예제 #1
0
 /** {@inheritDoc} */
 @Override
 public Collection<String> getEnabledSSLCipherSuites() {
   final SSLEngine engine = sslEngine;
   if (engine != null) {
     return Arrays.asList(engine.getEnabledCipherSuites());
   }
   return super.getEnabledSSLCipherSuites();
 }
예제 #2
0
  private SSLEngineConfigurator createSSLEngineConfigurator(HTTPConnectionHandlerCfg config)
      throws DirectoryException {
    if (!config.isUseSSL()) {
      return null;
    }

    try {
      SSLContext sslContext = createSSLContext(config);
      SSLEngineConfigurator configurator = new SSLEngineConfigurator(sslContext);
      configurator.setClientMode(false);

      // configure with defaults from the JVM
      final SSLEngine defaults = sslContext.createSSLEngine();
      configurator.setEnabledProtocols(defaults.getEnabledProtocols());
      configurator.setEnabledCipherSuites(defaults.getEnabledCipherSuites());

      final Set<String> protocols = config.getSSLProtocol();
      if (!protocols.isEmpty()) {
        configurator.setEnabledProtocols(protocols.toArray(new String[protocols.size()]));
      }

      final Set<String> ciphers = config.getSSLCipherSuite();
      if (!ciphers.isEmpty()) {
        configurator.setEnabledCipherSuites(ciphers.toArray(new String[ciphers.size()]));
      }

      switch (config.getSSLClientAuthPolicy()) {
        case DISABLED:
          configurator.setNeedClientAuth(false);
          configurator.setWantClientAuth(false);
          break;
        case REQUIRED:
          configurator.setNeedClientAuth(true);
          configurator.setWantClientAuth(true);
          break;
        case OPTIONAL:
        default:
          configurator.setNeedClientAuth(false);
          configurator.setWantClientAuth(true);
          break;
      }

      return configurator;
    } catch (Exception e) {
      logger.traceException(e);
      ResultCode resCode = DirectoryServer.getServerErrorResultCode();
      throw new DirectoryException(
          resCode, ERR_CONNHANDLER_SSL_CANNOT_INITIALIZE.get(getExceptionMessage(e)), e);
    }
  }
예제 #3
0
 static {
   try {
     SSLEngine temporary = getContext().createSSLEngine();
     temporary.setUseClientMode(true);
     String[] enabledCiphers = temporary.getEnabledCipherSuites();
     List<String> enabledCiphersList = new LinkedList<>();
     for (String cipher : enabledCiphers) {
       if (!cipher.contains("anon")
           && !cipher.contains("KRB5")
           && !cipher.contains("TLS_EMPTY_RENEGOTIATION_INFO_SCSV")) {
         enabledCiphersList.add(cipher);
       }
     }
     ENABLED_NON_KRB_NOT_ANON_CIPHERS = enabledCiphersList.toArray(new String[0]);
   } catch (Exception ex) {
     throw new Error("Unexpected issue", ex);
   }
 }
예제 #4
0
  public void testCipherSuitesFilter() throws Exception {
    SSLContext controlContext = SSLContext.getInstance("TLS");
    controlContext.init(null, null, null);
    SSLEngine controlEngine = controlContext.createSSLEngine();
    SSLSocket controlSocket = (SSLSocket) controlContext.getSocketFactory().createSocket();
    SSLServerSocket controlServerSocket =
        (SSLServerSocket) controlContext.getServerSocketFactory().createServerSocket();

    // default
    SSLContextParameters scp = new SSLContextParameters();

    SSLContext context = scp.createSSLContext();

    CipherSuitesParameters csp = new CipherSuitesParameters();
    scp.setCipherSuites(csp);

    SSLEngine engine = context.createSSLEngine();
    SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket();
    SSLServerSocket serverSocket =
        (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertTrue(
        Arrays.equals(controlSocket.getEnabledCipherSuites(), socket.getEnabledCipherSuites()));
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
            serverSocket.getEnabledCipherSuites()));

    // empty filter
    FilterParameters filter = new FilterParameters();
    scp.setCipherSuitesFilter(filter);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(0, engine.getEnabledCipherSuites().length);
    assertEquals(0, socket.getEnabledCipherSuites().length);
    assertEquals(0, serverSocket.getEnabledCipherSuites().length);

    // explicit filter
    filter.getInclude().add(".*");
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(0, engine.getEnabledCipherSuites().length);
    assertEquals(0, socket.getEnabledCipherSuites().length);
    assertEquals(0, serverSocket.getEnabledCipherSuites().length);

    // explicit filter with excludes (excludes overrides)
    filter.getExclude().add(".*");
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(0, engine.getEnabledCipherSuites().length);
    assertEquals(0, socket.getEnabledCipherSuites().length);
    assertEquals(0, serverSocket.getEnabledCipherSuites().length);

    // explicit filter single include

    filter.getInclude().clear();
    filter.getExclude().clear();
    csp.getCipherSuite().add("TLS_RSA_WITH_AES_128_CBC_SHA");
    filter.getInclude().add("TLS.*");
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    // not all platforms/JDKs have these cipher suites
    if (!isPlatform("aix")) {
      assertTrue(engine.getEnabledCipherSuites().length >= 1);
      assertStartsWith(engine.getEnabledCipherSuites(), "TLS");
      assertTrue(socket.getEnabledCipherSuites().length >= 1);
      assertStartsWith(socket.getEnabledCipherSuites(), "TLS");
      assertTrue(serverSocket.getEnabledCipherSuites().length >= 1);
      assertStartsWith(serverSocket.getEnabledCipherSuites(), "TLS");
    }
  }
예제 #5
0
  public void testCipherSuites() throws Exception {
    SSLContext controlContext = SSLContext.getInstance("TLS");
    controlContext.init(null, null, null);
    SSLEngine controlEngine = controlContext.createSSLEngine();
    SSLSocket controlSocket = (SSLSocket) controlContext.getSocketFactory().createSocket();
    SSLServerSocket controlServerSocket =
        (SSLServerSocket) controlContext.getServerSocketFactory().createServerSocket();

    // default
    SSLContextParameters scp = new SSLContextParameters();

    SSLContext context = scp.createSSLContext();

    SSLEngine engine = context.createSSLEngine();
    SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket();
    SSLServerSocket serverSocket =
        (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertTrue(
        Arrays.equals(controlSocket.getEnabledCipherSuites(), socket.getEnabledCipherSuites()));
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
            serverSocket.getEnabledCipherSuites()));

    // empty csp

    CipherSuitesParameters csp = new CipherSuitesParameters();
    scp.setCipherSuites(csp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(0, engine.getEnabledCipherSuites().length);
    assertEquals(0, socket.getEnabledCipherSuites().length);
    assertEquals(0, serverSocket.getEnabledCipherSuites().length);

    // explicit csp

    csp.getCipherSuite().add(controlEngine.getEnabledCipherSuites()[0]);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(1, engine.getEnabledCipherSuites().length);
    assertEquals(controlEngine.getEnabledCipherSuites()[0], engine.getEnabledCipherSuites()[0]);
    assertEquals(1, socket.getEnabledCipherSuites().length);
    assertEquals(controlEngine.getEnabledCipherSuites()[0], socket.getEnabledCipherSuites()[0]);
    assertEquals(1, serverSocket.getEnabledCipherSuites().length);
    assertEquals(
        controlEngine.getEnabledCipherSuites()[0], serverSocket.getEnabledCipherSuites()[0]);

    // explicit csp overrides filter

    FilterParameters filter = new FilterParameters();
    filter.getInclude().add(".*");
    scp.setCipherSuitesFilter(filter);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(1, engine.getEnabledCipherSuites().length);
    assertEquals(controlEngine.getEnabledCipherSuites()[0], engine.getEnabledCipherSuites()[0]);
    assertEquals(1, socket.getEnabledCipherSuites().length);
    assertEquals(controlEngine.getEnabledCipherSuites()[0], socket.getEnabledCipherSuites()[0]);
    assertEquals(1, socket.getEnabledCipherSuites().length);
    assertEquals(
        controlEngine.getEnabledCipherSuites()[0], serverSocket.getEnabledCipherSuites()[0]);
  }
예제 #6
0
  public void testClientParameters() throws Exception {
    SSLContext controlContext = SSLContext.getInstance("TLS");
    controlContext.init(null, null, null);
    SSLEngine controlEngine = controlContext.createSSLEngine();
    SSLSocket controlSocket = (SSLSocket) controlContext.getSocketFactory().createSocket();
    SSLServerSocket controlServerSocket =
        (SSLServerSocket) controlContext.getServerSocketFactory().createServerSocket();

    SSLContextParameters scp = new SSLContextParameters();
    SSLContextClientParameters sccp = new SSLContextClientParameters();

    scp.setClientParameters(sccp);
    SSLContext context = scp.createSSLContext();

    SSLEngine engine = context.createSSLEngine();
    SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket();
    SSLServerSocket serverSocket =
        (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertTrue(
        Arrays.equals(controlSocket.getEnabledCipherSuites(), socket.getEnabledCipherSuites()));
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
            serverSocket.getEnabledCipherSuites()));

    // No csp or filter on client params passes through shared config
    scp.setCipherSuites(new CipherSuitesParameters());
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(0, socket.getEnabledCipherSuites().length);

    // Csp on client params
    scp.setCipherSuites(null);
    CipherSuitesParameters csp = new CipherSuitesParameters();
    sccp.setCipherSuites(csp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertEquals(0, socket.getEnabledCipherSuites().length);
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
            serverSocket.getEnabledCipherSuites()));

    // Cipher suites filter on client params
    FilterParameters filter = new FilterParameters();
    filter.getExclude().add(".*");
    sccp.setCipherSuites(null);
    sccp.setCipherSuitesFilter(filter);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertEquals(0, socket.getEnabledCipherSuites().length);
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
            serverSocket.getEnabledCipherSuites()));

    // Csp on client overrides cipher suites filter on client
    filter.getInclude().add(".*");
    filter.getExclude().clear();
    sccp.setCipherSuites(csp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertEquals(0, socket.getEnabledCipherSuites().length);
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
            serverSocket.getEnabledCipherSuites()));

    // Sspp on client params
    SecureSocketProtocolsParameters sspp = new SecureSocketProtocolsParameters();
    sccp.setSecureSocketProtocols(sspp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
    assertEquals(0, socket.getEnabledProtocols().length);
    checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());

    // Secure socket protocols filter on client params
    filter = new FilterParameters();
    filter.getExclude().add(".*");
    sccp.setSecureSocketProtocols(null);
    sccp.setSecureSocketProtocolsFilter(filter);
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
    assertEquals(0, socket.getEnabledProtocols().length);
    checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());

    // Sspp on client params overrides  secure socket protocols filter on client
    filter.getInclude().add(".*");
    filter.getExclude().clear();
    sccp.setSecureSocketProtocols(sspp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
    assertEquals(0, socket.getEnabledProtocols().length);
    checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());

    // Client session timeout only affects client session configuration
    sccp.setSessionTimeout("12345");
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(
        controlContext.getServerSessionContext().getSessionTimeout(),
        context.getServerSessionContext().getSessionTimeout());
    assertEquals(12345, context.getClientSessionContext().getSessionTimeout());
  }