Posted to commits@ranger.apache.org by sn...@apache.org on 2014/11/06 00:32:16 UTC
git commit: ARGUS-158 - SSL service disables SSLv3 protocol
Repository: incubator-argus
Updated Branches:
refs/heads/master b61836fae -> 5883627df
ARGUS-158 - SSL service disables SSLv3 protocol
Project: http://git-wip-us.apache.org/repos/asf/incubator-argus/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-argus/commit/5883627d
Tree: http://git-wip-us.apache.org/repos/asf/incubator-argus/tree/5883627d
Diff: http://git-wip-us.apache.org/repos/asf/incubator-argus/diff/5883627d
Branch: refs/heads/master
Commit: 5883627dfd9c1b74fa055321593ccd7549f2185c
Parents: b61836f
Author: sneethiraj <sn...@apache.org>
Authored: Wed Nov 5 18:32:08 2014 -0500
Committer: sneethiraj <sn...@apache.org>
Committed: Wed Nov 5 18:32:08 2014 -0500
----------------------------------------------------------------------
.../xasecure/server/tomcat/EmbededServer.java | 4 ++++
.../UnixAuthenticationService.java | 25 +++++++++++++++++++-
2 files changed, 28 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/5883627d/embededwebserver/src/main/java/com/xasecure/server/tomcat/EmbededServer.java
----------------------------------------------------------------------
diff --git a/embededwebserver/src/main/java/com/xasecure/server/tomcat/EmbededServer.java b/embededwebserver/src/main/java/com/xasecure/server/tomcat/EmbededServer.java
index 7adc1aa..fd014e7 100644
--- a/embededwebserver/src/main/java/com/xasecure/server/tomcat/EmbededServer.java
+++ b/embededwebserver/src/main/java/com/xasecure/server/tomcat/EmbededServer.java
@@ -111,6 +111,10 @@ public class EmbededServer {
ssl.setAttribute("keyAlias", getConfig("https.attrib.keyAlias") ) ;
ssl.setAttribute("keystorePass", getConfig("https.attrib.keystorePass"));
ssl.setAttribute("keystoreFile", getConfig("https.attrib.keystoreFile")) ;
+
+ String enabledProtocols = "TLSv1, TLSv1.1, TLSv1.2" ;
+ ssl.setAttribute("sslEnabledProtocols", enabledProtocols ) ;
+
server.getService().addConnector(ssl);
}
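Review bot: The protocol list on the added `enabledProtocols` line is a hard-coded literal, while every neighbouring connector attribute in this hunk is read through `getConfig(...)`, so an operator cannot tighten it without rebuilding. TLSv1 and TLSv1.1 have since been formally deprecated (RFC 8996), and dropping them should be a configuration change rather than a code change. Consider reading the value from configuration and keeping this literal only as the fallback, e.g. `String enabledProtocols = getConfig("<protocols-config-key>");` (the key name is a placeholder, and how `getConfig` reports a missing key is not visible here). A short comment such as `// Allow-list: SSLv3 deliberately excluded (ARGUS-158)` would also record why the attribute is set. The enclosing method starts outside the hunk.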
http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/5883627d/unixauthservice/src/main/java/com/xasecure/authentication/UnixAuthenticationService.java
----------------------------------------------------------------------
diff --git a/unixauthservice/src/main/java/com/xasecure/authentication/UnixAuthenticationService.java b/unixauthservice/src/main/java/com/xasecure/authentication/UnixAuthenticationService.java
index 107ba40..bd9eac2 100644
--- a/unixauthservice/src/main/java/com/xasecure/authentication/UnixAuthenticationService.java
+++ b/unixauthservice/src/main/java/com/xasecure/authentication/UnixAuthenticationService.java
@@ -28,12 +28,15 @@ import java.net.Socket;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.ArrayList;
+import java.util.HashSet;
import java.util.List;
import java.util.Properties;
+import java.util.Set;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
@@ -48,7 +51,7 @@ public class UnixAuthenticationService {
private static final String serviceName = "UnixAuthenticationService" ;
- private static final String SSL_ALGORITHM = "SSLv3" ;
+ private static final String SSL_ALGORITHM = "TLS" ;
private static final String REMOTE_LOGIN_AUTH_SERVICE_PORT_PARAM = "authServicePort" ;
private static final String SSL_KEYSTORE_PATH_PARAM = "keyStore" ;
private static final String SSL_KEYSTORE_PATH_PASSWORD_PARAM = "keyStorePassword" ;
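Review bot: Changing `SSL_ALGORITHM` to `"TLS"` does not by itself turn SSLv3 off, and the constant carries no comment saying so. The value only names the SSLContext algorithm; on JDKs current at the time of this commit, a `"TLS"` context could still leave SSLv3 among the enabled protocols of a server socket. A reader who sees only this line may assume the job is done here. Suggest a comment next to it, e.g. `// Context algorithm only; SSLv3 is removed from the enabled protocols where the server socket is created`.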
@@ -216,6 +219,26 @@ public class UnixAuthenticationService {
SSLServerSocketFactory sf = context.getServerSocketFactory() ;
ServerSocket socket = (SSLEnabled ? sf.createServerSocket(portNum) : new ServerSocket(portNum) ) ;
+
+ if (SSLEnabled) {
+ SSLServerSocket secureSocket = (SSLServerSocket) socket ;
+ String[] protocols = secureSocket.getEnabledProtocols() ;
+ Set<String> allowedProtocols = new HashSet<String>() ;
+ for(String ep : protocols) {
+ if (! ep.toUpperCase().startsWith("SSLV3")) {
+ LOG.info("Enabling Protocol: [" + ep + "]");
+ allowedProtocols.add(ep) ;
+ }
+ else {
+ LOG.info("Disabling Protocol: [" + ep + "]");
+ }
+ }
+
+ if (!allowedProtocols.isEmpty()) {
+ secureSocket.setEnabledProtocols(allowedProtocols.toArray(new String[0]));
+ }
+ }
+
Socket client = null ;
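Review bot: The guard `if (!allowedProtocols.isEmpty())` fails open: if the filter leaves nothing, `setEnabledProtocols` is skipped, the socket keeps its default protocol set (SSLv3 included) and the service starts without any error. Fail closed instead, e.g. `if (allowedProtocols.isEmpty()) { throw new IllegalStateException("No enabled protocol remains after removing SSLv3"); }` placed before the `setEnabledProtocols` call. The loop is also a deny-list keyed on the `SSLV3` prefix, so anything else the JDK enables by default (for example the `SSLv2Hello` pseudo-protocol) stays on, whereas EmbededServer.java in this same commit uses an explicit allow-list; the two services would be easier to audit if they shared one approach. The enclosing method starts and ends outside the hunk, so whether an unchecked exception is acceptable at this point needs confirming against its callers.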