camel-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ningji...@apache.org
Subject [04/11] git commit: CAMEL-7940 Disable SSL security protocol by default
Date Wed, 22 Oct 2014 09:45:16 GMT
CAMEL-7940 Disable SSL security protocol by default


Project: http://git-wip-us.apache.org/repos/asf/camel/repo
Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/c4706ee5
Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/c4706ee5
Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/c4706ee5

Branch: refs/heads/master
Commit: c4706ee5fe25874fd309a83b44d6c093b9917678
Parents: eb2cd50
Author: Willem Jiang <willem.jiang@gmail.com>
Authored: Wed Oct 22 14:14:26 2014 +0800
Committer: Willem Jiang <willem.jiang@gmail.com>
Committed: Wed Oct 22 15:41:49 2014 +0800

----------------------------------------------------------------------
 .../util/jsse/BaseSSLContextParameters.java     |  4 ++
 .../util/jsse/SSLContextParametersTest.java     | 46 ++++++++++++--------
 2 files changed, 32 insertions(+), 18 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/camel/blob/c4706ee5/camel-core/src/main/java/org/apache/camel/util/jsse/BaseSSLContextParameters.java
----------------------------------------------------------------------
diff --git a/camel-core/src/main/java/org/apache/camel/util/jsse/BaseSSLContextParameters.java
b/camel-core/src/main/java/org/apache/camel/util/jsse/BaseSSLContextParameters.java
index f92d815..1bb807f 100644
--- a/camel-core/src/main/java/org/apache/camel/util/jsse/BaseSSLContextParameters.java
+++ b/camel-core/src/main/java/org/apache/camel/util/jsse/BaseSSLContextParameters.java
@@ -66,6 +66,9 @@ public abstract class BaseSSLContextParameters extends JsseParameters {
     protected static final List<String> DEFAULT_SECURE_SOCKET_PROTOCOLS_FILTER_INCLUDE
=
         Collections.unmodifiableList(Arrays.asList(".*"));
     
+    protected static final List<String> DEFAULT_SECURE_SOCKET_PROTOCOLS_FILTER_EXCLUDE
=
+        Collections.unmodifiableList(Arrays.asList("SSL.*"));
+    
     private static final Logger LOG = LoggerFactory.getLogger(BaseSSLContextParameters.class);
     
     private static final String LS = System.getProperty("line.separator");
@@ -281,6 +284,7 @@ public abstract class BaseSSLContextParameters extends JsseParameters
{
         FilterParameters filter = new FilterParameters();
         
         filter.getInclude().addAll(DEFAULT_SECURE_SOCKET_PROTOCOLS_FILTER_INCLUDE);
+        filter.getExclude().addAll(DEFAULT_SECURE_SOCKET_PROTOCOLS_FILTER_EXCLUDE);
         
         return filter; 
     }

http://git-wip-us.apache.org/repos/asf/camel/blob/c4706ee5/camel-core/src/test/java/org/apache/camel/util/jsse/SSLContextParametersTest.java
----------------------------------------------------------------------
diff --git a/camel-core/src/test/java/org/apache/camel/util/jsse/SSLContextParametersTest.java
b/camel-core/src/test/java/org/apache/camel/util/jsse/SSLContextParametersTest.java
index bc163c2..99bd6fd 100644
--- a/camel-core/src/test/java/org/apache/camel/util/jsse/SSLContextParametersTest.java
+++ b/camel-core/src/test/java/org/apache/camel/util/jsse/SSLContextParametersTest.java
@@ -42,6 +42,13 @@ public class SSLContextParametersTest extends AbstractJsseParametersTest
{
                           Arrays.asList(new Pattern[0]));
         assertEquals(2, result.size());
         assertStartsWith(result, "TLS");
+        
+        result = parameters.filter(null, 
+                           Arrays.asList(new String[]{"SSLv3", "TLSv1", "TLSv1.1"}),
+                           Arrays.asList(new Pattern[]{Pattern.compile(".*")}),
+                           Arrays.asList(new Pattern[]{Pattern.compile("SSL.*")}));
+        assertEquals(2, result.size());
+        assertStartsWith(result, "TLS");
         try {
             assertStartsWith((String[]) null, "TLS");
             fail("We chould got an exception here!");
@@ -246,8 +253,8 @@ public class SSLContextParametersTest extends AbstractJsseParametersTest
{
         socket = (SSLSocket) context.getSocketFactory().createSocket();
         serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
         
-        assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
-        assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols()));
+        assertFalse(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
+        assertFalse(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols()));
         assertEquals(0, serverSocket.getEnabledProtocols().length);
         
         // Secure socket protocols filter on client params
@@ -259,8 +266,8 @@ public class SSLContextParametersTest extends AbstractJsseParametersTest
{
         socket = (SSLSocket) context.getSocketFactory().createSocket();
         serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
         
-        assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
-        assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols()));
+        assertStartsWith(engine.getEnabledProtocols(), "TLS");
+        assertStartsWith(socket.getEnabledProtocols(), "TLS");
         assertEquals(0, serverSocket.getEnabledProtocols().length);
         
         // Sspp on client params overrides  secure socket protocols filter on client
@@ -272,8 +279,8 @@ public class SSLContextParametersTest extends AbstractJsseParametersTest
{
         socket = (SSLSocket) context.getSocketFactory().createSocket();
         serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
         
-        assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
-        assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols()));
+        assertStartsWith(engine.getEnabledProtocols(), "TLS");
+        assertStartsWith(socket.getEnabledProtocols(), "TLS");
         assertEquals(0, serverSocket.getEnabledProtocols().length);
         
         // Server session timeout only affects server session configuration
@@ -377,9 +384,9 @@ public class SSLContextParametersTest extends AbstractJsseParametersTest
{
         socket = (SSLSocket) context.getSocketFactory().createSocket();
         serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
         
-        assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
+        assertStartsWith(engine.getEnabledProtocols(), "TLS");
         assertEquals(0, socket.getEnabledProtocols().length);
-        checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());
+        assertStartsWith(serverSocket.getEnabledProtocols(), "TLS");
         
         // Secure socket protocols filter on client params
         filter = new FilterParameters();
@@ -390,9 +397,9 @@ public class SSLContextParametersTest extends AbstractJsseParametersTest
{
         socket = (SSLSocket) context.getSocketFactory().createSocket();
         serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
         
-        assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
+        assertStartsWith(engine.getEnabledProtocols(), "TLS");
         assertEquals(0, socket.getEnabledProtocols().length);
-        checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());
+        assertStartsWith(serverSocket.getEnabledProtocols(), "TLS");
 
         // Sspp on client params overrides  secure socket protocols filter on client
         filter.getInclude().add(".*");
@@ -403,9 +410,9 @@ public class SSLContextParametersTest extends AbstractJsseParametersTest
{
         socket = (SSLSocket) context.getSocketFactory().createSocket();
         serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
         
-        assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
+        assertStartsWith(engine.getEnabledProtocols(), "TLS");
         assertEquals(0, socket.getEnabledProtocols().length);
-        checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());
+        assertStartsWith(serverSocket.getEnabledProtocols(), "TLS");
         
         // Client session timeout only affects client session configuration
         sccp.setSessionTimeout("12345");
@@ -581,9 +588,11 @@ public class SSLContextParametersTest extends AbstractJsseParametersTest
{
         SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket();
         SSLServerSocket serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
         
-        assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
-        assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols()));
-        checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());
+        // default disable the SSL* protocols
+        assertStartsWith(engine.getEnabledProtocols(), "TLS");
+        assertStartsWith(socket.getEnabledProtocols(), "TLS");
+        assertStartsWith(serverSocket.getEnabledProtocols(), "TLS");
+        //checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());
         
         // empty sspp
         
@@ -650,9 +659,10 @@ public class SSLContextParametersTest extends AbstractJsseParametersTest
{
         SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket();
         SSLServerSocket serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
         
-        assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
-        assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols()));
-        checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());
+        // default disable the SSL* protocols
+        assertStartsWith(engine.getEnabledProtocols(), "TLS");
+        assertStartsWith(socket.getEnabledProtocols(), "TLS");
+        assertStartsWith(serverSocket.getEnabledProtocols(), "TLS");
 
         // empty filter
         


Mime
View raw message