Posted to commits@cloudstack.apache.org by bh...@apache.org on 2015/03/13 13:02:22 UTC

git commit: updated refs/heads/master to c8901a7

Repository: cloudstack
Updated Branches:
  refs/heads/master 6c71d3bae -> c8901a799


utils: use a better extended implementation of SSLSocketFactory

Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
(cherry picked from commit b4a5a32a7488ecd93f295670e7f641fc32198aa7)
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/c8901a79
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/c8901a79
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/c8901a79

Branch: refs/heads/master
Commit: c8901a799076859f9bc0100ad0ace2677d2270d9
Parents: 6c71d3b
Author: Rohit Yadav <ro...@shapeblue.com>
Authored: Fri Mar 13 17:31:30 2015 +0530
Committer: Rohit Yadav <ro...@shapeblue.com>
Committed: Fri Mar 13 17:32:07 2015 +0530

----------------------------------------------------------------------
 .../resource/XenServerConnectionPool.java       |  45 ++++---
 .../opendaylight/api/NeutronRestApi.java        |  38 +++---
 .../storage/datastore/util/ElastistorUtil.java  |  45 ++++---
 .../main/java/streamer/SocketWrapperImpl.java   |  29 +++--
 .../com/cloud/consoleproxy/util/RawHTTP.java    |  16 +--
 .../cloud/utils/rest/RESTServiceConnector.java  |  60 +++++----
 .../cloudstack/utils/security/SSLUtils.java     |   7 ++
 .../utils/security/SecureSSLSocketFactory.java  | 124 +++++++++++++++++++
 .../hypervisor/vmware/util/VmwareClient.java    |  36 +++---
 .../hypervisor/vmware/util/VmwareContext.java   |  44 ++++---
 10 files changed, 282 insertions(+), 162 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c8901a79/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/XenServerConnectionPool.java
----------------------------------------------------------------------
diff --git a/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/XenServerConnectionPool.java b/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/XenServerConnectionPool.java
index 8df415e..9bc8d9e 100644
--- a/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/XenServerConnectionPool.java
+++ b/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/XenServerConnectionPool.java
@@ -16,6 +16,26 @@
 // under the License.
 package com.cloud.hypervisor.xenserver.resource;
 
+import com.cloud.utils.NumbersUtil;
+import com.cloud.utils.PropertiesUtil;
+import com.cloud.utils.exception.CloudRuntimeException;
+import com.xensource.xenapi.APIVersion;
+import com.xensource.xenapi.Connection;
+import com.xensource.xenapi.Host;
+import com.xensource.xenapi.Pool;
+import com.xensource.xenapi.Session;
+import com.xensource.xenapi.Types;
+import com.xensource.xenapi.Types.BadServerResponse;
+import com.xensource.xenapi.Types.XenAPIException;
+import org.apache.cloudstack.utils.security.SSLUtils;
+import org.apache.cloudstack.utils.security.SecureSSLSocketFactory;
+import org.apache.log4j.Logger;
+import org.apache.xmlrpc.XmlRpcException;
+import org.apache.xmlrpc.client.XmlRpcClientException;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLSession;
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
@@ -27,29 +47,6 @@ import java.util.Map;
 import java.util.Properties;
 import java.util.Queue;
 
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.SSLSession;
-
-import org.apache.log4j.Logger;
-import org.apache.xmlrpc.XmlRpcException;
-import org.apache.xmlrpc.client.XmlRpcClientException;
-
-import org.apache.cloudstack.utils.security.SSLUtils;
-
-import com.xensource.xenapi.APIVersion;
-import com.xensource.xenapi.Connection;
-import com.xensource.xenapi.Host;
-import com.xensource.xenapi.Pool;
-import com.xensource.xenapi.Session;
-import com.xensource.xenapi.Types;
-import com.xensource.xenapi.Types.BadServerResponse;
-import com.xensource.xenapi.Types.XenAPIException;
-
-import com.cloud.utils.NumbersUtil;
-import com.cloud.utils.PropertiesUtil;
-import com.cloud.utils.exception.CloudRuntimeException;
-
 public class XenServerConnectionPool {
     private static final Logger s_logger = Logger.getLogger(XenServerConnectionPool.class);
     protected HashMap<String /* poolUuid */, XenServerConnection> _conns = new HashMap<String, XenServerConnection>();
@@ -81,7 +78,7 @@ public class XenServerConnectionPool {
             trustAllCerts[0] = tm;
             javax.net.ssl.SSLContext sc = SSLUtils.getSSLContext();
             sc.init(null, trustAllCerts, null);
-            javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
+            javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(new SecureSSLSocketFactory(sc));
             HostnameVerifier hv = new HostnameVerifier() {
                 @Override
                 public boolean verify(String hostName, SSLSession session) {
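Review bot: The factory installed on L114 still wraps a context initialized with `trustAllCerts` (L110–L112) and sits next to a custom HostnameVerifier, so `SecureSSLSocketFactory` narrows the enabled TLS protocols only and adds no certificate or hostname validation; the class name invites a later reader to assume otherwise. A comment on the new line would keep that clear: `// SecureSSLSocketFactory only restricts the enabled protocols; trust is still decided by trustAllCerts above`. The new constructor declares NoSuchAlgorithmException, which `SSLUtils.getSSLContext()` on L111 already declares, so the enclosing handler presumably covers it, but that handler and the enclosing method lie outside the hunk. The same replacement over the same trust-all context appears in the NeutronRestApi, ElastistorUtil, SocketWrapperImpl, RawHTTP, RESTServiceConnector, VmwareClient and VmwareContext hunks.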

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c8901a79/plugins/network-elements/opendaylight/src/main/java/org/apache/cloudstack/network/opendaylight/api/NeutronRestApi.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/opendaylight/src/main/java/org/apache/cloudstack/network/opendaylight/api/NeutronRestApi.java b/plugins/network-elements/opendaylight/src/main/java/org/apache/cloudstack/network/opendaylight/api/NeutronRestApi.java
index 528a4ac..ab6595e 100644
--- a/plugins/network-elements/opendaylight/src/main/java/org/apache/cloudstack/network/opendaylight/api/NeutronRestApi.java
+++ b/plugins/network-elements/opendaylight/src/main/java/org/apache/cloudstack/network/opendaylight/api/NeutronRestApi.java
@@ -20,6 +20,24 @@
 package org.apache.cloudstack.network.opendaylight.api;
 
 import org.apache.cloudstack.utils.security.SSLUtils;
+import org.apache.cloudstack.utils.security.SecureSSLSocketFactory;
+import org.apache.commons.httpclient.ConnectTimeoutException;
+import org.apache.commons.httpclient.HttpClient;
+import org.apache.commons.httpclient.HttpException;
+import org.apache.commons.httpclient.HttpMethodBase;
+import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager;
+import org.apache.commons.httpclient.cookie.CookiePolicy;
+import org.apache.commons.httpclient.params.HttpConnectionParams;
+import org.apache.commons.httpclient.protocol.Protocol;
+import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
+import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
+import org.apache.log4j.Logger;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
 import java.io.IOException;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.InvocationTargetException;
@@ -33,24 +51,6 @@ import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.X509Certificate;
 
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSocket;
-import javax.net.ssl.SSLSocketFactory;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.X509TrustManager;
-
-import org.apache.commons.httpclient.ConnectTimeoutException;
-import org.apache.commons.httpclient.HttpClient;
-import org.apache.commons.httpclient.HttpException;
-import org.apache.commons.httpclient.HttpMethodBase;
-import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager;
-import org.apache.commons.httpclient.cookie.CookiePolicy;
-import org.apache.commons.httpclient.params.HttpConnectionParams;
-import org.apache.commons.httpclient.protocol.Protocol;
-import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
-import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
-import org.apache.log4j.Logger;
-
 public class NeutronRestApi {
 
     private static final Logger s_logger = Logger.getLogger(NeutronRestApi.class);
@@ -179,7 +179,7 @@ public class NeutronRestApi {
                 // Install the all-trusting trust manager
                 SSLContext sc = SSLUtils.getSSLContext();
                 sc.init(null, trustAllCerts, new java.security.SecureRandom());
-                ssf = sc.getSocketFactory();
+                ssf = new SecureSSLSocketFactory(sc);
             } catch (KeyManagementException e) {
                 throw new IOException(e);
             } catch (NoSuchAlgorithmException e) {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c8901a79/plugins/storage/volume/cloudbyte/src/org/apache/cloudstack/storage/datastore/util/ElastistorUtil.java
----------------------------------------------------------------------
diff --git a/plugins/storage/volume/cloudbyte/src/org/apache/cloudstack/storage/datastore/util/ElastistorUtil.java b/plugins/storage/volume/cloudbyte/src/org/apache/cloudstack/storage/datastore/util/ElastistorUtil.java
index 564ba8e..861c180 100644
--- a/plugins/storage/volume/cloudbyte/src/org/apache/cloudstack/storage/datastore/util/ElastistorUtil.java
+++ b/plugins/storage/volume/cloudbyte/src/org/apache/cloudstack/storage/datastore/util/ElastistorUtil.java
@@ -19,11 +19,21 @@
 
 package org.apache.cloudstack.storage.datastore.util;
 
-import java.net.ConnectException;
-import java.security.InvalidParameterException;
-import java.security.SecureRandom;
-import java.security.cert.X509Certificate;
-import java.util.HashMap;
+import com.cloud.agent.api.Answer;
+import com.cloud.utils.exception.CloudRuntimeException;
+import com.google.gson.Gson;
+import com.google.gson.annotations.SerializedName;
+import com.sun.jersey.api.client.Client;
+import com.sun.jersey.api.client.ClientResponse;
+import com.sun.jersey.api.client.WebResource;
+import com.sun.jersey.api.client.config.ClientConfig;
+import com.sun.jersey.api.client.config.DefaultClientConfig;
+import com.sun.jersey.core.util.MultivaluedMapImpl;
+import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
+import org.apache.cloudstack.utils.security.SSLUtils;
+import org.apache.cloudstack.utils.security.SecureSSLSocketFactory;
+import org.apache.http.auth.InvalidCredentialsException;
+import org.apache.log4j.Logger;
 
 import javax.naming.ServiceUnavailableException;
 import javax.net.ssl.HostnameVerifier;
@@ -36,24 +46,11 @@ import javax.net.ssl.X509TrustManager;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.UriBuilder;
-
-import org.apache.http.auth.InvalidCredentialsException;
-import org.apache.log4j.Logger;
-import org.apache.cloudstack.utils.security.SSLUtils;
-
-import com.google.gson.Gson;
-import com.google.gson.annotations.SerializedName;
-import com.sun.jersey.api.client.Client;
-import com.sun.jersey.api.client.ClientResponse;
-import com.sun.jersey.api.client.WebResource;
-import com.sun.jersey.api.client.config.ClientConfig;
-import com.sun.jersey.api.client.config.DefaultClientConfig;
-import com.sun.jersey.core.util.MultivaluedMapImpl;
-
-import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
-
-import com.cloud.agent.api.Answer;
-import com.cloud.utils.exception.CloudRuntimeException;
+import java.net.ConnectException;
+import java.security.InvalidParameterException;
+import java.security.SecureRandom;
+import java.security.cert.X509Certificate;
+import java.util.HashMap;
 
 public class ElastistorUtil {
 
@@ -1098,7 +1095,7 @@ public class ElastistorUtil {
                 try {
                     SSLContext sc = SSLUtils.getSSLContext();
                     sc.init(null, trustAllCerts, new SecureRandom());
-                    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
+                    HttpsURLConnection.setDefaultSSLSocketFactory(new SecureSSLSocketFactory(sc));
                     HttpsURLConnection.setDefaultHostnameVerifier(hv);
                 } catch (Exception e) {
                     ;

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c8901a79/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
----------------------------------------------------------------------
diff --git a/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java b/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
index 14089ce..4713173 100644
--- a/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
+++ b/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
@@ -16,9 +16,18 @@
 // under the License.
 package streamer;
 
-import static streamer.debug.MockServer.Packet.PacketType.CLIENT;
-import static streamer.debug.MockServer.Packet.PacketType.SERVER;
+import org.apache.cloudstack.utils.security.SSLUtils;
+import org.apache.cloudstack.utils.security.SecureSSLSocketFactory;
+import streamer.debug.MockServer;
+import streamer.debug.MockServer.Packet;
+import streamer.ssl.SSLState;
+import streamer.ssl.TrustAllX509TrustManager;
 
+import javax.net.SocketFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -26,18 +35,8 @@ import java.net.InetSocketAddress;
 import java.net.Socket;
 import java.util.HashMap;
 
-import javax.net.SocketFactory;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSocket;
-import javax.net.ssl.SSLSocketFactory;
-import javax.net.ssl.TrustManager;
-
-import org.apache.cloudstack.utils.security.SSLUtils;
-
-import streamer.debug.MockServer;
-import streamer.debug.MockServer.Packet;
-import streamer.ssl.SSLState;
-import streamer.ssl.TrustAllX509TrustManager;
+import static streamer.debug.MockServer.Packet.PacketType.CLIENT;
+import static streamer.debug.MockServer.Packet.PacketType.SERVER;
 
 public class SocketWrapperImpl extends PipelineImpl implements SocketWrapper {
 
@@ -137,7 +136,7 @@ public class SocketWrapperImpl extends PipelineImpl implements SocketWrapper {
             // Trust all certificates (FIXME: insecure)
             sslContext.init(null, new TrustManager[] {new TrustAllX509TrustManager(sslState)}, null);
 
-            SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
+            SSLSocketFactory sslSocketFactory = new SecureSSLSocketFactory(sslContext);
             sslSocket = (SSLSocket)sslSocketFactory.createSocket(socket, address.getHostName(), address.getPort(), true);
             sslSocket.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslSocket.getEnabledProtocols()));
 
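Review bot: L313 re-applies `setEnabledProtocols` to a socket that `new SecureSSLSocketFactory(sslContext)` on L311 already narrowed in its `createSocket(Socket, String, int, boolean)` override, so the call is now redundant. It is harmless, but either drop L313 or keep it with a comment such as `// protocols already narrowed by SecureSSLSocketFactory; kept for explicitness` so the duplication reads as deliberate. RawHTTP L356 carries the same redundant call after the factory swap on L354. The `// Trust all certificates (FIXME: insecure)` context on L307 still applies; the new factory does not change what is trusted.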

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c8901a79/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java
----------------------------------------------------------------------
diff --git a/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java b/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java
index 8f78fb3..21b6241 100644
--- a/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java
+++ b/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java
@@ -17,7 +17,13 @@
 package com.cloud.consoleproxy.util;
 
 import org.apache.cloudstack.utils.security.SSLUtils;
+import org.apache.cloudstack.utils.security.SecureSSLSocketFactory;
 
+import javax.net.SocketFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -32,12 +38,6 @@ import java.util.Map;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-import javax.net.SocketFactory;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSocket;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.X509TrustManager;
-
 //
 // This file is originally from XenConsole with modifications
 //
@@ -151,7 +151,7 @@ public final class RawHTTP {
             SSLSocket ssl = null;
             try {
                 context.init(null, trustAllCerts, new SecureRandom());
-                SocketFactory factory = context.getSocketFactory();
+                SocketFactory factory = new SecureSSLSocketFactory(context);
                 ssl = (SSLSocket)factory.createSocket(host, port);
                 ssl.setEnabledProtocols(SSLUtils.getSupportedProtocols(ssl.getEnabledProtocols()));
                 /* ssl.setSSLParameters(context.getDefaultSSLParameters()); */
@@ -160,6 +160,8 @@ public final class RawHTTP {
                 throw e;
             } catch (KeyManagementException e) {
                 s_logger.error("KeyManagementException: " + e.getMessage(), e);
+            } catch (NoSuchAlgorithmException e) {
+                s_logger.error("NoSuchAlgorithmException: " + e.getMessage(), e);
             }
             return ssl;
         } else {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c8901a79/utils/src/com/cloud/utils/rest/RESTServiceConnector.java
----------------------------------------------------------------------
diff --git a/utils/src/com/cloud/utils/rest/RESTServiceConnector.java b/utils/src/com/cloud/utils/rest/RESTServiceConnector.java
index cdacd1f..6ededcb 100644
--- a/utils/src/com/cloud/utils/rest/RESTServiceConnector.java
+++ b/utils/src/com/cloud/utils/rest/RESTServiceConnector.java
@@ -19,29 +19,13 @@
 
 package com.cloud.utils.rest;
 
-import java.io.IOException;
-import java.io.UnsupportedEncodingException;
-import java.lang.reflect.Type;
-import java.net.InetAddress;
-import java.net.InetSocketAddress;
-import java.net.MalformedURLException;
-import java.net.Socket;
-import java.net.URL;
-import java.net.UnknownHostException;
-import java.security.KeyManagementException;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
-
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSocket;
-import javax.net.ssl.SSLSocketFactory;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.X509TrustManager;
-
+import com.google.gson.FieldNamingPolicy;
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+import com.google.gson.JsonDeserializer;
+import com.google.gson.reflect.TypeToken;
+import org.apache.cloudstack.utils.security.SSLUtils;
+import org.apache.cloudstack.utils.security.SecureSSLSocketFactory;
 import org.apache.commons.httpclient.ConnectTimeoutException;
 import org.apache.commons.httpclient.HttpClient;
 import org.apache.commons.httpclient.HttpException;
@@ -62,13 +46,27 @@ import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
 import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
 import org.apache.log4j.Logger;
 
-import org.apache.cloudstack.utils.security.SSLUtils;
-
-import com.google.gson.FieldNamingPolicy;
-import com.google.gson.Gson;
-import com.google.gson.GsonBuilder;
-import com.google.gson.JsonDeserializer;
-import com.google.gson.reflect.TypeToken;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.lang.reflect.Type;
+import java.net.InetAddress;
+import java.net.InetSocketAddress;
+import java.net.MalformedURLException;
+import java.net.Socket;
+import java.net.URL;
+import java.net.UnknownHostException;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
 
 /**
  * This abstraction encapsulates client side code for REST service communication. It encapsulates
@@ -339,7 +337,7 @@ public class RESTServiceConnector {
                 // Install the all-trusting trust manager
                 final SSLContext sc = SSLUtils.getSSLContext();
                 sc.init(null, trustAllCerts, new java.security.SecureRandom());
-                ssf = sc.getSocketFactory();
+                ssf = new SecureSSLSocketFactory(sc);
             } catch (final KeyManagementException e) {
                 throw new IOException(e);
             } catch (final NoSuchAlgorithmException e) {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c8901a79/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java
----------------------------------------------------------------------
diff --git a/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java b/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java
index 3de4c50..5ea89b1 100644
--- a/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java
+++ b/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java
@@ -24,6 +24,7 @@ import org.apache.log4j.Logger;
 import javax.net.ssl.SSLContext;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
+import java.util.Arrays;
 import java.util.HashSet;
 import java.util.Set;
 
@@ -41,6 +42,12 @@ public class SSLUtils {
         return (String[]) set.toArray(new String[set.size()]);
     }
 
+    public static String[] getSupportedCiphers() throws NoSuchAlgorithmException {
+        String[] availableCiphers = getSSLContext().getSocketFactory().getSupportedCipherSuites();
+        Arrays.sort(availableCiphers);
+        return availableCiphers;
+    }
+
     public static SSLContext getSSLContext() throws NoSuchAlgorithmException {
         return SSLContext.getInstance("TLSv1");
     }
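Review bot: `getSupportedCiphers()` (L474–L478) calls `getSocketFactory()` on the context returned by `getSSLContext()` (L480–L482), which is created with `SSLContext.getInstance` and never `init()`-ed; `SSLContext.getSocketFactory()` is specified to throw IllegalStateException when the implementation requires initialization, and as far as I can tell SunJSSE does so for a protocol-specific context, so this helper is likely to fail at runtime rather than return a list. Querying the JDK's already-initialised default context avoids that while keeping the declared exception: `String[] availableCiphers = SSLContext.getDefault().getSocketFactory().getSupportedCipherSuites();`. Note that the supported list is the full set the provider implements, not the set enabled by default, so callers should not treat it as a hardened default; `SecureSSLSocketFactory.getDefaultCipherSuites()` in this commit does exactly that. A Javadoc line saying that this returns every provider-supported suite, sorted, rather than a recommended subset would make the contract explicit.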

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c8901a79/utils/src/org/apache/cloudstack/utils/security/SecureSSLSocketFactory.java
----------------------------------------------------------------------
diff --git a/utils/src/org/apache/cloudstack/utils/security/SecureSSLSocketFactory.java b/utils/src/org/apache/cloudstack/utils/security/SecureSSLSocketFactory.java
new file mode 100644
index 0000000..fa9d492
--- /dev/null
+++ b/utils/src/org/apache/cloudstack/utils/security/SecureSSLSocketFactory.java
@@ -0,0 +1,124 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package org.apache.cloudstack.utils.security;
+
+import org.apache.log4j.Logger;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.net.UnknownHostException;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+
+public class SecureSSLSocketFactory extends SSLSocketFactory {
+
+    public static final Logger s_logger = Logger.getLogger(SecureSSLSocketFactory.class);
+    private SSLContext _sslContext;
+
+    public SecureSSLSocketFactory() throws NoSuchAlgorithmException {
+        _sslContext = SSLUtils.getSSLContext();
+    }
+
+    public SecureSSLSocketFactory(SSLContext sslContext) throws NoSuchAlgorithmException {
+        if (sslContext != null) {
+            _sslContext = sslContext;
+        } else {
+            _sslContext = SSLUtils.getSSLContext();
+        }
+    }
+
+    public SecureSSLSocketFactory(KeyManager[] km, TrustManager[] tm, SecureRandom random) throws NoSuchAlgorithmException, KeyManagementException, IOException {
+        _sslContext = SSLUtils.getSSLContext();
+        _sslContext.init(km, tm, random);
+    }
+
+    @Override
+    public String[] getDefaultCipherSuites() {
+        return getSupportedCipherSuites();
+    }
+
+    @Override
+    public String[] getSupportedCipherSuites() {
+        String[] ciphers = null;
+        try {
+            ciphers = SSLUtils.getSupportedCiphers();
+        } catch (NoSuchAlgorithmException e) {
+            s_logger.error("SecureSSLSocketFactory::getDefaultCipherSuites found no cipher suites");
+        }
+        return ciphers;
+    }
+
+    @Override
+    public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
+        SSLSocketFactory factory = _sslContext.getSocketFactory();
+        Socket socket = factory.createSocket(s, host, port, autoClose);
+        if (socket instanceof SSLSocket) {
+            ((SSLSocket)socket).setEnabledProtocols(SSLUtils.getSupportedProtocols(((SSLSocket)socket).getEnabledProtocols()));
+        }
+        return socket;
+    }
+
+    @Override
+    public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
+        SSLSocketFactory factory = _sslContext.getSocketFactory();
+        Socket socket = factory.createSocket(host, port);
+        if (socket instanceof SSLSocket) {
+            ((SSLSocket)socket).setEnabledProtocols(SSLUtils.getSupportedProtocols(((SSLSocket)socket).getEnabledProtocols()));
+        }
+        return socket;
+    }
+
+    @Override
+    public Socket createSocket(String host, int port, InetAddress inetAddress, int localPort) throws IOException, UnknownHostException {
+        SSLSocketFactory factory = _sslContext.getSocketFactory();
+        Socket socket = factory.createSocket(host, port, inetAddress, localPort);
+        if (socket instanceof SSLSocket) {
+            ((SSLSocket)socket).setEnabledProtocols(SSLUtils.getSupportedProtocols(((SSLSocket)socket).getEnabledProtocols()));
+        }
+        return socket;
+    }
+
+    @Override
+    public Socket createSocket(InetAddress inetAddress, int localPort) throws IOException {
+        SSLSocketFactory factory = _sslContext.getSocketFactory();
+        Socket socket = factory.createSocket(inetAddress, localPort);
+        if (socket instanceof SSLSocket) {
+            ((SSLSocket)socket).setEnabledProtocols(SSLUtils.getSupportedProtocols(((SSLSocket)socket).getEnabledProtocols()));
+        }
+        return socket;
+    }
+
+    @Override
+    public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
+        SSLSocketFactory factory = this._sslContext.getSocketFactory();
+        Socket socket = factory.createSocket(address, port, localAddress, localPort);
+        if (socket instanceof SSLSocket) {
+            ((SSLSocket)socket).setEnabledProtocols(SSLUtils.getSupportedProtocols(((SSLSocket)socket).getEnabledProtocols()));
+        }
+        return socket;
+    }
+}
\ No newline at end of file
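Review bot: `getSupportedCipherSuites()` (L556–L564) swallows NoSuchAlgorithmException and returns null, and `getDefaultCipherSuites()` (L551–L553) reports the entire supported list as the defaults, which is not what the sockets created on L568–L613 actually enable (they inherit the delegate factory's defaults), so the two queries disagree with `createSocket`; both should delegate to the factory's own initialised context: `return _sslContext.getSocketFactory().getDefaultCipherSuites();` and `return _sslContext.getSocketFactory().getSupportedCipherSuites();`. The no-arg constructor (L533–L535) and the null branch on L541 store an SSLContext that is never `init()`-ed, so a factory built that way will fail at the first `getSocketFactory()` call inside `createSocket`; either call `_sslContext.init(null, null, null)` there to take the JDK defaults or reject a null context with an IllegalArgumentException. The log message on L561 names `getDefaultCipherSuites` although it is emitted from `getSupportedCipherSuites`. Style: `s_logger` should be `private static final` as in the other classes touched by this commit, `_sslContext` can be `final`, and the protocol-narrowing block repeated in all five `createSocket` overrides belongs in one private helper. A class-level Javadoc stating that the factory only narrows the enabled protocols via `SSLUtils.getSupportedProtocols` and leaves trust decisions entirely to the supplied SSLContext would stop the name being read as more than it is.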

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c8901a79/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java
----------------------------------------------------------------------
diff --git a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java
index cc657a6..f3f7e0c 100644
--- a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java
+++ b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java
@@ -16,24 +16,6 @@
 // under the License.
 package com.cloud.hypervisor.vmware.util;
 
-import java.lang.reflect.Method;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-import java.util.Map;
-import java.util.StringTokenizer;
-
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.SSLSession;
-import javax.xml.ws.BindingProvider;
-import javax.xml.ws.WebServiceException;
-import javax.xml.ws.handler.MessageContext;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.utils.security.SSLUtils;
-
 import com.vmware.vim25.DynamicProperty;
 import com.vmware.vim25.InvalidCollectorVersionFaultMsg;
 import com.vmware.vim25.InvalidPropertyFaultMsg;
@@ -56,6 +38,22 @@ import com.vmware.vim25.TraversalSpec;
 import com.vmware.vim25.UpdateSet;
 import com.vmware.vim25.VimPortType;
 import com.vmware.vim25.VimService;
+import org.apache.cloudstack.utils.security.SSLUtils;
+import org.apache.cloudstack.utils.security.SecureSSLSocketFactory;
+import org.apache.log4j.Logger;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLSession;
+import javax.xml.ws.BindingProvider;
+import javax.xml.ws.WebServiceException;
+import javax.xml.ws.handler.MessageContext;
+import java.lang.reflect.Method;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Map;
+import java.util.StringTokenizer;
 
 /**
  * A wrapper class to handle Vmware vsphere connection and disconnection.
@@ -109,7 +107,7 @@ public class VmwareClient {
         javax.net.ssl.SSLSessionContext sslsc = sc.getServerSessionContext();
         sslsc.setSessionTimeout(0);
         sc.init(null, trustAllCerts, null);
-        javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
+        javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(new SecureSSLSocketFactory(sc));
     }
 
     private final ManagedObjectReference svcInstRef = new ManagedObjectReference();

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c8901a79/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java
----------------------------------------------------------------------
diff --git a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java
index cb0c4d7..bec4b37 100644
--- a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java
+++ b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java
@@ -16,6 +16,26 @@
 // under the License.
 package com.cloud.hypervisor.vmware.util;
 
+import com.cloud.hypervisor.vmware.mo.DatacenterMO;
+import com.cloud.hypervisor.vmware.mo.DatastoreFile;
+import com.cloud.utils.ActionDelegate;
+import com.vmware.vim25.ManagedObjectReference;
+import com.vmware.vim25.ObjectContent;
+import com.vmware.vim25.ObjectSpec;
+import com.vmware.vim25.PropertyFilterSpec;
+import com.vmware.vim25.PropertySpec;
+import com.vmware.vim25.ServiceContent;
+import com.vmware.vim25.TaskInfo;
+import com.vmware.vim25.TraversalSpec;
+import com.vmware.vim25.VimPortType;
+import org.apache.cloudstack.utils.security.SSLUtils;
+import org.apache.cloudstack.utils.security.SecureSSLSocketFactory;
+import org.apache.log4j.Logger;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLSession;
+import javax.xml.ws.soap.SOAPFaultException;
 import java.io.BufferedInputStream;
 import java.io.BufferedOutputStream;
 import java.io.BufferedReader;
@@ -35,28 +55,6 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.SSLSession;
-import javax.xml.ws.soap.SOAPFaultException;
-
-import org.apache.log4j.Logger;
-import org.apache.cloudstack.utils.security.SSLUtils;
-
-import com.vmware.vim25.ManagedObjectReference;
-import com.vmware.vim25.ObjectContent;
-import com.vmware.vim25.ObjectSpec;
-import com.vmware.vim25.PropertyFilterSpec;
-import com.vmware.vim25.PropertySpec;
-import com.vmware.vim25.ServiceContent;
-import com.vmware.vim25.TaskInfo;
-import com.vmware.vim25.TraversalSpec;
-import com.vmware.vim25.VimPortType;
-
-import com.cloud.hypervisor.vmware.mo.DatacenterMO;
-import com.cloud.hypervisor.vmware.mo.DatastoreFile;
-import com.cloud.utils.ActionDelegate;
-
 public class VmwareContext {
     private static final Logger s_logger = Logger.getLogger(VmwareContext.class);
 
@@ -82,7 +80,7 @@ public class VmwareContext {
             trustAllCerts[0] = tm;
             javax.net.ssl.SSLContext sc = SSLUtils.getSSLContext();
             sc.init(null, trustAllCerts, null);
-            javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
+            javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(new SecureSSLSocketFactory(sc));
 
             HostnameVerifier hv = new HostnameVerifier() {
                 @Override