Posted to commits@camel.apache.org by ni...@apache.org on 2014/10/22 11:45:16 UTC

[04/11] git commit: CAMEL-7940 Disable SSL security protocol by default

CAMEL-7940 Disable SSL security protocol by default


Project: http://git-wip-us.apache.org/repos/asf/camel/repo
Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/c4706ee5
Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/c4706ee5
Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/c4706ee5

Branch: refs/heads/master
Commit: c4706ee5fe25874fd309a83b44d6c093b9917678
Parents: eb2cd50
Author: Willem Jiang <wi...@gmail.com>
Authored: Wed Oct 22 14:14:26 2014 +0800
Committer: Willem Jiang <wi...@gmail.com>
Committed: Wed Oct 22 15:41:49 2014 +0800

----------------------------------------------------------------------
 .../util/jsse/BaseSSLContextParameters.java     |  4 ++
 .../util/jsse/SSLContextParametersTest.java     | 46 ++++++++++++--------
 2 files changed, 32 insertions(+), 18 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/camel/blob/c4706ee5/camel-core/src/main/java/org/apache/camel/util/jsse/BaseSSLContextParameters.java
----------------------------------------------------------------------
diff --git a/camel-core/src/main/java/org/apache/camel/util/jsse/BaseSSLContextParameters.java b/camel-core/src/main/java/org/apache/camel/util/jsse/BaseSSLContextParameters.java
index f92d815..1bb807f 100644
--- a/camel-core/src/main/java/org/apache/camel/util/jsse/BaseSSLContextParameters.java
+++ b/camel-core/src/main/java/org/apache/camel/util/jsse/BaseSSLContextParameters.java
@@ -66,6 +66,9 @@ public abstract class BaseSSLContextParameters extends JsseParameters {
     protected static final List<String> DEFAULT_SECURE_SOCKET_PROTOCOLS_FILTER_INCLUDE =
         Collections.unmodifiableList(Arrays.asList(".*"));
     
+    protected static final List<String> DEFAULT_SECURE_SOCKET_PROTOCOLS_FILTER_EXCLUDE =
+        Collections.unmodifiableList(Arrays.asList("SSL.*"));
+    
     private static final Logger LOG = LoggerFactory.getLogger(BaseSSLContextParameters.class);
     
     private static final String LS = System.getProperty("line.separator");
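Review bot: The new DEFAULT_SECURE_SOCKET_PROTOCOLS_FILTER_EXCLUDE constant carries no Javadoc, although removing every SSL-prefixed protocol from the default-enabled set is the whole point of CAMEL-7940 and a maintainer reading this class later needs to know it is deliberate. Add above it `/** Protocol names excluded by the default filter; {@code SSL.*} drops SSLv3 and any other SSL-prefixed entry so only TLS protocols remain enabled by default (CAMEL-7940). */`. Whether the pattern is applied with full-match or find semantics is decided by the filter code outside this hunk; if it is a find, the unanchored pattern also matches names containing "SSL" mid-string, and `^SSL.*` would state the intent more precisely. The constant is consumed in the second hunk of this file, whose enclosing method starts outside that hunk.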
@@ -281,6 +284,7 @@ public abstract class BaseSSLContextParameters extends JsseParameters {
         FilterParameters filter = new FilterParameters();
         
         filter.getInclude().addAll(DEFAULT_SECURE_SOCKET_PROTOCOLS_FILTER_INCLUDE);
+        filter.getExclude().addAll(DEFAULT_SECURE_SOCKET_PROTOCOLS_FILTER_EXCLUDE);
         
         return filter; 
     }

http://git-wip-us.apache.org/repos/asf/camel/blob/c4706ee5/camel-core/src/test/java/org/apache/camel/util/jsse/SSLContextParametersTest.java
----------------------------------------------------------------------
diff --git a/camel-core/src/test/java/org/apache/camel/util/jsse/SSLContextParametersTest.java b/camel-core/src/test/java/org/apache/camel/util/jsse/SSLContextParametersTest.java
index bc163c2..99bd6fd 100644
--- a/camel-core/src/test/java/org/apache/camel/util/jsse/SSLContextParametersTest.java
+++ b/camel-core/src/test/java/org/apache/camel/util/jsse/SSLContextParametersTest.java
@@ -42,6 +42,13 @@ public class SSLContextParametersTest extends AbstractJsseParametersTest {
                           Arrays.asList(new Pattern[0]));
         assertEquals(2, result.size());
         assertStartsWith(result, "TLS");
+        
+        result = parameters.filter(null, 
+                           Arrays.asList(new String[]{"SSLv3", "TLSv1", "TLSv1.1"}),
+                           Arrays.asList(new Pattern[]{Pattern.compile(".*")}),
+                           Arrays.asList(new Pattern[]{Pattern.compile("SSL.*")}));
+        assertEquals(2, result.size());
+        assertStartsWith(result, "TLS");
         try {
             assertStartsWith((String[]) null, "TLS");
             fail("We chould got an exception here!");
@@ -246,8 +253,8 @@ public class SSLContextParametersTest extends AbstractJsseParametersTest {
         socket = (SSLSocket) context.getSocketFactory().createSocket();
         serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
         
-        assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
-        assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols()));
+        assertFalse(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
+        assertFalse(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols()));
         assertEquals(0, serverSocket.getEnabledProtocols().length);
         
         // Secure socket protocols filter on client params
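Review bot: `assertFalse(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()))` on the two changed lines only proves the enabled list differs from the JDK default, not that the SSL entries are the ones missing; any divergence, including an accidentally emptied list, passes. Assert the property directly as the later hunks do, `assertStartsWith(engine.getEnabledProtocols(), "TLS");` and `assertStartsWith(socket.getEnabledProtocols(), "TLS");`. In this and the following hunks (those starting at @@ -259, -272, -377, -390 and -403) the prefix check alone also does not confirm that every non-SSL protocol from the control list survived the filter; comparing against the control array with its SSL* entries removed would pin both halves of the expected behaviour. The enclosing test method starts outside the hunk.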
@@ -259,8 +266,8 @@ public class SSLContextParametersTest extends AbstractJsseParametersTest {
         socket = (SSLSocket) context.getSocketFactory().createSocket();
         serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
         
-        assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
-        assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols()));
+        assertStartsWith(engine.getEnabledProtocols(), "TLS");
+        assertStartsWith(socket.getEnabledProtocols(), "TLS");
         assertEquals(0, serverSocket.getEnabledProtocols().length);
         
         // Sspp on client params overrides  secure socket protocols filter on client
@@ -272,8 +279,8 @@ public class SSLContextParametersTest extends AbstractJsseParametersTest {
         socket = (SSLSocket) context.getSocketFactory().createSocket();
         serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
         
-        assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
-        assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols()));
+        assertStartsWith(engine.getEnabledProtocols(), "TLS");
+        assertStartsWith(socket.getEnabledProtocols(), "TLS");
         assertEquals(0, serverSocket.getEnabledProtocols().length);
         
         // Server session timeout only affects server session configuration
@@ -377,9 +384,9 @@ public class SSLContextParametersTest extends AbstractJsseParametersTest {
         socket = (SSLSocket) context.getSocketFactory().createSocket();
         serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
         
-        assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
+        assertStartsWith(engine.getEnabledProtocols(), "TLS");
         assertEquals(0, socket.getEnabledProtocols().length);
-        checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());
+        assertStartsWith(serverSocket.getEnabledProtocols(), "TLS");
         
         // Secure socket protocols filter on client params
         filter = new FilterParameters();
@@ -390,9 +397,9 @@ public class SSLContextParametersTest extends AbstractJsseParametersTest {
         socket = (SSLSocket) context.getSocketFactory().createSocket();
         serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
         
-        assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
+        assertStartsWith(engine.getEnabledProtocols(), "TLS");
         assertEquals(0, socket.getEnabledProtocols().length);
-        checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());
+        assertStartsWith(serverSocket.getEnabledProtocols(), "TLS");
 
         // Sspp on client params overrides  secure socket protocols filter on client
         filter.getInclude().add(".*");
@@ -403,9 +410,9 @@ public class SSLContextParametersTest extends AbstractJsseParametersTest {
         socket = (SSLSocket) context.getSocketFactory().createSocket();
         serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
         
-        assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
+        assertStartsWith(engine.getEnabledProtocols(), "TLS");
         assertEquals(0, socket.getEnabledProtocols().length);
-        checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());
+        assertStartsWith(serverSocket.getEnabledProtocols(), "TLS");
         
         // Client session timeout only affects client session configuration
         sccp.setSessionTimeout("12345");
@@ -581,9 +588,11 @@ public class SSLContextParametersTest extends AbstractJsseParametersTest {
         SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket();
         SSLServerSocket serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
         
-        assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
-        assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols()));
-        checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());
+        // default disable the SSL* protocols
+        assertStartsWith(engine.getEnabledProtocols(), "TLS");
+        assertStartsWith(socket.getEnabledProtocols(), "TLS");
+        assertStartsWith(serverSocket.getEnabledProtocols(), "TLS");
+        //checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());
         
         // empty sspp
         
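Review bot: `//checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());` is commented-out code left in the new test body; delete it rather than keep it as a comment, since the three assertions above it already cover the server socket and a dead line invites someone to re-enable an assertion that now fails by design. If the control comparison is still wanted, compare against the control list with its SSL* entries filtered out instead. The comment `// default disable the SSL* protocols` would read better as `// the default filter excludes SSL* protocols, so only TLS remains enabled`. The enclosing test method starts outside the hunk.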
@@ -650,9 +659,10 @@ public class SSLContextParametersTest extends AbstractJsseParametersTest {
         SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket();
         SSLServerSocket serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
         
-        assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
-        assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols()));
-        checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());
+        // default disable the SSL* protocols
+        assertStartsWith(engine.getEnabledProtocols(), "TLS");
+        assertStartsWith(socket.getEnabledProtocols(), "TLS");
+        assertStartsWith(serverSocket.getEnabledProtocols(), "TLS");
 
         // empty filter