Author: rgodfrey Date: Wed Mar 9 16:11:56 2016 New Revision: 1734283 URL: http://svn.apache.org/viewvc?rev=1734283&view=rev Log: QPID-7113 : When using Java 8, if the cipher suite white list is set then set broker to use the cipher suite order for preference
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/NonBlockingConnectionTLSDelegate.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java
qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/NonBlockingConnectionTLSDelegate.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/NonBlockingConnectionTLSDelegate.java?rev=1734283&r1=1734282&r2=1734283&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/NonBlockingConnectionTLSDelegate.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/transport/NonBlockingConnectionTLSDelegate.java Wed Mar 9 16:11:56 2016
@@ -319,6 +319,10 @@ public class NonBlockingConnectionTLSDel
sslEngine.setUseClientMode(false);
SSLUtil.updateEnabledTlsProtocols(sslEngine, port.getTlsProtocolWhiteList(), port.getTlsProtocolBlackList());
SSLUtil.updateEnabledCipherSuites(sslEngine, port.getTlsCipherSuiteWhiteList(), port.getTlsCipherSuiteBlackList());
+ if(port.getTlsCipherSuiteWhiteList() != null && !port.getTlsCipherSuiteWhiteList().isEmpty())
+ {
+ SSLUtil.useCipherOrderIfPossible(sslEngine.getSSLParameters());
+ }
if(port.getNeedClientAuth())
{
Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java?rev=1734283&r1=1734282&r2=1734283&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java Wed Mar 9 16:11:56 2016
@@ -36,6 +36,9 @@ import java.util.Set;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.servlet.DispatcherType;
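Review bot: The cipher-suite preference set by the new `SSLUtil.useCipherOrderIfPossible(sslEngine.getSSLParameters());` line never reaches the engine, because `SSLEngine.getSSLParameters()` returns a fresh copy and that copy is discarded, so the server-order preference this commit is meant to enable has no effect on this transport. Keep the object and hand it back: `SSLParameters sslParameters = sslEngine.getSSLParameters();` then `SSLUtil.useCipherOrderIfPossible(sslParameters);` then `sslEngine.setSSLParameters(sslParameters);` (which needs a `javax.net.ssl.SSLParameters` import outside this hunk). Applying an object obtained from `getSSLParameters()` carries the cipher suites and protocols that `updateEnabledCipherSuites`/`updateEnabledTlsProtocols` already set, so nothing is reset by the round-trip. The `customize(SSLEngine)` override added to HttpManagement in the next hunk has the same defect and needs the same `setSSLParameters` call after `super.customize(sslEngine)`. The enclosing method begins before this hunk and continues after it.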
@@ -402,6 +405,22 @@ public class HttpManagement extends Abst
port.getTlsCipherSuiteWhiteList(), port.getTlsCipherSuiteBlackList());
}
+
+ @Override
+ public void customize(final SSLEngine sslEngine)
+ {
+ super.customize(sslEngine);
+ useCipherOrderIfPossible(sslEngine.getSSLParameters());
+ }
+
+ private void useCipherOrderIfPossible(final SSLParameters sslParameters)
+ {
+ if(port.getTlsCipherSuiteWhiteList() != null
+ && !port.getTlsCipherSuiteWhiteList().isEmpty())
+ {
+ SSLUtil.useCipherOrderIfPossible(sslParameters);
+ }
+ }
};
boolean needClientCert = port.getNeedClientAuth() || port.getWantClientAuth();
Modified: qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java?rev=1734283&r1=1734282&r2=1734283&view=diff
==============================================================================
--- qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java (original)
+++ qpid/java/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java Wed Mar 9 16:11:56 2016
@@ -27,6 +27,8 @@ import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringReader;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
import java.math.BigInteger;
import java.net.URL;
import java.nio.BufferUnderflowException;
@@ -58,6 +60,7 @@ import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.xml.bind.DatatypeConverter;
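Review bot: The `javax.net.ssl.SSLServerSocket` import added in the previous hunk of HttpManagement is not referenced by any line this commit adds to the file — the new `customize` override and private helper use only `SSLEngine` and `SSLParameters` — so it looks like a leftover from an earlier draft and should be removed. The `port.getTlsCipherSuiteWhiteList() != null && !port.getTlsCipherSuiteWhiteList().isEmpty()` guard in the private `useCipherOrderIfPossible` duplicates the one in NonBlockingConnectionTLSDelegate; moving that guard into `SSLUtil` so both transports call one helper that takes the white list would keep the two call sites from drifting. The anonymous class that this override belongs to begins before the hunk, so its base type is inferred from `super.customize(sslEngine)` and not visible here.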
@@ -74,6 +77,24 @@ public class SSLUtil
private static final Integer DNS_NAME_TYPE = 2;
public static final String[] TLS_PROTOCOL_PREFERENCES = new String[]{"TLSv1.2", "TLSv1.1", "TLS", "TLSv1"};
+ private static final Method SSL_PARAMATERS_SET_USER_CIPHER_SUITES_ORDER;
+
+ static
+ {
+ Method method;
+ try
+ {
+ method = SSLParameters.class.getMethod("setUseCipherSuitesOrder", Boolean.TYPE);
+ }
+ catch (NoSuchMethodException e)
+ {
+ method = null;
+ }
+
+ SSL_PARAMATERS_SET_USER_CIPHER_SUITES_ORDER = method;
+ }
+
+
private SSLUtil() { }
@@ -603,4 +624,19 @@ public class SSLUtil
throw new NoSuchAlgorithmException(String.format("Could not create SSLContext with one of the requested protocols: %s", Arrays.toString(protocols)));
}
+
+ public static void useCipherOrderIfPossible(final SSLParameters sslParameters)
+ {
+ if(SSL_PARAMATERS_SET_USER_CIPHER_SUITES_ORDER != null)
+ {
+ try
+ {
+ SSL_PARAMATERS_SET_USER_CIPHER_SUITES_ORDER.invoke(sslParameters, Boolean.TRUE);
+ }
+ catch (IllegalAccessException | InvocationTargetException e)
+ {
+ LOGGER.debug("Unable to invoke SSLParameters.setCipherSuiteOrder", e);
+ }
+ }
+ }
}
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@qpid.apache.org
For additional commands, e-mail: commits-h...@qpid.apache.org
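Review bot: The new constant `SSL_PARAMATERS_SET_USER_CIPHER_SUITES_ORDER` misspells both the class and the method it reflects (`PARAMETERS`, `USE`), which makes it hard to grep against `setUseCipherSuitesOrder`; renaming it `SSL_PARAMETERS_SET_USE_CIPHER_SUITES_ORDER` in both hunks of this file fixes that. The static initialiser also deserves a why-comment, because a reflective lookup of a public JDK method is surprising without one: `// SSLParameters.setUseCipherSuitesOrder(boolean) exists only from Java 8; resolve it reflectively so this class still loads on older runtimes.` `Class.getMethod` can additionally throw `SecurityException` under a security manager, which `catch (NoSuchMethodException e)` does not cover; whether that is worth handling depends on the deployments the broker supports.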
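Review bot: The log message in the new `useCipherOrderIfPossible` names a method that does not exist, `SSLParameters.setCipherSuiteOrder`, while the code invokes `setUseCipherSuitesOrder`; change it to `LOGGER.debug("Unable to invoke SSLParameters.setUseCipherSuitesOrder", e);`. Since callers only reach this line when an operator has configured a cipher-suite white list, a failure here silently drops a requested security preference, so `warn` rather than `debug` would let the operator notice; the method-absent case on older runtimes can reasonably stay quiet. The method also needs Javadoc stating that it mutates the given `SSLParameters` in place and is a no-op where the setter is unavailable, so callers understand they must still apply the object to their `SSLEngine` or `SSLSocket` themselves.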