Posted to commits@qpid.apache.org by rh...@apache.org on 2014/10/16 18:05:12 UTC

svn commit: r1632372 - /qpid/proton/trunk/proton-j/src/main/java/org/apache/qpid/proton/engine/impl/ssl/SslEngineFacadeFactory.java

Author: rhs
Date: Thu Oct 16 16:05:11 2014
New Revision: 1632372

URL: http://svn.apache.org/r1632372
Log:
PROTON-717: disable SSLv3

Modified:
    qpid/proton/trunk/proton-j/src/main/java/org/apache/qpid/proton/engine/impl/ssl/SslEngineFacadeFactory.java

Modified: qpid/proton/trunk/proton-j/src/main/java/org/apache/qpid/proton/engine/impl/ssl/SslEngineFacadeFactory.java
URL: http://svn.apache.org/viewvc/qpid/proton/trunk/proton-j/src/main/java/org/apache/qpid/proton/engine/impl/ssl/SslEngineFacadeFactory.java?rev=1632372&r1=1632371&r2=1632372&view=diff
==============================================================================
--- qpid/proton/trunk/proton-j/src/main/java/org/apache/qpid/proton/engine/impl/ssl/SslEngineFacadeFactory.java (original)
+++ qpid/proton/trunk/proton-j/src/main/java/org/apache/qpid/proton/engine/impl/ssl/SslEngineFacadeFactory.java Thu Oct 16 16:05:11 2014
@@ -204,9 +204,24 @@ public class SslEngineFacadeFactory
         boolean useClientMode = mode == SslDomain.Mode.CLIENT ? true : false;
         sslEngine.setUseClientMode(useClientMode);
 
+        removeSSLv3Support(sslEngine);
+
         return sslEngine;
     }
 
+    private static final String SSLV3_PROTOCOL = "SSLv3";
+
+    private static void removeSSLv3Support(final SSLEngine engine)
+    {
+        List<String> enabledProtocols = Arrays.asList(engine.getEnabledProtocols());
+        if(enabledProtocols.contains(SSLV3_PROTOCOL))
+        {
+            List<String> allowedProtocols = new ArrayList<String>(enabledProtocols);
+            allowedProtocols.remove(SSLV3_PROTOCOL);
+            engine.setEnabledProtocols(allowedProtocols.toArray(new String[allowedProtocols.size()]));
+        }
+    }
+
     /**
      * @param sslPeerDetails is allowed to be null. A non-null value is used to hint that SSL resumption
      * should be attempted
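Review bot: `removeSSLv3Support` filters the enabled list by one exact name, so it acts as a deny-list: any other legacy entry the provider enables by default (for example `SSLv2Hello`, where present) passes through unchanged. If `SSLv3` happened to be the only enabled protocol, the engine is handed an empty array and the problem presumably surfaces only at handshake time. Keeping only the wanted entries would be more robust: build the list by iterating `engine.getEnabledProtocols()` with `if (p.startsWith("TLS")) allowedProtocols.add(p);`, and log or throw when nothing remains. The helper also deserves a short comment such as `// SSLv3 is no longer considered secure; never offer or accept it, whatever the JVM default is`. The method that calls it at the top of the hunk starts outside the hunk, so it is not visible here whether every engine-creation path goes through this call.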


