This is an automated email from the ASF dual-hosted git repository.
bhaisaab pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
The following commit(s) were added to refs/heads/master by this push:
new e1c4b1b Enhance SSL protocol used by Console Proxy
e1c4b1b is described below
commit e1c4b1b226c45b9941731d7aaf53ef0fbdb9946e
Author: gabrascher <gabrasc...@hotmail.com>
AuthorDate: Wed Jul 12 15:44:30 2017 -0300
Enhance SSL protocol used by Console Proxy
Current SSL protocol and ciphers used in SystemVMs are not the
recommended. To analyze it is possible to use tests such as from SSL
Labs (https://www.ssllabs.com/ssltest/). This commit changes the grade
from C to -A
---
.../ConsoleProxySecureServerFactoryImpl.java | 5 +-
systemvm/scripts/_run.sh | 2 +-
.../apache/cloudstack/utils/security/SSLUtils.java | 23 ++++++-
.../com/cloud/utils/security/SSLUtilsTest.java | 79 ++++++++++++++++++++++
4 files changed, 104 insertions(+), 5 deletions(-)
diff --git
a/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
b/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
index 5df971c..df879fe 100644
---
a/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
+++
b/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
@@ -91,6 +91,8 @@ public class ConsoleProxySecureServerFactoryImpl implements
ConsoleProxyServerFa
SSLParameters sslparams = c.getDefaultSSLParameters();
params.setSSLParameters(sslparams);
+ params.setProtocols(SSLUtils.getRecommendedProtocols());
+ params.setCipherSuites(SSLUtils.getRecommendedCiphers());
// statement above could throw IAE if any params invalid.
// eg. if app has a UI and parameters supplied by a user.
}
@@ -110,7 +112,8 @@ public class ConsoleProxySecureServerFactoryImpl implements
ConsoleProxyServerFa
SSLServerSocket srvSock = null;
SSLServerSocketFactory ssf = sslContext.getServerSocketFactory();
srvSock = (SSLServerSocket)ssf.createServerSocket(port);
-
srvSock.setEnabledProtocols(SSLUtils.getSupportedProtocols(srvSock.getEnabledProtocols()));
+ srvSock.setEnabledProtocols(SSLUtils.getRecommendedProtocols());
+ srvSock.setEnabledCipherSuites(SSLUtils.getRecommendedCiphers());
s_logger.info("create SSL server socket on port: " + port);
return srvSock;
diff --git a/systemvm/scripts/_run.sh b/systemvm/scripts/_run.sh
index 3792261..6d77002 100755
--- a/systemvm/scripts/_run.sh
+++ b/systemvm/scripts/_run.sh
@@ -68,4 +68,4 @@ if [ "$(uname -m | grep '64')" == "" ]; then
fi
fi
-java -Djavax.net.ssl.trustStore=./certs/realhostip.keystore
-Djsse.enableSNIExtension=false -Dlog.home=$LOGHOME -mx${maxmem}m -cp $CP
com.cloud.agent.AgentShell $keyvalues $@
+java -Djavax.net.ssl.trustStore=./certs/realhostip.keystore
-Djdk.tls.ephemeralDHKeySize=2048 -Djsse.enableSNIExtension=false
-Dlog.home=$LOGHOME -mx${maxmem}m -cp $CP com.cloud.agent.AgentShell $keyvalues
$@
diff --git
a/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java
b/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java
index c1fc2d6..8016f5a 100644
--- a/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java
+++ b/utils/src/main/java/org/apache/cloudstack/utils/security/SSLUtils.java
@@ -39,7 +39,24 @@ public class SSLUtils {
}
set.add(s);
}
- return (String[]) set.toArray(new String[set.size()]);
+ return set.toArray(new String[set.size()]);
+ }
+
+ /**
+ * It returns recommended protocols that are considered secure.
+ */
+ public static String[] getRecommendedProtocols() {
+ return new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" };
+ }
+
+ /**
+ * It returns recommended ciphers that are considered secure.
+ */
+ public static String[] getRecommendedCiphers() {
+ return new String[] { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
+ "TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
+ "TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" };
}
public static String[] getSupportedCiphers() throws
NoSuchAlgorithmException {
@@ -49,10 +66,10 @@ public class SSLUtils {
}
public static SSLContext getSSLContext() throws NoSuchAlgorithmException {
- return SSLContext.getInstance("TLSv1");
+ return SSLContext.getInstance("TLSv1.2");
}
public static SSLContext getSSLContext(String provider) throws
NoSuchAlgorithmException, NoSuchProviderException {
- return SSLContext.getInstance("TLSv1", provider);
+ return SSLContext.getInstance("TLSv1.2", provider);
}
}
diff --git a/utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java
b/utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java
new file mode 100644
index 0000000..625b538
--- /dev/null
+++ b/utils/src/test/java/com/cloud/utils/security/SSLUtilsTest.java
@@ -0,0 +1,79 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package com.cloud.utils.security;
+
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.util.ArrayList;
+import java.util.Arrays;
+
+import org.apache.cloudstack.utils.security.SSLUtils;
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Spy;
+import org.mockito.runners.MockitoJUnitRunner;
+
+@RunWith(MockitoJUnitRunner.class)
+public class SSLUtilsTest {
+
+ @Spy
+ private SSLUtils spySSLUtils;
+
+ @Test
+ public void getRecommendedProtocolsTest() {
+ ArrayList<String> protocolsList = new
ArrayList<>(Arrays.asList(spySSLUtils.getRecommendedProtocols()));
+ verifyProtocols(protocolsList);
+ }
+
+ @Test
+ public void getRecommendedCiphers() {
+ String[] expectedCiphers = { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
+ "TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
+ "TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" };
+ Assert.assertArrayEquals(expectedCiphers,
spySSLUtils.getRecommendedCiphers());
+ }
+
+ @Test
+ public void getSSLContextTest() throws NoSuchAlgorithmException {
+ Assert.assertEquals("TLSv1.2",
spySSLUtils.getSSLContext().getProtocol());
+ }
+
+ @Test
+ public void getSSLContextTestStringAsParameter() throws
NoSuchAlgorithmException, NoSuchProviderException {
+ Assert.assertEquals("TLSv1.2",
spySSLUtils.getSSLContext("SunJSSE").getProtocol());
+ }
+
+ @Test
+ public void getSupportedProtocolsTest() {
+ ArrayList<String> protocolsList = new
ArrayList<>(Arrays.asList(spySSLUtils.getSupportedProtocols(new String[] {
"TLSv1", "TLSv1.1", "TLSv1.2", "SSLv3", "SSLv2Hello" })));
+ verifyProtocols(protocolsList);
+ }
+
+ private void verifyProtocols(ArrayList<String> protocolsList) {
+ Assert.assertTrue(protocolsList.contains("TLSv1"));
+ Assert.assertTrue(protocolsList.contains("TLSv1.1"));
+ Assert.assertTrue(protocolsList.contains("TLSv1.2"));
+ Assert.assertFalse(protocolsList.contains("SSLv3"));
+ Assert.assertFalse(protocolsList.contains("SSLv2Hello"));
+ }
+
+}
--
To stop receiving notification emails like this one, please contact
['"commits@cloudstack.apache.org" <commits@cloudstack.apache.org>'].
