From b3ee90c97584cbe6bb5399825e466093e56d9877 Mon Sep 17 00:00:00 2001 From: Robert Godfrey Date: Thu, 16 Oct 2014 16:12:35 +0000 Subject: QPID-6156 : tidy up and ensure that there is no chance of inadvertantly adding an previously unenabled but supported protocol that is not SSLv3 git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1632376 13f79535-47bb-0310-9956-ffa450edef68 --- .../client/websocket/WebSocketProvider.java | 3 +- .../org/apache/qpid/amqp_1_0/client/SSLUtil.java | 32 +++++++++++++++++----- .../qpid/amqp_1_0/client/TCPTransportProvier.java | 12 +------- .../transport/network/security/ssl/SSLUtil.java | 18 ++++++------ 4 files changed, 37 insertions(+), 28 deletions(-) (limited to 'qpid/java') diff --git a/qpid/java/amqp-1-0-client-websocket/src/main/java/org/apache/qpid/amqp_1_0/client/websocket/WebSocketProvider.java b/qpid/java/amqp-1-0-client-websocket/src/main/java/org/apache/qpid/amqp_1_0/client/websocket/WebSocketProvider.java index 02bf93664e..af871d2bc4 100644 --- a/qpid/java/amqp-1-0-client-websocket/src/main/java/org/apache/qpid/amqp_1_0/client/websocket/WebSocketProvider.java +++ b/qpid/java/amqp-1-0-client-websocket/src/main/java/org/apache/qpid/amqp_1_0/client/websocket/WebSocketProvider.java @@ -33,6 +33,7 @@ import org.eclipse.jetty.websocket.WebSocketClient; import org.eclipse.jetty.websocket.WebSocketClientFactory; import org.apache.qpid.amqp_1_0.client.ConnectionException; +import org.apache.qpid.amqp_1_0.client.SSLUtil; import org.apache.qpid.amqp_1_0.client.TransportProvider; import org.apache.qpid.amqp_1_0.codec.FrameWriter; import org.apache.qpid.amqp_1_0.framing.AMQFrame; @@ -71,7 +72,7 @@ class WebSocketProvider implements TransportProvider sslContextFactory.setSslContext(context); - sslContextFactory.addExcludeProtocols("SSLv3"); + sslContextFactory.addExcludeProtocols(SSLUtil.SSLV3_PROTOCOL); factory.start(); return factory; diff --git a/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/SSLUtil.java b/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/SSLUtil.java index 70e5d08f15..225293c42e 100644 --- a/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/SSLUtil.java +++ b/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/SSLUtil.java @@ -20,13 +20,6 @@ */ package org.apache.qpid.amqp_1_0.client; -import javax.net.ssl.KeyManager; -import javax.net.ssl.KeyManagerFactory; -import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLEngine; -import javax.net.ssl.TrustManager; -import javax.net.ssl.TrustManagerFactory; -import javax.net.ssl.X509ExtendedKeyManager; import java.io.File; import java.io.FileInputStream; import java.io.IOException; @@ -37,10 +30,23 @@ import java.security.KeyStore; import java.security.Principal; import java.security.PrivateKey; import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; + +import javax.net.ssl.KeyManager; +import javax.net.ssl.KeyManagerFactory; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLSocket; +import javax.net.ssl.TrustManager; +import javax.net.ssl.TrustManagerFactory; +import javax.net.ssl.X509ExtendedKeyManager; public class SSLUtil { public static final String TRANSPORT_LAYER_SECURITY_CODE = "TLS"; + public static final String SSLV3_PROTOCOL = "SSLv3"; public static SSLContext buildSslContext(final String certAlias, final String keyStorePath, @@ -212,4 +218,16 @@ public class SSLUtil return delegate.chooseEngineServerAlias(keyType, issuers, engine); } } + + public static void removeSSLv3Support(final SSLSocket socket) + { + List enabledProtocols = Arrays.asList(socket.getEnabledProtocols()); + if(enabledProtocols.contains(SSLV3_PROTOCOL)) + { + List allowedProtocols = new ArrayList<>(enabledProtocols); + allowedProtocols.remove(SSLV3_PROTOCOL); + socket.setEnabledProtocols(allowedProtocols.toArray(new String[allowedProtocols.size()])); + } + } + } diff --git a/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/TCPTransportProvier.java b/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/TCPTransportProvier.java index 1cf270f930..720f12dc0d 100644 --- a/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/TCPTransportProvier.java +++ b/qpid/java/amqp-1-0-client/src/main/java/org/apache/qpid/amqp_1_0/client/TCPTransportProvier.java @@ -26,9 +26,6 @@ import java.io.OutputStream; import java.net.Socket; import java.net.SocketTimeoutException; import java.nio.ByteBuffer; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.List; import java.util.concurrent.atomic.AtomicLong; import java.util.logging.Level; import java.util.logging.Logger; @@ -77,15 +74,8 @@ class TCPTransportProvier implements TransportProvider if(sslContext != null) { final SSLSocketFactory socketFactory = sslContext.getSocketFactory(); - SSLSocket sslSocket = (SSLSocket) socketFactory.createSocket(address, port); - List supportedProtocols = Arrays.asList(sslSocket.getSupportedProtocols()); - if(supportedProtocols.contains("SSLv3")) - { - List allowedProtocols = new ArrayList<>(supportedProtocols); - allowedProtocols.remove("SSLv3"); - sslSocket.setEnabledProtocols(allowedProtocols.toArray(new String[allowedProtocols.size()])); - } + SSLUtil.removeSSLv3Support(sslSocket); sslSocket.startHandshake(); conn.setExternalPrincipal(sslSocket.getSession().getLocalPrincipal()); _socket=sslSocket; diff --git a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java index 0494f60e23..98229fd2a1 100644 --- a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java +++ b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java @@ -250,10 +250,10 @@ public class SSLUtil public static void removeSSLv3Support(final SSLEngine engine) { - List supportedProtocols = Arrays.asList(engine.getSupportedProtocols()); - if(supportedProtocols.contains(SSLV3_PROTOCOL)) + List enabledProtocols = Arrays.asList(engine.getEnabledProtocols()); + if(enabledProtocols.contains(SSLV3_PROTOCOL)) { - List allowedProtocols = new ArrayList<>(supportedProtocols); + List allowedProtocols = new ArrayList<>(enabledProtocols); allowedProtocols.remove(SSLV3_PROTOCOL); engine.setEnabledProtocols(allowedProtocols.toArray(new String[allowedProtocols.size()])); } @@ -261,10 +261,10 @@ public class SSLUtil public static void removeSSLv3Support(final SSLSocket socket) { - List supportedProtocols = Arrays.asList(socket.getSupportedProtocols()); - if(supportedProtocols.contains(SSLV3_PROTOCOL)) + List enabledProtocols = Arrays.asList(socket.getEnabledProtocols()); + if(enabledProtocols.contains(SSLV3_PROTOCOL)) { - List allowedProtocols = new ArrayList<>(supportedProtocols); + List allowedProtocols = new ArrayList<>(enabledProtocols); allowedProtocols.remove(SSLV3_PROTOCOL); socket.setEnabledProtocols(allowedProtocols.toArray(new String[allowedProtocols.size()])); } @@ -273,10 +273,10 @@ public class SSLUtil public static void removeSSLv3Support(final SSLServerSocket socket) { - List supportedProtocols = Arrays.asList(socket.getSupportedProtocols()); - if(supportedProtocols.contains(SSLV3_PROTOCOL)) + List enabledProtocols = Arrays.asList(socket.getEnabledProtocols()); + if(enabledProtocols.contains(SSLV3_PROTOCOL)) { - List allowedProtocols = new ArrayList<>(supportedProtocols); + List allowedProtocols = new ArrayList<>(enabledProtocols); allowedProtocols.remove(SSLV3_PROTOCOL); socket.setEnabledProtocols(allowedProtocols.toArray(new String[allowedProtocols.size()])); } -- cgit v1.2.1