You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2014/10/20 20:23:19 UTC
[1/3] git commit: Disallow SSLv3 by default in Jetty
Repository: cxf
Updated Branches:
refs/heads/2.7.x-fixes f3bf72b26 -> 8f3a14035
Disallow SSLv3 by default in Jetty
Conflicts:
rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f8669c61
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f8669c61
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f8669c61
Branch: refs/heads/2.7.x-fixes
Commit: f8669c61cdc93bf60c5fce74f056d0feea9083d0
Parents: f3bf72b
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Oct 20 12:13:25 2014 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Oct 20 18:11:53 2014 +0100
----------------------------------------------------------------------
.../http_jetty/JettyHTTPServerEngine.java | 237 +++++++++++++++++++
.../org/apache/cxf/systest/ws/ssl/SSLTest.java | 142 +++++++++++
.../org/apache/cxf/systest/ws/ssl/Server.java | 47 ++++
.../apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl | 109 +++++++++
.../org/apache/cxf/systest/ws/ssl/client.xml | 34 +++
.../org/apache/cxf/systest/ws/ssl/server.xml | 69 ++++++
6 files changed, 638 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/f8669c61/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
index fbc450e..4583991 100644
--- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
+++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
@@ -468,6 +468,243 @@ public class JettyHTTPServerEngine
++servantCount;
}
+<<<<<<< HEAD
+=======
+ private void addServerMBean() {
+ if (mBeanContainer == null) {
+ return;
+ }
+
+ try {
+ Object o = getContainer(server);
+ o.getClass().getMethod("addEventListener", Container.Listener.class).invoke(o, mBeanContainer);
+ if (Server.getVersion().startsWith("8")) {
+ return;
+ }
+ mBeanContainer.getClass().getMethod("beanAdded", Container.class, Object.class)
+ .invoke(mBeanContainer, null, server);
+ } catch (RuntimeException rex) {
+ throw rex;
+ } catch (Exception r) {
+ throw new RuntimeException(r);
+ }
+ }
+ private void removeServerMBean() {
+ try {
+ mBeanContainer.getClass().getMethod("beanRemoved", Container.class, Object.class)
+ .invoke(mBeanContainer, null, server);
+ } catch (RuntimeException rex) {
+ throw rex;
+ } catch (Exception r) {
+ throw new RuntimeException(r);
+ }
+ }
+
+ private Connector createConnector(String hosto, int porto) {
+ // now we just use the SelectChannelConnector as the default connector
+ SslContextFactory sslcf = null;
+ if (tlsServerParameters != null) {
+ sslcf = new SslContextFactory() {
+ protected void doStart() throws Exception {
+ setSslContext(createSSLContext(this));
+ super.doStart();
+ }
+ public void checkKeyStore() {
+ //we'll handle this later
+ }
+ };
+ decorateCXFJettySslSocketConnector(sslcf);
+ }
+ AbstractConnector result = null;
+ if (!Server.getVersion().startsWith("8")) {
+ result = createConnectorJetty9(sslcf, hosto, porto);
+ } else {
+ result = createConnectorJetty8(sslcf, hosto, porto);
+ }
+
+ try {
+ result.getClass().getMethod("setPort", Integer.TYPE).invoke(result, porto);
+ if (hosto != null) {
+ result.getClass().getMethod("setHost", String.class).invoke(result, hosto);
+ }
+ result.getClass().getMethod("setReuseAddress", Boolean.TYPE).invoke(result, isReuseAddress());
+ } catch (RuntimeException rex) {
+ throw rex;
+ } catch (Exception ex) {
+ throw new RuntimeException(ex);
+ }
+
+ return result;
+ }
+
+ AbstractConnector createConnectorJetty9(SslContextFactory sslcf, String hosto, int porto) {
+ //Jetty 9
+ AbstractConnector result = null;
+ try {
+ Class<?> configClass = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.HttpConfiguration",
+ Server.class);
+ Object httpConfig = configClass.newInstance();
+ httpConfig.getClass().getMethod("setSendServerVersion", Boolean.TYPE)
+ .invoke(httpConfig, getSendServerVersion());
+
+ Object httpFactory = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.HttpConnectionFactory",
+ Server.class)
+ .getConstructor(configClass).newInstance(httpConfig);
+
+ Collection<Object> connectionFactories = new ArrayList<Object>();
+ result = (AbstractConnector)ClassLoaderUtils.loadClass("org.eclipse.jetty.server.ServerConnector",
+ Server.class)
+ .getConstructor(Server.class)
+ .newInstance(server);
+
+ if (tlsServerParameters != null) {
+ Class<?> src = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.SecureRequestCustomizer",
+ Server.class);
+ httpConfig.getClass().getMethod("addCustomizer", src.getInterfaces()[0])
+ .invoke(httpConfig, src.newInstance());
+ Object scf = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.SslConnectionFactory",
+ Server.class).getConstructor(SslContextFactory.class,
+ String.class)
+ .newInstance(sslcf, "HTTP/1.1");
+ connectionFactories.add(scf);
+ result.getClass().getMethod("setDefaultProtocol", String.class).invoke(result, "SSL-HTTP/1.1");
+ }
+ connectionFactories.add(httpFactory);
+ result.getClass().getMethod("setConnectionFactories", Collection.class)
+ .invoke(result, connectionFactories);
+
+ if (getMaxIdleTime() > 0) {
+ result.getClass().getMethod("setIdleTimeout", Long.TYPE).invoke(result, new Long(getMaxIdleTime()));
+ }
+
+ } catch (RuntimeException rex) {
+ throw rex;
+ } catch (Exception ex) {
+ throw new RuntimeException(ex);
+ }
+ return result;
+ }
+ AbstractConnector createConnectorJetty8(SslContextFactory sslcf, String hosto, int porto) {
+ //Jetty 8
+ AbstractConnector result = null;
+ try {
+ if (sslcf == null) {
+ result = (AbstractConnector)ClassLoaderUtils
+ .loadClass("org.eclipse.jetty.server.nio.SelectChannelConnector",
+ Server.class).newInstance();
+ } else {
+ result = (AbstractConnector)ClassLoaderUtils
+ .loadClass("org.eclipse.jetty.server.ssl.SslSelectChannelConnector",
+ Server.class).getConstructor(SslContextFactory.class)
+ .newInstance(sslcf);
+ }
+ Server.class.getMethod("setSendServerVersion", Boolean.TYPE).invoke(server, getSendServerVersion());
+ if (getMaxIdleTime() > 0) {
+ result.getClass().getMethod("setMaxIdleTime", Integer.TYPE).invoke(result, getMaxIdleTime());
+ }
+ } catch (RuntimeException rex) {
+ throw rex;
+ } catch (Exception ex) {
+ throw new RuntimeException(ex);
+ }
+ return result;
+ }
+
+
+ protected SSLContext createSSLContext(SslContextFactory scf) throws Exception {
+ String proto = tlsServerParameters.getSecureSocketProtocol() == null
+ ? "TLS" : tlsServerParameters.getSecureSocketProtocol();
+
+ if (!"SSLv3".equals(proto)) {
+ scf.addExcludeProtocols("SSLv3");
+ }
+
+ SSLContext context = tlsServerParameters.getJsseProvider() == null
+ ? SSLContext.getInstance(proto)
+ : SSLContext.getInstance(proto, tlsServerParameters.getJsseProvider());
+
+ KeyManager keyManagers[] = tlsServerParameters.getKeyManagers();
+ if (tlsServerParameters.getCertAlias() != null) {
+ keyManagers = getKeyManagersWithCertAlias(keyManagers);
+ }
+ context.init(tlsServerParameters.getKeyManagers(),
+ tlsServerParameters.getTrustManagers(),
+ tlsServerParameters.getSecureRandom());
+
+ String[] cs =
+ SSLUtils.getCiphersuites(
+ tlsServerParameters.getCipherSuites(),
+ SSLUtils.getServerSupportedCipherSuites(context),
+ tlsServerParameters.getCipherSuitesFilter(),
+ LOG, true);
+
+ scf.setExcludeCipherSuites(cs);
+ return context;
+ }
+ protected KeyManager[] getKeyManagersWithCertAlias(KeyManager keyManagers[]) throws Exception {
+ if (tlsServerParameters.getCertAlias() != null) {
+ for (int idx = 0; idx < keyManagers.length; idx++) {
+ if (keyManagers[idx] instanceof X509KeyManager) {
+ keyManagers[idx] = new AliasedX509ExtendedKeyManager(
+ tlsServerParameters.getCertAlias(), (X509KeyManager)keyManagers[idx]);
+ }
+ }
+ }
+ return keyManagers;
+ }
+ protected void setClientAuthentication(SslContextFactory con,
+ ClientAuthentication clientAuth) {
+ con.setWantClientAuth(true);
+ if (clientAuth != null) {
+ if (clientAuth.isSetWant()) {
+ con.setWantClientAuth(clientAuth.isWant());
+ }
+ if (clientAuth.isSetRequired()) {
+ con.setNeedClientAuth(clientAuth.isRequired());
+ }
+ }
+ }
+ /**
+ * This method sets the security properties for the CXF extension
+ * of the JettySslConnector.
+ */
+ private void decorateCXFJettySslSocketConnector(
+ SslContextFactory con
+ ) {
+ setClientAuthentication(con,
+ tlsServerParameters.getClientAuthentication());
+ con.setCertAlias(tlsServerParameters.getCertAlias());
+ }
+
+
+ private static Container getContainer(Object server) {
+ if (server instanceof Container) {
+ return (Container)server;
+ }
+ try {
+ return (Container)server.getClass().getMethod("getContainer").invoke(server);
+ } catch (RuntimeException t) {
+ throw t;
+ } catch (Throwable t) {
+ throw new RuntimeException(t);
+ }
+ }
+
+ private static void logConnector(Connector connector) {
+ try {
+ String h = (String)connector.getClass().getMethod("getHost").invoke(connector);
+ int port = (Integer)connector.getClass().getMethod("getPort").invoke(connector);
+ LOG.finer("connector.host: "
+ + h == null
+ ? "null"
+ : "\"" + h + "\"");
+ LOG.finer("connector.port: " + port);
+ } catch (Throwable t) {
+ //ignore
+ }
+ }
+
+>>>>>>> 990f4b1... Disallow SSLv3 by default in Jetty
protected void setupThreadPool() {
AbstractConnector aconn = (AbstractConnector) connector;
if (isSetThreadingParameters()) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/f8669c61/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/SSLTest.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/SSLTest.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/SSLTest.java
new file mode 100644
index 0000000..47c240d
--- /dev/null
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/SSLTest.java
@@ -0,0 +1,142 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.ws.ssl;
+
+import java.io.IOException;
+import java.net.URL;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.TrustManager;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.configuration.jsse.SSLUtils;
+import org.apache.cxf.systest.ws.common.SecurityTestUtil;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.junit.BeforeClass;
+
+/**
+ * A set of tests SSL protocol support.
+ */
+public class SSLTest extends AbstractBusClientServerTestBase {
+ static final String PORT = allocatePort(Server.class);
+ static final String PORT2 = allocatePort(Server.class, 2);
+
+ @BeforeClass
+ public static void startServers() throws Exception {
+ assertTrue(
+ "Server failed to launch",
+ // run the server in the same process
+ // set this to false to fork
+ launchServer(Server.class, true)
+ );
+ }
+
+ public static void cleanup() throws Exception {
+ SecurityTestUtil.cleanup();
+ stopAllServers();
+ }
+
+ @org.junit.Test
+ public void testSSLv3NotAllowed() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = SSLTest.class.getResource("client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ System.setProperty("https.protocols", "SSLv3");
+
+ URL service = new URL("https://localhost:" + PORT);
+ HttpsURLConnection connection = (HttpsURLConnection) service.openConnection();
+
+ connection.setHostnameVerifier(new DisableCNCheckVerifier());
+
+ SSLContext sslContext = SSLContext.getInstance("SSL");
+ URL keystore = SSLTest.class.getResource("../security/Truststore.jks");
+ TrustManager[] trustManagers =
+ SSLUtils.getTrustStoreManagers(false, "jks", keystore.getPath(),
+ "PKIX", LogUtils.getL7dLogger(SSLTest.class));
+ sslContext.init(null, trustManagers, new java.security.SecureRandom());
+
+ connection.setSSLSocketFactory(sslContext.getSocketFactory());
+
+ try {
+ connection.connect();
+ fail("Failure expected on an SSLv3 connection attempt");
+ } catch (IOException ex) {
+ // expected
+ }
+
+ System.clearProperty("https.protocols");
+
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
+ public void testSSLv3Allowed() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = SSLTest.class.getResource("client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ System.setProperty("https.protocols", "SSLv3");
+
+ URL service = new URL("https://localhost:" + PORT2);
+ HttpsURLConnection connection = (HttpsURLConnection) service.openConnection();
+
+ connection.setHostnameVerifier(new DisableCNCheckVerifier());
+
+ SSLContext sslContext = SSLContext.getInstance("SSL");
+ URL keystore = SSLTest.class.getResource("../security/Truststore.jks");
+ TrustManager[] trustManagers =
+ SSLUtils.getTrustStoreManagers(false, "jks", keystore.getPath(),
+ "PKIX", LogUtils.getL7dLogger(SSLTest.class));
+ sslContext.init(null, trustManagers, new java.security.SecureRandom());
+
+ connection.setSSLSocketFactory(sslContext.getSocketFactory());
+
+ connection.connect();
+
+ connection.disconnect();
+
+ System.clearProperty("https.protocols");
+
+ bus.shutdown(true);
+ }
+
+ private static final class DisableCNCheckVerifier implements HostnameVerifier {
+
+ @Override
+ public boolean verify(String arg0, SSLSession arg1) {
+ return true;
+ }
+
+ };
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/f8669c61/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/Server.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/Server.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/Server.java
new file mode 100644
index 0000000..ce169c3
--- /dev/null
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ssl/Server.java
@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.ws.ssl;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class Server extends AbstractBusTestServerBase {
+
+ public Server() {
+
+ }
+
+ protected void run() {
+ URL busFile = Server.class.getResource("server.xml");
+ Bus busLocal = new SpringBusFactory().createBus(busFile);
+ BusFactory.setDefaultBus(busLocal);
+ setBus(busLocal);
+
+ try {
+ new Server();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/f8669c61/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl
new file mode 100644
index 0000000..ed021f4
--- /dev/null
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl
@@ -0,0 +1,109 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<wsdl:definitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://www.example.org/contract/DoubleIt" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsaws="http://www.w3.org/2005/08/addressing" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802" name="DoubleIt" targetNamespace="http://www.example.org/contract/DoubleIt">
+ <wsdl:import location="src/test/resources/DoubleItLogical.wsdl" namespace="http://www.example.org/contract/DoubleIt"/>
+ <wsdl:binding name="DoubleItPlaintextBinding" type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItPlaintextPolicy"/>
+ <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction=""/>
+ <wsdl:input>
+ <soap:body use="literal"/>
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal"/>
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+ </wsdl:output>
+ <wsdl:fault name="DoubleItFault">
+ <soap:body use="literal" name="DoubleItFault"/>
+ </wsdl:fault>
+ </wsdl:operation>
+ </wsdl:binding>
+ <wsdl:service name="DoubleItService">
+ <wsdl:port name="DoubleItPlaintextPort" binding="tns:DoubleItPlaintextBinding">
+ <soap:address location="https://localhost:9009/DoubleItUTPlaintext"/>
+ </wsdl:port>
+ <wsdl:port name="DoubleItPlaintextPort2" binding="tns:DoubleItPlaintextBinding">
+ <soap:address location="https://localhost:9009/DoubleItUTPlaintext2"/>
+ </wsdl:port>
+ </wsdl:service>
+ <wsp:Policy wsu:Id="DoubleItPlaintextPolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:TransportBinding>
+ <wsp:Policy>
+ <sp:TransportToken>
+ <wsp:Policy>
+ <sp:HttpsToken>
+ <wsp:Policy/>
+ </sp:HttpsToken>
+ </wsp:Policy>
+ </sp:TransportToken>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax/>
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp/>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:TransportBinding>
+ <sp:SupportingTokens>
+ <wsp:Policy>
+ <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssUsernameToken10/>
+ </wsp:Policy>
+ </sp:UsernameToken>
+ </wsp:Policy>
+ </sp:SupportingTokens>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:EncryptedParts>
+ <sp:Body/>
+ </sp:EncryptedParts>
+ <sp:SignedParts>
+ <sp:Body/>
+ </sp:SignedParts>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Output_Policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:EncryptedParts>
+ <sp:Body/>
+ </sp:EncryptedParts>
+ <sp:SignedParts>
+ <sp:Body/>
+ </sp:SignedParts>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+</wsdl:definitions>
http://git-wip-us.apache.org/repos/asf/cxf/blob/f8669c61/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/client.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/client.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/client.xml
new file mode 100644
index 0000000..d6bbe97
--- /dev/null
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/client.xml
@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:cxf="http://cxf.apache.org/core" xmlns:p="http://cxf.apache.org/policy" xmlns:sec="http://cxf.apache.org/configuration/security" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/policy http://cxf.apache.org/schemas/poli
cy.xsd">
+ <cxf:bus>
+ <cxf:features>
+ <p:policies/>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus>
+ <http:conduit name="https://localhost:.*">
+ <http:tlsClientParameters disableCNCheck="true">
+ <sec:trustManagers>
+ <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Truststore.jks"/>
+ </sec:trustManagers>
+ </http:tlsClientParameters>
+ </http:conduit>
+</beans>
http://git-wip-us.apache.org/repos/asf/cxf/blob/f8669c61/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/server.xml
new file mode 100644
index 0000000..d1593b9
--- /dev/null
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ssl/server.xml
@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:cxf="http://cxf.apache.org/core" xmlns:p="http://cxf.apache.org/policy" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd http://cxf.apa
che.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd ">
+ <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+ <cxf:bus>
+ <cxf:features>
+ <p:policies/>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus>
+
+ <httpj:engine-factory id="default-tls-settings">
+ <httpj:engine port="${testutil.ports.Server}">
+ <httpj:tlsServerParameters>
+ <sec:keyManagers keyPassword="password">
+ <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Bethal.jks"/>
+ </sec:keyManagers>
+ <sec:trustManagers>
+ <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Truststore.jks"/>
+ </sec:trustManagers>
+ <sec:clientAuthentication want="true" required="false"/>
+ </httpj:tlsServerParameters>
+ </httpj:engine>
+ </httpj:engine-factory>
+
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Plaintext" address="https://localhost:${testutil.ports.Server}/DoubleItUTPlaintext" serviceName="s:DoubleItService" endpointName="s:DoubleItPlaintextPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl" depends-on="default-tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+
+ <httpj:engine-factory id="allow-sslv3-settings">
+ <httpj:engine port="${testutil.ports.Server.2}">
+ <httpj:tlsServerParameters secureSocketProtocol="SSLv3" >
+ <sec:keyManagers keyPassword="password">
+ <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Bethal.jks"/>
+ </sec:keyManagers>
+ <sec:trustManagers>
+ <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Truststore.jks"/>
+ </sec:trustManagers>
+ <sec:clientAuthentication want="true" required="false"/>
+ </httpj:tlsServerParameters>
+ </httpj:engine>
+ </httpj:engine-factory>
+
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Plaintext2" address="https://localhost:${testutil.ports.Server.2}/DoubleItUTPlaintext2" serviceName="s:DoubleItService" endpointName="s:DoubleItPlaintextPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/ssl/DoubleItSSL.wsdl" depends-on="allow-sslv3-settings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+
+</beans>
[3/3] git commit: Recording .gitmergeinfo Changes
Posted by co...@apache.org.
Recording .gitmergeinfo Changes
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/8f3a1403
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/8f3a1403
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/8f3a1403
Branch: refs/heads/2.7.x-fixes
Commit: 8f3a14035bc158934c3472ea401b835e15ae1d4d
Parents: 97173e3
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Oct 20 18:12:01 2014 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Oct 20 18:12:01 2014 +0100
----------------------------------------------------------------------
.gitmergeinfo | 3 +++
1 file changed, 3 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/8f3a1403/.gitmergeinfo
----------------------------------------------------------------------
diff --git a/.gitmergeinfo b/.gitmergeinfo
index e2d13d2..cf97b41 100644
--- a/.gitmergeinfo
+++ b/.gitmergeinfo
@@ -196,6 +196,7 @@ B 1feb5a7811be010c92ae73477d35f1830212cff7
B 201d18540308db1fe993f3cbc97aa0edc10df4de
B 2022ac7179f5d93aa9d90159b2d7bb0bdc8b9025
B 202da725e8e3870d7c215db93f2558750f486910
+B 203b64d1769cb5ce25f68f4200618f6706f16239
B 20657583f395bdc2a3c693a1c0655b6e19fafe28
B 20d61c8c0fafe96e372a97988eaf26f97ba8487e
B 210d24b399a6bc127748e87d8c5b39f168c5cbc3
@@ -682,6 +683,7 @@ B 73caf0ed33e3a57ae700651ee4f89102c7f3e4ee
B 73ea6c5ce6b86e1b28d3eef94c8ba878e4babffa
B 7454e5a34be4e0d8770d917defa6c11c78ca460a
B 74e64bfec6b338d57f19e825c95e42bc636b2993
+B 74ff0a9012f8fab1cbb0dbb8d52a66ccc5602dbf
B 751953cde2e691140bd7d61584ffccc42c2c17c0
B 7521ad685276b02af30a5fa145dbced0b91058fd
B 7524807b1dc58e4052eac67d623835f9eeb2b458
@@ -1275,6 +1277,7 @@ B dda04a0d825d4fff19eda772b0b1d52c6b5978c2
B ddb5a9740861a2242d97ee582f751cde564e324d
B ddb679067e3067baaf6ec268186113bba73b82d5
B dddd440ffd38f735f205eda9b0ffee12b041d4df
+B de32f9e01c8da68e9e66bfbea59fe7c5f4fe81dc
B de4148e857e10ea136b0f1df66a111be949f244c
B de6c14b0368b2a6570b71719a356441413598a33
B de89cfaeee151bdc3b8386f94cf53c1922b66dcd
[2/3] git commit: Fixing merge
Posted by co...@apache.org.
Fixing merge
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/97173e35
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/97173e35
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/97173e35
Branch: refs/heads/2.7.x-fixes
Commit: 97173e3548f7a2c7d77a9628830c57587a4ef252
Parents: f8669c6
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Oct 20 16:45:14 2014 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Oct 20 18:11:58 2014 +0100
----------------------------------------------------------------------
.../http_jetty/JettyHTTPServerEngine.java | 238 +------------------
.../https_jetty/CXFJettySslSocketConnector.java | 4 +
2 files changed, 5 insertions(+), 237 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/97173e35/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
index 4583991..c4b3e8e 100644
--- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
+++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
@@ -468,243 +468,6 @@ public class JettyHTTPServerEngine
++servantCount;
}
-<<<<<<< HEAD
-=======
- private void addServerMBean() {
- if (mBeanContainer == null) {
- return;
- }
-
- try {
- Object o = getContainer(server);
- o.getClass().getMethod("addEventListener", Container.Listener.class).invoke(o, mBeanContainer);
- if (Server.getVersion().startsWith("8")) {
- return;
- }
- mBeanContainer.getClass().getMethod("beanAdded", Container.class, Object.class)
- .invoke(mBeanContainer, null, server);
- } catch (RuntimeException rex) {
- throw rex;
- } catch (Exception r) {
- throw new RuntimeException(r);
- }
- }
- private void removeServerMBean() {
- try {
- mBeanContainer.getClass().getMethod("beanRemoved", Container.class, Object.class)
- .invoke(mBeanContainer, null, server);
- } catch (RuntimeException rex) {
- throw rex;
- } catch (Exception r) {
- throw new RuntimeException(r);
- }
- }
-
- private Connector createConnector(String hosto, int porto) {
- // now we just use the SelectChannelConnector as the default connector
- SslContextFactory sslcf = null;
- if (tlsServerParameters != null) {
- sslcf = new SslContextFactory() {
- protected void doStart() throws Exception {
- setSslContext(createSSLContext(this));
- super.doStart();
- }
- public void checkKeyStore() {
- //we'll handle this later
- }
- };
- decorateCXFJettySslSocketConnector(sslcf);
- }
- AbstractConnector result = null;
- if (!Server.getVersion().startsWith("8")) {
- result = createConnectorJetty9(sslcf, hosto, porto);
- } else {
- result = createConnectorJetty8(sslcf, hosto, porto);
- }
-
- try {
- result.getClass().getMethod("setPort", Integer.TYPE).invoke(result, porto);
- if (hosto != null) {
- result.getClass().getMethod("setHost", String.class).invoke(result, hosto);
- }
- result.getClass().getMethod("setReuseAddress", Boolean.TYPE).invoke(result, isReuseAddress());
- } catch (RuntimeException rex) {
- throw rex;
- } catch (Exception ex) {
- throw new RuntimeException(ex);
- }
-
- return result;
- }
-
- AbstractConnector createConnectorJetty9(SslContextFactory sslcf, String hosto, int porto) {
- //Jetty 9
- AbstractConnector result = null;
- try {
- Class<?> configClass = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.HttpConfiguration",
- Server.class);
- Object httpConfig = configClass.newInstance();
- httpConfig.getClass().getMethod("setSendServerVersion", Boolean.TYPE)
- .invoke(httpConfig, getSendServerVersion());
-
- Object httpFactory = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.HttpConnectionFactory",
- Server.class)
- .getConstructor(configClass).newInstance(httpConfig);
-
- Collection<Object> connectionFactories = new ArrayList<Object>();
- result = (AbstractConnector)ClassLoaderUtils.loadClass("org.eclipse.jetty.server.ServerConnector",
- Server.class)
- .getConstructor(Server.class)
- .newInstance(server);
-
- if (tlsServerParameters != null) {
- Class<?> src = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.SecureRequestCustomizer",
- Server.class);
- httpConfig.getClass().getMethod("addCustomizer", src.getInterfaces()[0])
- .invoke(httpConfig, src.newInstance());
- Object scf = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.SslConnectionFactory",
- Server.class).getConstructor(SslContextFactory.class,
- String.class)
- .newInstance(sslcf, "HTTP/1.1");
- connectionFactories.add(scf);
- result.getClass().getMethod("setDefaultProtocol", String.class).invoke(result, "SSL-HTTP/1.1");
- }
- connectionFactories.add(httpFactory);
- result.getClass().getMethod("setConnectionFactories", Collection.class)
- .invoke(result, connectionFactories);
-
- if (getMaxIdleTime() > 0) {
- result.getClass().getMethod("setIdleTimeout", Long.TYPE).invoke(result, new Long(getMaxIdleTime()));
- }
-
- } catch (RuntimeException rex) {
- throw rex;
- } catch (Exception ex) {
- throw new RuntimeException(ex);
- }
- return result;
- }
- AbstractConnector createConnectorJetty8(SslContextFactory sslcf, String hosto, int porto) {
- //Jetty 8
- AbstractConnector result = null;
- try {
- if (sslcf == null) {
- result = (AbstractConnector)ClassLoaderUtils
- .loadClass("org.eclipse.jetty.server.nio.SelectChannelConnector",
- Server.class).newInstance();
- } else {
- result = (AbstractConnector)ClassLoaderUtils
- .loadClass("org.eclipse.jetty.server.ssl.SslSelectChannelConnector",
- Server.class).getConstructor(SslContextFactory.class)
- .newInstance(sslcf);
- }
- Server.class.getMethod("setSendServerVersion", Boolean.TYPE).invoke(server, getSendServerVersion());
- if (getMaxIdleTime() > 0) {
- result.getClass().getMethod("setMaxIdleTime", Integer.TYPE).invoke(result, getMaxIdleTime());
- }
- } catch (RuntimeException rex) {
- throw rex;
- } catch (Exception ex) {
- throw new RuntimeException(ex);
- }
- return result;
- }
-
-
- protected SSLContext createSSLContext(SslContextFactory scf) throws Exception {
- String proto = tlsServerParameters.getSecureSocketProtocol() == null
- ? "TLS" : tlsServerParameters.getSecureSocketProtocol();
-
- if (!"SSLv3".equals(proto)) {
- scf.addExcludeProtocols("SSLv3");
- }
-
- SSLContext context = tlsServerParameters.getJsseProvider() == null
- ? SSLContext.getInstance(proto)
- : SSLContext.getInstance(proto, tlsServerParameters.getJsseProvider());
-
- KeyManager keyManagers[] = tlsServerParameters.getKeyManagers();
- if (tlsServerParameters.getCertAlias() != null) {
- keyManagers = getKeyManagersWithCertAlias(keyManagers);
- }
- context.init(tlsServerParameters.getKeyManagers(),
- tlsServerParameters.getTrustManagers(),
- tlsServerParameters.getSecureRandom());
-
- String[] cs =
- SSLUtils.getCiphersuites(
- tlsServerParameters.getCipherSuites(),
- SSLUtils.getServerSupportedCipherSuites(context),
- tlsServerParameters.getCipherSuitesFilter(),
- LOG, true);
-
- scf.setExcludeCipherSuites(cs);
- return context;
- }
- protected KeyManager[] getKeyManagersWithCertAlias(KeyManager keyManagers[]) throws Exception {
- if (tlsServerParameters.getCertAlias() != null) {
- for (int idx = 0; idx < keyManagers.length; idx++) {
- if (keyManagers[idx] instanceof X509KeyManager) {
- keyManagers[idx] = new AliasedX509ExtendedKeyManager(
- tlsServerParameters.getCertAlias(), (X509KeyManager)keyManagers[idx]);
- }
- }
- }
- return keyManagers;
- }
- protected void setClientAuthentication(SslContextFactory con,
- ClientAuthentication clientAuth) {
- con.setWantClientAuth(true);
- if (clientAuth != null) {
- if (clientAuth.isSetWant()) {
- con.setWantClientAuth(clientAuth.isWant());
- }
- if (clientAuth.isSetRequired()) {
- con.setNeedClientAuth(clientAuth.isRequired());
- }
- }
- }
- /**
- * This method sets the security properties for the CXF extension
- * of the JettySslConnector.
- */
- private void decorateCXFJettySslSocketConnector(
- SslContextFactory con
- ) {
- setClientAuthentication(con,
- tlsServerParameters.getClientAuthentication());
- con.setCertAlias(tlsServerParameters.getCertAlias());
- }
-
-
- private static Container getContainer(Object server) {
- if (server instanceof Container) {
- return (Container)server;
- }
- try {
- return (Container)server.getClass().getMethod("getContainer").invoke(server);
- } catch (RuntimeException t) {
- throw t;
- } catch (Throwable t) {
- throw new RuntimeException(t);
- }
- }
-
- private static void logConnector(Connector connector) {
- try {
- String h = (String)connector.getClass().getMethod("getHost").invoke(connector);
- int port = (Integer)connector.getClass().getMethod("getPort").invoke(connector);
- LOG.finer("connector.host: "
- + h == null
- ? "null"
- : "\"" + h + "\"");
- LOG.finer("connector.port: " + port);
- } catch (Throwable t) {
- //ignore
- }
- }
-
->>>>>>> 990f4b1... Disallow SSLv3 by default in Jetty
protected void setupThreadPool() {
AbstractConnector aconn = (AbstractConnector) connector;
if (isSetThreadingParameters()) {
@@ -1007,3 +770,4 @@ public class JettyHTTPServerEngine
}
}
+
http://git-wip-us.apache.org/repos/asf/cxf/blob/97173e35/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java
index 42c5ddf..c43dcab 100644
--- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java
+++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java
@@ -113,6 +113,10 @@ public class CXFJettySslSocketConnector extends SslSelectChannelConnector {
? "TLS"
: getCxfSslContextFactory().getProtocol();
+ if (!"SSLv3".equals(proto)) {
+ getSslContextFactory().addExcludeProtocols("SSLv3");
+ }
+
SSLContext context = getCxfSslContextFactory().getProvider() == null
? SSLContext.getInstance(proto)
: SSLContext.getInstance(proto, getCxfSslContextFactory().getProvider());