tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lu...@apache.org
Subject cvs commit: jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse JSSE14SocketFactory.java JSSESocketFactory.java
Date Mon, 11 Aug 2003 21:46:41 GMT
luehe       2003/08/11 14:46:41

  Modified:    util/java/org/apache/tomcat/util/net/jsse
                        JSSE14SocketFactory.java JSSESocketFactory.java
  Log:
  - Added support for specifying comma-separated list of SSL protocol
    variants to be enabled
  
    This may be useful to disable the less secure SSLv2.
  
  - Fixed bug where if none of the requested ciphers were actually supported, no
    error was reported
  
  Revision  Changes    Path
  1.9       +5 -1      jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14SocketFactory.java
  
  Index: JSSE14SocketFactory.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14SocketFactory.java,v
  retrieving revision 1.8
  retrieving revision 1.9
  diff -u -r1.8 -r1.9
  --- JSSE14SocketFactory.java	11 Aug 2003 18:12:29 -0000	1.8
  +++ JSSE14SocketFactory.java	11 Aug 2003 21:46:41 -0000	1.9
  @@ -133,7 +133,11 @@
               sslProxy = context.getServerSocketFactory();
   
               // Determine which cipher suites to enable
  -            enabledCiphers = getEnabledCiphers(sslProxy.getSupportedCipherSuites());
  +            String requestedCiphers = (String)attributes.get("ciphers");
  +            if (requestedCiphers != null) {
  +                enabledCiphers = getEnabledCiphers(requestedCiphers,
  +                                                   sslProxy.getSupportedCipherSuites());
  +            }
   
           } catch(Exception e) {
               if( e instanceof IOException )
  
  
  
  1.5       +75 -15    jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
  
  Index: JSSESocketFactory.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- JSSESocketFactory.java	18 Jul 2003 05:26:45 -0000	1.4
  +++ JSSESocketFactory.java	11 Aug 2003 21:46:41 -0000	1.5
  @@ -155,25 +155,28 @@
       public void handshake(Socket sock) throws IOException {
           ((SSLSocket)sock).startHandshake();
       }
  -     
  +
       /*
        * Determines the SSL cipher suites to be enabled.
        *
  -     * @return Array of SSL cipher suites to be enabled, or null if the
  -     * cipherSuites property was not specified (meaning that all supported
  -     * cipher suites are to be enabled)
  +     * @param requestedCiphers Comma-separated list of requested ciphers
  +     * @param supportedCiphers Array of supported ciphers
  +     *
  +     * @return Array of SSL cipher suites to be enabled, or null if none of the
  +     * requested ciphers are supported
        */
  -    protected String[] getEnabledCiphers(String[] supportedCiphers) {
  +    protected String[] getEnabledCiphers(String requestedCiphers,
  +                                         String[] supportedCiphers) {
   
           String[] enabledCiphers = null;
   
  -        String attrValue = (String)attributes.get("ciphers");
  -        if (attrValue != null) {
  +        if (requestedCiphers != null) {
               Vector vec = null;
               int fromIndex = 0;
  -            int index = attrValue.indexOf(',', fromIndex);
  +            int index = requestedCiphers.indexOf(',', fromIndex);
               while (index != -1) {
  -                String cipher = attrValue.substring(fromIndex, index).trim();
  +                String cipher
  +                    = requestedCiphers.substring(fromIndex, index).trim();
                   /*
                    * Check to see if the requested cipher is among the supported
                    * ciphers, i.e., may be enabled
  @@ -189,7 +192,7 @@
                       }
                   }
                   fromIndex = index+1;
  -                index = attrValue.indexOf(',', fromIndex);
  +                index = requestedCiphers.indexOf(',', fromIndex);
               }
   
               if (vec != null) {
  @@ -200,7 +203,7 @@
   
           return enabledCiphers;
       }
  -
  +     
       /*
        * Gets the SSL server's keystore password.
        */
  @@ -288,15 +291,72 @@
        */
       abstract void init() throws IOException ;
   
  +    /*
  +     * Determines the SSL protocol variants to be enabled.
  +     *
  +     * @param requestedProtocols Comma-separated list of requested SSL
  +     * protocol variants
  +     * @param supportedProtocols Array of supported SSL protocol variants
  +     *
  +     * @return Array of SSL protocol variants to be enabled, or null if none of
  +     * the requested protocol variants are supported
  +     */
  +    private String[] getEnabledProtocols(String requestedProtocols,
  +                                         String[] supportedProtocols) {
  +
  +        String[] enabledProtocols = null;
  +
  +        if (requestedProtocols != null) {
  +            Vector vec = null;
  +            int fromIndex = 0;
  +            int index = requestedProtocols.indexOf(',', fromIndex);
  +            while (index != -1) {
  +                String protocol
  +                    = requestedProtocols.substring(fromIndex, index).trim();
  +                /*
  +                 * Check to see if the requested protocol is among the
  +                 * supported protocols, i.e., may be enabled
  +                 */
  +                for (int i=0; supportedProtocols != null
  +                             && i<supportedProtocols.length; i++) {
  +                    if (supportedProtocols[i].equals(protocol)) {
  +                        if (vec == null) {
  +                            vec = new Vector();
  +                        }
  +                        vec.addElement(protocol);
  +                        break;
  +                    }
  +                }
  +                fromIndex = index+1;
  +                index = requestedProtocols.indexOf(',', fromIndex);
  +            }
  +
  +            if (vec != null) {
  +                enabledProtocols = new String[vec.size()];
  +                vec.copyInto(enabledProtocols);
  +            }
  +        }
  +
  +        return enabledProtocols;
  +    }
  +
       /**
  -     * Sets the SSL server socket properties (such as enabled cipher suites,
  -     * etc.)
  +     * Configures the given SSL server socket with the requested cipher suites,
  +     * protocol versions, and need for client authentication
        */
       private void initServerSocket(ServerSocket ssocket) {
  -        SSLServerSocket socket=(SSLServerSocket)ssocket;
   
  -        if (enabledCiphers != null) {
  +        SSLServerSocket socket = (SSLServerSocket) ssocket;
  +
  +        if (attributes.get("ciphers") != null) {
               socket.setEnabledCipherSuites(enabledCiphers);
  +        }
  +
  +        String requestedProtocols = (String) attributes.get("protocols");
  +        if (requestedProtocols != null) {
  +            socket.setEnabledProtocols(getEnabledProtocols(
  +                                        requestedProtocols,
  +                                        socket.getSupportedProtocols()));
           }
   
           // we don't know if client auth is needed -
  
  
  

Mime
View raw message