Diffstat (limited to 'java/common/src/main/java')
-rw-r--r--java/common/src/main/java/org/apache/qpid/configuration/ClientProperties.java12
-rw-r--r--java/common/src/main/java/org/apache/qpid/transport/network/IncomingNetworkTransport.java8
-rw-r--r--java/common/src/main/java/org/apache/qpid/transport/network/io/IoNetworkTransport.java33
-rw-r--r--java/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java10
-rw-r--r--java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java39
5 files changed, 87 insertions, 15 deletions
diff --git a/java/common/src/main/java/org/apache/qpid/configuration/ClientProperties.java b/java/common/src/main/java/org/apache/qpid/configuration/ClientProperties.java
index b29e77f14d..86f5ddeeed 100644
--- a/java/common/src/main/java/org/apache/qpid/configuration/ClientProperties.java
+++ b/java/common/src/main/java/org/apache/qpid/configuration/ClientProperties.java
@@ -134,6 +134,18 @@ public class ClientProperties
public static final int DEFAULT_SYNC_OPERATION_TIMEOUT = 60000;
/**
+ * System properties to change the default timeout used whilst closing connections
+ * and underlying sessions.
+ */
+ public static final String QPID_CLOSE_TIMEOUT = "qpid.close_timeout";
+
+ /**
+ * A default timeout value for close operations
+ */
+ public static final int DEFAULT_CLOSE_TIMEOUT = 2000;
+
+
+ /**
* System properties to change the default value used for TCP_NODELAY
*/
public static final String QPID_TCP_NODELAY_PROP_NAME = "qpid.tcp_nodelay";
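Review bot: The Javadoc on `DEFAULT_CLOSE_TIMEOUT` does not state the unit; judging by `DEFAULT_SYNC_OPERATION_TIMEOUT = 60000` just above it, 2000 is presumably milliseconds, but that should be confirmed and written down, e.g. `* Default timeout, in milliseconds, for close operations (see {@link #QPID_CLOSE_TIMEOUT}).` The Javadoc on `QPID_CLOSE_TIMEOUT` could likewise name the default it overrides. There are also two consecutive blank lines after the new constant, where the rest of the file uses one.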
diff --git a/java/common/src/main/java/org/apache/qpid/transport/network/IncomingNetworkTransport.java b/java/common/src/main/java/org/apache/qpid/transport/network/IncomingNetworkTransport.java
index 8437ef1a94..e0cd9cac1a 100644
--- a/java/common/src/main/java/org/apache/qpid/transport/network/IncomingNetworkTransport.java
+++ b/java/common/src/main/java/org/apache/qpid/transport/network/IncomingNetworkTransport.java
@@ -20,14 +20,16 @@
*/
package org.apache.qpid.transport.network;
+import javax.net.ssl.SSLContext;
+
import org.apache.qpid.protocol.ProtocolEngineFactory;
import org.apache.qpid.transport.NetworkTransportConfiguration;
-import javax.net.ssl.SSLContext;
-
public interface IncomingNetworkTransport extends NetworkTransport
{
public void accept(NetworkTransportConfiguration config,
ProtocolEngineFactory factory,
SSLContext sslContext);
-} \ No newline at end of file
+
+ public int getAcceptingPort();
+}
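Review bot: `getAcceptingPort()` is added to the interface without Javadoc, and its contract for a transport that is not accepting is only visible in the `IoNetworkTransport` implementation in this commit, which returns -1. Document that on the interface, e.g. `/** Returns the local port this transport is accepting on, or -1 if it is not currently accepting. */`, so other implementers return the same sentinel. The redundant `public` modifier matches the existing `accept` declaration, so it is consistent with the file's style.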
diff --git a/java/common/src/main/java/org/apache/qpid/transport/network/io/IoNetworkTransport.java b/java/common/src/main/java/org/apache/qpid/transport/network/io/IoNetworkTransport.java
index 4ccb88bbf8..068e19fbc4 100644
--- a/java/common/src/main/java/org/apache/qpid/transport/network/io/IoNetworkTransport.java
+++ b/java/common/src/main/java/org/apache/qpid/transport/network/io/IoNetworkTransport.java
@@ -27,12 +27,12 @@ import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketException;
import java.nio.ByteBuffer;
-import java.security.Principal;
+
import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
-import javax.net.ssl.SSLSocket;
+
+import org.slf4j.LoggerFactory;
import org.apache.qpid.configuration.CommonProperties;
import org.apache.qpid.protocol.ProtocolEngine;
@@ -41,9 +41,11 @@ import org.apache.qpid.transport.ConnectionSettings;
import org.apache.qpid.transport.NetworkTransportConfiguration;
import org.apache.qpid.transport.Receiver;
import org.apache.qpid.transport.TransportException;
-import org.apache.qpid.transport.network.*;
-
-import org.slf4j.LoggerFactory;
+import org.apache.qpid.transport.network.IncomingNetworkTransport;
+import org.apache.qpid.transport.network.NetworkConnection;
+import org.apache.qpid.transport.network.OutgoingNetworkTransport;
+import org.apache.qpid.transport.network.TransportActivity;
+import org.apache.qpid.transport.network.security.ssl.SSLUtil;
public class IoNetworkTransport implements OutgoingNetworkTransport, IncomingNetworkTransport
{
@@ -150,6 +152,11 @@ public class IoNetworkTransport implements OutgoingNetworkTransport, IncomingNet
}
}
+ public int getAcceptingPort()
+ {
+ return _acceptor == null ? -1 : _acceptor.getPort();
+ }
+
private class AcceptingThread extends Thread
{
private volatile boolean _closed = false;
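Review bot: `getAcceptingPort()` implements the new interface method but lacks `@Override`, unlike `run()` further down in the same file; add `@Override` above `public int getAcceptingPort()` so a later signature change in the interface fails to compile instead of silently leaving a stale method. The -1 sentinel coincides with what the private `getPort()` added in the hunk at `@@ -215,6 +227,11 @@` yields, since `ServerSocket.getLocalPort()` returns -1 for a socket that is not yet bound; a one-line comment such as `// -1: no acceptor, or its server socket is not bound yet` would cover both cases. Whether `_acceptor` is read safely from a thread other than the one assigning it cannot be told from the hunk; if the field is not volatile, a concurrent caller may observe a stale null.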
@@ -179,14 +186,19 @@ public class IoNetworkTransport implements OutgoingNetworkTransport, IncomingNet
SSLServerSocketFactory socketFactory = _sslContext.getServerSocketFactory();
_serverSocket = socketFactory.createServerSocket();
+ SSLServerSocket sslServerSocket = (SSLServerSocket) _serverSocket;
+
+ SSLUtil.removeSSLv3Support(sslServerSocket);
+
if(config.needClientAuth())
{
- ((SSLServerSocket)_serverSocket).setNeedClientAuth(true);
+ sslServerSocket.setNeedClientAuth(true);
}
else if(config.wantClientAuth())
{
- ((SSLServerSocket)_serverSocket).setWantClientAuth(true);
+ sslServerSocket.setWantClientAuth(true);
}
+
}
_serverSocket.setReuseAddress(true);
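Review bot: The SSLv3 removal on `sslServerSocket` happens before the socket is bound and only takes effect on connections accepted later, which is the intended mechanism but not obvious from the code; a comment such as `// accepted SSLSockets inherit this protocol set (SSLServerSocket#setEnabledProtocols)` would make the intent clear to the next reader. The added blank line just before the closing brace of the SSL branch is stray whitespace. The enclosing constructor starts and ends outside the hunk.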
@@ -215,6 +227,11 @@ public class IoNetworkTransport implements OutgoingNetworkTransport, IncomingNet
}
}
+ private int getPort()
+ {
+ return _serverSocket.getLocalPort();
+ }
+
@Override
public void run()
{
diff --git a/java/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java b/java/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java
index bfd1ae8181..2a2f3d8362 100644
--- a/java/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java
+++ b/java/common/src/main/java/org/apache/qpid/transport/network/security/SecurityLayerFactory.java
@@ -20,6 +20,11 @@
*/
package org.apache.qpid.transport.network.security;
+import java.nio.ByteBuffer;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+
import org.apache.qpid.ssl.SSLContextFactory;
import org.apache.qpid.transport.ConnectionSettings;
import org.apache.qpid.transport.Receiver;
@@ -31,10 +36,6 @@ import org.apache.qpid.transport.network.security.ssl.SSLReceiver;
import org.apache.qpid.transport.network.security.ssl.SSLSender;
import org.apache.qpid.transport.network.security.ssl.SSLUtil;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLEngine;
-import java.nio.ByteBuffer;
-
public class SecurityLayerFactory
{
private SecurityLayerFactory()
@@ -100,6 +101,7 @@ public class SecurityLayerFactory
{
_engine = sslCtx.createSSLEngine();
_engine.setUseClientMode(true);
+ SSLUtil.removeSSLv3Support(_engine);
}
catch(Exception e)
{
diff --git a/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java b/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
index 487b0c485b..98229fd2a1 100644
--- a/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
+++ b/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java
@@ -30,6 +30,8 @@ import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
import java.util.List;
import java.util.SortedSet;
import java.util.TreeSet;
@@ -39,6 +41,8 @@ import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLSocket;
import org.apache.qpid.transport.TransportException;
import org.apache.qpid.transport.util.Logger;
@@ -47,6 +51,7 @@ public class SSLUtil
{
private static final Logger log = Logger.get(SSLUtil.class);
private static final Integer DNS_NAME_TYPE = 2;
+ public static final String SSLV3_PROTOCOL = "SSLv3";
private SSLUtil()
{
@@ -242,4 +247,38 @@ public class SSLUtil
}
return ks;
}
+
+ public static void removeSSLv3Support(final SSLEngine engine)
+ {
+ List<String> enabledProtocols = Arrays.asList(engine.getEnabledProtocols());
+ if(enabledProtocols.contains(SSLV3_PROTOCOL))
+ {
+ List<String> allowedProtocols = new ArrayList<>(enabledProtocols);
+ allowedProtocols.remove(SSLV3_PROTOCOL);
+ engine.setEnabledProtocols(allowedProtocols.toArray(new String[allowedProtocols.size()]));
+ }
+ }
+
+ public static void removeSSLv3Support(final SSLSocket socket)
+ {
+ List<String> enabledProtocols = Arrays.asList(socket.getEnabledProtocols());
+ if(enabledProtocols.contains(SSLV3_PROTOCOL))
+ {
+ List<String> allowedProtocols = new ArrayList<>(enabledProtocols);
+ allowedProtocols.remove(SSLV3_PROTOCOL);
+ socket.setEnabledProtocols(allowedProtocols.toArray(new String[allowedProtocols.size()]));
+ }
+ }
+
+
+ public static void removeSSLv3Support(final SSLServerSocket socket)
+ {
+ List<String> enabledProtocols = Arrays.asList(socket.getEnabledProtocols());
+ if(enabledProtocols.contains(SSLV3_PROTOCOL))
+ {
+ List<String> allowedProtocols = new ArrayList<>(enabledProtocols);
+ allowedProtocols.remove(SSLV3_PROTOCOL);
+ socket.setEnabledProtocols(allowedProtocols.toArray(new String[allowedProtocols.size()]));
+ }
+ }
}
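Review bot: The three `removeSSLv3Support` overloads repeat the same filtering of the enabled-protocol array; only the getter and setter differ, and none of them carries Javadoc explaining why SSLv3 is stripped. Extracting the filter into a private helper that takes and returns `String[]` removes the duplication and gives one place to document the intent; the setter is then called unconditionally, which is harmless when the array is unchanged. If SSLv3 were the only enabled protocol, the result is an empty enabled set and every handshake will then fail; I take that to be deliberate fail-closed behaviour, but it deserves a comment. No caller of the `SSLSocket` overload appears in this diff; if an outgoing client-side `SSLSocket` is created elsewhere, it presumably needs the same call.
```java
    /** Disables SSLv3 on the engine; sessions negotiated afterwards cannot use it. */
    public static void removeSSLv3Support(final SSLEngine engine)
    {
        engine.setEnabledProtocols(withoutSSLv3(engine.getEnabledProtocols()));
    }

    // … same one-line delegation for the SSLSocket and SSLServerSocket overloads …

    /**
     * Returns {@code enabledProtocols} without {@link #SSLV3_PROTOCOL}, order preserved.
     * An input that does not contain SSLv3 is returned as-is. Removing the only
     * enabled protocol yields an empty array, which is intentional: fail closed.
     */
    private static String[] withoutSSLv3(final String[] enabledProtocols)
    {
        List<String> allowed = new ArrayList<>(Arrays.asList(enabledProtocols));
        if(!allowed.remove(SSLV3_PROTOCOL))
        {
            return enabledProtocols;
        }
        return allowed.toArray(new String[allowed.size()]);
    }
```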