Return-Path: X-Original-To: apmail-db-derby-commits-archive@www.apache.org Delivered-To: apmail-db-derby-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 5DF7A1081B for ; Thu, 11 Dec 2014 19:32:36 +0000 (UTC) Received: (qmail 13843 invoked by uid 500); 11 Dec 2014 19:32:36 -0000 Delivered-To: apmail-db-derby-commits-archive@db.apache.org Received: (qmail 13820 invoked by uid 500); 11 Dec 2014 19:32:36 -0000 Mailing-List: contact derby-commits-help@db.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: List-Post: Reply-To: "Derby Development" List-Id: Delivered-To: mailing list derby-commits@db.apache.org Received: (qmail 13810 invoked by uid 99); 11 Dec 2014 19:32:36 -0000 Received: from eris.apache.org (HELO hades.apache.org) (140.211.11.105) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 11 Dec 2014 19:32:36 +0000 Received: from hades.apache.org (localhost [127.0.0.1]) by hades.apache.org (ASF Mail Server at hades.apache.org) with ESMTP id 90929AC0E00; Thu, 11 Dec 2014 19:32:34 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1644731 - in /db/derby/code/branches/10.8/java: client/org/apache/derby/client/net/ drda/org/apache/derby/impl/drda/ Date: Thu, 11 Dec 2014 19:32:34 -0000 To: derby-commits@db.apache.org 
From: mamta@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20141211193235.90929AC0E00@hades.apache.org> Author: mamta Date: Thu Dec 11 19:32:34 2014 New Revision: 1644731 URL: http://svn.apache.org/r1644731 Log: DERBY-6778(SSL tests are failing on 10.8 codeline with IBM jdk 1.4.2 after poodle security backport) In order to work around the IBM jdk 1.4.2 issue, we will bypass the poodle security code introduced by DERBY-6764 for IBM jdk 1.4.2 in only 10.8 codeline(since the failure is only with that jdk). Jdk 1.4 is pretty old and hopefully we do not have anyone using that jdk anymore. Modified: db/derby/code/branches/10.8/java/client/org/apache/derby/client/net/NaiveTrustManager.java db/derby/code/branches/10.8/java/client/org/apache/derby/client/net/OpenSocketAction.java db/derby/code/branches/10.8/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java db/derby/code/branches/10.8/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java Modified: db/derby/code/branches/10.8/java/client/org/apache/derby/client/net/NaiveTrustManager.java URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.8/java/client/org/apache/derby/client/net/NaiveTrustManager.java?rev=1644731&r1=1644730&r2=1644731&view=diff ============================================================================== --- db/derby/code/branches/10.8/java/client/org/apache/derby/client/net/NaiveTrustManager.java (original) +++ db/derby/code/branches/10.8/java/client/org/apache/derby/client/net/NaiveTrustManager.java Thu Dec 11 19:32:34 2014 @@ -30,6 +30,7 @@ import javax.net.ssl.KeyManagerFactory; import java.security.KeyStore; import java.security.cert.X509Certificate; import java.security.cert.CertificateException; +import org.apache.derby.iapi.services.info.JVMInfo; /** 
@@ -67,7 +68,19 @@ public class NaiveTrustManager thisManager = new TrustManager [] {new NaiveTrustManager()}; } - SSLContext ctx = SSLContext.getInstance("TLS"); + SSLContext ctx; + //DERBY-6778(SSL tests are failing on 10.8 codeline with + // IBM jdk 1.4.2 after poodle security backport) + //In order to work around the IBM jdk 1.4.2 issue, do not + // try to disable SSLv3 and SSLV2Hello protocols for this + // specific jdk. + //The SSLv3 and SSLV2Hello protocols can lead to poodle + // security issue and that is why they are getting disabled + // for all the other jdks as per DERBY-6764. + if (JVMInfo.isIBMJVM() && JVMInfo.JDK_ID == JVMInfo.J2SE_142) + ctx = SSLContext.getInstance("SSL"); + else + ctx = SSLContext.getInstance("TLS"); if (ctx.getProvider().getName().equals("SunJSSE") && (System.getProperty("javax.net.ssl.keyStore") != null) && Modified: db/derby/code/branches/10.8/java/client/org/apache/derby/client/net/OpenSocketAction.java URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.8/java/client/org/apache/derby/client/net/OpenSocketAction.java?rev=1644731&r1=1644730&r2=1644731&view=diff ============================================================================== --- db/derby/code/branches/10.8/java/client/org/apache/derby/client/net/OpenSocketAction.java (original) +++ db/derby/code/branches/10.8/java/client/org/apache/derby/client/net/OpenSocketAction.java Thu Dec 11 19:32:34 2014 @@ -25,6 +25,8 @@ import javax.net.SocketFactory; import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.SSLSocket; +import org.apache.derby.iapi.services.info.JVMInfo; + public class OpenSocketAction implements java.security.PrivilegedExceptionAction { private String server_; private int port_; 
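Review bot: The brace-less `if`/`else` that picks the context name, sitting under a nine-line comment, reads more clearly as one guarded assignment: `boolean ibmJdk142 = JVMInfo.isIBMJVM() && JVMInfo.JDK_ID == JVMInfo.J2SE_142;` followed by `SSLContext ctx = SSLContext.getInstance(ibmJdk142 ? "SSL" : "TLS");`, with the comment cut to a one-line pointer to DERBY-6778 and DERBY-6764. The same comment and condition are duplicated verbatim in the drda NaiveTrustManager hunk later in this commit, so both copies need to change together. Because the exemption deliberately leaves SSLv3 and SSLv2Hello in play on that JVM, the condition is worth keeping in exactly one place so it can be removed cleanly once 1.4.2 support is dropped. The enclosing method starts and ends outside the hunk.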
@@ -63,8 +65,25 @@ public class OpenSocketAction implements sf = SocketFactory.getDefault(); break; } - if (clientSSLMode_ == org.apache.derby.jdbc.ClientBaseDataSource.SSL_BASIC || - clientSSLMode_ == org.apache.derby.jdbc.ClientBaseDataSource.SSL_PEER_AUTHENTICATION){ + + //DERBY-6778(SSL tests are failing on 10.8 codeline with + // IBM jdk 1.4.2 after poodle security backport) + //In order to work around the IBM jdk 1.4.2 issue, do not + // try to disable SSLv3 and SSLV2Hello protocols for this + // specific jdk. + //The SSLv3 and SSLV2Hello protocols can lead to poodle + // security issue and that is why they are getting disabled + // for all the other jdks as per DERBY-6764. + boolean SSLclient = false;//are we working with SSL enabled client + if ((clientSSLMode_ == org.apache.derby.jdbc.ClientBaseDataSource.SSL_BASIC || + clientSSLMode_ == org.apache.derby.jdbc.ClientBaseDataSource.SSL_PEER_AUTHENTICATION)) + SSLclient = true; + + boolean ibmJdk142 = false;//are we working with IBM jdk 1.4.2 + if (JVMInfo.isIBMJVM() && JVMInfo.JDK_ID == JVMInfo.J2SE_142) + ibmJdk142 = true; + + if (SSLclient && !ibmJdk142) { //DERBY-6764(analyze impact of poodle security alert on Derby // client - server ssl support) //If SSLv3 and/or SSLv2Hello is one of the enabled protocols, Modified: db/derby/code/branches/10.8/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.8/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java?rev=1644731&r1=1644730&r2=1644731&view=diff ============================================================================== --- db/derby/code/branches/10.8/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java (original) +++ db/derby/code/branches/10.8/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java Thu Dec 11 19:32:34 2014 
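Review bot: `SSLclient` breaks the lowerCamelCase convention the other locals here follow (`ibmJdk142`, `clientSSLMode_`), and both flags are written as `false` plus a conditional `= true` where a direct boolean initialiser is shorter and cannot drift: `boolean sslClient = clientSSLMode_ == org.apache.derby.jdbc.ClientBaseDataSource.SSL_BASIC || clientSSLMode_ == org.apache.derby.jdbc.ClientBaseDataSource.SSL_PEER_AUTHENTICATION;` and `boolean ibmJdk142 = JVMInfo.isIBMJVM() && JVMInfo.JDK_ID == JVMInfo.J2SE_142;`. The doubled parentheses around the SSL_BASIC/SSL_PEER_AUTHENTICATION test are redundant as well. The body of `if (SSLclient && !ibmJdk142)` and the enclosing method continue past the end of the hunk, so the protocol-pruning path this guard protects is not visible here.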
@@ -30,6 +30,8 @@ import javax.net.ssl.KeyManagerFactory; import java.security.KeyStore; import java.security.cert.X509Certificate; import java.security.cert.CertificateException; + +import org.apache.derby.iapi.services.info.JVMInfo; import org.apache.derby.iapi.services.property.PropertyUtil; @@ -68,7 +70,19 @@ public class NaiveTrustManager thisManager = new TrustManager [] {new NaiveTrustManager()}; } - SSLContext ctx = SSLContext.getInstance("TLS"); + SSLContext ctx; + //DERBY-6778(SSL tests are failing on 10.8 codeline with + // IBM jdk 1.4.2 after poodle security backport) + //In order to work around the IBM jdk 1.4.2 issue, do not + // try to disable SSLv3 and SSLV2Hello protocols for this + // specific jdk. + //The SSLv3 and SSLV2Hello protocols can lead to poodle + // security issue and that is why they are getting disabled + // for all the other jdks as per DERBY-6764. + if (JVMInfo.isIBMJVM() && JVMInfo.JDK_ID == JVMInfo.J2SE_142) + ctx = SSLContext.getInstance("SSL"); + else + ctx = SSLContext.getInstance("TLS"); if (ctx.getProvider().getName().equals("SunJSSE") && (PropertyUtil.getSystemProperty("javax.net.ssl.keyStore") != null) && Modified: db/derby/code/branches/10.8/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.8/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java?rev=1644731&r1=1644730&r2=1644731&view=diff ============================================================================== --- db/derby/code/branches/10.8/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java (original) +++ db/derby/code/branches/10.8/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java Thu Dec 11 19:32:34 2014 
@@ -69,6 +69,7 @@ import org.apache.derby.iapi.reference.M import org.apache.derby.iapi.reference.Property; import org.apache.derby.iapi.reference.SQLState; import org.apache.derby.iapi.services.i18n.MessageService; +import org.apache.derby.iapi.services.info.JVMInfo; import org.apache.derby.iapi.services.info.ProductGenusNames; import org.apache.derby.iapi.services.info.ProductVersionHolder; import org.apache.derby.iapi.services.info.Version; @@ -674,6 +675,18 @@ public final class NetworkServerControlI // InetAddresses for NetworkServerControl // admin commands. buildLocalAddressList(hostAddress); + + //DERBY-6778(SSL tests are failing on 10.8 codeline with + // IBM jdk 1.4.2 after poodle security backport) + //In order to work around the IBM jdk 1.4.2 issue, do not + // try to disable SSLv3 and SSLV2Hello protocols for this + // specific jdk. + //The SSLv3 and SSLV2Hello protocols can lead to poodle + // security issue and that is why they are getting disabled + // for all the other jdks as per DERBY-6764. + boolean ibmJdk142 = false;//are we working with IBM jdk 1.4.2 + if (JVMInfo.isIBMJVM() && JVMInfo.JDK_ID == JVMInfo.J2SE_142) + ibmJdk142 = true; // Create the right kind of socket switch (getSSLMode()) { @@ -691,12 +704,14 @@ public final class NetworkServerControlI (SSLServerSocket)ssf.createServerSocket(portNumber, 0, hostAddress); - //DERBY-6764(analyze impact of poodle security alert on - // Derby client - server ssl support) - String[] removeTwoProtocols = + if (!ibmJdk142) { + //DERBY-6764(analyze impact of poodle security + // alert on Derby client - server ssl support) + String[] removeTwoProtocols = removeSSLv3andSSLv2Hello( - sss1.getEnabledProtocols()); - sss1.setEnabledProtocols(removeTwoProtocols); + sss1.getEnabledProtocols()); + sss1.setEnabledProtocols(removeTwoProtocols); + } return sss1; case SSL_PEER_AUTHENTICATION: SSLServerSocketFactory ssf2 = 
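Review bot: In the hunk at new line 675 `ibmJdk142` is computed with the same `JVMInfo.isIBMJVM() && JVMInfo.JDK_ID == JVMInfo.J2SE_142` expression that reappears in the hunk at 2645 and in the two client-side files; a single `private static boolean isIbmJdk142() { return JVMInfo.isIBMJVM() && JVMInfo.JDK_ID == JVMInfo.J2SE_142; }` would give the exemption one home and one place to delete later. The flag is also evaluated before `switch (getSSLMode())`, so it runs even when SSL is off, and the `false` plus `if … = true` form can collapse to `boolean ibmJdk142 = isIbmJdk142();`. Since the guard in the hunk at 704 leaves SSLv3 and SSLv2Hello enabled on the listening socket for the exempted JVM, a one-time message through the server's existing console or log path at startup would let an operator see that the DERBY-6764 mitigation is not in effect on that platform. The enclosing method begins before the 675 hunk and its switch continues past the end of the 704 hunk.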
@@ -705,12 +720,14 @@ public final class NetworkServerControlI (SSLServerSocket)ssf2.createServerSocket(portNumber, 0, hostAddress); - //DERBY-6764(analyze impact of poodle security alert on - // Derby client - server ssl support) - removeTwoProtocols = + if (!ibmJdk142) { + //DERBY-6764(analyze impact of poodle security + // alert on Derby client - server ssl support) + String[] removeTwoProtocols = removeSSLv3andSSLv2Hello( - sss2.getEnabledProtocols()); - sss2.setEnabledProtocols(removeTwoProtocols); + sss2.getEnabledProtocols()); + sss2.setEnabledProtocols(removeTwoProtocols); + } sss2.setNeedClientAuth(true); return sss2; } 
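Review bot: The guarded pruning block for `sss2` is a line-for-line copy of the one for `sss1` in the previous hunk, and the SSLSocket cases at 2645 and 2677 repeat it a third and fourth time, so with the new `if (!ibmJdk142)` wrapper each site now carries seven near-identical lines. A small helper taking the socket would shrink each call site to one guarded line and keep the DERBY-6764 comment in one place; an overload for `SSLSocket` covers the two client-side cases. The redeclaration of `String[] removeTwoProtocols` is legal now that each case has its own braces, but it disappears entirely with the helper. Whether `removeSSLv3andSSLv2Hello` is static is not visible in the hunk, so the helper below is written as an instance method to be safe.
```java
                    if (!ibmJdk142) {
                        disableLegacyProtocols(sss2);
                    }
                    sss2.setNeedClientAuth(true);
                    return sss2;
// … unchanged: remainder of the switch and method …

    // DERBY-6764: drop SSLv3 and SSLv2Hello from an already created server
    // socket. Callers skip this under the IBM jdk 1.4.2 exemption (DERBY-6778).
    private void disableLegacyProtocols(SSLServerSocket sss) {
        sss.setEnabledProtocols(
            removeSSLv3andSSLv2Hello(sss.getEnabledProtocols()));
    }
```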
@@ -2628,17 +2645,31 @@ public final class NetworkServerControlI { if (hostAddress == null) hostAddress = InetAddress.getByName(hostArg); + + //DERBY-6778(SSL tests are failing on 10.8 codeline with + // IBM jdk 1.4.2 after poodle security backport) + //In order to work around the IBM jdk 1.4.2 issue, do not + // try to disable SSLv3 and SSLV2Hello protocols for this + // specific jdk. + //The SSLv3 and SSLV2Hello protocols can lead to poodle + // security issue and that is why they are getting disabled + // for all the other jdks as per DERBY-6764. + boolean ibmJdk142 = false;//are we working with IBM jdk 1.4.2 + if (JVMInfo.isIBMJVM() && JVMInfo.JDK_ID == JVMInfo.J2SE_142) + ibmJdk142 = true; switch(getSSLMode()) { case SSL_BASIC: SSLSocket s1 = (SSLSocket)NaiveTrustManager.getSocketFactory(). createSocket(hostAddress, portNumber); - //DERBY-6764(analyze impact of poodle security alert on - // Derby client - server ssl support) - String[] removeTwoProtocols = - removeSSLv3andSSLv2Hello( - s1.getEnabledProtocols()); - s1.setEnabledProtocols(removeTwoProtocols); + if (!ibmJdk142) { + //DERBY-6764(analyze impact of poodle security alert on + // Derby client - server ssl support) + String[] removeTwoProtocols = + removeSSLv3andSSLv2Hello( + s1.getEnabledProtocols()); + s1.setEnabledProtocols(removeTwoProtocols); + } // Need to handshake now to get proper error reporting. s1.startHandshake(); return s1; 
@@ -2646,12 +2677,14 @@ public final class NetworkServerControlI case SSL_PEER_AUTHENTICATION: SSLSocket s2 = (SSLSocket)SSLSocketFactory.getDefault(). createSocket(hostAddress, portNumber); - //DERBY-6764(analyze impact of poodle security alert on - // Derby client - server ssl support) - removeTwoProtocols = - removeSSLv3andSSLv2Hello( - s2.getEnabledProtocols()); - s2.setEnabledProtocols(removeTwoProtocols); + if (!ibmJdk142) { + //DERBY-6764(analyze impact of poodle security alert on + // Derby client - server ssl support) + String[] removeTwoProtocols = + removeSSLv3andSSLv2Hello( + s2.getEnabledProtocols()); + s2.setEnabledProtocols(removeTwoProtocols); + } // Need to handshake now to get proper error reporting. s2.startHandshake(); return s2;