cloudstack-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bhais...@apache.org
Subject git commit: updated refs/heads/4.3 to 53c0ab8
Date Wed, 21 Jan 2015 12:56:42 GMT
Repository: cloudstack
Updated Branches:
  refs/heads/4.3 bd5fe46e5 -> 53c0ab856


CLOUDSTACK-8160: use preferable protocols

(cherry picked from commit debfcdef788ce0d51be06db0ef10f6815f9b563b)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>

Conflicts:
	client/tomcatconf/server7-nonssl.xml.in
	client/tomcatconf/server7-ssl.xml.in
	engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java
	plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
	plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/XenServerConnectionPool.java
	plugins/network-elements/opendaylight/src/main/java/org/apache/cloudstack/network/opendaylight/api/NeutronRestApi.java
	plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java
	plugins/storage/volume/cloudbyte/src/org/apache/cloudstack/storage/datastore/util/ElastistorUtil.java
	plugins/storage/volume/nexenta/src/org/apache/cloudstack/storage/datastore/util/NexentaNmsClient.java
	plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java
	pom.xml
	services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
	services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java
	systemvm/scripts/config_ssl.sh
	utils/src/com/cloud/utils/nio/NioClient.java
	utils/src/com/cloud/utils/rest/RESTServiceConnector.java
	utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java
	vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/53c0ab85
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/53c0ab85
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/53c0ab85

Branch: refs/heads/4.3
Commit: 53c0ab856a4358f508e6ef7488cffaba4d184a03
Parents: bd5fe46
Author: Rohit Yadav <rohit.yadav@shapeblue.com>
Authored: Wed Jan 21 18:01:34 2015 +0530
Committer: Rohit Yadav <rohit.yadav@shapeblue.com>
Committed: Wed Jan 21 18:24:54 2015 +0530

----------------------------------------------------------------------
 client/tomcatconf/server-nonssl.xml.in          |  2 +-
 client/tomcatconf/server-ssl.xml.in             |  2 +-
 .../manager/ClusteredAgentManagerImpl.java      |  3 +
 .../mom/rabbitmq/RabbitMQEventBus.java          |  9 ++-
 .../xen/resource/XenServerConnectionPool.java   |  5 +-
 .../cloud/network/utils/HttpClientWrapper.java  |  5 +-
 .../storage/datastore/util/SolidFireUtil.java   |  4 +-
 pom.xml                                         |  7 ++-
 .../main/java/streamer/SocketWrapperImpl.java   |  2 +-
 .../ConsoleProxySecureServerFactoryImpl.java    | 11 ++--
 .../com/cloud/consoleproxy/util/RawHTTP.java    | 27 ++++----
 .../etc/apache2/sites-available/default-ssl     |  1 +
 .../debian/config/etc/apache2/vhostexample.conf |  1 +
 systemvm/scripts/config_ssl.sh                  |  6 ++
 test/pom.xml                                    |  2 +-
 utils/src/com/cloud/utils/nio/Link.java         |  5 +-
 utils/src/com/cloud/utils/nio/NioClient.java    |  3 +
 .../src/com/cloud/utils/nio/NioConnection.java  |  3 +
 .../cloudstack/utils/security/SSLUtils.java     | 51 +++++++++++++++
 .../ssl/EasySSLProtocolSocketFactory.java       | 65 +++++++-------------
 .../hypervisor/vmware/util/VmwareClient.java    |  4 +-
 .../hypervisor/vmware/util/VmwareContext.java   |  3 +-
 22 files changed, 143 insertions(+), 78 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/client/tomcatconf/server-nonssl.xml.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/server-nonssl.xml.in b/client/tomcatconf/server-nonssl.xml.in
index 847197c..e0debe4 100755
--- a/client/tomcatconf/server-nonssl.xml.in
+++ b/client/tomcatconf/server-nonssl.xml.in
@@ -82,7 +82,7 @@
     <!--
     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                maxThreads="150" scheme="https" secure="true"
-               clientAuth="false" sslProtocol="TLS" 
+               clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1"
                keystoreType="PKCS12"
 	       keystoreFile="conf\cloud-localhost.pk12" 
 	       keystorePass="password"

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/client/tomcatconf/server-ssl.xml.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/server-ssl.xml.in b/client/tomcatconf/server-ssl.xml.in
index 37bc53d..2e61251 100755
--- a/client/tomcatconf/server-ssl.xml.in
+++ b/client/tomcatconf/server-ssl.xml.in
@@ -82,7 +82,7 @@
     <!--
     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                maxThreads="150" scheme="https" secure="true"
-               clientAuth="false" sslProtocol="TLS" 
+               clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1"
                keystoreType="PKCS12"
 	       keystoreFile="conf\cloud-localhost.pk12" 
 	       keystorePass="password"

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java
----------------------------------------------------------------------
diff --git a/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java
b/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java
index 2fd1caf..3e970ca 100755
--- a/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java
+++ b/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java
@@ -51,6 +51,8 @@ import org.apache.cloudstack.managed.context.ManagedContextTimerTask;
 import org.apache.cloudstack.utils.identity.ManagementServerNode;
 import org.apache.log4j.Logger;
 
+import org.apache.cloudstack.utils.security.SSLUtils;
+
 import com.cloud.agent.AgentManager;
 import com.cloud.agent.api.Answer;
 import com.cloud.agent.api.CancelCommand;
@@ -499,6 +501,7 @@ public class ClusteredAgentManagerImpl extends AgentManagerImpl implements
Clust
                         SSLContext sslContext = Link.initSSLContext(true);
                         sslEngine = sslContext.createSSLEngine(ip, Port.value());
                         sslEngine.setUseClientMode(true);
+                        sslEngine.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslEngine.getEnabledProtocols()));
 
                         Link.doHandshake(ch, sslEngine, true);
                         s_logger.info("SSL: Handshake done");

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
----------------------------------------------------------------------
diff --git a/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
b/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
index 30b4475..8e24c03 100644
--- a/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
+++ b/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
@@ -47,6 +47,7 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus {
     private static Integer port;
     private static String username;
     private static String password;
+    private static String secureProtocol = "TLSv1.2";
 
     public static void setVirtualHost(String virtualHost) {
         RabbitMQEventBus.virtualHost = virtualHost;
@@ -141,6 +142,10 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus
{
         this.port = port;
     }
 
+    public void setSecureProtocol(String protocol) {
+        RabbitMQEventBus.secureProtocol = protocol;
+    }
+
     public void setName(String name) {
         this.name = name;
     }
@@ -369,7 +374,7 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus
{
             }
 
             if (useSsl != null && !useSsl.isEmpty() && useSsl.equalsIgnoreCase("true"))
{
-                factory.useSslProtocol();
+                factory.useSslProtocol(this.secureProtocol);
             }
             Connection connection = factory.newConnection();
             connection.addShutdownListener(disconnectHandler);
@@ -605,4 +610,4 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus
{
             return;
         }
     }
-}
\ No newline at end of file
+}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/XenServerConnectionPool.java
----------------------------------------------------------------------
diff --git a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/XenServerConnectionPool.java
b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/XenServerConnectionPool.java
index b73bf59..bbcc1a4 100644
--- a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/XenServerConnectionPool.java
+++ b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/XenServerConnectionPool.java
@@ -38,6 +38,9 @@ import org.apache.xmlrpc.client.XmlRpcClientException;
 import com.cloud.utils.NumbersUtil;
 import com.cloud.utils.PropertiesUtil;
 import com.cloud.utils.exception.CloudRuntimeException;
+
+import org.apache.cloudstack.utils.security.SSLUtils;
+
 import com.xensource.xenapi.APIVersion;
 import com.xensource.xenapi.Connection;
 import com.xensource.xenapi.Host;
@@ -79,7 +82,7 @@ public class XenServerConnectionPool {
             javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];

             javax.net.ssl.TrustManager tm = new TrustAllManager(); 
             trustAllCerts[0] = tm; 
-            javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("TLS"); 
+            javax.net.ssl.SSLContext sc = SSLUtils.getSSLContext();
             sc.init(null, trustAllCerts, null); 
             javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
             HostnameVerifier hv = new HostnameVerifier() {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java
b/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java
index 7dfec92..37ed125 100644
--- a/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java
+++ b/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java
@@ -24,6 +24,9 @@ import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
+
+import org.apache.cloudstack.utils.security.SSLUtils;
+
 import org.apache.http.client.HttpClient;
 import org.apache.http.conn.ClientConnectionManager;
 import org.apache.http.conn.scheme.Scheme;
@@ -38,7 +41,7 @@ public class HttpClientWrapper {
  
     public static HttpClient wrapClient(HttpClient base) {
         try {
-            SSLContext ctx = SSLContext.getInstance("TLS");
+            SSLContext ctx = SSLUtils.getSSLContext();
             X509TrustManager tm = new X509TrustManager() {
  
                 public void checkClientTrusted(X509Certificate[] xcs, String string) throws
CertificateException {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java
----------------------------------------------------------------------
diff --git a/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java
b/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java
index 2d528ef..995973f 100644
--- a/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java
+++ b/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java
@@ -47,6 +47,8 @@ import org.apache.http.impl.client.DefaultHttpClient;
 import org.apache.http.impl.conn.BasicClientConnectionManager;
 
 import com.cloud.utils.exception.CloudRuntimeException;
+import org.apache.cloudstack.utils.security.SSLUtils;
+
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
 
@@ -1011,7 +1013,7 @@ public class SolidFireUtil
 
     private static DefaultHttpClient getHttpClient(int iPort) {
         try {
-            SSLContext sslContext = SSLContext.getInstance("SSL");
+            SSLContext sslContext = SSLUtils.getSSLContext();
             X509TrustManager tm = new X509TrustManager() {
                 public void checkClientTrusted(X509Certificate[] xcs, String string) throws
CertificateException {
                 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 5746c59..1468ad7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -58,8 +58,9 @@
     <cs.gson.version>1.7.2</cs.gson.version>
     <cs.guava.version>14.0-rc1</cs.guava.version>
     <cs.xapi.version>5.6.100-1</cs.xapi.version>
-    <cs.httpclient.version>3.1</cs.httpclient.version>
-    <cs.httpcore.version>4.2.1</cs.httpcore.version>
+    <cs.httpclient.version>4.3.6</cs.httpclient.version>
+    <cs.httpcore.version>4.3.3</cs.httpcore.version>
+    <cs.commons-httpclient.version>3.1</cs.commons-httpclient.version>
     <cs.mysql.version>5.1.21</cs.mysql.version>
     <cs.xstream.version>1.3.1</cs.xstream.version>
     <cs.xmlrpc.version>3.1.3</cs.xmlrpc.version>
@@ -318,7 +319,7 @@
       <dependency>
         <groupId>org.apache.httpcomponents</groupId>
         <artifactId>httpclient</artifactId>
-        <version>${cs.httpcore.version}</version>
+        <version>${cs.httpclient.version}</version>
       </dependency>
       <dependency>
         <groupId>com.thoughtworks.xstream</groupId>

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
----------------------------------------------------------------------
diff --git a/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
b/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
index 07b3dc9..9d8a458 100755
--- a/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
+++ b/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
@@ -140,7 +140,7 @@ public class SocketWrapperImpl extends PipelineImpl implements SocketWrapper
{
 
             SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
             sslSocket = (SSLSocket)sslSocketFactory.createSocket(socket, address.getHostName(),
address.getPort(), true);
-
+            sslSocket.setEnabledProtocols(new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"});
             sslSocket.startHandshake();
 
             InputStream sis = sslSocket.getInputStream();

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
----------------------------------------------------------------------
diff --git a/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
b/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
index ee0ee13..e58e6fb 100644
--- a/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
+++ b/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
@@ -21,6 +21,7 @@ import java.io.FileInputStream;
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.security.KeyStore;
+import org.apache.cloudstack.utils.security.SSLUtils;
 
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
@@ -68,7 +69,7 @@ public class ConsoleProxySecureServerFactoryImpl implements ConsoleProxyServerFa
                 tmf.init(ks);
                 s_logger.info("Trust manager factory is initialized");
 
-                sslContext = SSLContext.getInstance("TLS");
+                sslContext = SSLUtils.getSSLContext();
                 sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
                 s_logger.info("SSL context is initialized");
             } catch (Exception ioe) {
@@ -90,8 +91,8 @@ public class ConsoleProxySecureServerFactoryImpl implements ConsoleProxyServerFa
                 TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
                 tmf.init(ks);
                 s_logger.info("Trust manager factory is initialized");
-        
-                sslContext = SSLContext.getInstance("TLS");
+
+                sslContext = SSLUtils.getSSLContext();
                 sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
                 s_logger.info("SSL context is initialized");
             } catch(Exception e) {
@@ -133,8 +134,10 @@ public class ConsoleProxySecureServerFactoryImpl implements ConsoleProxyServerFa
         try {
             SSLServerSocket srvSock = null;
             SSLServerSocketFactory ssf = sslContext.getServerSocketFactory();
+
             srvSock = (SSLServerSocket) ssf.createServerSocket(port);
-            
+            srvSock.setEnabledProtocols(SSLUtils.getSupportedProtocols(srvSock.getEnabledProtocols()));
+
             s_logger.info("create SSL server socket on port: " + port);
             return srvSock;
         } catch (Exception ioe) {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java
----------------------------------------------------------------------
diff --git a/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java b/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java
index c77b551..532d599 100644
--- a/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java
+++ b/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java
@@ -16,6 +16,8 @@
 // under the License.
 package com.cloud.consoleproxy.util;
 
+import org.apache.cloudstack.utils.security.SSLUtils;
+
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -136,8 +138,16 @@ public final class RawHTTP {
 
     private Socket _getSocket() throws IOException {
         if (useSSL) {
-            SSLContext context = getClientSSLContext();
-            if(context == null)
+            SSLContext context = null;
+            try {
+                context = SSLUtils.getSSLContext("SunJSSE");
+            } catch (NoSuchAlgorithmException e) {
+                s_logger.error("Unexpected exception ", e);
+            } catch (NoSuchProviderException e) {
+                s_logger.error("Unexpected exception ", e);
+            }
+
+            if (context == null)
                 throw new IOException("Unable to setup SSL context");
             
             SSLSocket ssl = null;
@@ -145,6 +155,7 @@ public final class RawHTTP {
                 context.init(null, trustAllCerts, new SecureRandom());
                 SocketFactory factory = context.getSocketFactory();
                 ssl = (SSLSocket) factory.createSocket(host, port);
+                ssl.setEnabledProtocols(SSLUtils.getSupportedProtocols(ssl.getEnabledProtocols()));
                 /* ssl.setSSLParameters(context.getDefaultSSLParameters()); */
             } catch (IOException e) {
                 s_logger.error("IOException: " + e.getMessage(), e);
@@ -234,16 +245,4 @@ public final class RawHTTP {
             }
         }
     }
-    
-    private SSLContext getClientSSLContext() {
-        SSLContext sslContext = null;
-        try {
-            sslContext = SSLContext.getInstance("SSL", "SunJSSE");
-        } catch (NoSuchAlgorithmException e) {
-            s_logger.error("Unexpected exception ", e);
-        } catch (NoSuchProviderException e) {
-            s_logger.error("Unexpected exception ", e);
-        }
-        return sslContext;
-    }
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl b/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl
index 0eea44d..6699f14 100644
--- a/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl
+++ b/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl
@@ -42,6 +42,7 @@
 	#   SSL Engine Switch:
 	#   Enable/Disable SSL for this virtual host.
 	SSLEngine on
+	SSLProtocol all -SSLv2 -SSLv3
 
 	#   A self-signed (snakeoil) certificate can be created by installing
 	#   the ssl-cert package. See

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/systemvm/patches/debian/config/etc/apache2/vhostexample.conf
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/apache2/vhostexample.conf b/systemvm/patches/debian/config/etc/apache2/vhostexample.conf
index c1bf8ea..70cb7dc 100644
--- a/systemvm/patches/debian/config/etc/apache2/vhostexample.conf
+++ b/systemvm/patches/debian/config/etc/apache2/vhostexample.conf
@@ -86,6 +86,7 @@
 	#   SSL Engine Switch:
 	#   Enable/Disable SSL for this virtual host.
 	SSLEngine on
+	SSLProtocol all -SSLv2 -SSLv3
 
 	#   A self-signed (snakeoil) certificate can be created by installing
 	#   the ssl-cert package. See

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/systemvm/scripts/config_ssl.sh
----------------------------------------------------------------------
diff --git a/systemvm/scripts/config_ssl.sh b/systemvm/scripts/config_ssl.sh
index e474787..5e00a45 100755
--- a/systemvm/scripts/config_ssl.sh
+++ b/systemvm/scripts/config_ssl.sh
@@ -36,6 +36,7 @@ config_httpd_conf() {
   echo "  DocumentRoot /var/www/html/" >> /etc/httpd/conf/httpd.conf
   echo "  ServerName $srvr" >> /etc/httpd/conf/httpd.conf
   echo "  SSLEngine on" >>  /etc/httpd/conf/httpd.conf
+  echo "  SSLProtocol all -SSLv2 -SSLv3" >>  /etc/httpd/conf/httpd.conf
   echo "  SSLCertificateFile /etc/httpd/ssl/certs/realhostip.crt" >>  /etc/httpd/conf/httpd.conf
   echo "  SSLCertificateKeyFile /etc/httpd/ssl/keys/realhostip.key" >> /etc/httpd/conf/httpd.conf
   echo "</VirtualHost>" >> /etc/httpd/conf/httpd.conf
@@ -53,6 +54,11 @@ config_apache2_conf() {
   sed -i -e "s/NameVirtualHost .*:80/NameVirtualHost $ip:80/g" /etc/apache2/ports.conf
   sed -i  's/ssl-cert-snakeoil.key/cert_apache.key/' /etc/apache2/sites-available/default-ssl
   sed -i  's/ssl-cert-snakeoil.pem/cert_apache.crt/' /etc/apache2/sites-available/default-ssl
+  sed -i  's/SSLProtocol.*$/SSLProtocol all -SSLv2 -SSLv3/' /etc/apache2/sites-available/default-ssl
+  if [ -f /etc/ssl/certs/cert_apache_chain.crt ]
+  then
+    sed -i -e "s/#SSLCertificateChainFile.*/SSLCertificateChainFile \/etc\/ssl\/certs\/cert_apache_chain.crt/"
/etc/apache2/sites-available/default-ssl
+  fi
 }
 
 copy_certs() {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/test/pom.xml
----------------------------------------------------------------------
diff --git a/test/pom.xml b/test/pom.xml
index 9058722..58b1e78 100644
--- a/test/pom.xml
+++ b/test/pom.xml
@@ -67,7 +67,7 @@
         <dependency>
             <groupId>commons-httpclient</groupId>
             <artifactId>commons-httpclient</artifactId>
-            <version>${cs.httpclient.version}</version>
+            <version>${cs.commons-httpclient.version}</version>
         </dependency>
     </dependencies>
     <build>

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/utils/src/com/cloud/utils/nio/Link.java
----------------------------------------------------------------------
diff --git a/utils/src/com/cloud/utils/nio/Link.java b/utils/src/com/cloud/utils/nio/Link.java
index 374b380..67d88c6 100755
--- a/utils/src/com/cloud/utils/nio/Link.java
+++ b/utils/src/com/cloud/utils/nio/Link.java
@@ -40,6 +40,7 @@ import javax.net.ssl.SSLSession;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 
+import org.apache.cloudstack.utils.security.SSLUtils;
 import org.apache.log4j.Logger;
 
 import com.cloud.utils.PropertiesUtil;
@@ -433,7 +434,7 @@ public class Link {
             tms[0] = new TrustAllManager();
         }
 
-        sslContext = SSLContext.getInstance("TLS");
+        sslContext = SSLUtils.getSSLContext();
         sslContext.init(kmf.getKeyManagers(), tms, null);
         if (s_logger.isTraceEnabled()) {
             s_logger.trace("SSL: SSLcontext has been initialized");
@@ -460,7 +461,7 @@ public class Link {
         ByteBuffer out_appBuf =
                 ByteBuffer.allocate(sslSession.getApplicationBufferSize() + 40);
         int count;
-        ch.socket().setSoTimeout(10 * 1000);
+        ch.socket().setSoTimeout(30 * 1000);
         InputStream inStream = ch.socket().getInputStream();
         // Use readCh to make sure the timeout on reading is working
         ReadableByteChannel readCh = Channels.newChannel(inStream);

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/utils/src/com/cloud/utils/nio/NioClient.java
----------------------------------------------------------------------
diff --git a/utils/src/com/cloud/utils/nio/NioClient.java b/utils/src/com/cloud/utils/nio/NioClient.java
index 8d12f93..679e9fe 100755
--- a/utils/src/com/cloud/utils/nio/NioClient.java
+++ b/utils/src/com/cloud/utils/nio/NioClient.java
@@ -27,6 +27,8 @@ import javax.net.ssl.SSLEngine;
 
 import org.apache.log4j.Logger;
 
+import org.apache.cloudstack.utils.security.SSLUtils;
+
 public class NioClient extends NioConnection {
     private static final Logger s_logger = Logger.getLogger(NioClient.class);
     
@@ -75,6 +77,7 @@ public class NioClient extends NioConnection {
         	SSLContext sslContext = Link.initSSLContext(true);
         	sslEngine = sslContext.createSSLEngine(_host, _port);
         	sslEngine.setUseClientMode(true);
+        	sslEngine.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslEngine.getEnabledProtocols()));
 
         	Link.doHandshake(sch, sslEngine, true);
         	s_logger.info("SSL: Handshake done");

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/utils/src/com/cloud/utils/nio/NioConnection.java
----------------------------------------------------------------------
diff --git a/utils/src/com/cloud/utils/nio/NioConnection.java b/utils/src/com/cloud/utils/nio/NioConnection.java
index 07c2bea..224609a 100755
--- a/utils/src/com/cloud/utils/nio/NioConnection.java
+++ b/utils/src/com/cloud/utils/nio/NioConnection.java
@@ -38,6 +38,8 @@ import java.util.concurrent.TimeUnit;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 
+import org.apache.cloudstack.utils.security.SSLUtils;
+
 import org.apache.log4j.Logger;
 
 import com.cloud.utils.concurrency.NamedThreadFactory;
@@ -193,6 +195,7 @@ public abstract class NioConnection implements Runnable {
             sslEngine = sslContext.createSSLEngine();
             sslEngine.setUseClientMode(false);
             sslEngine.setNeedClientAuth(false);
+            sslEngine.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslEngine.getEnabledProtocols()));
 
             Link.doHandshake(socketChannel, sslEngine, false);
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java
----------------------------------------------------------------------
diff --git a/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java b/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java
new file mode 100644
index 0000000..7f9ee77
--- /dev/null
+++ b/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java
@@ -0,0 +1,51 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package org.apache.cloudstack.utils.security;
+
+import org.apache.log4j.Logger;
+
+import javax.net.ssl.SSLContext;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.util.HashSet;
+import java.util.Set;
+
+public class SSLUtils {
+    public static final Logger s_logger = Logger.getLogger(SSLUtils.class);
+
+    public static String[] getSupportedProtocols(String[] protocols) {
+        Set set = new HashSet();
+        for (String s : protocols) {
+            if (s.equals("SSLv3") || s.equals("SSLv2Hello")) {
+                continue;
+            }
+            set.add(s);
+        }
+        return (String[]) set.toArray(new String[set.size()]);
+    }
+
+    public static SSLContext getSSLContext() throws NoSuchAlgorithmException {
+        return SSLContext.getInstance("TLSv1.2");
+    }
+
+    public static SSLContext getSSLContext(String provider) throws NoSuchAlgorithmException,
NoSuchProviderException {
+        return SSLContext.getInstance("TLSv1.2", provider);
+    }
+}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java
----------------------------------------------------------------------
diff --git a/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java
b/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java
index 52f0ea6..76ea8da 100644
--- a/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java
+++ b/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java
@@ -39,8 +39,11 @@ import java.net.UnknownHostException;
 
 import javax.net.SocketFactory;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
 import javax.net.ssl.TrustManager;
 
+import org.apache.cloudstack.utils.security.SSLUtils;
+
 import org.apache.commons.httpclient.ConnectTimeoutException;
 import org.apache.commons.httpclient.HttpClientError;
 import org.apache.commons.httpclient.params.HttpConnectionParams;
@@ -111,7 +114,7 @@ public class EasySSLProtocolSocketFactory implements SecureProtocolSocketFactory
 
     private static SSLContext createEasySSLContext() {
         try {
-            SSLContext context = SSLContext.getInstance("SSL");
+            SSLContext context = SSLUtils.getSSLContext();
             context.init(
               null, 
               new TrustManager[] {new EasyX509TrustManager(null)}, 
@@ -130,22 +133,11 @@ public class EasySSLProtocolSocketFactory implements SecureProtocolSocketFactory
         return this.sslcontext;
     }
 
-    /**
-     * @see SecureProtocolSocketFactory#createSocket(java.lang.String,int,java.net.InetAddress,int)
-     */
-    public Socket createSocket(
-        String host,
-        int port,
-        InetAddress clientHost,
-        int clientPort)
-        throws IOException, UnknownHostException {
-
-        return getSSLContext().getSocketFactory().createSocket(
-            host,
-            port,
-            clientHost,
-            clientPort
-        );
+    @Override
+    public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort)
throws IOException, UnknownHostException {
+        SSLSocket socket = (SSLSocket) getSSLContext().getSocketFactory().createSocket(host,
port, clientHost, clientPort);
+        socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols()));
+        return socket;
     }
 
     /**
@@ -159,8 +151,8 @@ public class EasySSLProtocolSocketFactory implements SecureProtocolSocketFactory
      *  
      * @param host the host name/IP
      * @param port the port on the host
-     * @param clientHost the local host name/IP to bind the socket to
-     * @param clientPort the port on the local machine
+     * @param localAddress the local host name/IP to bind the socket to
+     * @param localPort the port on the local machine
      * @param params {@link HttpConnectionParams Http connection parameters}
      * 
      * @return Socket a new socket
@@ -184,7 +176,8 @@ public class EasySSLProtocolSocketFactory implements SecureProtocolSocketFactory
         if (timeout == 0) {
             return socketfactory.createSocket(host, port, localAddress, localPort);
         } else {
-            Socket socket = socketfactory.createSocket();
+            SSLSocket socket = (SSLSocket)  socketfactory.createSocket();
+            socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols()));
             SocketAddress localaddr = new InetSocketAddress(localAddress, localPort);
             SocketAddress remoteaddr = new InetSocketAddress(host, port);
             socket.bind(localaddr);
@@ -193,32 +186,16 @@ public class EasySSLProtocolSocketFactory implements SecureProtocolSocketFactory
         }
     }
 
-    /**
-     * @see SecureProtocolSocketFactory#createSocket(java.lang.String,int)
-     */
-    public Socket createSocket(String host, int port)
-        throws IOException, UnknownHostException {
-        return getSSLContext().getSocketFactory().createSocket(
-            host,
-            port
-        );
+    public Socket createSocket(String host, int port) throws IOException, UnknownHostException
{
+        SSLSocket socket = (SSLSocket) getSSLContext().getSocketFactory().createSocket(host,
port);
+        socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols()));
+        return socket;
     }
 
-    /**
-     * @see SecureProtocolSocketFactory#createSocket(java.net.Socket,java.lang.String,int,boolean)
-     */
-    public Socket createSocket(
-        Socket socket,
-        String host,
-        int port,
-        boolean autoClose)
-        throws IOException, UnknownHostException {
-        return getSSLContext().getSocketFactory().createSocket(
-            socket,
-            host,
-            port,
-            autoClose
-        );
+    public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws
IOException, UnknownHostException {
+        SSLSocket s= (SSLSocket) getSSLContext().getSocketFactory().createSocket(socket,
host, port, autoClose);
+        s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols()));
+        return s;
     }
 
     public boolean equals(Object obj) {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java
----------------------------------------------------------------------
diff --git a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java
index f196697..49512c0 100644
--- a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java
+++ b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java
@@ -32,6 +32,8 @@ import javax.xml.ws.WebServiceException;
 
 import org.apache.log4j.Logger;
 
+import org.apache.cloudstack.utils.security.SSLUtils;
+
 import com.vmware.vim25.DynamicProperty;
 import com.vmware.vim25.InvalidCollectorVersionFaultMsg;
 import com.vmware.vim25.InvalidPropertyFaultMsg;
@@ -103,7 +105,7 @@ public class VmwareClient {
         javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
         javax.net.ssl.TrustManager tm = new TrustAllTrustManager();
         trustAllCerts[0] = tm;
-        javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("SSL");
+        javax.net.ssl.SSLContext sc = SSLUtils.getSSLContext();
         javax.net.ssl.SSLSessionContext sslsc = sc.getServerSessionContext();
         sslsc.setSessionTimeout(0);
         sc.init(null, trustAllCerts, null);

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/53c0ab85/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java
----------------------------------------------------------------------
diff --git a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java
index eefb7cb..3182acc 100755
--- a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java
+++ b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java
@@ -40,6 +40,7 @@ import javax.net.ssl.SSLSession;
 import javax.xml.ws.soap.SOAPFaultException;
 
 import org.apache.log4j.Logger;
+import org.apache.cloudstack.utils.security.SSLUtils;
 
 import com.cloud.hypervisor.vmware.mo.DatacenterMO;
 import com.cloud.hypervisor.vmware.mo.DatastoreFile;
@@ -77,7 +78,7 @@ public class VmwareContext {
 			javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
 			javax.net.ssl.TrustManager tm = new TrustAllManager();
 			trustAllCerts[0] = tm;
-			javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("SSL");
+            javax.net.ssl.SSLContext sc = SSLUtils.getSSLContext();
 			sc.init(null, trustAllCerts, null);
 			javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
 


Mime
View raw message