diff options
author | Robert Godfrey <rgodfrey@apache.org> | 2015-01-28 20:34:16 +0000 |
---|---|---|
committer | Robert Godfrey <rgodfrey@apache.org> | 2015-01-28 20:34:16 +0000 |
commit | 8aee348935e03db6b183a04a0a4525f4b2a9b7de (patch) | |
tree | 0f4ebb40c2acaa4e7d1459031db95ebc36090704 | |
parent | ea88320c4b96064dea8ffb039a4ee63ae290b22d (diff) | |
download | qpid-python-8aee348935e03db6b183a04a0a4525f4b2a9b7de.tar.gz |
QPID-6345 : Allow enabled cipher suites to be configured
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1655457 13f79535-47bb-0310-9956-ffa450edef68
10 files changed, 162 insertions, 24 deletions
diff --git a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/Port.java b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/Port.java index 24528b9a4e..7318a58640 100644 --- a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/Port.java +++ b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/Port.java @@ -60,6 +60,18 @@ public interface Port<X extends Port<X>> extends ConfiguredObject<X> @ManagedAttribute Collection<TrustStore> getTrustStores(); + @ManagedContextDefault(name = "qpid.port.enabledCipherSuites" ) + String DEFAULT_ENABLED_CIPHER_SUITES="[]"; + + @ManagedAttribute( defaultValue = "${qpid.port.enabledCipherSuites}") + Collection<String> getEnabledCipherSuites(); + + @ManagedContextDefault(name = "qpid.port.disabledCipherSuites" ) + String DEFAULT_DISABLED_CIPHER_SUITES="[]"; + + @ManagedAttribute( defaultValue = "${qpid.port.disabledCipherSuites}") + Collection<String> getDisabledCipherSuites(); + Collection<Connection> getConnections(); void start(); diff --git a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java index 6d8e65cd17..21827ffe58 100644 --- a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java +++ b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java @@ -66,6 +66,12 @@ abstract public class AbstractPort<X extends AbstractPort<X>> extends AbstractCo @ManagedAttributeField private Set<Protocol> _protocols; + @ManagedAttributeField + private Collection<String> _enabledCipherSuites; + + @ManagedAttributeField + private Collection<String> _disabledCipherSuites; + public AbstractPort(Map<String, Object> attributes, Broker<?> broker) { @@ -278,6 +284,18 @@ abstract public class AbstractPort<X extends AbstractPort<X>> extends AbstractCo } @Override + public Collection<String> getEnabledCipherSuites() + { + return _enabledCipherSuites; + } + + @Override + public Collection<String> getDisabledCipherSuites() + { + return _disabledCipherSuites; + } + + @Override public KeyStore getKeyStore() { return _keyStore; diff --git a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/protocol/MultiVersionProtocolEngine.java b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/protocol/MultiVersionProtocolEngine.java index dd5e01ebc5..49c0812f4a 100755 --- a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/protocol/MultiVersionProtocolEngine.java +++ b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/protocol/MultiVersionProtocolEngine.java @@ -502,6 +502,7 @@ public class MultiVersionProtocolEngine implements ServerProtocolEngine _engine = _sslContext.createSSLEngine(); _engine.setUseClientMode(false); SSLUtil.removeSSLv3Support(_engine); + SSLUtil.updateEnabledCipherSuites(_engine, _port.getEnabledCipherSuites(), _port.getDisabledCipherSuites()); if(_needClientAuth) { diff --git a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/transport/TCPandSSLTransport.java b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/transport/TCPandSSLTransport.java index b1f6b84b72..8f7a267771 100644 --- a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/transport/TCPandSSLTransport.java +++ b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/transport/TCPandSSLTransport.java @@ -23,12 +23,12 @@ package org.apache.qpid.server.transport; import static org.apache.qpid.transport.ConnectionSettings.WILDCARD_ADDRESS; import java.net.InetSocketAddress; +import java.util.Collection; import java.util.Set; import javax.net.ssl.SSLContext; import org.apache.qpid.server.model.Broker; -import org.apache.qpid.server.model.Port; import org.apache.qpid.server.model.Protocol; import org.apache.qpid.server.model.Transport; import org.apache.qpid.server.model.port.AmqpPort; @@ -115,25 +115,37 @@ class TCPandSSLTransport implements AcceptingTransport } @Override + public Collection<String> getEnabledCipherSuites() + { + return _port.getEnabledCipherSuites(); + } + + @Override + public Collection<String> getDisabledCipherSuites() + { + return _port.getDisabledCipherSuites(); + } + + @Override public boolean needClientAuth() { return _port.getNeedClientAuth(); } @Override - public Boolean getTcpNoDelay() + public boolean getTcpNoDelay() { return _port.isTcpNoDelay(); } @Override - public Integer getSendBufferSize() + public int getSendBufferSize() { return _port.getSendBufferSize(); } @Override - public Integer getReceiveBufferSize() + public int getReceiveBufferSize() { return _port.getReceiveBufferSize(); } diff --git a/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java index 7b3e06f7fe..75f4e59242 100644 --- a/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java +++ b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java @@ -352,6 +352,17 @@ public class HttpManagement extends AbstractPluginAdapter<HttpManagement> implem } SslContextFactory factory = new SslContextFactory(); factory.addExcludeProtocols(SSLUtil.SSLV3_PROTOCOL); + + if(port.getDisabledCipherSuites() != null) + { + factory.addExcludeCipherSuites(port.getDisabledCipherSuites().toArray(new String[port.getDisabledCipherSuites().size()])); + } + + if(port.getEnabledCipherSuites() != null && !port.getEnabledCipherSuites().isEmpty()) + { + factory.setIncludeCipherSuites(port.getEnabledCipherSuites().toArray(new String[port.getEnabledCipherSuites().size()])); + } + boolean needClientCert = port.getNeedClientAuth() || port.getWantClientAuth(); if (needClientCert && trustStores.isEmpty()) diff --git a/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/JMXManagedObjectRegistry.java b/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/JMXManagedObjectRegistry.java index 78eba66158..8fc1ea1d8e 100644 --- a/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/JMXManagedObjectRegistry.java +++ b/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/JMXManagedObjectRegistry.java @@ -146,7 +146,7 @@ public class JMXManagedObjectRegistry implements ManagedObjectRegistry //create the SSL RMI socket factories csf = new SslRMIClientSocketFactory(); - ssf = new QpidSslRMIServerSocketFactory(sslContext); + ssf = new QpidSslRMIServerSocketFactory(sslContext,_connectorPort.getEnabledCipherSuites(), _connectorPort.getDisabledCipherSuites()); } else { diff --git a/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/QpidSslRMIServerSocketFactory.java b/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/QpidSslRMIServerSocketFactory.java index 5c15a40427..8af9d87672 100644 --- a/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/QpidSslRMIServerSocketFactory.java +++ b/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/QpidSslRMIServerSocketFactory.java @@ -24,6 +24,7 @@ import java.io.IOException; import java.net.InetSocketAddress; import java.net.ServerSocket; import java.net.Socket; +import java.util.Collection; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSocket; @@ -35,6 +36,8 @@ import org.apache.qpid.transport.network.security.ssl.SSLUtil; public class QpidSslRMIServerSocketFactory extends SslRMIServerSocketFactory { private final SSLContext _sslContext; + private final Collection<String> _enabledCipherSuites; + private final Collection<String> _disabledCipherSuites; /** * SslRMIServerSocketFactory which creates the ServerSocket using the @@ -43,9 +46,12 @@ public class QpidSslRMIServerSocketFactory extends SslRMIServerSocketFactory * key store. * * @param sslContext previously created sslContext using the desired key store. - * @throws NullPointerException if the provided {@link SSLContext} is null. + * @param enabledCipherSuites + *@param disabledCipherSuites @throws NullPointerException if the provided {@link SSLContext} is null. */ - public QpidSslRMIServerSocketFactory(SSLContext sslContext) throws NullPointerException + public QpidSslRMIServerSocketFactory(SSLContext sslContext, + final Collection<String> enabledCipherSuites, + final Collection<String> disabledCipherSuites) throws NullPointerException { super(); @@ -55,6 +61,8 @@ public class QpidSslRMIServerSocketFactory extends SslRMIServerSocketFactory } _sslContext = sslContext; + _enabledCipherSuites = enabledCipherSuites; + _disabledCipherSuites = disabledCipherSuites; //TODO: settings + implementation for SSL client auth, updating equals and hashCode appropriately. } @@ -77,6 +85,7 @@ public class QpidSslRMIServerSocketFactory extends SslRMIServerSocketFactory true); sslSocket.setUseClientMode(false); SSLUtil.removeSSLv3Support(sslSocket); + SSLUtil.updateEnabledCipherSuites(sslSocket, _enabledCipherSuites, _disabledCipherSuites); return sslSocket; } }; diff --git a/qpid/java/common/src/main/java/org/apache/qpid/transport/NetworkTransportConfiguration.java b/qpid/java/common/src/main/java/org/apache/qpid/transport/NetworkTransportConfiguration.java index 12f8d801dc..7af3b7af39 100644 --- a/qpid/java/common/src/main/java/org/apache/qpid/transport/NetworkTransportConfiguration.java +++ b/qpid/java/common/src/main/java/org/apache/qpid/transport/NetworkTransportConfiguration.java @@ -21,6 +21,7 @@ package org.apache.qpid.transport; import java.net.InetSocketAddress; +import java.util.Collection; /** * This interface provides a means for NetworkDrivers to configure TCP options such as incoming and outgoing @@ -30,17 +31,21 @@ import java.net.InetSocketAddress; public interface NetworkTransportConfiguration { // Taken from Socket - Boolean getTcpNoDelay(); + boolean getTcpNoDelay(); // The amount of memory in bytes to allocate to the incoming buffer - Integer getReceiveBufferSize(); + int getReceiveBufferSize(); // The amount of memory in bytes to allocate to the outgoing buffer - Integer getSendBufferSize(); + int getSendBufferSize(); InetSocketAddress getAddress(); boolean needClientAuth(); boolean wantClientAuth(); + + Collection<String> getEnabledCipherSuites(); + + Collection<String> getDisabledCipherSuites(); } diff --git a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/io/IoNetworkTransport.java b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/io/IoNetworkTransport.java index e5bc9fa977..b7998ab8d9 100644 --- a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/io/IoNetworkTransport.java +++ b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/io/IoNetworkTransport.java @@ -190,6 +190,7 @@ public class IoNetworkTransport implements OutgoingNetworkTransport, IncomingNet SSLServerSocket sslServerSocket = (SSLServerSocket) _serverSocket; SSLUtil.removeSSLv3Support(sslServerSocket); + SSLUtil.updateEnabledCipherSuites(sslServerSocket, config.getEnabledCipherSuites(), config.getDisabledCipherSuites()); if(config.needClientAuth()) { diff --git a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java index b6ae2ab4a3..67dde84440 100644 --- a/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java +++ b/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java @@ -24,6 +24,9 @@ import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; +import java.lang.reflect.InvocationHandler; +import java.lang.reflect.Method; +import java.lang.reflect.Proxy; import java.net.URL; import java.security.GeneralSecurityException; import java.security.KeyStore; @@ -33,7 +36,10 @@ import java.security.cert.CertificateParsingException; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Arrays; +import java.util.Collection; +import java.util.HashSet; import java.util.List; +import java.util.Set; import java.util.SortedSet; import java.util.TreeSet; @@ -266,7 +272,35 @@ public class SSLUtil return ks; } - public static void removeSSLv3Support(final SSLEngine engine) + private static interface SSLEntity + { + String[] getEnabledCipherSuites(); + + void setEnabledCipherSuites(String[] strings); + + String[] getEnabledProtocols(); + + void setEnabledProtocols(String[] protocols); + + String[] getSupportedCipherSuites(); + + String[] getSupportedProtocols(); + } + + private static SSLEntity asSSLEntity(final Object object, final Class<?> clazz) + { + return (SSLEntity) Proxy.newProxyInstance(SSLEntity.class.getClassLoader(), new Class[] { SSLEntity.class }, new InvocationHandler() + { + @Override + public Object invoke(final Object proxy, final Method method, final Object[] args) throws Throwable + { + Method delegateMethod = clazz.getMethod(method.getName(), method.getParameterTypes()); + return delegateMethod.invoke(object, args); + } + }) ; + } + + private static void removeSSLv3Support(final SSLEntity engine) { List<String> enabledProtocols = Arrays.asList(engine.getEnabledProtocols()); if(enabledProtocols.contains(SSLV3_PROTOCOL)) @@ -277,26 +311,61 @@ public class SSLUtil } } - public static void removeSSLv3Support(final SSLSocket socket) + public static void removeSSLv3Support(final SSLEngine engine) { - List<String> enabledProtocols = Arrays.asList(socket.getEnabledProtocols()); - if(enabledProtocols.contains(SSLV3_PROTOCOL)) - { - List<String> allowedProtocols = new ArrayList<>(enabledProtocols); - allowedProtocols.remove(SSLV3_PROTOCOL); - socket.setEnabledProtocols(allowedProtocols.toArray(new String[allowedProtocols.size()])); - } + removeSSLv3Support(asSSLEntity(engine, SSLEngine.class)); } + public static void removeSSLv3Support(final SSLSocket socket) + { + removeSSLv3Support(asSSLEntity(socket, SSLSocket.class)); + } public static void removeSSLv3Support(final SSLServerSocket socket) { - List<String> enabledProtocols = Arrays.asList(socket.getEnabledProtocols()); - if(enabledProtocols.contains(SSLV3_PROTOCOL)) + removeSSLv3Support(asSSLEntity(socket, SSLServerSocket.class)); + } + + private static void updateEnabledCipherSuites(final SSLEntity entity, + final Collection<String> enabledCipherSuites, + final Collection<String> disabledCipherSuites) + { + if(enabledCipherSuites != null && !enabledCipherSuites.isEmpty()) { - List<String> allowedProtocols = new ArrayList<>(enabledProtocols); - allowedProtocols.remove(SSLV3_PROTOCOL); - socket.setEnabledProtocols(allowedProtocols.toArray(new String[allowedProtocols.size()])); + final Set<String> supportedSuites = + new HashSet<>(Arrays.asList(entity.getSupportedCipherSuites())); + supportedSuites.retainAll(enabledCipherSuites); + entity.setEnabledCipherSuites(supportedSuites.toArray(new String[supportedSuites.size()])); + } + + if(disabledCipherSuites != null && !disabledCipherSuites.isEmpty()) + { + final Set<String> enabledSuites = new HashSet<>(Arrays.asList(entity.getEnabledCipherSuites())); + enabledSuites.removeAll(disabledCipherSuites); + entity.setEnabledCipherSuites(enabledSuites.toArray(new String[enabledSuites.size()])); } + + } + + + public static void updateEnabledCipherSuites(final SSLEngine engine, + final Collection<String> enabledCipherSuites, + final Collection<String> disabledCipherSuites) + { + updateEnabledCipherSuites(asSSLEntity(engine, SSLEngine.class), enabledCipherSuites, disabledCipherSuites); + } + + public static void updateEnabledCipherSuites(final SSLServerSocket socket, + final Collection<String> enabledCipherSuites, + final Collection<String> disabledCipherSuites) + { + updateEnabledCipherSuites(asSSLEntity(socket, SSLServerSocket.class), enabledCipherSuites, disabledCipherSuites); + } + + public static void updateEnabledCipherSuites(final SSLSocket socket, + final Collection<String> enabledCipherSuites, + final Collection<String> disabledCipherSuites) + { + updateEnabledCipherSuites(asSSLEntity(socket, SSLSocket.class), enabledCipherSuites, disabledCipherSuites); } } |