db-derby-commits mailing list archives

From ma...@apache.org
Subject svn commit: r1644731 - in /db/derby/code/branches/10.8/java: client/org/apache/derby/client/net/ drda/org/apache/derby/impl/drda/
Date Thu, 11 Dec 2014 19:32:34 GMT
Author: mamta
Date: Thu Dec 11 19:32:34 2014
New Revision: 1644731

URL: http://svn.apache.org/r1644731
Log:
DERBY-6778(SSL tests are failing on 10.8 codeline with IBM jdk 1.4.2 after poodle security
backport)

In order to work around the IBM jdk 1.4.2 issue, we will bypass the POODLE security code introduced
by DERBY-6764 when running on IBM jdk 1.4.2, in the 10.8 codeline only (since the failure is only
with that jdk). Jdk 1.4 is pretty old and hopefully we do not have anyone using that jdk anymore.


Modified:
    db/derby/code/branches/10.8/java/client/org/apache/derby/client/net/NaiveTrustManager.java
    db/derby/code/branches/10.8/java/client/org/apache/derby/client/net/OpenSocketAction.java
    db/derby/code/branches/10.8/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java
    db/derby/code/branches/10.8/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java

Modified: db/derby/code/branches/10.8/java/client/org/apache/derby/client/net/NaiveTrustManager.java
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.8/java/client/org/apache/derby/client/net/NaiveTrustManager.java?rev=1644731&r1=1644730&r2=1644731&view=diff
==============================================================================
--- db/derby/code/branches/10.8/java/client/org/apache/derby/client/net/NaiveTrustManager.java
(original)
+++ db/derby/code/branches/10.8/java/client/org/apache/derby/client/net/NaiveTrustManager.java
Thu Dec 11 19:32:34 2014
@@ -30,6 +30,7 @@ import javax.net.ssl.KeyManagerFactory;
 import java.security.KeyStore;
 import java.security.cert.X509Certificate;
 import java.security.cert.CertificateException;
+import org.apache.derby.iapi.services.info.JVMInfo;
 
 
 /**
@@ -67,7 +68,19 @@ public class NaiveTrustManager
             thisManager = new TrustManager [] {new NaiveTrustManager()};
         }
 
-        SSLContext ctx = SSLContext.getInstance("TLS");
+        SSLContext ctx;
+        //DERBY-6778(SSL tests are failing on 10.8 codeline with 
+        // IBM jdk 1.4.2 after poodle security backport)
+        //In order to work around the IBM jdk 1.4.2 issue, do not
+        // try to disable SSLv3 and SSLV2Hello protocols for this 
+        // specific jdk. 
+        //The SSLv3 and SSLV2Hello protocols can lead to poodle 
+        // security issue and that is why they are getting disabled 
+        // for all the other jdks as per DERBY-6764.
+        if (JVMInfo.isIBMJVM() && JVMInfo.JDK_ID == JVMInfo.J2SE_142)
+            ctx = SSLContext.getInstance("SSL");
+        else
+            ctx = SSLContext.getInstance("TLS");
         
         if (ctx.getProvider().getName().equals("SunJSSE") &&
             (System.getProperty("javax.net.ssl.keyStore") != null) &&
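Review bot: The comment added above the new `if` explains why SSLv3 and SSLV2Hello are not disabled, but the code under it does something else: it requests an `"SSL"` context instead of `"TLS"` on IBM JDK 1.4.2, and the reason for that choice is not stated. A line such as `// IBM JDK 1.4.2: request the "SSL" context because <reason from DERBY-6778>; SSLv3 stays enabled on this JVM, so the DERBY-6764 POODLE mitigation is not in effect here.` would tell a maintainer what the branch is for and what it costs. The `if`/`else` would also be safer with braces. The same applies to the matching hunk in drda/org/apache/derby/impl/drda/NaiveTrustManager.java; the enclosing method starts and ends outside both hunks.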

Modified: db/derby/code/branches/10.8/java/client/org/apache/derby/client/net/OpenSocketAction.java
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.8/java/client/org/apache/derby/client/net/OpenSocketAction.java?rev=1644731&r1=1644730&r2=1644731&view=diff
==============================================================================
--- db/derby/code/branches/10.8/java/client/org/apache/derby/client/net/OpenSocketAction.java
(original)
+++ db/derby/code/branches/10.8/java/client/org/apache/derby/client/net/OpenSocketAction.java
Thu Dec 11 19:32:34 2014
@@ -25,6 +25,8 @@ import javax.net.SocketFactory;
 import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.SSLSocket;
 
+import org.apache.derby.iapi.services.info.JVMInfo;
+
 public class OpenSocketAction implements java.security.PrivilegedExceptionAction {
     private String server_;
     private int port_;
@@ -63,8 +65,25 @@ public class OpenSocketAction implements
             sf = SocketFactory.getDefault();
             break;
         }
-        if (clientSSLMode_ == org.apache.derby.jdbc.ClientBaseDataSource.SSL_BASIC ||
-            clientSSLMode_ == org.apache.derby.jdbc.ClientBaseDataSource.SSL_PEER_AUTHENTICATION){
+        
+        //DERBY-6778(SSL tests are failing on 10.8 codeline with 
+        // IBM jdk 1.4.2 after poodle security backport)
+        //In order to work around the IBM jdk 1.4.2 issue, do not
+        // try to disable SSLv3 and SSLV2Hello protocols for this 
+        // specific jdk. 
+        //The SSLv3 and SSLV2Hello protocols can lead to poodle 
+        // security issue and that is why they are getting disabled 
+        // for all the other jdks as per DERBY-6764.
+        boolean SSLclient = false;//are we working with SSL enabled client
+        if ((clientSSLMode_ == org.apache.derby.jdbc.ClientBaseDataSource.SSL_BASIC ||
+                clientSSLMode_ == org.apache.derby.jdbc.ClientBaseDataSource.SSL_PEER_AUTHENTICATION))
+        	SSLclient = true;
+        
+        boolean ibmJdk142 = false;//are we working with IBM jdk 1.4.2
+        if (JVMInfo.isIBMJVM() && JVMInfo.JDK_ID == JVMInfo.J2SE_142)
+        	ibmJdk142 = true;
+
+        if (SSLclient && !ibmJdk142) {
         	//DERBY-6764(analyze impact of poodle security alert on Derby 
         	// client - server ssl support)
         	//If SSLv3 and/or SSLv2Hello is one of the enabled protocols,  
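Review bot: The two flags added ahead of `if (SSLclient && !ibmJdk142)` are each set by an `if` over a `false` default, and `SSLclient` does not follow the lowerCamelCase of `ibmJdk142` beside it. Direct assignment is shorter and harder to get wrong, e.g. `boolean ibmJdk142 = JVMInfo.isIBMJVM() && JVMInfo.JDK_ID == JVMInfo.J2SE_142;`, with `sslClient` assigned the same way from the two `clientSSLMode_` comparisons. The added lines also mix tabs with the file's space indentation. When the guard is false, the client keeps whatever protocol list the JVM enables by default, and the copied comment does not state that consequence for the connection. The guarded block continues past the end of the hunk.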

Modified: db/derby/code/branches/10.8/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.8/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java?rev=1644731&r1=1644730&r2=1644731&view=diff
==============================================================================
--- db/derby/code/branches/10.8/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java
(original)
+++ db/derby/code/branches/10.8/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java
Thu Dec 11 19:32:34 2014
@@ -30,6 +30,8 @@ import javax.net.ssl.KeyManagerFactory;
 import java.security.KeyStore;
 import java.security.cert.X509Certificate;
 import java.security.cert.CertificateException;
+
+import org.apache.derby.iapi.services.info.JVMInfo;
 import org.apache.derby.iapi.services.property.PropertyUtil;
 
 
@@ -68,7 +70,19 @@ public class NaiveTrustManager
             thisManager = new TrustManager [] {new NaiveTrustManager()};
         }
 
-        SSLContext ctx = SSLContext.getInstance("TLS");
+        SSLContext ctx;
+        //DERBY-6778(SSL tests are failing on 10.8 codeline with 
+        // IBM jdk 1.4.2 after poodle security backport)
+        //In order to work around the IBM jdk 1.4.2 issue, do not
+        // try to disable SSLv3 and SSLV2Hello protocols for this 
+        // specific jdk. 
+        //The SSLv3 and SSLV2Hello protocols can lead to poodle 
+        // security issue and that is why they are getting disabled 
+        // for all the other jdks as per DERBY-6764.
+        if (JVMInfo.isIBMJVM() && JVMInfo.JDK_ID == JVMInfo.J2SE_142)
+            ctx = SSLContext.getInstance("SSL");
+        else
+            ctx = SSLContext.getInstance("TLS");
         
         if (ctx.getProvider().getName().equals("SunJSSE") &&
             (PropertyUtil.getSystemProperty("javax.net.ssl.keyStore") != null) &&

Modified: db/derby/code/branches/10.8/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.8/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java?rev=1644731&r1=1644730&r2=1644731&view=diff
==============================================================================
--- db/derby/code/branches/10.8/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java
(original)
+++ db/derby/code/branches/10.8/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java
Thu Dec 11 19:32:34 2014
@@ -69,6 +69,7 @@ import org.apache.derby.iapi.reference.M
 import org.apache.derby.iapi.reference.Property;
 import org.apache.derby.iapi.reference.SQLState;
 import org.apache.derby.iapi.services.i18n.MessageService;
+import org.apache.derby.iapi.services.info.JVMInfo;
 import org.apache.derby.iapi.services.info.ProductGenusNames;
 import org.apache.derby.iapi.services.info.ProductVersionHolder;
 import org.apache.derby.iapi.services.info.Version;
@@ -674,6 +675,18 @@ public final class NetworkServerControlI
 		// InetAddresses for NetworkServerControl
 		// admin commands.
 		buildLocalAddressList(hostAddress);
+        
+		//DERBY-6778(SSL tests are failing on 10.8 codeline with 
+		// IBM jdk 1.4.2 after poodle security backport)
+		//In order to work around the IBM jdk 1.4.2 issue, do not
+		// try to disable SSLv3 and SSLV2Hello protocols for this 
+		// specific jdk. 
+		//The SSLv3 and SSLV2Hello protocols can lead to poodle 
+		// security issue and that is why they are getting disabled 
+		// for all the other jdks as per DERBY-6764.
+		boolean ibmJdk142 = false;//are we working with IBM jdk 1.4.2
+		if (JVMInfo.isIBMJVM() && JVMInfo.JDK_ID == JVMInfo.J2SE_142)
+			ibmJdk142 = true;
 											
 		// Create the right kind of socket
 		switch (getSSLMode()) {
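Review bot: The test `JVMInfo.isIBMJVM() && JVMInfo.JDK_ID == JVMInfo.J2SE_142` computed here is written out again in the later hunk at new line 2645 of this file, in OpenSocketAction, and in both NaiveTrustManager classes, each time under the same block comment. Because this condition decides whether a security mitigation is applied, one definition is safer than five copies that can drift apart. A single `private static final boolean` in this class would cover the two server-side uses; a shared static helper beside `JVMInfo.isIBMJVM()` would cover all five (that helper is a proposal, not an existing method). The explanatory comment would then live once, at the definition. The enclosing method begins and ends outside the hunk.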
@@ -691,12 +704,14 @@ public final class NetworkServerControlI
 					(SSLServerSocket)ssf.createServerSocket(portNumber,
 					0,
 					hostAddress);
-			//DERBY-6764(analyze impact of poodle security alert on 
-			// Derby client - server ssl support)
-			String[] removeTwoProtocols = 
+			if (!ibmJdk142) {
+				//DERBY-6764(analyze impact of poodle security  
+				// alert on Derby client - server ssl support)
+				String[] removeTwoProtocols = 
 					removeSSLv3andSSLv2Hello(
-							sss1.getEnabledProtocols());
-			sss1.setEnabledProtocols(removeTwoProtocols);
+						sss1.getEnabledProtocols());
+				sss1.setEnabledProtocols(removeTwoProtocols);
+			}
 			return sss1;
 		case SSL_PEER_AUTHENTICATION:
 			SSLServerSocketFactory ssf2 =
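Review bot: When `ibmJdk142` is true, the `if (!ibmJdk142)` added here skips `setEnabledProtocols` with no `else` branch, so a server on that JVM keeps the provider's default protocol list for every client that connects. According to the commit's own comment, that is the configuration where SSLv3 and SSLV2Hello stay available, and nothing visible in the hunk records it. Consider writing one line to the server's console or log when the socket is created, saying the DERBY-6764 protocol restriction was not applied on this JVM, so an operator can see the exposure. The same silent skip appears in the SSL_PEER_AUTHENTICATION hunk that follows and in the two client-socket hunks near new line 2645. The `switch` starts and ends outside this hunk.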
@@ -705,12 +720,14 @@ public final class NetworkServerControlI
 				(SSLServerSocket)ssf2.createServerSocket(portNumber,
 														 0,
 														 hostAddress);
-			//DERBY-6764(analyze impact of poodle security alert on 
-			// Derby client - server ssl support)
-			removeTwoProtocols = 
+			if (!ibmJdk142) {
+				//DERBY-6764(analyze impact of poodle security  
+				// alert on Derby client - server ssl support)
+				String[] removeTwoProtocols = 
 					removeSSLv3andSSLv2Hello(
-							sss2.getEnabledProtocols());
-			sss2.setEnabledProtocols(removeTwoProtocols);
+						sss2.getEnabledProtocols());
+				sss2.setEnabledProtocols(removeTwoProtocols);
+			}
 			sss2.setNeedClientAuth(true);
 			return sss2;
 		}
@@ -2628,17 +2645,31 @@ public final class NetworkServerControlI
 									{
 										if (hostAddress == null)
 											hostAddress = InetAddress.getByName(hostArg);
+								        
+										//DERBY-6778(SSL tests are failing on 10.8 codeline with 
+										// IBM jdk 1.4.2 after poodle security backport)
+										//In order to work around the IBM jdk 1.4.2 issue, do not
+										// try to disable SSLv3 and SSLV2Hello protocols for this 
+										// specific jdk. 
+										//The SSLv3 and SSLV2Hello protocols can lead to poodle 
+										// security issue and that is why they are getting disabled 
+										// for all the other jdks as per DERBY-6764.
+										boolean ibmJdk142 = false;//are we working with IBM jdk 1.4.2
+										if (JVMInfo.isIBMJVM() && JVMInfo.JDK_ID == JVMInfo.J2SE_142)
+											ibmJdk142 = true;
                                         
 										switch(getSSLMode()) {
 										case SSL_BASIC:
 											SSLSocket s1 = (SSLSocket)NaiveTrustManager.getSocketFactory().
 												createSocket(hostAddress, portNumber);
-											//DERBY-6764(analyze impact of poodle security alert on 
-											// Derby client - server ssl support)
-											String[] removeTwoProtocols = 
-													removeSSLv3andSSLv2Hello(
-															s1.getEnabledProtocols());
-											s1.setEnabledProtocols(removeTwoProtocols);
+									        if (!ibmJdk142) {
+												//DERBY-6764(analyze impact of poodle security alert on 
+												// Derby client - server ssl support)
+												String[] removeTwoProtocols = 
+														removeSSLv3andSSLv2Hello(
+																s1.getEnabledProtocols());
+												s1.setEnabledProtocols(removeTwoProtocols);
+									        }
 											// Need to handshake now to get proper error reporting.
 											s1.startHandshake();
 											return s1;
@@ -2646,12 +2677,14 @@ public final class NetworkServerControlI
 										case SSL_PEER_AUTHENTICATION:
 											SSLSocket s2 = (SSLSocket)SSLSocketFactory.getDefault().
 												createSocket(hostAddress, portNumber);
-											//DERBY-6764(analyze impact of poodle security alert on 
-											// Derby client - server ssl support)
-											removeTwoProtocols = 
-													removeSSLv3andSSLv2Hello(
-															s2.getEnabledProtocols());
-											s2.setEnabledProtocols(removeTwoProtocols);
+									        if (!ibmJdk142) {
+												//DERBY-6764(analyze impact of poodle security alert on 
+												// Derby client - server ssl support)
+									        	String[] removeTwoProtocols = 
+														removeSSLv3andSSLv2Hello(
+																s2.getEnabledProtocols());
+												s2.setEnabledProtocols(removeTwoProtocols);
+									        }
 											// Need to handshake now to get proper error reporting.
 											s2.startHandshake();
 											return s2;


