From cohei...@apache.org
Subject cxf git commit: [CXF-6407] - Use default JVM cipher suites if no filters are specified
Date Mon, 18 May 2015 16:21:06 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 6daabe0f4 -> 793f0a7d2


[CXF-6407] - Use default JVM cipher suites if no filters are specified


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/793f0a7d
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/793f0a7d
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/793f0a7d

Branch: refs/heads/master
Commit: 793f0a7d2a8eade3238deef212dff5f29e0c5b4d
Parents: 6daabe0
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon May 18 17:20:49 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon May 18 17:21:01 2015 +0100

----------------------------------------------------------------------
 .../apache/cxf/configuration/jsse/SSLUtils.java | 51 ++++++++++++--------
 .../http/asyncclient/AsyncHTTPConduit.java      | 10 ++--
 .../http_jetty/JettyHTTPServerEngine.java       | 26 +++++-----
 .../https/HttpsURLConnectionFactory.java        |  9 ++--
 4 files changed, 58 insertions(+), 38 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/793f0a7d/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
index 1023f31..43f725b 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
@@ -426,31 +426,42 @@ public final class SSLUtils {
         return context.getServerSocketFactory().getSupportedCipherSuites();
     }
         
-    public static String[] getCiphersuites(List<String> cipherSuitesList,
-                                           String[] supportedCipherSuites,
+    public static String[] getCiphersuitesToInclude(List<String> cipherSuitesList,
                                            FiltersType filters,
-                                           Logger log, boolean exclude) {
+                                           String[] defaultCipherSuites,
+                                           String[] supportedCipherSuites,
+                                           Logger log) {
+        // CipherSuites are returned in the following priority:
+        // 1) If we have defined explicit "cipherSuite" configuration
+        // 2) If we have defined ciphersuites via a system property.
+        // 3) The default JVM CipherSuites, if no filters have been defined
+        // 4) Filter the supported cipher suites (*not* the default JVM CipherSuites)
+        if (!(cipherSuitesList == null || cipherSuitesList.isEmpty())) {
+            return getCiphersFromList(cipherSuitesList, log, false);
+        }
         
-        // First check the "include" case only. If we have defined explicit "cipherSuite"
-        // configuration, then just return these. Otherwise see if we have defined ciphersuites
-        // via a system property.
-        if (!exclude) {
-            if (!(cipherSuitesList == null || cipherSuitesList.isEmpty())) {
-                return getCiphersFromList(cipherSuitesList, log, exclude);
-            } else {
-                String[] cipherSuites = getSystemCiphersuites(log);
-                if (cipherSuites != null) {
-                    return cipherSuites;
-                }
-            }
+        String[] cipherSuites = getSystemCiphersuites(log);
+        if (cipherSuites != null) {
+            return cipherSuites;
+        }
+
+        // If we have no explicit cipherSuites (for the include case as above), and no filters,

+        // then just use the defaults
+        if ((defaultCipherSuites != null && defaultCipherSuites.length != 0)
+            && (filters == null || !(filters.isSetInclude() || filters.isSetExclude())))
{
+            LogUtils.log(log, Level.FINE, "CIPHERSUITES_SET", defaultCipherSuites.toString());
         
+            return defaultCipherSuites;
         }
-    
-        // Otherwise check the "include/exclude" cipherSuiteFilter configuration
         
         LogUtils.log(log, Level.FINE, "CIPHERSUITES_NOT_SET");
-        if (filters == null) {
-            LogUtils.log(log, Level.FINE, "CIPHERSUITE_FILTERS_NOT_SET");
-        }
+        
+        return getFilteredCiphersuites(filters, supportedCipherSuites, log, false);
+    }
+    
+    public static String[] getFilteredCiphersuites(FiltersType filters,
+                                           String[] supportedCipherSuites,
+                                           Logger log, boolean exclude) {
+        // We have explicit filters, so use the "include/exclude" cipherSuiteFilter configuration
         List<String> filteredCipherSuites = new ArrayList<String>();
         List<String> excludedCipherSuites = new ArrayList<String>();
         List<Pattern> includes =
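Review bot: The FINE log on the `CIPHERSUITES_SET` line passes `defaultCipherSuites.toString()`, which for a `String[]` prints the array's identity (`[Ljava.lang.String;@...`) rather than the suite names, so the trace meant to show which default suites were enabled shows nothing useful. Use `Arrays.toString(defaultCipherSuites)` instead (java.util.Arrays; whether it is already imported is not visible in the hunk). A Javadoc on `getCiphersuitesToInclude` stating the four-step priority the inline comment lists, and in particular that a system-property list is returned ahead of any configured filter and that `defaultCipherSuites`/`supportedCipherSuites` may be null or empty, would help the three transport callers. `getFilteredCiphersuites` continues past the end of the hunk.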

http://git-wip-us.apache.org/repos/asf/cxf/blob/793f0a7d/rt/transports/http-hc/src/main/java/org/apache/cxf/transport/http/asyncclient/AsyncHTTPConduit.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-hc/src/main/java/org/apache/cxf/transport/http/asyncclient/AsyncHTTPConduit.java
b/rt/transports/http-hc/src/main/java/org/apache/cxf/transport/http/asyncclient/AsyncHTTPConduit.java
index f70dbb8..f86c026 100644
--- a/rt/transports/http-hc/src/main/java/org/apache/cxf/transport/http/asyncclient/AsyncHTTPConduit.java
+++ b/rt/transports/http-hc/src/main/java/org/apache/cxf/transport/http/asyncclient/AsyncHTTPConduit.java
@@ -899,9 +899,13 @@ public class AsyncHTTPConduit extends URLConnectionHTTPConduit {
         if (tlsClientParameters == null) {
             tlsClientParameters = new TLSClientParameters();
         }
-        String[] cipherSuites = SSLUtils.getCiphersuites(tlsClientParameters.getCipherSuites(),
-                                                         SSLUtils.getSupportedCipherSuites(sslcontext),

-                                                         tlsClientParameters.getCipherSuitesFilter(),
LOG, false);
+        
+        String[] cipherSuites = 
+            SSLUtils.getCiphersuitesToInclude(tlsClientParameters.getCipherSuites(), 
+                                              tlsClientParameters.getCipherSuitesFilter(),

+                                              sslcontext.getSocketFactory().getDefaultCipherSuites(),
+                                              SSLUtils.getSupportedCipherSuites(sslcontext),

+                                              LOG);
         sslengine.setEnabledCipherSuites(cipherSuites);
         
         String protocol = tlsClientParameters.getSecureSocketProtocol() != null ? tlsClientParameters
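Review bot: The default suites are obtained with an inline `sslcontext.getSocketFactory().getDefaultCipherSuites()` at the call site, and the same expression is repeated in JettyHTTPServerEngine (via `getServerSocketFactory()`) and HttpsURLConnectionFactory, while the supported list already goes through `SSLUtils.getSupportedCipherSuites(sslcontext)`. A matching helper in SSLUtils, e.g. `public static String[] getDefaultCipherSuites(SSLContext context)` returning `context.getSocketFactory().getDefaultCipherSuites()` (plus a server-side counterpart), would keep the three transports consistent and give one place to document what "default" means for this lookup. The enclosing method starts before the hunk.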

http://git-wip-us.apache.org/repos/asf/cxf/blob/793f0a7d/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
index df0e23a..27d5145 100644
--- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
+++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
@@ -717,20 +717,22 @@ public class JettyHTTPServerEngine implements ServerEngine {
         final String[] supportedCipherSuites = 
             SSLUtils.getServerSupportedCipherSuites(context);
 
-        String[] excludedCipherSuites = 
-            SSLUtils.getCiphersuites(
-                    tlsServerParameters.getCipherSuites(),
-                    supportedCipherSuites,
-                    tlsServerParameters.getCipherSuitesFilter(),
-                    LOG, true);
-        scf.setExcludeCipherSuites(excludedCipherSuites);
+        if (tlsServerParameters.getCipherSuitesFilter() != null
+            && tlsServerParameters.getCipherSuitesFilter().isSetExclude()) {
+            String[] excludedCipherSuites = 
+                SSLUtils.getFilteredCiphersuites(tlsServerParameters.getCipherSuitesFilter(),
+                                                 supportedCipherSuites,
+                                                 LOG, 
+                                                 true);
+            scf.setExcludeCipherSuites(excludedCipherSuites);
+        }
         
         String[] includedCipherSuites = 
-            SSLUtils.getCiphersuites(
-                    tlsServerParameters.getCipherSuites(),
-                    supportedCipherSuites,
-                    tlsServerParameters.getCipherSuitesFilter(),
-                    LOG, false);
+            SSLUtils.getCiphersuitesToInclude(tlsServerParameters.getCipherSuites(), 
+                                              tlsServerParameters.getCipherSuitesFilter(),

+                                              context.getServerSocketFactory().getDefaultCipherSuites(),
+                                              supportedCipherSuites, 
+                                              LOG);
         scf.setIncludeCipherSuites(includedCipherSuites);
         
         return context;
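Review bot: `tlsServerParameters.getCipherSuitesFilter()` is evaluated four times in the new code (the null guard, its `isSetExclude()` call, and both `SSLUtils` calls); a single local before the `if`, `FiltersType filters = tlsServerParameters.getCipherSuitesFilter();` (assuming FiltersType is in scope here), reads more easily and removes any chance of the guard and the later calls seeing different values. Note also that `scf.setExcludeCipherSuites` is now skipped entirely when no exclude filter is configured, so whatever exclusions the `SslContextFactory` carries by default stay in effect alongside the JVM-default include list; a one-line comment on the `if`, such as `// no explicit exclude filter: leave the factory's own exclusions in place`, would record that this is intended. The enclosing method starts before the hunk.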

http://git-wip-us.apache.org/repos/asf/cxf/blob/793f0a7d/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
----------------------------------------------------------------------
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
b/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
index a8c3494..f5d88de 100644
--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
@@ -170,9 +170,12 @@ public class HttpsURLConnectionFactory {
             ctx.init(keyManagers, tlsClientParameters.getTrustManagers(),
                      tlsClientParameters.getSecureRandom());
 
-            // The "false" argument means opposite of exclude.
-            String[] cipherSuites = SSLUtils.getCiphersuites(tlsClientParameters.getCipherSuites(),
SSLUtils
-                .getSupportedCipherSuites(ctx), tlsClientParameters.getCipherSuitesFilter(),
LOG, false);
+            String[] cipherSuites = 
+                SSLUtils.getCiphersuitesToInclude(tlsClientParameters.getCipherSuites(),

+                                                  tlsClientParameters.getCipherSuitesFilter(),

+                                                  ctx.getSocketFactory().getDefaultCipherSuites(),
+                                                  SSLUtils.getSupportedCipherSuites(ctx),

+                                                  LOG);
             // The SSLSocketFactoryWrapper enables certain cipher suites
             // from the policy.
             socketFactory = new SSLSocketFactoryWrapper(ctx.getSocketFactory(), cipherSuites,
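Review bot: `ctx.getSocketFactory()` is called twice in the new code, once for the default suites and once on the following `SSLSocketFactoryWrapper` line for the factory being wrapped; hoisting it into a local such as `SSLSocketFactory factory = ctx.getSocketFactory();` just after `ctx.init(...)` (javax.net.ssl.SSLSocketFactory, if not already imported) makes it explicit that the enabled-suite list and the wrapped factory come from the same object and mirrors how `supportedCipherSuites` is held in a local in JettyHTTPServerEngine. The enclosing method continues past the hunk.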

