authorRobert Godfrey <rgodfrey@apache.org>2014-10-17 13:58:04 +0000
committerRobert Godfrey <rgodfrey@apache.org>2014-10-17 13:58:04 +0000
commit5e8136af6e36d5f2689dd07e70095546c0120dbc (patch)
tree4b824e122d1cbb810e632dd4286c31227a16f414 /java/common/src/main/java/org/apache/qpid/transport/network/security
parente823be1ce23fc8970afc7f437eb84c164c70d837 (diff)
git-svn-id: https://svn.apache.org/repos/asf/qpid/branches/QPID-6125-ProtocolRefactoring@1632579 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'java/common/src/main/java/org/apache/qpid/transport/network/security')
-rw-r--r--java/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java10
-rw-r--r--java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java39
2 files changed, 45 insertions, 4 deletions
diff --git a/java/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java b/java/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java
index bfd1ae8181..2a2f3d8362 100644
--- a/java/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java
+++ b/java/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java
@@ -20,6 +20,11 @@
*/
package org.apache.qpid.transport.network.security;
+import java.nio.ByteBuffer;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+
import org.apache.qpid.ssl.SSLContextFactory;
import org.apache.qpid.transport.ConnectionSettings;
import org.apache.qpid.transport.Receiver;
@@ -31,10 +36,6 @@ import org.apache.qpid.transport.network.security.ssl.SSLReceiver;
import org.apache.qpid.transport.network.security.ssl.SSLSender;
import org.apache.qpid.transport.network.security.ssl.SSLUtil;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLEngine;
-import java.nio.ByteBuffer;
-
public class SecurityLayerFactory
{
private SecurityLayerFactory()
@@ -100,6 +101,7 @@ public class SecurityLayerFactory
{
_engine = sslCtx.createSSLEngine();
_engine.setUseClientMode(true);
+ SSLUtil.removeSSLv3Support(_engine);
}
catch(Exception e)
{
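Review bot: The new `SSLUtil.removeSSLv3Support(_engine)` call is only applied to this client-mode engine, while the `SSLSocket` and `SSLServerSocket` overloads introduced in SSLUtil have no caller anywhere in this diff; the diffstat is limited to this directory, so confirm the server-side accept path (and any SSLSocket-based client transport) also strips SSLv3, otherwise a peer can still negotiate SSLv3 against a broker that continues to offer it. Note also that this only trims the engine's enabled list after `createSSLEngine()`, so an `SSLContext` whose default protocols are already TLS-only is unaffected and one that only enables SSLv3 will, I believe, be left with an empty protocol list and fail the handshake rather than fall back — acceptable fail-closed behaviour, but worth a comment such as `// Strip SSLv3 from the negotiable set; if nothing else is enabled the handshake fails rather than downgrading.` The enclosing constructor starts before this hunk.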
diff --git a/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java b/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
index 487b0c485b..98229fd2a1 100644
--- a/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
+++ b/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
@@ -30,6 +30,8 @@ import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
import java.util.List;
import java.util.SortedSet;
import java.util.TreeSet;
@@ -39,6 +41,8 @@ import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLSocket;
import org.apache.qpid.transport.TransportException;
import org.apache.qpid.transport.util.Logger;
@@ -47,6 +51,7 @@ public class SSLUtil
{
private static final Logger log = Logger.get(SSLUtil.class);
private static final Integer DNS_NAME_TYPE = 2;
+ public static final String SSLV3_PROTOCOL = "SSLv3";
private SSLUtil()
{
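Review bot: The new public constant `SSLV3_PROTOCOL` has no Javadoc, and since it is public it becomes part of SSLUtil's API; a one-liner ties it to its purpose: `/** JSSE protocol name for SSL 3.0, stripped from the enabled set by the removeSSLv3Support overloads. */`. If it is only intended for internal use, making it `private` would be the smaller change.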
@@ -242,4 +247,38 @@ public class SSLUtil
}
return ks;
}
+
+ public static void removeSSLv3Support(final SSLEngine engine)
+ {
+ List<String> enabledProtocols = Arrays.asList(engine.getEnabledProtocols());
+ if(enabledProtocols.contains(SSLV3_PROTOCOL))
+ {
+ List<String> allowedProtocols = new ArrayList<>(enabledProtocols);
+ allowedProtocols.remove(SSLV3_PROTOCOL);
+ engine.setEnabledProtocols(allowedProtocols.toArray(new String[allowedProtocols.size()]));
+ }
+ }
+
+ public static void removeSSLv3Support(final SSLSocket socket)
+ {
+ List<String> enabledProtocols = Arrays.asList(socket.getEnabledProtocols());
+ if(enabledProtocols.contains(SSLV3_PROTOCOL))
+ {
+ List<String> allowedProtocols = new ArrayList<>(enabledProtocols);
+ allowedProtocols.remove(SSLV3_PROTOCOL);
+ socket.setEnabledProtocols(allowedProtocols.toArray(new String[allowedProtocols.size()]));
+ }
+ }
+
+
+ public static void removeSSLv3Support(final SSLServerSocket socket)
+ {
+ List<String> enabledProtocols = Arrays.asList(socket.getEnabledProtocols());
+ if(enabledProtocols.contains(SSLV3_PROTOCOL))
+ {
+ List<String> allowedProtocols = new ArrayList<>(enabledProtocols);
+ allowedProtocols.remove(SSLV3_PROTOCOL);
+ socket.setEnabledProtocols(allowedProtocols.toArray(new String[allowedProtocols.size()]));
+ }
+ }
}
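Review bot: The three `removeSSLv3Support` overloads repeat the same six lines of list-filtering verbatim, differing only in the receiver type, so any later adjustment (say, also dropping `SSLv2Hello`, or switching to an allow-list of TLS versions) has to be made three times. Factor the filtering into one private helper that returns the trimmed array, or `null` when SSLv3 was not present, and have each overload call `getEnabledProtocols()` / `setEnabledProtocols()` around it; each overload then shrinks to a four-line body. None of the new methods has Javadoc; each should state that it removes SSLv3 from the currently enabled protocols and leaves the receiver untouched when SSLv3 is not enabled — the motivation (presumably POODLE, given the commit date) belongs in a class-level or helper comment rather than repeated per overload. As a practitioner caveat, this is a deny-list: if the enabled set ever contains only SSLv3 the result is an empty list, which I expect to fail the handshake rather than silently keep SSLv3 — worth a note in the helper's Javadoc so the behaviour is intentional rather than incidental.
```java
/**
 * Returns {@code enabled} with {@link #SSLV3_PROTOCOL} removed, or {@code null}
 * when SSLv3 is not present so callers can skip the set call.
 * NOTE: if SSLv3 was the only enabled protocol the result is empty and the
 * handshake is expected to fail rather than fall back to SSLv3.
 */
private static String[] withoutSslv3(final String[] enabled)
{
    List<String> enabledProtocols = Arrays.asList(enabled);
    if(!enabledProtocols.contains(SSLV3_PROTOCOL))
    {
        return null;
    }
    List<String> allowedProtocols = new ArrayList<>(enabledProtocols);
    allowedProtocols.remove(SSLV3_PROTOCOL);
    return allowedProtocols.toArray(new String[allowedProtocols.size()]);
}

/** Removes SSLv3 from the engine's enabled protocols; no-op if it is not enabled. */
public static void removeSSLv3Support(final SSLEngine engine)
{
    String[] allowed = withoutSslv3(engine.getEnabledProtocols());
    if(allowed != null)
    {
        engine.setEnabledProtocols(allowed);
    }
}
// … unchanged in shape: the SSLSocket and SSLServerSocket overloads, each delegating to withoutSslv3 the same way …
```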