Пример #1
0
 /** {@inheritDoc} */
 @Override
 public Collection<String> getEnabledSSLProtocols() {
   final SSLEngine engine = sslEngine;
   if (engine != null) {
     return Arrays.asList(engine.getEnabledProtocols());
   }
   return super.getEnabledSSLProtocols();
 }
Пример #2
0
  private SSLEngineConfigurator createSSLEngineConfigurator(HTTPConnectionHandlerCfg config)
      throws DirectoryException {
    if (!config.isUseSSL()) {
      return null;
    }

    try {
      SSLContext sslContext = createSSLContext(config);
      SSLEngineConfigurator configurator = new SSLEngineConfigurator(sslContext);
      configurator.setClientMode(false);

      // configure with defaults from the JVM
      final SSLEngine defaults = sslContext.createSSLEngine();
      configurator.setEnabledProtocols(defaults.getEnabledProtocols());
      configurator.setEnabledCipherSuites(defaults.getEnabledCipherSuites());

      final Set<String> protocols = config.getSSLProtocol();
      if (!protocols.isEmpty()) {
        configurator.setEnabledProtocols(protocols.toArray(new String[protocols.size()]));
      }

      final Set<String> ciphers = config.getSSLCipherSuite();
      if (!ciphers.isEmpty()) {
        configurator.setEnabledCipherSuites(ciphers.toArray(new String[ciphers.size()]));
      }

      switch (config.getSSLClientAuthPolicy()) {
        case DISABLED:
          configurator.setNeedClientAuth(false);
          configurator.setWantClientAuth(false);
          break;
        case REQUIRED:
          configurator.setNeedClientAuth(true);
          configurator.setWantClientAuth(true);
          break;
        case OPTIONAL:
        default:
          configurator.setNeedClientAuth(false);
          configurator.setWantClientAuth(true);
          break;
      }

      return configurator;
    } catch (Exception e) {
      logger.traceException(e);
      ResultCode resCode = DirectoryServer.getServerErrorResultCode();
      throw new DirectoryException(
          resCode, ERR_CONNHANDLER_SSL_CANNOT_INITIALIZE.get(getExceptionMessage(e)), e);
    }
  }
Пример #3
0
  public void testSecureSocketProtocolsFilter() throws Exception {
    SSLContext controlContext = SSLContext.getInstance("TLS");
    controlContext.init(null, null, null);
    SSLEngine controlEngine = controlContext.createSSLEngine();
    SSLSocket controlSocket = (SSLSocket) controlContext.getSocketFactory().createSocket();
    SSLServerSocket controlServerSocket =
        (SSLServerSocket) controlContext.getServerSocketFactory().createServerSocket();

    // default
    SSLContextParameters scp = new SSLContextParameters();

    SSLContext context = scp.createSSLContext();

    SSLEngine engine = context.createSSLEngine();
    SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket();
    SSLServerSocket serverSocket =
        (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
    assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols()));
    checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());

    // empty filter

    FilterParameters filter = new FilterParameters();
    scp.setSecureSocketProtocolsFilter(filter);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(0, engine.getEnabledProtocols().length);
    assertEquals(0, socket.getEnabledProtocols().length);
    assertEquals(0, serverSocket.getEnabledProtocols().length);

    // explicit filter

    filter.getInclude().add(".*");
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
    assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols()));
    checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());

    // explicit filter with excludes (excludes overrides)
    filter.getExclude().add(".*");
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(0, engine.getEnabledProtocols().length);
    assertEquals(0, socket.getEnabledProtocols().length);
    assertEquals(0, serverSocket.getEnabledProtocols().length);

    // explicit filter single include
    filter.getInclude().clear();
    filter.getExclude().clear();
    filter.getInclude().add("TLS.*");
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    // not all platforms/JDKs have these cipher suites
    if (!isPlatform("aix")) {
      assertTrue(engine.getEnabledProtocols().length >= 1);
      assertStartsWith(engine.getEnabledProtocols(), "TLS");
      assertTrue(socket.getEnabledProtocols().length >= 1);
      assertStartsWith(socket.getEnabledProtocols(), "TLS");
      assertTrue(socket.getEnabledProtocols().length >= 1);
      assertStartsWith(serverSocket.getEnabledProtocols(), "TLS");
    }
  }
Пример #4
0
  public void testSecureSocketProtocols() throws Exception {
    SSLContext controlContext = SSLContext.getInstance("TLS");
    controlContext.init(null, null, null);
    SSLEngine controlEngine = controlContext.createSSLEngine();
    SSLSocket controlSocket = (SSLSocket) controlContext.getSocketFactory().createSocket();
    SSLServerSocket controlServerSocket =
        (SSLServerSocket) controlContext.getServerSocketFactory().createServerSocket();

    // default
    SSLContextParameters scp = new SSLContextParameters();

    SSLContext context = scp.createSSLContext();

    SSLEngine engine = context.createSSLEngine();
    SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket();
    SSLServerSocket serverSocket =
        (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
    assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols()));
    checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());

    // empty sspp

    SecureSocketProtocolsParameters sspp = new SecureSocketProtocolsParameters();
    scp.setSecureSocketProtocols(sspp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(0, engine.getEnabledProtocols().length);
    assertEquals(0, socket.getEnabledProtocols().length);
    assertEquals(0, serverSocket.getEnabledProtocols().length);

    // explicit sspp

    sspp.getSecureSocketProtocol().add("TLSv1");
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(1, engine.getEnabledProtocols().length);
    assertEquals("TLSv1", engine.getEnabledProtocols()[0]);
    assertEquals(1, socket.getEnabledProtocols().length);
    assertEquals("TLSv1", socket.getEnabledProtocols()[0]);
    assertEquals(1, serverSocket.getEnabledProtocols().length);
    assertEquals("TLSv1", serverSocket.getEnabledProtocols()[0]);

    // explicit sspp overrides filter

    FilterParameters filter = new FilterParameters();
    filter.getInclude().add(".*");
    scp.setSecureSocketProtocolsFilter(filter);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    // not all platforms/JDKs have these cipher suites
    if (!isPlatform("aix")) {
      assertEquals(1, engine.getEnabledProtocols().length);
      assertEquals("TLSv1", engine.getEnabledProtocols()[0]);
      assertEquals(1, socket.getEnabledProtocols().length);
      assertEquals("TLSv1", socket.getEnabledProtocols()[0]);
      assertEquals(1, socket.getEnabledProtocols().length);
      assertEquals("TLSv1", serverSocket.getEnabledProtocols()[0]);
    }
  }
Пример #5
0
  public void testClientParameters() throws Exception {
    SSLContext controlContext = SSLContext.getInstance("TLS");
    controlContext.init(null, null, null);
    SSLEngine controlEngine = controlContext.createSSLEngine();
    SSLSocket controlSocket = (SSLSocket) controlContext.getSocketFactory().createSocket();
    SSLServerSocket controlServerSocket =
        (SSLServerSocket) controlContext.getServerSocketFactory().createServerSocket();

    SSLContextParameters scp = new SSLContextParameters();
    SSLContextClientParameters sccp = new SSLContextClientParameters();

    scp.setClientParameters(sccp);
    SSLContext context = scp.createSSLContext();

    SSLEngine engine = context.createSSLEngine();
    SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket();
    SSLServerSocket serverSocket =
        (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertTrue(
        Arrays.equals(controlSocket.getEnabledCipherSuites(), socket.getEnabledCipherSuites()));
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
            serverSocket.getEnabledCipherSuites()));

    // No csp or filter on client params passes through shared config
    scp.setCipherSuites(new CipherSuitesParameters());
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(0, socket.getEnabledCipherSuites().length);

    // Csp on client params
    scp.setCipherSuites(null);
    CipherSuitesParameters csp = new CipherSuitesParameters();
    sccp.setCipherSuites(csp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertEquals(0, socket.getEnabledCipherSuites().length);
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
            serverSocket.getEnabledCipherSuites()));

    // Cipher suites filter on client params
    FilterParameters filter = new FilterParameters();
    filter.getExclude().add(".*");
    sccp.setCipherSuites(null);
    sccp.setCipherSuitesFilter(filter);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertEquals(0, socket.getEnabledCipherSuites().length);
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
            serverSocket.getEnabledCipherSuites()));

    // Csp on client overrides cipher suites filter on client
    filter.getInclude().add(".*");
    filter.getExclude().clear();
    sccp.setCipherSuites(csp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertEquals(0, socket.getEnabledCipherSuites().length);
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
            serverSocket.getEnabledCipherSuites()));

    // Sspp on client params
    SecureSocketProtocolsParameters sspp = new SecureSocketProtocolsParameters();
    sccp.setSecureSocketProtocols(sspp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
    assertEquals(0, socket.getEnabledProtocols().length);
    checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());

    // Secure socket protocols filter on client params
    filter = new FilterParameters();
    filter.getExclude().add(".*");
    sccp.setSecureSocketProtocols(null);
    sccp.setSecureSocketProtocolsFilter(filter);
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
    assertEquals(0, socket.getEnabledProtocols().length);
    checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());

    // Sspp on client params overrides  secure socket protocols filter on client
    filter.getInclude().add(".*");
    filter.getExclude().clear();
    sccp.setSecureSocketProtocols(sspp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
    assertEquals(0, socket.getEnabledProtocols().length);
    checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());

    // Client session timeout only affects client session configuration
    sccp.setSessionTimeout("12345");
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(
        controlContext.getServerSessionContext().getSessionTimeout(),
        context.getServerSessionContext().getSessionTimeout());
    assertEquals(12345, context.getClientSessionContext().getSessionTimeout());
  }