authorRobert Godfrey <rgodfrey@apache.org>2015-01-28 20:34:16 +0000
committerRobert Godfrey <rgodfrey@apache.org>2015-01-28 20:34:16 +0000
commit8aee348935e03db6b183a04a0a4525f4b2a9b7de (patch)
tree0f4ebb40c2acaa4e7d1459031db95ebc36090704 /qpid/java/broker-plugins
parentea88320c4b96064dea8ffb039a4ee63ae290b22d (diff)
downloadqpid-python-8aee348935e03db6b183a04a0a4525f4b2a9b7de.tar.gz
QPID-6345 : Allow enabled cipher suites to be configured
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1655457 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/java/broker-plugins')
-rw-r--r--qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java11
-rw-r--r--qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/JMXManagedObjectRegistry.java2
-rw-r--r--qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/QpidSslRMIServerSocketFactory.java13
3 files changed, 23 insertions, 3 deletions
diff --git a/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java
index 7b3e06f7fe..75f4e59242 100644
--- a/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java
+++ b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java
@@ -352,6 +352,17 @@ public class HttpManagement extends AbstractPluginAdapter<HttpManagement> implem
}
SslContextFactory factory = new SslContextFactory();
factory.addExcludeProtocols(SSLUtil.SSLV3_PROTOCOL);
+
+ if(port.getDisabledCipherSuites() != null)
+ {
+ factory.addExcludeCipherSuites(port.getDisabledCipherSuites().toArray(new String[port.getDisabledCipherSuites().size()]));
+ }
+
+ if(port.getEnabledCipherSuites() != null && !port.getEnabledCipherSuites().isEmpty())
+ {
+ factory.setIncludeCipherSuites(port.getEnabledCipherSuites().toArray(new String[port.getEnabledCipherSuites().size()]));
+ }
+
boolean needClientCert = port.getNeedClientAuth() || port.getWantClientAuth();
if (needClientCert && trustStores.isEmpty())
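Review bot: Neither added block checks that the configured names are cipher suites this JVM supports. As far as I know, Jetty's SslContextFactory silently ignores unknown include names and applies excludes after includes. A misspelled entry in `port.getEnabledCipherSuites()` can therefore leave the management port with fewer suites than intended, or none, and that only shows up as handshake failures. I would compare the names against `SSLContext.getSupportedSSLParameters().getCipherSuites()` and log or reject unknown ones, and add a comment such as `// excluded suites win over included ones`. Reading each getter once into a local would also shorten the `toArray` lines; the enclosing method starts and ends outside this hunk.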
diff --git a/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/JMXManagedObjectRegistry.java b/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/JMXManagedObjectRegistry.java
index 78eba66158..8fc1ea1d8e 100644
--- a/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/JMXManagedObjectRegistry.java
+++ b/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/JMXManagedObjectRegistry.java
@@ -146,7 +146,7 @@ public class JMXManagedObjectRegistry implements ManagedObjectRegistry
//create the SSL RMI socket factories
csf = new SslRMIClientSocketFactory();
- ssf = new QpidSslRMIServerSocketFactory(sslContext);
+ ssf = new QpidSslRMIServerSocketFactory(sslContext,_connectorPort.getEnabledCipherSuites(), _connectorPort.getDisabledCipherSuites());
}
else
{
diff --git a/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/QpidSslRMIServerSocketFactory.java b/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/QpidSslRMIServerSocketFactory.java
index 5c15a40427..8af9d87672 100644
--- a/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/QpidSslRMIServerSocketFactory.java
+++ b/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/QpidSslRMIServerSocketFactory.java
@@ -24,6 +24,7 @@ import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
+import java.util.Collection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
@@ -35,6 +36,8 @@ import org.apache.qpid.transport.network.security.ssl.SSLUtil;
public class QpidSslRMIServerSocketFactory extends SslRMIServerSocketFactory
{
private final SSLContext _sslContext;
+ private final Collection<String> _enabledCipherSuites;
+ private final Collection<String> _disabledCipherSuites;
/**
* SslRMIServerSocketFactory which creates the ServerSocket using the
@@ -43,9 +46,12 @@ public class QpidSslRMIServerSocketFactory extends SslRMIServerSocketFactory
* key store.
*
* @param sslContext previously created sslContext using the desired key store.
- * @throws NullPointerException if the provided {@link SSLContext} is null.
+ * @param enabledCipherSuites
+ *@param disabledCipherSuites @throws NullPointerException if the provided {@link SSLContext} is null.
*/
- public QpidSslRMIServerSocketFactory(SSLContext sslContext) throws NullPointerException
+ public QpidSslRMIServerSocketFactory(SSLContext sslContext,
+ final Collection<String> enabledCipherSuites,
+ final Collection<String> disabledCipherSuites) throws NullPointerException
{
super();
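Review bot: The updated Javadoc loses the `@throws` tag, because `*@param disabledCipherSuites @throws NullPointerException ...` folds it into the description of `disabledCipherSuites`, and `@param enabledCipherSuites` has no description at all. I would write `@param enabledCipherSuites cipher suite names to enable on accepted sockets` and `@param disabledCipherSuites cipher suite names to remove from the enabled set`, then put `@throws NullPointerException if the provided {@link SSLContext} is null.` back on its own line. What null or an empty collection means for either parameter depends on SSLUtil.updateEnabledCipherSuites, which is not part of this diff, and should be stated here once confirmed. The constructor body continues outside the hunk.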
@@ -55,6 +61,8 @@ public class QpidSslRMIServerSocketFactory extends SslRMIServerSocketFactory
}
_sslContext = sslContext;
+ _enabledCipherSuites = enabledCipherSuites;
+ _disabledCipherSuites = disabledCipherSuites;
//TODO: settings + implementation for SSL client auth, updating equals and hashCode appropriately.
}
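Review bot: The two new fields change which sockets this factory produces, but the diff touches neither `equals` nor `hashCode`, which the TODO in this hunk implies the class overrides. If those methods compare only `_sslContext` (they are outside the visible hunks, so this is inferred), two factories with different cipher-suite settings compare equal, and RMI may treat them as interchangeable when it decides whether to reuse a listening endpoint. Both collections should take part in `equals` and `hashCode`. Consider also storing copies rather than the caller's collections, e.g. `_enabledCipherSuites = enabledCipherSuites == null ? null : new ArrayList<String>(enabledCipherSuites);`, so a later change to the port's collection cannot alter a factory that is already serving connections.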
@@ -77,6 +85,7 @@ public class QpidSslRMIServerSocketFactory extends SslRMIServerSocketFactory
true);
sslSocket.setUseClientMode(false);
SSLUtil.removeSSLv3Support(sslSocket);
+ SSLUtil.updateEnabledCipherSuites(sslSocket, _enabledCipherSuites, _disabledCipherSuites);
return sslSocket;
}
};