370137 - SslContextFactory does not respect order for [included|excluded]Protocols() and [included|excluded]CipherSuites().
parent
cacc5aefa2
commit
ebae11da68
|
@ -35,7 +35,7 @@ import java.security.cert.X509CertSelector;
|
|||
import java.util.Arrays;
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.HashSet;
|
||||
import java.util.LinkedHashSet;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import javax.net.ssl.CertPathTrustManagerParameters;
|
||||
|
@ -86,7 +86,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
{
|
||||
}
|
||||
}};
|
||||
|
||||
|
||||
private static final Logger LOG = Log.getLogger(SslContextFactory.class);
|
||||
|
||||
public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM =
|
||||
|
@ -107,13 +107,12 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password";
|
||||
|
||||
/** Excluded protocols. */
|
||||
private final Set<String> _excludeProtocols = new HashSet<String>();
|
||||
// private final Set<String> _excludeProtocols = new HashSet<String>(Collections.singleton("SSLv2Hello"));
|
||||
private final Set<String> _excludeProtocols = new LinkedHashSet<String>();
|
||||
/** Included protocols. */
|
||||
private Set<String> _includeProtocols = null;
|
||||
|
||||
/** Excluded cipher suites. */
|
||||
private final Set<String> _excludeCipherSuites = new HashSet<String>();
|
||||
private final Set<String> _excludeCipherSuites = new LinkedHashSet<String>();
|
||||
/** Included cipher suites. */
|
||||
private Set<String> _includeCipherSuites = null;
|
||||
|
||||
|
@ -210,6 +209,8 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
/**
|
||||
* Construct an instance of SslContextFactory
|
||||
* Default constructor for use in XmlConfiguration files
|
||||
* @param trustAll whether to blindly trust all certificates
|
||||
* @see #setTrustAll(boolean)
|
||||
*/
|
||||
public SslContextFactory(boolean trustAll)
|
||||
{
|
||||
|
@ -313,7 +314,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* @param Protocols
|
||||
* @param protocols
|
||||
* The array of protocol names to exclude from
|
||||
* {@link SSLEngine#setEnabledProtocols(String[])}
|
||||
*/
|
||||
|
@ -347,7 +348,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* @param Protocols
|
||||
* @param protocols
|
||||
* The array of protocol names to include in
|
||||
* {@link SSLEngine#setEnabledProtocols(String[])}
|
||||
*/
|
||||
|
@ -355,7 +356,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
{
|
||||
checkNotStarted();
|
||||
|
||||
_includeProtocols = new HashSet<String>(Arrays.asList(protocols));
|
||||
_includeProtocols = new LinkedHashSet<String>(Arrays.asList(protocols));
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
|
@ -411,7 +412,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
{
|
||||
checkNotStarted();
|
||||
|
||||
_includeCipherSuites = new HashSet<String>(Arrays.asList(cipherSuites));
|
||||
_includeCipherSuites = new LinkedHashSet<String>(Arrays.asList(cipherSuites));
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
|
@ -444,7 +445,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* @param keyStorePath
|
||||
* @param keyStorePath the file system path or URL of the keystore
|
||||
* @deprecated Use {@link #setKeyStorePath(String)}
|
||||
*/
|
||||
@Deprecated
|
||||
|
@ -1003,7 +1004,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
* Override this method to provide alternate way to load a keystore.
|
||||
*
|
||||
* @return the key store instance
|
||||
* @throws Exception
|
||||
* @throws Exception if the keystore cannot be loaded
|
||||
*/
|
||||
protected KeyStore loadKeyStore() throws Exception
|
||||
{
|
||||
|
@ -1017,7 +1018,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
* Override this method to provide alternate way to load a truststore.
|
||||
*
|
||||
* @return the key store instance
|
||||
* @throws Exception
|
||||
* @throws Exception if the truststore cannot be loaded
|
||||
*/
|
||||
protected KeyStore loadTrustStore() throws Exception
|
||||
{
|
||||
|
@ -1040,7 +1041,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
* @param storeProvider keystore provider
|
||||
* @param storePassword keystore password
|
||||
* @return created keystore
|
||||
* @throws Exception
|
||||
* @throws Exception if the keystore cannot be obtained
|
||||
*
|
||||
* @deprecated
|
||||
*/
|
||||
|
@ -1059,7 +1060,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*
|
||||
* @param crlPath path of certificate revocation list file
|
||||
* @return Collection of CRL's
|
||||
* @throws Exception
|
||||
* @throws Exception if the certificate revocation list cannot be loaded
|
||||
*/
|
||||
protected Collection<? extends CRL> loadCRL(String crlPath) throws Exception
|
||||
{
|
||||
|
@ -1199,16 +1200,16 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* Select cipher suites to be used by the connector
|
||||
* Select protocols to be used by the connector
|
||||
* based on configured inclusion and exclusion lists
|
||||
* as well as enabled and supported cipher suite lists.
|
||||
* @param enabledCipherSuites Array of enabled cipher suites
|
||||
* @param supportedCipherSuites Array of supported cipher suites
|
||||
* @return Array of cipher suites to enable
|
||||
* as well as enabled and supported protocols.
|
||||
* @param enabledProtocols Array of enabled protocols
|
||||
* @param supportedProtocols Array of supported protocols
|
||||
* @return Array of protocols to enable
|
||||
*/
|
||||
public String[] selectProtocols(String[] enabledProtocols, String[] supportedProtocols)
|
||||
{
|
||||
Set<String> selected_protocols = new HashSet<String>();
|
||||
Set<String> selected_protocols = new LinkedHashSet<String>();
|
||||
|
||||
// Set the starting protocols - either from the included or enabled list
|
||||
if (_includeProtocols!=null)
|
||||
|
@ -1240,7 +1241,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
|
||||
{
|
||||
Set<String> selected_ciphers = new HashSet<String>();
|
||||
Set<String> selected_ciphers = new LinkedHashSet<String>();
|
||||
|
||||
// Set the starting ciphers - either from the included or enabled list
|
||||
if (_includeCipherSuites!=null)
|
||||
|
|
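Review bot: The Javadoc for the include setter in the `-347` hunk still says only "The array of protocol names to include in `SSLEngine#setEnabledProtocols(String[])`", although the `LinkedHashSet` now built in both include setters makes the caller's array order significant. I would add a line such as `Order is preserved; duplicate names are dropped, keeping the first occurrence.` to the protocol setter and to the cipher-suite setter, whose Javadoc lies outside the `-411` hunk. For cipher suites it is also worth stating that the ordered array only expresses a preference: on a server-side engine JSSE follows the client's order unless `SSLParameters.setUseCipherSuitesOrder(true)` is set (available from Java 8), and nothing visible on this page sets it. `selectProtocols` and `selectCipherSuites` both continue past the end of their hunks, so whether the include order survives the intersection with the supported list and the exclusion step cannot be confirmed from here; a unit test asserting the returned array order would pin that down.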