You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by bh...@apache.org on 2015/01/21 13:35:18 UTC
[2/2] git commit: updated refs/heads/master to 664186f
CLOUDSTACK-8160: use preferable protocols
(cherry picked from commit debfcdef788ce0d51be06db0ef10f6815f9b563b)
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/664186f4
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/664186f4
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/664186f4
Branch: refs/heads/master
Commit: 664186f483e15e572553f86b3cdec33d2e96b9be
Parents: e7c8002
Author: Rohit Yadav <ro...@shapeblue.com>
Authored: Wed Jan 21 18:01:34 2015 +0530
Committer: Rohit Yadav <ro...@shapeblue.com>
Committed: Wed Jan 21 18:04:45 2015 +0530
----------------------------------------------------------------------
client/tomcatconf/server-nonssl.xml.in | 2 +-
client/tomcatconf/server-ssl.xml.in | 2 +-
client/tomcatconf/server7-nonssl.xml.in | 2 +-
client/tomcatconf/server7-ssl.xml.in | 2 +-
.../manager/ClusteredAgentManagerImpl.java | 2 +
.../mom/rabbitmq/RabbitMQEventBus.java | 7 ++-
.../resource/XenServerConnectionPool.java | 4 +-
.../opendaylight/api/NeutronRestApi.java | 19 ++++++--
.../cloud/network/utils/HttpClientWrapper.java | 4 +-
.../storage/datastore/util/ElastistorUtil.java | 3 +-
.../datastore/util/NexentaNmsClient.java | 4 +-
.../storage/datastore/util/SolidFireUtil.java | 4 +-
.../main/java/streamer/SocketWrapperImpl.java | 2 +-
.../ConsoleProxySecureServerFactoryImpl.java | 6 ++-
.../com/cloud/consoleproxy/util/RawHTTP.java | 25 +++++-----
.../etc/apache2/sites-available/default-ssl | 1 +
.../debian/config/etc/apache2/vhostexample.conf | 1 +
systemvm/scripts/config_ssl.sh | 2 +
utils/src/com/cloud/utils/nio/Link.java | 3 +-
utils/src/com/cloud/utils/nio/NioClient.java | 3 ++
.../src/com/cloud/utils/nio/NioConnection.java | 3 ++
.../cloud/utils/rest/RESTServiceConnector.java | 20 ++++++--
.../cloudstack/utils/security/SSLUtils.java | 51 ++++++++++++++++++++
.../ssl/EasySSLProtocolSocketFactory.java | 24 ++++++---
.../hypervisor/vmware/util/VmwareClient.java | 4 +-
.../hypervisor/vmware/util/VmwareContext.java | 3 +-
26 files changed, 156 insertions(+), 47 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/client/tomcatconf/server-nonssl.xml.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/server-nonssl.xml.in b/client/tomcatconf/server-nonssl.xml.in
index 847197c..e0debe4 100755
--- a/client/tomcatconf/server-nonssl.xml.in
+++ b/client/tomcatconf/server-nonssl.xml.in
@@ -82,7 +82,7 @@
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
- clientAuth="false" sslProtocol="TLS"
+ clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1"
keystoreType="PKCS12"
keystoreFile="conf\cloud-localhost.pk12"
keystorePass="password"
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/client/tomcatconf/server-ssl.xml.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/server-ssl.xml.in b/client/tomcatconf/server-ssl.xml.in
index 37bc53d..2e61251 100755
--- a/client/tomcatconf/server-ssl.xml.in
+++ b/client/tomcatconf/server-ssl.xml.in
@@ -82,7 +82,7 @@
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
- clientAuth="false" sslProtocol="TLS"
+ clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1"
keystoreType="PKCS12"
keystoreFile="conf\cloud-localhost.pk12"
keystorePass="password"
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/client/tomcatconf/server7-nonssl.xml.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/server7-nonssl.xml.in b/client/tomcatconf/server7-nonssl.xml.in
index 16085d7..7ea251a 100755
--- a/client/tomcatconf/server7-nonssl.xml.in
+++ b/client/tomcatconf/server7-nonssl.xml.in
@@ -82,7 +82,7 @@
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
- clientAuth="false" sslProtocol="TLS"
+ clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1"
keystoreType="PKCS12"
keystoreFile="conf\cloud-localhost.pk12"
keystorePass="password"
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/client/tomcatconf/server7-ssl.xml.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/server7-ssl.xml.in b/client/tomcatconf/server7-ssl.xml.in
index e8f3f10..97421ba 100755
--- a/client/tomcatconf/server7-ssl.xml.in
+++ b/client/tomcatconf/server7-ssl.xml.in
@@ -82,7 +82,7 @@
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
- clientAuth="false" sslProtocol="TLS"
+ clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1"
keystoreType="PKCS12"
keystoreFile="conf\cloud-localhost.pk12"
keystorePass="password"
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java
----------------------------------------------------------------------
diff --git a/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java b/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java
index ca978ff..e38489b 100644
--- a/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java
+++ b/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java
@@ -53,6 +53,7 @@ import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import org.apache.cloudstack.managed.context.ManagedContextRunnable;
import org.apache.cloudstack.managed.context.ManagedContextTimerTask;
import org.apache.cloudstack.utils.identity.ManagementServerNode;
+import org.apache.cloudstack.utils.security.SSLUtils;
import com.cloud.agent.AgentManager;
import com.cloud.agent.api.Answer;
@@ -505,6 +506,7 @@ public class ClusteredAgentManagerImpl extends AgentManagerImpl implements Clust
SSLContext sslContext = Link.initSSLContext(true);
sslEngine = sslContext.createSSLEngine(ip, Port.value());
sslEngine.setUseClientMode(true);
+ sslEngine.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslEngine.getEnabledProtocols()));
Link.doHandshake(ch1, sslEngine, true);
s_logger.info("SSL: Handshake done");
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
----------------------------------------------------------------------
diff --git a/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java b/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
index 2d389f2..25ecb75 100644
--- a/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
+++ b/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
@@ -59,6 +59,7 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus {
private static Integer port;
private static String username;
private static String password;
+ private static String secureProtocol = "TLSv1.2";
public synchronized static void setVirtualHost(String virtualHost) {
RabbitMQEventBus.virtualHost = virtualHost;
@@ -153,6 +154,10 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus {
RabbitMQEventBus.port = port;
}
+ public void setSecureProtocol(String protocol) {
+ RabbitMQEventBus.secureProtocol = protocol;
+ }
+
@Override
public void setName(String name) {
this.name = name;
@@ -373,7 +378,7 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus {
}
if (useSsl != null && !useSsl.isEmpty() && useSsl.equalsIgnoreCase("true")) {
- factory.useSslProtocol();
+ factory.useSslProtocol(this.secureProtocol);
}
Connection connection = factory.newConnection();
connection.addShutdownListener(disconnectHandler);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/XenServerConnectionPool.java
----------------------------------------------------------------------
diff --git a/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/XenServerConnectionPool.java b/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/XenServerConnectionPool.java
index 762c6dc..8df415e 100644
--- a/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/XenServerConnectionPool.java
+++ b/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/XenServerConnectionPool.java
@@ -35,6 +35,8 @@ import org.apache.log4j.Logger;
import org.apache.xmlrpc.XmlRpcException;
import org.apache.xmlrpc.client.XmlRpcClientException;
+import org.apache.cloudstack.utils.security.SSLUtils;
+
import com.xensource.xenapi.APIVersion;
import com.xensource.xenapi.Connection;
import com.xensource.xenapi.Host;
@@ -77,7 +79,7 @@ public class XenServerConnectionPool {
javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
javax.net.ssl.TrustManager tm = new TrustAllManager();
trustAllCerts[0] = tm;
- javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("TLS");
+ javax.net.ssl.SSLContext sc = SSLUtils.getSSLContext();
sc.init(null, trustAllCerts, null);
javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
HostnameVerifier hv = new HostnameVerifier() {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/plugins/network-elements/opendaylight/src/main/java/org/apache/cloudstack/network/opendaylight/api/NeutronRestApi.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/opendaylight/src/main/java/org/apache/cloudstack/network/opendaylight/api/NeutronRestApi.java b/plugins/network-elements/opendaylight/src/main/java/org/apache/cloudstack/network/opendaylight/api/NeutronRestApi.java
index 8c67a98..63d81a8 100644
--- a/plugins/network-elements/opendaylight/src/main/java/org/apache/cloudstack/network/opendaylight/api/NeutronRestApi.java
+++ b/plugins/network-elements/opendaylight/src/main/java/org/apache/cloudstack/network/opendaylight/api/NeutronRestApi.java
@@ -19,6 +19,7 @@
package org.apache.cloudstack.network.opendaylight.api;
+import org.apache.cloudstack.utils.security.SSLUtils;
import java.io.IOException;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
@@ -33,6 +34,7 @@ import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
@@ -175,7 +177,7 @@ public class NeutronRestApi {
try {
// Install the all-trusting trust manager
- SSLContext sc = SSLContext.getInstance("SSL");
+ SSLContext sc = SSLUtils.getSSLContext();
sc.init(null, trustAllCerts, new java.security.SecureRandom());
ssf = sc.getSocketFactory();
} catch (KeyManagementException e) {
@@ -187,17 +189,23 @@ public class NeutronRestApi {
@Override
public Socket createSocket(final String host, final int port) throws IOException {
- return ssf.createSocket(host, port);
+ SSLSocket s = (SSLSocket) ssf.createSocket(host, port);
+ s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols()));
+ return s;
}
@Override
public Socket createSocket(final String address, final int port, final InetAddress localAddress, final int localPort) throws IOException, UnknownHostException {
- return ssf.createSocket(address, port, localAddress, localPort);
+ SSLSocket s = (SSLSocket) ssf.createSocket(address, port, localAddress, localPort);
+ s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols()));
+ return s;
}
@Override
public Socket createSocket(final Socket socket, final String host, final int port, final boolean autoClose) throws IOException, UnknownHostException {
- return ssf.createSocket(socket, host, port, autoClose);
+ SSLSocket s = (SSLSocket) ssf.createSocket(socket, host, port, autoClose);
+ s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols()));
+ return s;
}
@Override
@@ -207,7 +215,8 @@ public class NeutronRestApi {
if (timeout == 0) {
return createSocket(host, port, localAddress, localPort);
} else {
- Socket s = ssf.createSocket();
+ SSLSocket s = (SSLSocket) ssf.createSocket();
+ s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols()));
s.bind(new InetSocketAddress(localAddress, localPort));
s.connect(new InetSocketAddress(host, port), timeout);
return s;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java b/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java
index 8fdc82d..014cefb 100644
--- a/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java
+++ b/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java
@@ -27,6 +27,8 @@ import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
+import org.apache.cloudstack.utils.security.SSLUtils;
+
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.Scheme;
@@ -39,7 +41,7 @@ public class HttpClientWrapper {
public static HttpClient wrapClient(HttpClient base) {
try {
- SSLContext ctx = SSLContext.getInstance("TLS");
+ SSLContext ctx = SSLUtils.getSSLContext();
X509TrustManager tm = new X509TrustManager() {
@Override
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/plugins/storage/volume/cloudbyte/src/org/apache/cloudstack/storage/datastore/util/ElastistorUtil.java
----------------------------------------------------------------------
diff --git a/plugins/storage/volume/cloudbyte/src/org/apache/cloudstack/storage/datastore/util/ElastistorUtil.java b/plugins/storage/volume/cloudbyte/src/org/apache/cloudstack/storage/datastore/util/ElastistorUtil.java
index 7f2da72..7e1a5cb 100644
--- a/plugins/storage/volume/cloudbyte/src/org/apache/cloudstack/storage/datastore/util/ElastistorUtil.java
+++ b/plugins/storage/volume/cloudbyte/src/org/apache/cloudstack/storage/datastore/util/ElastistorUtil.java
@@ -39,6 +39,7 @@ import javax.ws.rs.core.UriBuilder;
import org.apache.http.auth.InvalidCredentialsException;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.utils.security.SSLUtils;
import com.google.gson.Gson;
import com.google.gson.annotations.SerializedName;
@@ -1086,7 +1087,7 @@ public class ElastistorUtil {
// Install the all-trusting trust manager
try {
- SSLContext sc = SSLContext.getInstance("TLS");
+ SSLContext sc = SSLUtils.getSSLContext();
sc.init(null, trustAllCerts, new SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
HttpsURLConnection.setDefaultHostnameVerifier(hv);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/plugins/storage/volume/nexenta/src/org/apache/cloudstack/storage/datastore/util/NexentaNmsClient.java
----------------------------------------------------------------------
diff --git a/plugins/storage/volume/nexenta/src/org/apache/cloudstack/storage/datastore/util/NexentaNmsClient.java b/plugins/storage/volume/nexenta/src/org/apache/cloudstack/storage/datastore/util/NexentaNmsClient.java
index beebb44..e1a59f7 100644
--- a/plugins/storage/volume/nexenta/src/org/apache/cloudstack/storage/datastore/util/NexentaNmsClient.java
+++ b/plugins/storage/volume/nexenta/src/org/apache/cloudstack/storage/datastore/util/NexentaNmsClient.java
@@ -45,6 +45,8 @@ import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.BasicClientConnectionManager;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.utils.security.SSLUtils;
+
import com.google.gson.Gson;
import com.google.gson.annotations.SerializedName;
@@ -80,7 +82,7 @@ public class NexentaNmsClient {
protected DefaultHttpClient getHttpsClient() {
try {
- SSLContext sslContext = SSLContext.getInstance("SSL");
+ SSLContext sslContext = SSLUtils.getSSLContext();
X509TrustManager tm = new X509TrustManager() {
@Override
public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java
----------------------------------------------------------------------
diff --git a/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java b/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java
index 174dc18..8ff4454 100644
--- a/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java
+++ b/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java
@@ -54,6 +54,8 @@ import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.BasicClientConnectionManager;
+import org.apache.cloudstack.utils.security.SSLUtils;
+
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
@@ -1688,7 +1690,7 @@ public class SolidFireUtil {
private static DefaultHttpClient getHttpClient(int iPort) {
try {
- SSLContext sslContext = SSLContext.getInstance("SSL");
+ SSLContext sslContext = SSLUtils.getSSLContext();
X509TrustManager tm = new X509TrustManager() {
@Override
public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
----------------------------------------------------------------------
diff --git a/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java b/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
index da89a0d..abb5b84 100644
--- a/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
+++ b/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
@@ -139,7 +139,7 @@ public class SocketWrapperImpl extends PipelineImpl implements SocketWrapper {
SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
sslSocket = (SSLSocket)sslSocketFactory.createSocket(socket, address.getHostName(), address.getPort(), true);
-
+ sslSocket.setEnabledProtocols(new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"});
sslSocket.startHandshake();
InputStream sis = sslSocket.getInputStream();
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
----------------------------------------------------------------------
diff --git a/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java b/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
index 75d23b1..e15ddd4 100644
--- a/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
+++ b/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
@@ -21,6 +21,7 @@ import com.sun.net.httpserver.HttpServer;
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsParameters;
import com.sun.net.httpserver.HttpsServer;
+import org.apache.cloudstack.utils.security.SSLUtils;
import org.apache.log4j.Logger;
import javax.net.ssl.KeyManagerFactory;
@@ -71,7 +72,7 @@ public class ConsoleProxySecureServerFactoryImpl implements ConsoleProxyServerFa
tmf.init(ks);
s_logger.info("Trust manager factory is initialized");
- sslContext = SSLContext.getInstance("TLS");
+ sslContext = SSLUtils.getSSLContext();
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
s_logger.info("SSL context is initialized");
} catch (Exception ioe) {
@@ -94,7 +95,7 @@ public class ConsoleProxySecureServerFactoryImpl implements ConsoleProxyServerFa
tmf.init(ks);
s_logger.info("Trust manager factory is initialized");
- sslContext = SSLContext.getInstance("TLS");
+ sslContext = SSLUtils.getSSLContext();
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
s_logger.info("SSL context is initialized");
} catch (Exception e) {
@@ -139,6 +140,7 @@ public class ConsoleProxySecureServerFactoryImpl implements ConsoleProxyServerFa
SSLServerSocket srvSock = null;
SSLServerSocketFactory ssf = sslContext.getServerSocketFactory();
srvSock = (SSLServerSocket)ssf.createServerSocket(port);
+ srvSock.setEnabledProtocols(SSLUtils.getSupportedProtocols(srvSock.getEnabledProtocols()));
s_logger.info("create SSL server socket on port: " + port);
return srvSock;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java
----------------------------------------------------------------------
diff --git a/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java b/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java
index 2a115b2..8f78fb3 100644
--- a/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java
+++ b/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java
@@ -16,6 +16,8 @@
// under the License.
package com.cloud.consoleproxy.util;
+import org.apache.cloudstack.utils.security.SSLUtils;
+
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
@@ -134,7 +136,15 @@ public final class RawHTTP {
private Socket _getSocket() throws IOException {
if (useSSL) {
- SSLContext context = getClientSSLContext();
+ SSLContext context = null;
+ try {
+ context = SSLUtils.getSSLContext("SunJSSE");
+ } catch (NoSuchAlgorithmException e) {
+ s_logger.error("Unexpected exception ", e);
+ } catch (NoSuchProviderException e) {
+ s_logger.error("Unexpected exception ", e);
+ }
+
if (context == null)
throw new IOException("Unable to setup SSL context");
@@ -143,6 +153,7 @@ public final class RawHTTP {
context.init(null, trustAllCerts, new SecureRandom());
SocketFactory factory = context.getSocketFactory();
ssl = (SSLSocket)factory.createSocket(host, port);
+ ssl.setEnabledProtocols(SSLUtils.getSupportedProtocols(ssl.getEnabledProtocols()));
/* ssl.setSSLParameters(context.getDefaultSSLParameters()); */
} catch (IOException e) {
s_logger.error("IOException: " + e.getMessage(), e);
@@ -229,16 +240,4 @@ public final class RawHTTP {
}
}
}
-
- private SSLContext getClientSSLContext() {
- SSLContext sslContext = null;
- try {
- sslContext = SSLContext.getInstance("SSL", "SunJSSE");
- } catch (NoSuchAlgorithmException e) {
- s_logger.error("Unexpected exception ", e);
- } catch (NoSuchProviderException e) {
- s_logger.error("Unexpected exception ", e);
- }
- return sslContext;
- }
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl b/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl
index 0eea44d..6699f14 100644
--- a/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl
+++ b/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl
@@ -42,6 +42,7 @@
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
+ SSLProtocol all -SSLv2 -SSLv3
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/systemvm/patches/debian/config/etc/apache2/vhostexample.conf
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/apache2/vhostexample.conf b/systemvm/patches/debian/config/etc/apache2/vhostexample.conf
index c1bf8ea..70cb7dc 100644
--- a/systemvm/patches/debian/config/etc/apache2/vhostexample.conf
+++ b/systemvm/patches/debian/config/etc/apache2/vhostexample.conf
@@ -86,6 +86,7 @@
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
+ SSLProtocol all -SSLv2 -SSLv3
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/systemvm/scripts/config_ssl.sh
----------------------------------------------------------------------
diff --git a/systemvm/scripts/config_ssl.sh b/systemvm/scripts/config_ssl.sh
index 6971055..0659737 100755
--- a/systemvm/scripts/config_ssl.sh
+++ b/systemvm/scripts/config_ssl.sh
@@ -37,6 +37,7 @@ config_httpd_conf() {
echo " DocumentRoot /var/www/html/" >> /etc/httpd/conf/httpd.conf
echo " ServerName $srvr" >> /etc/httpd/conf/httpd.conf
echo " SSLEngine on" >> /etc/httpd/conf/httpd.conf
+ echo " SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/httpd.conf
echo " SSLCertificateFile /etc/httpd/ssl/certs/realhostip.crt" >> /etc/httpd/conf/httpd.conf
echo " SSLCertificateKeyFile /etc/httpd/ssl/keys/realhostip.key" >> /etc/httpd/conf/httpd.conf
echo "</VirtualHost>" >> /etc/httpd/conf/httpd.conf
@@ -54,6 +55,7 @@ config_apache2_conf() {
sed -i -e "s/NameVirtualHost .*:80/NameVirtualHost $ip:80/g" /etc/apache2/ports.conf
sed -i 's/ssl-cert-snakeoil.key/cert_apache.key/' /etc/apache2/sites-available/default-ssl
sed -i 's/ssl-cert-snakeoil.pem/cert_apache.crt/' /etc/apache2/sites-available/default-ssl
+ sed -i 's/SSLProtocol.*$/SSLProtocol all -SSLv2 -SSLv3/' /etc/apache2/sites-available/default-ssl
if [ -f /etc/ssl/certs/cert_apache_chain.crt ]
then
sed -i -e "s/#SSLCertificateChainFile.*/SSLCertificateChainFile \/etc\/ssl\/certs\/cert_apache_chain.crt/" /etc/apache2/sites-available/default-ssl
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/utils/src/com/cloud/utils/nio/Link.java
----------------------------------------------------------------------
diff --git a/utils/src/com/cloud/utils/nio/Link.java b/utils/src/com/cloud/utils/nio/Link.java
index 904afbb..971c253 100644
--- a/utils/src/com/cloud/utils/nio/Link.java
+++ b/utils/src/com/cloud/utils/nio/Link.java
@@ -44,6 +44,7 @@ import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
+import org.apache.cloudstack.utils.security.SSLUtils;
import org.apache.log4j.Logger;
import com.cloud.utils.PropertiesUtil;
@@ -443,7 +444,7 @@ public class Link {
tms[0] = new TrustAllManager();
}
- sslContext = SSLContext.getInstance("TLS");
+ sslContext = SSLUtils.getSSLContext();
sslContext.init(kmf.getKeyManagers(), tms, null);
if (s_logger.isTraceEnabled()) {
s_logger.trace("SSL: SSLcontext has been initialized");
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/utils/src/com/cloud/utils/nio/NioClient.java
----------------------------------------------------------------------
diff --git a/utils/src/com/cloud/utils/nio/NioClient.java b/utils/src/com/cloud/utils/nio/NioClient.java
index 5b00105..2f742f9 100644
--- a/utils/src/com/cloud/utils/nio/NioClient.java
+++ b/utils/src/com/cloud/utils/nio/NioClient.java
@@ -31,6 +31,8 @@ import javax.net.ssl.SSLEngine;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.utils.security.SSLUtils;
+
public class NioClient extends NioConnection {
private static final Logger s_logger = Logger.getLogger(NioClient.class);
@@ -74,6 +76,7 @@ public class NioClient extends NioConnection {
SSLContext sslContext = Link.initSSLContext(true);
sslEngine = sslContext.createSSLEngine(_host, _port);
sslEngine.setUseClientMode(true);
+ sslEngine.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslEngine.getEnabledProtocols()));
Link.doHandshake(_clientConnection, sslEngine, true);
s_logger.info("SSL: Handshake done");
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/utils/src/com/cloud/utils/nio/NioConnection.java
----------------------------------------------------------------------
diff --git a/utils/src/com/cloud/utils/nio/NioConnection.java b/utils/src/com/cloud/utils/nio/NioConnection.java
index 773b1b0..34679b8 100644
--- a/utils/src/com/cloud/utils/nio/NioConnection.java
+++ b/utils/src/com/cloud/utils/nio/NioConnection.java
@@ -41,6 +41,8 @@ import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
+import org.apache.cloudstack.utils.security.SSLUtils;
+
import org.apache.log4j.Logger;
import com.cloud.utils.concurrency.NamedThreadFactory;
@@ -198,6 +200,7 @@ public abstract class NioConnection implements Runnable {
sslEngine = sslContext.createSSLEngine();
sslEngine.setUseClientMode(false);
sslEngine.setNeedClientAuth(false);
+ sslEngine.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslEngine.getEnabledProtocols()));
Link.doHandshake(socketChannel, sslEngine, false);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/utils/src/com/cloud/utils/rest/RESTServiceConnector.java
----------------------------------------------------------------------
diff --git a/utils/src/com/cloud/utils/rest/RESTServiceConnector.java b/utils/src/com/cloud/utils/rest/RESTServiceConnector.java
index 7cc2e89..487610a 100644
--- a/utils/src/com/cloud/utils/rest/RESTServiceConnector.java
+++ b/utils/src/com/cloud/utils/rest/RESTServiceConnector.java
@@ -37,6 +37,7 @@ import java.util.Map;
import java.util.Map.Entry;
import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
@@ -61,6 +62,8 @@ import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.utils.security.SSLUtils;
+
import com.google.gson.FieldNamingPolicy;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
@@ -334,7 +337,7 @@ public class RESTServiceConnector {
try {
// Install the all-trusting trust manager
- final SSLContext sc = SSLContext.getInstance("SSL");
+ final SSLContext sc = SSLUtils.getSSLContext();
sc.init(null, trustAllCerts, new java.security.SecureRandom());
ssf = sc.getSocketFactory();
} catch (final KeyManagementException e) {
@@ -346,17 +349,23 @@ public class RESTServiceConnector {
@Override
public Socket createSocket(final String host, final int port) throws IOException {
- return ssf.createSocket(host, port);
+ SSLSocket socket = (SSLSocket) ssf.createSocket(host, port);
+ socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols()));
+ return socket;
}
@Override
public Socket createSocket(final String address, final int port, final InetAddress localAddress, final int localPort) throws IOException, UnknownHostException {
- return ssf.createSocket(address, port, localAddress, localPort);
+ SSLSocket socket = (SSLSocket) ssf.createSocket(address, port, localAddress, localPort);
+ socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols()));
+ return socket;
}
@Override
public Socket createSocket(final Socket socket, final String host, final int port, final boolean autoClose) throws IOException, UnknownHostException {
- return ssf.createSocket(socket, host, port, autoClose);
+ SSLSocket s = (SSLSocket) ssf.createSocket(socket, host, port, autoClose);
+ s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols()));
+ return s;
}
@Override
@@ -366,7 +375,8 @@ public class RESTServiceConnector {
if (timeout == 0) {
return createSocket(host, port, localAddress, localPort);
} else {
- final Socket s = ssf.createSocket();
+ final SSLSocket s = (SSLSocket) ssf.createSocket();
+ s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols()));
s.bind(new InetSocketAddress(localAddress, localPort));
s.connect(new InetSocketAddress(host, port), timeout);
return s;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java
----------------------------------------------------------------------
diff --git a/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java b/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java
new file mode 100644
index 0000000..7f9ee77
--- /dev/null
+++ b/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java
@@ -0,0 +1,51 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package org.apache.cloudstack.utils.security;
+
+import org.apache.log4j.Logger;
+
+import javax.net.ssl.SSLContext;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.util.HashSet;
+import java.util.Set;
+
+public class SSLUtils {
+ public static final Logger s_logger = Logger.getLogger(SSLUtils.class);
+
+ public static String[] getSupportedProtocols(String[] protocols) {
+ Set set = new HashSet();
+ for (String s : protocols) {
+ if (s.equals("SSLv3") || s.equals("SSLv2Hello")) {
+ continue;
+ }
+ set.add(s);
+ }
+ return (String[]) set.toArray(new String[set.size()]);
+ }
+
+ public static SSLContext getSSLContext() throws NoSuchAlgorithmException {
+ return SSLContext.getInstance("TLSv1.2");
+ }
+
+ public static SSLContext getSSLContext(String provider) throws NoSuchAlgorithmException, NoSuchProviderException {
+ return SSLContext.getInstance("TLSv1.2", provider);
+ }
+}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java
----------------------------------------------------------------------
diff --git a/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java b/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java
index 42650fc..d180f5d 100644
--- a/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java
+++ b/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java
@@ -19,6 +19,7 @@
package org.apache.commons.httpclient.contrib.ssl;
+import org.apache.cloudstack.utils.security.SSLUtils;
import org.apache.commons.httpclient.ConnectTimeoutException;
import org.apache.commons.httpclient.HttpClientError;
import org.apache.commons.httpclient.params.HttpConnectionParams;
@@ -28,6 +29,7 @@ import org.apache.commons.logging.LogFactory;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import java.io.IOException;
import java.net.InetAddress;
@@ -99,7 +101,7 @@ public class EasySSLProtocolSocketFactory implements ProtocolSocketFactory {
private static SSLContext createEasySSLContext() {
try {
- SSLContext context = SSLContext.getInstance("SSL");
+ SSLContext context = SSLUtils.getSSLContext();
context.init(null, new TrustManager[] {new EasyX509TrustManager(null)}, null);
return context;
} catch (Exception e) {
@@ -120,8 +122,9 @@ public class EasySSLProtocolSocketFactory implements ProtocolSocketFactory {
*/
@Override
public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort) throws IOException, UnknownHostException {
-
- return getSSLContext().getSocketFactory().createSocket(host, port, clientHost, clientPort);
+ SSLSocket socket = (SSLSocket) getSSLContext().getSocketFactory().createSocket(host, port, clientHost, clientPort);
+ socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols()));
+ return socket;
}
/**
@@ -135,8 +138,8 @@ public class EasySSLProtocolSocketFactory implements ProtocolSocketFactory {
*
* @param host the host name/IP
* @param port the port on the host
- * @param clientHost the local host name/IP to bind the socket to
- * @param clientPort the port on the local machine
+ * @param localAddress the local host name/IP to bind the socket to
+ * @param localPort the port on the local machine
* @param params {@link HttpConnectionParams Http connection parameters}
*
* @return Socket a new socket
@@ -156,7 +159,8 @@ public class EasySSLProtocolSocketFactory implements ProtocolSocketFactory {
if (timeout == 0) {
return socketfactory.createSocket(host, port, localAddress, localPort);
} else {
- Socket socket = socketfactory.createSocket();
+ SSLSocket socket = (SSLSocket) socketfactory.createSocket();
+ socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols()));
SocketAddress localaddr = new InetSocketAddress(localAddress, localPort);
SocketAddress remoteaddr = new InetSocketAddress(host, port);
socket.bind(localaddr);
@@ -170,11 +174,15 @@ public class EasySSLProtocolSocketFactory implements ProtocolSocketFactory {
*/
@Override
public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
- return getSSLContext().getSocketFactory().createSocket(host, port);
+ SSLSocket socket = (SSLSocket) getSSLContext().getSocketFactory().createSocket(host, port);
+ socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols()));
+ return socket;
}
public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException, UnknownHostException {
- return getSSLContext().getSocketFactory().createSocket(socket, host, port, autoClose);
+ SSLSocket s= (SSLSocket) getSSLContext().getSocketFactory().createSocket(socket, host, port, autoClose);
+ s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols()));
+ return s;
}
@Override
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java
----------------------------------------------------------------------
diff --git a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java
index 9284569..cc657a6 100644
--- a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java
+++ b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java
@@ -32,6 +32,8 @@ import javax.xml.ws.handler.MessageContext;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.utils.security.SSLUtils;
+
import com.vmware.vim25.DynamicProperty;
import com.vmware.vim25.InvalidCollectorVersionFaultMsg;
import com.vmware.vim25.InvalidPropertyFaultMsg;
@@ -103,7 +105,7 @@ public class VmwareClient {
javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
javax.net.ssl.TrustManager tm = new TrustAllTrustManager();
trustAllCerts[0] = tm;
- javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("SSL");
+ javax.net.ssl.SSLContext sc = SSLUtils.getSSLContext();
javax.net.ssl.SSLSessionContext sslsc = sc.getServerSessionContext();
sslsc.setSessionTimeout(0);
sc.init(null, trustAllCerts, null);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/664186f4/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java
----------------------------------------------------------------------
diff --git a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java
index 08456c4..cb0c4d7 100644
--- a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java
+++ b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java
@@ -41,6 +41,7 @@ import javax.net.ssl.SSLSession;
import javax.xml.ws.soap.SOAPFaultException;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.utils.security.SSLUtils;
import com.vmware.vim25.ManagedObjectReference;
import com.vmware.vim25.ObjectContent;
@@ -79,7 +80,7 @@ public class VmwareContext {
javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
javax.net.ssl.TrustManager tm = new TrustAllManager();
trustAllCerts[0] = tm;
- javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("SSL");
+ javax.net.ssl.SSLContext sc = SSLUtils.getSSLContext();
sc.init(null, trustAllCerts, null);
javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());