Esempio n. 1
0
  public void startTLS(boolean clientMode, String remoteServer, ClientAuth authentication)
      throws Exception {
    boolean c2s = (remoteServer == null);
    KeyStore ksKeys = SSLConfig.getKeyStore();
    String keypass = SSLConfig.getKeyPassword();

    KeyStore ksTrust = (c2s ? SSLConfig.getc2sTrustStore() : SSLConfig.gets2sTrustStore());
    String trustpass = (c2s ? SSLConfig.getc2sTrustPassword() : SSLConfig.gets2sTrustPassword());
    if (c2s) Log.debug("NIOConnection: startTLS: using c2s");
    else Log.debug("NIOConnection: startTLS: using s2s");
    // KeyManager's decide which key material to use.
    KeyManager[] km = SSLJiveKeyManagerFactory.getKeyManagers(ksKeys, keypass);

    // TrustManager's decide whether to allow connections.
    TrustManager[] tm = SSLJiveTrustManagerFactory.getTrustManagers(ksTrust, trustpass);

    if (clientMode || authentication == ClientAuth.needed || authentication == ClientAuth.wanted) {
      // We might need to verify a certificate from our peer, so get different TrustManager[]'s
      if (c2s) {
        // Check if we can trust certificates presented by the client
        tm = new TrustManager[] {new ClientTrustManager(ksTrust)};
      } else {
        // Check if we can trust certificates presented by the server
        tm = new TrustManager[] {new ServerTrustManager(remoteServer, ksTrust, this)};
      }
    }

    String algorithm = JiveGlobals.getProperty(ConnectionSettings.Client.TLS_ALGORITHM, "TLS");
    SSLContext tlsContext = SSLContext.getInstance(algorithm);

    tlsContext.init(km, tm, null);

    SslFilter filter = new SslFilter(tlsContext);
    filter.setUseClientMode(clientMode);
    // Disable SSLv3 due to POODLE vulnerability.
    filter.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"});
    if (authentication == ClientAuth.needed) {
      filter.setNeedClientAuth(true);
    } else if (authentication == ClientAuth.wanted) {
      // Just indicate that we would like to authenticate the client but if client
      // certificates are self-signed or have no certificate chain then we are still
      // good
      filter.setWantClientAuth(true);
    }
    ioSession.getFilterChain().addAfter(EXECUTOR_FILTER_NAME, TLS_FILTER_NAME, filter);
    ioSession.setAttribute(SslFilter.DISABLE_ENCRYPTION_ONCE, Boolean.TRUE);

    if (!clientMode) {
      // Indicate the client that the server is ready to negotiate TLS
      deliverRawText("<proceed xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\"/>");
    }
  }
  /** Starts the Jetty instance. */
  public void startup() {
    restartNeeded = false;

    // Add listener for certificate events
    certificateListener = new CertificateListener();
    CertificateManager.addListener(certificateListener);

    adminPort = JiveGlobals.getXMLProperty("adminConsole.port", 9090);
    adminSecurePort = JiveGlobals.getXMLProperty("adminConsole.securePort", 9091);
    adminServer = new Server();
    final QueuedThreadPool tp = new QueuedThreadPool(254);
    tp.setName("Jetty-QTP-AdminConsole");
    adminServer.setThreadPool(tp);

    // Do not send Jetty info in HTTP headers
    adminServer.setSendServerVersion(false);

    // Create connector for http traffic if it's enabled.
    if (adminPort > 0) {
      Connector httpConnector = new SelectChannelConnector();
      // Listen on a specific network interface if it has been set.
      String bindInterface = getBindInterface();
      httpConnector.setHost(bindInterface);
      httpConnector.setPort(adminPort);
      adminServer.addConnector(httpConnector);
    }

    // Create a connector for https traffic if it's enabled.
    sslEnabled = false;
    try {
      if (adminSecurePort > 0
          && CertificateManager.isRSACertificate(SSLConfig.getKeyStore(), "*")) {
        if (!CertificateManager.isRSACertificate(
            SSLConfig.getKeyStore(), XMPPServer.getInstance().getServerInfo().getXMPPDomain())) {
          Log.warn(
              "Admin console: Using RSA certificates but they are not valid for the hosted domain");
        }

        JiveSslConnector httpsConnector = new JiveSslConnector();
        String bindInterface = getBindInterface();
        httpsConnector.setHost(bindInterface);
        httpsConnector.setPort(adminSecurePort);

        httpsConnector.setTrustPassword(SSLConfig.gets2sTrustPassword());
        httpsConnector.setTruststoreType(SSLConfig.getStoreType());
        httpsConnector.setTruststore(SSLConfig.gets2sTruststoreLocation());
        httpsConnector.setNeedClientAuth(false);
        httpsConnector.setWantClientAuth(false);

        httpsConnector.setKeyPassword(SSLConfig.getKeyPassword());
        httpsConnector.setKeystoreType(SSLConfig.getStoreType());
        httpsConnector.setKeystore(SSLConfig.getKeystoreLocation());
        adminServer.addConnector(httpsConnector);

        sslEnabled = true;
      }
    } catch (Exception e) {
      Log.error(e.getMessage(), e);
    }

    // Make sure that at least one connector was registered.
    if (adminServer.getConnectors() == null || adminServer.getConnectors().length == 0) {
      adminServer = null;
      // Log warning.
      log(LocaleUtils.getLocalizedString("admin.console.warning"));
      return;
    }

    HandlerCollection collection = new HandlerCollection();
    adminServer.setHandler(collection);
    collection.setHandlers(new Handler[] {contexts, new DefaultHandler()});

    try {
      adminServer.start();
    } catch (Exception e) {
      Log.error("Could not start admin conosle server", e);
    }

    // Log the ports that the admin server is listening on.
    logAdminConsolePorts();
  }