luehe 2003/08/11 14:46:41
Modified: util/java/org/apache/tomcat/util/net/jsse JSSE14SocketFactory.java JSSESocketFactory.java
Log:
- Added support for specifying comma-separated list of SSL protocol variants to be enabled
This may be useful to disable the less secure SSLv2.
- Fixed bug where if none of the requested ciphers were actually supported, no error was reported
Revision Changes Path
1.9 +5 -1 jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14SocketFactory.java
Index: JSSE14SocketFactory.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14SocketFactory.java,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- JSSE14SocketFactory.java 11 Aug 2003 18:12:29 -0000 1.8
+++ JSSE14SocketFactory.java 11 Aug 2003 21:46:41 -0000 1.9
@@ -133,7 +133,11 @@
 sslProxy = context.getServerSocketFactory();
 // Determine which cipher suites to enable
- enabledCiphers = getEnabledCiphers(sslProxy.getSupportedCipherSuites());
+ String requestedCiphers = (String)attributes.get("ciphers");
+ if (requestedCiphers != null) {
+ enabledCiphers = getEnabledCiphers(requestedCiphers,
+ sslProxy.getSupportedCipherSuites());
+ }
 } catch(Exception e) {
 if( e instanceof IOException )
1.5 +75 -15 jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Index: JSSESocketFactory.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- JSSESocketFactory.java 18 Jul 2003 05:26:45 -0000 1.4
+++ JSSESocketFactory.java 11 Aug 2003 21:46:41 -0000 1.5
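Review bot: When none of the requested suites are supported, `getEnabledCiphers` returns null (per the javadoc this commit gives it) and this hunk stores that null in `enabledCiphers` without logging or throwing, so the "no error was reported" item in the log is only fixed indirectly: the null travels to `socket.setEnabledCipherSuites(enabledCiphers)` in JSSESocketFactory.initServerSocket (the -288 hunk), where the SSLServerSocket API rejects it with an IllegalArgumentException whose message does not name the `ciphers` attribute, and `setEnabledProtocols` in that hunk is fed the result of `getEnabledProtocols` the same way. The surrounding `catch(Exception e)` with `if( e instanceof IOException )` suggests an IOException thrown here would be propagated, so an explicit check gives the operator a message they can act on: `if (enabledCiphers == null) throw new IOException("None of the requested cipher suites is supported: " + requestedCiphers);`. Entries that are merely misspelled are dropped without any trace when at least one other entry matches, so logging the rejected names would also help. The enclosing method begins and ends outside this hunk.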
@@ -155,25 +155,28 @@
 public void handshake(Socket sock) throws IOException {
 ((SSLSocket)sock).startHandshake();
 }
-
+
 /*
 * Determines the SSL cipher suites to be enabled.
 *
- * @return Array of SSL cipher suites to be enabled, or null if the
- * cipherSuites property was not specified (meaning that all supported
- * cipher suites are to be enabled)
+ * @param requestedCiphers Comma-separated list of requested ciphers
+ * @param supportedCiphers Array of supported ciphers
+ *
+ * @return Array of SSL cipher suites to be enabled, or null if none of the
+ * requested ciphers are supported
 */
- protected String[] getEnabledCiphers(String[] supportedCiphers) {
+ protected String[] getEnabledCiphers(String requestedCiphers,
+ String[] supportedCiphers) {
 String[] enabledCiphers = null;
- String attrValue = (String)attributes.get("ciphers");
- if (attrValue != null) {
+ if (requestedCiphers != null) {
 Vector vec = null;
 int fromIndex = 0;
- int index = attrValue.indexOf(',', fromIndex);
+ int index = requestedCiphers.indexOf(',', fromIndex);
 while (index != -1) {
- String cipher = attrValue.substring(fromIndex, index).trim();
+ String cipher
+ = requestedCiphers.substring(fromIndex, index).trim();
 /*
 * Check to see if the requested cipher is among the supported
 * ciphers, i.e., may be enabled
@@ -189,7 +192,7 @@
 }
 }
 fromIndex = index+1;
- index = attrValue.indexOf(',', fromIndex);
+ index = requestedCiphers.indexOf(',', fromIndex);
 }
 if (vec != null) {
@@ -200,7 +203,7 @@
 return enabledCiphers;
 }
-
+
 /*
 * Gets the SSL server's keystore password.
 */
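Review bot: The parsing loop in `getEnabledCiphers` only looks at text that precedes a comma — `int index = requestedCiphers.indexOf(',', fromIndex);` followed by `while (index != -1)` — so the final entry of the list is never compared against `supportedCiphers`, and a `ciphers` value naming a single suite with no comma matches nothing and leaves `enabledCiphers` null. The -189 hunk shows the loop exit followed directly by `if (vec != null)`, with no handling of the trailing segment, and `getEnabledProtocols` in the -288 hunk repeats the identical loop, where `protocols="SSLv3,TLSv1"` would enable only SSLv3 and `protocols="TLSv1"` would enable nothing, the opposite of what the log entry intends. Iterating with `java.util.StringTokenizer` (an import the file would need) visits every entry including the last; the lookup against `supportedCiphers` and the copy of `vec` into `enabledCiphers` stay as they are. The body of `getEnabledCiphers` continues past the end of this hunk.
```java
    protected String[] getEnabledCiphers(String requestedCiphers,
                                         String[] supportedCiphers) {
        String[] enabledCiphers = null;
        if (requestedCiphers != null) {
            Vector vec = null;
            // A tokenizer yields the last entry too; the indexOf(',')
            // loop stopped one entry short and missed a lone value entirely.
            StringTokenizer entries = new StringTokenizer(requestedCiphers, ",");
            while (entries.hasMoreTokens()) {
                String cipher = entries.nextToken().trim();
                // … unchanged: look cipher up in supportedCiphers, add to vec …
            }
            // … unchanged: copy vec into enabledCiphers …
        }
        return enabledCiphers;
    }
```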
@@ -288,15 +291,72 @@
 */
 abstract void init() throws IOException ;
+ /*
+ * Determines the SSL protocol variants to be enabled.
+ *
+ * @param requestedProtocols Comma-separated list of requested SSL
+ * protocol variants
+ * @param supportedProtocols Array of supported SSL protocol variants
+ *
+ * @return Array of SSL protocol variants to be enabled, or null if none of
+ * the requested protocol variants are supported
+ */
+ private String[] getEnabledProtocols(String requestedProtocols,
+ String[] supportedProtocols) {
+
+ String[] enabledProtocols = null;
+
+ if (requestedProtocols != null) {
+ Vector vec = null;
+ int fromIndex = 0;
+ int index = requestedProtocols.indexOf(',', fromIndex);
+ while (index != -1) {
+ String protocol
+ = requestedProtocols.substring(fromIndex, index).trim();
+ /*
+ * Check to see if the requested protocol is among the
+ * supported protocols, i.e., may be enabled
+ */
+ for (int i=0; supportedProtocols != null
+ && i<supportedProtocols.length; i++) {
+ if (supportedProtocols[i].equals(protocol)) {
+ if (vec == null) {
+ vec = new Vector();
+ }
+ vec.addElement(protocol);
+ break;
+ }
+ }
+ fromIndex = index+1;
+ index = requestedProtocols.indexOf(',', fromIndex);
+ }
+
+ if (vec != null) {
+ enabledProtocols = new String[vec.size()];
+ vec.copyInto(enabledProtocols);
+ }
+ }
+
+ return enabledProtocols;
+ }
+
 /**
- * Sets the SSL server socket properties (such as enabled cipher suites,
- * etc.)
+ * Configures the given SSL server socket with the requested cipher suites,
+ * protocol versions, and need for client authentication
 */
 private void initServerSocket(ServerSocket ssocket) {
- SSLServerSocket socket=(SSLServerSocket)ssocket;
- if (enabledCiphers != null) {
+ SSLServerSocket socket = (SSLServerSocket) ssocket;
+
+ if (attributes.get("ciphers") != null) {
 socket.setEnabledCipherSuites(enabledCiphers);
+ }
+
+ String requestedProtocols = (String) attributes.get("protocols");
+ if (requestedProtocols != null) {
+ socket.setEnabledProtocols(getEnabledProtocols(
+ requestedProtocols,
+ socket.getSupportedProtocols()));
 }
 // we don't know if client auth is needed -
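Review bot: `getEnabledProtocols` is a line-for-line copy of `getEnabledCiphers` from the -155 hunk with the identifiers renamed, so any later correction to the list parsing has to be made in two places; one private helper such as `getEnabledEntries(String requested, String[] supported)` holding the current body would serve both, with this method reduced to `return getEnabledEntries(requestedProtocols, supportedProtocols);` and `getEnabledCiphers` delegating the same way. In `initServerSocket` the guard changes from `enabledCiphers != null` to `attributes.get("ciphers") != null`, which ties this method to the lookup of the same attribute in the -133 hunk of JSSE14SocketFactory.java; a comment such as `// "ciphers" was set, so enabledCiphers is the filtered list (null if none were supported)` would record why the guard reads the attribute rather than the field. Unlike the cipher list, which is filtered once where the field is assigned, the protocol list is re-parsed on every call to `initServerSocket`; if that is per server socket rather than per accepted connection it is harmless, but the asymmetry is worth a comment.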