358674 Added include/exclude protocols to SslContextFactory

This commit is contained in:
Greg Wilkins 2011-09-23 08:02:42 +10:00
parent af7252b719
commit 75645cef0e
14 changed files with 365 additions and 265 deletions


@ -88,33 +88,13 @@ public class LikeJettyXml
"SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
"SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"
});
cf.setProtocol("TLSv1.1");
cf.addExcludeProtocols(new String[]{"TLSv1","SSLv3"});
ssl_connector.setStatsOn(true);
server.addConnector(ssl_connector);
ssl_connector.open();
SslSocketConnector ssls_connector = new SslSocketConnector();
ssls_connector.setPort(8444);
cf = ssls_connector.getSslContextFactory();
cf.setKeyStore(jetty_home + "/etc/keystore");
cf.setKeyStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
cf.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");
cf.setTrustStore(jetty_home + "/etc/keystore");
cf.setTrustStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
cf.setExcludeCipherSuites(
new String[] {
"SSL_RSA_WITH_DES_CBC_SHA",
"SSL_DHE_RSA_WITH_DES_CBC_SHA",
"SSL_DHE_DSS_WITH_DES_CBC_SHA",
"SSL_RSA_EXPORT_WITH_RC4_40_MD5",
"SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
"SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
"SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"
});
ssls_connector.setStatsOn(true);
server.addConnector(ssls_connector);
ssls_connector.open();
Ajp13SocketConnector ajp = new Ajp13SocketConnector();
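Review bot: The example now pins the SSLContext algorithm with `cf.setProtocol("TLSv1.1")` and on the next line also excludes `TLSv1` and `SSLv3`; the two settings overlap, and naming a single version as the context algorithm may keep newer protocol versions the JVM supports from being offered, although the exclusion list is what actually expresses the intent. If the goal is only to drop the legacy protocols, a generic `cf.setProtocol("TLS")` together with `cf.addExcludeProtocols("TLSv1","SSLv3")` is the less fragile combination, and the explicit `new String[]{...}` wrapper is no longer needed now that the method is varargs. The enclosing method starts and ends outside the hunk.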


@ -178,7 +178,7 @@ public class HttpClient extends HttpBuffers implements Attributes, Dumpable
/* ------------------------------------------------------------ */
/**
* @return the threadPool
* @return the threadpool
*/
public ThreadPool getThreadPool()
{


@ -51,7 +51,6 @@ class SelectConnector extends AbstractLifeCycle implements HttpClient.Connector
private final HttpClient _httpClient;
private final Manager _selectorManager=new Manager();
private final Map<SocketChannel, Timeout.Task> _connectingChannels = new ConcurrentHashMap<SocketChannel, Timeout.Task>();
private SSLContext _sslContext;
private Buffers _sslBuffers;
/**
@ -211,19 +210,16 @@ class SelectConnector extends AbstractLifeCycle implements HttpClient.Connector
private synchronized SSLEngine newSslEngine(SocketChannel channel) throws IOException
{
SslContextFactory sslContextFactory = _httpClient.getSslContextFactory();
if (_sslContext == null)
_sslContext = sslContextFactory.getSslContext();
SSLEngine sslEngine;
if (channel != null && sslContextFactory.isSessionCachingEnabled())
if (channel != null)
{
String peerHost = channel.socket().getInetAddress().getHostAddress();
int peerPort = channel.socket().getPort();
sslEngine = _sslContext.createSSLEngine(peerHost, peerPort);
sslEngine = sslContextFactory.newSslEngine(peerHost, peerPort);
}
else
{
sslEngine = _sslContext.createSSLEngine();
sslEngine = sslContextFactory.newSslEngine();
}
sslEngine.setUseClientMode(true);
sslEngine.beginHandshake();
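Review bot: `newSslEngine` is still declared `synchronized` on line 64 although the only state it guarded, the lazily initialised `_sslContext` field, is removed by this commit; the method now only delegates to the factory, so the lock serialises engine creation across all client connections for no benefit and can be dropped: `private SSLEngine newSslEngine(SocketChannel channel) throws IOException`. Note also that `SslContextFactory.newSslEngine` runs `customize()`, which applies the factory's include/exclude protocol and cipher-suite lists to this client-side engine where the previous `_sslContext.createSSLEngine(...)` did not, so a factory configured with server-oriented lists now shapes outbound handshakes too; that is worth a sentence in the method's Javadoc. The enclosing method ends outside the hunk.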


@ -45,18 +45,9 @@ class SocketConnector extends AbstractLifeCycle implements HttpClient.Connector
public void startConnection(final HttpDestination destination) throws IOException
{
Socket socket=null;
if ( destination.isSecure() )
{
SSLContext sslContext = _httpClient.getSSLContext();
socket = sslContext.getSocketFactory().createSocket();
}
else
{
LOG.debug("Using Regular Socket");
socket = SocketFactory.getDefault().createSocket();
}
Socket socket= destination.isSecure()
?_httpClient.getSslContextFactory().newSslSocket()
:SocketFactory.getDefault().createSocket();
socket.setSoTimeout(0);
socket.setTcpNoDelay(true);


@ -68,7 +68,7 @@ public class GenericServerHandler extends AbstractHandler
}
catch (InterruptedException e)
{
LOG.warn(e);
LOG.debug(e);
}
catch (IOException e)
{


@ -21,6 +21,7 @@ import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.security.InvalidParameterException;
import java.security.KeyStore;
import java.security.SecureRandom;
@ -42,7 +43,11 @@ import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
@ -51,9 +56,12 @@ import javax.net.ssl.X509TrustManager;
import org.eclipse.jetty.http.security.Password;
import org.eclipse.jetty.util.IO;
import org.eclipse.jetty.util.component.AbstractLifeCycle;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
import org.eclipse.jetty.util.resource.Resource;
import org.eclipse.jetty.util.security.CertificateUtils;
import org.eclipse.jetty.util.security.CertificateValidator;
import org.junit.experimental.categories.Categories.IncludeCategory;
/* ------------------------------------------------------------ */
@ -65,6 +73,8 @@ import org.eclipse.jetty.util.security.CertificateValidator;
*/
public class SslContextFactory extends AbstractLifeCycle
{
private static final Logger LOG = Log.getLogger(SslContextFactory.class);
public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM =
(Security.getProperty("ssl.KeyManagerFactory.algorithm") == null ?
"SunX509" : Security.getProperty("ssl.KeyManagerFactory.algorithm"));
@ -82,8 +92,13 @@ public class SslContextFactory extends AbstractLifeCycle
/** String name of keystore password property. */
public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password";
/** Excluded protocols. */
private final Set<String> _excludeProtocols = new HashSet<String>(Collections.singleton("SSLv2Hello"));
/** Included protocols. */
private Set<String> _includeProtocols = null;
/** Excluded cipher suites. */
private Set<String> _excludeCipherSuites = null;
private final Set<String> _excludeCipherSuites = new HashSet<String>();
/** Included cipher suites. */
private Set<String> _includeCipherSuites = null;
@ -196,6 +211,7 @@ public class SslContextFactory extends AbstractLifeCycle
if (_keyStoreInputStream == null && _keyStorePath == null &&
_trustStoreInputStream == null && _trustStorePath == null )
{
LOG.info("No keystore or trust store configured. ACCEPTING UNTRUSTED CERTIFICATES!!!!!");
// Create a trust manager that does not validate certificate chains
TrustManager trustAllCerts = new X509TrustManager()
{
@ -218,11 +234,115 @@ public class SslContextFactory extends AbstractLifeCycle
}
else
{
createSSLContext();
// verify that keystore and truststore
// parameters are set up correctly
try
{
checkKeyStore();
}
catch(IllegalStateException e)
{
LOG.ignore(e);
}
KeyStore keyStore = loadKeyStore();
KeyStore trustStore = loadTrustStore();
Collection<? extends CRL> crls = loadCRL(_crlPath);
if (_validateCerts && keyStore != null)
{
if (_certAlias == null)
{
List<String> aliases = Collections.list(keyStore.aliases());
_certAlias = aliases.size() == 1 ? aliases.get(0) : null;
}
Certificate cert = _certAlias == null?null:keyStore.getCertificate(_certAlias);
if (cert == null)
{
throw new Exception("No certificate found in the keystore" + (_certAlias==null ? "":" for alias " + _certAlias));
}
CertificateValidator validator = new CertificateValidator(trustStore, crls);
validator.setMaxCertPathLength(_maxCertPathLength);
validator.setEnableCRLDP(_enableCRLDP);
validator.setEnableOCSP(_enableOCSP);
validator.setOcspResponderURL(_ocspResponderURL);
validator.validate(keyStore, cert);
}
KeyManager[] keyManagers = getKeyManagers(keyStore);
TrustManager[] trustManagers = getTrustManagers(trustStore,crls);
SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm);
_context = (_sslProvider == null)?SSLContext.getInstance(_sslProtocol):SSLContext.getInstance(_sslProtocol,_sslProvider);
_context.init(keyManagers,trustManagers,secureRandom);
SSLEngine engine=newSslEngine();
LOG.info("Enabled Protocols {} of {}",Arrays.asList(engine.getEnabledProtocols()),Arrays.asList(engine.getSupportedProtocols()));
LOG.debug("Enabled Ciphers {} of {}",Arrays.asList(engine.getEnabledCipherSuites()),Arrays.asList(engine.getSupportedCipherSuites()));
}
}
}
/* ------------------------------------------------------------ */
/**
* @return The array of protocol names to exclude from
* {@link SSLEngine#setEnabledProtocols(String[])}
*/
public String[] getExcludeProtocols()
{
return _excludeProtocols.toArray(new String[_excludeProtocols.size()]);
}
/* ------------------------------------------------------------ */
/**
* @param Protocols
* The array of protocol names to exclude from
* {@link SSLEngine#setEnabledProtocols(String[])}
*/
public void setExcludeProtocols(String... protocols)
{
checkNotStarted();
_excludeProtocols.clear();
_excludeProtocols.addAll(Arrays.asList(protocols));
}
/* ------------------------------------------------------------ */
/**
* @param protocol Protocol names to add to {@link SSLEngine#setEnabledProtocols(String[])}
*/
public void addExcludeProtocols(String... protocol)
{
checkNotStarted();
_excludeProtocols.addAll(Arrays.asList(protocol));
}
/* ------------------------------------------------------------ */
/**
* @return The array of protocol names to include in
* {@link SSLEngine#setEnabledProtocols(String[])}
*/
public String[] getIncludeProtocols()
{
return _includeProtocols.toArray(new String[_includeProtocols.size()]);
}
/* ------------------------------------------------------------ */
/**
* @param Protocols
* The array of protocol names to include in
* {@link SSLEngine#setEnabledProtocols(String[])}
*/
public void setIncludeProtocols(String... protocols)
{
checkNotStarted();
_includeProtocols = new HashSet<String>(Arrays.asList(protocols));
}
/* ------------------------------------------------------------ */
/**
* @return The array of cipher suite names to exclude from
@ -239,11 +359,21 @@ public class SslContextFactory extends AbstractLifeCycle
* The array of cipher suite names to exclude from
* {@link SSLEngine#setEnabledCipherSuites(String[])}
*/
public void setExcludeCipherSuites(String[] cipherSuites)
public void setExcludeCipherSuites(String... cipherSuites)
{
checkStarted();
_excludeCipherSuites = new HashSet<String>(Arrays.asList(cipherSuites));
checkNotStarted();
_excludeCipherSuites.clear();
_excludeCipherSuites.addAll(Arrays.asList(cipherSuites));
}
/* ------------------------------------------------------------ */
/**
* @param cipher Cipher names to add to {@link SSLEngine#setEnabledCipherSuites(String[])}
*/
public void addExcludeCipherSuites(String... cipher)
{
checkNotStarted();
_excludeCipherSuites.addAll(Arrays.asList(cipher));
}
/* ------------------------------------------------------------ */
@ -262,9 +392,9 @@ public class SslContextFactory extends AbstractLifeCycle
* The array of cipher suite names to include in
* {@link SSLEngine#setEnabledCipherSuites(String[])}
*/
public void setIncludeCipherSuites(String[] cipherSuites)
public void setIncludeCipherSuites(String... cipherSuites)
{
checkStarted();
checkNotStarted();
_includeCipherSuites = new HashSet<String>(Arrays.asList(cipherSuites));
}
@ -285,7 +415,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setKeyStore(String keyStorePath)
{
checkStarted();
checkNotStarted();
_keyStorePath = keyStorePath;
}
@ -306,7 +436,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setKeyStoreProvider(String keyStoreProvider)
{
checkStarted();
checkNotStarted();
_keyStoreProvider = keyStoreProvider;
}
@ -327,7 +457,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setKeyStoreType(String keyStoreType)
{
checkStarted();
checkNotStarted();
_keyStoreType = keyStoreType;
}
@ -341,7 +471,7 @@ public class SslContextFactory extends AbstractLifeCycle
@Deprecated
public InputStream getKeyStoreInputStream()
{
checkConfig();
checkKeyStore();
return _keyStoreInputStream;
}
@ -355,7 +485,7 @@ public class SslContextFactory extends AbstractLifeCycle
@Deprecated
public void setKeyStoreInputStream(InputStream keyStoreInputStream)
{
checkStarted();
checkNotStarted();
_keyStoreInputStream = keyStoreInputStream;
}
@ -376,7 +506,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setCertAlias(String certAlias)
{
checkStarted();
checkNotStarted();
_certAlias = certAlias;
}
@ -397,7 +527,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setTrustStore(String trustStorePath)
{
checkStarted();
checkNotStarted();
_trustStorePath = trustStorePath;
}
@ -418,7 +548,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setTrustStoreProvider(String trustStoreProvider)
{
checkStarted();
checkNotStarted();
_trustStoreProvider = trustStoreProvider;
}
@ -439,7 +569,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setTrustStoreType(String trustStoreType)
{
checkStarted();
checkNotStarted();
_trustStoreType = trustStoreType;
}
@ -453,7 +583,7 @@ public class SslContextFactory extends AbstractLifeCycle
@Deprecated
public InputStream getTrustStoreInputStream()
{
checkConfig();
checkKeyStore();
return _trustStoreInputStream;
}
@ -467,7 +597,7 @@ public class SslContextFactory extends AbstractLifeCycle
@Deprecated
public void setTrustStoreInputStream(InputStream trustStoreInputStream)
{
checkStarted();
checkNotStarted();
_trustStoreInputStream = trustStoreInputStream;
}
@ -490,7 +620,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setNeedClientAuth(boolean needClientAuth)
{
checkStarted();
checkNotStarted();
_needClientAuth = needClientAuth;
}
@ -513,7 +643,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setWantClientAuth(boolean wantClientAuth)
{
checkStarted();
checkNotStarted();
_wantClientAuth = wantClientAuth;
}
@ -545,7 +675,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setValidateCerts(boolean validateCerts)
{
checkStarted();
checkNotStarted();
_validateCerts = validateCerts;
}
@ -566,7 +696,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setValidatePeerCerts(boolean validatePeerCerts)
{
checkStarted();
checkNotStarted();
_validatePeerCerts = validatePeerCerts;
}
@ -593,7 +723,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setAllowRenegotiate(boolean allowRenegotiate)
{
checkStarted();
checkNotStarted();
_allowRenegotiate = allowRenegotiate;
}
@ -605,7 +735,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setKeyStorePassword(String password)
{
checkStarted();
checkNotStarted();
_keyStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
}
@ -617,7 +747,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setKeyManagerPassword(String password)
{
checkStarted();
checkNotStarted();
_keyManagerPassword = Password.getPassword(KEYPASSWORD_PROPERTY,password,null);
}
@ -629,7 +759,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setTrustStorePassword(String password)
{
checkStarted();
checkNotStarted();
_trustStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
}
@ -652,7 +782,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setProvider(String provider)
{
checkStarted();
checkNotStarted();
_sslProvider = provider;
}
@ -675,7 +805,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setProtocol(String protocol)
{
checkStarted();
checkNotStarted();
_sslProtocol = protocol;
}
@ -700,7 +830,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setSecureRandomAlgorithm(String algorithm)
{
checkStarted();
checkNotStarted();
_secureRandomAlgorithm = algorithm;
}
@ -721,7 +851,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setSslKeyManagerFactoryAlgorithm(String algorithm)
{
checkStarted();
checkNotStarted();
_keyManagerFactoryAlgorithm = algorithm;
}
@ -742,7 +872,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setTrustManagerFactoryAlgorithm(String algorithm)
{
checkStarted();
checkNotStarted();
_trustManagerFactoryAlgorithm = algorithm;
}
@ -763,7 +893,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setCrlPath(String crlPath)
{
checkStarted();
checkNotStarted();
_crlPath = crlPath;
}
@ -786,7 +916,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setMaxCertPathLength(int maxCertPathLength)
{
checkStarted();
checkNotStarted();
_maxCertPathLength = maxCertPathLength;
}
@ -797,6 +927,8 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public SSLContext getSslContext()
{
if (!isStarted())
throw new IllegalStateException(getState());
return _context;
}
@ -807,60 +939,11 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setSslContext(SSLContext sslContext)
{
checkStarted();
checkNotStarted();
_context = sslContext;
}
/* ------------------------------------------------------------ */
/**
* @throws Exception
*/
protected void createSSLContext() throws Exception
{
// verify that keystore and truststore
// parameters are set up correctly
checkConfig();
KeyStore keyStore = loadKeyStore();
KeyStore trustStore = loadTrustStore();
Collection<? extends CRL> crls = loadCRL(_crlPath);
if (_validateCerts && keyStore != null)
{
if (_certAlias == null)
{
List<String> aliases = Collections.list(keyStore.aliases());
_certAlias = aliases.size() == 1 ? aliases.get(0) : null;
}
Certificate cert = _certAlias == null?null:keyStore.getCertificate(_certAlias);
if (cert == null)
{
throw new Exception("No certificate found in the keystore" + (_certAlias==null ? "":" for alias " + _certAlias));
}
CertificateValidator validator = new CertificateValidator(trustStore, crls);
validator.setMaxCertPathLength(_maxCertPathLength);
validator.setEnableCRLDP(_enableCRLDP);
validator.setEnableOCSP(_enableOCSP);
validator.setOcspResponderURL(_ocspResponderURL);
validator.validate(keyStore, cert);
}
KeyManager[] keyManagers = getKeyManagers(keyStore);
TrustManager[] trustManagers = getTrustManagers(trustStore,crls);
SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm);
_context = (_sslProvider == null)?SSLContext.getInstance(_sslProtocol):SSLContext.getInstance(_sslProtocol,_sslProvider);
_context.init(keyManagers,trustManagers,secureRandom);
SSLSessionContext sslSessionContext = _context.getServerSessionContext();
sslSessionContext.setSessionCacheSize(_sslSessionCacheSize);
sslSessionContext.setSessionTimeout(_sslSessionTimeout);
}
/* ------------------------------------------------------------ */
/**
* Override this method to provide alternate way to load a keystore.
@ -1014,33 +1097,27 @@ public class SslContextFactory extends AbstractLifeCycle
/* ------------------------------------------------------------ */
/**
* Check configuration. Ensures that if keystore has been
* Check KetyStore Configuration. Ensures that if keystore has been
* configured but there's no truststore, that keystore is
* used as truststore.
* @return true SslContextFactory configuration can be used in server connector.
* @throws IllegalStateException if SslContextFactory configuration can't be used.
*/
public boolean checkConfig()
public void checkKeyStore()
{
boolean check = true;
if (_keyStore == null && _keyStoreInputStream == null && _keyStorePath == null)
throw new IllegalStateException("SSL doesn't have a valid keystore");
// if the keystore has been configured but there is no
// truststore configured, use the keystore as the truststore
if (_trustStore == null && _trustStoreInputStream == null && _trustStorePath == null)
{
// configuration doesn't have a valid keystore
check = false;
}
else
{
// if the keystore has been configured but there is no
// truststore configured, use the keystore as the truststore
if (_trustStore == null && _trustStoreInputStream == null && _trustStorePath == null)
{
_trustStore = _keyStore;
_trustStorePath = _keyStorePath;
_trustStoreInputStream = _keyStoreInputStream;
_trustStoreType = _keyStoreType;
_trustStoreProvider = _keyStoreProvider;
_trustStorePassword = _keyStorePassword;
_trustManagerFactoryAlgorithm = _keyManagerFactoryAlgorithm;
}
_trustStore = _keyStore;
_trustStorePath = _keyStorePath;
_trustStoreInputStream = _keyStoreInputStream;
_trustStoreType = _keyStoreType;
_trustStoreProvider = _keyStoreProvider;
_trustStorePassword = _keyStorePassword;
_trustManagerFactoryAlgorithm = _keyManagerFactoryAlgorithm;
}
// It's the same stream we cannot read it twice, so read it once in memory
@ -1057,11 +1134,9 @@ public class SslContextFactory extends AbstractLifeCycle
}
catch (Exception ex)
{
throw new RuntimeException(ex);
throw new IllegalStateException(ex);
}
}
return check;
}
/* ------------------------------------------------------------ */
@ -1073,57 +1148,68 @@ public class SslContextFactory extends AbstractLifeCycle
* @param supportedCipherSuites Array of supported cipher suites
* @return Array of cipher suites to enable
*/
public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
public String[] selectProtocols(String[] enabledProtocols, String[] supportedProtocols)
{
Set<String> selectedCipherSuites = null;
if (enabledCipherSuites != null)
Set<String> selected_protocols = new HashSet<String>();
// Set the starting protocols - either from the included or enabled list
if (_includeProtocols!=null)
{
selectedCipherSuites = new HashSet<String>(Arrays.asList(enabledCipherSuites));
// Use only the supported included protocols
for (String protocol : supportedProtocols)
if (_includeProtocols.contains(protocol))
selected_protocols.add(protocol);
}
else
selected_protocols.addAll(Arrays.asList(enabledProtocols));
// Remove any excluded protocols
if (_excludeProtocols != null)
selected_protocols.removeAll(_excludeProtocols);
return selected_protocols.toArray(new String[selected_protocols.size()]);
}
/* ------------------------------------------------------------ */
/**
* Select cipher suites to be used by the connector
* based on configured inclusion and exclusion lists
* as well as enabled and supported cipher suite lists.
* @param enabledCipherSuites Array of enabled cipher suites
* @param supportedCipherSuites Array of supported cipher suites
* @return Array of cipher suites to enable
*/
public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
{
Set<String> selected_ciphers = new HashSet<String>();
// Set the starting ciphers - either from the included or enabled list
if (_includeCipherSuites!=null)
{
selectedCipherSuites = new HashSet<String>();
// Use only the supported included ciphers
for (String cipherSuite : supportedCipherSuites)
if (_includeCipherSuites.contains(cipherSuite))
selected_ciphers.add(cipherSuite);
}
if ((supportedCipherSuites != null && supportedCipherSuites.length > 0) &&
(_includeCipherSuites != null && _includeCipherSuites.size() > 0))
{
Set<String> supportedCSList = new HashSet<String>(Arrays.asList(supportedCipherSuites));
for (String cipherName : _includeCipherSuites)
{
if ((!selectedCipherSuites.contains(cipherName)) &&
supportedCSList.contains(cipherName))
{
selectedCipherSuites.add(cipherName);
}
}
}
if (_excludeCipherSuites != null && _excludeCipherSuites.size() > 0)
{
for (String cipherName : _excludeCipherSuites)
{
if (selectedCipherSuites.contains(cipherName))
{
selectedCipherSuites.remove(cipherName);
}
}
}
return selectedCipherSuites.toArray(new String[selectedCipherSuites.size()]);
else
selected_ciphers.addAll(Arrays.asList(enabledCipherSuites));
// Remove any excluded ciphers
if (_excludeCipherSuites != null)
selected_ciphers.removeAll(_excludeCipherSuites);
return selected_ciphers.toArray(new String[selected_ciphers.size()]);
}
/* ------------------------------------------------------------ */
/**
* Check if the lifecycle has been started and throw runtime exception
*/
protected void checkStarted()
protected void checkNotStarted()
{
if (isStarted())
{
throw new IllegalStateException("Cannot modify configuration after SslContextFactory was started");
}
throw new IllegalStateException("Cannot modify configuration when "+getState());
}
/* ------------------------------------------------------------ */
@ -1141,7 +1227,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setEnableCRLDP(boolean enableCRLDP)
{
checkStarted();
checkNotStarted();
_enableCRLDP = enableCRLDP;
}
@ -1161,7 +1247,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setEnableOCSP(boolean enableOCSP)
{
checkStarted();
checkNotStarted();
_enableOCSP = enableOCSP;
}
@ -1181,7 +1267,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setOcspResponderURL(String ocspResponderURL)
{
checkStarted();
checkNotStarted();
_ocspResponderURL = ocspResponderURL;
}
@ -1192,7 +1278,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setKeyStore(KeyStore keyStore)
{
checkStarted();
checkNotStarted();
_keyStore = keyStore;
}
@ -1203,7 +1289,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setTrustStore(KeyStore trustStore)
{
checkStarted();
checkNotStarted();
_trustStore = trustStore;
}
@ -1214,7 +1300,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setKeyStoreResource(Resource resource)
{
checkStarted();
checkNotStarted();
try
{
@ -1233,7 +1319,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public void setTrustStore(Resource resource)
{
checkStarted();
checkNotStarted();
try
{
@ -1299,4 +1385,83 @@ public class SslContextFactory extends AbstractLifeCycle
{
_sslSessionTimeout = sslSessionTimeout;
}
/* ------------------------------------------------------------ */
public SSLServerSocket newSslServerSocket(String host,int port,int backlog) throws IOException
{
SSLServerSocketFactory factory = _context.getServerSocketFactory();
SSLServerSocket socket =
(SSLServerSocket) (host==null ?
factory.createServerSocket(port,backlog):
factory.createServerSocket(port,backlog,InetAddress.getByName(host)));
if (getWantClientAuth())
socket.setWantClientAuth(getWantClientAuth());
if (getNeedClientAuth())
socket.setNeedClientAuth(getNeedClientAuth());
socket.setEnabledCipherSuites(selectCipherSuites(
socket.getEnabledCipherSuites(),
socket.getSupportedCipherSuites()));
socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols()));
return socket;
}
/* ------------------------------------------------------------ */
public SSLSocket newSslSocket() throws IOException
{
SSLSocketFactory factory = _context.getSocketFactory();
SSLSocket socket = (SSLSocket)factory.createSocket();
if (getWantClientAuth())
socket.setWantClientAuth(getWantClientAuth());
if (getNeedClientAuth())
socket.setNeedClientAuth(getNeedClientAuth());
socket.setEnabledCipherSuites(selectCipherSuites(
socket.getEnabledCipherSuites(),
socket.getSupportedCipherSuites()));
socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols()));
return socket;
}
/* ------------------------------------------------------------ */
public SSLEngine newSslEngine(String host,int port)
{
SSLEngine sslEngine=isSessionCachingEnabled()
?_context.createSSLEngine(host, port)
:_context.createSSLEngine();
customize(sslEngine);
return sslEngine;
}
/* ------------------------------------------------------------ */
public SSLEngine newSslEngine()
{
SSLEngine sslEngine=_context.createSSLEngine();
customize(sslEngine);
return sslEngine;
}
/* ------------------------------------------------------------ */
public void customize(SSLEngine sslEngine)
{
if (getWantClientAuth())
sslEngine.setWantClientAuth(getWantClientAuth());
if (getNeedClientAuth())
sslEngine.setNeedClientAuth(getNeedClientAuth());
sslEngine.setEnabledCipherSuites(selectCipherSuites(
sslEngine.getEnabledCipherSuites(),
sslEngine.getSupportedCipherSuites()));
sslEngine.setEnabledProtocols(selectProtocols(sslEngine.getEnabledProtocols(),sslEngine.getSupportedProtocols()));
}
}
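Review bot: The inlined replacement for `createSSLContext()` in `doStart()` (hunk @ -218,11 +234,115) no longer applies the configured session cache settings: the removed body ended with `SSLSessionContext sslSessionContext = _context.getServerSessionContext(); sslSessionContext.setSessionCacheSize(_sslSessionCacheSize); sslSessionContext.setSessionTimeout(_sslSessionTimeout);` and nothing in the new code does this, so unless it is applied elsewhere in the file the `setSslSessionCacheSize`/`setSslSessionTimeout` setters silently become no-ops — restore those three lines after `_context.init(keyManagers,trustManagers,secureRandom);`. In the same hunk `getIncludeProtocols()` dereferences `_includeProtocols`, which is initialised to `null` and only assigned by `setIncludeProtocols`, so it throws NullPointerException for every factory that uses the default; guard it, e.g. `return _includeProtocols == null ? new String[0] : _includeProtocols.toArray(new String[_includeProtocols.size()]);`. The import `org.junit.experimental.categories.Categories.IncludeCategory` added in the import hunk appears unused and pulls a test library into a production class in jetty-util; drop it. The new `newSslServerSocket`, `newSslSocket` and both `newSslEngine` methods read `_context` directly without the `isStarted()` check that `getSslContext()` now has, so a caller that forgets to start the factory gets a NullPointerException instead of the descriptive IllegalStateException; a shared guard at the top of each would keep the behaviour consistent. Finally, the Javadoc tags `@param Protocols` (on both `setExcludeProtocols` and `setIncludeProtocols`) do not match the parameter name `protocols`, and the `@param protocol`/`@param cipher` tags on `addExcludeProtocols`/`addExcludeCipherSuites` say "to add to" the enabled set when the names are in fact excluded from it.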


@ -16,6 +16,8 @@ package org.eclipse.jetty.server.ssl;
import java.io.IOException;
import java.nio.channels.SelectionKey;
import java.nio.channels.SocketChannel;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
@ -36,7 +38,6 @@ import org.eclipse.jetty.io.nio.SslSelectChannelEndPoint;
import org.eclipse.jetty.server.HttpConnection;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.nio.SelectChannelConnector;
import org.eclipse.jetty.util.log.Log;
/* ------------------------------------------------------------ */
/**
@ -97,7 +98,9 @@ public class SslSelectChannelConnector extends SelectChannelConnector implements
SslSelectChannelEndPoint sslHttpChannelEndpoint=(SslSelectChannelEndPoint)endpoint;
SSLEngine sslEngine=sslHttpChannelEndpoint.getSSLEngine();
SSLSession sslSession=sslEngine.getSession();
System.err.println(sslSession.getProtocol());
SslCertificates.customize(sslSession,endpoint,request);
}
@ -565,33 +568,19 @@ public class SslSelectChannelConnector extends SelectChannelConnector implements
protected SSLEngine createSSLEngine(SocketChannel channel) throws IOException
{
SSLEngine engine;
if (channel != null && _sslContextFactory.isSessionCachingEnabled())
if (channel != null)
{
String peerHost = channel.socket().getInetAddress().getHostAddress();
int peerPort = channel.socket().getPort();
engine = _sslContextFactory.getSslContext().createSSLEngine(peerHost, peerPort);
engine = _sslContextFactory.newSslEngine(peerHost, peerPort);
}
else
{
engine = _sslContextFactory.getSslContext().createSSLEngine();
engine = _sslContextFactory.newSslEngine();
}
customizeEngine(engine);
return engine;
}
/* ------------------------------------------------------------ */
private void customizeEngine(SSLEngine engine)
{
engine.setUseClientMode(false);
if (_sslContextFactory.getWantClientAuth())
engine.setWantClientAuth(_sslContextFactory.getWantClientAuth());
if (_sslContextFactory.getNeedClientAuth())
engine.setNeedClientAuth(_sslContextFactory.getNeedClientAuth());
engine.setEnabledCipherSuites(
_sslContextFactory.selectCipherSuites(engine.getEnabledCipherSuites(),
engine.getSupportedCipherSuites()));
return engine;
}
/* ------------------------------------------------------------ */
@ -601,22 +590,13 @@ public class SslSelectChannelConnector extends SelectChannelConnector implements
@Override
protected void doStart() throws Exception
{
if (!_sslContextFactory.checkConfig())
{
throw new IllegalStateException("SSL context is not configured correctly.");
}
_sslContextFactory.checkKeyStore();
_sslContextFactory.start();
SSLEngine sslEngine = _sslContextFactory.getSslContext().createSSLEngine();
SSLEngine sslEngine = _sslContextFactory.newSslEngine();
sslEngine.setUseClientMode(false);
sslEngine.setWantClientAuth(_sslContextFactory.getWantClientAuth());
sslEngine.setNeedClientAuth(_sslContextFactory.getNeedClientAuth());
sslEngine.setEnabledCipherSuites(_sslContextFactory.selectCipherSuites(
sslEngine.getEnabledCipherSuites(),
sslEngine.getSupportedCipherSuites()));
SSLSession sslSession = sslEngine.getSession();
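Review bot: The new `createSSLEngine` (hunk @ -565,33 +568,19) returns the engine straight from `_sslContextFactory.newSslEngine(...)`, but the removed `customizeEngine` also called `engine.setUseClientMode(false);` and the factory's `customize()` visible in this commit does not set the mode, so engines created for accepted connections no longer get server mode unless the endpoint sets it elsewhere; in the JDK implementation a handshake on an engine whose mode was never set is rejected with an IllegalStateException, so add `engine.setUseClientMode(false);` before `return engine;`. The `doStart()` hunk still sets it on its throw-away engine, which means a start-up smoke check would not reveal the omission. Separately, `System.err.println(sslSession.getProtocol());` in the first hunk looks like leftover debugging inside the per-request `customize` path and writes to stderr on every secure request; remove it. The surrounding methods start outside their hunks.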


@ -335,11 +335,7 @@ public class SslSocketConnector extends SocketConnector implements SslConnector
@Override
public void open() throws IOException
{
if (!_sslContextFactory.checkConfig())
{
throw new IllegalStateException("SSL context is not configured correctly.");
}
_sslContextFactory.checkKeyStore();
try
{
_sslContextFactory.start();
@ -358,11 +354,7 @@ public class SslSocketConnector extends SocketConnector implements SslConnector
@Override
protected void doStart() throws Exception
{
if (!_sslContextFactory.checkConfig())
{
throw new IllegalStateException("SSL context is not configured correctly.");
}
_sslContextFactory.checkKeyStore();
_sslContextFactory.start();
super.doStart();
@ -394,22 +386,7 @@ public class SslSocketConnector extends SocketConnector implements SslConnector
@Override
protected ServerSocket newServerSocket(String host, int port,int backlog) throws IOException
{
SSLServerSocketFactory factory = _sslContextFactory.getSslContext().getServerSocketFactory();
SSLServerSocket socket =
(SSLServerSocket) (host==null ?
factory.createServerSocket(port,backlog):
factory.createServerSocket(port,backlog,InetAddress.getByName(host)));
if (_sslContextFactory.getWantClientAuth())
socket.setWantClientAuth(_sslContextFactory.getWantClientAuth());
if (_sslContextFactory.getNeedClientAuth())
socket.setNeedClientAuth(_sslContextFactory.getNeedClientAuth());
socket.setEnabledCipherSuites(_sslContextFactory.selectCipherSuites(
socket.getEnabledCipherSuites(),
socket.getSupportedCipherSuites()));
return socket;
return _sslContextFactory.newSslServerSocket(host,port,backlog);
}
/* ------------------------------------------------------------ */
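Review bot: Removing the `checkConfig()`/`checkKeyStore()` guard from both `open()` and `doStart()` means SslSocketConnector no longer fails fast before `_sslContextFactory.start()`, and the hunk does not show whether `start()` now performs that validation and throws on an unusable keystore; if it does not, a misconfigured connector would only fail later, after its socket has been created. If the checks were moved into the factory, a one-line comment above `_sslContextFactory.start();` such as `// keystore and config validation is performed by SslContextFactory.start()` would make that contract visible at the call site. `newServerSocket` now delegates entirely to `_sslContextFactory.newSslServerSocket(host,port,backlog)`; the previous body only called `setWantClientAuth`/`setNeedClientAuth` when the flag was true and applied `selectCipherSuites` to the socket, so the factory method should be checked to preserve both, alongside the new include/exclude protocol handling this commit introduces. The enclosing class continues outside the hunks shown.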


@ -425,7 +425,7 @@ public abstract class HttpServerTestBase extends HttpServerTestFixture
while(len>=0)
{
Thread.sleep(500);
Thread.sleep(100);
len=is.read(buf);
if (len>0)
total+=len;


@ -133,7 +133,7 @@ public class SSLEngineTest
@Test
public void testBigResponse() throws Exception
{
SSLContext ctx=SSLContext.getInstance("SSLv3");
SSLContext ctx=SSLContext.getInstance("TLS");
ctx.init(null,s_dummyTrustManagers,new java.security.SecureRandom());
int port=connector.getLocalPort();
@ -367,4 +367,5 @@ public class SSLEngineTest
response.flushBuffer();
}
}
}


@ -60,14 +60,14 @@ public class SslSelectChannelServerTest extends HttpServerTestBase
keystore.load(new FileInputStream(connector.getKeystore()), "storepwd".toCharArray());
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keystore);
__sslContext = SSLContext.getInstance("SSL");
__sslContext = SSLContext.getInstance("TLS");
__sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
try
{
HttpsURLConnection.setDefaultHostnameVerifier(__hostnameverifier);
SSLContext sc = SSLContext.getInstance("SSL");
SSLContext sc = SSLContext.getInstance("TLS");
sc.init(null, __trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
}


@ -15,8 +15,10 @@ package org.eclipse.jetty.server.ssl;
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import org.eclipse.jetty.http.ssl.SslContextFactory;
@ -37,7 +39,9 @@ public class SslSocketServerTest extends HttpServerTestBase
@Override
protected Socket newSocket(String host, int port) throws Exception
{
return __sslContext.getSocketFactory().createSocket(host,port);
SSLSocket socket = (SSLSocket)__sslContext.getSocketFactory().createSocket(host,port);
socket.setEnabledProtocols(new String[] {"TLSv1"});
return socket;
}
@ -59,7 +63,7 @@ public class SslSocketServerTest extends HttpServerTestBase
keystore.load(new FileInputStream(connector.getKeystore()), "storepwd".toCharArray());
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keystore);
__sslContext = SSLContext.getInstance("SSL");
__sslContext = SSLContext.getInstance("TLSv1");
__sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
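Review bot: `import java.util.Arrays;` is added at the top of SslSocketServerTest but nothing in the visible hunks uses it; if the rest of the file does not either, drop it to avoid an unused-import warning. The client-side pin in `newSocket`, `socket.setEnabledProtocols(new String[] {"TLSv1"});`, is repeated verbatim in SslSocketTimeoutTest and HttpsSocketImpl without explanation; a comment such as `// pin the client to TLSv1 so the handshake does not depend on the JVM's default protocol selection` (or a shared constant) would record why default negotiation is bypassed, presumably to make the new include/exclude protocol behaviour deterministic under test. SslSelectChannelServerTest and SSLEngineTest meanwhile switch to the generic `"TLS"` context with no pin, so the test suite is now inconsistent about whether the protocol is fixed; one convention across the tests would be clearer. The HttpsSocketImpl section continues past the end of this view.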


@ -18,6 +18,7 @@ import java.net.Socket;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import org.eclipse.jetty.http.ssl.SslContextFactory;
@ -26,12 +27,14 @@ import org.junit.BeforeClass;
public class SslSocketTimeoutTest extends ConnectorTimeoutTest
{
static SSLContext _sslContext;
static SSLContext __sslContext;
@Override
protected Socket newSocket(String host, int port) throws Exception
{
return _sslContext.getSocketFactory().createSocket(host,port);
SSLSocket socket = (SSLSocket)__sslContext.getSocketFactory().createSocket(host,port);
socket.setEnabledProtocols(new String[] {"TLSv1"});
return socket;
}
@BeforeClass
@ -53,8 +56,8 @@ public class SslSocketTimeoutTest extends ConnectorTimeoutTest
keystore.load(new FileInputStream(connector.getKeystore()), "storepwd".toCharArray());
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keystore);
_sslContext = SSLContext.getInstance("SSL");
_sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
__sslContext = SSLContext.getInstance("TLSv1");
__sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
}


@ -25,6 +25,7 @@ import java.net.SocketAddress;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
@ -78,7 +79,7 @@ public class HttpsSocketImpl implements HttpSocket
try
{
// TODO real trust manager
this.sslContext = SSLContext.getInstance("SSL");
this.sslContext = SSLContext.getInstance("TLS");
sslContext.init(null,trustAllCerts,new java.security.SecureRandom());
}
catch (Exception e)
@ -87,11 +88,13 @@ public class HttpsSocketImpl implements HttpSocket
}
sslfactory = sslContext.getSocketFactory();
}
public Socket connect(InetAddress host, int port) throws IOException
{
Socket sslsock = sslfactory.createSocket();
SSLSocket sslsock = (SSLSocket)sslfactory.createSocket();
sslsock.setEnabledProtocols(new String[] {"TLSv1"});
SocketAddress address = new InetSocketAddress(host,port);
sslsock.connect(address);
return sslsock;