Posted to commits@cloudstack.apache.org by bh...@apache.org on 2015/01/21 13:56:42 UTC
git commit: updated refs/heads/4.3 to 53c0ab8
Repository: cloudstack
Updated Branches:
refs/heads/4.3 bd5fe46e5 -> 53c0ab856
CLOUDSTACK-8160: use preferable protocols
(cherry picked from commit debfcdef788ce0d51be06db0ef10f6815f9b563b)
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
Conflicts:
client/tomcatconf/server7-nonssl.xml.in
client/tomcatconf/server7-ssl.xml.in
engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java
plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/XenServerConnectionPool.java
plugins/network-elements/opendaylight/src/main/java/org/apache/cloudstack/network/opendaylight/api/NeutronRestApi.java
plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java
plugins/storage/volume/cloudbyte/src/org/apache/cloudstack/storage/datastore/util/ElastistorUtil.java
plugins/storage/volume/nexenta/src/org/apache/cloudstack/storage/datastore/util/NexentaNmsClient.java
plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java
pom.xml
services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java
systemvm/scripts/config_ssl.sh
utils/src/com/cloud/utils/nio/NioClient.java
utils/src/com/cloud/utils/rest/RESTServiceConnector.java
utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java
vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/53c0ab85
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/53c0ab85
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/53c0ab85
Branch: refs/heads/4.3
Commit: 53c0ab856a4358f508e6ef7488cffaba4d184a03
Parents: bd5fe46
Author: Rohit Yadav <ro...@shapeblue.com>
Authored: Wed Jan 21 18:01:34 2015 +0530
Committer: Rohit Yadav <ro...@shapeblue.com>
Committed: Wed Jan 21 18:24:54 2015 +0530
----------------------------------------------------------------------
client/tomcatconf/server-nonssl.xml.in | 2 +-
client/tomcatconf/server-ssl.xml.in | 2 +-
.../manager/ClusteredAgentManagerImpl.java | 3 +
.../mom/rabbitmq/RabbitMQEventBus.java | 9 ++-
.../xen/resource/XenServerConnectionPool.java | 5 +-
.../cloud/network/utils/HttpClientWrapper.java | 5 +-
.../storage/datastore/util/SolidFireUtil.java | 4 +-
pom.xml | 7 ++-
.../main/java/streamer/SocketWrapperImpl.java | 2 +-
.../ConsoleProxySecureServerFactoryImpl.java | 11 ++--
.../com/cloud/consoleproxy/util/RawHTTP.java | 27 ++++----
.../etc/apache2/sites-available/default-ssl | 1 +
.../debian/config/etc/apache2/vhostexample.conf | 1 +
systemvm/scripts/config_ssl.sh | 6 ++
test/pom.xml | 2 +-
utils/src/com/cloud/utils/nio/Link.java | 5 +-
utils/src/com/cloud/utils/nio/NioClient.java | 3 +
.../src/com/cloud/utils/nio/NioConnection.java | 3 +
.../cloudstack/utils/security/SSLUtils.java | 51 +++++++++++++++
.../ssl/EasySSLProtocolSocketFactory.java | 65 +++++++-------------
.../hypervisor/vmware/util/VmwareClient.java | 4 +-
.../hypervisor/vmware/util/VmwareContext.java | 3 +-
22 files changed, 143 insertions(+), 78 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/client/tomcatconf/server-nonssl.xml.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/server-nonssl.xml.in b/client/tomcatconf/server-nonssl.xml.in
index 847197c..e0debe4 100755
--- a/client/tomcatconf/server-nonssl.xml.in
+++ b/client/tomcatconf/server-nonssl.xml.in
@@ -82,7 +82,7 @@
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
- clientAuth="false" sslProtocol="TLS"
+ clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1"
keystoreType="PKCS12"
keystoreFile="conf\cloud-localhost.pk12"
keystorePass="password"
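Review bot: The `sslEnabledProtocols="TLSv1.2,TLSv1.1"` list on the added line is narrower than the rest of this commit, which removes only SSLv2/SSLv3 and leaves TLSv1 enabled (`SSLUtils.getSupportedProtocols`, `SSLProtocol all -SSLv2 -SSLv3`). On a JVM that lacks TLSv1.1/TLSv1.2, this connector may be left with no usable protocol, so the supported Java versions for this branch should be confirmed. The Connector sits inside the `<!--` comment visible at the top of the hunk, so the attribute has no effect until an operator uncomments it. A short comment above it such as `<!-- sslEnabledProtocols requires a JVM with TLSv1.1+ support -->` would help. The same applies to the identical hunk in server-ssl.xml.in.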
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/client/tomcatconf/server-ssl.xml.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/server-ssl.xml.in b/client/tomcatconf/server-ssl.xml.in
index 37bc53d..2e61251 100755
--- a/client/tomcatconf/server-ssl.xml.in
+++ b/client/tomcatconf/server-ssl.xml.in
@@ -82,7 +82,7 @@
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
- clientAuth="false" sslProtocol="TLS"
+ clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1"
keystoreType="PKCS12"
keystoreFile="conf\cloud-localhost.pk12"
keystorePass="password"
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java
----------------------------------------------------------------------
diff --git a/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java b/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java
index 2fd1caf..3e970ca 100755
--- a/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java
+++ b/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java
@@ -51,6 +51,8 @@ import org.apache.cloudstack.managed.context.ManagedContextTimerTask;
import org.apache.cloudstack.utils.identity.ManagementServerNode;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.utils.security.SSLUtils;
+
import com.cloud.agent.AgentManager;
import com.cloud.agent.api.Answer;
import com.cloud.agent.api.CancelCommand;
@@ -499,6 +501,7 @@ public class ClusteredAgentManagerImpl extends AgentManagerImpl implements Clust
SSLContext sslContext = Link.initSSLContext(true);
sslEngine = sslContext.createSSLEngine(ip, Port.value());
sslEngine.setUseClientMode(true);
+ sslEngine.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslEngine.getEnabledProtocols()));
Link.doHandshake(ch, sslEngine, true);
s_logger.info("SSL: Handshake done");
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
----------------------------------------------------------------------
diff --git a/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java b/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
index 30b4475..8e24c03 100644
--- a/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
+++ b/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
@@ -47,6 +47,7 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus {
private static Integer port;
private static String username;
private static String password;
+ private static String secureProtocol = "TLSv1.2";
public static void setVirtualHost(String virtualHost) {
RabbitMQEventBus.virtualHost = virtualHost;
@@ -141,6 +142,10 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus {
this.port = port;
}
+ public void setSecureProtocol(String protocol) {
+ RabbitMQEventBus.secureProtocol = protocol;
+ }
+
public void setName(String name) {
this.name = name;
}
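Review bot: `setSecureProtocol` is an instance method that assigns the static field `RabbitMQEventBus.secureProtocol` without checking the value, so a configured value such as `SSLv3` would silently undo the hardening for every instance. Consider rejecting legacy names in the setter, e.g. `if (protocol == null || protocol.startsWith("SSL")) { throw new IllegalArgumentException("insecure protocol: " + protocol); }`, and adding a one-line Javadoc that states the default `TLSv1.2` and the accepted values.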
@@ -369,7 +374,7 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus {
}
if (useSsl != null && !useSsl.isEmpty() && useSsl.equalsIgnoreCase("true")) {
- factory.useSslProtocol();
+ factory.useSslProtocol(this.secureProtocol);
}
Connection connection = factory.newConnection();
connection.addShutdownListener(disconnectHandler);
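Review bot: `factory.useSslProtocol(this.secureProtocol)` fixes the protocol version, but the String overload of `useSslProtocol` in the RabbitMQ Java client is documented as installing a trust-everything TrustManager, so the broker certificate is still not verified. If that holds for the client version in use, build an `SSLContext` initialised with a real trust store and pass it via `factory.useSslProtocol(sslContext)`. Separately, `secureProtocol` is static and reads more clearly as `RabbitMQEventBus.secureProtocol` than through `this`. The enclosing method begins and ends outside this hunk.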
@@ -605,4 +610,4 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus {
return;
}
}
-}
\ No newline at end of file
+}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/XenServerConnectionPool.java
----------------------------------------------------------------------
diff --git a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/XenServerConnectionPool.java b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/XenServerConnectionPool.java
index b73bf59..bbcc1a4 100644
--- a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/XenServerConnectionPool.java
+++ b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/XenServerConnectionPool.java
@@ -38,6 +38,9 @@ import org.apache.xmlrpc.client.XmlRpcClientException;
import com.cloud.utils.NumbersUtil;
import com.cloud.utils.PropertiesUtil;
import com.cloud.utils.exception.CloudRuntimeException;
+
+import org.apache.cloudstack.utils.security.SSLUtils;
+
import com.xensource.xenapi.APIVersion;
import com.xensource.xenapi.Connection;
import com.xensource.xenapi.Host;
@@ -79,7 +82,7 @@ public class XenServerConnectionPool {
javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
javax.net.ssl.TrustManager tm = new TrustAllManager();
trustAllCerts[0] = tm;
- javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("TLS");
+ javax.net.ssl.SSLContext sc = SSLUtils.getSSLContext();
sc.init(null, trustAllCerts, null);
javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
HostnameVerifier hv = new HostnameVerifier() {
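Review bot: The socket factory passed to `HttpsURLConnection.setDefaultSSLSocketFactory` is never run through `SSLUtils.getSupportedProtocols`, so switching to `SSLUtils.getSSLContext()` only changes the context algorithm name. Whether SSLv3 stays enabled on these sockets therefore depends on the JVM's defaults, not on this change. The context is also still initialised with `TrustAllManager`, so the peer certificate is not validated whichever protocol is negotiated. At minimum add a comment here such as `// protocol list comes from JVM defaults; SSLv3 is only excluded where getSupportedProtocols() is applied`. The same unfiltered pattern appears in the HttpClientWrapper, SolidFireUtil, VmwareClient and VmwareContext hunks. The enclosing method extends beyond this hunk.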
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java b/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java
index 7dfec92..37ed125 100644
--- a/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java
+++ b/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java
@@ -24,6 +24,9 @@ import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
+
+import org.apache.cloudstack.utils.security.SSLUtils;
+
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.Scheme;
@@ -38,7 +41,7 @@ public class HttpClientWrapper {
public static HttpClient wrapClient(HttpClient base) {
try {
- SSLContext ctx = SSLContext.getInstance("TLS");
+ SSLContext ctx = SSLUtils.getSSLContext();
X509TrustManager tm = new X509TrustManager() {
public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java
----------------------------------------------------------------------
diff --git a/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java b/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java
index 2d528ef..995973f 100644
--- a/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java
+++ b/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java
@@ -47,6 +47,8 @@ import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.BasicClientConnectionManager;
import com.cloud.utils.exception.CloudRuntimeException;
+import org.apache.cloudstack.utils.security.SSLUtils;
+
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
@@ -1011,7 +1013,7 @@ public class SolidFireUtil
private static DefaultHttpClient getHttpClient(int iPort) {
try {
- SSLContext sslContext = SSLContext.getInstance("SSL");
+ SSLContext sslContext = SSLUtils.getSSLContext();
X509TrustManager tm = new X509TrustManager() {
public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException {
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 5746c59..1468ad7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -58,8 +58,9 @@
<cs.gson.version>1.7.2</cs.gson.version>
<cs.guava.version>14.0-rc1</cs.guava.version>
<cs.xapi.version>5.6.100-1</cs.xapi.version>
- <cs.httpclient.version>3.1</cs.httpclient.version>
- <cs.httpcore.version>4.2.1</cs.httpcore.version>
+ <cs.httpclient.version>4.3.6</cs.httpclient.version>
+ <cs.httpcore.version>4.3.3</cs.httpcore.version>
+ <cs.commons-httpclient.version>3.1</cs.commons-httpclient.version>
<cs.mysql.version>5.1.21</cs.mysql.version>
<cs.xstream.version>1.3.1</cs.xstream.version>
<cs.xmlrpc.version>3.1.3</cs.xmlrpc.version>
@@ -318,7 +319,7 @@
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
- <version>${cs.httpcore.version}</version>
+ <version>${cs.httpclient.version}</version>
</dependency>
<dependency>
<groupId>com.thoughtworks.xstream</groupId>
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
----------------------------------------------------------------------
diff --git a/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java b/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
index 07b3dc9..9d8a458 100755
--- a/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
+++ b/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
@@ -140,7 +140,7 @@ public class SocketWrapperImpl extends PipelineImpl implements SocketWrapper {
SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
sslSocket = (SSLSocket)sslSocketFactory.createSocket(socket, address.getHostName(), address.getPort(), true);
-
+ sslSocket.setEnabledProtocols(new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"});
sslSocket.startHandshake();
InputStream sis = sslSocket.getInputStream();
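Review bot: The hard-coded array in `sslSocket.setEnabledProtocols(new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"})` makes `setEnabledProtocols` throw `IllegalArgumentException` on any JVM that does not support one of the listed names. It also duplicates policy that the rest of the commit centralises in `SSLUtils`. If this module can depend on the utils artifact, use `sslSocket.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslSocket.getEnabledProtocols()));`. Otherwise intersect the list with `sslSocket.getSupportedProtocols()` before applying it.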
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
----------------------------------------------------------------------
diff --git a/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java b/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
index ee0ee13..e58e6fb 100644
--- a/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
+++ b/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
@@ -21,6 +21,7 @@ import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.security.KeyStore;
+import org.apache.cloudstack.utils.security.SSLUtils;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
@@ -68,7 +69,7 @@ public class ConsoleProxySecureServerFactoryImpl implements ConsoleProxyServerFa
tmf.init(ks);
s_logger.info("Trust manager factory is initialized");
- sslContext = SSLContext.getInstance("TLS");
+ sslContext = SSLUtils.getSSLContext();
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
s_logger.info("SSL context is initialized");
} catch (Exception ioe) {
@@ -90,8 +91,8 @@ public class ConsoleProxySecureServerFactoryImpl implements ConsoleProxyServerFa
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ks);
s_logger.info("Trust manager factory is initialized");
-
- sslContext = SSLContext.getInstance("TLS");
+
+ sslContext = SSLUtils.getSSLContext();
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
s_logger.info("SSL context is initialized");
} catch(Exception e) {
@@ -133,8 +134,10 @@ public class ConsoleProxySecureServerFactoryImpl implements ConsoleProxyServerFa
try {
SSLServerSocket srvSock = null;
SSLServerSocketFactory ssf = sslContext.getServerSocketFactory();
+
srvSock = (SSLServerSocket) ssf.createServerSocket(port);
-
+ srvSock.setEnabledProtocols(SSLUtils.getSupportedProtocols(srvSock.getEnabledProtocols()));
+
s_logger.info("create SSL server socket on port: " + port);
return srvSock;
} catch (Exception ioe) {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java
----------------------------------------------------------------------
diff --git a/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java b/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java
index c77b551..532d599 100644
--- a/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java
+++ b/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java
@@ -16,6 +16,8 @@
// under the License.
package com.cloud.consoleproxy.util;
+import org.apache.cloudstack.utils.security.SSLUtils;
+
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
@@ -136,8 +138,16 @@ public final class RawHTTP {
private Socket _getSocket() throws IOException {
if (useSSL) {
- SSLContext context = getClientSSLContext();
- if(context == null)
+ SSLContext context = null;
+ try {
+ context = SSLUtils.getSSLContext("SunJSSE");
+ } catch (NoSuchAlgorithmException e) {
+ s_logger.error("Unexpected exception ", e);
+ } catch (NoSuchProviderException e) {
+ s_logger.error("Unexpected exception ", e);
+ }
+
+ if (context == null)
throw new IOException("Unable to setup SSL context");
SSLSocket ssl = null;
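Review bot: Both catch blocks log and fall through, so the `IOException("Unable to setup SSL context")` thrown afterwards carries no cause and callers cannot tell a missing algorithm from a missing provider. Throwing from inside each catch with `throw new IOException("Unable to setup SSL context", e);` keeps the cause and makes the `context == null` check unnecessary. The provider name `"SunJSSE"` stays hard-coded, which presumably fails on JVMs that ship a different JSSE provider, so a comment stating why the provider is pinned would help. `_getSocket` continues past the end of this hunk.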
@@ -145,6 +155,7 @@ public final class RawHTTP {
context.init(null, trustAllCerts, new SecureRandom());
SocketFactory factory = context.getSocketFactory();
ssl = (SSLSocket) factory.createSocket(host, port);
+ ssl.setEnabledProtocols(SSLUtils.getSupportedProtocols(ssl.getEnabledProtocols()));
/* ssl.setSSLParameters(context.getDefaultSSLParameters()); */
} catch (IOException e) {
s_logger.error("IOException: " + e.getMessage(), e);
@@ -234,16 +245,4 @@ public final class RawHTTP {
}
}
}
-
- private SSLContext getClientSSLContext() {
- SSLContext sslContext = null;
- try {
- sslContext = SSLContext.getInstance("SSL", "SunJSSE");
- } catch (NoSuchAlgorithmException e) {
- s_logger.error("Unexpected exception ", e);
- } catch (NoSuchProviderException e) {
- s_logger.error("Unexpected exception ", e);
- }
- return sslContext;
- }
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl b/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl
index 0eea44d..6699f14 100644
--- a/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl
+++ b/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl
@@ -42,6 +42,7 @@
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
+ SSLProtocol all -SSLv2 -SSLv3
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/systemvm/patches/debian/config/etc/apache2/vhostexample.conf
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/apache2/vhostexample.conf b/systemvm/patches/debian/config/etc/apache2/vhostexample.conf
index c1bf8ea..70cb7dc 100644
--- a/systemvm/patches/debian/config/etc/apache2/vhostexample.conf
+++ b/systemvm/patches/debian/config/etc/apache2/vhostexample.conf
@@ -86,6 +86,7 @@
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
+ SSLProtocol all -SSLv2 -SSLv3
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/systemvm/scripts/config_ssl.sh
----------------------------------------------------------------------
diff --git a/systemvm/scripts/config_ssl.sh b/systemvm/scripts/config_ssl.sh
index e474787..5e00a45 100755
--- a/systemvm/scripts/config_ssl.sh
+++ b/systemvm/scripts/config_ssl.sh
@@ -36,6 +36,7 @@ config_httpd_conf() {
echo " DocumentRoot /var/www/html/" >> /etc/httpd/conf/httpd.conf
echo " ServerName $srvr" >> /etc/httpd/conf/httpd.conf
echo " SSLEngine on" >> /etc/httpd/conf/httpd.conf
+ echo " SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/httpd.conf
echo " SSLCertificateFile /etc/httpd/ssl/certs/realhostip.crt" >> /etc/httpd/conf/httpd.conf
echo " SSLCertificateKeyFile /etc/httpd/ssl/keys/realhostip.key" >> /etc/httpd/conf/httpd.conf
echo "</VirtualHost>" >> /etc/httpd/conf/httpd.conf
@@ -53,6 +54,11 @@ config_apache2_conf() {
sed -i -e "s/NameVirtualHost .*:80/NameVirtualHost $ip:80/g" /etc/apache2/ports.conf
sed -i 's/ssl-cert-snakeoil.key/cert_apache.key/' /etc/apache2/sites-available/default-ssl
sed -i 's/ssl-cert-snakeoil.pem/cert_apache.crt/' /etc/apache2/sites-available/default-ssl
+ sed -i 's/SSLProtocol.*$/SSLProtocol all -SSLv2 -SSLv3/' /etc/apache2/sites-available/default-ssl
+ if [ -f /etc/ssl/certs/cert_apache_chain.crt ]
+ then
+ sed -i -e "s/#SSLCertificateChainFile.*/SSLCertificateChainFile \/etc\/ssl\/certs\/cert_apache_chain.crt/" /etc/apache2/sites-available/default-ssl
+ fi
}
copy_certs() {
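Review bot: The added `sed -i 's/SSLProtocol.*$/SSLProtocol all -SSLv2 -SSLv3/'` only rewrites a line that already exists, so on a system VM whose default-ssl has no `SSLProtocol` directive it silently does nothing and the JVM-independent Apache defaults stay in force. The pattern is also unanchored, so any comment line that mentions SSLProtocol gets rewritten too. Consider anchoring it, `sed -i 's/^\([[:space:]]*\)SSLProtocol .*$/\1SSLProtocol all -SSLv2 -SSLv3/'`, and following it with a `grep -q` check that logs or appends the directive when no match is found.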
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/test/pom.xml
----------------------------------------------------------------------
diff --git a/test/pom.xml b/test/pom.xml
index 9058722..58b1e78 100644
--- a/test/pom.xml
+++ b/test/pom.xml
@@ -67,7 +67,7 @@
<dependency>
<groupId>commons-httpclient</groupId>
<artifactId>commons-httpclient</artifactId>
- <version>${cs.httpclient.version}</version>
+ <version>${cs.commons-httpclient.version}</version>
</dependency>
</dependencies>
<build>
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/utils/src/com/cloud/utils/nio/Link.java
----------------------------------------------------------------------
diff --git a/utils/src/com/cloud/utils/nio/Link.java b/utils/src/com/cloud/utils/nio/Link.java
index 374b380..67d88c6 100755
--- a/utils/src/com/cloud/utils/nio/Link.java
+++ b/utils/src/com/cloud/utils/nio/Link.java
@@ -40,6 +40,7 @@ import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
+import org.apache.cloudstack.utils.security.SSLUtils;
import org.apache.log4j.Logger;
import com.cloud.utils.PropertiesUtil;
@@ -433,7 +434,7 @@ public class Link {
tms[0] = new TrustAllManager();
}
- sslContext = SSLContext.getInstance("TLS");
+ sslContext = SSLUtils.getSSLContext();
sslContext.init(kmf.getKeyManagers(), tms, null);
if (s_logger.isTraceEnabled()) {
s_logger.trace("SSL: SSLcontext has been initialized");
@@ -460,7 +461,7 @@ public class Link {
ByteBuffer out_appBuf =
ByteBuffer.allocate(sslSession.getApplicationBufferSize() + 40);
int count;
- ch.socket().setSoTimeout(10 * 1000);
+ ch.socket().setSoTimeout(30 * 1000);
InputStream inStream = ch.socket().getInputStream();
// Use readCh to make sure the timeout on reading is working
ReadableByteChannel readCh = Channels.newChannel(inStream);
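Review bot: The read timeout changes from `10 * 1000` to `30 * 1000` with no explanation in the commit message or the code, and it is unrelated to protocol selection. Tripling the time a peer may hold a handshake open affects how long a stalled or unresponsive connection ties up a thread, so the reason should be recorded. Suggest a named constant with a comment, e.g. `private static final int HANDSHAKE_READ_TIMEOUT_MS = 30 * 1000; // raised from 10s: <reason>`. The enclosing method starts and ends outside this hunk.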
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/utils/src/com/cloud/utils/nio/NioClient.java
----------------------------------------------------------------------
diff --git a/utils/src/com/cloud/utils/nio/NioClient.java b/utils/src/com/cloud/utils/nio/NioClient.java
index 8d12f93..679e9fe 100755
--- a/utils/src/com/cloud/utils/nio/NioClient.java
+++ b/utils/src/com/cloud/utils/nio/NioClient.java
@@ -27,6 +27,8 @@ import javax.net.ssl.SSLEngine;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.utils.security.SSLUtils;
+
public class NioClient extends NioConnection {
private static final Logger s_logger = Logger.getLogger(NioClient.class);
@@ -75,6 +77,7 @@ public class NioClient extends NioConnection {
SSLContext sslContext = Link.initSSLContext(true);
sslEngine = sslContext.createSSLEngine(_host, _port);
sslEngine.setUseClientMode(true);
+ sslEngine.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslEngine.getEnabledProtocols()));
Link.doHandshake(sch, sslEngine, true);
s_logger.info("SSL: Handshake done");
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/utils/src/com/cloud/utils/nio/NioConnection.java
----------------------------------------------------------------------
diff --git a/utils/src/com/cloud/utils/nio/NioConnection.java b/utils/src/com/cloud/utils/nio/NioConnection.java
index 07c2bea..224609a 100755
--- a/utils/src/com/cloud/utils/nio/NioConnection.java
+++ b/utils/src/com/cloud/utils/nio/NioConnection.java
@@ -38,6 +38,8 @@ import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
+import org.apache.cloudstack.utils.security.SSLUtils;
+
import org.apache.log4j.Logger;
import com.cloud.utils.concurrency.NamedThreadFactory;
@@ -193,6 +195,7 @@ public abstract class NioConnection implements Runnable {
sslEngine = sslContext.createSSLEngine();
sslEngine.setUseClientMode(false);
sslEngine.setNeedClientAuth(false);
+ sslEngine.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslEngine.getEnabledProtocols()));
Link.doHandshake(socketChannel, sslEngine, false);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java
----------------------------------------------------------------------
diff --git a/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java b/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java
new file mode 100644
index 0000000..7f9ee77
--- /dev/null
+++ b/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java
@@ -0,0 +1,51 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package org.apache.cloudstack.utils.security;
+
+import org.apache.log4j.Logger;
+
+import javax.net.ssl.SSLContext;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.util.HashSet;
+import java.util.Set;
+
+public class SSLUtils {
+ public static final Logger s_logger = Logger.getLogger(SSLUtils.class);
+
+ public static String[] getSupportedProtocols(String[] protocols) {
+ Set set = new HashSet();
+ for (String s : protocols) {
+ if (s.equals("SSLv3") || s.equals("SSLv2Hello")) {
+ continue;
+ }
+ set.add(s);
+ }
+ return (String[]) set.toArray(new String[set.size()]);
+ }
+
+ public static SSLContext getSSLContext() throws NoSuchAlgorithmException {
+ return SSLContext.getInstance("TLSv1.2");
+ }
+
+ public static SSLContext getSSLContext(String provider) throws NoSuchAlgorithmException, NoSuchProviderException {
+ return SSLContext.getInstance("TLSv1.2", provider);
+ }
+}
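Review bot: `getSupportedProtocols` builds its result in a raw `HashSet`, which gives unchecked warnings, needs a cast on `toArray`, and discards the order in which the JVM returned the protocols; a typed list does the same filtering without any of that (it needs `java.util.List` and `java.util.ArrayList` imports). The method name is also misleading, since it filters the enabled list it is given and does not query what the JVM supports. The two `getSSLContext` overloads request `"TLSv1.2"`, which throws `NoSuchAlgorithmException` on a JVM without that algorithm and, as far as I know, does not by itself stop older protocols being enabled on sockets created from the context. A class Javadoc should state that callers must still apply `getSupportedProtocols` to each socket or engine. The `s_logger` field is public and unused in this file.
```java
public static String[] getSupportedProtocols(String[] protocols) {
    // Keep the JVM's ordering; drop only the legacy SSL entries.
    List<String> kept = new ArrayList<String>(protocols.length);
    for (String s : protocols) {
        if (s.equals("SSLv3") || s.equals("SSLv2Hello")) {
            continue;
        }
        kept.add(s);
    }
    return kept.toArray(new String[kept.size()]);
}
// … unchanged: getSSLContext() and getSSLContext(String provider) …
```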
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java
----------------------------------------------------------------------
diff --git a/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java b/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java
index 52f0ea6..76ea8da 100644
--- a/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java
+++ b/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java
@@ -39,8 +39,11 @@ import java.net.UnknownHostException;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
+import org.apache.cloudstack.utils.security.SSLUtils;
+
import org.apache.commons.httpclient.ConnectTimeoutException;
import org.apache.commons.httpclient.HttpClientError;
import org.apache.commons.httpclient.params.HttpConnectionParams;
@@ -111,7 +114,7 @@ public class EasySSLProtocolSocketFactory implements SecureProtocolSocketFactory
private static SSLContext createEasySSLContext() {
try {
- SSLContext context = SSLContext.getInstance("SSL");
+ SSLContext context = SSLUtils.getSSLContext();
context.init(
null,
new TrustManager[] {new EasyX509TrustManager(null)},
@@ -130,22 +133,11 @@ public class EasySSLProtocolSocketFactory implements SecureProtocolSocketFactory
return this.sslcontext;
}
- /**
- * @see SecureProtocolSocketFactory#createSocket(java.lang.String,int,java.net.InetAddress,int)
- */
- public Socket createSocket(
- String host,
- int port,
- InetAddress clientHost,
- int clientPort)
- throws IOException, UnknownHostException {
-
- return getSSLContext().getSocketFactory().createSocket(
- host,
- port,
- clientHost,
- clientPort
- );
+ @Override
+ public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort) throws IOException, UnknownHostException {
+ SSLSocket socket = (SSLSocket) getSSLContext().getSocketFactory().createSocket(host, port, clientHost, clientPort);
+ socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols()));
+ return socket;
}
/**
@@ -159,8 +151,8 @@ public class EasySSLProtocolSocketFactory implements SecureProtocolSocketFactory
*
* @param host the host name/IP
* @param port the port on the host
- * @param clientHost the local host name/IP to bind the socket to
- * @param clientPort the port on the local machine
+ * @param localAddress the local host name/IP to bind the socket to
+ * @param localPort the port on the local machine
* @param params {@link HttpConnectionParams Http connection parameters}
*
* @return Socket a new socket
@@ -184,7 +176,8 @@ public class EasySSLProtocolSocketFactory implements SecureProtocolSocketFactory
if (timeout == 0) {
return socketfactory.createSocket(host, port, localAddress, localPort);
} else {
- Socket socket = socketfactory.createSocket();
+ SSLSocket socket = (SSLSocket) socketfactory.createSocket();
+ socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols()));
SocketAddress localaddr = new InetSocketAddress(localAddress, localPort);
SocketAddress remoteaddr = new InetSocketAddress(host, port);
socket.bind(localaddr);
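Review bot: The `timeout == 0` branch on the unchanged context line still returns `socketfactory.createSocket(host, port, localAddress, localPort)` directly, so sockets created without a connect timeout skip the protocol filter that the `else` branch now applies. Apply the same filter there: `SSLSocket s = (SSLSocket) socketfactory.createSocket(host, port, localAddress, localPort);`, then `s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols()));` and `return s;`. This assumes `socketfactory` comes from the same SSL context; its declaration is outside the hunk.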
@@ -193,32 +186,16 @@ public class EasySSLProtocolSocketFactory implements SecureProtocolSocketFactory
}
}
- /**
- * @see SecureProtocolSocketFactory#createSocket(java.lang.String,int)
- */
- public Socket createSocket(String host, int port)
- throws IOException, UnknownHostException {
- return getSSLContext().getSocketFactory().createSocket(
- host,
- port
- );
+ public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
+ SSLSocket socket = (SSLSocket) getSSLContext().getSocketFactory().createSocket(host, port);
+ socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols()));
+ return socket;
}
- /**
- * @see SecureProtocolSocketFactory#createSocket(java.net.Socket,java.lang.String,int,boolean)
- */
- public Socket createSocket(
- Socket socket,
- String host,
- int port,
- boolean autoClose)
- throws IOException, UnknownHostException {
- return getSSLContext().getSocketFactory().createSocket(
- socket,
- host,
- port,
- autoClose
- );
+ public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException, UnknownHostException {
+ SSLSocket s= (SSLSocket) getSSLContext().getSocketFactory().createSocket(socket, host, port, autoClose);
+ s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols()));
+ return s;
}
public boolean equals(Object obj) {
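Review bot: The rewritten `createSocket` overloads in this hunk and the earlier one each repeat the same cast-and-filter pair, and only the four-argument overload gained `@Override`. A private helper such as `private static Socket restrictProtocols(Socket s)` that does the cast and the `setEnabledProtocols` call would keep the policy in one place and make it harder to miss a code path. The removed `@see SecureProtocolSocketFactory#createSocket(...)` Javadoc could be replaced by `@Override` on all three overloads. `SSLSocket s= (SSLSocket)` is also missing a space before `=`.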
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java
----------------------------------------------------------------------
diff --git a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java
index f196697..49512c0 100644
--- a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java
+++ b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java
@@ -32,6 +32,8 @@ import javax.xml.ws.WebServiceException;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.utils.security.SSLUtils;
+
import com.vmware.vim25.DynamicProperty;
import com.vmware.vim25.InvalidCollectorVersionFaultMsg;
import com.vmware.vim25.InvalidPropertyFaultMsg;
@@ -103,7 +105,7 @@ public class VmwareClient {
javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
javax.net.ssl.TrustManager tm = new TrustAllTrustManager();
trustAllCerts[0] = tm;
- javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("SSL");
+ javax.net.ssl.SSLContext sc = SSLUtils.getSSLContext();
javax.net.ssl.SSLSessionContext sslsc = sc.getServerSessionContext();
sslsc.setSessionTimeout(0);
sc.init(null, trustAllCerts, null);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java
----------------------------------------------------------------------
diff --git a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java
index eefb7cb..3182acc 100755
--- a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java
+++ b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java
@@ -40,6 +40,7 @@ import javax.net.ssl.SSLSession;
import javax.xml.ws.soap.SOAPFaultException;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.utils.security.SSLUtils;
import com.cloud.hypervisor.vmware.mo.DatacenterMO;
import com.cloud.hypervisor.vmware.mo.DatastoreFile;
@@ -77,7 +78,7 @@ public class VmwareContext {
javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
javax.net.ssl.TrustManager tm = new TrustAllManager();
trustAllCerts[0] = tm;
- javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("SSL");
+ javax.net.ssl.SSLContext sc = SSLUtils.getSSLContext();
sc.init(null, trustAllCerts, null);
javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());