/** {@inheritDoc} */ @Override public Collection<String> getEnabledSSLProtocols() { final SSLEngine engine = sslEngine; if (engine != null) { return Arrays.asList(engine.getEnabledProtocols()); } return super.getEnabledSSLProtocols(); }
private SSLEngineConfigurator createSSLEngineConfigurator(HTTPConnectionHandlerCfg config) throws DirectoryException { if (!config.isUseSSL()) { return null; } try { SSLContext sslContext = createSSLContext(config); SSLEngineConfigurator configurator = new SSLEngineConfigurator(sslContext); configurator.setClientMode(false); // configure with defaults from the JVM final SSLEngine defaults = sslContext.createSSLEngine(); configurator.setEnabledProtocols(defaults.getEnabledProtocols()); configurator.setEnabledCipherSuites(defaults.getEnabledCipherSuites()); final Set<String> protocols = config.getSSLProtocol(); if (!protocols.isEmpty()) { configurator.setEnabledProtocols(protocols.toArray(new String[protocols.size()])); } final Set<String> ciphers = config.getSSLCipherSuite(); if (!ciphers.isEmpty()) { configurator.setEnabledCipherSuites(ciphers.toArray(new String[ciphers.size()])); } switch (config.getSSLClientAuthPolicy()) { case DISABLED: configurator.setNeedClientAuth(false); configurator.setWantClientAuth(false); break; case REQUIRED: configurator.setNeedClientAuth(true); configurator.setWantClientAuth(true); break; case OPTIONAL: default: configurator.setNeedClientAuth(false); configurator.setWantClientAuth(true); break; } return configurator; } catch (Exception e) { logger.traceException(e); ResultCode resCode = DirectoryServer.getServerErrorResultCode(); throw new DirectoryException( resCode, ERR_CONNHANDLER_SSL_CANNOT_INITIALIZE.get(getExceptionMessage(e)), e); } }
public void testSecureSocketProtocolsFilter() throws Exception { SSLContext controlContext = SSLContext.getInstance("TLS"); controlContext.init(null, null, null); SSLEngine controlEngine = controlContext.createSSLEngine(); SSLSocket controlSocket = (SSLSocket) controlContext.getSocketFactory().createSocket(); SSLServerSocket controlServerSocket = (SSLServerSocket) controlContext.getServerSocketFactory().createServerSocket(); // default SSLContextParameters scp = new SSLContextParameters(); SSLContext context = scp.createSSLContext(); SSLEngine engine = context.createSSLEngine(); SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket(); SSLServerSocket serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols())); assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols())); checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols()); // empty filter FilterParameters filter = new FilterParameters(); scp.setSecureSocketProtocolsFilter(filter); context = scp.createSSLContext(); engine = context.createSSLEngine(); socket = (SSLSocket) context.getSocketFactory().createSocket(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertEquals(0, engine.getEnabledProtocols().length); assertEquals(0, socket.getEnabledProtocols().length); assertEquals(0, serverSocket.getEnabledProtocols().length); // explicit filter filter.getInclude().add(".*"); context = scp.createSSLContext(); engine = context.createSSLEngine(); socket = (SSLSocket) context.getSocketFactory().createSocket(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols())); assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols())); checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols()); // explicit filter with excludes (excludes overrides) filter.getExclude().add(".*"); context = scp.createSSLContext(); engine = context.createSSLEngine(); socket = (SSLSocket) context.getSocketFactory().createSocket(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertEquals(0, engine.getEnabledProtocols().length); assertEquals(0, socket.getEnabledProtocols().length); assertEquals(0, serverSocket.getEnabledProtocols().length); // explicit filter single include filter.getInclude().clear(); filter.getExclude().clear(); filter.getInclude().add("TLS.*"); context = scp.createSSLContext(); engine = context.createSSLEngine(); socket = (SSLSocket) context.getSocketFactory().createSocket(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); // not all platforms/JDKs have these cipher suites if (!isPlatform("aix")) { assertTrue(engine.getEnabledProtocols().length >= 1); assertStartsWith(engine.getEnabledProtocols(), "TLS"); assertTrue(socket.getEnabledProtocols().length >= 1); assertStartsWith(socket.getEnabledProtocols(), "TLS"); assertTrue(socket.getEnabledProtocols().length >= 1); assertStartsWith(serverSocket.getEnabledProtocols(), "TLS"); } }
public void testSecureSocketProtocols() throws Exception { SSLContext controlContext = SSLContext.getInstance("TLS"); controlContext.init(null, null, null); SSLEngine controlEngine = controlContext.createSSLEngine(); SSLSocket controlSocket = (SSLSocket) controlContext.getSocketFactory().createSocket(); SSLServerSocket controlServerSocket = (SSLServerSocket) controlContext.getServerSocketFactory().createServerSocket(); // default SSLContextParameters scp = new SSLContextParameters(); SSLContext context = scp.createSSLContext(); SSLEngine engine = context.createSSLEngine(); SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket(); SSLServerSocket serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols())); assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols())); checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols()); // empty sspp SecureSocketProtocolsParameters sspp = new SecureSocketProtocolsParameters(); scp.setSecureSocketProtocols(sspp); context = scp.createSSLContext(); engine = context.createSSLEngine(); socket = (SSLSocket) context.getSocketFactory().createSocket(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertEquals(0, engine.getEnabledProtocols().length); assertEquals(0, socket.getEnabledProtocols().length); assertEquals(0, serverSocket.getEnabledProtocols().length); // explicit sspp sspp.getSecureSocketProtocol().add("TLSv1"); context = scp.createSSLContext(); engine = context.createSSLEngine(); socket = (SSLSocket) context.getSocketFactory().createSocket(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertEquals(1, engine.getEnabledProtocols().length); assertEquals("TLSv1", engine.getEnabledProtocols()[0]); assertEquals(1, socket.getEnabledProtocols().length); assertEquals("TLSv1", socket.getEnabledProtocols()[0]); assertEquals(1, serverSocket.getEnabledProtocols().length); assertEquals("TLSv1", serverSocket.getEnabledProtocols()[0]); // explicit sspp overrides filter FilterParameters filter = new FilterParameters(); filter.getInclude().add(".*"); scp.setSecureSocketProtocolsFilter(filter); context = scp.createSSLContext(); engine = context.createSSLEngine(); socket = (SSLSocket) context.getSocketFactory().createSocket(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); // not all platforms/JDKs have these cipher suites if (!isPlatform("aix")) { assertEquals(1, engine.getEnabledProtocols().length); assertEquals("TLSv1", engine.getEnabledProtocols()[0]); assertEquals(1, socket.getEnabledProtocols().length); assertEquals("TLSv1", socket.getEnabledProtocols()[0]); assertEquals(1, socket.getEnabledProtocols().length); assertEquals("TLSv1", serverSocket.getEnabledProtocols()[0]); } }
public void testClientParameters() throws Exception { SSLContext controlContext = SSLContext.getInstance("TLS"); controlContext.init(null, null, null); SSLEngine controlEngine = controlContext.createSSLEngine(); SSLSocket controlSocket = (SSLSocket) controlContext.getSocketFactory().createSocket(); SSLServerSocket controlServerSocket = (SSLServerSocket) controlContext.getServerSocketFactory().createServerSocket(); SSLContextParameters scp = new SSLContextParameters(); SSLContextClientParameters sccp = new SSLContextClientParameters(); scp.setClientParameters(sccp); SSLContext context = scp.createSSLContext(); SSLEngine engine = context.createSSLEngine(); SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket(); SSLServerSocket serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertTrue( Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites())); assertTrue( Arrays.equals(controlSocket.getEnabledCipherSuites(), socket.getEnabledCipherSuites())); assertTrue( Arrays.equals( this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()), serverSocket.getEnabledCipherSuites())); // No csp or filter on client params passes through shared config scp.setCipherSuites(new CipherSuitesParameters()); context = scp.createSSLContext(); engine = context.createSSLEngine(); socket = (SSLSocket) context.getSocketFactory().createSocket(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertEquals(0, socket.getEnabledCipherSuites().length); // Csp on client params scp.setCipherSuites(null); CipherSuitesParameters csp = new CipherSuitesParameters(); sccp.setCipherSuites(csp); context = scp.createSSLContext(); engine = context.createSSLEngine(); socket = (SSLSocket) context.getSocketFactory().createSocket(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertTrue( Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites())); assertEquals(0, socket.getEnabledCipherSuites().length); assertTrue( Arrays.equals( this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()), serverSocket.getEnabledCipherSuites())); // Cipher suites filter on client params FilterParameters filter = new FilterParameters(); filter.getExclude().add(".*"); sccp.setCipherSuites(null); sccp.setCipherSuitesFilter(filter); context = scp.createSSLContext(); engine = context.createSSLEngine(); socket = (SSLSocket) context.getSocketFactory().createSocket(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertTrue( Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites())); assertEquals(0, socket.getEnabledCipherSuites().length); assertTrue( Arrays.equals( this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()), serverSocket.getEnabledCipherSuites())); // Csp on client overrides cipher suites filter on client filter.getInclude().add(".*"); filter.getExclude().clear(); sccp.setCipherSuites(csp); context = scp.createSSLContext(); engine = context.createSSLEngine(); socket = (SSLSocket) context.getSocketFactory().createSocket(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertTrue( Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites())); assertEquals(0, socket.getEnabledCipherSuites().length); assertTrue( Arrays.equals( this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()), serverSocket.getEnabledCipherSuites())); // Sspp on client params SecureSocketProtocolsParameters sspp = new SecureSocketProtocolsParameters(); sccp.setSecureSocketProtocols(sspp); context = scp.createSSLContext(); engine = context.createSSLEngine(); socket = (SSLSocket) context.getSocketFactory().createSocket(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols())); assertEquals(0, socket.getEnabledProtocols().length); checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols()); // Secure socket protocols filter on client params filter = new FilterParameters(); filter.getExclude().add(".*"); sccp.setSecureSocketProtocols(null); sccp.setSecureSocketProtocolsFilter(filter); engine = context.createSSLEngine(); socket = (SSLSocket) context.getSocketFactory().createSocket(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols())); assertEquals(0, socket.getEnabledProtocols().length); checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols()); // Sspp on client params overrides secure socket protocols filter on client filter.getInclude().add(".*"); filter.getExclude().clear(); sccp.setSecureSocketProtocols(sspp); context = scp.createSSLContext(); engine = context.createSSLEngine(); socket = (SSLSocket) context.getSocketFactory().createSocket(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols())); assertEquals(0, socket.getEnabledProtocols().length); checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols()); // Client session timeout only affects client session configuration sccp.setSessionTimeout("12345"); context = scp.createSSLContext(); engine = context.createSSLEngine(); socket = (SSLSocket) context.getSocketFactory().createSocket(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertEquals( controlContext.getServerSessionContext().getSessionTimeout(), context.getServerSessionContext().getSessionTimeout()); assertEquals(12345, context.getClientSessionContext().getSessionTimeout()); }