Posted to commits@ranger.apache.org by sn...@apache.org on 2014/11/06 00:32:16 UTC

git commit: ARGUS-158 - SSL service disables SSLv3 protocol

Repository: incubator-argus
Updated Branches:
  refs/heads/master b61836fae -> 5883627df


ARGUS-158 - SSL service disables SSLv3 protocol


Project: http://git-wip-us.apache.org/repos/asf/incubator-argus/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-argus/commit/5883627d
Tree: http://git-wip-us.apache.org/repos/asf/incubator-argus/tree/5883627d
Diff: http://git-wip-us.apache.org/repos/asf/incubator-argus/diff/5883627d

Branch: refs/heads/master
Commit: 5883627dfd9c1b74fa055321593ccd7549f2185c
Parents: b61836f
Author: sneethiraj <sn...@apache.org>
Authored: Wed Nov 5 18:32:08 2014 -0500
Committer: sneethiraj <sn...@apache.org>
Committed: Wed Nov 5 18:32:08 2014 -0500

----------------------------------------------------------------------
 .../xasecure/server/tomcat/EmbededServer.java   |  4 ++++
 .../UnixAuthenticationService.java              | 25 +++++++++++++++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/5883627d/embededwebserver/src/main/java/com/xasecure/server/tomcat/EmbededServer.java
----------------------------------------------------------------------
diff --git a/embededwebserver/src/main/java/com/xasecure/server/tomcat/EmbededServer.java b/embededwebserver/src/main/java/com/xasecure/server/tomcat/EmbededServer.java
index 7adc1aa..fd014e7 100644
--- a/embededwebserver/src/main/java/com/xasecure/server/tomcat/EmbededServer.java
+++ b/embededwebserver/src/main/java/com/xasecure/server/tomcat/EmbededServer.java
@@ -111,6 +111,10 @@ public class EmbededServer {
 			ssl.setAttribute("keyAlias", getConfig("https.attrib.keyAlias") ) ;
 			ssl.setAttribute("keystorePass", getConfig("https.attrib.keystorePass"));
 			ssl.setAttribute("keystoreFile",  getConfig("https.attrib.keystoreFile")) ;
+			
+			String enabledProtocols = "TLSv1, TLSv1.1, TLSv1.2" ;
+			ssl.setAttribute("sslEnabledProtocols", enabledProtocols ) ;
+			
 			server.getService().addConnector(ssl); 
 		}
 
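Review bot: The protocol list at `String enabledProtocols = "TLSv1, TLSv1.1, TLSv1.2" ;` is hard-coded, while the keystore attributes just above it are read through `getConfig`, so an operator cannot tighten the list (for example to TLSv1.2 only) without a rebuild. I would read it from configuration and keep this value as the fallback, e.g. `String enabledProtocols = getConfig("https.attrib.sslEnabledProtocols") ;` followed by `if (enabledProtocols == null) { enabledProtocols = "TLSv1,TLSv1.1,TLSv1.2" ; }`. The key name is only a proposal, and how `getConfig` reports an unset key is not visible here. Writing the default without spaces after the commas also avoids depending on the connector trimming each entry. The enclosing method starts and ends outside the hunk.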

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/5883627d/unixauthservice/src/main/java/com/xasecure/authentication/UnixAuthenticationService.java
----------------------------------------------------------------------
diff --git a/unixauthservice/src/main/java/com/xasecure/authentication/UnixAuthenticationService.java b/unixauthservice/src/main/java/com/xasecure/authentication/UnixAuthenticationService.java
index 107ba40..bd9eac2 100644
--- a/unixauthservice/src/main/java/com/xasecure/authentication/UnixAuthenticationService.java
+++ b/unixauthservice/src/main/java/com/xasecure/authentication/UnixAuthenticationService.java
@@ -28,12 +28,15 @@ import java.net.Socket;
 import java.security.KeyStore;
 import java.security.SecureRandom;
 import java.util.ArrayList;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Properties;
+import java.util.Set;
 
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLServerSocket;
 import javax.net.ssl.SSLServerSocketFactory;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
@@ -48,7 +51,7 @@ public class UnixAuthenticationService {
 	
 	private static final String serviceName = "UnixAuthenticationService" ;
 	
-	private static final String SSL_ALGORITHM = "SSLv3" ;
+	private static final String SSL_ALGORITHM = "TLS" ;
 	private static final String REMOTE_LOGIN_AUTH_SERVICE_PORT_PARAM = "authServicePort" ;
 	private static final String SSL_KEYSTORE_PATH_PARAM = "keyStore" ;
 	private static final String SSL_KEYSTORE_PATH_PASSWORD_PARAM = "keyStorePassword" ;
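Review bot: The new value `"TLS"` on `SSL_ALGORITHM` deserves a comment, because as a JSSE context name it selects the implementation and does not by itself exclude SSLv3. Presumably the constant is passed to `SSLContext.getInstance`, but that call is outside this hunk. I would add above the constant: `// SSLContext name only; SSLv3 is removed later via setEnabledProtocols on the server socket`. That later filter (the `if (SSLEnabled)` block) skips `setEnabledProtocols` when nothing survives it, so the provider defaults stay in place. Logging a warning or refusing to start in that case would make the outcome explicit.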
@@ -216,6 +219,26 @@ public class UnixAuthenticationService {
 		SSLServerSocketFactory sf = context.getServerSocketFactory() ; 
 
 		ServerSocket socket = (SSLEnabled ? sf.createServerSocket(portNum) :  new ServerSocket(portNum) ) ;
+		
+		if (SSLEnabled) {
+			SSLServerSocket secureSocket = (SSLServerSocket) socket ;
+			String[] protocols = secureSocket.getEnabledProtocols() ;
+			Set<String> allowedProtocols = new HashSet<String>() ;
+			for(String ep : protocols) {
+				if (! ep.toUpperCase().startsWith("SSLV3")) {
+					LOG.info("Enabling Protocol: [" + ep + "]");
+					allowedProtocols.add(ep) ;
+				}
+				else {
+					LOG.info("Disabling Protocol: [" + ep + "]");
+				}
+			}
+			
+			if (!allowedProtocols.isEmpty()) {
+				secureSocket.setEnabledProtocols(allowedProtocols.toArray(new String[0]));
+			}
+		}
+		
 				
 		Socket client = null ;