From 45bbde408faf0a2b1fcd9f847f591c1c312f502c Mon Sep 17 00:00:00 2001
From: Greg Wilkins
Date: Thu, 14 Jul 2016 12:17:52 +1000
Subject: [PATCH 1/2] Fix #708 SslContextFactory: newSslServerSocket/newSslSocket/doStart are not customized
---
 .../jetty/util/ssl/SslContextFactory.java | 59 ++++++++-----------
 1 file changed, 25 insertions(+), 34 deletions(-)
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
index ff7387521e8..1591e7fe34a 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
@@ -400,9 +400,8 @@ public class SslContextFactory extends AbstractLifeCycle
 // select the protocols and ciphers
 SSLEngine sslEngine=context.createSSLEngine();
- selectCipherSuites(
- sslEngine.getEnabledCipherSuites(),
- sslEngine.getSupportedCipherSuites());
+ sslEngine.setSSLParameters(customize(sslEngine.getSSLParameters()));
+ selectCipherSuites(sslEngine.getEnabledCipherSuites(),sslEngine.getSupportedCipherSuites());
 selectProtocols(sslEngine.getEnabledProtocols(),sslEngine.getSupportedProtocols());
 _factory = new Factory(keyStore,trustStore,context);
@@ -1469,20 +1468,11 @@ public class SslContextFactory extends AbstractLifeCycle
 checkIsStarted();
 SSLServerSocketFactory factory = _factory._context.getServerSocketFactory();
-
 SSLServerSocket socket = (SSLServerSocket) (host==null ? factory.createServerSocket(port,backlog): factory.createServerSocket(port,backlog,InetAddress.getByName(host)));
-
- if (getWantClientAuth())
- socket.setWantClientAuth(getWantClientAuth());
- if (getNeedClientAuth())
- socket.setNeedClientAuth(getNeedClientAuth());
-
- socket.setEnabledCipherSuites(_selectedCipherSuites);
- socket.setEnabledProtocols(_selectedProtocols);
-
+ socket.setSSLParameters(customize(socket.getSSLParameters()));
 return socket;
 }
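Review bot: `socket.setSSLParameters(customize(socket.getSSLParameters()))` now applies the factory's full configuration to the server socket — SNI matchers, cipher-suite order and endpoint identification as well as the suites, protocols and client-auth flags the removed lines set — and the Javadoc of `newSslServerSocket` (which starts outside the hunk) should say so, because callers inspecting the returned socket will see settings the old code never touched. It is also worth a one-line comment that `customize` applies `_selectedCipherSuites`/`_selectedProtocols` only when they are non-null, so the preceding `checkIsStarted()` is what guarantees the socket does not silently keep the JDK's default enabled suites and protocols, e.g. `// checkIsStarted() above guarantees the selected suites/protocols are populated; customize() skips them when null`. The same point applies to the `newSslSocket` hunk that follows.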
@@ -1491,17 +1481,8 @@ public class SslContextFactory extends AbstractLifeCycle
 checkIsStarted();
 SSLSocketFactory factory = _factory._context.getSocketFactory();
-
 SSLSocket socket = (SSLSocket)factory.createSocket();
-
- if (getWantClientAuth())
- socket.setWantClientAuth(getWantClientAuth());
- if (getNeedClientAuth())
- socket.setNeedClientAuth(getNeedClientAuth());
-
- socket.setEnabledCipherSuites(_selectedCipherSuites);
- socket.setEnabledProtocols(_selectedProtocols);
-
+ socket.setSSLParameters(customize(socket.getSSLParameters()));
 return socket;
 }
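Review bot: The client socket returned here performs hostname verification only if `_endpointIdentificationAlgorithm` has been configured on this factory, since `customize` passes that field straight to `setEndpointIdentificationAlgorithm` and nothing in the hunk supplies a default; when the field is unset, JSSE does no hostname check of its own, so the socket accepts any certificate the trust store chains to regardless of the host it connects to. That is a security-relevant caveat the Javadoc of `newSslSocket` (which starts outside the hunk) should state, e.g. a sentence that endpoint identification is applied only when configured, with `@see #setEndpointIdentificationAlgorithm(String)`. Note also that `customize` installs `AliasSNIMatcher` on this client-side socket whenever `_certHosts`/`_certWilds` are non-empty; as far as I know the JDK ignores SNI matchers on client sockets, but a short comment would stop a reader from expecting client-side SNI behaviour from it.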
@@ -1568,31 +1549,41 @@ public class SslContextFactory extends AbstractLifeCycle
 return newSSLEngine(hostName, address.getPort());
 }
+ /**
+ * Customize an SslEngine instance with the configuration of this factory,
+ * by calling {@link #customize(SSLParameters)}
+ * @param sslEngine
+ */
 public void customize(SSLEngine sslEngine)
 {
 if (LOG.isDebugEnabled())
 LOG.debug("Customize {}",sslEngine);
- SSLParameters sslParams = sslEngine.getSSLParameters();
+ sslEngine.setSSLParameters(customize(sslEngine.getSSLParameters()));
+ }
+
+ /**
+ * Customize an SslParameters instance with the configuration of this factory.
+ * @param sslParams The parameters to customize
+ * @return The passed instance of sslParams (returned as a convenience)
+ */
+ public SSLParameters customize(SSLParameters sslParams)
+ {
 sslParams.setEndpointIdentificationAlgorithm(_endpointIdentificationAlgorithm);
 sslParams.setUseCipherSuitesOrder(_useCipherSuitesOrder);
 if (!_certHosts.isEmpty() || !_certWilds.isEmpty())
- {
- if (LOG.isDebugEnabled())
- LOG.debug("Enable SNI matching {}",sslEngine);
 sslParams.setSNIMatchers(Collections.singletonList((SNIMatcher)new AliasSNIMatcher()));
- }
- sslParams.setCipherSuites(_selectedCipherSuites);
- sslParams.setProtocols(_selectedProtocols);
-
+ if (_selectedCipherSuites!=null)
+ sslParams.setCipherSuites(_selectedCipherSuites);
+ if (_selectedProtocols!=null)
+ sslParams.setProtocols(_selectedProtocols);
 if (getWantClientAuth())
 sslParams.setWantClientAuth(true);
 if (getNeedClientAuth())
 sslParams.setNeedClientAuth(true);
-
- sslEngine.setSSLParameters(sslParams);
+ return sslParams;
 }
-
+
 public static X509Certificate[] getCertChain(SSLSession sslSession)
 {
 try
From 112244d6ef8d19cd462912be15128c22995177a1 Mon Sep 17 00:00:00 2001
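Review bot: The new public `customize(SSLParameters)` silently leaves the parameters' existing cipher suites and protocols in place when `_selectedCipherSuites` or `_selectedProtocols` is null, i.e. when it is called before `doStart()` has run the selection, and its Javadoc should say so, e.g. `Cipher suites and protocols are applied only once the factory is started; before that the parameters' own values are kept.` The `@param sslEngine` tag on `customize(SSLEngine)` has no description and should read `@param sslEngine The SSLEngine to customize`. The removed `LOG.debug("Enable SNI matching {}",sslEngine)` means SNI matching is now enabled without any trace; if that message was useful for diagnosing SNI problems, `LOG.debug("Enable SNI matching {}",sslParams)` inside the `if` would preserve it. `getCertChain`, at the end of the hunk, continues outside it.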
From: Greg Wilkins
Date: Thu, 14 Jul 2016 13:44:49 +1000
Subject: [PATCH 2/2] Fix #708 SslContextFactory: newSslServerSocket/newSslSocket are not customized
---
 .../main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java | 1 -
 1 file changed, 1 deletion(-)
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
index 1591e7fe34a..316dbd68e1b 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
@@ -400,7 +400,6 @@ public class SslContextFactory extends AbstractLifeCycle
 // select the protocols and ciphers
 SSLEngine sslEngine=context.createSSLEngine();
- sslEngine.setSSLParameters(customize(sslEngine.getSSLParameters()));
 selectCipherSuites(sslEngine.getEnabledCipherSuites(),sslEngine.getSupportedCipherSuites());
 selectProtocols(sslEngine.getEnabledProtocols(),sslEngine.getSupportedProtocols());