From 114a5bf4abe976daabd12b6c118c4fb70857c8bb Mon Sep 17 00:00:00 2001
From: Oleg Kalnichevski
Date: Sun, 19 Oct 2014 19:20:56 +0000
Subject: [PATCH] Disable all versions of SSL protocol by default

git-svn-id: https://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk@1632979 13f79535-47bb-0310-9956-ffa450edef68
---
 .../conn/ssl/SSLConnectionSocketFactory.java | 12 +++++
 .../http/conn/ssl/TestSSLSocketFactory.java | 51 +++++++++++++++++++
 2 files changed, 63 insertions(+)

diff --git a/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java b/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java
index 4c5be354c..363250abd 100644
--- a/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java
+++ b/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java
@@ -33,6 +33,8 @@ import java.net.InetSocketAddress;
 import java.net.Socket;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.List;
 import javax.net.SocketFactory;
 import javax.net.ssl.HostnameVerifier;
@@ -356,6 +358,16 @@ public class SSLConnectionSocketFactory implements LayeredConnectionSocketFactor
 true);
 if (supportedProtocols != null) {
 sslsock.setEnabledProtocols(supportedProtocols);
+ } else {
+ // If supported protocols are not explicitly set, remove all SSL protocol versions
+ final String[] allProtocols = sslsock.getSupportedProtocols();
+ final List enabledProtocols = new ArrayList(allProtocols.length);
+ for (String protocol: allProtocols) {
+ if (!protocol.startsWith("SSL")) {
+ enabledProtocols.add(protocol);
+ }
+ }
+ sslsock.setEnabledProtocols(enabledProtocols.toArray(new String[enabledProtocols.size()]));
 }
 if (supportedCipherSuites != null) {
 sslsock.setEnabledCipherSuites(supportedCipherSuites);
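Review bot: The fallback branch filters `sslsock.getSupportedProtocols()` rather than `sslsock.getEnabledProtocols()`, so besides dropping the SSL* names it may also switch on every TLS version the provider supports but does not enable by default, which is a wider behaviour change than the commit message describes; `final String[] allProtocols = sslsock.getEnabledProtocols();` would limit the change to removing SSL versions. The `startsWith("SSL")` test also strips the `SSLv2Hello` pseudo-protocol, which affects interoperability with peers expecting that hello format and is worth stating in the comment. If nothing survives the filter, `setEnabledProtocols` receives an empty array and the handshake fails rather than falling back to SSL, which is the safe direction but deserves a sentence in the comment too. The raw `List`/`ArrayList` should be `final List<String> enabledProtocols = new ArrayList<String>(allProtocols.length);`. The enclosing method starts and ends outside this hunk.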
diff --git a/httpclient/src/test/java/org/apache/http/conn/ssl/TestSSLSocketFactory.java b/httpclient/src/test/java/org/apache/http/conn/ssl/TestSSLSocketFactory.java
index 6baf0c35b..3a4cb953c 100644
--- a/httpclient/src/test/java/org/apache/http/conn/ssl/TestSSLSocketFactory.java
+++ b/httpclient/src/test/java/org/apache/http/conn/ssl/TestSSLSocketFactory.java
@@ -250,4 +250,55 @@ public class TestSSLSocketFactory {
 sslSocket.close();
 }
+ @Test
+ public void testTLSOnly() throws Exception {
+ this.server = ServerBootstrap.bootstrap()
+ .setServerInfo(LocalServerTestBase.ORIGIN)
+ .setSslContext(SSLTestContexts.createServerSSLContext())
+ .setSslSetupHandler(new SSLServerSetupHandler() {
+
+ @Override
+ public void initialize(final SSLServerSocket socket) throws SSLException {
+ socket.setEnabledProtocols(new String[] {"TLSv1"});
+ }
+
+ })
+ .create();
+ this.server.start();
+
+ final HttpContext context = new BasicHttpContext();
+ final SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
+ SSLTestContexts.createClientSSLContext());
+ final Socket socket = socketFactory.createSocket(context);
+ final InetSocketAddress remoteAddress = new InetSocketAddress("localhost", this.server.getLocalPort());
+ final HttpHost target = new HttpHost("localhost", this.server.getLocalPort(), "https");
+ final SSLSocket sslSocket = (SSLSocket) socketFactory.connectSocket(0, socket, target, remoteAddress, null, context);
+ final SSLSession sslsession = sslSocket.getSession();
+ Assert.assertNotNull(sslsession);
+ }
+
+ @Test(expected=IOException.class)
+ public void testSSLDisabledByDefault() throws Exception {
+ this.server = ServerBootstrap.bootstrap()
+ .setServerInfo(LocalServerTestBase.ORIGIN)
+ .setSslContext(SSLTestContexts.createServerSSLContext())
+ .setSslSetupHandler(new SSLServerSetupHandler() {
+
+ @Override
+ public void initialize(final SSLServerSocket socket) throws SSLException {
+ socket.setEnabledProtocols(new String[] {"SSLv3"});
+ }
+
+ })
+ .create();
+ this.server.start();
+
+ final HttpContext context = new BasicHttpContext();
+ final SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
+ SSLTestContexts.createClientSSLContext());
+ final Socket socket = socketFactory.createSocket(context);
+ final InetSocketAddress remoteAddress = new InetSocketAddress("localhost", this.server.getLocalPort());
+ final HttpHost target = new HttpHost("localhost", this.server.getLocalPort(), "https");
+ socketFactory.connectSocket(0, socket, target, remoteAddress, null, context);
+ }
 }
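Review bot: `testTLSOnly` only asserts that a session exists; adding `Assert.assertTrue(sslsession.getProtocol().startsWith("TLS"));` would pin the property the commit is about instead of relying on the server having a single enabled protocol. Neither new test closes the sockets it creates, unlike the preceding test whose `sslSocket.close()` is visible as context; a `sslSocket.close()` at the end of `testTLSOnly`, and closing `socket` in a `finally` block in `testSSLDisabledByDefault` where the expected exception skips every later line, avoids leaking connections between tests. `@Test(expected=IOException.class)` also accepts an IOException thrown by `createSocket` or any earlier line, so the test can pass without the protocol filter being the cause; catching the exception around the `connectSocket` call alone would make the check precise.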