/**
 * Logs, once per JVM, which TLS protocols and cipher suites this connector will and will not
 * offer, after applying the include/exclude lists configured on {@code contextFactory}.
 *
 * <p>The {@link SSLEngine} is taken from the factory's own {@code SSLContext} rather than from
 * {@code SSLContext.getDefault()}. Jetty uses a pristine engine so that it can attribute a
 * disabled protocol to the {@code JRE/lib/security/java.security} level; this method does not
 * report that distinction, so the configured context is sufficient. Reference behaviour in Jetty:
 * https://github.com/eclipse/jetty.project/blob/93a8afcc6bd1a6e0af7bd9f967c97ae1bc3eb718/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L356-L360
 *
 * @param contextFactory the configured Jetty SSL context factory whose selection is reported
 */
private void logSupportedParameters(SslContextFactory contextFactory) {
    // LOGGED is a compare-and-set flag: only the first caller wins and performs the logging.
    if (!LOGGED.compareAndSet(false, true)) {
        return;
    }
    final SSLEngine sslEngine = contextFactory.getSslContext().createSSLEngine();
    final Map<Boolean, List<String>> protocolSupport = partitionSupport(
            sslEngine.getSupportedProtocols(),
            sslEngine.getEnabledProtocols(),
            contextFactory.getExcludeProtocols(),
            contextFactory.getIncludeProtocols());
    final Map<Boolean, List<String>> cipherSupport = partitionSupport(
            sslEngine.getSupportedCipherSuites(),
            sslEngine.getEnabledCipherSuites(),
            contextFactory.getExcludeCipherSuites(),
            contextFactory.getIncludeCipherSuites());
    // partitionSupport keys its result by "enabled" (true) versus "disabled" (false).
    LOGGER.info("Enabled protocols: {}", protocolSupport.get(true));
    LOGGER.info("Disabled protocols: {}", protocolSupport.get(false));
    LOGGER.info("Enabled cipher suites: {}", cipherSupport.get(true));
    LOGGER.info("Disabled cipher suites: {}", cipherSupport.get(false));
}
/**
 * With no protocol include/exclude override configured, the connector must keep the default
 * exclusion list of legacy SSL protocol names and an empty inclusion list.
 */
@Test
public void shouldLeaveTheDefaultProtocolInclusionAndExclusionListUnTouchedIfNotOverridden() {
    // A null override from the configuration means "not configured".
    when(goSSLConfig.getProtocolsToBeExcluded()).thenReturn(null);
    when(goSSLConfig.getProtocolsToBeIncluded()).thenReturn(null);

    sslSocketConnector = new GoSslSocketConnector(jettyServer, "password", systemEnvironment, goSSLConfig);
    ServerConnector serverConnector = (ServerConnector) sslSocketConnector.getConnector();
    Collection<ConnectionFactory> factories = serverConnector.getConnectionFactories();
    SslContextFactory contextFactory = findSslContextFactory(factories);

    // Exactly the four pre-TLS names are excluded by default; no TLS version appears in this list.
    String[] excluded = contextFactory.getExcludeProtocols();
    Collection<String> expectedExclusions = Arrays.asList("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
    assertThat(excluded.length, is(4));
    assertThat(Arrays.asList(excluded).containsAll(expectedExclusions), is(true));
    assertThat(contextFactory.getIncludeProtocols().length, is(0));
}
/**
 * A configured protocol exclusion and inclusion list must replace Jetty's defaults verbatim.
 */
@Test
public void shouldOverrideTheDefaultProtocolExclusionListIfConfigured() {
    String[] configuredExclusions = {"SSL", "TLS1.0", "TLS1.1"};
    String[] configuredInclusions = {"TLS1.2"};
    when(goSSLConfig.getProtocolsToBeExcluded()).thenReturn(configuredExclusions);
    when(goSSLConfig.getProtocolsToBeIncluded()).thenReturn(configuredInclusions);

    sslSocketConnector = new GoSslSocketConnector(jettyServer, "password", systemEnvironment, goSSLConfig);
    ServerConnector serverConnector = (ServerConnector) sslSocketConnector.getConnector();
    Collection<ConnectionFactory> factories = serverConnector.getConnectionFactories();
    SslContextFactory contextFactory = findSslContextFactory(factories);

    // Only pass-through is verified here: the configured names are not checked against the
    // protocol names the SSLEngine actually understands, so a misspelt entry would still pass.
    String[] excluded = contextFactory.getExcludeProtocols();
    assertThat(excluded.length, is(3));
    assertThat(Arrays.asList(excluded).containsAll(Arrays.asList(configuredExclusions)), is(true));
    String[] included = contextFactory.getIncludeProtocols();
    assertThat(included.length, is(1));
    assertThat(included[0], is("TLS1.2"));
}
/**
 * When {@code GO_SSL_CONFIG_CLEAR_JETTY_DEFAULT_EXCLUSIONS} is set and nothing is configured,
 * the connector must carry no protocol or cipher-suite include/exclude lists at all.
 */
@Test
public void shouldClearOutDefaultProtocolsAndCipherSetByJettyIfFlagIsSet() {
    when(systemEnvironment.get(SystemEnvironment.GO_SSL_CONFIG_CLEAR_JETTY_DEFAULT_EXCLUSIONS)).thenReturn(true);
    // No overrides: every configured list comes back as "not configured".
    when(goSSLConfig.getProtocolsToBeIncluded()).thenReturn(null);
    when(goSSLConfig.getProtocolsToBeExcluded()).thenReturn(null);
    when(goSSLConfig.getCipherSuitesToBeIncluded()).thenReturn(null);
    when(goSSLConfig.getCipherSuitesToBeExcluded()).thenReturn(null);

    sslSocketConnector = new GoSslSocketConnector(jettyServer, "password", systemEnvironment, goSSLConfig);
    ServerConnector serverConnector = (ServerConnector) sslSocketConnector.getConnector();
    SslContextFactory contextFactory = findSslContextFactory(serverConnector.getConnectionFactories());

    // With Jetty's default exclusions cleared and none configured, all four lists are empty;
    // protocol/suite selection then presumably falls back to whatever the SSLEngine enables
    // by default — confirm against the connector before relying on this.
    assertThat(contextFactory.getExcludeProtocols().length, is(0));
    assertThat(contextFactory.getIncludeProtocols().length, is(0));
    assertThat(contextFactory.getExcludeCipherSuites().length, is(0));
    assertThat(contextFactory.getIncludeCipherSuites().length, is(0));
}
sslContextFactory.addExcludeProtocols(excludedProtocols); LOG.info("HTTP Server SSL: SslContextFactory.getExcludeProtocols = " + Arrays.toString(sslContextFactory.getExcludeProtocols())); sslContextFactory.setKeyStorePath(keyStorePath); sslContextFactory.setKeyStorePassword(keyStorePassword);
/**
 * Builds the protocol and cipher-suite selection dumps for this factory.
 *
 * <p>Selection is evaluated against a pristine engine from {@code SSLContext.getDefault()}
 * rather than this factory's own context, so that a protocol or suite disabled at the
 * {@code JRE/lib/security/java.security} level can be detected and identified as such.
 *
 * @return the protocol dump followed by the cipher-suite dump
 * @throws NoSuchAlgorithmException if the default {@link SSLContext} cannot be obtained
 */
List<SslSelectionDump> selectionDump() throws NoSuchAlgorithmException {
    SSLEngine engine = SSLContext.getDefault().createSSLEngine();

    SslSelectionDump protocolDump = new SslSelectionDump("Protocol",
            engine.getSupportedProtocols(),
            engine.getEnabledProtocols(),
            getExcludeProtocols(),
            getIncludeProtocols());
    SslSelectionDump cipherDump = new SslSelectionDump("Cipher Suite",
            engine.getSupportedCipherSuites(),
            engine.getEnabledCipherSuites(),
            getExcludeCipherSuites(),
            getIncludeCipherSuites());

    List<SslSelectionDump> selections = new ArrayList<>(2);
    selections.add(protocolDump);
    selections.add(cipherDump);
    return selections;
}
/**
 * Dumps this factory's state, including which protocols and cipher suites are selected,
 * into Jetty's {@code Dumpable} tree.
 *
 * <p>The selection dumps are computed against a pristine engine from
 * {@code SSLContext.getDefault()}, not this factory's own context. If the default context
 * is unavailable the dump is skipped rather than failing the caller.
 *
 * @param out    destination for the dump
 * @param indent prefix for each dumped line
 * @throws IOException if writing to {@code out} fails
 */
@Override
public void dump(Appendable out, String indent) throws IOException {
    SSLEngine engine;
    try {
        engine = SSLContext.getDefault().createSSLEngine();
    } catch (NoSuchAlgorithmException ignore) {
        // Deliberately best-effort: a diagnostic dump must never break the component dumped.
        LOG.ignore(ignore);
        return;
    }
    String trustAll = "trustAll=" + _trustAll;
    SslSelectionDump protocolDump = new SslSelectionDump("Protocol",
            engine.getSupportedProtocols(), engine.getEnabledProtocols(),
            getExcludeProtocols(), getIncludeProtocols());
    SslSelectionDump cipherDump = new SslSelectionDump("Cipher Suite",
            engine.getSupportedCipherSuites(), engine.getEnabledCipherSuites(),
            getExcludeCipherSuites(), getIncludeCipherSuites());
    Dumpable.dumpObjects(out, indent, this, trustAll, protocolDump, cipherDump);
}
/**
 * Builds the protocol and cipher-suite selection dumps for this factory.
 *
 * <p>Selection is evaluated against a pristine engine from {@code SSLContext.getDefault()}
 * rather than this factory's own context, so that a protocol or suite disabled at the
 * {@code JRE/lib/security/java.security} level can be detected and identified as such.
 *
 * @return the protocol dump followed by the cipher-suite dump
 * @throws NoSuchAlgorithmException if the default {@link SSLContext} cannot be obtained
 */
List<SslSelectionDump> selectionDump() throws NoSuchAlgorithmException {
    SSLEngine engine = SSLContext.getDefault().createSSLEngine();

    SslSelectionDump protocolDump = new SslSelectionDump("Protocol",
            engine.getSupportedProtocols(),
            engine.getEnabledProtocols(),
            getExcludeProtocols(),
            getIncludeProtocols());
    SslSelectionDump cipherDump = new SslSelectionDump("Cipher Suite",
            engine.getSupportedCipherSuites(),
            engine.getEnabledCipherSuites(),
            getExcludeCipherSuites(),
            getIncludeCipherSuites());

    List<SslSelectionDump> selections = new ArrayList<>(2);
    selections.add(protocolDump);
    selections.add(cipherDump);
    return selections;
}
sslContextFactory.addExcludeProtocols(excludedProtocols); LOG.info("HTTP Server SSL: SslContextFactory.getExcludeProtocols = " + Arrays.toString(sslContextFactory.getExcludeProtocols())); sslContextFactory.setKeyStorePath(keyStorePath); sslContextFactory.setKeyStorePassword(keyStorePassword);
sslContextFactory.addExcludeProtocols(excludedProtocols); LOG.info("HTTP Server SSL: SslContextFactory.getExcludeProtocols = " + Arrays.toString(sslContextFactory.getExcludeProtocols())); sslContextFactory.setKeyStorePath(keyStorePath); sslContextFactory.setKeyStorePassword(keyStorePassword);
if (allowSSLv3 || !tlsServerParameters.getIncludeProtocols().isEmpty()) { List<String> excludedProtocols = new ArrayList<>(); for (String excludedProtocol : scf.getExcludeProtocols()) { if (!(tlsServerParameters.getIncludeProtocols().contains(excludedProtocol) || (allowSSLv3 && ("SSLv3".equals(excludedProtocol)
sslContextFactory.addExcludeProtocols(excludedProtocols); LOG.info("HTTP Server SSL: SslContextFactory.getExcludeProtocols = " + Arrays.toString(sslContextFactory.getExcludeProtocols())); sslContextFactory.setKeyStorePath(keyStorePath); sslContextFactory.setKeyStorePassword(keyStorePassword);
if (allowSSLv3 || !tlsServerParameters.getIncludeProtocols().isEmpty()) { List<String> excludedProtocols = new ArrayList<>(); for (String excludedProtocol : scf.getExcludeProtocols()) { if (!(tlsServerParameters.getIncludeProtocols().contains(excludedProtocol) || (allowSSLv3 && ("SSLv3".equals(excludedProtocol)
port, sslcf.getIncludeCipherSuites(), sslcf.getExcludeCipherSuites(), sslcf.getIncludeProtocols(), sslcf.getExcludeProtocols());