You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2014/10/22 11:25:40 UTC
[3/3] git commit: Disabling SSLv2 on 3.0
Disabling SSLv2 on 3.0
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/0f85b210
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/0f85b210
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/0f85b210
Branch: refs/heads/3.0.x-fixes
Commit: 0f85b210256a552c65ed89d42ccd717ead487337
Parents: bbbf9a7
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Oct 22 10:25:27 2014 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Oct 22 10:25:27 2014 +0100
----------------------------------------------------------------------
.../http_jetty/JettyHTTPServerEngine.java | 241 +------------------
.../https_jetty/CXFJettySslSocketConnector.java | 3 +
2 files changed, 4 insertions(+), 240 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/0f85b210/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
index c31aad8..f3eb849 100644
--- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
+++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
@@ -477,246 +477,6 @@ public class JettyHTTPServerEngine
++servantCount;
}
-<<<<<<< HEAD
-=======
- private void addServerMBean() {
- if (mBeanContainer == null) {
- return;
- }
-
- try {
- Object o = getContainer(server);
- o.getClass().getMethod("addEventListener", Container.Listener.class).invoke(o, mBeanContainer);
- if (Server.getVersion().startsWith("8")) {
- return;
- }
- mBeanContainer.getClass().getMethod("beanAdded", Container.class, Object.class)
- .invoke(mBeanContainer, null, server);
- } catch (RuntimeException rex) {
- throw rex;
- } catch (Exception r) {
- throw new RuntimeException(r);
- }
- }
- private void removeServerMBean() {
- try {
- mBeanContainer.getClass().getMethod("beanRemoved", Container.class, Object.class)
- .invoke(mBeanContainer, null, server);
- } catch (RuntimeException rex) {
- throw rex;
- } catch (Exception r) {
- throw new RuntimeException(r);
- }
- }
-
- private Connector createConnector(String hosto, int porto) {
- // now we just use the SelectChannelConnector as the default connector
- SslContextFactory sslcf = null;
- if (tlsServerParameters != null) {
- sslcf = new SslContextFactory() {
- protected void doStart() throws Exception {
- setSslContext(createSSLContext(this));
- super.doStart();
- }
- public void checkKeyStore() {
- //we'll handle this later
- }
- };
- decorateCXFJettySslSocketConnector(sslcf);
- }
- AbstractConnector result = null;
- if (!Server.getVersion().startsWith("8")) {
- result = createConnectorJetty9(sslcf, hosto, porto);
- } else {
- result = createConnectorJetty8(sslcf, hosto, porto);
- }
-
- try {
- result.getClass().getMethod("setPort", Integer.TYPE).invoke(result, porto);
- if (hosto != null) {
- result.getClass().getMethod("setHost", String.class).invoke(result, hosto);
- }
- result.getClass().getMethod("setReuseAddress", Boolean.TYPE).invoke(result, isReuseAddress());
- } catch (RuntimeException rex) {
- throw rex;
- } catch (Exception ex) {
- throw new RuntimeException(ex);
- }
-
- return result;
- }
-
- AbstractConnector createConnectorJetty9(SslContextFactory sslcf, String hosto, int porto) {
- //Jetty 9
- AbstractConnector result = null;
- try {
- Class<?> configClass = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.HttpConfiguration",
- Server.class);
- Object httpConfig = configClass.newInstance();
- httpConfig.getClass().getMethod("setSendServerVersion", Boolean.TYPE)
- .invoke(httpConfig, getSendServerVersion());
-
- Object httpFactory = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.HttpConnectionFactory",
- Server.class)
- .getConstructor(configClass).newInstance(httpConfig);
-
- Collection<Object> connectionFactories = new ArrayList<Object>();
- result = (AbstractConnector)ClassLoaderUtils.loadClass("org.eclipse.jetty.server.ServerConnector",
- Server.class)
- .getConstructor(Server.class)
- .newInstance(server);
-
- if (tlsServerParameters != null) {
- Class<?> src = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.SecureRequestCustomizer",
- Server.class);
- httpConfig.getClass().getMethod("addCustomizer", src.getInterfaces()[0])
- .invoke(httpConfig, src.newInstance());
- Object scf = ClassLoaderUtils.loadClass("org.eclipse.jetty.server.SslConnectionFactory",
- Server.class).getConstructor(SslContextFactory.class,
- String.class)
- .newInstance(sslcf, "HTTP/1.1");
- connectionFactories.add(scf);
- result.getClass().getMethod("setDefaultProtocol", String.class).invoke(result, "SSL-HTTP/1.1");
- }
- connectionFactories.add(httpFactory);
- result.getClass().getMethod("setConnectionFactories", Collection.class)
- .invoke(result, connectionFactories);
-
- if (getMaxIdleTime() > 0) {
- result.getClass().getMethod("setIdleTimeout", Long.TYPE).invoke(result, new Long(getMaxIdleTime()));
- }
-
- } catch (RuntimeException rex) {
- throw rex;
- } catch (Exception ex) {
- throw new RuntimeException(ex);
- }
- return result;
- }
- AbstractConnector createConnectorJetty8(SslContextFactory sslcf, String hosto, int porto) {
- //Jetty 8
- AbstractConnector result = null;
- try {
- if (sslcf == null) {
- result = (AbstractConnector)ClassLoaderUtils
- .loadClass("org.eclipse.jetty.server.nio.SelectChannelConnector",
- Server.class).newInstance();
- } else {
- result = (AbstractConnector)ClassLoaderUtils
- .loadClass("org.eclipse.jetty.server.ssl.SslSelectChannelConnector",
- Server.class).getConstructor(SslContextFactory.class)
- .newInstance(sslcf);
- }
- Server.class.getMethod("setSendServerVersion", Boolean.TYPE).invoke(server, getSendServerVersion());
- if (getMaxIdleTime() > 0) {
- result.getClass().getMethod("setMaxIdleTime", Integer.TYPE).invoke(result, getMaxIdleTime());
- }
- } catch (RuntimeException rex) {
- throw rex;
- } catch (Exception ex) {
- throw new RuntimeException(ex);
- }
- return result;
- }
-
-
- protected SSLContext createSSLContext(SslContextFactory scf) throws Exception {
- String proto = tlsServerParameters.getSecureSocketProtocol() == null
- ? "TLS" : tlsServerParameters.getSecureSocketProtocol();
-
- if (!"SSLv3".equals(proto)) {
- scf.addExcludeProtocols("SSLv3");
- }
- if (!"SSLv2Hello".equals(proto)) {
- scf.addExcludeProtocols("SSLv2Hello");
- }
-
- SSLContext context = tlsServerParameters.getJsseProvider() == null
- ? SSLContext.getInstance(proto)
- : SSLContext.getInstance(proto, tlsServerParameters.getJsseProvider());
-
- KeyManager keyManagers[] = tlsServerParameters.getKeyManagers();
- if (tlsServerParameters.getCertAlias() != null) {
- keyManagers = getKeyManagersWithCertAlias(keyManagers);
- }
- context.init(tlsServerParameters.getKeyManagers(),
- tlsServerParameters.getTrustManagers(),
- tlsServerParameters.getSecureRandom());
-
- String[] cs =
- SSLUtils.getCiphersuites(
- tlsServerParameters.getCipherSuites(),
- SSLUtils.getServerSupportedCipherSuites(context),
- tlsServerParameters.getCipherSuitesFilter(),
- LOG, true);
-
- scf.setExcludeCipherSuites(cs);
- return context;
- }
- protected KeyManager[] getKeyManagersWithCertAlias(KeyManager keyManagers[]) throws Exception {
- if (tlsServerParameters.getCertAlias() != null) {
- for (int idx = 0; idx < keyManagers.length; idx++) {
- if (keyManagers[idx] instanceof X509KeyManager) {
- keyManagers[idx] = new AliasedX509ExtendedKeyManager(
- tlsServerParameters.getCertAlias(), (X509KeyManager)keyManagers[idx]);
- }
- }
- }
- return keyManagers;
- }
- protected void setClientAuthentication(SslContextFactory con,
- ClientAuthentication clientAuth) {
- con.setWantClientAuth(true);
- if (clientAuth != null) {
- if (clientAuth.isSetWant()) {
- con.setWantClientAuth(clientAuth.isWant());
- }
- if (clientAuth.isSetRequired()) {
- con.setNeedClientAuth(clientAuth.isRequired());
- }
- }
- }
- /**
- * This method sets the security properties for the CXF extension
- * of the JettySslConnector.
- */
- private void decorateCXFJettySslSocketConnector(
- SslContextFactory con
- ) {
- setClientAuthentication(con,
- tlsServerParameters.getClientAuthentication());
- con.setCertAlias(tlsServerParameters.getCertAlias());
- }
-
-
- private static Container getContainer(Object server) {
- if (server instanceof Container) {
- return (Container)server;
- }
- try {
- return (Container)server.getClass().getMethod("getContainer").invoke(server);
- } catch (RuntimeException t) {
- throw t;
- } catch (Throwable t) {
- throw new RuntimeException(t);
- }
- }
-
- private static void logConnector(Connector connector) {
- try {
- String h = (String)connector.getClass().getMethod("getHost").invoke(connector);
- int port = (Integer)connector.getClass().getMethod("getPort").invoke(connector);
- LOG.finer("connector.host: "
- + h == null
- ? "null"
- : "\"" + h + "\"");
- LOG.finer("connector.port: " + port);
- } catch (Throwable t) {
- //ignore
- }
- }
-
->>>>>>> 0d63846... Disable SSLv2Hello
protected void setupThreadPool() {
AbstractConnector aconn = (AbstractConnector) connector;
if (isSetThreadingParameters()) {
@@ -1020,3 +780,4 @@ public class JettyHTTPServerEngine
}
+
http://git-wip-us.apache.org/repos/asf/cxf/blob/0f85b210/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java
index c43dcab..39d9953 100644
--- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java
+++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java
@@ -116,6 +116,9 @@ public class CXFJettySslSocketConnector extends SslSelectChannelConnector {
if (!"SSLv3".equals(proto)) {
getSslContextFactory().addExcludeProtocols("SSLv3");
}
+ if (!"SSLv2Hello".equals(proto)) {
+ getSslContextFactory().addExcludeProtocols("SSLv2Hello");
+ }
SSLContext context = getCxfSslContextFactory().getProvider() == null
? SSLContext.getInstance(proto)