Posted to commits@hc.apache.org by ol...@apache.org on 2014/10/19 21:20:57 UTC
svn commit: r1632979 - in /httpcomponents/httpclient/trunk/httpclient/src:
main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java
test/java/org/apache/http/conn/ssl/TestSSLSocketFactory.java
Author: olegk
Date: Sun Oct 19 19:20:56 2014
New Revision: 1632979
URL: http://svn.apache.org/r1632979
Log:
Disable all versions of SSL protocol by default
Modified:
httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java
httpcomponents/httpclient/trunk/httpclient/src/test/java/org/apache/http/conn/ssl/TestSSLSocketFactory.java
Modified: httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java
URL: http://svn.apache.org/viewvc/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java?rev=1632979&r1=1632978&r2=1632979&view=diff
==============================================================================
--- httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java (original)
+++ httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java Sun Oct 19 19:20:56 2014
@@ -33,6 +33,8 @@ import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.List;
import javax.net.SocketFactory;
import javax.net.ssl.HostnameVerifier;
@@ -356,6 +358,16 @@ public class SSLConnectionSocketFactory
true);
if (supportedProtocols != null) {
sslsock.setEnabledProtocols(supportedProtocols);
+ } else {
+ // If supported protocols are not explicitly set, remove all SSL protocol versions
+ final String[] allProtocols = sslsock.getSupportedProtocols();
+ final List<String> enabledProtocols = new ArrayList<String>(allProtocols.length);
+ for (String protocol: allProtocols) {
+ if (!protocol.startsWith("SSL")) {
+ enabledProtocols.add(protocol);
+ }
+ }
+ sslsock.setEnabledProtocols(enabledProtocols.toArray(new String[enabledProtocols.size()]));
}
if (supportedCipherSuites != null) {
sslsock.setEnabledCipherSuites(supportedCipherSuites);
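Review bot: The new else branch builds the enabled list from `sslsock.getSupportedProtocols()` rather than `sslsock.getEnabledProtocols()`, so besides dropping the SSL* entries it also switches on every other protocol the provider supports, including any that the runtime's default configuration had deliberately left disabled; filtering the already-enabled set would keep the platform defaults and still remove SSL, i.e. `final String[] allProtocols = sslsock.getEnabledProtocols();`. Should nothing survive the filter, the socket is left with an empty enabled-protocol array and every handshake will fail with an unrelated-looking error, so either a guard that skips the call when `enabledProtocols.isEmpty()` or a comment stating that this outcome is intended would help a maintainer. The method enclosing this hunk starts and ends outside it.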
Modified: httpcomponents/httpclient/trunk/httpclient/src/test/java/org/apache/http/conn/ssl/TestSSLSocketFactory.java
URL: http://svn.apache.org/viewvc/httpcomponents/httpclient/trunk/httpclient/src/test/java/org/apache/http/conn/ssl/TestSSLSocketFactory.java?rev=1632979&r1=1632978&r2=1632979&view=diff
==============================================================================
--- httpcomponents/httpclient/trunk/httpclient/src/test/java/org/apache/http/conn/ssl/TestSSLSocketFactory.java (original)
+++ httpcomponents/httpclient/trunk/httpclient/src/test/java/org/apache/http/conn/ssl/TestSSLSocketFactory.java Sun Oct 19 19:20:56 2014
@@ -250,4 +250,55 @@ public class TestSSLSocketFactory {
sslSocket.close();
}
+ @Test
+ public void testTLSOnly() throws Exception {
+ this.server = ServerBootstrap.bootstrap()
+ .setServerInfo(LocalServerTestBase.ORIGIN)
+ .setSslContext(SSLTestContexts.createServerSSLContext())
+ .setSslSetupHandler(new SSLServerSetupHandler() {
+
+ @Override
+ public void initialize(final SSLServerSocket socket) throws SSLException {
+ socket.setEnabledProtocols(new String[] {"TLSv1"});
+ }
+
+ })
+ .create();
+ this.server.start();
+
+ final HttpContext context = new BasicHttpContext();
+ final SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
+ SSLTestContexts.createClientSSLContext());
+ final Socket socket = socketFactory.createSocket(context);
+ final InetSocketAddress remoteAddress = new InetSocketAddress("localhost", this.server.getLocalPort());
+ final HttpHost target = new HttpHost("localhost", this.server.getLocalPort(), "https");
+ final SSLSocket sslSocket = (SSLSocket) socketFactory.connectSocket(0, socket, target, remoteAddress, null, context);
+ final SSLSession sslsession = sslSocket.getSession();
+ Assert.assertNotNull(sslsession);
+ }
+
+ @Test(expected=IOException.class)
+ public void testSSLDisabledByDefault() throws Exception {
+ this.server = ServerBootstrap.bootstrap()
+ .setServerInfo(LocalServerTestBase.ORIGIN)
+ .setSslContext(SSLTestContexts.createServerSSLContext())
+ .setSslSetupHandler(new SSLServerSetupHandler() {
+
+ @Override
+ public void initialize(final SSLServerSocket socket) throws SSLException {
+ socket.setEnabledProtocols(new String[] {"SSLv3"});
+ }
+
+ })
+ .create();
+ this.server.start();
+
+ final HttpContext context = new BasicHttpContext();
+ final SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
+ SSLTestContexts.createClientSSLContext());
+ final Socket socket = socketFactory.createSocket(context);
+ final InetSocketAddress remoteAddress = new InetSocketAddress("localhost", this.server.getLocalPort());
+ final HttpHost target = new HttpHost("localhost", this.server.getLocalPort(), "https");
+ socketFactory.connectSocket(0, socket, target, remoteAddress, null, context);
+ }
}
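Review bot: testTLSOnly never closes the socket it opens, unlike the preceding test whose `sslSocket.close();` is visible as context at the top of the hunk, so the connection is leaked for the rest of the JVM run; add `sslSocket.close();` after the assertion (a `try`/`finally` would be safer still). The test also only checks that a session exists; since the server is pinned to `TLSv1`, `Assert.assertEquals("TLSv1", sslsession.getProtocol());` would confirm that the client actually negotiated the TLS protocol rather than merely that the handshake completed. testSSLDisabledByDefault expects any `IOException`, which a server that simply fails to start would also satisfy, so a comment noting that the failure is expected to come from the protocol mismatch would make the intent clearer to the next reader.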