Patch up Jetty to disable SSLv3 (CVE-2014-3566)

2014-11-19 16:40:18 +00:00 · 2014-11-19 16:40:18 +00:00 · 3f95fe22e0
parent 640274d5e1
commit 3f95fe22e0
2 changed files with 59 additions and 1 deletions
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java
@ -356,7 +356,7 @@ public class HttpServer implements FilterContainer {
        if ("http".equals(scheme)) {
          listener = HttpServer.createDefaultChannelConnector();
        } else if ("https".equals(scheme)) {
-          SslSocketConnector c = new SslSocketConnector();
+          SslSocketConnector c = new SslSocketConnectorSecure();
          c.setNeedClientAuth(needsClientAuth);
          c.setKeyPassword(keyPassword);

--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/http/SslSocketConnectorSecure.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/http/SslSocketConnectorSecure.java
@ -0,0 +1,58 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hbase.http;
+
+import org.mortbay.jetty.security.SslSocketConnector;
+
+import javax.net.ssl.SSLServerSocket;
+import java.io.IOException;
+import java.net.ServerSocket;
+import java.util.ArrayList;
+
+/**
+ * This subclass of the Jetty SslSocketConnector exists solely to control
+ * the TLS protocol versions allowed.  This is fallout from the POODLE
+ * vulnerability (CVE-2014-3566), which requires that SSLv3 be disabled.
+ * Only TLS 1.0 and later protocols are allowed.
+ */
+public class SslSocketConnectorSecure extends SslSocketConnector {
+
+  public SslSocketConnectorSecure() {
+    super();
+  }
+
+  /**
+   * Create a new ServerSocket that will not accept SSLv3 connections,
+   * but will accept TLSv1.x connections.
+   */
+  protected ServerSocket newServerSocket(String host, int port,int backlog)
+          throws IOException {
+    SSLServerSocket socket = (SSLServerSocket)
+            super.newServerSocket(host, port, backlog);
+    ArrayList<String> nonSSLProtocols = new ArrayList<String>();
+    for (String p : socket.getEnabledProtocols()) {
+      if (!p.contains("SSLv3")) {
+        nonSSLProtocols.add(p);
+      }
+    }
+    socket.setEnabledProtocols(nonSSLProtocols.toArray(
+            new String[nonSSLProtocols.size()]));
+    return socket;
+  }
+}