Posted to derby-commits@db.apache.org by ma...@apache.org on 2014/11/13 23:22:12 UTC
svn commit: r1639540 - in /db/derby/code/branches/10.11: ./
java/client/org/apache/derby/client/net/
java/drda/org/apache/derby/impl/drda/
Author: mamta
Date: Thu Nov 13 22:22:12 2014
New Revision: 1639540
URL: http://svn.apache.org/r1639540
Log:
DERBY-6764(analyze impact of poodle security alert on Derby client - server ssl support)
Backporting to 10.11
Modified:
db/derby/code/branches/10.11/ (props changed)
db/derby/code/branches/10.11/java/client/org/apache/derby/client/net/NaiveTrustManager.java
db/derby/code/branches/10.11/java/client/org/apache/derby/client/net/OpenSocketAction.java
db/derby/code/branches/10.11/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java
db/derby/code/branches/10.11/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java
Propchange: db/derby/code/branches/10.11/
------------------------------------------------------------------------------
Merged /db/derby/code/trunk:r1636509,1636668,1636798
Modified: db/derby/code/branches/10.11/java/client/org/apache/derby/client/net/NaiveTrustManager.java
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.11/java/client/org/apache/derby/client/net/NaiveTrustManager.java?rev=1639540&r1=1639539&r2=1639540&view=diff
==============================================================================
--- db/derby/code/branches/10.11/java/client/org/apache/derby/client/net/NaiveTrustManager.java (original)
+++ db/derby/code/branches/10.11/java/client/org/apache/derby/client/net/NaiveTrustManager.java Thu Nov 13 22:22:12 2014
@@ -73,7 +73,7 @@ class NaiveTrustManager
thisManager = new TrustManager [] {new NaiveTrustManager()};
}
- SSLContext ctx = SSLContext.getInstance("SSL");
+ SSLContext ctx = SSLContext.getInstance("TLS");
if (ctx.getProvider().getName().equals("SunJSSE") &&
(System.getProperty("javax.net.ssl.keyStore") != null) &&
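Review bot: Changing the context name to `"TLS"` on the modified line does not by itself remove SSLv3: the enabled-protocol list a `TLS` context hands out is decided by the JRE, and on the JDK 7 line in use when this was written that default list still contained SSLv3 (to be confirmed against the target JREs), so the socket-level filtering added in OpenSocketAction is the part of this commit that actually enforces the restriction. A reader who sees only this file will assume the rename is the fix, so a comment at the changed line would help: `// "TLS" so the context is not pinned to the legacy "SSL" selector; SSLv3/SSLv2Hello are removed per socket in OpenSocketAction (DERBY-6764).`. The same applies to the identical hunk in java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java. The enclosing method continues outside the hunk.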
Modified: db/derby/code/branches/10.11/java/client/org/apache/derby/client/net/OpenSocketAction.java
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.11/java/client/org/apache/derby/client/net/OpenSocketAction.java?rev=1639540&r1=1639539&r2=1639540&view=diff
==============================================================================
--- db/derby/code/branches/10.11/java/client/org/apache/derby/client/net/OpenSocketAction.java (original)
+++ db/derby/code/branches/10.11/java/client/org/apache/derby/client/net/OpenSocketAction.java Thu Nov 13 22:22:12 2014
@@ -22,6 +22,7 @@
package org.apache.derby.client.net;
import java.io.IOException;
+
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.KeyManagementException;
@@ -32,6 +33,7 @@ import java.security.PrivilegedException
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import javax.net.SocketFactory;
+import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.apache.derby.jdbc.BasicClientDataSource40;
@@ -75,7 +77,45 @@ class OpenSocketAction implements Privil
sf = SocketFactory.getDefault();
break;
}
- return sf.createSocket(server_, port_);
+ if (clientSSLMode_ == BasicClientDataSource40.SSL_BASIC ||
+ clientSSLMode_ == BasicClientDataSource40.SSL_PEER_AUTHENTICATION){
+ //DERBY-6764(analyze impact of poodle security alert on Derby
+ // client - server ssl support)
+ //If SSLv3 and/or SSLv2Hello is one of the enabled protocols,
+ // then we want to remove it from the list of enabled protocols
+ // because of poodle security breach
+ SSLSocket sSocket = (SSLSocket)sf.createSocket(server_, port_);
+ String[] enabledProtocols = sSocket.getEnabledProtocols();
+
+ //If SSLv3 and/or SSLv2Hello is one of the enabled protocols,
+ // then remove it from the list of enabled protocols because of
+ // its security breach.
+ String[] supportedProtocols = new String[enabledProtocols.length];
+ int supportedProtocolsCount = 0;
+ for ( int i = 0; i < enabledProtocols.length; i++ )
+ {
+ if (!(enabledProtocols[i].toUpperCase().contains("SSLV3") ||
+ enabledProtocols[i].toUpperCase().contains("SSLV2HELLO"))) {
+ supportedProtocols[supportedProtocolsCount] =
+ enabledProtocols[i];
+ supportedProtocolsCount++;
+ }
+ }
+ if(supportedProtocolsCount < enabledProtocols.length) {
+ String[] newEnabledProtocolsList = null;
+ //We found that SSLv3 and or SSLv2Hello is one of the enabled
+ // protocols for this jvm. Following code will remove it from
+ // enabled list.
+ newEnabledProtocolsList =
+ new String[supportedProtocolsCount];
+ System.arraycopy(supportedProtocols, 0,
+ newEnabledProtocolsList, 0,
+ supportedProtocolsCount);
+ sSocket.setEnabledProtocols(newEnabledProtocolsList);
+ }
+ return sSocket;
+ } else
+ return sf.createSocket(server_, port_);
}
}
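Review bot: The new filter loop never checks that anything is left after removing SSLv3 and SSLv2Hello: if a JRE's enabled list consisted only of those two, `setEnabledProtocols` would be called with an empty array and the failure would surface later as an opaque handshake error instead of at this point. Since the method already propagates `IOException` from `createSocket`, a guard such as `if (supportedProtocolsCount == 0) throw new IOException("no TLS protocol is enabled in this JVM");` before the `setEnabledProtocols` call makes the condition explicit; keeping only names that `startsWith("TLS")` would also turn the deny-list into an allow-list that needs no maintenance when further legacy names appear. `toUpperCase()` on the protocol names should pass `Locale.ROOT` so the comparison does not depend on the default locale. The same loop and the same missing guard are duplicated in `removeSSLv3andSSLv2Hello` in NetworkServerControlImpl.java and its four call sites; this client copy would read better as a private helper of OpenSocketAction too. The enclosing run() begins outside the hunk.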
Modified: db/derby/code/branches/10.11/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.11/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java?rev=1639540&r1=1639539&r2=1639540&view=diff
==============================================================================
--- db/derby/code/branches/10.11/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java (original)
+++ db/derby/code/branches/10.11/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java Thu Nov 13 22:22:12 2014
@@ -68,7 +68,7 @@ public class NaiveTrustManager
thisManager = new TrustManager [] {new NaiveTrustManager()};
}
- SSLContext ctx = SSLContext.getInstance("SSL");
+ SSLContext ctx = SSLContext.getInstance("TLS");
if (ctx.getProvider().getName().equals("SunJSSE") &&
(PropertyUtil.getSystemProperty("javax.net.ssl.keyStore") != null) &&
Modified: db/derby/code/branches/10.11/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.11/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java?rev=1639540&r1=1639539&r2=1639540&view=diff
==============================================================================
--- db/derby/code/branches/10.11/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java (original)
+++ db/derby/code/branches/10.11/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java Thu Nov 13 22:22:12 2014
@@ -724,9 +724,17 @@ public final class NetworkServerControlI
case SSL_BASIC:
SSLServerSocketFactory ssf =
(SSLServerSocketFactory)SSLServerSocketFactory.getDefault();
- return (SSLServerSocket)ssf.createServerSocket(portNumber,
- 0,
- hostAddress);
+ SSLServerSocket sss1=
+ (SSLServerSocket)ssf.createServerSocket(portNumber,
+ 0,
+ hostAddress);
+ //DERBY-6764(analyze impact of poodle security alert on
+ // Derby client - server ssl support)
+ String[] removeTwoProtocols =
+ removeSSLv3andSSLv2Hello(
+ sss1.getEnabledProtocols());
+ sss1.setEnabledProtocols(removeTwoProtocols);
+ return sss1;
case SSL_PEER_AUTHENTICATION:
SSLServerSocketFactory ssf2 =
(SSLServerSocketFactory)SSLServerSocketFactory.getDefault();
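Review bot: The local introduced at `String[] removeTwoProtocols =` is named after the operation rather than the value it holds, and the same variable is then reused by plain assignment in the SSL_PEER_AUTHENTICATION case that follows, so the two switch arms share a local for no reason. Each filtered list is used exactly once, so inlining removes both issues: `sss1.setEnabledProtocols(removeSSLv3andSSLv2Hello(sss1.getEnabledProtocols()));` and likewise for `sss2`. The same pattern recurs in the two client-socket hunks below (`s1`, `s2`). `SSLServerSocket sss1=` is also missing the space before `=`. The enclosing switch and method begin outside the hunk.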
@@ -734,6 +742,12 @@ public final class NetworkServerControlI
(SSLServerSocket)ssf2.createServerSocket(portNumber,
0,
hostAddress);
+ //DERBY-6764(analyze impact of poodle security alert on
+ // Derby client - server ssl support)
+ removeTwoProtocols =
+ removeSSLv3andSSLv2Hello(
+ sss2.getEnabledProtocols());
+ sss2.setEnabledProtocols(removeTwoProtocols);
sss2.setNeedClientAuth(true);
return sss2;
}
@@ -2628,6 +2642,12 @@ public final class NetworkServerControlI
case SSL_BASIC:
SSLSocket s1 = (SSLSocket)NaiveTrustManager.getSocketFactory().
createSocket(hostAddress, portNumber);
+ //DERBY-6764(analyze impact of poodle security alert on
+ // Derby client - server ssl support)
+ String[] removeTwoProtocols =
+ removeSSLv3andSSLv2Hello(s1.getEnabledProtocols());
+ s1.setEnabledProtocols(
+ removeTwoProtocols);
// Need to handshake now to get proper error reporting.
s1.startHandshake();
return s1;
@@ -2635,6 +2655,12 @@ public final class NetworkServerControlI
case SSL_PEER_AUTHENTICATION:
SSLSocket s2 = (SSLSocket)SSLSocketFactory.getDefault().
createSocket(hostAddress, portNumber);
+ //DERBY-6764(analyze impact of poodle security alert on
+ // Derby client - server ssl support)
+ removeTwoProtocols =
+ removeSSLv3andSSLv2Hello(s2.getEnabledProtocols());
+ s2.setEnabledProtocols(
+ removeTwoProtocols);
// Need to handshake now to get proper error reporting.
s2.startHandshake();
return s2;
@@ -2676,7 +2702,38 @@ public final class NetworkServerControlI
}
}
-
+ //DERBY-6764(analyze impact of poodle security alert on
+ // Derby client - server ssl support)
+ //Remove SSLv3 and SSLv2Hello protocols from list of enabled protocols
+ private String[] removeSSLv3andSSLv2Hello(String[] enabledProtocols) {
+ //If SSLv3 and SSLv2Hello are one of the enabled protocols, then
+ // remove them from the list of enabled protocols because of the
+ // possible security breach.
+ String[] supportedProtocols = new String[enabledProtocols.length];
+ int supportedProtocolsCount = 0;
+ for ( int i = 0; i < enabledProtocols.length; i++ )
+ {
+ if (!(enabledProtocols[i].toUpperCase().contains("SSLV3") ||
+ enabledProtocols[i].toUpperCase().contains("SSLV2HELLO"))) {
+ supportedProtocols[supportedProtocolsCount] = enabledProtocols[i];
+ supportedProtocolsCount++;
+ }
+ }
+ if(supportedProtocolsCount < enabledProtocols.length) {
+ //We found SSLv3 and/or SSLv2Hello as one of the enabled
+ // protocols for this jvm. Following code will remove them from
+ // enabled list.
+ String[] newEnabledProtocolsList = null;
+ newEnabledProtocolsList =
+ new String[supportedProtocolsCount];
+ System.arraycopy(supportedProtocols, 0,
+ newEnabledProtocolsList, 0,
+ supportedProtocolsCount);
+ return(newEnabledProtocolsList);
+ } else
+ return(enabledProtocols);
+ }
+
private void checkAddressIsLocal(InetAddress inetAddr) throws UnknownHostException,Exception
{
if (localAddresses.contains(inetAddr)) {
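Review bot: `removeSSLv3andSSLv2Hello` is written in a style that fights the surrounding code: `newEnabledProtocolsList` is initialised to `null` and reassigned on the next statement, both returns use `return(x)` with redundant parentheses, the `else` branch is unbraced, and the hand-rolled `System.arraycopy` into a freshly sized array is what `Arrays.copyOf` does. The method does not read instance state, so it can be `static`. The rewrite below keeps the contract (the original array is returned unchanged when nothing was removed); it needs `java.util.Arrays` and `java.util.Locale` in the import list if they are not already there, and `Arrays.copyOf` requires the branch's baseline to be Java 6 or later, which should be checked. `checkAddressIsLocal` at the end of the hunk continues outside it.
```java
//DERBY-6764: drop SSLv3 and SSLv2Hello from a list of enabled protocols.
// Returns the input array itself when nothing had to be removed.
private static String[] removeSSLv3andSSLv2Hello(String[] enabledProtocols) {
    String[] kept = new String[enabledProtocols.length];
    int count = 0;
    for (String protocol : enabledProtocols) {
        String upper = protocol.toUpperCase(Locale.ROOT);
        if (!upper.contains("SSLV3") && !upper.contains("SSLV2HELLO")) {
            kept[count++] = protocol;
        }
    }
    if (count == enabledProtocols.length) {
        return enabledProtocols;
    }
    return Arrays.copyOf(kept, count);
}
```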