| author | Robert Godfrey <rgodfrey@apache.org> | 2014-10-16 12:18:05 +0000 |
|---|---|---|
| committer | Robert Godfrey <rgodfrey@apache.org> | 2014-10-16 12:18:05 +0000 |
| commit | c194b6913e73661c1da7de29e02b5b921e0eaf1e (patch) | |
| tree | 83b73910af3114d4a4a6bfa588fcb34c1f28deeb /qpid/java/broker-plugins | |
| parent | 45e8fc964106fab73b4f750da59a5349853296ea (diff) | |
| download | qpid-python-c194b6913e73661c1da7de29e02b5b921e0eaf1e.tar.gz | |
QPID-6156 : [Java] Prevent downgrade to SSLv3 on secure connections
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1632285 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/java/broker-plugins')
4 files changed, 11 insertions, 6 deletions
diff --git a/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java index 936cc4789a..6e104f844f 100644 --- a/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java +++ b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java @@ -74,6 +74,7 @@ import org.apache.qpid.server.model.port.HttpPort; import org.apache.qpid.server.model.port.PortManager; import org.apache.qpid.server.util.ServerScopedRuntimeException; import org.apache.qpid.transport.network.security.ssl.QpidMultipleTrustManager; +import org.apache.qpid.transport.network.security.ssl.SSLUtil; @ManagedObject( category = false, type = "MANAGEMENT-HTTP" ) public class HttpManagement extends AbstractPluginAdapter<HttpManagement> implements HttpManagementConfiguration<HttpManagement>, PortManager @@ -317,7 +318,7 @@ public class HttpManagement extends AbstractPluginAdapter<HttpManagement> implem throw new IllegalConfigurationException("Key store is not configured. Cannot start management on HTTPS port without keystore"); } SslContextFactory factory = new SslContextFactory(); - + factory.addExcludeProtocols(SSLUtil.SSLV3_PROTOCOL); boolean needClientCert = port.getNeedClientAuth() || port.getWantClientAuth(); if (needClientCert && trustStores.isEmpty()) diff --git a/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/QpidSslRMIServerSocketFactory.java b/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/QpidSslRMIServerSocketFactory.java index b0f5abd1a3..5c15a40427 100644 --- a/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/QpidSslRMIServerSocketFactory.java 
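Review bot: In the second HttpManagement hunk, `factory.addExcludeProtocols(SSLUtil.SSLV3_PROTOCOL);` closes the downgrade only if that constant is byte-for-byte the JSSE name `"SSLv3"`, because Jetty's exclude list appears to be matched by exact name against the engine's enabled protocols; the constant is defined outside this diff, so that should be confirmed with a handshake test rather than assumed. On a management listener I would also exclude the `SSLv2Hello` pseudo-protocol as defense in depth and avoid hardcoding the list, e.g. `factory.addExcludeProtocols(SSLUtil.SSLV3_PROTOCOL, "SSLv2Hello");` with the set ultimately driven by port configuration, since TLS 1.0 and whatever cipher suites the JVM enables by default are still left in place. The enclosing method starts before and continues after the hunk.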
+++ b/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/QpidSslRMIServerSocketFactory.java @@ -30,6 +30,8 @@ import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; import javax.rmi.ssl.SslRMIServerSocketFactory; +import org.apache.qpid.transport.network.security.ssl.SSLUtil; + public class QpidSslRMIServerSocketFactory extends SslRMIServerSocketFactory { private final SSLContext _sslContext; @@ -74,7 +76,7 @@ public class QpidSslRMIServerSocketFactory extends SslRMIServerSocketFactory socket.getPort(), true); sslSocket.setUseClientMode(false); - + SSLUtil.removeSSLv3Support(sslSocket); return sslSocket; } }; diff --git a/qpid/java/broker-plugins/websocket/src/main/java/org/apache/qpid/server/transport/websocket/WebSocketProvider.java b/qpid/java/broker-plugins/websocket/src/main/java/org/apache/qpid/server/transport/websocket/WebSocketProvider.java index d989a73fa2..8e250ef669 100644 --- a/qpid/java/broker-plugins/websocket/src/main/java/org/apache/qpid/server/transport/websocket/WebSocketProvider.java +++ b/qpid/java/broker-plugins/websocket/src/main/java/org/apache/qpid/server/transport/websocket/WebSocketProvider.java @@ -32,8 +32,6 @@ import java.util.Set; import javax.net.ssl.SSLContext; import javax.servlet.http.HttpServletRequest; -import org.apache.qpid.server.model.port.AmqpPort; -import org.apache.qpid.server.model.port.HttpPort; import org.eclipse.jetty.server.Connector; import org.eclipse.jetty.server.Server; import org.eclipse.jetty.server.nio.SelectChannelConnector; 
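Review bot: In the QpidSslRMIServerSocketFactory hunk, `SSLUtil.removeSSLv3Support(sslSocket);` runs after the accepted connection has already been wrapped, so if the helper throws (its body is not visible here; `setEnabledProtocols` raises `IllegalArgumentException` when handed a name the provider does not support or an empty list) the wrapped socket and the underlying accepted socket are both left open in what appears to be the `accept()` override of the returned server socket. Closing the wrapped socket before propagating keeps a misconfigured provider from leaking a descriptor per connection attempt. The anonymous class and the enclosing `createServerSocket` start and end outside the hunk.
```java
sslSocket.setUseClientMode(false);
try
{
    SSLUtil.removeSSLv3Support(sslSocket);
}
catch (RuntimeException e)
{
    sslSocket.close();
    throw e;
}
return sslSocket;
```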
@@ -48,11 +46,14 @@ import org.apache.qpid.server.model.Broker; import org.apache.qpid.server.model.Port; import org.apache.qpid.server.model.Protocol; import org.apache.qpid.server.model.Transport; +import org.apache.qpid.server.model.port.AmqpPort; +import org.apache.qpid.server.model.port.HttpPort; import org.apache.qpid.server.protocol.MultiVersionProtocolEngineFactory; import org.apache.qpid.server.transport.AcceptingTransport; import org.apache.qpid.server.util.ServerScopedRuntimeException; import org.apache.qpid.transport.Sender; import org.apache.qpid.transport.network.NetworkConnection; +import org.apache.qpid.transport.network.security.ssl.SSLUtil; class WebSocketProvider implements AcceptingTransport { @@ -103,6 +104,7 @@ class WebSocketProvider implements AcceptingTransport { SslContextFactory factory = new SslContextFactory(); factory.setSslContext(_sslContext); + factory.addExcludeProtocols(SSLUtil.SSLV3_PROTOCOL); factory.setNeedClientAuth(true); connector = new SslSelectChannelConnector(factory); } diff --git a/qpid/java/broker-plugins/websocket/src/main/java/org/apache/qpid/server/transport/websocket/WebSocketTransportProvider.java b/qpid/java/broker-plugins/websocket/src/main/java/org/apache/qpid/server/transport/websocket/WebSocketTransportProvider.java index 346e29e212..c7578adb91 100644 --- a/qpid/java/broker-plugins/websocket/src/main/java/org/apache/qpid/server/transport/websocket/WebSocketTransportProvider.java +++ b/qpid/java/broker-plugins/websocket/src/main/java/org/apache/qpid/server/transport/websocket/WebSocketTransportProvider.java @@ -24,9 +24,9 @@ import java.util.Set; import javax.net.ssl.SSLContext; -import org.apache.qpid.server.model.Port; import org.apache.qpid.server.model.Protocol; import org.apache.qpid.server.model.Transport; +import org.apache.qpid.server.model.port.AmqpPort; import org.apache.qpid.server.transport.AcceptingTransport; import org.apache.qpid.server.transport.TransportProvider; 
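Review bot: In the WebSocketProvider `@@ -103` hunk, the new `factory.addExcludeProtocols(SSLUtil.SSLV3_PROTOCOL);` line carries no explanation and is the third copy of the same hardening call in this commit, so the next change to one connector can easily leave the others behind. A why-comment such as `// QPID-6156: never negotiate SSLv3 (POODLE); keep in sync with the HTTP management connector` would help, and hoisting the Jetty-side exclusion into one shared helper would keep the connectors consistent. Here the exclusion is layered on an externally supplied `_sslContext` via `setSslContext`, so it relies on Jetty still customizing the engine for that path; a test that an SSLv3-only client hello is rejected on the WebSocket port would pin that down. The enclosing method continues outside the hunk.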
@@ -39,7 +39,7 @@ class WebSocketTransportProvider implements TransportProvider @Override public AcceptingTransport createTransport(final Set<Transport> transports, final SSLContext sslContext, - final Port port, + final AmqpPort<?> port, final Set<Protocol> supported, final Protocol defaultSupportedProtocolReply) { |
