From ol...@apache.org
Subject svn commit: r1632978 - in /httpcomponents/httpclient/branches/4.3.x/httpclient/src: main/java/org/apache/http/conn/ssl/ test/java/org/apache/http/conn/ssl/ test/java/org/apache/http/impl/client/integration/ test/java/org/apache/http/localserver/
Date Sun, 19 Oct 2014 19:20:11 GMT
Author: olegk
Date: Sun Oct 19 19:20:10 2014
New Revision: 1632978

URL: http://svn.apache.org/r1632978
Log:
Disable all versions of SSL protocol by default

Modified:
    httpcomponents/httpclient/branches/4.3.x/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java
    httpcomponents/httpclient/branches/4.3.x/httpclient/src/test/java/org/apache/http/conn/ssl/TestSSLSocketFactory.java
    httpcomponents/httpclient/branches/4.3.x/httpclient/src/test/java/org/apache/http/impl/client/integration/TestClientAuthentication.java
    httpcomponents/httpclient/branches/4.3.x/httpclient/src/test/java/org/apache/http/localserver/LocalTestServer.java

Modified: httpcomponents/httpclient/branches/4.3.x/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java
URL: http://svn.apache.org/viewvc/httpcomponents/httpclient/branches/4.3.x/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java?rev=1632978&r1=1632977&r2=1632978&view=diff
==============================================================================
--- httpcomponents/httpclient/branches/4.3.x/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java
(original)
+++ httpcomponents/httpclient/branches/4.3.x/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java
Sun Oct 19 19:20:10 2014
@@ -40,6 +40,8 @@ import javax.net.ssl.SSLSocket;
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.net.Socket;
+import java.util.ArrayList;
+import java.util.List;
 
 /**
  * Layered socket factory for TLS/SSL connections.
@@ -270,6 +272,16 @@ public class SSLConnectionSocketFactory 
                 true);
         if (supportedProtocols != null) {
             sslsock.setEnabledProtocols(supportedProtocols);
+        } else {
+            // If supported protocols are not explicitly set, remove all SSL protocol versions
+            final String[] allProtocols = sslsock.getSupportedProtocols();
+            final List<String> enabledProtocols = new ArrayList<String>(allProtocols.length);
+            for (String protocol: allProtocols) {
+                if (!protocol.startsWith("SSL")) {
+                    enabledProtocols.add(protocol);
+                }
+            }
+            sslsock.setEnabledProtocols(enabledProtocols.toArray(new String[enabledProtocols.size()]));
         }
         if (supportedCipherSuites != null) {
             sslsock.setEnabledCipherSuites(supportedCipherSuites);

Modified: httpcomponents/httpclient/branches/4.3.x/httpclient/src/test/java/org/apache/http/conn/ssl/TestSSLSocketFactory.java
URL: http://svn.apache.org/viewvc/httpcomponents/httpclient/branches/4.3.x/httpclient/src/test/java/org/apache/http/conn/ssl/TestSSLSocketFactory.java?rev=1632978&r1=1632977&r2=1632978&view=diff
==============================================================================
--- httpcomponents/httpclient/branches/4.3.x/httpclient/src/test/java/org/apache/http/conn/ssl/TestSSLSocketFactory.java
(original)
+++ httpcomponents/httpclient/branches/4.3.x/httpclient/src/test/java/org/apache/http/conn/ssl/TestSSLSocketFactory.java
Sun Oct 19 19:20:10 2014
@@ -195,6 +195,60 @@ public class TestSSLSocketFactory extend
     }
 
     @Test
+    public void testTLSOnly() throws Exception {
+        final SSLContext serverSSLContext = SSLContexts.custom()
+                .useProtocol("TLS")
+                .loadTrustMaterial(keystore)
+                .loadKeyMaterial(keystore, "nopassword".toCharArray())
+                .build();
+        final SSLContext clientSSLContext = SSLContexts.custom()
+                .useProtocol("TLS")
+                .loadTrustMaterial(keystore)
+                .build();
+
+        this.localServer = new LocalTestServer(serverSSLContext, false, new String[] {"TLSv1"});
+        this.localServer.registerDefaultHandlers();
+        this.localServer.start();
+
+        final HttpHost host = new HttpHost("localhost", 443, "https");
+        final HttpContext context = new BasicHttpContext();
+        final TestX509HostnameVerifier hostVerifier = new TestX509HostnameVerifier();
+        final SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(clientSSLContext,
hostVerifier);
+        final Socket socket = socketFactory.createSocket(context);
+        final InetSocketAddress remoteAddress = this.localServer.getServiceAddress();
+        final SSLSocket sslSocket = (SSLSocket) socketFactory.connectSocket(0, socket, host,
remoteAddress, null, context);
+        final SSLSession sslsession = sslSocket.getSession();
+
+        Assert.assertNotNull(sslsession);
+        Assert.assertTrue(hostVerifier.isFired());
+    }
+
+    @Test(expected=IOException.class)
+    public void testSSLDisabledByDefault() throws Exception {
+        final SSLContext serverSSLContext = SSLContexts.custom()
+                .useProtocol("TLS")
+                .loadTrustMaterial(keystore)
+                .loadKeyMaterial(keystore, "nopassword".toCharArray())
+                .build();
+        final SSLContext clientSSLContext = SSLContexts.custom()
+                .useProtocol("TLS")
+                .loadTrustMaterial(keystore)
+                .build();
+
+        this.localServer = new LocalTestServer(serverSSLContext, false, new String[] {"SSLv3"});
+        this.localServer.registerDefaultHandlers();
+        this.localServer.start();
+
+        final HttpHost host = new HttpHost("localhost", 443, "https");
+        final HttpContext context = new BasicHttpContext();
+        final TestX509HostnameVerifier hostVerifier = new TestX509HostnameVerifier();
+        final SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(clientSSLContext,
hostVerifier);
+        final Socket socket = socketFactory.createSocket(context);
+        final InetSocketAddress remoteAddress = this.localServer.getServiceAddress();
+        socketFactory.connectSocket(0, socket, host, remoteAddress, null, context);
+    }
+
+    @Test
     public void testClientAuthSSLAliasChoice() throws Exception {
         final PrivateKeyStrategy aliasStrategy = new PrivateKeyStrategy() {
 
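Review bot: `@Test(expected=IOException.class)` on testSSLDisabledByDefault accepts any I/O failure, so a connection refused or reset from an unrelated cause would also pass, and the test would not show that the SSLv3-only server was rejected because of the client's default protocol set. Narrowing to `@Test(expected=SSLException.class)` (JSSE handshake failures extend it, and it is still an IOException) or catching and asserting on the exception keeps the test meaningful; confirm on the JDK in use, since a peer that simply closes the connection may surface differently. Neither new test closes `socket`/`sslSocket`; unless the class's teardown does so, a try/finally around connectSocket would avoid leaking the client socket across tests.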

Modified: httpcomponents/httpclient/branches/4.3.x/httpclient/src/test/java/org/apache/http/impl/client/integration/TestClientAuthentication.java
URL: http://svn.apache.org/viewvc/httpcomponents/httpclient/branches/4.3.x/httpclient/src/test/java/org/apache/http/impl/client/integration/TestClientAuthentication.java?rev=1632978&r1=1632977&r2=1632978&view=diff
==============================================================================
--- httpcomponents/httpclient/branches/4.3.x/httpclient/src/test/java/org/apache/http/impl/client/integration/TestClientAuthentication.java
(original)
+++ httpcomponents/httpclient/branches/4.3.x/httpclient/src/test/java/org/apache/http/impl/client/integration/TestClientAuthentication.java
Sun Oct 19 19:20:10 2014
@@ -235,7 +235,7 @@ public class TestClientAuthentication ex
             .add(new RequestBasicAuth())
             .add(new ResponseBasicUnauthorized()).build();
         this.localServer = new LocalTestServer(
-                httpproc, null, null, new AuthExpectationVerifier(), null, false);
+                httpproc, null, null, new AuthExpectationVerifier(), null, false, null);
         this.localServer.register("*", new AuthHandler());
         this.localServer.start();
 

Modified: httpcomponents/httpclient/branches/4.3.x/httpclient/src/test/java/org/apache/http/localserver/LocalTestServer.java
URL: http://svn.apache.org/viewvc/httpcomponents/httpclient/branches/4.3.x/httpclient/src/test/java/org/apache/http/localserver/LocalTestServer.java?rev=1632978&r1=1632977&r2=1632978&view=diff
==============================================================================
--- httpcomponents/httpclient/branches/4.3.x/httpclient/src/test/java/org/apache/http/localserver/LocalTestServer.java
(original)
+++ httpcomponents/httpclient/branches/4.3.x/httpclient/src/test/java/org/apache/http/localserver/LocalTestServer.java
Sun Oct 19 19:20:10 2014
@@ -89,6 +89,9 @@ public class LocalTestServer {
     /** Optional flag whether to force SSL context */
     private final boolean forceSSLAuth;
 
+    /** Optional set of enabled SSL/TLS protocols */
+    private final String[] enabledProtocols;
+
     /** The server socket, while being served. */
     private volatile ServerSocket servicedSocket;
 
@@ -128,7 +131,8 @@ public class LocalTestServer {
             final HttpResponseFactory responseFactory,
             final HttpExpectationVerifier expectationVerifier,
             final SSLContext sslcontext,
-            final boolean forceSSLAuth) {
+            final boolean forceSSLAuth,
+            final String[] enabledProtocols) {
         super();
         this.handlerRegistry = new UriHttpRequestHandlerMapper();
         this.workers = Collections.synchronizedSet(new HashSet<Worker>());
@@ -140,12 +144,13 @@ public class LocalTestServer {
             expectationVerifier);
         this.sslcontext = sslcontext;
         this.forceSSLAuth = forceSSLAuth;
+        this.enabledProtocols = enabledProtocols;
     }
 
     public LocalTestServer(
             final HttpProcessor proc,
             final ConnectionReuseStrategy reuseStrat) {
-        this(proc, reuseStrat, null, null, null, false);
+        this(proc, reuseStrat, null, null, null, false, null);
     }
 
     /**
@@ -155,7 +160,17 @@ public class LocalTestServer {
      * @param forceSSLAuth whether or not the server needs to enforce client auth
      */
     public LocalTestServer(final SSLContext sslcontext, final boolean forceSSLAuth) {
-        this(null, null, null, null, sslcontext, forceSSLAuth);
+        this(null, null, null, null, sslcontext, forceSSLAuth, null);
+    }
+
+    /**
+     * Creates a new test server with SSL/TLS encryption.
+     *
+     * @param sslcontext SSL context
+     * @param forceSSLAuth whether or not the server needs to enforce client auth
+     */
+    public LocalTestServer(final SSLContext sslcontext, final boolean forceSSLAuth, final
String[] enabledProtocols) {
+        this(null, null, null, null, sslcontext, forceSSLAuth, enabledProtocols);
     }
 
     /**
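Review bot: The Javadoc on the new three-argument constructor was copied from the two-argument one and does not document the parameter that distinguishes it; add `@param enabledProtocols protocols to enable on accepted SSL sockets, or {@code null} to keep the SSL context's defaults` after the forceSSLAuth tag. The null fallback is what the later hunk implements, where the array is applied only when non-null. The array is also stored by reference in the full constructor (earlier hunk), so a caller could change it after construction; `this.enabledProtocols = enabledProtocols != null ? enabledProtocols.clone() : null;` would avoid that, though for a test helper it is minor.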
@@ -164,7 +179,7 @@ public class LocalTestServer {
      * @param sslcontext SSL context
      */
     public LocalTestServer(final SSLContext sslcontext) {
-        this(null, null, null, null, sslcontext, false);
+        this(null, null, null, null, sslcontext, false, null);
     }
 
     /**
@@ -252,6 +267,9 @@ public class LocalTestServer {
             } else {
                 sslsock.setWantClientAuth(true);
             }
+            if (enabledProtocols != null) {
+                sslsock.setEnabledProtocols(enabledProtocols);
+            }
             ssock = sslsock;
         } else {
             ssock = new ServerSocket();


