Posted to commits@qpid.apache.org by rg...@apache.org on 2015/01/28 21:34:16 UTC
svn commit: r1655457 - in /qpid/trunk/qpid/java:
broker-core/src/main/java/org/apache/qpid/server/model/
broker-core/src/main/java/org/apache/qpid/server/model/port/
broker-core/src/main/java/org/apache/qpid/server/protocol/
broker-core/src/main/java/o...
Author: rgodfrey
Date: Wed Jan 28 20:34:16 2015
New Revision: 1655457
URL: http://svn.apache.org/r1655457
Log:
QPID-6345 : Allow enabled cipher suites to be configured
Modified:
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/Port.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/protocol/MultiVersionProtocolEngine.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/transport/TCPandSSLTransport.java
qpid/trunk/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java
qpid/trunk/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/JMXManagedObjectRegistry.java
qpid/trunk/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/QpidSslRMIServerSocketFactory.java
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/NetworkTransportConfiguration.java
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/io/IoNetworkTransport.java
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
Modified: qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/Port.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/Port.java?rev=1655457&r1=1655456&r2=1655457&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/Port.java (original)
+++ qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/Port.java Wed Jan 28 20:34:16 2015
@@ -60,6 +60,18 @@ public interface Port<X extends Port<X>>
@ManagedAttribute
Collection<TrustStore> getTrustStores();
+ @ManagedContextDefault(name = "qpid.port.enabledCipherSuites" )
+ String DEFAULT_ENABLED_CIPHER_SUITES="[]";
+
+ @ManagedAttribute( defaultValue = "${qpid.port.enabledCipherSuites}")
+ Collection<String> getEnabledCipherSuites();
+
+ @ManagedContextDefault(name = "qpid.port.disabledCipherSuites" )
+ String DEFAULT_DISABLED_CIPHER_SUITES="[]";
+
+ @ManagedAttribute( defaultValue = "${qpid.port.disabledCipherSuites}")
+ Collection<String> getDisabledCipherSuites();
+
Collection<Connection> getConnections();
void start();
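Review bot: The two new managed attributes, getEnabledCipherSuites and getDisabledCipherSuites, carry no description, so the relationship between the lists (what an empty enabled list means, and that the disabled list is applied after the enabled one) is only discoverable by reading the SSLUtil change in this same commit. Add a Javadoc line to each getter, e.g. `/** Cipher suites to enable on this port's TLS endpoints; an empty list leaves the provider's default set. */` and `/** Cipher suites removed from the enabled set after it has been computed; an empty list removes nothing. */`. Both statements mirror what updateEnabledCipherSuites in SSLUtil does; if that helper changes, this wording should follow.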
Modified: qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java?rev=1655457&r1=1655456&r2=1655457&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java (original)
+++ qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java Wed Jan 28 20:34:16 2015
@@ -66,6 +66,12 @@ abstract public class AbstractPort<X ext
@ManagedAttributeField
private Set<Protocol> _protocols;
+ @ManagedAttributeField
+ private Collection<String> _enabledCipherSuites;
+
+ @ManagedAttributeField
+ private Collection<String> _disabledCipherSuites;
+
public AbstractPort(Map<String, Object> attributes,
Broker<?> broker)
{
@@ -278,6 +284,18 @@ abstract public class AbstractPort<X ext
}
@Override
+ public Collection<String> getEnabledCipherSuites()
+ {
+ return _enabledCipherSuites;
+ }
+
+ @Override
+ public Collection<String> getDisabledCipherSuites()
+ {
+ return _disabledCipherSuites;
+ }
+
+ @Override
public KeyStore getKeyStore()
{
return _keyStore;
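Review bot: getEnabledCipherSuites and getDisabledCipherSuites hand back the field reference itself, so if the attribute framework stores a mutable collection in `_enabledCipherSuites`/`_disabledCipherSuites` (not visible here), any caller can alter the port's TLS configuration in place without going through attribute validation. If the injected collections are not already immutable, return a read-only view, e.g. `return _enabledCipherSuites == null ? null : Collections.unmodifiableCollection(_enabledCipherSuites);` (needs a `java.util.Collections` import if the file lacks one). The same applies to the sibling getter in this hunk.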
Modified: qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/protocol/MultiVersionProtocolEngine.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/protocol/MultiVersionProtocolEngine.java?rev=1655457&r1=1655456&r2=1655457&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/protocol/MultiVersionProtocolEngine.java (original)
+++ qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/protocol/MultiVersionProtocolEngine.java Wed Jan 28 20:34:16 2015
@@ -502,6 +502,7 @@ public class MultiVersionProtocolEngine
_engine = _sslContext.createSSLEngine();
_engine.setUseClientMode(false);
SSLUtil.removeSSLv3Support(_engine);
+ SSLUtil.updateEnabledCipherSuites(_engine, _port.getEnabledCipherSuites(), _port.getDisabledCipherSuites());
if(_needClientAuth)
{
Modified: qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/transport/TCPandSSLTransport.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/transport/TCPandSSLTransport.java?rev=1655457&r1=1655456&r2=1655457&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/transport/TCPandSSLTransport.java (original)
+++ qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/transport/TCPandSSLTransport.java Wed Jan 28 20:34:16 2015
@@ -23,12 +23,12 @@ package org.apache.qpid.server.transport
import static org.apache.qpid.transport.ConnectionSettings.WILDCARD_ADDRESS;
import java.net.InetSocketAddress;
+import java.util.Collection;
import java.util.Set;
import javax.net.ssl.SSLContext;
import org.apache.qpid.server.model.Broker;
-import org.apache.qpid.server.model.Port;
import org.apache.qpid.server.model.Protocol;
import org.apache.qpid.server.model.Transport;
import org.apache.qpid.server.model.port.AmqpPort;
@@ -115,25 +115,37 @@ class TCPandSSLTransport implements Acce
}
@Override
+ public Collection<String> getEnabledCipherSuites()
+ {
+ return _port.getEnabledCipherSuites();
+ }
+
+ @Override
+ public Collection<String> getDisabledCipherSuites()
+ {
+ return _port.getDisabledCipherSuites();
+ }
+
+ @Override
public boolean needClientAuth()
{
return _port.getNeedClientAuth();
}
@Override
- public Boolean getTcpNoDelay()
+ public boolean getTcpNoDelay()
{
return _port.isTcpNoDelay();
}
@Override
- public Integer getSendBufferSize()
+ public int getSendBufferSize()
{
return _port.getSendBufferSize();
}
@Override
- public Integer getReceiveBufferSize()
+ public int getReceiveBufferSize()
{
return _port.getReceiveBufferSize();
}
Modified: qpid/trunk/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java?rev=1655457&r1=1655456&r2=1655457&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java (original)
+++ qpid/trunk/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java Wed Jan 28 20:34:16 2015
@@ -352,6 +352,17 @@ public class HttpManagement extends Abst
}
SslContextFactory factory = new SslContextFactory();
factory.addExcludeProtocols(SSLUtil.SSLV3_PROTOCOL);
+
+ if(port.getDisabledCipherSuites() != null)
+ {
+ factory.addExcludeCipherSuites(port.getDisabledCipherSuites().toArray(new String[port.getDisabledCipherSuites().size()]));
+ }
+
+ if(port.getEnabledCipherSuites() != null && !port.getEnabledCipherSuites().isEmpty())
+ {
+ factory.setIncludeCipherSuites(port.getEnabledCipherSuites().toArray(new String[port.getEnabledCipherSuites().size()]));
+ }
+
boolean needClientCert = port.getNeedClientAuth() || port.getWantClientAuth();
if (needClientCert && trustStores.isEmpty())
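Review bot: `port.getDisabledCipherSuites()` is evaluated three times in one statement, and `port.getEnabledCipherSuites()` four times across the second block; each call re-reads the managed attribute and the repeated `toArray(new String[...size()])` idiom hides the intent. Hoist each into a local and use the zero-length array form, e.g. `Collection<String> disabled = port.getDisabledCipherSuites();` then `factory.addExcludeCipherSuites(disabled.toArray(new String[0]));`, and likewise for the include list (check that `java.util.Collection` is imported in this file). Note also that this HTTP path passes the configured names straight to Jetty, whereas the AMQP path in SSLUtil first intersects the enabled list with the provider's supported suites; an unsupported name therefore behaves differently per port type, which deserves a comment here or alignment of the two paths.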
Modified: qpid/trunk/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/JMXManagedObjectRegistry.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/JMXManagedObjectRegistry.java?rev=1655457&r1=1655456&r2=1655457&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/JMXManagedObjectRegistry.java (original)
+++ qpid/trunk/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/JMXManagedObjectRegistry.java Wed Jan 28 20:34:16 2015
@@ -146,7 +146,7 @@ public class JMXManagedObjectRegistry im
//create the SSL RMI socket factories
csf = new SslRMIClientSocketFactory();
- ssf = new QpidSslRMIServerSocketFactory(sslContext);
+ ssf = new QpidSslRMIServerSocketFactory(sslContext,_connectorPort.getEnabledCipherSuites(), _connectorPort.getDisabledCipherSuites());
}
else
{
Modified: qpid/trunk/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/QpidSslRMIServerSocketFactory.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/QpidSslRMIServerSocketFactory.java?rev=1655457&r1=1655456&r2=1655457&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/QpidSslRMIServerSocketFactory.java (original)
+++ qpid/trunk/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/QpidSslRMIServerSocketFactory.java Wed Jan 28 20:34:16 2015
@@ -24,6 +24,7 @@ import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
+import java.util.Collection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
@@ -35,6 +36,8 @@ import org.apache.qpid.transport.network
public class QpidSslRMIServerSocketFactory extends SslRMIServerSocketFactory
{
private final SSLContext _sslContext;
+ private final Collection<String> _enabledCipherSuites;
+ private final Collection<String> _disabledCipherSuites;
/**
* SslRMIServerSocketFactory which creates the ServerSocket using the
@@ -43,9 +46,12 @@ public class QpidSslRMIServerSocketFacto
* key store.
*
* @param sslContext previously created sslContext using the desired key store.
- * @throws NullPointerException if the provided {@link SSLContext} is null.
+ * @param enabledCipherSuites
+ *@param disabledCipherSuites @throws NullPointerException if the provided {@link SSLContext} is null.
*/
- public QpidSslRMIServerSocketFactory(SSLContext sslContext) throws NullPointerException
+ public QpidSslRMIServerSocketFactory(SSLContext sslContext,
+ final Collection<String> enabledCipherSuites,
+ final Collection<String> disabledCipherSuites) throws NullPointerException
{
super();
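Review bot: The constructor Javadoc in this hunk is malformed: `@param enabledCipherSuites` has no description, and the next line fuses `@param disabledCipherSuites` with the `@throws NullPointerException` clause on a single line that also lacks the leading space, so javadoc will render the throws text as the parameter description. Replace the two lines with `* @param enabledCipherSuites cipher suites to enable on created sockets; null or empty keeps the provider defaults`, `* @param disabledCipherSuites cipher suites to remove from created sockets; null or empty removes nothing` and `* @throws NullPointerException if the provided {@link SSLContext} is null.`. The "null or empty" wording reflects the checks SSLUtil.updateEnabledCipherSuites performs in this commit.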
@@ -55,6 +61,8 @@ public class QpidSslRMIServerSocketFacto
}
_sslContext = sslContext;
+ _enabledCipherSuites = enabledCipherSuites;
+ _disabledCipherSuites = disabledCipherSuites;
//TODO: settings + implementation for SSL client auth, updating equals and hashCode appropriately.
}
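Review bot: The constructor now stores `_enabledCipherSuites` and `_disabledCipherSuites`, but the TODO on the last line of this hunk indicates equals and hashCode (outside the hunk) are still keyed only on the SSL context. RMI uses server socket factory equality to decide whether an existing listening socket can be reused, so if that is still the case two factories that differ only in cipher configuration would be treated as interchangeable and one port's cipher restrictions could silently apply to another; the new fields should be folded into equals/hashCode in the same change. Also worth confirming whether the caller's collections should be defensively copied here, e.g. `_enabledCipherSuites = enabledCipherSuites == null ? null : new ArrayList<>(enabledCipherSuites);`, since the factory outlives the configuration object that supplied them.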
@@ -77,6 +85,7 @@ public class QpidSslRMIServerSocketFacto
true);
sslSocket.setUseClientMode(false);
SSLUtil.removeSSLv3Support(sslSocket);
+ SSLUtil.updateEnabledCipherSuites(sslSocket, _enabledCipherSuites, _disabledCipherSuites);
return sslSocket;
}
};
Modified: qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/NetworkTransportConfiguration.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/NetworkTransportConfiguration.java?rev=1655457&r1=1655456&r2=1655457&view=diff
==============================================================================
--- qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/NetworkTransportConfiguration.java (original)
+++ qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/NetworkTransportConfiguration.java Wed Jan 28 20:34:16 2015
@@ -21,6 +21,7 @@
package org.apache.qpid.transport;
import java.net.InetSocketAddress;
+import java.util.Collection;
/**
* This interface provides a means for NetworkDrivers to configure TCP options such as incoming and outgoing
@@ -30,17 +31,21 @@ import java.net.InetSocketAddress;
public interface NetworkTransportConfiguration
{
// Taken from Socket
- Boolean getTcpNoDelay();
+ boolean getTcpNoDelay();
// The amount of memory in bytes to allocate to the incoming buffer
- Integer getReceiveBufferSize();
+ int getReceiveBufferSize();
// The amount of memory in bytes to allocate to the outgoing buffer
- Integer getSendBufferSize();
+ int getSendBufferSize();
InetSocketAddress getAddress();
boolean needClientAuth();
boolean wantClientAuth();
+
+ Collection<String> getEnabledCipherSuites();
+
+ Collection<String> getDisabledCipherSuites();
}
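Review bot: The two new interface methods getEnabledCipherSuites and getDisabledCipherSuites are the only members in this interface without an explanatory comment, and the null/empty contract matters to every implementor. Add, in the file's existing comment style, `// Cipher suites to enable on accepted sockets; null or empty leaves the provider defaults in place` above the first and `// Cipher suites to remove after the enabled set has been applied; null or empty removes nothing` above the second, matching the checks SSLUtil.updateEnabledCipherSuites makes in this commit. The primitive return-type changes in the same hunk are fine but also deserve a sentence stating that implementors must supply a value (there is no longer a null to signal "unset").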
Modified: qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/io/IoNetworkTransport.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/io/IoNetworkTransport.java?rev=1655457&r1=1655456&r2=1655457&view=diff
==============================================================================
--- qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/io/IoNetworkTransport.java (original)
+++ qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/io/IoNetworkTransport.java Wed Jan 28 20:34:16 2015
@@ -190,6 +190,7 @@ public class IoNetworkTransport implemen
SSLServerSocket sslServerSocket = (SSLServerSocket) _serverSocket;
SSLUtil.removeSSLv3Support(sslServerSocket);
+ SSLUtil.updateEnabledCipherSuites(sslServerSocket, config.getEnabledCipherSuites(), config.getDisabledCipherSuites());
if(config.needClientAuth())
{
Modified: qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java?rev=1655457&r1=1655456&r2=1655457&view=diff
==============================================================================
--- qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java (original)
+++ qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java Wed Jan 28 20:34:16 2015
@@ -24,6 +24,9 @@ import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.Method;
+import java.lang.reflect.Proxy;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
@@ -33,7 +36,10 @@ import java.security.cert.CertificatePar
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
+import java.util.Collection;
+import java.util.HashSet;
import java.util.List;
+import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
@@ -266,7 +272,35 @@ public class SSLUtil
return ks;
}
- public static void removeSSLv3Support(final SSLEngine engine)
+ private static interface SSLEntity
+ {
+ String[] getEnabledCipherSuites();
+
+ void setEnabledCipherSuites(String[] strings);
+
+ String[] getEnabledProtocols();
+
+ void setEnabledProtocols(String[] protocols);
+
+ String[] getSupportedCipherSuites();
+
+ String[] getSupportedProtocols();
+ }
+
+ private static SSLEntity asSSLEntity(final Object object, final Class<?> clazz)
+ {
+ return (SSLEntity) Proxy.newProxyInstance(SSLEntity.class.getClassLoader(), new Class[] { SSLEntity.class }, new InvocationHandler()
+ {
+ @Override
+ public Object invoke(final Object proxy, final Method method, final Object[] args) throws Throwable
+ {
+ Method delegateMethod = clazz.getMethod(method.getName(), method.getParameterTypes());
+ return delegateMethod.invoke(object, args);
+ }
+ }) ;
+ }
+
+ private static void removeSSLv3Support(final SSLEntity engine)
{
List<String> enabledProtocols = Arrays.asList(engine.getEnabledProtocols());
if(enabledProtocols.contains(SSLV3_PROTOCOL))
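Review bot: In asSSLEntity, `delegateMethod.invoke(object, args)` wraps any exception thrown by the real SSLEngine/SSLSocket method in a checked InvocationTargetException; because none of the SSLEntity methods declare it, the dynamic proxy rethrows it as UndeclaredThrowableException, so an IllegalArgumentException from setEnabledCipherSuites or setEnabledProtocols (for instance an unsupported suite name) reaches callers as an unrelated type with the real cause buried two levels down. Unwrap it in the handler and rethrow the cause, as below; this needs `java.lang.reflect.InvocationTargetException` added to the imports in the earlier hunk. The private removeSSLv3Support(SSLEntity) body continues past the end of this hunk.
```java
private static SSLEntity asSSLEntity(final Object object, final Class<?> clazz)
{
    // … unchanged: Proxy.newProxyInstance(...) wrapper around the handler below …
        @Override
        public Object invoke(final Object proxy, final Method method, final Object[] args) throws Throwable
        {
            Method delegateMethod = clazz.getMethod(method.getName(), method.getParameterTypes());
            try
            {
                return delegateMethod.invoke(object, args);
            }
            catch (InvocationTargetException e)
            {
                // surface the delegate's own exception rather than an UndeclaredThrowableException
                throw e.getCause();
            }
        }
```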
@@ -277,26 +311,61 @@ public class SSLUtil
}
}
- public static void removeSSLv3Support(final SSLSocket socket)
+ public static void removeSSLv3Support(final SSLEngine engine)
{
- List<String> enabledProtocols = Arrays.asList(socket.getEnabledProtocols());
- if(enabledProtocols.contains(SSLV3_PROTOCOL))
- {
- List<String> allowedProtocols = new ArrayList<>(enabledProtocols);
- allowedProtocols.remove(SSLV3_PROTOCOL);
- socket.setEnabledProtocols(allowedProtocols.toArray(new String[allowedProtocols.size()]));
- }
+ removeSSLv3Support(asSSLEntity(engine, SSLEngine.class));
}
+ public static void removeSSLv3Support(final SSLSocket socket)
+ {
+ removeSSLv3Support(asSSLEntity(socket, SSLSocket.class));
+ }
public static void removeSSLv3Support(final SSLServerSocket socket)
{
- List<String> enabledProtocols = Arrays.asList(socket.getEnabledProtocols());
- if(enabledProtocols.contains(SSLV3_PROTOCOL))
+ removeSSLv3Support(asSSLEntity(socket, SSLServerSocket.class));
+ }
+
+ private static void updateEnabledCipherSuites(final SSLEntity entity,
+ final Collection<String> enabledCipherSuites,
+ final Collection<String> disabledCipherSuites)
+ {
+ if(enabledCipherSuites != null && !enabledCipherSuites.isEmpty())
{
- List<String> allowedProtocols = new ArrayList<>(enabledProtocols);
- allowedProtocols.remove(SSLV3_PROTOCOL);
- socket.setEnabledProtocols(allowedProtocols.toArray(new String[allowedProtocols.size()]));
+ final Set<String> supportedSuites =
+ new HashSet<>(Arrays.asList(entity.getSupportedCipherSuites()));
+ supportedSuites.retainAll(enabledCipherSuites);
+ entity.setEnabledCipherSuites(supportedSuites.toArray(new String[supportedSuites.size()]));
+ }
+
+ if(disabledCipherSuites != null && !disabledCipherSuites.isEmpty())
+ {
+ final Set<String> enabledSuites = new HashSet<>(Arrays.asList(entity.getEnabledCipherSuites()));
+ enabledSuites.removeAll(disabledCipherSuites);
+ entity.setEnabledCipherSuites(enabledSuites.toArray(new String[enabledSuites.size()]));
}
+
+ }
+
+
+ public static void updateEnabledCipherSuites(final SSLEngine engine,
+ final Collection<String> enabledCipherSuites,
+ final Collection<String> disabledCipherSuites)
+ {
+ updateEnabledCipherSuites(asSSLEntity(engine, SSLEngine.class), enabledCipherSuites, disabledCipherSuites);
+ }
+
+ public static void updateEnabledCipherSuites(final SSLServerSocket socket,
+ final Collection<String> enabledCipherSuites,
+ final Collection<String> disabledCipherSuites)
+ {
+ updateEnabledCipherSuites(asSSLEntity(socket, SSLServerSocket.class), enabledCipherSuites, disabledCipherSuites);
+ }
+
+ public static void updateEnabledCipherSuites(final SSLSocket socket,
+ final Collection<String> enabledCipherSuites,
+ final Collection<String> disabledCipherSuites)
+ {
+ updateEnabledCipherSuites(asSSLEntity(socket, SSLSocket.class), enabledCipherSuites, disabledCipherSuites);
}
}
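Review bot: In updateEnabledCipherSuites(SSLEntity, …) the enabled branch builds the result in a HashSet, which discards the order of the administrator's list, and the disabled branch does the same; on a server the enabled array is also the preference order presented to JSSE, so a deliberately ordered configuration (strongest suite first) is replaced by hash order. The same branch silently accepts an enabled list none of whose names are supported and then calls setEnabledCipherSuites with an empty array, after which every handshake on the port fails with no log line pointing at the configuration; the disabled branch can produce the same empty set. Keep the configured order by filtering the list in place and fail (or at least log) when the intersection is empty, as below; the disabled branch can use the same list-based filtering. `List` and `ArrayList` are already imported in this file.
```java
if(enabledCipherSuites != null && !enabledCipherSuites.isEmpty())
{
    final Set<String> supportedSuites =
            new HashSet<>(Arrays.asList(entity.getSupportedCipherSuites()));
    // preserve the configured order: it is the server's preference order
    final List<String> selectedSuites = new ArrayList<>();
    for (String suite : enabledCipherSuites)
    {
        if (supportedSuites.contains(suite))
        {
            selectedSuites.add(suite);
        }
    }
    if (selectedSuites.isEmpty())
    {
        throw new IllegalArgumentException("None of the configured enabled cipher suites is supported: "
                                           + enabledCipherSuites);
    }
    entity.setEnabledCipherSuites(selectedSuites.toArray(new String[selectedSuites.size()]));
}
// … unchanged: disabledCipherSuites branch (apply the same ordered filtering and empty-set check) …
```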