Posted to commits@qpid.apache.org by lq...@apache.org on 2016/02/16 13:28:32 UTC
svn commit: r1730672 - in /qpid/java/branches/6.0.x: ./
broker-core/src/main/java/org/apache/qpid/server/model/
broker-core/src/main/java/org/apache/qpid/server/model/port/
broker-core/src/main/java/org/apache/qpid/server/security/
broker-core/src/main...
Author: lquack
Date: Tue Feb 16 12:28:31 2016
New Revision: 1730672
URL: http://svn.apache.org/viewvc?rev=1730672&view=rev
Log:
QPID-7056: [Java Broker] Improve TLS handling
* Respect order of cipherSuites
* Remove enabled/disabled cipherSuites/protocol context variables in favour of white/black list
* Support RegEx in TLS protocol/cipherSuite white/black lists
* Unify the creation of SSLContext and try several protocols by default
This was merged from the following commits on trunk: 1730088, 1730567, 1730585
Additionally the following work was performed:
* TLSv1 was reenabled
* JMX over TLS respects the configuration
Modified:
qpid/java/branches/6.0.x/ (props changed)
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/Broker.java
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/Port.java
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/port/AmqpPortImpl.java
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/transport/NonBlockingConnectionTLSDelegate.java
qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/util/ConnectionBuilder.java
qpid/java/branches/6.0.x/broker-core/src/test/java/org/apache/qpid/server/transport/TCPandSSLTransportTest.java
qpid/java/branches/6.0.x/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java
qpid/java/branches/6.0.x/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/JMXManagedObjectRegistry.java
qpid/java/branches/6.0.x/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/QpidSslRMIServerSocketFactory.java
qpid/java/branches/6.0.x/broker-plugins/websocket/src/main/java/org/apache/qpid/server/transport/websocket/WebSocketProvider.java
qpid/java/branches/6.0.x/common/src/main/java/org/apache/qpid/configuration/CommonProperties.java
qpid/java/branches/6.0.x/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java
qpid/java/branches/6.0.x/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java
qpid/java/branches/6.0.x/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
qpid/java/branches/6.0.x/common/src/test/java/org/apache/qpid/transport/network/security/ssl/SSLUtilTest.java
qpid/java/branches/6.0.x/systests/src/main/java/org/apache/qpid/systest/rest/RestTestHelper.java
Propchange: qpid/java/branches/6.0.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Tue Feb 16 12:28:31 2016
@@ -9,5 +9,5 @@
/qpid/branches/java-broker-vhost-refactor/java:1493674-1494547
/qpid/branches/java-network-refactor/qpid/java:805429-821809
/qpid/branches/qpid-2935/qpid/java:1061302-1072333
-/qpid/java/trunk:1715445-1715447,1715586,1715940,1716086-1716087,1716127-1716128,1716141,1716153,1716155,1716194,1716204,1716209,1716227,1716277,1716357,1716368,1716370,1716374,1716432,1716444-1716445,1716455,1716461,1716474,1716489,1716497,1716515,1716555,1716602,1716606-1716610,1716619,1716636,1717269,1717299,1717401,1717446,1717449,1717626,1717691,1717735,1717780,1718744,1718889,1718893,1718918,1718922,1719026,1719028,1719033,1719037,1719047,1719051,1720340,1720664,1721151,1721198,1722019-1722020,1722246,1722339,1722416,1722674,1722678,1722683,1722711,1723064,1723194,1723563,1724216,1724251,1724257,1724292,1724375,1724397,1724432,1724582,1724603,1724780,1724843-1724844,1725295,1725569,1725760,1726176,1726244-1726246,1726249,1726358,1726436,1726449,1726456,1726646,1726653,1726755,1726778,1727532,1727555,1727608,1727951,1727954,1728089,1728167,1728302,1728497,1728501,1728524,1728639,1728772,1729215,1729297,1729347,1729356,1729406,1729408,1729412,1729515,1729638,1729656-1729657,1729
783,1729828,1729832,1729841,1729851,1729904,1729973,1730019,1730025,1730052,1730072,1730494,1730499,1730547,1730559,1730578,1730651
+/qpid/java/trunk:1715445-1715447,1715586,1715940,1716086-1716087,1716127-1716128,1716141,1716153,1716155,1716194,1716204,1716209,1716227,1716277,1716357,1716368,1716370,1716374,1716432,1716444-1716445,1716455,1716461,1716474,1716489,1716497,1716515,1716555,1716602,1716606-1716610,1716619,1716636,1717269,1717299,1717401,1717446,1717449,1717626,1717691,1717735,1717780,1718744,1718889,1718893,1718918,1718922,1719026,1719028,1719033,1719037,1719047,1719051,1720340,1720664,1721151,1721198,1722019-1722020,1722246,1722339,1722416,1722674,1722678,1722683,1722711,1723064,1723194,1723563,1724216,1724251,1724257,1724292,1724375,1724397,1724432,1724582,1724603,1724780,1724843-1724844,1725295,1725569,1725760,1726176,1726244-1726246,1726249,1726358,1726436,1726449,1726456,1726646,1726653,1726755,1726778,1727532,1727555,1727608,1727951,1727954,1728089,1728167,1728302,1728497,1728501,1728524,1728639,1728772,1729215,1729297,1729347,1729356,1729406,1729408,1729412,1729515,1729638,1729656-1729657,1729
783,1729828,1729832,1729841,1729851,1729904,1729973,1730019,1730025,1730052,1730072,1730088,1730494,1730499,1730547,1730559,1730578,1730585,1730651
/qpid/trunk/qpid:796646-796653
Modified: qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/Broker.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/Broker.java?rev=1730672&r1=1730671&r2=1730672&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/Broker.java (original)
+++ qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/Broker.java Tue Feb 16 12:28:31 2016
@@ -23,6 +23,7 @@ package org.apache.qpid.server.model;
import java.util.Collection;
import java.util.List;
+import org.apache.qpid.configuration.CommonProperties;
import org.apache.qpid.server.logging.EventLogger;
import org.apache.qpid.server.logging.EventLoggerProvider;
import org.apache.qpid.server.model.adapter.BrokerAdapter;
@@ -94,6 +95,18 @@ public interface Broker<X extends Broker
@ManagedContextDefault(name = BROKER_MSG_AUTH)
boolean DEFAULT_BROKER_MSG_AUTH = false;
+ @ManagedContextDefault(name = CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST)
+ String DEFAULT_SECURITY_TLS_PROTOCOL_WHITE_LIST = "[\"TLS.*\"]";
+
+ @ManagedContextDefault(name = CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST)
+ String DEFAULT_SECURITY_TLS_PROTOCOL_BLACK_LIST = "[]";
+
+ @ManagedContextDefault(name = CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST)
+ String DEFAULT_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST = "[]";
+
+ @ManagedContextDefault(name = CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST)
+ String DEFAULT_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST = "[]";
+
@DerivedAttribute
String getBuildVersion();
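Review bot: The four new context defaults are JSON lists of regular expressions, but nothing in the hunk says so, and a reader of `Broker` cannot tell from `"[\"TLS.*\"]"` whether the patterns are full-matched or merely searched against the JVM's protocol/cipher-suite names, since that decision lives in SSLUtil rather than here. A short comment above `DEFAULT_SECURITY_TLS_PROTOCOL_WHITE_LIST` would settle both questions for operators: `// JSON lists of regular expressions applied to the names reported by the JVM; an empty white list imposes no restriction, an empty black list excludes nothing (see SSLUtil for how patterns are matched).` The "empty list means no restriction" wording is inferred from the QpidSslRMIServerSocketFactory javadoc in this same commit ("if provided only ... will be enabled") and should be confirmed against SSLUtil before it is written down. It is also worth stating in that comment that `"TLS.*"` deliberately admits TLSv1 and TLSv1.1 (the commit log re-enables TLSv1), so a deployment that must disable them has to override the white list rather than rely on the default.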
Modified: qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/Port.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/Port.java?rev=1730672&r1=1730671&r2=1730672&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/Port.java (original)
+++ qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/Port.java Tue Feb 16 12:28:31 2016
@@ -21,10 +21,13 @@
package org.apache.qpid.server.model;
import java.util.Collection;
+import java.util.List;
import java.util.Set;
import com.google.common.util.concurrent.ListenableFuture;
+import org.apache.qpid.configuration.CommonProperties;
+
@ManagedObject( description = Port.CLASS_DESCRIPTION )
public interface Port<X extends Port<X>> extends ConfiguredObject<X>
{
@@ -70,17 +73,11 @@ public interface Port<X extends Port<X>>
@ManagedAttribute
Collection<TrustStore> getTrustStores();
- @ManagedContextDefault(name = "qpid.port.enabledCipherSuites" )
- String DEFAULT_ENABLED_CIPHER_SUITES="[]";
-
- @ManagedAttribute( defaultValue = "${qpid.port.enabledCipherSuites}")
- Collection<String> getEnabledCipherSuites();
-
- @ManagedContextDefault(name = "qpid.port.disabledCipherSuites" )
- String DEFAULT_DISABLED_CIPHER_SUITES="[]";
+ @ManagedAttribute( defaultValue = "${" + CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST + "}")
+ List<String> getCipherSuiteWhiteList();
- @ManagedAttribute( defaultValue = "${qpid.port.disabledCipherSuites}")
- Collection<String> getDisabledCipherSuites();
+ @ManagedAttribute( defaultValue = "${" + CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST + "}")
+ List<String> getCipherSuiteBlackList();
Collection<Connection> getConnections();
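Review bot: The managed attributes `getEnabledCipherSuites()` and `getDisabledCipherSuites()` are removed outright rather than deprecated, so a persisted 6.0.x configuration that sets `enabledCipherSuites` or `disabledCipherSuites` on a port has, as far as this hunk shows, no attribute to land on after the upgrade. The list of modified files at the top of the commit does not include a configuration upgrader, so either one exists elsewhere and should be referenced here, or the semantic change (exact names before, regular expressions now) needs a release note for the maintenance branch. A one-line Javadoc on `getCipherSuiteWhiteList()` saying `Regular expressions; replaces the pre-6.0.x enabledCipherSuites attribute` would at least leave a trail for whoever hits the missing attribute.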
Modified: qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java?rev=1730672&r1=1730671&r2=1730672&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java (original)
+++ qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java Tue Feb 16 12:28:31 2016
@@ -24,6 +24,7 @@ package org.apache.qpid.server.model.por
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
+import java.util.List;
import java.util.Map;
import java.util.Set;
@@ -72,9 +73,9 @@ abstract public class AbstractPort<X ext
private Set<Protocol> _protocols;
@ManagedAttributeField
- private Collection<String> _enabledCipherSuites;
+ private List<String> _cipherSuiteWhiteList;
@ManagedAttributeField
- private Collection<String> _disabledCipherSuites;
+ private List<String> _cipherSuiteBlackList;
public AbstractPort(Map<String, Object> attributes,
Broker<?> broker)
@@ -275,15 +276,15 @@ abstract public class AbstractPort<X ext
}
@Override
- public Collection<String> getEnabledCipherSuites()
+ public List<String> getCipherSuiteWhiteList()
{
- return _enabledCipherSuites;
+ return _cipherSuiteWhiteList;
}
@Override
- public Collection<String> getDisabledCipherSuites()
+ public List<String> getCipherSuiteBlackList()
{
- return _disabledCipherSuites;
+ return _cipherSuiteBlackList;
}
@Override
Modified: qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/port/AmqpPortImpl.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/port/AmqpPortImpl.java?rev=1730672&r1=1730671&r2=1730672&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/port/AmqpPortImpl.java (original)
+++ qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/model/port/AmqpPortImpl.java Tue Feb 16 12:28:31 2016
@@ -74,6 +74,7 @@ import org.apache.qpid.server.util.PortU
import org.apache.qpid.server.util.ServerScopedRuntimeException;
import org.apache.qpid.server.virtualhost.VirtualHostImpl;
import org.apache.qpid.transport.network.security.ssl.QpidMultipleTrustManager;
+import org.apache.qpid.transport.network.security.ssl.SSLUtil;
public class AmqpPortImpl extends AbstractClientAuthCapablePortWithAuthProvider<AmqpPortImpl> implements AmqpPort<AmqpPortImpl>
{
@@ -384,7 +385,7 @@ public class AmqpPortImpl extends Abstra
try
{
- SSLContext sslContext = SSLContext.getInstance("TLS");
+ SSLContext sslContext = SSLUtil.tryGetSSLContext();
KeyManager[] keyManagers = keyStore.getKeyManagers();
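Review bot: `SSLUtil.tryGetSSLContext()` replaces `SSLContext.getInstance("TLS")` here and at the same position in SiteSpecificTrustStoreImpl, SimpleLDAPAuthenticationManagerImpl, ConnectionBuilder, HttpManagement and JMXManagedObjectRegistry, and in every one of those sites the result is passed straight to `sslContext.init(...)` or `createSSLEngine()` without a null check. The `try` prefix suggests the helper may fail to obtain a context for any of the protocols it attempts; whether it then throws (keeping the surrounding `catch (GeneralSecurityException e)` meaningful) or returns null (turning the failure into a NullPointerException on the next line) is not visible on this page. If it can return null, each call site needs a guard such as `if (sslContext == null) throw new IllegalConfigurationException("No TLS protocol available in this JVM");` before `init`; if it always throws, its Javadoc in SSLUtil should say so and the name could drop the `try` prefix. The enclosing method and its `catch` block are outside this hunk.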
Modified: qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java?rev=1730672&r1=1730671&r2=1730672&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java (original)
+++ qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java Tue Feb 16 12:28:31 2016
@@ -65,6 +65,7 @@ import org.apache.qpid.server.model.Stat
import org.apache.qpid.server.model.TrustStore;
import org.apache.qpid.server.model.VirtualHost;
import org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager;
+import org.apache.qpid.transport.network.security.ssl.SSLUtil;
import org.apache.qpid.transport.util.Functions;
@ManagedObject( category = false )
@@ -218,7 +219,7 @@ public class SiteSpecificTrustStoreImpl
{
URL url = new URL(getSiteUrl());
- SSLContext sslContext = SSLContext.getInstance("TLS");
+ SSLContext sslContext = SSLUtil.tryGetSSLContext();
sslContext.init(new KeyManager[0], new TrustManager[] {new AlwaysTrustManager()}, null);
try(SSLSocket socket = (SSLSocket) sslContext.getSocketFactory().createSocket(url.getHost(), url.getPort()))
Modified: qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java?rev=1730672&r1=1730671&r2=1730672&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java (original)
+++ qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.java Tue Feb 16 12:28:31 2016
@@ -41,6 +41,7 @@ import javax.naming.directory.SearchCont
import javax.naming.directory.SearchResult;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
@@ -66,7 +67,7 @@ import org.apache.qpid.server.security.a
import org.apache.qpid.server.security.auth.sasl.plain.PlainPasswordCallback;
import org.apache.qpid.server.security.auth.sasl.plain.PlainSaslServer;
import org.apache.qpid.server.util.StringUtil;
-import org.apache.qpid.ssl.SSLContextFactory;
+import org.apache.qpid.transport.network.security.ssl.SSLUtil;
public class SimpleLDAPAuthenticationManagerImpl extends AbstractAuthenticationManager<SimpleLDAPAuthenticationManagerImpl>
implements SimpleLDAPAuthenticationManager<SimpleLDAPAuthenticationManagerImpl>
@@ -352,7 +353,7 @@ public class SimpleLDAPAuthenticationMan
}
/**
- * If a trust store has been specified, create a {@link SSLContextFactory} class that is
+ * If a trust store has been specified, create a {@link SSLSocketFactory} class that is
* associated with the {@link SSLContext} generated from that trust store.
*
* @return generated socket factory class
@@ -364,7 +365,7 @@ public class SimpleLDAPAuthenticationMan
SSLContext sslContext = null;
try
{
- sslContext = SSLContext.getInstance("TLS");
+ sslContext = SSLUtil.tryGetSSLContext();
sslContext.init(null, trustStore.getTrustManagers(), null);
}
catch (GeneralSecurityException e)
Modified: qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/transport/NonBlockingConnectionTLSDelegate.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/transport/NonBlockingConnectionTLSDelegate.java?rev=1730672&r1=1730671&r2=1730672&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/transport/NonBlockingConnectionTLSDelegate.java (original)
+++ qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/transport/NonBlockingConnectionTLSDelegate.java Tue Feb 16 12:28:31 2016
@@ -20,7 +20,9 @@
package org.apache.qpid.server.transport;
import org.apache.qpid.bytebuffer.QpidByteBuffer;
+import org.apache.qpid.configuration.CommonProperties;
import org.apache.qpid.server.model.port.AmqpPort;
+import org.apache.qpid.server.util.ParameterizedTypes;
import org.apache.qpid.server.util.ServerScopedRuntimeException;
import org.apache.qpid.transport.network.security.ssl.SSLUtil;
import org.slf4j.Logger;
@@ -313,12 +315,16 @@ public class NonBlockingConnectionTLSDel
}
}
- private SSLEngine createSSLEngine(AmqpPort port)
+ private SSLEngine createSSLEngine(AmqpPort<?> port)
{
SSLEngine sslEngine = port.getSSLContext().createSSLEngine();
sslEngine.setUseClientMode(false);
- SSLUtil.updateProtocolSupport(sslEngine);
- SSLUtil.updateEnabledCipherSuites(sslEngine, port.getEnabledCipherSuites(), port.getDisabledCipherSuites());
+ final List<String> tlsProtocolWhiteList = (List<String>) port.getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS,
+ CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST);
+ final List<String> tlsProtocolBlackList = (List<String>) port.getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS,
+ CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST);
+ SSLUtil.updateEnabledTlsProtocols(sslEngine, tlsProtocolWhiteList, tlsProtocolBlackList);
+ SSLUtil.updateEnabledCipherSuites(sslEngine, port.getCipherSuiteWhiteList(), port.getCipherSuiteBlackList());
if(port.getNeedClientAuth())
{
Modified: qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/util/ConnectionBuilder.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/util/ConnectionBuilder.java?rev=1730672&r1=1730671&r2=1730672&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/util/ConnectionBuilder.java (original)
+++ qpid/java/branches/6.0.x/broker-core/src/main/java/org/apache/qpid/server/util/ConnectionBuilder.java Tue Feb 16 12:28:31 2016
@@ -118,7 +118,7 @@ public class ConnectionBuilder
final SSLContext sslContext;
try
{
- sslContext = SSLContext.getInstance("TLS");
+ sslContext = SSLUtil.tryGetSSLContext();
sslContext.init(null, _trustMangers, null);
}
catch (GeneralSecurityException e)
Modified: qpid/java/branches/6.0.x/broker-core/src/test/java/org/apache/qpid/server/transport/TCPandSSLTransportTest.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-core/src/test/java/org/apache/qpid/server/transport/TCPandSSLTransportTest.java?rev=1730672&r1=1730671&r2=1730672&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/broker-core/src/test/java/org/apache/qpid/server/transport/TCPandSSLTransportTest.java (original)
+++ qpid/java/branches/6.0.x/broker-core/src/test/java/org/apache/qpid/server/transport/TCPandSSLTransportTest.java Tue Feb 16 12:28:31 2016
@@ -30,6 +30,7 @@ import java.net.SocketAddress;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.HashSet;
+import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
@@ -38,12 +39,17 @@ import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import javax.xml.bind.DatatypeConverter;
+import com.fasterxml.jackson.databind.JavaType;
+import com.fasterxml.jackson.databind.ObjectMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.apache.qpid.configuration.CommonProperties;
+import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.Protocol;
import org.apache.qpid.server.model.Transport;
import org.apache.qpid.server.model.port.AmqpPort;
+import org.apache.qpid.server.util.ParameterizedTypes;
import org.apache.qpid.test.utils.QpidTestCase;
public class TCPandSSLTransportTest extends QpidTestCase
@@ -118,6 +124,12 @@ public class TCPandSSLTransportTest exte
when(port.getContextValue(Long.class, AmqpPort.PORT_AMQP_THREAD_POOL_KEEP_ALIVE_TIMEOUT)).thenReturn(1l);
when(port.getContextValue(Long.class, AmqpPort.PORT_AMQP_OUTBOUND_MESSAGE_BUFFER_SIZE)).thenReturn(AmqpPort.DEFAULT_PORT_AMQP_OUTBOUND_MESSAGE_BUFFER_SIZE);
when(port.getContextValue(Integer.class, AmqpPort.PORT_AMQP_ACCEPT_BACKLOG)).thenReturn(AmqpPort.DEFAULT_PORT_AMQP_ACCEPT_BACKLOG);
+ ObjectMapper mapper = new ObjectMapper();
+ JavaType type = mapper.getTypeFactory().constructCollectionType(List.class, String.class);
+ List<String> whiteList = mapper.readValue(Broker.DEFAULT_SECURITY_TLS_PROTOCOL_WHITE_LIST, type);
+ List<String> blackList = mapper.readValue(Broker.DEFAULT_SECURITY_TLS_PROTOCOL_BLACK_LIST, type);
+ when(port.getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST)).thenReturn(blackList);
+ when(port.getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST)).thenReturn(whiteList);
TCPandSSLTransport transport = new TCPandSSLTransport(new HashSet<>(Arrays.asList(transports)),
port,
Modified: qpid/java/branches/6.0.x/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java?rev=1730672&r1=1730671&r2=1730672&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java (original)
+++ qpid/java/branches/6.0.x/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java Tue Feb 16 12:28:31 2016
@@ -45,6 +45,7 @@ import javax.servlet.http.HttpServletReq
import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
+import org.apache.qpid.configuration.CommonProperties;
import org.apache.qpid.server.management.plugin.filter.ExceptionHandlingFilter;
import org.eclipse.jetty.io.EndPoint;
import org.eclipse.jetty.server.Connector;
@@ -88,6 +89,7 @@ import org.apache.qpid.server.model.*;
import org.apache.qpid.server.model.adapter.AbstractPluginAdapter;
import org.apache.qpid.server.model.port.HttpPort;
import org.apache.qpid.server.model.port.PortManager;
+import org.apache.qpid.server.util.ParameterizedTypes;
import org.apache.qpid.server.util.ServerScopedRuntimeException;
import org.apache.qpid.transport.network.security.ssl.QpidMultipleTrustManager;
import org.apache.qpid.transport.network.security.ssl.SSLUtil;
@@ -375,28 +377,25 @@ public class HttpManagement extends Abst
{
throw new IllegalConfigurationException("Key store is not configured. Cannot start management on HTTPS port without keystore");
}
+ final List<String> tlsProtocolWhiteList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST);
+ final List<String> tlsProtocolBlackList = getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST);
SslContextFactory factory = new SslContextFactory()
{
+ @Override
public String[] selectProtocols(String[] enabledProtocols, String[] supportedProtocols)
{
- List<String> selectedProtocols = new ArrayList<>(Arrays.asList(enabledProtocols));
- SSLUtil.updateEnabledProtocols(selectedProtocols, supportedProtocols);
-
- return selectedProtocols.toArray(new String[selectedProtocols.size()]);
+ return SSLUtil.filterEnabledProtocols(enabledProtocols, supportedProtocols,
+ tlsProtocolWhiteList, tlsProtocolBlackList);
}
+ @Override
+ public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
+ {
+ return SSLUtil.filterEnabledCipherSuites(enabledCipherSuites, supportedCipherSuites,
+ port.getCipherSuiteWhiteList(), port.getCipherSuiteBlackList());
+ }
};
- if(port.getDisabledCipherSuites() != null)
- {
- factory.addExcludeCipherSuites(port.getDisabledCipherSuites().toArray(new String[port.getDisabledCipherSuites().size()]));
- }
-
- if(port.getEnabledCipherSuites() != null && !port.getEnabledCipherSuites().isEmpty())
- {
- factory.setIncludeCipherSuites(port.getEnabledCipherSuites().toArray(new String[port.getEnabledCipherSuites().size()]));
- }
-
boolean needClientCert = port.getNeedClientAuth() || port.getWantClientAuth();
if (needClientCert && trustStores.isEmpty())
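Review bot: Nothing here checks that the arrays returned by `selectProtocols` and `selectCipherSuites` are non-empty, so a white-list regular expression that matches nothing (a typo such as `TLSv2.*`) is only discovered when the first HTTPS handshake fails, rather than when the management plugin starts. Since the Jetty `SslContextFactory` is created here with the key store already validated, this is the natural place to fail fast: after `factory` is built, run the same filters over `sslContext.getSupportedSSLParameters()` and raise `IllegalConfigurationException` when either result is empty, or at minimum log the effective protocol and cipher-suite sets at INFO so an operator can see what a TLS-hardening change actually produced. How Jetty itself behaves when `selectProtocols` returns an empty array is not visible on this page and should be confirmed before relying on it. The enclosing method continues beyond this hunk.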
@@ -407,7 +406,7 @@ public class HttpManagement extends Abst
try
{
- SSLContext sslContext = SSLContext.getInstance("TLS");
+ SSLContext sslContext = SSLUtil.tryGetSSLContext();
KeyManager[] keyManagers = keyStore.getKeyManagers();
TrustManager[] trustManagers;
Modified: qpid/java/branches/6.0.x/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/JMXManagedObjectRegistry.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/JMXManagedObjectRegistry.java?rev=1730672&r1=1730671&r2=1730672&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/JMXManagedObjectRegistry.java (original)
+++ qpid/java/branches/6.0.x/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/JMXManagedObjectRegistry.java Tue Feb 16 12:28:31 2016
@@ -36,6 +36,7 @@ import java.rmi.server.RMIServerSocketFa
import java.rmi.server.UnicastRemoteObject;
import java.security.GeneralSecurityException;
import java.util.HashMap;
+import java.util.List;
import java.util.Set;
import javax.management.JMException;
@@ -52,6 +53,7 @@ import javax.rmi.ssl.SslRMIClientSocketF
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.apache.qpid.configuration.CommonProperties;
import org.apache.qpid.server.configuration.BrokerProperties;
import org.apache.qpid.server.logging.EventLogger;
import org.apache.qpid.server.logging.messages.ManagementConsoleMessages;
@@ -63,7 +65,9 @@ import org.apache.qpid.server.model.port
import org.apache.qpid.server.security.SubjectCreator;
import org.apache.qpid.server.security.auth.jmx.JMXPasswordAuthenticator;
import org.apache.qpid.server.util.Action;
+import org.apache.qpid.server.util.ParameterizedTypes;
import org.apache.qpid.server.util.ServerScopedRuntimeException;
+import org.apache.qpid.transport.network.security.ssl.SSLUtil;
/**
* This class starts up an MBeanserver. If out of the box agent has been enabled then there are no
@@ -164,8 +168,7 @@ public class JMXManagedObjectRegistry im
SSLContext sslContext;
try
{
-
- sslContext = SSLContext.getInstance("TLS");
+ sslContext = SSLUtil.tryGetSSLContext();
sslContext.init(keyStore.getKeyManagers(), null, null);
}
catch (GeneralSecurityException e)
@@ -175,9 +178,15 @@ public class JMXManagedObjectRegistry im
//create the SSL RMI socket factories
csf = new SslRMIClientSocketFactory();
+ final List<String> tlsProtocolWhiteList = (List<String>) _connectorPort.getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS,
+ CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST);
+ final List<String> tlsProtocolBlackList = (List<String>) _connectorPort.getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS,
+ CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST);
ssf = new QpidSslRMIServerSocketFactory(sslContext,
- _connectorPort.getEnabledCipherSuites(),
- _connectorPort.getDisabledCipherSuites(),
+ tlsProtocolWhiteList,
+ tlsProtocolBlackList,
+ _connectorPort.getCipherSuiteWhiteList(),
+ _connectorPort.getCipherSuiteBlackList(),
setAllocatedConnectorPort);
}
else
Modified: qpid/java/branches/6.0.x/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/QpidSslRMIServerSocketFactory.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/QpidSslRMIServerSocketFactory.java?rev=1730672&r1=1730671&r2=1730672&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/QpidSslRMIServerSocketFactory.java (original)
+++ qpid/java/branches/6.0.x/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/QpidSslRMIServerSocketFactory.java Tue Feb 16 12:28:31 2016
@@ -25,7 +25,6 @@ import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.ArrayList;
-import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLContext;
@@ -39,8 +38,10 @@ import org.apache.qpid.transport.network
public class QpidSslRMIServerSocketFactory extends SslRMIServerSocketFactory
{
private final SSLContext _sslContext;
- private final List<String> _enabledCipherSuites;
- private final List<String> _disabledCipherSuites;
+ private final List<String> _tlsProtocolWhiteList;
+ private final List<String> _tlsProtocolBlackList;
+ private final List<String> _tlsCipherSuiteWhiteList;
+ private final List<String> _tlsCipherSuiteBlackList;
private final Action<Integer> _portAllocationAction;
/**
@@ -48,14 +49,20 @@ public class QpidSslRMIServerSocketFacto
* supplied SSLContext rather than the system default context normally
* used by the superclass, allowing us to use a configuration-specified
* key store.
- * @param sslContext previously created sslContext using the desired key store.
- * @param enabledCipherSuites
- * @param disabledCipherSuites @throws NullPointerException if the provided {@link SSLContext} is null.
+ * @param sslContext previously created sslContext using the desired key store.
+ * @param tlsProtocolWhiteList if provided only TLS protocols matching the regular expressions in this list will be enabled
+ * @param tlsProtocolBlackList if provided none of the TLS protocols matching the regular expressions in this list will be enabled
+ * @param tlsCipherSuiteWhiteList if provided only TLS cipher suites matching the regular expressions in this list will be enabled
+ * @param tlsCipherSuiteBlackList if provided none of the TLS cipher suites matching the regular expressions in this list will be enabled
+ * @throws NullPointerException if the provided {@link SSLContext} is null.
* @param action
*/
public QpidSslRMIServerSocketFactory(SSLContext sslContext,
- final Collection<String> enabledCipherSuites,
- final Collection<String> disabledCipherSuites, final Action<Integer> action) throws NullPointerException
+ final List<String> tlsProtocolWhiteList,
+ final List<String> tlsProtocolBlackList,
+ final List<String> tlsCipherSuiteWhiteList,
+ final List<String> tlsCipherSuiteBlackList,
+ final Action<Integer> action) throws NullPointerException
{
super();
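Review bot: In the rewritten Javadoc the `@throws NullPointerException` line now sits between the list parameters and `@param action`, and `action` itself still has no description, so the one parameter whose contract is least obvious from its type is the one left undocumented. Move `@param action` above `@throws` and give it a sentence; from the `setAllocatedConnectorPort` argument passed at the call site in JMXManagedObjectRegistry it presumably receives the port the server socket was actually bound to, but that should be confirmed against `createServerSocket` before writing `@param action invoked with the port number the server socket is bound to, once known`. The constructor body continues past the end of this hunk.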
@@ -65,8 +72,10 @@ public class QpidSslRMIServerSocketFacto
}
_sslContext = sslContext;
- _enabledCipherSuites = enabledCipherSuites == null ? null : new ArrayList(enabledCipherSuites);
- _disabledCipherSuites = disabledCipherSuites == null ? null : new ArrayList(disabledCipherSuites);
+ _tlsProtocolWhiteList = tlsProtocolWhiteList == null ? null : new ArrayList<>(tlsProtocolWhiteList);
+ _tlsProtocolBlackList = tlsProtocolBlackList == null ? null : new ArrayList<>(tlsProtocolBlackList);
+ _tlsCipherSuiteWhiteList = tlsCipherSuiteWhiteList == null ? null : new ArrayList<>(tlsCipherSuiteWhiteList);
+ _tlsCipherSuiteBlackList = tlsCipherSuiteBlackList == null ? null : new ArrayList<>(tlsCipherSuiteBlackList);
_portAllocationAction = action;
//TODO: settings + implementation for SSL client auth, updating equals and hashCode appropriately.
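Review bot: The four lists are defensively copied but never validated as regular expressions, so a typo such as an unbalanced bracket in `tlsCipherSuiteWhiteList` only surfaces as a `PatternSyntaxException` when the first RMI client connects and `SSLUtil.filterEntries` calls `String.matches`. A fail-fast pass in the constructor, e.g. `for (String regex : _tlsProtocolWhiteList) { Pattern.compile(regex); }` over each non-null list (wrapping the failure in an `IllegalArgumentException` naming the list), would reject bad configuration at broker start instead. The constructor's body continues past the end of this hunk.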
@@ -89,8 +98,8 @@ public class QpidSslRMIServerSocketFacto
socket.getPort(),
true);
sslSocket.setUseClientMode(false);
- SSLUtil.updateProtocolSupport(sslSocket);
- SSLUtil.updateEnabledCipherSuites(sslSocket, _enabledCipherSuites, _disabledCipherSuites);
+ SSLUtil.updateEnabledTlsProtocols(sslSocket, _tlsProtocolWhiteList, _tlsProtocolBlackList);
+ SSLUtil.updateEnabledCipherSuites(sslSocket, _tlsCipherSuiteWhiteList, _tlsCipherSuiteBlackList);
return sslSocket;
}
};
Modified: qpid/java/branches/6.0.x/broker-plugins/websocket/src/main/java/org/apache/qpid/server/transport/websocket/WebSocketProvider.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/broker-plugins/websocket/src/main/java/org/apache/qpid/server/transport/websocket/WebSocketProvider.java?rev=1730672&r1=1730671&r2=1730672&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/broker-plugins/websocket/src/main/java/org/apache/qpid/server/transport/websocket/WebSocketProvider.java (original)
+++ qpid/java/branches/6.0.x/broker-plugins/websocket/src/main/java/org/apache/qpid/server/transport/websocket/WebSocketProvider.java Tue Feb 16 12:28:31 2016
@@ -27,7 +27,6 @@ import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
-import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
@@ -54,6 +53,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.apache.qpid.bytebuffer.QpidByteBuffer;
+import org.apache.qpid.configuration.CommonProperties;
import org.apache.qpid.server.transport.MultiVersionProtocolEngine;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.Protocol;
@@ -64,6 +64,7 @@ import org.apache.qpid.server.transport.
import org.apache.qpid.server.transport.ProtocolEngine;
import org.apache.qpid.server.transport.ServerNetworkConnection;
import org.apache.qpid.server.util.Action;
+import org.apache.qpid.server.util.ParameterizedTypes;
import org.apache.qpid.server.util.ServerScopedRuntimeException;
import org.apache.qpid.transport.ByteBufferSender;
import org.apache.qpid.transport.network.security.ssl.SSLUtil;
@@ -119,29 +120,25 @@ class WebSocketProvider implements Accep
}
else if (_transport == Transport.WSS)
{
+ final List<String> tlsProtocolWhiteList = _port.getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST);
+ final List<String> tlsProtocolBlackList = _port.getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST);
SslContextFactory factory = new SslContextFactory()
{
+ @Override
public String[] selectProtocols(String[] enabledProtocols, String[] supportedProtocols)
{
- List<String> selectedProtocols = new ArrayList<>(Arrays.asList(enabledProtocols));
- SSLUtil.updateEnabledProtocols(selectedProtocols, supportedProtocols);
-
- return selectedProtocols.toArray(new String[selectedProtocols.size()]);
+ return SSLUtil.filterEnabledProtocols(enabledProtocols, supportedProtocols, tlsProtocolWhiteList, tlsProtocolBlackList);
}
+ @Override
+ public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
+ {
+ return SSLUtil.filterEnabledCipherSuites(enabledCipherSuites, supportedCipherSuites,
+ _port.getCipherSuiteWhiteList(), _port.getCipherSuiteBlackList());
+ }
};
factory.setSslContext(_sslContext);
- if(_port.getDisabledCipherSuites() != null)
- {
- factory.addExcludeCipherSuites(_port.getDisabledCipherSuites().toArray(new String[_port.getDisabledCipherSuites().size()]));
- }
-
- if(_port.getEnabledCipherSuites() != null && !_port.getEnabledCipherSuites().isEmpty())
- {
- factory.setIncludeCipherSuites(_port.getEnabledCipherSuites().toArray(new String[_port.getEnabledCipherSuites().size()]));
- }
-
factory.setNeedClientAuth(_port.getNeedClientAuth());
factory.setWantClientAuth(_port.getWantClientAuth());
connector = new SslSelectChannelConnector(factory);
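Review bot: The protocol lists are resolved once, at connector creation, from context values (`tlsProtocolWhiteList`/`tlsProtocolBlackList`), whereas the cipher-suite lists are read from `_port.getCipherSuiteWhiteList()`/`_port.getCipherSuiteBlackList()` on every `selectCipherSuites` call, so the two filters come from different configuration sources and pick up changes at different times. If the port model exposes equivalent protocol-list getters, calling them inside `selectProtocols` would make both paths consistent; otherwise capture the cipher lists next to the protocol lists so behaviour is uniform. Assigning `_port.getContextValue(List.class, ...)` to `List<String>` is an unchecked conversion; if the API cannot be typed, a method-local `@SuppressWarnings("unchecked")` with a one-line reason is preferable to a bare warning. Overriding both `select*` hooks also bypasses Jetty's own include/exclude handling for this factory, so any default protocol exclusions of the Jetty version in use presumably no longer apply and the Qpid lists are now the only filter; the enclosing method starts and ends outside the hunk.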
Modified: qpid/java/branches/6.0.x/common/src/main/java/org/apache/qpid/configuration/CommonProperties.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/common/src/main/java/org/apache/qpid/configuration/CommonProperties.java?rev=1730672&r1=1730671&r2=1730672&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/common/src/main/java/org/apache/qpid/configuration/CommonProperties.java (original)
+++ qpid/java/branches/6.0.x/common/src/main/java/org/apache/qpid/configuration/CommonProperties.java Tue Feb 16 12:28:31 2016
@@ -55,12 +55,15 @@ public class CommonProperties
public static final String HANDSHAKE_TIMEOUT_PROP_NAME = "qpid.handshake_timeout";
public static final int HANDSHAKE_TIMEOUT_DEFAULT = 2;
- public static final String DISABLED_SSL_PROTOCOLS = "qpid.disabled_ssl_protocols";
- public static final String DISABLED_SSL_PROTOCOLS_DEFAULT = "SSLv3";
-
- public static final String ENABLED_SSL_PROTOCOLS = "qpid.enabled_ssl_protocols";
- public static final String ENABLED_SSL_PROTOCOLS_DEFAULT = "TLSv1.1,TLSv1.2";
+ public static final String QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST = "qpid.security.tls.protocolWhiteList";
+ public static final String QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST_DEFAULT = "TLS.*";
+ public static final String QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST = "qpid.security.tls.protocolBlackList";
+ public static final String QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST_DEFAULT = "";
+ public static final String QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST = "qpid.security.tls.cipherSuiteWhiteList";
+ public static final String QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST_DEFAULT = "";
+ public static final String QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST = "qpid.security.tls.cipherSuiteBlackList";
+ public static final String QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST_DEFAULT = "";
/** The name of the version properties file to load from the class path. */
public static final String VERSION_RESOURCE = "qpidversion.properties";
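Review bot: `qpid.disabled_ssl_protocols` and `qpid.enabled_ssl_protocols` are removed with no compatibility mapping visible in this hunk, so a deployment that pinned protocols through them silently reverts to the `TLS.*` default unless another part of the commit handles the old keys; logging a warning at startup when either legacy property is still set would make that regression visible. The new constants also deserve a Javadoc stating that each value is a comma-separated list of full-match regular expressions, since the values are split on `\\s*,\\s*` in `SecurityLayerFactory.getSystemPropertyAsList` and tested with `String.matches` in `SSLUtil.filterEntries`. Without that, an operator writing `TLSv1.2` gets a pattern whose dot matches any character, and `TLS_RSA` on its own matches no suite at all because the whole name must match.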
Modified: qpid/java/branches/6.0.x/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java?rev=1730672&r1=1730671&r2=1730672&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java (original)
+++ qpid/java/branches/6.0.x/common/src/main/java/org/apache/qpid/ssl/SSLContextFactory.java Tue Feb 16 12:28:31 2016
@@ -42,8 +42,6 @@ import java.security.NoSuchAlgorithmExce
*/
public class SSLContextFactory
{
- public static final String TRANSPORT_LAYER_SECURITY_CODE = "TLS";
-
private SSLContextFactory()
{
//no instances
@@ -53,8 +51,7 @@ public class SSLContextFactory
throws NoSuchAlgorithmException, KeyManagementException
{
// Initialize the SSLContext to work with our key managers.
- final SSLContext sslContext = SSLContext
- .getInstance(TRANSPORT_LAYER_SECURITY_CODE);
+ final SSLContext sslContext = SSLUtil.tryGetSSLContext();
sslContext.init(keyManagers, trustManagers, null);
Modified: qpid/java/branches/6.0.x/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java?rev=1730672&r1=1730671&r2=1730672&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java (original)
+++ qpid/java/branches/6.0.x/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java Tue Feb 16 12:28:31 2016
@@ -20,11 +20,16 @@
*/
package org.apache.qpid.transport.network.security;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
+import org.apache.qpid.configuration.CommonProperties;
import org.apache.qpid.ssl.SSLContextFactory;
import org.apache.qpid.transport.ByteBufferSender;
import org.apache.qpid.transport.ConnectionSettings;
@@ -97,11 +102,24 @@ public class SecurityLayerFactory
_hostname = settings.getHost();
}
+ List<String> protocolWhiteList =
+ getSystemPropertyAsList(CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST,
+ CommonProperties.QPID_SECURITY_TLS_PROTOCOL_WHITE_LIST_DEFAULT);
+ List<String> protocolBlackList =
+ getSystemPropertyAsList(CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST,
+ CommonProperties.QPID_SECURITY_TLS_PROTOCOL_BLACK_LIST_DEFAULT);
+ List<String> cipherSuiteWhiteList =
+ getSystemPropertyAsList(CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST,
+ CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_WHITE_LIST_DEFAULT);
+ List<String> cipherSuiteBlackList =
+ getSystemPropertyAsList(CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST,
+ CommonProperties.QPID_SECURITY_TLS_CIPHER_SUITE_BLACK_LIST_DEFAULT);
try
{
_engine = sslCtx.createSSLEngine();
_engine.setUseClientMode(true);
- SSLUtil.updateProtocolSupport(_engine);
+ SSLUtil.updateEnabledTlsProtocols(_engine, protocolWhiteList, protocolBlackList);
+ SSLUtil.updateEnabledCipherSuites(_engine, cipherSuiteWhiteList, cipherSuiteBlackList);
}
catch(Exception e)
{
@@ -110,6 +128,17 @@ public class SecurityLayerFactory
}
+ private List<String> getSystemPropertyAsList(final String propertyName, final String defaultValue)
+ {
+ String listAsString = System.getProperty(propertyName, defaultValue);
+ List<String> listOfStrings = Collections.emptyList();
+ if(listAsString != null && !"".equals(listAsString))
+ {
+ listOfStrings = Arrays.asList(listAsString.split("\\s*,\\s*"));
+ }
+ return listOfStrings;
+ }
+
public ByteBufferSender sender(ByteBufferSender delegate)
{
SSLSender sender = new SSLSender(_engine, _layer.sender(delegate), _sslStatus);
Modified: qpid/java/branches/6.0.x/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java?rev=1730672&r1=1730671&r2=1730672&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java (original)
+++ qpid/java/branches/6.0.x/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java Tue Feb 16 12:28:31 2016
@@ -27,9 +27,6 @@ import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringReader;
-import java.lang.reflect.InvocationHandler;
-import java.lang.reflect.Method;
-import java.lang.reflect.Proxy;
import java.math.BigInteger;
import java.net.URL;
import java.nio.BufferUnderflowException;
@@ -51,26 +48,23 @@ import java.security.spec.PKCS8EncodedKe
import java.security.spec.RSAPrivateCrtKeySpec;
import java.util.ArrayList;
import java.util.Arrays;
-import java.util.Collection;
-import java.util.HashSet;
+import java.util.Iterator;
import java.util.List;
-import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
+import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
-import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.xml.bind.DatatypeConverter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import org.apache.qpid.configuration.CommonProperties;
import org.apache.qpid.transport.TransportException;
public class SSLUtil
@@ -78,6 +72,7 @@ public class SSLUtil
private static final Logger LOGGER = LoggerFactory.getLogger(SSLUtil.class);
private static final Integer DNS_NAME_TYPE = 2;
+ public static final String[] TLS_PROTOCOL_PREFERENCES = new String[]{"TLSv1.2", "TLSv1.1", "TLS", "TLSv1"};
private SSLUtil()
{
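Review bot: `TLS_PROTOCOL_PREFERENCES` is a `public static final String[]`, and `final` on an array reference does not protect its contents: any code in the JVM can reorder or overwrite the entries that `tryGetSSLContext()` later walks, changing which context is created. Since only `tryGetSSLContext()` uses it in this diff, declare it `private static final String[] TLS_PROTOCOL_PREFERENCES = new String[]{"TLSv1.2", "TLSv1.1", "TLS", "TLSv1"};` and, if other modules need the preference order, expose it through an accessor that returns `TLS_PROTOCOL_PREFERENCES.clone()`.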
@@ -478,124 +473,135 @@ public class SSLUtil
return new BigInteger(num);
}
- public static String[] getExcludedSSlProtocols()
- {
- String property = System.getProperty(CommonProperties.DISABLED_SSL_PROTOCOLS,
- CommonProperties.DISABLED_SSL_PROTOCOLS_DEFAULT);
- return property.split("\\s*,\\s*");
+ public static void updateEnabledTlsProtocols(final SSLEngine engine,
+ final List<String> protocolWhiteList,
+ final List<String> protocolBlackList)
+ {
+ String[] filteredProtocols = filterEnabledProtocols(engine.getEnabledProtocols(),
+ engine.getSupportedProtocols(),
+ protocolWhiteList,
+ protocolBlackList);
+ engine.setEnabledProtocols(filteredProtocols);
}
-
- public static String[] getEnabledSSlProtocols()
+ public static void updateEnabledTlsProtocols(final SSLSocket socket,
+ final List<String> protocolWhiteList,
+ final List<String> protocolBlackList)
{
- String property = System.getProperty(CommonProperties.ENABLED_SSL_PROTOCOLS,
- CommonProperties.ENABLED_SSL_PROTOCOLS_DEFAULT);
- return property.split("\\s*,\\s*");
+ String[] filteredProtocols = filterEnabledProtocols(socket.getEnabledProtocols(),
+ socket.getSupportedProtocols(),
+ protocolWhiteList,
+ protocolBlackList);
+ socket.setEnabledProtocols(filteredProtocols);
}
- public static void updateProtocolSupport(final SSLEngine engine)
+ public static String[] filterEnabledProtocols(final String[] enabledProtocols,
+ final String[] supportedProtocols,
+ final List<String> protocolWhiteList,
+ final List<String> protocolBlackList)
{
- List<String> enabledProtocols = new ArrayList<>(Arrays.asList(engine.getEnabledProtocols()));
- String[] supportedProtocols = engine.getSupportedProtocols();
- boolean modified = updateEnabledProtocols(enabledProtocols, supportedProtocols);
- if(modified)
- {
- engine.setEnabledProtocols(enabledProtocols.toArray(new String[enabledProtocols.size()]));
- }
+ return filterEntries(enabledProtocols, supportedProtocols, protocolWhiteList, protocolBlackList);
}
- // version overloaded on SSLSocket is needed for RMI
- public static void updateProtocolSupport(final SSLSocket serverSocket)
+ public static String[] filterEnabledCipherSuites(final String[] enabledCipherSuites,
+ final String[] supportedCipherSuites,
+ final List<String> cipherSuiteWhiteList,
+ final List<String> cipherSuiteBlackList)
{
- List<String> enabledProtocols = new ArrayList<>(Arrays.asList(serverSocket.getEnabledProtocols()));
- String[] supportedProtocols = serverSocket.getSupportedProtocols();
- boolean modified = updateEnabledProtocols(enabledProtocols, supportedProtocols);
- if(modified)
- {
- serverSocket.setEnabledProtocols(enabledProtocols.toArray(new String[enabledProtocols.size()]));
- }
- }
-
- public static boolean updateEnabledProtocols(final List<String> enabledProtocols, final String[] supportedProtocols)
- {
- boolean modified = false;
- for(String protocol : getExcludedSSlProtocols())
- {
- if (enabledProtocols.contains(protocol))
- {
- enabledProtocols.remove(protocol);
- modified = true;
- }
- }
- for(String protocol : getEnabledSSlProtocols())
- {
- if(!enabledProtocols.contains(protocol) && Arrays.asList(supportedProtocols).contains(protocol))
- {
- enabledProtocols.add(protocol);
- modified = true;
- }
- }
- return modified;
+ return filterEntries(enabledCipherSuites, supportedCipherSuites, cipherSuiteWhiteList, cipherSuiteBlackList);
}
public static void updateEnabledCipherSuites(final SSLEngine engine,
- final Collection<String> enabledCipherSuites,
- final Collection<String> disabledCipherSuites)
+ final List<String> cipherSuitesWhiteList,
+ final List<String> cipherSuitesBlackList)
{
- if(enabledCipherSuites != null && !enabledCipherSuites.isEmpty())
- {
- final Set<String> supportedSuites =
- new HashSet<>(Arrays.asList(engine.getSupportedCipherSuites()));
- supportedSuites.retainAll(enabledCipherSuites);
- engine.setEnabledCipherSuites(supportedSuites.toArray(new String[supportedSuites.size()]));
- }
-
- if(disabledCipherSuites != null && !disabledCipherSuites.isEmpty())
- {
- final Set<String> enabledSuites = new HashSet<>(Arrays.asList(engine.getEnabledCipherSuites()));
- enabledSuites.removeAll(disabledCipherSuites);
- engine.setEnabledCipherSuites(enabledSuites.toArray(new String[enabledSuites.size()]));
- }
-
+ String[] filteredCipherSuites = filterEntries(engine.getEnabledCipherSuites(),
+ engine.getSupportedCipherSuites(),
+ cipherSuitesWhiteList,
+ cipherSuitesBlackList);
+ engine.setEnabledCipherSuites(filteredCipherSuites);
}
// version overloaded on SSLSocket is needed for RMI
public static void updateEnabledCipherSuites(final SSLSocket socket,
- final List<String> enabledCipherSuites,
- final List<String> disabledCipherSuites)
+ final List<String> cipherSuitesWhiteList,
+ final List<String> cipherSuitesBlackList)
{
- if (enabledCipherSuites != null && !enabledCipherSuites.isEmpty())
+ String[] filteredCipherSuites = filterEntries(socket.getEnabledCipherSuites(),
+ socket.getSupportedCipherSuites(),
+ cipherSuitesWhiteList,
+ cipherSuitesBlackList);
+ socket.setEnabledCipherSuites(filteredCipherSuites);
+ }
+
+ static String[] filterEntries(final String[] enabledEntries,
+ final String[] supportedEntries,
+ final List<String> whiteList,
+ final List<String> blackList)
+ {
+ List<String> filteredList;
+ if (whiteList != null && !whiteList.isEmpty())
+ {
+ filteredList = new ArrayList<>();
+ List<String> supportedList = new ArrayList<>(Arrays.asList(supportedEntries));
+ // the outer loop must be over the white list to preserve its order
+ for (String whiteListedRegEx : whiteList)
+ {
+ Iterator<String> supportedIter = supportedList.iterator();
+ while (supportedIter.hasNext())
+ {
+ String supportedEntry = supportedIter.next();
+ if (supportedEntry.matches(whiteListedRegEx))
+ {
+ filteredList.add(supportedEntry);
+ supportedIter.remove();
+ }
+ }
+ }
+ }
+ else
{
- List<String> supportedSuites = Arrays.asList(socket.getSupportedCipherSuites());
- supportedSuites.retainAll(enabledCipherSuites);
- socket.setEnabledCipherSuites(supportedSuites.toArray(new String[supportedSuites.size()]));
+ filteredList = new ArrayList<>(Arrays.asList(enabledEntries));
}
- if (disabledCipherSuites != null && !disabledCipherSuites.isEmpty())
+ if (blackList != null && !blackList.isEmpty())
{
- List<String> enabledSuites = Arrays.asList(socket.getEnabledCipherSuites());
- enabledSuites.removeAll(disabledCipherSuites);
- socket.setEnabledCipherSuites(enabledSuites.toArray(new String[enabledSuites.size()]));
+ for (String blackListedRegEx : blackList)
+ {
+ Iterator<String> entriesIter = filteredList.iterator();
+ while (entriesIter.hasNext())
+ {
+ if (entriesIter.next().matches(blackListedRegEx))
+ {
+ entriesIter.remove();
+ }
+ }
+ }
}
+
+ return filteredList.toArray(new String[filteredList.size()]);
}
- public static void updateEnabledTlsProtocols(final SSLSocket socket,
- final List<String> enabledTlsProtocols,
- final List<String> disabledTlsProtocols)
+ public static SSLContext tryGetSSLContext() throws NoSuchAlgorithmException
{
- if (enabledTlsProtocols != null && !enabledTlsProtocols.isEmpty())
- {
- List<String> supportedProtocols = Arrays.asList(socket.getSupportedProtocols());
- supportedProtocols.retainAll(enabledTlsProtocols);
- socket.setEnabledProtocols(supportedProtocols.toArray(new String[supportedProtocols.size()]));
- }
+ return tryGetSSLContext(TLS_PROTOCOL_PREFERENCES);
+ }
- if (disabledTlsProtocols != null && !disabledTlsProtocols.isEmpty())
+ public static SSLContext tryGetSSLContext(final String[] protocols) throws NoSuchAlgorithmException
+ {
+ for (String protocol : protocols)
{
- List<String> enabledProtocols = Arrays.asList(socket.getEnabledProtocols());
- enabledProtocols.removeAll(disabledTlsProtocols);
- socket.setEnabledProtocols(enabledProtocols.toArray(new String[enabledProtocols.size()]));
+ try
+ {
+ return SSLContext.getInstance(protocol);
+ }
+ catch (NoSuchAlgorithmException e)
+ {
+ // pass and try the next protocol in the list
+ }
}
+ throw new NoSuchAlgorithmException(String.format("Could not create SSLContext with one of the requested protocols: %s",
+ Arrays.toString(protocols)));
}
}
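Review bot: `filterEntries` has no Javadoc although its contract is security-relevant and not obvious: a non-empty white list selects from the supported entries rather than the currently enabled ones, so a broad expression such as `TLS_.*` re-enables suites the JVM reports as supported but leaves disabled by default (the anonymous and NULL-cipher suites among them), result order follows the white-list order, and the black list is applied last. A Javadoc spelling out those three points would stop a future maintainer from treating it as a pure intersection. `supportedEntry.matches(whiteListedRegEx)` recompiles the expression for every supported entry; hoisting a `Pattern.compile` per list entry (needs `java.util.regex.Pattern`) removes that and gives a single place where a malformed expression fails. When the result is empty every handshake will fail with a generic JSSE error, so a `LOGGER.warn` naming both lists at that point makes the misconfiguration diagnosable.
```java
    static String[] filterEntries(final String[] enabledEntries,
                                  final String[] supportedEntries,
                                  final List<String> whiteList,
                                  final List<String> blackList)
    {
        // … unchanged: filteredList declaration and white-list branch set-up …
            for (String whiteListedRegEx : whiteList)
            {
                // compile once per configured expression, not once per supported entry
                final Pattern whiteListed = Pattern.compile(whiteListedRegEx);
                // … unchanged: iterate supportedList, testing whiteListed.matcher(entry).matches() …
            }
        // … unchanged: else-branch copying enabledEntries; black-list pass with Pattern.compile hoisted the same way …
        if (filteredList.isEmpty())
        {
            LOGGER.warn("TLS white list {} and black list {} leave no entries enabled", whiteList, blackList);
        }
        return filteredList.toArray(new String[filteredList.size()]);
    }
```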
Modified: qpid/java/branches/6.0.x/common/src/test/java/org/apache/qpid/transport/network/security/ssl/SSLUtilTest.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/common/src/test/java/org/apache/qpid/transport/network/security/ssl/SSLUtilTest.java?rev=1730672&r1=1730671&r2=1730672&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/common/src/test/java/org/apache/qpid/transport/network/security/ssl/SSLUtilTest.java (original)
+++ qpid/java/branches/6.0.x/common/src/test/java/org/apache/qpid/transport/network/security/ssl/SSLUtilTest.java Tue Feb 16 12:28:31 2016
@@ -39,6 +39,40 @@ import org.apache.qpid.transport.Transpo
public class SSLUtilTest extends QpidTestCase
{
+ public void testFilterEntries_empty()
+ {
+ String[] enabled = {};
+ String[] supported = {};
+ List<String> whiteList = Arrays.asList();
+ List<String> blackList = Arrays.asList();
+ String[] result = SSLUtil.filterEntries(enabled, supported, whiteList, blackList);
+ assertEquals("filtered list is not empty", 0, result.length);
+ }
+
+ public void testFilterEntries_whiteListNotEmpty_blackListEmpty()
+ {
+ List<String> whiteList = Arrays.asList("TLSv1\\.[0-9]+");
+ List<String> blackList = Collections.emptyList();
+ String[] enabled = {"TLS", "TLSv1.1", "TLSv1.2"};
+ String[] expected = {"TLSv1.1", "TLSv1.2"};
+ String[] supported = {"SSLv3", "TLS", "TLSv1", "TLSv1.1", "TLSv1.2"};
+ String[] result = SSLUtil.filterEntries(enabled, supported, whiteList, blackList);
+ assertTrue("unexpected filtered list: expected " + Arrays.toString(expected) + " actual " + Arrays.toString(
+ result), Arrays.equals(expected, result));
+ }
+
+ public void testFilterEntries_whiteListEmpty_blackListNotEmpty()
+ {
+ List<String> whiteList = Arrays.asList();
+ List<String> blackList = Arrays.asList("TLSv1\\.[0-9]+");
+ String[] enabled = {"TLS", "TLSv1.1", "TLSv1.2"};
+ String[] expected = {"TLS"};
+ String[] supported = {"SSLv3", "TLS", "TLSv1", "TLSv1.1", "TLSv1.2"};
+ String[] result = SSLUtil.filterEntries(enabled, supported, whiteList, blackList);
+ assertTrue("unexpected filtered list: expected " + Arrays.toString(expected) + " actual " + Arrays.toString(
+ result), Arrays.equals(expected, result));
+ }
+
public void testGetIdFromSubjectDN()
{
// "normal" dn
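Review bot: The three new tests cover each list in isolation but not the two properties that make `filterEntries` different from a plain intersection: that a white-listed entry is taken from the supported set even when it is absent from `enabled`, and that the result follows white-list order rather than supported order, with the black list applied afterwards. One combined case pins both down; the expected value below follows from the implementation in this commit.
```java
    public void testFilterEntries_whiteListOrderPreserved_blackListApplied()
    {
        List<String> whiteList = Arrays.asList("TLSv1\\.2", "TLSv1\\.1", "TLSv1");
        List<String> blackList = Arrays.asList("TLSv1");
        String[] enabled = {"TLSv1.1", "TLSv1.2"};
        String[] supported = {"SSLv3", "TLS", "TLSv1", "TLSv1.1", "TLSv1.2"};
        // white-list order wins over supported order; TLSv1 is selected from the
        // supported set although not enabled, then removed again by the black list
        String[] expected = {"TLSv1.2", "TLSv1.1"};
        String[] result = SSLUtil.filterEntries(enabled, supported, whiteList, blackList);
        assertTrue("unexpected filtered list: expected " + Arrays.toString(expected) + " actual " + Arrays.toString(
                result), Arrays.equals(expected, result));
    }
```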
Modified: qpid/java/branches/6.0.x/systests/src/main/java/org/apache/qpid/systest/rest/RestTestHelper.java
URL: http://svn.apache.org/viewvc/qpid/java/branches/6.0.x/systests/src/main/java/org/apache/qpid/systest/rest/RestTestHelper.java?rev=1730672&r1=1730671&r2=1730672&view=diff
==============================================================================
--- qpid/java/branches/6.0.x/systests/src/main/java/org/apache/qpid/systest/rest/RestTestHelper.java (original)
+++ qpid/java/branches/6.0.x/systests/src/main/java/org/apache/qpid/systest/rest/RestTestHelper.java Tue Feb 16 12:28:31 2016
@@ -157,8 +157,7 @@ public class RestTestHelper
KeyManagerFactory.getDefaultAlgorithm(),
CERT_ALIAS_APP1);
-
- final SSLContext sslContext = SSLContext.getInstance(SSLUtil.getEnabledSSlProtocols()[SSLUtil.getEnabledSSlProtocols().length-1]);
+ final SSLContext sslContext = SSLUtil.tryGetSSLContext();
sslContext.init(keyManagers, trustManagers, null);
@@ -190,8 +189,7 @@ public class RestTestHelper
keyManagers =
SSLContextFactory.getKeyManagers(null, null, null, null, null);
-
- final SSLContext sslContext = SSLContext.getInstance(SSLUtil.getEnabledSSlProtocols()[SSLUtil.getEnabledSSlProtocols().length-1]);
+ final SSLContext sslContext = SSLUtil.tryGetSSLContext();
sslContext.init(keyManagers, trustManagers, null);