|
 |
eb29d7 |
From 53134a2d0ba5a497ad789ee0412ba92c2d4ef11c Mon Sep 17 00:00:00 2001
|
|
|
eb29d7 |
From: Christina Fu <cfu@redhat.com>
|
|
|
eb29d7 |
Date: Tue, 18 Nov 2014 18:28:53 -0800
|
|
|
eb29d7 |
Subject: [PATCH] bugzilla 871171 (client-side code) Provide Tomcat support
|
|
|
eb29d7 |
for TLS v1.1 and TLS v1.2
|
|
|
eb29d7 |
|
|
|
eb29d7 |
---
|
|
|
eb29d7 |
.../com/netscape/certsrv/client/PKIConnection.java | 19 +++++++
|
|
|
eb29d7 |
.../src/com/netscape/cmstools/HttpClient.java | 59 +++++++-------------
|
|
|
eb29d7 |
.../cmscore/ldapconn/LdapJssSSLSocketFactory.java | 7 ++-
|
|
|
eb29d7 |
.../netscape/cmsutil/http/JssSSLSocketFactory.java | 62 ++--------------------
|
|
|
eb29d7 |
4 files changed, 44 insertions(+), 103 deletions(-)
|
|
|
eb29d7 |
|
|
|
eb29d7 |
diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
|
|
|
eb29d7 |
index cf103a9..4d298a7 100644
|
|
|
eb29d7 |
--- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java
|
|
|
eb29d7 |
+++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
|
|
|
eb29d7 |
@@ -472,6 +472,23 @@ public class PKIConnection {
|
|
|
eb29d7 |
localAddr = localAddress.getAddress();
|
|
|
eb29d7 |
}
|
|
|
eb29d7 |
|
|
|
eb29d7 |
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range =
|
|
|
eb29d7 |
+ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
|
|
|
eb29d7 |
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0,
|
|
|
eb29d7 |
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
|
|
|
eb29d7 |
+
|
|
|
eb29d7 |
+ SSLSocket.setSSLVersionRangeDefault(
|
|
|
eb29d7 |
+ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.STREAM,
|
|
|
eb29d7 |
+ stream_range);
|
|
|
eb29d7 |
+
|
|
|
eb29d7 |
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange datagram_range =
|
|
|
eb29d7 |
+ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
|
|
|
eb29d7 |
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1,
|
|
|
eb29d7 |
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
|
|
|
eb29d7 |
+
|
|
|
eb29d7 |
+ SSLSocket.setSSLVersionRangeDefault(
|
|
|
eb29d7 |
+ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.DATA_GRAM,
|
|
|
eb29d7 |
+ datagram_range);
|
|
|
eb29d7 |
SSLSocket socket;
|
|
|
eb29d7 |
if (sock == null) {
|
|
|
eb29d7 |
socket = new SSLSocket(InetAddress.getByName(hostName),
|
|
|
eb29d7 |
@@ -484,6 +501,8 @@ public class PKIConnection {
|
|
|
eb29d7 |
} else {
|
|
|
eb29d7 |
socket = new SSLSocket(sock, hostName, new ServerCertApprovalCB(), null);
|
|
|
eb29d7 |
}
|
|
|
eb29d7 |
+// setSSLVersionRange needs to be exposed in jss
|
|
|
eb29d7 |
+// socket.setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0, org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
|
|
|
eb29d7 |
|
|
|
eb29d7 |
String certNickname = config.getCertNickname();
|
|
|
eb29d7 |
if (certNickname != null) {
|
|
|
eb29d7 |
diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
|
|
|
eb29d7 |
index cd6a6ea..1323752 100644
|
|
|
eb29d7 |
--- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java
|
|
|
eb29d7 |
+++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
|
|
|
eb29d7 |
@@ -55,27 +55,6 @@ public class HttpClient {
|
|
|
eb29d7 |
private boolean _secure = false;
|
|
|
eb29d7 |
|
|
|
eb29d7 |
public static final int ARGC = 1;
|
|
|
eb29d7 |
- static final int cipherSuites[] = {
|
|
|
eb29d7 |
- SSLSocket.SSL3_RSA_WITH_RC4_128_MD5,
|
|
|
eb29d7 |
- SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA,
|
|
|
eb29d7 |
- SSLSocket.SSL3_RSA_WITH_DES_CBC_SHA,
|
|
|
eb29d7 |
- SSLSocket.SSL3_RSA_EXPORT_WITH_RC4_40_MD5,
|
|
|
eb29d7 |
- SSLSocket.SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
|
|
|
eb29d7 |
- SSLSocket.SSL3_RSA_WITH_NULL_MD5,
|
|
|
eb29d7 |
- SSLSocket.TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
|
|
|
eb29d7 |
- SSLSocket.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
|
|
|
eb29d7 |
- SSLSocket.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
|
|
|
eb29d7 |
- SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
|
|
eb29d7 |
- SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA,
|
|
|
eb29d7 |
- SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA,
|
|
|
eb29d7 |
- SSLSocket.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
|
|
|
eb29d7 |
- SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
|
|
eb29d7 |
- SSLSocket.TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
|
|
|
eb29d7 |
- SSLSocket.TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
|
|
|
eb29d7 |
- SSLSocket.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
|
|
|
eb29d7 |
- SSLSocket.TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
|
|
|
eb29d7 |
- 0
|
|
|
eb29d7 |
- };
|
|
|
eb29d7 |
|
|
|
eb29d7 |
public HttpClient(String host, int port, String secure)
|
|
|
eb29d7 |
throws Exception {
|
|
|
eb29d7 |
@@ -148,27 +127,27 @@ public class HttpClient {
|
|
|
eb29d7 |
|
|
|
eb29d7 |
int i;
|
|
|
eb29d7 |
|
|
|
eb29d7 |
- for (i = SSLSocket.SSL2_RC4_128_WITH_MD5; i <= SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5; ++i) {
|
|
|
eb29d7 |
- try {
|
|
|
eb29d7 |
- SSLSocket.setCipherPreferenceDefault(i, false);
|
|
|
eb29d7 |
- } catch (SocketException e) {
|
|
|
eb29d7 |
- }
|
|
|
eb29d7 |
- }
|
|
|
eb29d7 |
- //skip SSL_EN_IDEA_128_EDE3_CBC_WITH_MD5
|
|
|
eb29d7 |
- for (i = SSLSocket.SSL2_DES_64_CBC_WITH_MD5; i <= SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5; ++i) {
|
|
|
eb29d7 |
- try {
|
|
|
eb29d7 |
- SSLSocket.setCipherPreferenceDefault(i, false);
|
|
|
eb29d7 |
- } catch (SocketException e) {
|
|
|
eb29d7 |
- }
|
|
|
eb29d7 |
- }
|
|
|
eb29d7 |
- for (i = 0; cipherSuites[i] != 0; ++i) {
|
|
|
eb29d7 |
- try {
|
|
|
eb29d7 |
- SSLSocket.setCipherPreferenceDefault(cipherSuites[i], true);
|
|
|
eb29d7 |
- } catch (SocketException e) {
|
|
|
eb29d7 |
- }
|
|
|
eb29d7 |
- }
|
|
|
eb29d7 |
SSLHandshakeCompletedListener listener = new ClientHandshakeCB(this);
|
|
|
eb29d7 |
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range =
|
|
|
eb29d7 |
+ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
|
|
|
eb29d7 |
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0,
|
|
|
eb29d7 |
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
|
|
|
eb29d7 |
+
|
|
|
eb29d7 |
+ SSLSocket.setSSLVersionRangeDefault(
|
|
|
eb29d7 |
+ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.STREAM,
|
|
|
eb29d7 |
+ stream_range);
|
|
|
eb29d7 |
+
|
|
|
eb29d7 |
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange datagram_range =
|
|
|
eb29d7 |
+ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
|
|
|
eb29d7 |
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1,
|
|
|
eb29d7 |
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
|
|
|
eb29d7 |
+
|
|
|
eb29d7 |
+ SSLSocket.setSSLVersionRangeDefault(
|
|
|
eb29d7 |
+ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.DATA_GRAM,
|
|
|
eb29d7 |
+ datagram_range);
|
|
|
eb29d7 |
sslSocket = new SSLSocket(_host, _port);
|
|
|
eb29d7 |
+ // setSSLVersionRange needs to be exposed in jss
|
|
|
eb29d7 |
+ // sslSocket.setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0, org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
|
|
|
eb29d7 |
sslSocket.addHandshakeCompletedListener(listener);
|
|
|
eb29d7 |
|
|
|
eb29d7 |
CryptoToken tt = cm.getThreadToken();
|
|
|
eb29d7 |
diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
|
|
|
eb29d7 |
index 4d9e602..720882a 100644
|
|
|
eb29d7 |
--- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
|
|
|
eb29d7 |
+++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
|
|
|
eb29d7 |
@@ -51,12 +51,11 @@ public class LdapJssSSLSocketFactory implements LDAPSSLSocketFactoryExt {
|
|
|
eb29d7 |
SSLSocket s = null;
|
|
|
eb29d7 |
|
|
|
eb29d7 |
try {
|
|
|
eb29d7 |
- SSLSocket.enableSSL2Default(false);
|
|
|
eb29d7 |
+ /*
|
|
|
eb29d7 |
+ * let inherit TLS range and cipher settings
|
|
|
eb29d7 |
+ */
|
|
|
eb29d7 |
s = new SSLSocket(host, port);
|
|
|
eb29d7 |
s.setUseClientMode(true);
|
|
|
eb29d7 |
- s.enableSSL2(false);
|
|
|
eb29d7 |
- //TODO Do we really want to set the default each time?
|
|
|
eb29d7 |
- SSLSocket.enableSSL2Default(false);
|
|
|
eb29d7 |
s.enableV2CompatibleHello(false);
|
|
|
eb29d7 |
|
|
|
eb29d7 |
SSLHandshakeCompletedListener listener = null;
|
|
|
eb29d7 |
diff --git a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java
|
|
|
eb29d7 |
index fcf5fc1..2f8a40c 100644
|
|
|
eb29d7 |
--- a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java
|
|
|
eb29d7 |
+++ b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java
|
|
|
eb29d7 |
@@ -47,54 +47,6 @@ public class JssSSLSocketFactory implements ISocketFactory {
|
|
|
eb29d7 |
mClientAuthCertNickname = certNickname;
|
|
|
eb29d7 |
}
|
|
|
eb29d7 |
|
|
|
eb29d7 |
- // XXX remove these static SSL cipher suite initializations later on.
|
|
|
eb29d7 |
- static final int cipherSuites[] = {
|
|
|
eb29d7 |
- SSLSocket.SSL3_RSA_WITH_RC4_128_MD5,
|
|
|
eb29d7 |
- SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA,
|
|
|
eb29d7 |
- SSLSocket.SSL3_RSA_WITH_DES_CBC_SHA,
|
|
|
eb29d7 |
- SSLSocket.SSL3_RSA_EXPORT_WITH_RC4_40_MD5,
|
|
|
eb29d7 |
- SSLSocket.SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
|
|
|
eb29d7 |
- SSLSocket.SSL3_RSA_WITH_NULL_MD5,
|
|
|
eb29d7 |
- SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
|
|
eb29d7 |
- SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA,
|
|
|
eb29d7 |
- SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA,
|
|
|
eb29d7 |
- SSLSocket.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
|
|
|
eb29d7 |
- SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
|
|
eb29d7 |
- //SSLSocket.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
|
|
eb29d7 |
- //SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
|
|
eb29d7 |
- //SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
|
|
eb29d7 |
- SSLSocket.TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
|
|
|
eb29d7 |
- SSLSocket.TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
|
|
|
eb29d7 |
- SSLSocket.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
|
|
|
eb29d7 |
- SSLSocket.TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
|
|
|
eb29d7 |
- 0
|
|
|
eb29d7 |
- };
|
|
|
eb29d7 |
-
|
|
|
eb29d7 |
- static {
|
|
|
eb29d7 |
- int i;
|
|
|
eb29d7 |
-
|
|
|
eb29d7 |
- for (i = SSLSocket.SSL2_RC4_128_WITH_MD5; i <= SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5; ++i) {
|
|
|
eb29d7 |
- try {
|
|
|
eb29d7 |
- SSLSocket.setCipherPreferenceDefault(i, false);
|
|
|
eb29d7 |
- } catch (SocketException e) {
|
|
|
eb29d7 |
- }
|
|
|
eb29d7 |
- }
|
|
|
eb29d7 |
-
|
|
|
eb29d7 |
- //skip SSL_EN_IDEA_128_EDE3_CBC_WITH_MD5
|
|
|
eb29d7 |
- for (i = SSLSocket.SSL2_DES_64_CBC_WITH_MD5; i <= SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5; ++i) {
|
|
|
eb29d7 |
- try {
|
|
|
eb29d7 |
- SSLSocket.setCipherPreferenceDefault(i, false);
|
|
|
eb29d7 |
- } catch (SocketException e) {
|
|
|
eb29d7 |
- }
|
|
|
eb29d7 |
- }
|
|
|
eb29d7 |
- for (i = 0; cipherSuites[i] != 0; ++i) {
|
|
|
eb29d7 |
- try {
|
|
|
eb29d7 |
- SSLSocket.setCipherPreferenceDefault(cipherSuites[i], true);
|
|
|
eb29d7 |
- } catch (SocketException e) {
|
|
|
eb29d7 |
- }
|
|
|
eb29d7 |
- }
|
|
|
eb29d7 |
- }
|
|
|
eb29d7 |
-
|
|
|
eb29d7 |
public Socket makeSocket(String host, int port)
|
|
|
eb29d7 |
throws IOException, UnknownHostException {
|
|
|
eb29d7 |
return makeSocket(host, port, null, null);
|
|
|
eb29d7 |
@@ -106,20 +58,12 @@ public class JssSSLSocketFactory implements ISocketFactory {
|
|
|
eb29d7 |
throws IOException, UnknownHostException {
|
|
|
eb29d7 |
|
|
|
eb29d7 |
try {
|
|
|
eb29d7 |
+ /*
|
|
|
eb29d7 |
+ * let inherit tls range and cipher settings
|
|
|
eb29d7 |
+ */
|
|
|
eb29d7 |
s = new SSLSocket(host, port, null, 0, certApprovalCallback,
|
|
|
eb29d7 |
clientCertCallback);
|
|
|
eb29d7 |
- for (int i = 0; cipherSuites[i] != 0; ++i) {
|
|
|
eb29d7 |
- try {
|
|
|
eb29d7 |
- SSLSocket.setCipherPreferenceDefault(cipherSuites[i], true);
|
|
|
eb29d7 |
- } catch (SocketException e) {
|
|
|
eb29d7 |
- }
|
|
|
eb29d7 |
- }
|
|
|
eb29d7 |
-
|
|
|
eb29d7 |
s.setUseClientMode(true);
|
|
|
eb29d7 |
- s.enableSSL2(false);
|
|
|
eb29d7 |
- //TODO Do we rally want to set the default each time?
|
|
|
eb29d7 |
- SSLSocket.enableSSL2Default(false);
|
|
|
eb29d7 |
- s.enableV2CompatibleHello(false);
|
|
|
eb29d7 |
|
|
|
eb29d7 |
SSLHandshakeCompletedListener listener = null;
|
|
|
eb29d7 |
|
|
|
eb29d7 |
--
|
|
|
eb29d7 |
1.8.3.1
|
|
|
eb29d7 |
|