/** * Create a channel connector for "http/https" requests */ Connector createChannelConnector(int queueSize, Builder b) { ServerConnector connector; final HttpConfiguration conf = new HttpConfiguration(); conf.setRequestHeaderSize(1024*64); final HttpConnectionFactory http = new HttpConnectionFactory(conf); if (!b.useSSL) { connector = new ServerConnector(webServer, http); } else { SslContextFactory sslContextFactory = new SslContextFactory(); sslContextFactory.setKeyStorePath(b.keyStorePath); Set<String> excludedSSLProtocols = Sets.newHashSet( Splitter.on(",").trimResults().omitEmptyStrings().split( Strings.nullToEmpty(b.conf.getVar(ConfVars.HIVE_SSL_PROTOCOL_BLACKLIST)))); sslContextFactory.addExcludeProtocols(excludedSSLProtocols.toArray( new String[excludedSSLProtocols.size()])); sslContextFactory.setKeyStorePassword(b.keyStorePassword); connector = new ServerConnector(webServer, sslContextFactory, http); } connector.setAcceptQueueSize(queueSize); connector.setReuseAddress(true); connector.setHost(b.host); connector.setPort(b.port); return connector; }
/** * Create ssl connector if https is used * @return */ private ServerConnector sslConnector() { HttpConfiguration http_config = new HttpConfiguration(); http_config.setSecureScheme("https"); http_config.setSecurePort(this.getPort()); HttpConfiguration https_config = new HttpConfiguration(http_config); https_config.addCustomizer(new SecureRequestCustomizer()); SslContextFactory sslContextFactory = new SslContextFactory(this.getCertKeyStorePath()); sslContextFactory.setKeyStorePassword(this.getCertKeyStorePassword()); //exclude weak ciphers sslContextFactory.setExcludeCipherSuites("^.*_(MD5|SHA|SHA1)$"); //only support tlsv1.2 sslContextFactory.addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"); ServerConnector connector = new ServerConnector(jettyServer, new SslConnectionFactory(sslContextFactory, "http/1.1"), new HttpConnectionFactory(https_config)); connector.setPort(this.getPort()); connector.setIdleTimeout(50000); return connector; }
String[] excludedProtocols = hiveConf.getVar(ConfVars.HIVE_SSL_PROTOCOL_BLACKLIST).split(","); LOG.info("HTTP Server SSL: adding excluded protocols: " + Arrays.toString(excludedProtocols)); sslContextFactory.addExcludeProtocols(excludedProtocols); LOG.info("HTTP Server SSL: SslContextFactory.getExcludeProtocols = " + Arrays.toString(sslContextFactory.getExcludeProtocols()));
/** * Construct an instance of SslContextFactory * Default constructor for use in XmlConfiguration files * @param trustAll whether to blindly trust all certificates * @see #setTrustAll(boolean) */ public SslContextFactory(boolean trustAll) { setTrustAll(trustAll); addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3"); }
SslContextFactory sslContextFactory = new SslContextFactory(); sslContextFactory.addExcludeProtocols("SSLv3"); sslContextFactory.setKeyStorePath(...); ...
/** * Create a channel connector for "http/https" requests */ Connector createChannelConnector(int queueSize, Builder b) { ServerConnector connector; final HttpConfiguration conf = new HttpConfiguration(); conf.setRequestHeaderSize(1024*64); final HttpConnectionFactory http = new HttpConnectionFactory(conf); if (!b.useSSL) { connector = new ServerConnector(webServer, http); } else { SslContextFactory sslContextFactory = new SslContextFactory(); sslContextFactory.setKeyStorePath(b.keyStorePath); Set<String> excludedSSLProtocols = Sets.newHashSet( Splitter.on(",").trimResults().omitEmptyStrings().split( Strings.nullToEmpty(b.conf.getVar(ConfVars.HIVE_SSL_PROTOCOL_BLACKLIST)))); sslContextFactory.addExcludeProtocols(excludedSSLProtocols.toArray( new String[excludedSSLProtocols.size()])); sslContextFactory.setKeyStorePassword(b.keyStorePassword); connector = new ServerConnector(webServer, sslContextFactory, http); } connector.setAcceptQueueSize(queueSize); connector.setReuseAddress(true); connector.setHost(b.host); connector.setPort(b.port); return connector; }
String[] excludedProtocols = hiveConf.getVar(ConfVars.HIVE_SSL_PROTOCOL_BLACKLIST).split(","); LOG.info("HTTP Server SSL: adding excluded protocols: " + Arrays.toString(excludedProtocols)); sslContextFactory.addExcludeProtocols(excludedProtocols); LOG.info("HTTP Server SSL: SslContextFactory.getExcludeProtocols = " + Arrays.toString(sslContextFactory.getExcludeProtocols()));
getSslContextFactory().addExcludeProtocols("SSLv3"); getSslContextFactory().addExcludeProtocols("SSLv2Hello"); } else if (excludeProtocols != null) { for (String p : excludeProtocols) { getSslContextFactory().addExcludeProtocols(p);
config.getStringArray(ATLAS_SSL_EXCLUDE_PROTOCOLS) : DEFAULT_EXCLUDE_PROTOCOLS; if (excludedProtocols != null && excludedProtocols.length > 0) { sslContextFactory.addExcludeProtocols(excludedProtocols);
Sets.newHashSet(Splitter.on(",").trimResults().omitEmptyStrings() .split(Strings.nullToEmpty(conf.get(ServerConfig.SENTRY_SSL_PROTOCOL_BLACKLIST)))); sslContextFactory.addExcludeProtocols(moreExcludedSSLProtocols.toArray( new String[moreExcludedSSLProtocols.size()]));
String[] excludedProtocols = hiveConf.getVar(ConfVars.HIVE_SSL_PROTOCOL_BLACKLIST).split(","); LOG.info("HTTP Server SSL: adding excluded protocols: " + Arrays.toString(excludedProtocols)); sslContextFactory.addExcludeProtocols(excludedProtocols); LOG.info("HTTP Server SSL: SslContextFactory.getExcludeProtocols = " + Arrays.toString(sslContextFactory.getExcludeProtocols()));
String[] excludedProtocols = hiveConf.getVar(ConfVars.HIVE_SSL_PROTOCOL_BLACKLIST).split(","); LOG.info("HTTP Server SSL: adding excluded protocols: " + Arrays.toString(excludedProtocols)); sslContextFactory.addExcludeProtocols(excludedProtocols); LOG.info("HTTP Server SSL: SslContextFactory.getExcludeProtocols = " + Arrays.toString(sslContextFactory.getExcludeProtocols()));
private SslContextFactory(boolean trustAll, String keyStorePath) { setTrustAll(trustAll); addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3"); // Exclude weak / insecure ciphers setExcludeCipherSuites("^.*_(MD5|SHA|SHA1)$"); // Exclude ciphers that don't support forward secrecy addExcludeCipherSuites("^TLS_RSA_.*$"); // The following exclusions are present to cleanup known bad cipher // suites that may be accidentally included via include patterns. // The default enabled cipher list in Java will not include these // (but they are available in the supported list). addExcludeCipherSuites("^SSL_.*$"); addExcludeCipherSuites("^.*_NULL_.*$"); addExcludeCipherSuites("^.*_anon_.*$"); if (keyStorePath != null) setKeyStorePath(keyStorePath); }