private void logSupportedParameters(SslContextFactory contextFactory) {
    // Log exactly once per JVM, however many connectors get built.
    if (!LOGGED.compareAndSet(false, true)) {
        return;
    }

    // Jetty's own dump uses a pristine SSLEngine so that it can tell a protocol
    // disabled by configuration apart from one disabled at the
    // JRE/lib/security/java.security level. That distinction is not reported
    // here, so the engine is created from the configured context instead, and the
    // "enabled" lists below reflect this context, not the JRE defaults.
    //
    // For more info from Jetty:
    // https://github.com/eclipse/jetty.project/blob/93a8afcc6bd1a6e0af7bd9f967c97ae1bc3eb718/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L356-L360
    final SSLEngine sslEngine = contextFactory.getSslContext().createSSLEngine();

    final Map<Boolean, List<String>> protocolsBySupport = partitionSupport(
            sslEngine.getSupportedProtocols(),
            sslEngine.getEnabledProtocols(),
            contextFactory.getExcludeProtocols(),
            contextFactory.getIncludeProtocols());
    final Map<Boolean, List<String>> cipherSuitesBySupport = partitionSupport(
            sslEngine.getSupportedCipherSuites(),
            sslEngine.getEnabledCipherSuites(),
            contextFactory.getExcludeCipherSuites(),
            contextFactory.getIncludeCipherSuites());

    // Per the labels below, the true partition holds the enabled entries and the
    // false partition the disabled ones (the split itself is made by partitionSupport).
    LOGGER.info("Enabled protocols: {}", protocolsBySupport.get(true));
    LOGGER.info("Disabled protocols: {}", protocolsBySupport.get(false));
    LOGGER.info("Enabled cipher suites: {}", cipherSuitesBySupport.get(true));
    LOGGER.info("Disabled cipher suites: {}", cipherSuitesBySupport.get(false));
}
@Test
public void shouldSetupCipherSuitesToBeIncluded() {
    // The fixture (prepared outside this method) is expected to configure exactly
    // one included cipher-suite pattern, "FOO"; verify it reaches the SslContextFactory.
    final ServerConnector serverConnector = (ServerConnector) sslSocketConnector.getConnector();
    final Collection<ConnectionFactory> factories = serverConnector.getConnectionFactories();
    final SslContextFactory contextFactory = findSslContextFactory(factories);

    final List<String> included = Arrays.asList(contextFactory.getIncludeCipherSuites());
    assertThat(included.size(), is(1));
    assertThat(included.contains("FOO"), is(true));
}
@Test
public void shouldOverrideTheDefaultCipherSuiteExclusionListIfConfigured() {
    // Explicit patterns from GoSSLConfig replace the defaults outright (they are
    // not merged), so an operator-supplied exclusion list must itself cover any
    // weak suites the default list would have rejected.
    when(goSSLConfig.getCipherSuitesToBeExcluded()).thenReturn(new String[]{"*MD5*"});
    when(goSSLConfig.getCipherSuitesToBeIncluded()).thenReturn(new String[]{"*ECDHE*"});
    sslSocketConnector = new GoSslSocketConnector(jettyServer, "password", systemEnvironment, goSSLConfig);

    final ServerConnector serverConnector = (ServerConnector) sslSocketConnector.getConnector();
    final SslContextFactory contextFactory = findSslContextFactory(serverConnector.getConnectionFactories());

    final String[] excluded = contextFactory.getExcludeCipherSuites();
    final String[] included = contextFactory.getIncludeCipherSuites();
    assertThat(excluded.length, is(1));
    assertThat(excluded[0], is("*MD5*"));
    assertThat(included.length, is(1));
    assertThat(included[0], is("*ECDHE*"));
}
@Test
public void shouldClearOutDefaultProtocolsAndCipherSetByJettyIfFlagIsSet() {
    // With the clear-exclusions flag set and no overrides configured, every
    // include/exclude list on the SslContextFactory must end up empty: Jetty's
    // built-in defaults are dropped, not merely left in place. Note that an empty
    // exclusion list means the JRE's own settings are the only remaining filter.
    when(systemEnvironment.get(SystemEnvironment.GO_SSL_CONFIG_CLEAR_JETTY_DEFAULT_EXCLUSIONS)).thenReturn(true);
    when(goSSLConfig.getProtocolsToBeExcluded()).thenReturn(null);
    when(goSSLConfig.getProtocolsToBeIncluded()).thenReturn(null);
    when(goSSLConfig.getCipherSuitesToBeIncluded()).thenReturn(null);
    when(goSSLConfig.getCipherSuitesToBeExcluded()).thenReturn(null);
    sslSocketConnector = new GoSslSocketConnector(jettyServer, "password", systemEnvironment, goSSLConfig);

    final ServerConnector serverConnector = (ServerConnector) sslSocketConnector.getConnector();
    final SslContextFactory contextFactory = findSslContextFactory(serverConnector.getConnectionFactories());

    final String[] excludedProtocols = contextFactory.getExcludeProtocols();
    final String[] includedProtocols = contextFactory.getIncludeProtocols();
    final String[] excludedSuites = contextFactory.getExcludeCipherSuites();
    final String[] includedSuites = contextFactory.getIncludeCipherSuites();
    assertThat(excludedProtocols.length, is(0));
    assertThat(includedProtocols.length, is(0));
    assertThat(excludedSuites.length, is(0));
    assertThat(includedSuites.length, is(0));
}
@Test
public void shouldLeaveTheDefaultCipherSuiteInclusionAndExclusionListUnTouchedIfNotOverridden() {
    // No include/exclude patterns from GoSSLConfig: the connector must keep its
    // own default exclusion set, which rejects the well-known weak families
    // (MD5/SHA/SHA1 MAC suffixes, static-RSA key exchange, legacy SSL_-prefixed
    // names, NULL-encryption and anonymous suites) and leaves the include list empty.
    when(goSSLConfig.getCipherSuitesToBeIncluded()).thenReturn(null);
    when(goSSLConfig.getCipherSuitesToBeExcluded()).thenReturn(null);
    sslSocketConnector = new GoSslSocketConnector(jettyServer, "password", systemEnvironment, goSSLConfig);

    final ServerConnector serverConnector = (ServerConnector) sslSocketConnector.getConnector();
    final SslContextFactory contextFactory = findSslContextFactory(serverConnector.getConnectionFactories());

    final String[] excluded = contextFactory.getExcludeCipherSuites();
    assertThat(excluded, is(arrayWithSize(5)));
    assertThat(excluded, is(arrayContainingInAnyOrder(
            "^.*_(MD5|SHA|SHA1)$",
            "^TLS_RSA_.*$",
            "^SSL_.*$",
            "^.*_NULL_.*$",
            "^.*_anon_.*$")));
    assertThat(contextFactory.getIncludeCipherSuites(), is(emptyArray()));
}
List<SslSelectionDump> selectionDump() throws NoSuchAlgorithmException {
    // Deliberately not this factory's own engine: a pristine engine from the
    // default SSLContext lets the dump tell features disabled at the
    // JRE/lib/security/java.security level apart from those excluded by this
    // factory's configuration.
    final SSLEngine pristine = SSLContext.getDefault().createSSLEngine();

    final SslSelectionDump protocols = new SslSelectionDump("Protocol",
            pristine.getSupportedProtocols(),
            pristine.getEnabledProtocols(),
            getExcludeProtocols(),
            getIncludeProtocols());
    final SslSelectionDump cipherSuites = new SslSelectionDump("Cipher Suite",
            pristine.getSupportedCipherSuites(),
            pristine.getEnabledCipherSuites(),
            getExcludeCipherSuites(),
            getIncludeCipherSuites());

    // Returned as a mutable ArrayList, matching the original contract.
    final List<SslSelectionDump> selections = new ArrayList<>(2);
    selections.add(protocols);
    selections.add(cipherSuites);
    return selections;
}
@Override
public void dump(Appendable out, String indent) throws IOException {
    try {
        // A pristine engine from the default SSLContext (not this factory's own)
        // so the dump can attribute disabled features to the JRE's
        // java.security settings rather than to this configuration.
        final SSLEngine pristine = SSLContext.getDefault().createSSLEngine();
        final SslSelectionDump protocols = new SslSelectionDump("Protocol",
                pristine.getSupportedProtocols(),
                pristine.getEnabledProtocols(),
                getExcludeProtocols(),
                getIncludeProtocols());
        final SslSelectionDump cipherSuites = new SslSelectionDump("Cipher Suite",
                pristine.getSupportedCipherSuites(),
                pristine.getEnabledCipherSuites(),
                getExcludeCipherSuites(),
                getIncludeCipherSuites());
        Dumpable.dumpObjects(out, indent, this, "trustAll=" + _trustAll, protocols, cipherSuites);
    } catch (NoSuchAlgorithmException ignore) {
        // No default SSLContext available: nothing meaningful to dump, and a
        // diagnostic dump must not fail the caller. IOExceptions still propagate.
        LOG.ignore(ignore);
    }
}
/**
 * Returns the cipher-suite include patterns, delegating to the wrapped context
 * factory's {@code getIncludeCipherSuites()}.
 *
 * @return the include patterns exactly as the wrapped context factory returns them
 * @see org.eclipse.jetty.server.ssl.SslConnector#getIncludeCipherSuites()
 * @deprecated query the wrapped context factory directly
 */
@Deprecated
public String[] getIncludeCipherSuites() {
    final String[] patterns = _sslContextFactory.getIncludeCipherSuites();
    return patterns;
}
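/**
 * Returns the cipher-suite include patterns, delegating to the wrapped context
 * factory's {@code getIncludeCipherSuites()}.
 *
 * The {@code @see} reference previously pointed at {@code getExcludeCipherSuites()},
 * the wrong counterpart for this accessor; it now names the include accessor.
 *
 * @return the include patterns exactly as the wrapped context factory returns them
 * @see org.eclipse.jetty.server.ssl.SslConnector#getIncludeCipherSuites()
 * @deprecated query the wrapped context factory directly
 */
@Deprecated
public String[] getIncludeCipherSuites() {
    return _sslContextFactory.getIncludeCipherSuites();
}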
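/**
 * Returns the cipher-suite include patterns, delegating to the wrapped context
 * factory's {@code getIncludeCipherSuites()}.
 *
 * The {@code @see} reference previously pointed at {@code getExcludeCipherSuites()},
 * the wrong counterpart for this accessor; it now names the include accessor.
 *
 * @return the include patterns exactly as the wrapped context factory returns them
 * @see org.eclipse.jetty.server.ssl.SslConnector#getIncludeCipherSuites()
 * @deprecated query the wrapped context factory directly
 */
@Deprecated
public String[] getIncludeCipherSuites() {
    return _sslContextFactory.getIncludeCipherSuites();
}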
/**
 * Returns the cipher-suite include patterns, delegating to the wrapped context
 * factory's {@code getIncludeCipherSuites()}.
 *
 * @return the include patterns exactly as the wrapped context factory returns them
 * @see org.eclipse.jetty.server.ssl.SslConnector#getIncludeCipherSuites()
 * @deprecated query the wrapped context factory directly
 */
@Deprecated
public String[] getIncludeCipherSuites() {
    final String[] patterns = _sslContextFactory.getIncludeCipherSuites();
    return patterns;
}
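/**
 * Returns the cipher-suite include patterns, delegating to the wrapped context
 * factory's {@code getIncludeCipherSuites()}.
 *
 * The {@code @see} reference previously pointed at {@code getExcludeCipherSuites()},
 * the wrong counterpart for this accessor; it now names the include accessor.
 *
 * @return the include patterns exactly as the wrapped context factory returns them
 * @see org.eclipse.jetty.server.ssl.SslConnector#getIncludeCipherSuites()
 * @deprecated query the wrapped context factory directly
 */
@Deprecated
public String[] getIncludeCipherSuites() {
    return _sslContextFactory.getIncludeCipherSuites();
}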
/**
 * Returns the cipher-suite include patterns, delegating to the wrapped context
 * factory's {@code getIncludeCipherSuites()}.
 *
 * @return the include patterns exactly as the wrapped context factory returns them
 * @see org.eclipse.jetty.server.ssl.SslConnector#getIncludeCipherSuites()
 * @deprecated query the wrapped context factory directly
 */
@Deprecated
public String[] getIncludeCipherSuites() {
    final String[] patterns = _sslContextFactory.getIncludeCipherSuites();
    return patterns;
}
/**
 * Returns the cipher-suite include patterns, delegating to the wrapped context
 * factory's {@code getIncludeCipherSuites()}.
 *
 * @return the include patterns exactly as the wrapped context factory returns them
 * @see org.eclipse.jetty.server.ssl.SslConnector#getIncludeCipherSuites()
 * @deprecated query the wrapped context factory directly
 */
@Deprecated
public String[] getIncludeCipherSuites() {
    final String[] patterns = _sslContextFactory.getIncludeCipherSuites();
    return patterns;
}
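/**
 * Returns the cipher-suite include patterns, delegating to the wrapped context
 * factory's {@code getIncludeCipherSuites()}.
 *
 * The {@code @see} reference previously pointed at {@code getExcludeCipherSuites()},
 * the wrong counterpart for this accessor; it now names the include accessor.
 *
 * @return the include patterns exactly as the wrapped context factory returns them
 * @see org.eclipse.jetty.server.ssl.SslConnector#getIncludeCipherSuites()
 * @deprecated query the wrapped context factory directly
 */
@Deprecated
public String[] getIncludeCipherSuites() {
    return _sslContextFactory.getIncludeCipherSuites();
}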
/**
 * Returns the cipher-suite include patterns, delegating to the wrapped context
 * factory's {@code getIncludeCipherSuites()}.
 *
 * @return the include patterns exactly as the wrapped context factory returns them
 * @see org.eclipse.jetty.server.ssl.SslConnector#getIncludeCipherSuites()
 * @deprecated query the wrapped context factory directly
 */
@Deprecated
public String[] getIncludeCipherSuites() {
    final String[] patterns = _sslContextFactory.getIncludeCipherSuites();
    return patterns;
}
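/**
 * Returns the cipher-suite include patterns, delegating to the wrapped context
 * factory's {@code getIncludeCipherSuites()}.
 *
 * The {@code @see} reference previously pointed at {@code getExcludeCipherSuites()},
 * the wrong counterpart for this accessor; it now names the include accessor.
 *
 * @return the include patterns exactly as the wrapped context factory returns them
 * @see org.eclipse.jetty.server.ssl.SslConnector#getIncludeCipherSuites()
 * @deprecated query the wrapped context factory directly
 */
@Deprecated
public String[] getIncludeCipherSuites() {
    return _sslContextFactory.getIncludeCipherSuites();
}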
List<SslSelectionDump> selectionDump() throws NoSuchAlgorithmException {
    // Deliberately not this factory's own engine: a pristine engine from the
    // default SSLContext lets the dump tell features disabled at the
    // JRE/lib/security/java.security level apart from those excluded by this
    // factory's configuration.
    final SSLEngine pristine = SSLContext.getDefault().createSSLEngine();

    final SslSelectionDump protocols = new SslSelectionDump("Protocol",
            pristine.getSupportedProtocols(),
            pristine.getEnabledProtocols(),
            getExcludeProtocols(),
            getIncludeProtocols());
    final SslSelectionDump cipherSuites = new SslSelectionDump("Cipher Suite",
            pristine.getSupportedCipherSuites(),
            pristine.getEnabledCipherSuites(),
            getExcludeCipherSuites(),
            getIncludeCipherSuites());

    // Returned as a mutable ArrayList, matching the original contract.
    final List<SslSelectionDump> selections = new ArrayList<>(2);
    selections.add(protocols);
    selections.add(cipherSuites);
    return selections;
}
port, sslcf.getIncludeCipherSuites(), sslcf.getExcludeCipherSuites(), sslcf.getIncludeProtocols(), sslcf.getExcludeProtocols());