/**
 * Switches this connection to TLS by inserting an {@code SslFilter} into the MINA filter chain.
 *
 * @param clientMode     {@code true} when this side acts as the TLS client
 * @param remoteServer   name of the remote server for s2s connections; {@code null} marks a c2s connection
 * @param authentication whether a certificate from the peer is required, merely requested, or not asked for
 * @throws Exception if key/trust material cannot be loaded or the {@code SSLContext} cannot be initialised
 */
public void startTLS(boolean clientMode, String remoteServer, ClientAuth authentication) throws Exception {
    final boolean isC2S = (remoteServer == null);

    // The key store is shared; the trust store depends on the connection type.
    final KeyStore keyStore = SSLConfig.getKeyStore();
    final String keyStorePassword = SSLConfig.getKeyPassword();
    final KeyStore trustStore = isC2S ? SSLConfig.getc2sTrustStore() : SSLConfig.gets2sTrustStore();
    final String trustStorePassword = isC2S ? SSLConfig.getc2sTrustPassword() : SSLConfig.gets2sTrustPassword();

    Log.debug(isC2S ? "NIOConnection: startTLS: using c2s" : "NIOConnection: startTLS: using s2s");

    // KeyManagers pick the local key material to present; TrustManagers decide whether the peer is accepted.
    final KeyManager[] keyManagers = SSLJiveKeyManagerFactory.getKeyManagers(keyStore, keyStorePassword);
    TrustManager[] trustManagers = SSLJiveTrustManagerFactory.getTrustManagers(trustStore, trustStorePassword);

    // A peer certificate may have to be verified when we are the client, or when we ask the client for one;
    // in that case the generic trust managers are replaced by the connection-type specific one.
    final boolean verifyPeer = clientMode
            || authentication == ClientAuth.needed
            || authentication == ClientAuth.wanted;
    if (verifyPeer) {
        final TrustManager peerTrust = isC2S
                ? new ClientTrustManager(trustStore)
                : new ServerTrustManager(remoteServer, trustStore, this);
        trustManagers = new TrustManager[] {peerTrust};
    }

    // NOTE(review): the client-side TLS_ALGORITHM property is consulted for s2s connections too.
    final String contextProtocol = JiveGlobals.getProperty(ConnectionSettings.Client.TLS_ALGORITHM, "TLS");
    final SSLContext sslContext = SSLContext.getInstance(contextProtocol);
    sslContext.init(keyManagers, trustManagers, null); // null -> JSSE default SecureRandom

    final SslFilter tlsFilter = new SslFilter(sslContext);
    tlsFilter.setUseClientMode(clientMode);
    // SSLv3 is excluded because of POODLE. TLSv1 and TLSv1.1 are still offered here; both are
    // deprecated (RFC 8996), so narrowing this list is worth considering once peers no longer need them.
    tlsFilter.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"});

    if (authentication == ClientAuth.needed) {
        tlsFilter.setNeedClientAuth(true);
    } else if (authentication == ClientAuth.wanted) {
        // Ask for a client certificate, but carry on when none is presented or it has no usable chain.
        tlsFilter.setWantClientAuth(true);
    }

    ioSession.getFilterChain().addAfter(EXECUTOR_FILTER_NAME, TLS_FILTER_NAME, tlsFilter);
    // Lets the next write (the <proceed/> below) leave unencrypted; encryption starts afterwards.
    ioSession.setAttribute(SslFilter.DISABLE_ENCRYPTION_ONCE, Boolean.TRUE);

    if (!clientMode) {
        // Signal to the peer that this server is ready to negotiate TLS.
        deliverRawText("<proceed xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\"/>");
    }
}
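/**
 * Starts the embedded Jetty instance that serves the admin console.
 * <p>
 * Reads {@code adminConsole.port} and {@code adminConsole.securePort}, registers an http connector
 * when the former is positive and an https connector when the latter is positive and an RSA
 * certificate is available. When no connector could be registered the server is discarded and a
 * localized warning is logged instead of starting.
 */
public void startup() {
    restartNeeded = false;

    // Listen for certificate events.
    certificateListener = new CertificateListener();
    CertificateManager.addListener(certificateListener);

    adminPort = JiveGlobals.getXMLProperty("adminConsole.port", 9090);
    adminSecurePort = JiveGlobals.getXMLProperty("adminConsole.securePort", 9091);

    adminServer = new Server();
    final QueuedThreadPool threadPool = new QueuedThreadPool(254);
    threadPool.setName("Jetty-QTP-AdminConsole");
    adminServer.setThreadPool(threadPool);
    // Do not advertise the Jetty version in HTTP response headers.
    adminServer.setSendServerVersion(false);

    // Plain http connector, only when a port is configured.
    if (adminPort > 0) {
        final Connector httpConnector = new SelectChannelConnector();
        // Bind to a specific network interface when one is configured.
        httpConnector.setHost(getBindInterface());
        httpConnector.setPort(adminPort);
        adminServer.addConnector(httpConnector);
    }

    // Https connector, only when a port is configured and an RSA certificate is present.
    sslEnabled = false;
    try {
        if (adminSecurePort > 0 && CertificateManager.isRSACertificate(SSLConfig.getKeyStore(), "*")) {
            if (!CertificateManager.isRSACertificate(
                    SSLConfig.getKeyStore(), XMPPServer.getInstance().getServerInfo().getXMPPDomain())) {
                Log.warn("Admin console: Using RSA certificates but they are not valid for the hosted domain");
            }
            final JiveSslConnector httpsConnector = new JiveSslConnector();
            httpsConnector.setHost(getBindInterface());
            httpsConnector.setPort(adminSecurePort);
            // The s2s trust store is configured, but client certificates are neither required nor requested.
            httpsConnector.setTrustPassword(SSLConfig.gets2sTrustPassword());
            httpsConnector.setTruststoreType(SSLConfig.getStoreType());
            httpsConnector.setTruststore(SSLConfig.gets2sTruststoreLocation());
            httpsConnector.setNeedClientAuth(false);
            httpsConnector.setWantClientAuth(false);
            httpsConnector.setKeyPassword(SSLConfig.getKeyPassword());
            httpsConnector.setKeystoreType(SSLConfig.getStoreType());
            httpsConnector.setKeystore(SSLConfig.getKeystoreLocation());
            adminServer.addConnector(httpsConnector);
            // NOTE(review): set before adminServer.start() below, so a failed start() leaves this true.
            sslEnabled = true;
        }
    } catch (Exception e) {
        // A fixed message: e.getMessage() may be null, which left the log line without context.
        // Losing the https connector is tolerated; the http connector (if any) still serves.
        Log.error("Admin console: could not configure the https connector", e);
    }

    // Make sure that at least one connector was registered.
    final Connector[] connectors = adminServer.getConnectors();
    if (connectors == null || connectors.length == 0) {
        adminServer = null;
        log(LocaleUtils.getLocalizedString("admin.console.warning"));
        return;
    }

    final HandlerCollection handlers = new HandlerCollection();
    adminServer.setHandler(handlers);
    handlers.setHandlers(new Handler[] {contexts, new DefaultHandler()});

    try {
        adminServer.start();
    } catch (Exception e) {
        // Typo fixed in the message ("conosle" -> "console").
        Log.error("Could not start admin console server", e);
    }

    // Log the ports that the admin server is listening on.
    logAdminConsolePorts();
}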