public void testSetEnabledProtocolsAffectsGetter() throws Exception {
SSLServerSocket socket =
(SSLServerSocket) SSLServerSocketFactory.getDefault().createServerSocket();
String[] protocols = new String[] {socket.getSupportedProtocols()[0]};
socket.setEnabledProtocols(protocols);
assertEquals(Arrays.asList(protocols), Arrays.asList(socket.getEnabledProtocols()));
}
/**
* Configures the given SSL server socket with the requested cipher suites, protocol versions, and
* need for client authentication
*/
private void initServerSocket(ServerSocket ssocket) {
SSLServerSocket socket = (SSLServerSocket) ssocket;
socket.setEnabledCipherSuites(enabledCiphers);
socket.setEnabledProtocols(enabledProtocols);
// we don't know if client auth is needed -
// after parsing the request we may re-handshake
configureClientAuth(socket);
configureUseServerCipherSuitesOrder(socket);
}
public static TServerSocket getServerSSLSocket(
String hiveHost,
int portNum,
String keyStorePath,
String keyStorePassWord,
List<String> sslVersionBlacklist,
int socketTimeout,
boolean keepAlive)
throws TTransportException, UnknownHostException {
TSSLTransportFactory.TSSLTransportParameters params =
new TSSLTransportFactory.TSSLTransportParameters();
params.setKeyStore(keyStorePath, keyStorePassWord);
InetSocketAddress serverAddress;
if (hiveHost == null || hiveHost.isEmpty()) {
// Wildcard bind
serverAddress = new InetSocketAddress(portNum);
} else {
serverAddress = new InetSocketAddress(hiveHost, portNum);
}
TServerSocket thriftServerSocket =
TSSLTransportFactory.getServerSocket(
portNum, socketTimeout, serverAddress.getAddress(), params);
if (thriftServerSocket.getServerSocket() instanceof SSLServerSocket) {
List<String> sslVersionBlacklistLocal = new ArrayList<String>();
for (String sslVersion : sslVersionBlacklist) {
sslVersionBlacklistLocal.add(sslVersion.trim().toLowerCase());
}
SSLServerSocket sslServerSocket = (SSLServerSocket) thriftServerSocket.getServerSocket();
List<String> enabledProtocols = new ArrayList<String>();
for (String protocol : sslServerSocket.getEnabledProtocols()) {
if (sslVersionBlacklistLocal.contains(protocol.toLowerCase())) {
LOG.debug("Disabling SSL Protocol: " + protocol);
} else {
enabledProtocols.add(protocol);
}
}
sslServerSocket.setEnabledProtocols(enabledProtocols.toArray(new String[0]));
LOG.info(
"SSL Server Socket Enabled Protocols: "
+ Arrays.toString(sslServerSocket.getEnabledProtocols()));
}
if (keepAlive) {
thriftServerSocket = new TServerSocketKeepAlive(thriftServerSocket.getServerSocket());
}
return thriftServerSocket;
}
public void setEnabledProtocols(String[] protocols) {
s.setEnabledProtocols(protocols);
}
protected void setEnabledProtocols(SSLServerSocket socket, String[] protocols) {
if (protocols != null) {
socket.setEnabledProtocols(protocols);
}
}
public void setConfiguration(ListenerConfigurationItem cfg, boolean noKeepAlive)
throws KeyStoreException, NoSuchAlgorithmException, CertificateException,
UnrecoverableKeyException, KeyManagementException, IOException {
keepAlive = !noKeepAlive;
config = cfg;
Map props = config.getProperties();
String s = (String) props.get("port");
if (s != null) port = new Integer(s).intValue();
s = (String) props.get("backlog");
if (s != null) backlog = new Integer(s).intValue();
if (keepAlive) {
s = (String) props.get("keepAlive");
if (s != null) keepAlive = new Boolean(s).booleanValue();
}
String useSSL = (String) props.get("useSSL");
String trustAll = (String) props.get("trustAll");
if (requiresSSL || "true".equalsIgnoreCase(useSSL)) {
KeyManager[] keyManagers = null;
TrustManager[] trustManagers = null;
String keyManager = (String) props.get("keyManager");
if (keyManager != null && keyManager.length() > 0) {
try {
KeyManager manager = (KeyManager) Configuration.getBean(keyManager);
keyManagers = new KeyManager[] {manager};
} catch (Exception e) {
e.printStackTrace();
}
} else {
String keystore = (String) props.get("keyStore");
String keystoreType = (String) props.get("keyStoreType");
String keystorePassword = (String) props.get("keyStorePassword");
String keyPassword = (String) props.get("keyPassword");
if (keystore != null) {
if (keystoreType == null) keystoreType = "pkcs12";
KeyStore ks = KeyStore.getInstance(keystoreType);
ks.load(
new FileInputStream(keystore),
keystorePassword == null ? null : keystorePassword.toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, keyPassword == null ? null : keyPassword.toCharArray());
keyManagers = kmf.getKeyManagers();
}
}
String trustManager = (String) props.get("trustManager");
if (trustManager != null && trustManager.length() > 0) {
try {
TrustManager manager = (TrustManager) Configuration.getBean(trustManager);
trustManagers = new TrustManager[] {manager};
} catch (Exception e) {
e.printStackTrace();
}
} else if ("true".equalsIgnoreCase(trustAll)) {
trustManagers =
new TrustManager[] {
new X509TrustManager() {
public void checkClientTrusted(X509Certificate[] chain, String authType) {}
public void checkServerTrusted(X509Certificate[] chain, String authType) {}
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}
}
};
} else {
String keystore = (String) props.get("caStore");
String keystoreType = (String) props.get("caStoreType");
String keystorePassword = (String) props.get("caStorePassword");
if (keystore != null) {
if (keystoreType == null) keystoreType = "pkcs12";
KeyStore caKeys = KeyStore.getInstance(keystoreType);
caKeys.load(
new FileInputStream(keystore),
keystorePassword == null ? null : keystorePassword.toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(caKeys);
trustManagers = tmf.getTrustManagers();
}
}
SSLContext sslContext = SSLContext.getInstance("SSLv3");
sslContext.init(keyManagers, trustManagers, null);
ServerSocketFactory socketFactory = sslContext.getServerSocketFactory();
SSLServerSocket sslServerSocket =
(SSLServerSocket) socketFactory.createServerSocket(port, backlog);
serverSocket = sslServerSocket;
if (sslWantClientAuth) sslServerSocket.setWantClientAuth(true);
if (sslNeedClientAuth) sslServerSocket.setNeedClientAuth(true);
if (sslEnabledProtocols != null) sslServerSocket.setEnabledProtocols(sslEnabledProtocols);
if (sslEnabledCiphers != null) sslServerSocket.setEnabledCipherSuites(sslEnabledCiphers);
usingSSL = true;
} else {
serverSocket = new ServerSocket(port, backlog);
}
serverSocket.setReuseAddress(true);
setActive(true);
}