/**
 * Reports the cipher suites currently enabled on this connection's TLS engine.
 *
 * <p>The {@code sslEngine} field is copied into a local first, so the null check and the
 * call are made against the same reference. The value returned is the set the engine is
 * willing to negotiate, not the single suite negotiated for an established session.
 *
 * @return the engine's enabled cipher suite names as a fixed-size list, or the superclass
 *         result when no engine is set
 */
@Override
public Collection<String> getEnabledSSLCipherSuites() {
    final SSLEngine current = sslEngine;
    if (current == null) {
        return super.getEnabledSSLCipherSuites();
    }
    return Arrays.asList(current.getEnabledCipherSuites());
}
/**
 * Builds the server-side TLS engine configurator for this HTTP connection handler.
 *
 * <p>Protocols and cipher suites are first seeded from an engine created by the freshly
 * built {@link SSLContext}, then replaced by the values from the configuration when those
 * sets are non-empty. The client-certificate policy is mapped onto the configurator's
 * need/want flags.
 *
 * <p>NOTE(review): when the configuration leaves protocols or cipher suites empty, the
 * listener inherits whatever the runtime enables by default, so the effective TLS posture
 * then depends on the JVM and its security properties (for example
 * {@code jdk.tls.disabledAlgorithms}). Configured names are passed through unchanged;
 * no allow-list is applied in this method.
 *
 * @param config the connection handler configuration to read TLS settings from
 * @return the configurator, or {@code null} when the configuration does not enable SSL
 * @throws DirectoryException if any step of the setup fails; the original exception is
 *         kept as the cause
 */
private SSLEngineConfigurator createSSLEngineConfigurator(HTTPConnectionHandlerCfg config)
        throws DirectoryException {
    if (!config.isUseSSL()) {
        return null;
    }

    try {
        final SSLContext tlsContext = createSSLContext(config);
        final SSLEngineConfigurator result = new SSLEngineConfigurator(tlsContext);
        result.setClientMode(false);

        // Start from the defaults of an engine created by this context.
        final SSLEngine jvmDefaults = tlsContext.createSSLEngine();
        result.setEnabledProtocols(jvmDefaults.getEnabledProtocols());
        result.setEnabledCipherSuites(jvmDefaults.getEnabledCipherSuites());

        // Explicit configuration, when present, replaces the defaults wholesale.
        final Set<String> configuredProtocols = config.getSSLProtocol();
        if (!configuredProtocols.isEmpty()) {
            result.setEnabledProtocols(configuredProtocols.toArray(new String[0]));
        }

        final Set<String> configuredCiphers = config.getSSLCipherSuite();
        if (!configuredCiphers.isEmpty()) {
            result.setEnabledCipherSuites(configuredCiphers.toArray(new String[0]));
        }

        // Translate the client-auth policy into the two flags. An unrecognised policy is
        // treated like OPTIONAL: a client certificate is requested but not required.
        final boolean needClientAuth;
        final boolean wantClientAuth;
        switch (config.getSSLClientAuthPolicy()) {
        case DISABLED:
            needClientAuth = false;
            wantClientAuth = false;
            break;
        case REQUIRED:
            // Both flags are set; how the configurator reconciles them is not visible here.
            needClientAuth = true;
            wantClientAuth = true;
            break;
        case OPTIONAL:
        default:
            needClientAuth = false;
            wantClientAuth = true;
            break;
        }
        result.setNeedClientAuth(needClientAuth);
        result.setWantClientAuth(wantClientAuth);

        return result;
    } catch (Exception e) {
        logger.traceException(e);
        throw new DirectoryException(
            DirectoryServer.getServerErrorResultCode(),
            ERR_CONNHANDLER_SSL_CANNOT_INITIALIZE.get(getExceptionMessage(e)),
            e);
    }
}
/*
 * Computes ENABLED_NON_KRB_NOT_ANON_CIPHERS once, at class initialisation.
 *
 * A throwaway client-mode engine is created from getContext() and its enabled cipher
 * suites are copied, skipping every name that contains "anon", "KRB5" or
 * "TLS_EMPTY_RENEGOTIATION_INFO_SCSV". Any failure aborts class initialisation with an
 * Error carrying the cause.
 *
 * NOTE(review): this is a name-substring denylist over whatever the context enables by
 * default; suite families other than the three named here are kept as-is.
 */
static {
    try {
        final SSLEngine probe = getContext().createSSLEngine();
        probe.setUseClientMode(true);

        final String[] enabledByDefault = probe.getEnabledCipherSuites();
        final List<String> kept = new LinkedList<>();
        for (String suite : enabledByDefault) {
            if (suite.contains("anon")) {
                continue;
            }
            if (suite.contains("KRB5")) {
                continue;
            }
            if (suite.contains("TLS_EMPTY_RENEGOTIATION_INFO_SCSV")) {
                continue;
            }
            kept.add(suite);
        }

        ENABLED_NON_KRB_NOT_ANON_CIPHERS = kept.toArray(new String[0]);
    } catch (Exception ex) {
        throw new Error("Unexpected issue", ex);
    }
}
/**
 * Exercises the cipher suite filter on {@code SSLContextParameters}.
 *
 * <p>A plain "TLS" context initialised with all-null arguments serves as the baseline.
 * After each configuration change the context, engine, socket and server socket are
 * rebuilt and their enabled cipher suites are checked.
 *
 * <p>NOTE(review): an empty {@code CipherSuitesParameters} is installed on the parameters
 * right after the first context is created and stays installed for every later stage. The
 * zero-length results in the filter stages may therefore reflect the empty explicit list
 * rather than the filter itself; confirm this is the intended coverage.
 *
 * @throws Exception if any context or socket cannot be created
 */
public void testCipherSuitesFilter() throws Exception {
    SSLContext baselineContext = SSLContext.getInstance("TLS");
    baselineContext.init(null, null, null);
    SSLEngine baselineEngine = baselineContext.createSSLEngine();
    SSLSocket baselineSocket = (SSLSocket) baselineContext.getSocketFactory().createSocket();
    SSLServerSocket baselineServerSocket =
        (SSLServerSocket) baselineContext.getServerSocketFactory().createServerSocket();

    // Stage: defaults. The context is created before the explicit suite list is attached.
    SSLContextParameters params = new SSLContextParameters();
    SSLContext builtContext = params.createSSLContext();
    CipherSuitesParameters explicitSuites = new CipherSuitesParameters();
    params.setCipherSuites(explicitSuites);
    SSLEngine builtEngine = builtContext.createSSLEngine();
    SSLSocket clientSocket = (SSLSocket) builtContext.getSocketFactory().createSocket();
    SSLServerSocket listenSocket =
        (SSLServerSocket) builtContext.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(
            baselineEngine.getEnabledCipherSuites(), builtEngine.getEnabledCipherSuites()));
    assertTrue(
        Arrays.equals(
            baselineSocket.getEnabledCipherSuites(), clientSocket.getEnabledCipherSuites()));
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(baselineServerSocket.getSupportedCipherSuites()),
            listenSocket.getEnabledCipherSuites()));

    // Stage: filter with no patterns at all.
    FilterParameters suiteFilter = new FilterParameters();
    params.setCipherSuitesFilter(suiteFilter);
    builtContext = params.createSSLContext();
    builtEngine = builtContext.createSSLEngine();
    clientSocket = (SSLSocket) builtContext.getSocketFactory().createSocket();
    listenSocket = (SSLServerSocket) builtContext.getServerSocketFactory().createServerSocket();

    assertEquals(0, builtEngine.getEnabledCipherSuites().length);
    assertEquals(0, clientSocket.getEnabledCipherSuites().length);
    assertEquals(0, listenSocket.getEnabledCipherSuites().length);

    // Stage: filter that includes everything.
    suiteFilter.getInclude().add(".*");
    builtContext = params.createSSLContext();
    builtEngine = builtContext.createSSLEngine();
    clientSocket = (SSLSocket) builtContext.getSocketFactory().createSocket();
    listenSocket = (SSLServerSocket) builtContext.getServerSocketFactory().createServerSocket();

    assertEquals(0, builtEngine.getEnabledCipherSuites().length);
    assertEquals(0, clientSocket.getEnabledCipherSuites().length);
    assertEquals(0, listenSocket.getEnabledCipherSuites().length);

    // Stage: include-all plus exclude-all; the exclude is expected to win.
    suiteFilter.getExclude().add(".*");
    builtContext = params.createSSLContext();
    builtEngine = builtContext.createSSLEngine();
    clientSocket = (SSLSocket) builtContext.getSocketFactory().createSocket();
    listenSocket = (SSLServerSocket) builtContext.getServerSocketFactory().createServerSocket();

    assertEquals(0, builtEngine.getEnabledCipherSuites().length);
    assertEquals(0, clientSocket.getEnabledCipherSuites().length);
    assertEquals(0, listenSocket.getEnabledCipherSuites().length);

    // Stage: one explicit suite together with a single "TLS.*" include pattern.
    suiteFilter.getInclude().clear();
    suiteFilter.getExclude().clear();
    explicitSuites.getCipherSuite().add("TLS_RSA_WITH_AES_128_CBC_SHA");
    suiteFilter.getInclude().add("TLS.*");
    builtContext = params.createSSLContext();
    builtEngine = builtContext.createSSLEngine();
    clientSocket = (SSLSocket) builtContext.getSocketFactory().createSocket();
    listenSocket = (SSLServerSocket) builtContext.getServerSocketFactory().createServerSocket();

    // Not every platform/JDK offers this suite, so AIX is skipped and the checks below
    // only require at least one TLS-prefixed suite.
    if (isPlatform("aix")) {
        return;
    }
    assertTrue(builtEngine.getEnabledCipherSuites().length >= 1);
    assertStartsWith(builtEngine.getEnabledCipherSuites(), "TLS");
    assertTrue(clientSocket.getEnabledCipherSuites().length >= 1);
    assertStartsWith(clientSocket.getEnabledCipherSuites(), "TLS");
    assertTrue(listenSocket.getEnabledCipherSuites().length >= 1);
    assertStartsWith(listenSocket.getEnabledCipherSuites(), "TLS");
}
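/**
 * Exercises the explicit cipher suite list on {@code SSLContextParameters}.
 *
 * <p>A plain "TLS" context initialised with all-null arguments is the control. After each
 * configuration change the context, engine, socket and server socket are rebuilt and
 * their enabled cipher suites are compared against the expectation for that stage:
 * defaults, an empty explicit list, a one-entry explicit list, and a one-entry explicit
 * list combined with an include-all filter.
 *
 * @throws Exception if any context or socket cannot be created
 */
public void testCipherSuites() throws Exception {
    SSLContext controlContext = SSLContext.getInstance("TLS");
    controlContext.init(null, null, null);
    SSLEngine controlEngine = controlContext.createSSLEngine();
    SSLSocket controlSocket = (SSLSocket) controlContext.getSocketFactory().createSocket();
    SSLServerSocket controlServerSocket =
        (SSLServerSocket) controlContext.getServerSocketFactory().createServerSocket();

    // default
    SSLContextParameters scp = new SSLContextParameters();
    SSLContext context = scp.createSSLContext();
    SSLEngine engine = context.createSSLEngine();
    SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket();
    SSLServerSocket serverSocket =
        (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertTrue(
        Arrays.equals(controlSocket.getEnabledCipherSuites(), socket.getEnabledCipherSuites()));
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
            serverSocket.getEnabledCipherSuites()));

    // empty csp: an explicit but empty list is expected to leave nothing enabled
    CipherSuitesParameters csp = new CipherSuitesParameters();
    scp.setCipherSuites(csp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(0, engine.getEnabledCipherSuites().length);
    assertEquals(0, socket.getEnabledCipherSuites().length);
    assertEquals(0, serverSocket.getEnabledCipherSuites().length);

    // explicit csp: exactly the one listed suite is expected everywhere
    csp.getCipherSuite().add(controlEngine.getEnabledCipherSuites()[0]);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(1, engine.getEnabledCipherSuites().length);
    assertEquals(controlEngine.getEnabledCipherSuites()[0], engine.getEnabledCipherSuites()[0]);
    assertEquals(1, socket.getEnabledCipherSuites().length);
    assertEquals(controlEngine.getEnabledCipherSuites()[0], socket.getEnabledCipherSuites()[0]);
    assertEquals(1, serverSocket.getEnabledCipherSuites().length);
    assertEquals(
        controlEngine.getEnabledCipherSuites()[0], serverSocket.getEnabledCipherSuites()[0]);

    // explicit csp overrides filter
    FilterParameters filter = new FilterParameters();
    filter.getInclude().add(".*");
    scp.setCipherSuitesFilter(filter);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(1, engine.getEnabledCipherSuites().length);
    assertEquals(controlEngine.getEnabledCipherSuites()[0], engine.getEnabledCipherSuites()[0]);
    assertEquals(1, socket.getEnabledCipherSuites().length);
    assertEquals(controlEngine.getEnabledCipherSuites()[0], socket.getEnabledCipherSuites()[0]);
    // The server socket's length is checked here, as in the "explicit csp" stage; the
    // socket's length was previously asserted twice and the server socket's never.
    assertEquals(1, serverSocket.getEnabledCipherSuites().length);
    assertEquals(
        controlEngine.getEnabledCipherSuites()[0], serverSocket.getEnabledCipherSuites()[0]);
}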
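/**
 * Exercises the client-side overrides ({@code SSLContextClientParameters}) of
 * {@code SSLContextParameters}.
 *
 * <p>A plain "TLS" context initialised with all-null arguments is the control. Each stage
 * changes the shared or client parameters, rebuilds the context and the objects derived
 * from it, and then checks that only the client socket is affected while the engine and
 * the server socket keep their control values. The final stage checks that the client
 * session timeout does not alter the server session timeout.
 *
 * @throws Exception if any context or socket cannot be created
 */
public void testClientParameters() throws Exception {
    SSLContext controlContext = SSLContext.getInstance("TLS");
    controlContext.init(null, null, null);
    SSLEngine controlEngine = controlContext.createSSLEngine();
    SSLSocket controlSocket = (SSLSocket) controlContext.getSocketFactory().createSocket();
    SSLServerSocket controlServerSocket =
        (SSLServerSocket) controlContext.getServerSocketFactory().createServerSocket();

    SSLContextParameters scp = new SSLContextParameters();
    SSLContextClientParameters sccp = new SSLContextClientParameters();
    scp.setClientParameters(sccp);

    SSLContext context = scp.createSSLContext();
    SSLEngine engine = context.createSSLEngine();
    SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket();
    SSLServerSocket serverSocket =
        (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertTrue(
        Arrays.equals(controlSocket.getEnabledCipherSuites(), socket.getEnabledCipherSuites()));
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
            serverSocket.getEnabledCipherSuites()));

    // No csp or filter on client params passes through shared config
    scp.setCipherSuites(new CipherSuitesParameters());
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(0, socket.getEnabledCipherSuites().length);

    // Csp on client params
    scp.setCipherSuites(null);
    CipherSuitesParameters csp = new CipherSuitesParameters();
    sccp.setCipherSuites(csp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertEquals(0, socket.getEnabledCipherSuites().length);
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
            serverSocket.getEnabledCipherSuites()));

    // Cipher suites filter on client params
    FilterParameters filter = new FilterParameters();
    filter.getExclude().add(".*");
    sccp.setCipherSuites(null);
    sccp.setCipherSuitesFilter(filter);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertEquals(0, socket.getEnabledCipherSuites().length);
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
            serverSocket.getEnabledCipherSuites()));

    // Csp on client overrides cipher suites filter on client
    filter.getInclude().add(".*");
    filter.getExclude().clear();
    sccp.setCipherSuites(csp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertEquals(0, socket.getEnabledCipherSuites().length);
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
            serverSocket.getEnabledCipherSuites()));

    // Sspp on client params
    SecureSocketProtocolsParameters sspp = new SecureSocketProtocolsParameters();
    sccp.setSecureSocketProtocols(sspp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
    assertEquals(0, socket.getEnabledProtocols().length);
    checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());

    // Secure socket protocols filter on client params
    filter = new FilterParameters();
    filter.getExclude().add(".*");
    sccp.setSecureSocketProtocols(null);
    sccp.setSecureSocketProtocolsFilter(filter);
    // Rebuild the context so this stage actually exercises the protocols filter; without
    // it the assertions below ran against the context built for the previous stage.
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
    assertEquals(0, socket.getEnabledProtocols().length);
    checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());

    // Sspp on client params overrides secure socket protocols filter on client
    filter.getInclude().add(".*");
    filter.getExclude().clear();
    sccp.setSecureSocketProtocols(sspp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
    assertEquals(0, socket.getEnabledProtocols().length);
    checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());

    // Client session timeout only affects client session configuration
    sccp.setSessionTimeout("12345");
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(
        controlContext.getServerSessionContext().getSessionTimeout(),
        context.getServerSessionContext().getSessionTimeout());
    assertEquals(12345, context.getClientSessionContext().getSessionTimeout());
}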