Posted to derby-commits@db.apache.org by ma...@apache.org on 2014/11/19 18:07:35 UTC

svn commit: r1640599 - in /db/derby/code/branches/10.10: ./ java/client/org/apache/derby/client/net/ java/drda/org/apache/derby/impl/drda/

Author: mamta
Date: Wed Nov 19 17:07:35 2014
New Revision: 1640599

URL: http://svn.apache.org/r1640599
Log:
DERBY-6764(analyze impact of poodle security alert on Derby client - server ssl support)

Backporting to 10.10


Modified:
    db/derby/code/branches/10.10/   (props changed)
    db/derby/code/branches/10.10/java/client/org/apache/derby/client/net/NaiveTrustManager.java
    db/derby/code/branches/10.10/java/client/org/apache/derby/client/net/OpenSocketAction.java
    db/derby/code/branches/10.10/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java
    db/derby/code/branches/10.10/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java

Propchange: db/derby/code/branches/10.10/
------------------------------------------------------------------------------
  Merged /db/derby/code/branches/10.11:r1639540
  Merged /db/derby/code/trunk:r1636509,1636668,1636798

Modified: db/derby/code/branches/10.10/java/client/org/apache/derby/client/net/NaiveTrustManager.java
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.10/java/client/org/apache/derby/client/net/NaiveTrustManager.java?rev=1640599&r1=1640598&r2=1640599&view=diff
==============================================================================
--- db/derby/code/branches/10.10/java/client/org/apache/derby/client/net/NaiveTrustManager.java (original)
+++ db/derby/code/branches/10.10/java/client/org/apache/derby/client/net/NaiveTrustManager.java Wed Nov 19 17:07:35 2014
@@ -67,7 +67,7 @@ public class NaiveTrustManager
             thisManager = new TrustManager [] {new NaiveTrustManager()};
         }
 
-        SSLContext ctx = SSLContext.getInstance("SSL");
+        SSLContext ctx = SSLContext.getInstance("TLS");
         
         if (ctx.getProvider().getName().equals("SunJSSE") &&
             (System.getProperty("javax.net.ssl.keyStore") != null) &&

Modified: db/derby/code/branches/10.10/java/client/org/apache/derby/client/net/OpenSocketAction.java
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.10/java/client/org/apache/derby/client/net/OpenSocketAction.java?rev=1640599&r1=1640598&r2=1640599&view=diff
==============================================================================
--- db/derby/code/branches/10.10/java/client/org/apache/derby/client/net/OpenSocketAction.java (original)
+++ db/derby/code/branches/10.10/java/client/org/apache/derby/client/net/OpenSocketAction.java Wed Nov 19 17:07:35 2014
@@ -21,9 +21,11 @@
 
 package org.apache.derby.client.net;
 
+
 import java.net.Socket;
 import java.security.PrivilegedExceptionAction;
 import javax.net.SocketFactory;
+import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
 
 public class OpenSocketAction implements PrivilegedExceptionAction<Socket> {
@@ -66,7 +68,45 @@ public class OpenSocketAction implements
             sf = SocketFactory.getDefault();
             break;
         }
-        return sf.createSocket(server_, port_);
+        if (clientSSLMode_ == org.apache.derby.jdbc.ClientBaseDataSourceRoot.SSL_BASIC ||
+            clientSSLMode_ == org.apache.derby.jdbc.ClientBaseDataSourceRoot.SSL_PEER_AUTHENTICATION){
+        	//DERBY-6764(analyze impact of poodle security alert on Derby 
+        	// client - server ssl support)
+        	//If SSLv3 and/or SSLv2Hello is one of the enabled protocols,  
+        	// then we want to remove it from the list of enabled protocols  
+        	// because of poodle security breach
+        	SSLSocket sSocket = (SSLSocket)sf.createSocket(server_, port_);
+        	String[] enabledProtocols = sSocket.getEnabledProtocols();
+
+            //If SSLv3 and/or SSLv2Hello is one of the enabled protocols, 
+            // then remove it from the list of enabled protocols because of 
+            // its security breach.
+            String[] supportedProtocols = new String[enabledProtocols.length];
+            int supportedProtocolsCount  = 0;
+            for ( int i = 0; i < enabledProtocols.length; i++ )
+            {
+                if (!(enabledProtocols[i].toUpperCase().contains("SSLV3") ||
+                    enabledProtocols[i].toUpperCase().contains("SSLV2HELLO"))) {
+                	supportedProtocols[supportedProtocolsCount] = 
+                			enabledProtocols[i];
+                	supportedProtocolsCount++;
+                }
+            }
+            if(supportedProtocolsCount < enabledProtocols.length) {
+            	String[] newEnabledProtocolsList = null;
+            	//We found that SSLv3 and or SSLv2Hello is one of the enabled 
+            	// protocols for this jvm. Following code will remove it from 
+            	// enabled list.
+            	newEnabledProtocolsList = 
+            			new String[supportedProtocolsCount];
+            	System.arraycopy(supportedProtocols, 0, 
+            			newEnabledProtocolsList, 0, 
+            			supportedProtocolsCount);
+            	sSocket.setEnabledProtocols(newEnabledProtocolsList);
+            }
+            return sSocket;
+        } else
+            return sf.createSocket(server_, port_);
     }
 
 }
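Review bot: The protocol filter inlined after `SSLSocket sSocket = (SSLSocket)sf.createSocket(server_, port_);` is a copy of the `removeSSLv3andSSLv2Hello` helper this same commit adds to NetworkServerControlImpl, and its explanatory comment is itself repeated twice within the block; keeping it inline makes `run` do factory selection and protocol policy at once. Moving it into a private static helper in this class yields the same enabled-protocol list and leaves the SSL branch at a few lines. If the filter leaves no protocol at all, `setEnabledProtocols` receives an empty array and the failure surfaces later as a generic handshake error rather than a message naming the cause; a check in the helper would help, though I cannot tell from here whether any supported JVM enables only SSLv3. The `toUpperCase()` calls should take an explicit locale so the comparison does not depend on the default locale. The enclosing `run` method begins outside the hunk.
```java
        if (clientSSLMode_ == org.apache.derby.jdbc.ClientBaseDataSourceRoot.SSL_BASIC ||
            clientSSLMode_ == org.apache.derby.jdbc.ClientBaseDataSourceRoot.SSL_PEER_AUTHENTICATION) {
            // DERBY-6764: never negotiate SSLv3 or SSLv2Hello (POODLE).
            SSLSocket sSocket = (SSLSocket) sf.createSocket(server_, port_);
            sSocket.setEnabledProtocols(
                    removeSSLv3andSSLv2Hello(sSocket.getEnabledProtocols()));
            return sSocket;
        }
        return sf.createSocket(server_, port_);
    }

    // Returns enabledProtocols without SSLv3 and SSLv2Hello; mirrors
    // NetworkServerControlImpl.removeSSLv3andSSLv2Hello (DERBY-6764).
    private static String[] removeSSLv3andSSLv2Hello(String[] enabledProtocols) {
        java.util.List<String> kept =
                new java.util.ArrayList<String>(enabledProtocols.length);
        for (String protocol : enabledProtocols) {
            String upper = protocol.toUpperCase(java.util.Locale.ENGLISH);
            if (!upper.contains("SSLV3") && !upper.contains("SSLV2HELLO")) {
                kept.add(protocol);
            }
        }
        return kept.toArray(new String[kept.size()]);
    }
```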

Modified: db/derby/code/branches/10.10/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.10/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java?rev=1640599&r1=1640598&r2=1640599&view=diff
==============================================================================
--- db/derby/code/branches/10.10/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java (original)
+++ db/derby/code/branches/10.10/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java Wed Nov 19 17:07:35 2014
@@ -68,7 +68,7 @@ public class NaiveTrustManager
             thisManager = new TrustManager [] {new NaiveTrustManager()};
         }
 
-        SSLContext ctx = SSLContext.getInstance("SSL");
+        SSLContext ctx = SSLContext.getInstance("TLS");
         
         if (ctx.getProvider().getName().equals("SunJSSE") &&
             (PropertyUtil.getSystemProperty("javax.net.ssl.keyStore") != null) &&

Modified: db/derby/code/branches/10.10/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.10/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java?rev=1640599&r1=1640598&r2=1640599&view=diff
==============================================================================
--- db/derby/code/branches/10.10/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java (original)
+++ db/derby/code/branches/10.10/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java Wed Nov 19 17:07:35 2014
@@ -700,9 +700,17 @@ public final class NetworkServerControlI
         case SSL_BASIC:
             SSLServerSocketFactory ssf =
                 (SSLServerSocketFactory)SSLServerSocketFactory.getDefault();
-            return (SSLServerSocket)ssf.createServerSocket(portNumber,
-                                                           0,
-                                                           hostAddress);
+            SSLServerSocket sss1= 
+                    (SSLServerSocket)ssf.createServerSocket(portNumber,
+                    0,
+                    hostAddress);
+            //DERBY-6764(analyze impact of poodle security alert on 
+            // Derby client - server ssl support)
+            String[] removeTwoProtocols = 
+            		removeSSLv3andSSLv2Hello(
+                            sss1.getEnabledProtocols());
+            sss1.setEnabledProtocols(removeTwoProtocols);
+            return sss1;
         case SSL_PEER_AUTHENTICATION:
             SSLServerSocketFactory ssf2 =
                 (SSLServerSocketFactory)SSLServerSocketFactory.getDefault();
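Review bot: `removeTwoProtocols` is declared inside `case SSL_BASIC` and then re-assigned in `case SSL_PEER_AUTHENTICATION` in the next hunk, so the second case quietly depends on a local introduced by the first; the two client-socket hunks further down (around the `SSLSocket s1` and `SSLSocket s2` cases) repeat the same pattern. Each case reads more plainly without the temporary, e.g. `sss1.setEnabledProtocols(removeSSLv3andSSLv2Hello(sss1.getEnabledProtocols()));`, and the DERBY-6764 comment copied into every case could then live once on the helper. The enclosing method, the switch on the SSL mode, begins and ends outside the hunk.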
@@ -710,6 +718,12 @@ public final class NetworkServerControlI
                 (SSLServerSocket)ssf2.createServerSocket(portNumber,
                                                          0,
                                                          hostAddress);
+            //DERBY-6764(analyze impact of poodle security alert on 
+            // Derby client - server ssl support)
+            removeTwoProtocols = 
+            		removeSSLv3andSSLv2Hello(
+                            sss2.getEnabledProtocols());
+            sss2.setEnabledProtocols(removeTwoProtocols);
             sss2.setNeedClientAuth(true);
             return sss2;
         }
@@ -2605,6 +2619,12 @@ public final class NetworkServerControlI
                                         case SSL_BASIC:
                                             SSLSocket s1 = (SSLSocket)NaiveTrustManager.getSocketFactory().
                                                 createSocket(hostAddress, portNumber);
+                                            //DERBY-6764(analyze impact of poodle security alert on 
+                                            // Derby client - server ssl support)
+                                            String[] removeTwoProtocols = 
+                                            		removeSSLv3andSSLv2Hello(s1.getEnabledProtocols());
+                                            s1.setEnabledProtocols(
+                                            		removeTwoProtocols);
                                             // Need to handshake now to get proper error reporting.
                                             s1.startHandshake();
                                             return s1;
@@ -2612,6 +2632,12 @@ public final class NetworkServerControlI
                                         case SSL_PEER_AUTHENTICATION:
                                             SSLSocket s2 = (SSLSocket)SSLSocketFactory.getDefault().
                                                 createSocket(hostAddress, portNumber);
+                                            //DERBY-6764(analyze impact of poodle security alert on 
+                                            // Derby client - server ssl support)
+                                            removeTwoProtocols = 
+                                            		removeSSLv3andSSLv2Hello(s2.getEnabledProtocols());
+                                            s2.setEnabledProtocols(
+                                            		removeTwoProtocols);
                                             // Need to handshake now to get proper error reporting.
                                             s2.startHandshake();
                                             return s2;
@@ -2653,7 +2679,38 @@ public final class NetworkServerControlI
         }
     }
 
-    
+    //DERBY-6764(analyze impact of poodle security alert on 
+    // Derby client - server ssl support)
+    //Remove SSLv3 and SSLv2Hello protocols from list of enabled protocols
+    private String[] removeSSLv3andSSLv2Hello(String[] enabledProtocols) {
+        //If SSLv3 and SSLv2Hello are one of the enabled protocols, then 
+        // remove them from the list of enabled protocols because of the 
+        // possible security breach.
+        String[] supportedProtocols = new String[enabledProtocols.length];
+        int supportedProtocolsCount  = 0;
+        for ( int i = 0; i < enabledProtocols.length; i++ )
+        {
+            if (!(enabledProtocols[i].toUpperCase().contains("SSLV3") ||
+            	enabledProtocols[i].toUpperCase().contains("SSLV2HELLO"))) {
+            	supportedProtocols[supportedProtocolsCount] = enabledProtocols[i];
+            	supportedProtocolsCount++;
+            }
+        }
+        if(supportedProtocolsCount < enabledProtocols.length) {
+            //We found SSLv3 and/or SSLv2Hello as one of the enabled 
+            // protocols for this jvm. Following code will remove them from 
+            // enabled list.
+            String[] newEnabledProtocolsList = null;
+            newEnabledProtocolsList = 
+                new String[supportedProtocolsCount];
+            System.arraycopy(supportedProtocols, 0, 
+                newEnabledProtocolsList, 0, 
+                supportedProtocolsCount);
+            return(newEnabledProtocolsList);
+        } else 
+            return(enabledProtocols);
+    }
+
     private void checkAddressIsLocal(InetAddress inetAddr) throws UnknownHostException,Exception
     {
         if (localAddresses.contains(inetAddr)) {
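Review bot: `removeSSLv3andSSLv2Hello` reads no instance state, so it can be declared `private static String[] removeSSLv3andSSLv2Hello(String[] enabledProtocols)`, and the two `toUpperCase()` calls should be `toUpperCase(java.util.Locale.ENGLISH)` so the match does not depend on the default locale. When every enabled protocol is filtered out the method returns an empty array and the callers pass it straight to `setEnabledProtocols`, so the failure appears later as a generic handshake error instead of a message naming the cause; a check for `supportedProtocolsCount == 0` with a descriptive exception would help, though I cannot tell from here whether any supported JVM enables only those two protocols. The header comment could also state the contract the code already has: `// Returns the input array itself when neither protocol is present.` The helper is complete within the hunk; the `checkAddressIsLocal` method that follows continues past it.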