Posted to commits@cxf.apache.org by co...@apache.org on 2018/10/05 15:16:53 UTC

[cxf] branch 3.2.x-fixes updated (4c64888 -> 625ede2)

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a change to branch 3.2.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git.


    from 4c64888  Allow more customization of Operation responses
     new 57b7cd1  Remove default ciphersuite filter inclusion (which isn't used anyway)
     new d31bbad  CXF-7865 - Enable default ciphersuites exclusion filter
     new 625ede2  Recording .gitmergeinfo Changes

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .gitmergeinfo                                      |  4 ++
 .../apache/cxf/configuration/jsse/SSLUtils.java    | 59 ++++++++++++++--------
 .../https/ciphersuites/CipherSuitesTest.java       | 54 ++++++++++++++++++++
 3 files changed, 97 insertions(+), 20 deletions(-)


[cxf] 02/03: CXF-7865 - Enable default ciphersuites exclusion filter

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.2.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit d31bbade6b05dea0b02a3f2ed3d8b5a714f2a5e9
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Oct 5 14:09:59 2018 +0100

    CXF-7865 - Enable default ciphersuites exclusion filter
    
    (cherry picked from commit e60e8ab5d7414a0dc581c5666873e1ab0413b107)
    
    # Conflicts:
    #	core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
---
 .../apache/cxf/configuration/jsse/SSLUtils.java    | 58 +++++++++++++++-------
 .../https/ciphersuites/CipherSuitesTest.java       | 54 ++++++++++++++++++++
 2 files changed, 93 insertions(+), 19 deletions(-)

diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
index 62c660b..ad616e7 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
@@ -31,12 +31,12 @@ import java.security.KeyStore;
 import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.Collections;
 import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import java.util.stream.Collectors;
 
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
@@ -68,13 +68,12 @@ public final class SSLUtils {
     private static final String HTTPS_CIPHER_SUITES = "https.cipherSuites";
 
     /**
-     * By default, exclude NULL, anon, EXPORT, DES ciphersuites
+     * By default, exclude NULL, anon and EXPORT ciphersuites
      */
     private static final List<String> DEFAULT_CIPHERSUITE_FILTERS_EXCLUDE =
-        Arrays.asList(new String[] {".*_NULL_.*",
-                                    ".*_anon_.*",
-                                    ".*_EXPORT_.*",
-                                    ".*_DES_.*"});
+        Arrays.asList(new String[] {".*NULL.*",
+                                    ".*anon.*",
+                                    ".*EXPORT.*"});
 
     private static volatile KeyManager[] defaultManagers;
 
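Review bot: Dropping `.*_DES_.*` from DEFAULT_CIPHERSUITE_FILTERS_EXCLUDE means single-DES suites are no longer excluded by default, yet neither the Javadoc nor the commit message says why the default was narrowed. If the intent is to rely on the JDK's own disabled-algorithm handling for DES, record that next to the list so the omission is not read as an oversight, e.g. extend the Javadoc with `* DES is deliberately not listed here: <reason — TODO confirm with author>`. It is also worth noting in the Javadoc that these three pattern texts are what filterDefaultExcludes compares include patterns against, since loosening them from `_NULL_` to `NULL` changes which user includes cancel a default.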
@@ -400,16 +399,27 @@ public final class SSLUtils {
                                            String[] supportedCipherSuites,
                                            Logger log, boolean exclude) {
         // We have explicit filters, so use the "include/exclude" cipherSuiteFilter configuration
+        List<Pattern> includes = new ArrayList<>();
+        List<Pattern> excludes = new ArrayList<>();
+
+        if (filters != null) {
+            // We must have an inclusion pattern specified or no ciphersuites are filtered
+            compileRegexPatterns(includes, filters.getInclude(), true, log);
+
+            if (filters.isSetExclude()) {
+                // If we have specified excludes, then the default excludes are ignored
+                compileRegexPatterns(excludes, filters.getExclude(), false, log);
+            } else {
+                // Otherwise use the default excludes, but remove from the default excludes any
+                // ciphersuites explicitly matched by the inclusion filters
+                List<String> filteredExcludes =
+                    filterDefaultExcludes(filters.getInclude(), DEFAULT_CIPHERSUITE_FILTERS_EXCLUDE);
+                compileRegexPatterns(excludes, filteredExcludes, false, log);
+            }
+        }
+
         List<String> filteredCipherSuites = new ArrayList<>();
         List<String> excludedCipherSuites = new ArrayList<>();
-        List<Pattern> includes =
-            filters != null
-                ? compileRegexPatterns(filters.getInclude(), true, log)
-                : Collections.emptyList();
-        List<Pattern> excludes =
-            filters != null
-                ? compileRegexPatterns(filters.getExclude(), false, log)
-                : compileRegexPatterns(DEFAULT_CIPHERSUITE_FILTERS_EXCLUDE, true, log);
         for (int i = 0; i < supportedCipherSuites.length; i++) {
             if (matchesOneOf(supportedCipherSuites[i], includes)
                 && !matchesOneOf(supportedCipherSuites[i], excludes)) {
@@ -440,6 +450,19 @@ public final class SSLUtils {
         return getCiphersFromList(filteredCipherSuites, log, exclude);
     }
 
+    private static List<String> filterDefaultExcludes(List<String> includes, List<String> defaultExcludes) {
+        if (includes != null && !includes.isEmpty()) {
+            // Filter the default exclusion filters to remove any that explicitly match the inclusion filters
+            // e.g. if the user wants the NULL ciphersuite then remove it from the default excludes
+            return defaultExcludes.stream()
+                .filter(ex -> !includes.stream()
+                    .anyMatch(inc -> inc.matches(ex)))
+                .collect(Collectors.toList());
+        }
+
+        return defaultExcludes;
+    }
+
     private static String[] getSystemCiphersuites(Logger log) {
         String jvmCipherSuites = System.getProperty(HTTPS_CIPHER_SUITES);
         if ((jvmCipherSuites != null) && (!jvmCipherSuites.isEmpty())) {
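Review bot: `inc.matches(ex)` in filterDefaultExcludes tests the literal text of each include regex against the default-exclude regex, not any ciphersuite name, so a default exclude is dropped exactly when an include pattern's text contains `NULL`, `anon` or `EXPORT`; an include that selects the same suites with a different spelling (a character class, a case variant, a partial name) keeps the default exclude in force. The comment on the method reads as if ciphersuites were being matched; make the heuristic explicit, e.g. `// A default exclude is dropped when its regex matches the *text* of an include pattern (e.g. ".*anon.*"), not when it matches a ciphersuite name`. A Javadoc line stating that the result is the original `defaultExcludes` list (not a copy) when no includes are configured would also help callers that might mutate it.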
@@ -450,10 +473,8 @@ public final class SSLUtils {
 
     }
 
-    private static List<Pattern> compileRegexPatterns(List<String> regexes,
-                                                      boolean include,
-                                                      Logger log) {
-        List<Pattern> patterns = new ArrayList<>();
+    private static void compileRegexPatterns(List<Pattern> patterns, List<String> regexes,
+                                             boolean include, Logger log) {
         if (regexes != null) {
             String msg = include
                          ? "CIPHERSUITE_INCLUDE_FILTER"
@@ -463,7 +484,6 @@ public final class SSLUtils {
                 patterns.add(Pattern.compile(s));
             }
         }
-        return patterns;
     }
 
     private static boolean matchesOneOf(String s, List<Pattern> patterns) {
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java
index 382e21a..2564e35 100644
--- a/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java
@@ -22,11 +22,13 @@ package org.apache.cxf.systest.https.ciphersuites;
 import java.net.URL;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
+import java.util.Arrays;
 import java.util.Collections;
 
 import javax.crypto.Cipher;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
+import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
 import javax.xml.ws.BindingProvider;
@@ -34,7 +36,10 @@ import javax.xml.ws.BindingProvider;
 import org.apache.cxf.Bus;
 import org.apache.cxf.BusFactory;
 import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.configuration.jsse.SSLUtils;
 import org.apache.cxf.configuration.jsse.TLSClientParameters;
+import org.apache.cxf.configuration.security.FiltersType;
 import org.apache.cxf.endpoint.Client;
 import org.apache.cxf.frontend.ClientProxy;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
@@ -593,6 +598,55 @@ public class CipherSuitesTest extends AbstractBusClientServerTestBase {
         bus.shutdown(true);
     }
 
+    @org.junit.Test
+    public void testDefaultCipherSuitesFilterExcluded() throws Exception {
+        SSLContext sslContext = SSLContext.getInstance("TLS");
+        sslContext.init(null, null, new java.security.SecureRandom());
+
+        FiltersType filtersType = new FiltersType();
+        filtersType.getInclude().add(".*_AES_.*");
+        String[] supportedCipherSuites = sslContext.getSocketFactory().getSupportedCipherSuites();
+        String[] filteredCipherSuites = SSLUtils.getFilteredCiphersuites(filtersType, supportedCipherSuites,
+                                         LogUtils.getL7dLogger(CipherSuitesTest.class), false);
+
+        // Check we have no anon/EXPORT/NULL/etc ciphersuites
+        assertFalse(Arrays.stream(
+            filteredCipherSuites).anyMatch(c -> c.matches(".*NULL|anon|EXPORT.*")));
+    }
+
+    @org.junit.Test
+    public void testExclusionFilter() throws Exception {
+        SSLContext sslContext = SSLContext.getInstance("TLS");
+        sslContext.init(null, null, new java.security.SecureRandom());
+
+        FiltersType filtersType = new FiltersType();
+        filtersType.getInclude().add(".*_AES_.*");
+        filtersType.getExclude().add(".*anon.*");
+        String[] supportedCipherSuites = sslContext.getSocketFactory().getSupportedCipherSuites();
+        String[] filteredCipherSuites = SSLUtils.getFilteredCiphersuites(filtersType, supportedCipherSuites,
+                                         LogUtils.getL7dLogger(CipherSuitesTest.class), false);
+
+        // Check we have no anon ciphersuites
+        assertFalse(Arrays.stream(
+            filteredCipherSuites).anyMatch(c -> c.matches(".*anon.*")));
+    }
+
+    @org.junit.Test
+    public void testInclusionFilter() throws Exception {
+        SSLContext sslContext = SSLContext.getInstance("TLS");
+        sslContext.init(null, null, new java.security.SecureRandom());
+
+        FiltersType filtersType = new FiltersType();
+        filtersType.getInclude().add(".*anon.*");
+        String[] supportedCipherSuites = sslContext.getSocketFactory().getSupportedCipherSuites();
+        String[] filteredCipherSuites = SSLUtils.getFilteredCiphersuites(filtersType, supportedCipherSuites,
+                                         LogUtils.getL7dLogger(CipherSuitesTest.class), false);
+
+        // Check we have anon ciphersuites
+        assertTrue(Arrays.stream(
+            filteredCipherSuites).anyMatch(c -> c.matches(".*anon.*")));
+    }
+
     private static class NoOpX509TrustManager implements X509TrustManager {
 
         NoOpX509TrustManager() {
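Review bot: The regex in testDefaultCipherSuitesFilterExcluded, `.*NULL|anon|EXPORT.*`, parses as the three alternatives `.*NULL`, `anon` and `EXPORT.*`, and because `String.matches` requires a full match the middle alternative only matches a name that is exactly `anon`, so an anon suite leaking through the default filter would not fail this test (and a NULL suite is only caught if `NULL` ends the name). Group the alternation: `filteredCipherSuites).anyMatch(c -> c.matches(".*(NULL|anon|EXPORT).*"))`. Separately, `assertFalse(anyMatch(...))` in both testDefaultCipherSuitesFilterExcluded and testExclusionFilter passes vacuously when the filter returns nothing, so add `assertTrue(filteredCipherSuites.length > 0);` before each of those assertions. All three tests depend on the running JDK reporting anon/NULL suites in getSupportedCipherSuites(); if a JDK drops them the inclusion test will fail for reasons unrelated to SSLUtils, which a short comment on the test should acknowledge.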


[cxf] 01/03: Remove default ciphersuite filter inclusion (which isn't used anyway)

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.2.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 57b7cd196db37ccede566a9fb89d6c160769dcd7
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Oct 5 10:56:21 2018 +0100

    Remove default ciphersuite filter inclusion (which isn't used anyway)
    
    (cherry picked from commit 86d7c657499b73bdbbd6ba9f1579e76ca0715357)
---
 core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
index a974159..62c660b 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
@@ -31,6 +31,7 @@ import java.security.KeyStore;
 import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -66,8 +67,6 @@ public final class SSLUtils {
 
     private static final String HTTPS_CIPHER_SUITES = "https.cipherSuites";
 
-    private static final List<String> DEFAULT_CIPHERSUITE_FILTERS_INCLUDE =
-        Arrays.asList(new String[] {".*"});
     /**
      * By default, exclude NULL, anon, EXPORT, DES ciphersuites
      */
@@ -406,7 +405,7 @@ public final class SSLUtils {
         List<Pattern> includes =
             filters != null
                 ? compileRegexPatterns(filters.getInclude(), true, log)
-                : compileRegexPatterns(DEFAULT_CIPHERSUITE_FILTERS_INCLUDE, true, log);
+                : Collections.emptyList();
         List<Pattern> excludes =
             filters != null
                 ? compileRegexPatterns(filters.getExclude(), false, log)
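Review bot: Replacing the `.*` default include with `Collections.emptyList()` changes the `filters == null` path from "everything except the default excludes" to "nothing included", assuming matchesOneOf returns false for an empty pattern list. The commit message says this path is not used, which presumably means callers never pass a null FiltersType; since that contract is not visible here, make it explicit at the null branch, e.g. `// Callers always supply filters; with none configured no ciphersuite is included`, or guard with `Objects.requireNonNull(filters, "filters")` if that is indeed the contract. The enclosing method starts and ends outside this hunk.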


[cxf] 03/03: Recording .gitmergeinfo Changes

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.2.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 625ede281698a59d6fae18851eaf5ceff5e93d7e
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Oct 5 16:16:41 2018 +0100

    Recording .gitmergeinfo Changes
---
 .gitmergeinfo | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.gitmergeinfo b/.gitmergeinfo
index f700480..ec8680c 100644
--- a/.gitmergeinfo
+++ b/.gitmergeinfo
@@ -1,6 +1,7 @@
 origin/master
 B 01559f20020110407ceb142e4ec53eaddcaeb9d4
 B 057f4dc521f02227d7b36bbb508835a9edb69e15
+B 143145643b3bb2f0a7ba97ec216bc59de754fd94
 B 25e88017b49bde5a53bce8dab3ecc93aab6dd040
 B 26568235d6db6ef44a74dac1ea1746319913c354
 B 37e9a9b3ed51cb9042fd288ab5f9b847e96bff1d
@@ -12,6 +13,7 @@ B 4da42032f95e667a402b113d6daf4bd0514c6d60
 B 58e72337226f4e963abfc6f1a65625d86b7003b5
 B 9db243c1aa44732996514200b490eb63683540b4
 B a3295e61bcf8c00c13a79707841a58131fd9c97d
+B a9c0c7705f70054a70eb3e95439d2a37731e0332
 B acc697f1c88f392bd952e07d50a9ae2ce0b76411
 B ae994168f50894010f1f148ec3b6f35b17e4b63b
 B b8236c923ba409087e8db6132963924151918efc
@@ -32,6 +34,8 @@ M 3904a477e70fe6385777120bfe4820ff9a7713f3
 M 3aaaad57c6bf541825c6ccfe427de2bae2c246d9
 M 4f8ae843f56e3ef84af43ae90f507e196726f0bf
 M 504a1b7827bc76f3c5106b901b44e54513db17aa
+M 86d7c657499b73bdbbd6ba9f1579e76ca0715357
 M 886a055d49d844e445721e4752c7a6360cbe8b9a
+M e60e8ab5d7414a0dc581c5666873e1ab0413b107
 M eaa14b96ea5275ff9ee27cf937cd498ca3dcd47f
 M efb2c3082fe8799a9d90a696e31239551b4f1823