
(-)java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (-13 / +7 lines)
Lines 45-50 Link Here
45
import java.util.Collection;
45
import java.util.Collection;
46
import java.util.HashSet;
46
import java.util.HashSet;
47
import java.util.List;
47
import java.util.List;
48
import java.util.Locale;
48
import java.util.Set;
49
import java.util.Set;
49
50
50
import javax.net.ssl.CertPathTrustManagerParameters;
51
import javax.net.ssl.CertPathTrustManagerParameters;
Lines 174-188 Link Here
174
175
175
        // Filter out all the SSL protocols (SSLv2 and SSLv3) from the defaults
176
        // Filter out all the SSL protocols (SSLv2 and SSLv3) from the defaults
176
        // since they are no longer considered secure
177
        // since they are no longer considered secure
177
        List<String> filteredProtocols = new ArrayList<String>();
178
        defaultServerProtocols = filterInsecureProtocols(socket.getEnabledProtocols());
178
        for (String protocol : socket.getEnabledProtocols()) {
179
179
            if (protocol.contains("SSL")) {
180
                log.debug(sm.getString("jsse.excludeDefaultProtocol", protocol));
181
                continue;
182
            }
183
            filteredProtocols.add(protocol);
184
        }
185
        defaultServerProtocols = filteredProtocols.toArray(new String[filteredProtocols.size()]);
186
        if (defaultServerProtocols.length == 0) {
180
        if (defaultServerProtocols.length == 0) {
187
            log.warn(sm.getString("jsse.noDefaultProtocols"));
181
            log.warn(sm.getString("jsse.noDefaultProtocols"));
188
        }
182
        }
Lines 482-488 Link Here
482
            // Certificate encoding algorithm (e.g., SunX509)
476
            // Certificate encoding algorithm (e.g., SunX509)
483
            String algorithm = (String) attributes.get("algorithm");
477
            String algorithm = (String) attributes.get("algorithm");
484
            if (algorithm == null) {
478
            if (algorithm == null) {
485
                algorithm = KeyManagerFactory.getDefaultAlgorithm();;
479
                algorithm = KeyManagerFactory.getDefaultAlgorithm();
486
            }
480
            }
487
481
488
            String keystoreType = (String) attributes.get("keystoreType");
482
            String keystoreType = (String) attributes.get("keystoreType");
Lines 663-669 Link Here
663
        if("PKIX".equalsIgnoreCase(algorithm)) {
657
        if("PKIX".equalsIgnoreCase(algorithm)) {
664
            PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore,
658
            PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore,
665
                                                                     new X509CertSelector());
659
                                                                     new X509CertSelector());
666
            Collection crls = getCRLs(crlf);
660
            Collection<? extends CRL> crls = getCRLs(crlf);
667
            CertStoreParameters csp = new CollectionCertStoreParameters(crls);
661
            CertStoreParameters csp = new CollectionCertStoreParameters(crls);
668
            CertStore store = CertStore.getInstance("Collection", csp);
662
            CertStore store = CertStore.getInstance("Collection", csp);
669
            xparams.addCertStore(store);
663
            xparams.addCertStore(store);
Lines 856-862 Link Here
856
    }
850
    }
857
851
858
852
859
    public static String[] filterInsecureProcotols(String[] protocols) {
853
    public static String[] filterInsecureProtocols(String[] protocols) {
860
        if (protocols == null) {
854
        if (protocols == null) {
861
            return null;
855
            return null;
862
        }
856
        }
Lines 863-869 Link Here
863
857
864
        List<String> result = new ArrayList<String>(protocols.length);
858
        List<String> result = new ArrayList<String>(protocols.length);
865
        for (String protocol : protocols) {
859
        for (String protocol : protocols) {
866
            if (protocol == null || protocol.contains("SSL")) {
860
            if (protocol == null || protocol.toUpperCase(Locale.ENGLISH).contains("SSL")) {
867
                log.debug(sm.getString("jsse.excludeDefaultProtocol", protocol));
861
                log.debug(sm.getString("jsse.excludeDefaultProtocol", protocol));
868
            } else {
862
            } else {
869
                result.add(protocol);
863
                result.add(protocol);
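Review bot: The filter in the "Lines 863-869" hunk, `protocol.toUpperCase(Locale.ENGLISH).contains("SSL")`, drops every enabled protocol whose name contains "SSL" in any case, which is broader than the "SSLv2 and SSLv3" wording of the comment kept in the "Lines 174-188" hunk (a JSSE pseudo-protocol name such as SSLv2Hello would presumably be removed too, if it were ever in the enabled set), and the public `filterInsecureProtocols` method carries no Javadoc stating that contract or its null-in/null-out behaviour. The first hunk now dereferences the result directly (`defaultServerProtocols.length`), which is fine for `SSLSocket.getEnabledProtocols()` but makes the undocumented null return a trap for any other caller. I would add a Javadoc above the signature along the lines of `/** Returns the given protocol names minus every entry whose name contains "SSL" (compared case-insensitively, so SSLv2/SSLv3 variants are excluded); null entries are skipped and a null array yields null. */`, and align the comment in the 174-188 hunk with the actual rule, e.g. `// Filter out every protocol whose name contains "SSL" (SSLv2, SSLv3, ...) from the defaults`. The body of filterInsecureProtocols continues past the end of the hunk.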
(-)java/org/apache/tomcat/util/net/NioEndpoint.java (-1 / +1 lines)
Lines 1144-1150 Link Here
1144
            engine.setEnabledProtocols(sslEnabledProtocolsarr);
1144
            engine.setEnabledProtocols(sslEnabledProtocolsarr);
1145
        } else {
1145
        } else {
1146
            // Filter out the insecure protocols from the defaults
1146
            // Filter out the insecure protocols from the defaults
1147
            engine.setEnabledProtocols(JSSESocketFactory.filterInsecureProcotols(
1147
            engine.setEnabledProtocols(JSSESocketFactory.filterInsecureProtocols(
1148
                    engine.getEnabledProtocols()));
1148
                    engine.getEnabledProtocols()));
1149
        }
1149
        }
1150
1150
(-)webapps/docs/changelog.xml (+9 lines)
Lines 51-56 Link Here
51
      </fix>
51
      </fix>
52
    </changelog>
52
    </changelog>
53
  </subsection>
53
  </subsection>
54
  <subsection name="Coyote">
55
    <changelog>
56
      <fix>
57
        <bug>57234</bug>: Make SSL protocol filtering to remove insecure
58
        protocols case insensitive. Correct spelling of
59
        filterInsecureProtocols method. (kkolinko/schultz)
60
      </fix>
61
    </changelog>
62
  </subsection>
54
  <subsection name="Web applications">
63
  <subsection name="Web applications">
55
    <changelog>
64
    <changelog>
56
      <fix>
65
      <fix>
