From ashaki...@apache.org
Subject [1/2] git commit: [CXF-5652]: added fallback configuration of chiper suites using JVM option
Date Tue, 22 Jul 2014 20:18:58 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 3e585af93 -> 27987cc37


[CXF-5652]: added fallback configuration of cipher suites using JVM option


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/3cfddbac
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/3cfddbac
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/3cfddbac

Branch: refs/heads/master
Commit: 3cfddbac308cdbac8517874c454fd1b294186001
Parents: a46e5d4
Author: Andrei Shakirin <andrei.shakirin@gmail.com>
Authored: Tue Jul 22 22:18:09 2014 +0200
Committer: Andrei Shakirin <andrei.shakirin@gmail.com>
Committed: Tue Jul 22 22:18:09 2014 +0200

----------------------------------------------------------------------
 .../apache/cxf/configuration/jsse/SSLUtils.java | 87 +++++++++++---------
 .../cxf/transport/https/Messages.properties     |  1 +
 2 files changed, 49 insertions(+), 39 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/3cfddbac/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
index 07f7485..0663469 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
@@ -61,6 +61,8 @@ public final class SSLUtils {
     private static final String DEFAULT_TRUST_STORE_TYPE = "JKS";
     private static final String DEFAULT_SECURE_SOCKET_PROTOCOL = "TLSv1";
     private static final String CERTIFICATE_FACTORY_TYPE = "X.509";
+
+    private static final String HTTPS_CIPHER_SUITES = "https.cipherSuites";
     
     private static final boolean DEFAULT_REQUIRE_CLIENT_AUTHENTICATION = false;
     private static final boolean DEFAULT_WANT_CLIENT_AUTHENTICATION = true;
@@ -431,53 +433,60 @@ public final class SSLUtils {
         String[] cipherSuites = null;
         if (!(cipherSuitesList == null || cipherSuitesList.isEmpty())) {
             cipherSuites = getCiphersFromList(cipherSuitesList, log, exclude);
-        } else {
-            LogUtils.log(log, Level.FINE, "CIPHERSUITES_NOT_SET");
-            if (filters == null) {
-                LogUtils.log(log, Level.FINE, "CIPHERSUITE_FILTERS_NOT_SET");           
    
+            return cipherSuites;
+        }
+        if (!exclude) {
+            String jvmCipherSuites = System.getProperty(HTTPS_CIPHER_SUITES);
+            if (jvmCipherSuites != null) {
+                LogUtils.log(log, Level.FINE, "CIPHERSUITES_SYSTEM_PROPERTY_SET", jvmCipherSuites);
+                return jvmCipherSuites.split(",");
             }
-            List<String> filteredCipherSuites = new ArrayList<String>();
-            List<String> excludedCipherSuites = new ArrayList<String>();
-            List<Pattern> includes =
-                filters != null
+        }
+        LogUtils.log(log, Level.FINE, "CIPHERSUITES_NOT_SET");
+        if (filters == null) {
+            LogUtils.log(log, Level.FINE, "CIPHERSUITE_FILTERS_NOT_SET");
+        }
+        List<String> filteredCipherSuites = new ArrayList<String>();
+        List<String> excludedCipherSuites = new ArrayList<String>();
+        List<Pattern> includes =
+            filters != null
                 ? compileRegexPatterns(filters.getInclude(), true, log)
                 : compileRegexPatterns(DEFAULT_CIPHERSUITE_FILTERS_INCLUDE, true, log);
-            List<Pattern> excludes =
-                filters != null
+        List<Pattern> excludes =
+            filters != null
                 ? compileRegexPatterns(filters.getExclude(), false, log)
                 : compileRegexPatterns(DEFAULT_CIPHERSUITE_FILTERS_EXCLUDE, true, log);
-            for (int i = 0; i < supportedCipherSuites.length; i++) {
-                if (matchesOneOf(supportedCipherSuites[i], includes)
-                    && !matchesOneOf(supportedCipherSuites[i], excludes)) {
-                    LogUtils.log(log,
-                                 Level.FINE,
-                                 "CIPHERSUITE_INCLUDED",
-                                 supportedCipherSuites[i]);
-                    filteredCipherSuites.add(supportedCipherSuites[i]);
-                } else {
-                    LogUtils.log(log,
-                                 Level.FINE,
-                                 "CIPHERSUITE_EXCLUDED",
-                                 supportedCipherSuites[i]);
-                    excludedCipherSuites.add(supportedCipherSuites[i]);
-                }
-            }
-            LogUtils.log(log,
-                         Level.FINE,
-                         "CIPHERSUITES_FILTERED",
-                         filteredCipherSuites);
-            LogUtils.log(log,
-                         Level.FINE,
-                         "CIPHERSUITES_EXCLUDED",
-                         excludedCipherSuites);
-            if (exclude) {
-                cipherSuites = getCiphersFromList(excludedCipherSuites, log, exclude);
+        for (int i = 0; i < supportedCipherSuites.length; i++) {
+            if (matchesOneOf(supportedCipherSuites[i], includes)
+                && !matchesOneOf(supportedCipherSuites[i], excludes)) {
+                LogUtils.log(log,
+                             Level.FINE,
+                             "CIPHERSUITE_INCLUDED",
+                             supportedCipherSuites[i]);
+                filteredCipherSuites.add(supportedCipherSuites[i]);
             } else {
-                cipherSuites = getCiphersFromList(filteredCipherSuites, log, exclude);
+                LogUtils.log(log,
+                             Level.FINE,
+                             "CIPHERSUITE_EXCLUDED",
+                             supportedCipherSuites[i]);
+                excludedCipherSuites.add(supportedCipherSuites[i]);
             }
-        } 
+        }
+        LogUtils.log(log,
+                     Level.FINE,
+                     "CIPHERSUITES_FILTERED",
+                     filteredCipherSuites);
+        LogUtils.log(log,
+                     Level.FINE,
+                     "CIPHERSUITES_EXCLUDED",
+                     excludedCipherSuites);
+        if (exclude) {
+            cipherSuites = getCiphersFromList(excludedCipherSuites, log, exclude);
+        } else {
+            cipherSuites = getCiphersFromList(filteredCipherSuites, log, exclude);
+        }
         return cipherSuites;
-    }         
+    }
     
     private static List<Pattern> compileRegexPatterns(List<String> regexes,
                                                       boolean include,
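Review bot: The new `https.cipherSuites` branch returns `jvmCipherSuites.split(",")` unchanged, so the list never passes through the include/exclude patterns further down, and it takes precedence over a configured `filters` object whenever `cipherSuitesList` is empty. A JVM-wide property can therefore enable suites that the endpoint's own filters, or the default excludes, would have dropped. If the property is meant only as a fallback, as the commit title says, the branch should also require `filters == null` and carry a comment stating that precedence. The raw split also keeps whitespace around names and turns an empty property into `[""]`, which would presumably be rejected only later, when the array is applied to the socket or engine. The method starts above the hunk, so the callers' use of `exclude` is not visible here.

```java
        if (!exclude && filters == null) {
            // Fallback only: explicitly configured filters win over the JVM-wide property.
            String jvmCipherSuites = System.getProperty(HTTPS_CIPHER_SUITES);
            if (jvmCipherSuites != null) {
                List<String> fromProperty = new ArrayList<String>();
                for (String suite : jvmCipherSuites.split(",")) {
                    String name = suite.trim();
                    if (name.length() > 0) {
                        fromProperty.add(name);
                    }
                }
                if (!fromProperty.isEmpty()) {
                    LogUtils.log(log, Level.FINE, "CIPHERSUITES_SYSTEM_PROPERTY_SET", fromProperty);
                    return fromProperty.toArray(new String[fromProperty.size()]);
                }
            }
        }
        // … unchanged: CIPHERSUITES_NOT_SET logging and filter-based selection …
```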

http://git-wip-us.apache.org/repos/asf/cxf/blob/3cfddbac/rt/transports/http/src/main/java/org/apache/cxf/transport/https/Messages.properties
----------------------------------------------------------------------
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/https/Messages.properties
b/rt/transports/http/src/main/java/org/apache/cxf/transport/https/Messages.properties
index 51da321..ae6af41 100644
--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/https/Messages.properties
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/https/Messages.properties
@@ -57,6 +57,7 @@ WANT_CLIENT_AUTHENTICATION_NOT_SET = Want client authentication has not
been set
 WANT_CLIENT_AUTHENTICATION_SET = Want client authentication is set to {0}.
 KEY_PASSWORD_NOT_SAME_KEYSTORE_PASSWORD = The value specified for the keystore password is
different to the key password. Currently limitations in JSSE requires that they should be
the same. The keystore password value will be used only.
 CIPHERSUITES_SET = The cipher suites have been set to {0}.  
+CIPHERSUITES_SYSTEM_PROPERTY_SET = The cipher suites has been set as a system property to
{0}.  
 CIPHERSUITES_NOT_SET = The cipher suites have not been configured, falling back to cipher
suite filters.
 CIPHERSUITE_FILTERS_NOT_SET = The cipher suite filters have not been configured, falling
back to default filters.
 CIPHERSUITE_FILTER = Ciphersuite filter: 

