLContextFactory
throws NoSuchAlgorithmException, KeyManagementException
{
// Initialize the SSLContext to work with our key managers.
- final SSLContext sslContext = SSLContext
- .getInstance(TRANSPORT_LAYER_SECURITY_CODE);
+ final SSLContext sslContext = SSLUtil.tryGetSSLContext();
sslContext.init(keyManagers, trustManagers, null);
Modified:
qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java?rev=1730088&r1=1730087&r2=1730088&view=diff
==============================================================================
---
qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java
(original)
+++
qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java
Fri Feb 12 18:27:37 2016
@@ -20,11 +20,16 @@
*/
package org.apache.qpid.transport.network.security;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
+import org.apache.qpid.configuration.CommonProperties;
import org.apache.qpid.ssl.SSLContextFactory;
import org.apache.qpid.transport.ByteBufferSender;
import org.apache.qpid.transport.ConnectionSettings;
@@ -97,11 +102,24 @@ public class SecurityLayerFactory
_hostname = settings.getHost();
}
+ List<String> protocolWhiteList =
+
getSystemPropertyAsList(CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST,
+
CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST_DEFAULT);
+ List<String> protocolBlackList =
+
getSystemPropertyAsList(CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST,
+
CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST_DEFAULT);
+ List<String> cipherSuiteWhiteList =
+
getSystemPropertyAsList(CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST,
+
CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST_DEFAULT);
+ List<String> cipherSuiteBlackList =
+
getSystemPropertyAsList(CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST,
+
CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST_DEFAULT);
try
{
_engine = sslCtx.createSSLEngine();
_engine.setUseClientMode(true);
- SSLUtil.updateProtocolSupport(_engine);
+ SSLUtil.updateEnabledTlsProtocols(_engine, protocolWhiteList,
protocolBlackList);
+ SSLUtil.updateEnabledCipherSuites(_engine,
cipherSuiteWhiteList, cipherSuiteBlackList);
}
catch(Exception e)
{
@@ -110,6 +128,17 @@ public class SecurityLayerFactory
}
+ private List<String> getSystemPropertyAsList(final String
propertyName, final String defaultValue)
+ {
+ String listAsString = System.getProperty(propertyName,
defaultValue);
+ List<String> listOfStrings = Collections.emptyList();
+ if(listAsString != null && !"".equals(listAsString))
+ {
+ listOfStrings = Arrays.asList(listAsString.split("\\s*,\\s*"));
+ }
+ return listOfStrings;
+ }
+
public ByteBufferSender sender(ByteBufferSender delegate)
{
SSLSender sender = new SSLSender(_engine, _layer.sender(delegate),
_sslStatus);
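Review bot: A whitespace-only property value passes the `!"".equals(listAsString)` guard in `getSystemPropertyAsList` and yields a one-element list holding a blank regular expression, which as a white list presumably matches no protocol or cipher suite and would leave the engine with nothing enabled; splitting on `\s*,\s*` also leaves leading and trailing whitespace on the first and last entries. Trimming first, `if (listAsString != null && !listAsString.trim().isEmpty()) { listOfStrings = Arrays.asList(listAsString.trim().split("\\s*,\\s*")); }`, avoids both. The method reads no instance state and could be `static`, and because regex quantifiers such as `{1,2}` contain commas, the comma separator limits which patterns the system property can express—worth stating in a Javadoc comment on the method.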
Modified:
qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java?rev=1730088&r1=1730087&r2=1730088&view=diff
==============================================================================
---
qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
(original)
+++
qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
Fri Feb 12 18:27:37 2016
@@ -27,9 +27,6 @@ import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringReader;
-import java.lang.reflect.InvocationHandler;
-import java.lang.reflect.Method;
-import java.lang.reflect.Proxy;
import java.math.BigInteger;
import java.net.URL;
import java.nio.BufferUnderflowException;
@@ -51,26 +48,23 @@ import java.security.spec.PKCS8EncodedKe
import java.security.spec.RSAPrivateCrtKeySpec;
import java.util.ArrayList;
import java.util.Arrays;
-import java.util.Collection;
-import java.util.HashSet;
+import java.util.Iterator;
import java.util.List;
-import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
+import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
-import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.xml.bind.DatatypeConverter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import org.apache.qpid.configuration.CommonProperties;
import org.apache.qpid.transport.TransportException;
public class SSLUtil
@@ -78,6 +72,7 @@ public class SSLUtil
private static final Logger LOGGER =
LoggerFactory.getLogger(SSLUtil.class);
private static final Integer DNS_NAME_TYPE = 2;
+ public static final String[] TLS_PROTOCOL_PREFERENCES = new
String[]{"TLSv1.2", "TLSv1.1", "TLS", "TLSv1"};
private SSLUtil()
{
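Review bot: `TLS_PROTOCOL_PREFERENCES` is declared `public static final String[]`, and a final reference to an array does not make its elements immutable: any code with access to the field can reorder or overwrite the entries and thereby change which protocol `tryGetSSLContext()` selects for every later caller. Within this commit the only visible use is the no-arg `tryGetSSLContext()`; if no external caller needs the field, make it `private static final`, otherwise expose a defensive copy (`TLS_PROTOCOL_PREFERENCES.clone()`) or an unmodifiable `List<String>` rather than the raw array.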
@@ -478,111 +473,134 @@ public class SSLUtil
return new BigInteger(num);
}
- public static String[] getExcludedSSlProtocols()
- {
- String property =
System.getProperty(CommonProperties.DISABLED_SSL_PROTOCOLS,
-
CommonProperties.DISABLED_SSL_PROTOCOLS_DEFAULT);
- return property.split("\\s*,\\s*");
+ public static void updateEnabledTlsProtocols(final SSLEngine engine,
+ final List<String>
protocolWhiteList,
+ final List<String>
protocolBlackList)
+ {
+ String[] filteredProtocols =
filterEnabledProtocols(engine.getEnabledProtocols(),
+
engine.getSupportedProtocols(),
+ protocolWhiteList,
+ protocolBlackList);
+ engine.setEnabledProtocols(filteredProtocols);
}
-
- public static String[] getEnabledSSlProtocols()
+ public static void updateEnabledTlsProtocols(final SSLSocket socket,
+ final List<String>
protocolWhiteList,
+ final List<String>
protocolBlackList)
{
- String property =
System.getProperty(CommonProperties.ENABLED_SSL_PROTOCOLS,
-
CommonProperties.ENABLED_SSL_PROTOCOLS_DEFAULT);
- return property.split("\\s*,\\s*");
+ String[] filteredProtocols =
filterEnabledProtocols(socket.getEnabledProtocols(),
+
socket.getSupportedProtocols(),
+ protocolWhiteList,
+ protocolBlackList);
+ socket.setEnabledProtocols(filteredProtocols);
}
- public static void updateProtocolSupport(final SSLEngine engine)
+ public static String[] filterEnabledProtocols(final String[]
enabledProtocols,
+ final String[]
supportedProtocols,
+ final List<String>
protocolWhiteList,
+ final List<String>
protocolBlackList)
{
- List<String> enabledProtocols = new
ArrayList<>(Arrays.asList(engine.getEnabledProtocols()));
- String[] supportedProtocols = engine.getSupportedProtocols();
- boolean modified = updateEnabledProtocols(enabledProtocols,
supportedProtocols);
- if(modified)
- {
- engine.setEnabledProtocols(enabledProtocols.toArray(new
String[enabledProtocols.size()]));
- }
+ return filterEntries(enabledProtocols, supportedProtocols,
protocolWhiteList, protocolBlackList);
}
- public static boolean updateEnabledProtocols(final List<String>
enabledProtocols, final String[] supportedProtocols)
+ public static String[] filterEnabledCipherSuites(final String[]
enabledCipherSuites,
+ final String[]
supportedCipherSuites,
+ final List<String>
cipherSuiteWhiteList,
+ final List<String>
cipherSuiteBlackList)
{
- boolean modified = false;
- for(String protocol : getExcludedSSlProtocols())
- {
- if (enabledProtocols.contains(protocol))
- {
- enabledProtocols.remove(protocol);
- modified = true;
- }
- }
- for(String protocol : getEnabledSSlProtocols())
- {
- if(!enabledProtocols.contains(protocol) &&
Arrays.asList(supportedProtocols).contains(protocol))
- {
- enabledProtocols.add(protocol);
- modified = true;
- }
- }
- return modified;
+ return filterEntries(enabledCipherSuites, supportedCipherSuites,
cipherSuiteWhiteList, cipherSuiteBlackList);
}
public static void updateEnabledCipherSuites(final SSLEngine engine,
- final Collection<String>
enabledCipherSuites,
- final Collection<String>
disabledCipherSuites)
+ final List<String>
cipherSuitesWhiteList,
+ final List<String>
cipherSuitesBlackList)
{
- if(enabledCipherSuites != null && !enabledCipherSuites.isEmpty())
- {
- final Set<String> supportedSuites =
- new
HashSet<>(Arrays.asList(engine.getSupportedCipherSuites()));
- supportedSuites.retainAll(enabledCipherSuites);
- engine.setEnabledCipherSuites(supportedSuites.toArray(new
String[supportedSuites.size()]));
- }
-
- if(disabledCipherSuites != null && !disabledCipherSuites.isEmpty())
- {
- final Set<String> enabledSuites = new
HashSet<>(Arrays.asList(engine.getEnabledCipherSuites()));
- enabledSuites.removeAll(disabledCipherSuites);
- engine.setEnabledCipherSuites(enabledSuites.toArray(new
String[enabledSuites.size()]));
- }
-
+ String[] filteredCipherSuites =
filterEntries(engine.getEnabledCipherSuites(),
+
engine.getSupportedCipherSuites(),
+ cipherSuitesWhiteList,
+ cipherSuitesBlackList);
+ engine.setEnabledCipherSuites(filteredCipherSuites);
}
public static void updateEnabledCipherSuites(final SSLSocket socket,
- final List<String>
enabledCipherSuites,
- final List<String>
disabledCipherSuites)
+ final List<String>
cipherSuitesWhiteList,
+ final List<String>
cipherSuitesBlackList)
{
- if (enabledCipherSuites != null && !enabledCipherSuites.isEmpty())
+ String[] filteredCipherSuites =
filterEntries(socket.getEnabledCipherSuites(),
+
socket.getSupportedCipherSuites(),
+ cipherSuitesWhiteList,
+ cipherSuitesBlackList);
+ socket.setEnabledCipherSuites(filteredCipherSuites);
+ }
+
+ static String[] filterEntries(final String[] enabledEntries,
+ final String[] supportedEntries,
+ final List<String> whiteList,
+ final List<String> blackList)
+ {
+ List<String> filteredList;
+ if (whiteList != null && !whiteList.isEmpty())
+ {
+ filteredList = new ArrayList<>();
+ List<String> supportedList = new
ArrayList<>(Arrays.asList(supportedEntries));
+ // the outer loop must be over the white list to preserve its order
+ for (String whiteListedRegEx : whiteList)
+ {
+ Iterator<String> supportedIter = supportedList.iterator();
+ while (supportedIter.hasNext())
+ {
+ String supportedEntry = supportedIter.next();
+ if (supportedEntry.matches(whiteListedRegEx))
+ {
+ filteredList.add(supportedEntry);
+ supportedIter.remove();
+ }
+ }
+ }
+ }
+ else
{
- List<String> supportedSuites =
Arrays.asList(socket.getSupportedCipherSuites());
- supportedSuites.retainAll(enabledCipherSuites);
- socket.setEnabledCipherSuites(supportedSuites.toArray(new
String[supportedSuites.size()]));
+ filteredList = new ArrayList<>(Arrays.asList(enabledEntries));
}
- if (disabledCipherSuites != null && !disabledCipherSuites.isEmpty())
+ if (blackList != null && !blackList.isEmpty())
{
- List<String> enabledSuites =
Arrays.asList(socket.getEnabledCipherSuites());
- enabledSuites.removeAll(disabledCipherSuites);
- socket.setEnabledCipherSuites(enabledSuites.toArray(new
String[enabledSuites.size()]));
+ for (String blackListedRegEx : blackList)
+ {
+ Iterator<String> entriesIter = filteredList.iterator();
+ while (entriesIter.hasNext())
+ {
+ if (entriesIter.next().matches(blackListedRegEx))
+ {
+ entriesIter.remove();
+ }
+ }
+ }
}
+
+ return filteredList.toArray(new String[filteredList.size()]);
}
- public static void updateEnabledTlsProtocols(final SSLSocket socket,
- final List<String>
enabledTlsProtocols,
- final List<String>
disabledTlsProtocols)
+ public static SSLContext tryGetSSLContext()
{
- if (enabledTlsProtocols != null && !enabledTlsProtocols.isEmpty())
- {
- List<String> supportedProtocols =
Arrays.asList(socket.getSupportedProtocols());
- supportedProtocols.retainAll(enabledTlsProtocols);
- socket.setEnabledProtocols(supportedProtocols.toArray(new
String[supportedProtocols.size()]));
- }
+ return tryGetSSLContext(TLS_PROTOCOL_PREFERENCES);
+ }
- if (disabledTlsProtocols != null && !disabledTlsProtocols.isEmpty())
+ public static SSLContext tryGetSSLContext(final String[] protocols)
+ {
+ for (String protocol : protocols)
{
- List<String> enabledProtocols =
Arrays.asList(socket.getEnabledProtocols());
- enabledProtocols.removeAll(disabledTlsProtocols);
- socket.setEnabledProtocols(enabledProtocols.toArray(new
String[enabledProtocols.size()]));
+ try
+ {
+ return SSLContext.getInstance(protocol);
+ }
+ catch (NoSuchAlgorithmException e)
+ {
+ // pass and try the next protocol in the list
+ }
}
+ throw new RuntimeException(String.format("Could not create SSLContext
with one of the requested protocols: %s",
+ Arrays.toString(protocols)));
}
}
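Review bot: The white-list branch of `filterEntries` selects from `supportedEntries`, not from `enabledEntries`, so a broad pattern such as `.*` re-enables every protocol or cipher suite the provider supports but has deliberately left disabled, and the black list only subtracts from that result. This is presumably intended, since it is what lets the white list dictate the result order, but it is a sharp edge for a configuration value and should be stated in a Javadoc on `filterEntries`: a non-empty white list is matched against the supported set (ignoring the enabled set), each entry is a full-match regular expression, result order follows white-list order, and an empty or null white list keeps the enabled set as is. The patterns come from system properties and `String.matches` throws an unchecked `PatternSyntaxException` on a malformed entry, which would surface as a failure during engine or socket setup rather than as a clear configuration error; compiling each entry once with `Pattern.compile` and wrapping the failure in an exception that names the offending entry would make misconfiguration visible and avoid recompiling the pattern for every supported entry. `tryGetSSLContext(String[])` discards every `NoSuchAlgorithmException` it catches, so the final `RuntimeException` has no cause; keep the last exception in a local and pass it as the cause, preferably as an `IllegalStateException`.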
Modified:
qpid/java/trunk/common/src/test/java/org/apache/qpid/transport/network/security/ssl/SSLUtilTest.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/common/src/test/java/org/apache/qpid/transport/network/security/ssl/SSLUtilTest.java?rev=1730088&r1=1730087&r2=1730088&view=diff
==============================================================================
---
qpid/java/trunk/common/src/test/java/org/apache/qpid/transport/network/security/ssl/SSLUtilTest.java
(original)
+++
qpid/java/trunk/common/src/test/java/org/apache/qpid/transport/network/security/ssl/SSLUtilTest.java
Fri Feb 12 18:27:37 2016
@@ -39,6 +39,40 @@ import org.apache.qpid.transport.Transpo
public class SSLUtilTest extends QpidTestCase
{
+ public void testFilterEntries_empty()
+ {
+ String[] enabled = {};
+ String[] supported = {};
+ List<String> whiteList = Arrays.asList();
+ List<String> blackList = Arrays.asList();
+ String[] result = SSLUtil.filterEntries(enabled, supported, whiteList,
blackList);
+ assertEquals("filtered list is not empty", 0, result.length);
+ }
+
+ public void testFilterEntries_whiteListNotEmpty_blackListEmpty()
+ {
+ List<String> whiteList = Arrays.asList("TLSv1\\.[0-9]+");
+ List<String> blackList = Collections.emptyList();
+ String[] enabled = {"TLS", "TLSv1.1", "TLSv1.2"};
+ String[] expected = {"TLSv1.1", "TLSv1.2"};
+ String[] supported = {"SSLv3", "TLS", "TLSv1", "TLSv1.1", "TLSv1.2"};
+ String[] result = SSLUtil.filterEntries(enabled, supported, whiteList,
blackList);
+ assertTrue("unexpected filtered list: expected " +
Arrays.toString(expected) + " actual " + Arrays.toString(
+ result), Arrays.equals(expected, result));
+ }
+
+ public void testFilterEntries_whiteListEmpty_blackListNotEmpty()
+ {
+ List<String> whiteList = Arrays.asList();
+ List<String> blackList = Arrays.asList("TLSv1\\.[0-9]+");
+ String[] enabled = {"TLS", "TLSv1.1", "TLSv1.2"};
+ String[] expected = {"TLS"};
+ String[] supported = {"SSLv3", "TLS", "TLSv1", "TLSv1.1", "TLSv1.2"};
+ String[] result = SSLUtil.filterEntries(enabled, supported, whiteList,
blackList);
+ assertTrue("unexpected filtered list: expected " +
Arrays.toString(expected) + " actual " + Arrays.toString(
+ result), Arrays.equals(expected, result));
+ }
+
public void testGetIdFromSubjectDN()
{
// "normal" dn
Modified:
qpid/java/trunk/systests/src/main/java/org/apache/qpid/systest/rest/RestTestHelper.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/systests/src/main/java/org/apache/qpid/systest/rest/RestTestHelper.java?rev=1730088&r1=1730087&r2=1730088&view=diff
==============================================================================
---
qpid/java/trunk/systests/src/main/java/org/apache/qpid/systest/rest/RestTestHelper.java
(original)
+++
qpid/java/trunk/systests/src/main/java/org/apache/qpid/systest/rest/RestTestHelper.java
Fri Feb 12 18:27:37 2016
@@ -177,7 +177,7 @@ public class RestTestHelper
KeyManagerFactory.getDefaultAlgorithm(),
_clientAuthAlias);
- final SSLContext sslContext =
SSLContext.getInstance(SSLUtil.getEnabledSSlProtocols()[SSLUtil.getEnabledSSlProtocols().length-1]);
+ final SSLContext sslContext = SSLUtil.tryGetSSLContext();
sslContext.init(keyManagers, trustManagers, null);
@@ -209,8 +209,7 @@ public class RestTestHelper
keyManagers =
SSLContextFactory.getKeyManagers(null, null, null,
null, null);
-
- final SSLContext sslContext =
SSLContext.getInstance(SSLUtil.getEnabledSSlProtocols()[SSLUtil.getEnabledSSlProtocols().length-1]);
+ final SSLContext sslContext = SSLUtil.tryGetSSLContext();
sslContext.init(keyManagers, trustManagers, null);