authorChristina Fu <cfu@redhat.com>2015-10-20 14:06:11 +0200
committerChristina Fu <cfu@redhat.com>2015-10-20 16:17:26 +0200
commit562a49f08df2adb1a3f233a9b7490575182ece04 (patch)
tree1e304bb3b022ab5c67a80f5fe10facc99b69e7c3
parent14c3c2992fc5eccb7cafad38d0b5a0e7503982d5 (diff)
Ticket #1648 [RFE] provide separate cipher lists for CS instances acting as client and server

This patch provides subsystem->subsystem cipher configuration when acting as a client.
-rw-r--r--base/ca/src/com/netscape/ca/CAService.java6
-rw-r--r--base/common/src/com/netscape/certsrv/apps/CMS.java3
-rw-r--r--base/common/src/com/netscape/certsrv/apps/ICMSEngine.java1
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java3
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java10
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java16
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java9
-rw-r--r--base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java2
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/cms/ConnectionManager.java10
-rw-r--r--base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java250
-rw-r--r--base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java13
11 files changed, 303 insertions, 20 deletions
diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java
index a49d641ce..db692e3d0 100644
--- a/base/ca/src/com/netscape/ca/CAService.java
+++ b/base/ca/src/com/netscape/ca/CAService.java
@@ -290,11 +290,13 @@ public class CAService implements ICAService, IService {
// Changed by beomsuk
//connector =
// new HttpConnector(mCA, nickname, remauthority, resendInterval);
+
+ String clientCiphers = config.getString("clientCiphers", null);
if (timeout == 0)
- connector = new HttpConnector((IAuthority) mCA, nickname, remauthority, resendInterval, config);
+ connector = new HttpConnector((IAuthority) mCA, nickname, clientCiphers, remauthority, resendInterval, config);
else
connector =
- new HttpConnector((IAuthority) mCA, nickname, remauthority, resendInterval, config, timeout);
+ new HttpConnector((IAuthority) mCA, nickname, clientCiphers, remauthority, resendInterval, config, timeout);
// Change end
// log(ILogger.LL_INFO, "remote authority "+
diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java
index 187b1028a..2a88e2c33 100644
--- a/base/common/src/com/netscape/certsrv/apps/CMS.java
+++ b/base/common/src/com/netscape/certsrv/apps/CMS.java
@@ -896,8 +896,9 @@ public final class CMS {
* @return resender
*/
public static IResender getResender(IAuthority authority, String nickname,
+ String clientCiphers,
IRemoteAuthority remote, int interval) {
- return _engine.getResender(authority, nickname, remote, interval);
+ return _engine.getResender(authority, nickname, clientCiphers, remote, interval);
}
/**
diff --git a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
index bf1d3ff61..e9b5b765f 100644
--- a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
+++ b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
@@ -1051,6 +1051,7 @@ public interface ICMSEngine extends ISubsystem {
* @return resender
*/
public IResender getResender(IAuthority authority, String nickname,
+ String clientCiphers,
IRemoteAuthority remote, int interval);
/**
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index 2452a417f..77f913636 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -1010,8 +1010,9 @@ public class CMSEngine implements ICMSEngine {
}
public IResender getResender(IAuthority authority, String nickname,
+ String clientCiphers,
IRemoteAuthority remote, int interval) {
- return new Resender(authority, nickname, remote, interval);
+ return new Resender(authority, nickname, clientCiphers, remote, interval);
}
public IPKIMessage getHttpPKIMessage() {
diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java
index db2a51afd..47f5e6108 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java
@@ -43,6 +43,7 @@ public class HttpConnFactory {
private IAuthority mSource;
private IRemoteAuthority mDest = null;
private String mNickname = "";
+ private String mClientCiphers = null;
private int mTimeout = 0;
/**
@@ -59,13 +60,18 @@ public class HttpConnFactory {
* @param maxConns max number of connections to have available. This is
* @param serverInfo server connection info - host, port, etc.
*/
- public HttpConnFactory(int minConns, int maxConns, IAuthority source, IRemoteAuthority dest, String nickname,
+ public HttpConnFactory(int minConns, int maxConns, IAuthority source, IRemoteAuthority dest, String nickname, String clientCiphers,
int timeout) throws EBaseException {
CMS.debug("In HttpConnFactory constructor mTimeout " + timeout);
+ if (mClientCiphers != null)
+ CMS.debug("In HttpConnFactory constructor mClientCiphers: " + mClientCiphers);
+ else
+ CMS.debug("In HttpConnFactory constructor mClientCiphers not specified, will take default ");
mSource = source;
mDest = dest;
mNickname = nickname;
+ mClientCiphers = clientCiphers;
mTimeout = timeout;
init(minConns, maxConns);
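Review bot: The added debug check tests the field `mClientCiphers` before `mClientCiphers = clientCiphers;` has run, so it still holds its initializer `null` and the constructor always logs "not specified, will take default", even when a list was passed in. Test the parameter instead, `if (clientCiphers != null) CMS.debug("In HttpConnFactory constructor mClientCiphers: " + clientCiphers);`, or move the assignment above the check. A log line that misreports the effective cipher configuration makes it harder to audit which suites a connector is really using. The constructor body continues outside the hunk.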
@@ -120,7 +126,7 @@ public class HttpConnFactory {
CMS.debug("In HttpConnFactory.createConnection.");
try {
- ISocketFactory tFactory = new JssSSLSocketFactory(mNickname);
+ ISocketFactory tFactory = new JssSSLSocketFactory(mNickname, mClientCiphers);
if (mTimeout == 0) {
retConn = CMS.getHttpConnection(mDest, tFactory);
diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java
index 9b6f8dd93..398becc20 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java
@@ -49,13 +49,13 @@ public class HttpConnector implements IConnector {
private HttpConnFactory mConnFactory = null;
- public HttpConnector(IAuthority source, String nickName,
+ public HttpConnector(IAuthority source, String nickName, String clientCiphers,
IRemoteAuthority dest, int resendInterval, IConfigStore config) throws EBaseException {
mTimeout = 0;
mSource = source;
mDest = dest;
- mFactory = new JssSSLSocketFactory(nickName);
+ mFactory = new JssSSLSocketFactory(nickName, clientCiphers);
int minConns = config.getInteger("minHttpConns", 1);
int maxConns = config.getInteger("maxHttpConns", 15);
@@ -64,7 +64,7 @@ public class HttpConnector implements IConnector {
CMS.debug("HttpConn: max " + maxConns);
try {
- mConnFactory = new HttpConnFactory(minConns, maxConns, source, dest, nickName, 0);
+ mConnFactory = new HttpConnFactory(minConns, maxConns, source, dest, nickName, clientCiphers, 0);
} catch (EBaseException e) {
CMS.debug("can't create new HttpConnFactory " + e.toString());
}
@@ -72,17 +72,17 @@ public class HttpConnector implements IConnector {
// mConn = CMS.getHttpConnection(dest, mFactory);
// this will start resending past requests in parallel.
if (resendInterval >= 0) {
- mResender = CMS.getResender(mSource, nickName, dest, resendInterval);
+ mResender = CMS.getResender(mSource, nickName, clientCiphers, dest, resendInterval);
}
}
// Inserted by beomsuk
- public HttpConnector(IAuthority source, String nickName,
+ public HttpConnector(IAuthority source, String nickName, String clientCiphers,
IRemoteAuthority dest, int resendInterval, IConfigStore config, int timeout) throws EBaseException {
mSource = source;
mDest = dest;
mTimeout = timeout;
- mFactory = new JssSSLSocketFactory(nickName);
+ mFactory = new JssSSLSocketFactory(nickName, clientCiphers);
int minConns = config.getInteger("minHttpConns", 1);
int maxConns = config.getInteger("maxHttpConns", 15);
@@ -91,14 +91,14 @@ public class HttpConnector implements IConnector {
CMS.debug("HttpConn: max " + maxConns);
try {
- mConnFactory = new HttpConnFactory(minConns, maxConns, source, dest, nickName, timeout);
+ mConnFactory = new HttpConnFactory(minConns, maxConns, source, dest, nickName, clientCiphers, timeout);
} catch (EBaseException e) {
CMS.debug("can't create new HttpConnFactory");
}
// this will start resending past requests in parallel.
if (resendInterval >= 0) {
- mResender = CMS.getResender(mSource, nickName, dest, resendInterval);
+ mResender = CMS.getResender(mSource, nickName, clientCiphers, dest, resendInterval);
}
}
diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java b/base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java
index a949b993e..e6d9ceda7 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java
@@ -57,6 +57,7 @@ public class Resender implements IResender {
protected HttpConnection mConn = null;
protected String mNickName = null;
+ protected String mClientCiphers = null;
protected boolean connected = false;
// default interval.
@@ -64,20 +65,22 @@ public class Resender implements IResender {
// was down (versus being serviced in request queue)
protected int mInterval = 1 * MINUTE;
- public Resender(IAuthority authority, String nickName, IRemoteAuthority dest) {
+ public Resender(IAuthority authority, String nickName, String clientCiphers, IRemoteAuthority dest) {
mAuthority = authority;
mQueue = mAuthority.getRequestQueue();
mDest = dest;
mNickName = nickName;
+ mClientCiphers = clientCiphers;
}
public Resender(
- IAuthority authority, String nickName,
+ IAuthority authority, String nickName, String clientCiphers,
IRemoteAuthority dest, int interval) {
mAuthority = authority;
mQueue = mAuthority.getRequestQueue();
mDest = dest;
mNickName = nickName;
+ mClientCiphers = clientCiphers;
if (interval > 0)
mInterval = interval; // interval specified in seconds.
}
@@ -124,7 +127,7 @@ public class Resender implements IResender {
if (! connected) {
CMS.debug("Connecting ...");
- mConn = new HttpConnection(mDest, new JssSSLSocketFactory(mNickName));
+ mConn = new HttpConnection(mDest, new JssSSLSocketFactory(mNickName, mClientCiphers));
initRequests();
connected = true;
}
diff --git a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
index 36a263e92..b45b33b5f 100644
--- a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
+++ b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
@@ -509,7 +509,7 @@ public class CMSEngineDefaultStub implements ICMSEngine {
return null;
}
- public IResender getResender(IAuthority authority, String nickname, IRemoteAuthority remote, int interval) {
+ public IResender getResender(IAuthority authority, String nickname, String clientCiphers, IRemoteAuthority remote, int interval) {
return null;
}
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/ConnectionManager.java b/base/tps/src/org/dogtagpki/server/tps/cms/ConnectionManager.java
index 2b5ab2208..692d4ba87 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/ConnectionManager.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/ConnectionManager.java
@@ -178,6 +178,12 @@ public class ConnectionManager
CMS.debug("ConnectionManager: createConnector(): nickName not found in config");
throw new EBaseException("nickName not found in config");
}
+ /*
+ * if tps.connector.<ca>.clientCiphers is specified, it will
+ * override the default; If it is not specified, default will
+ * be used.
+ */
+ String clientCiphers = conf.getString("clientCiphers", null);
// "resendInterval" is for Request Queue, and not supported in TPS
int resendInterval = -1;
@@ -188,10 +194,10 @@ public class ConnectionManager
CMS.debug("ConnectionManager: createConnector(): establishing HttpConnector");
if (timeout == 0) {
connector =
- new HttpConnector(null, nickname, remauthority, resendInterval, conf);
+ new HttpConnector(null, nickname, clientCiphers, remauthority, resendInterval, conf);
} else {
connector =
- new HttpConnector(null, nickname, remauthority, resendInterval, conf, timeout);
+ new HttpConnector(null, nickname, clientCiphers, remauthority, resendInterval, conf, timeout);
}
CMS.debug("ConnectionManager: createConnector(): ends.");
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index 8ef96d564..2a3f95528 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -132,6 +132,7 @@ import org.mozilla.jss.util.Password;
import com.netscape.cmsutil.util.Cert;
import com.netscape.cmsutil.util.Utils;
+
@SuppressWarnings("serial")
public class CryptoUtil {
@@ -692,6 +693,242 @@ public class CryptoUtil {
return pair;
}
+
+ private static HashMap<String, Integer> cipherMap = new HashMap<String, Integer>();
+ static {
+ // SSLv2
+ cipherMap.put("SSL2_RC4_128_WITH_MD5", SSLSocket.SSL2_RC4_128_WITH_MD5);
+ cipherMap.put("SSL2_RC4_128_EXPORT40_WITH_MD5",
+ SSLSocket.SSL2_RC4_128_EXPORT40_WITH_MD5);
+ cipherMap.put("SSL2_RC2_128_CBC_WITH_MD5",
+ SSLSocket.SSL2_RC2_128_CBC_WITH_MD5);
+ cipherMap.put("SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
+ SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5);
+ cipherMap.put("SSL2_IDEA_128_CBC_WITH_MD5",
+ SSLSocket.SSL2_IDEA_128_CBC_WITH_MD5);
+ cipherMap.put("SSL2_DES_64_CBC_WITH_MD5",
+ SSLSocket.SSL2_DES_64_CBC_WITH_MD5);
+ cipherMap.put("SSL2_DES_192_EDE3_CBC_WITH_MD5",
+ SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5);
+
+ // SSLv3
+ cipherMap.put("SSL3_RSA_WITH_NULL_MD5",
+ SSLSocket.SSL3_RSA_WITH_NULL_MD5);
+ cipherMap.put("SSL3_RSA_WITH_NULL_SHA",
+ SSLSocket.SSL3_RSA_WITH_NULL_SHA);
+ cipherMap.put("SSL3_RSA_EXPORT_WITH_RC4_40_MD5",
+ SSLSocket.SSL3_RSA_EXPORT_WITH_RC4_40_MD5);
+ cipherMap.put("SSL3_RSA_WITH_RC4_128_MD5",
+ SSLSocket.SSL3_RSA_WITH_RC4_128_MD5);
+ cipherMap.put("SSL3_RSA_WITH_RC4_128_SHA",
+ SSLSocket.SSL3_RSA_WITH_RC4_128_SHA);
+ cipherMap.put("SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
+ SSLSocket.SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5);
+ cipherMap.put("SSL3_RSA_WITH_IDEA_CBC_SHA",
+ SSLSocket.SSL3_RSA_WITH_IDEA_CBC_SHA);
+ cipherMap.put("SSL3_RSA_EXPORT_WITH_DES40_CBC_SHA",
+ SSLSocket.SSL3_RSA_EXPORT_WITH_DES40_CBC_SHA);
+ cipherMap.put("SSL3_RSA_WITH_DES_CBC_SHA",
+ SSLSocket.SSL3_RSA_WITH_DES_CBC_SHA);
+ cipherMap.put("SSL3_RSA_WITH_3DES_EDE_CBC_SHA",
+ SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA);
+
+ cipherMap.put("SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
+ SSLSocket.SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA);
+ cipherMap.put("SSL3_DH_DSS_WITH_DES_CBC_SHA",
+ SSLSocket.SSL3_DH_DSS_WITH_DES_CBC_SHA);
+ cipherMap.put("SSL3_DH_DSS_WITH_3DES_EDE_CBC_SHA",
+ SSLSocket.SSL3_DH_DSS_WITH_3DES_EDE_CBC_SHA);
+ cipherMap.put("SSL3_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
+ SSLSocket.SSL3_DH_RSA_EXPORT_WITH_DES40_CBC_SHA);
+ cipherMap.put("SSL3_DH_RSA_WITH_DES_CBC_SHA",
+ SSLSocket.SSL3_DH_RSA_WITH_DES_CBC_SHA);
+ cipherMap.put("SSL3_DH_RSA_WITH_3DES_EDE_CBC_SHA",
+ SSLSocket.SSL3_DH_RSA_WITH_3DES_EDE_CBC_SHA);
+
+ cipherMap.put("SSL3_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
+ SSLSocket.SSL3_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA);
+ cipherMap.put("SSL3_DHE_DSS_WITH_DES_CBC_SHA",
+ SSLSocket.SSL3_DHE_DSS_WITH_DES_CBC_SHA);
+ cipherMap.put("SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
+ SSLSocket.SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA);
+ cipherMap.put("SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
+ SSLSocket.SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA);
+ cipherMap.put("SSL3_DHE_RSA_WITH_DES_CBC_SHA",
+ SSLSocket.SSL3_DHE_RSA_WITH_DES_CBC_SHA);
+ cipherMap.put("SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
+ SSLSocket.SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA);
+
+ cipherMap.put("SSL3_DH_ANON_EXPORT_WITH_RC4_40_MD5",
+ SSLSocket.SSL3_DH_ANON_EXPORT_WITH_RC4_40_MD5);
+ cipherMap.put("SSL3_DH_ANON_WITH_RC4_128_MD5",
+ SSLSocket.SSL3_DH_ANON_WITH_RC4_128_MD5);
+ cipherMap.put("SSL3_DH_ANON_EXPORT_WITH_DES40_CBC_SHA",
+ SSLSocket.SSL3_DH_ANON_EXPORT_WITH_DES40_CBC_SHA);
+ cipherMap.put("SSL3_DH_ANON_WITH_DES_CBC_SHA",
+ SSLSocket.SSL3_DH_ANON_WITH_DES_CBC_SHA);
+ cipherMap.put("SSL3_DH_ANON_WITH_3DES_EDE_CBC_SHA",
+ SSLSocket.SSL3_DH_ANON_WITH_3DES_EDE_CBC_SHA);
+
+ cipherMap.put("SSL3_FORTEZZA_DMS_WITH_NULL_SHA",
+ SSLSocket.SSL3_FORTEZZA_DMS_WITH_NULL_SHA);
+ cipherMap.put("SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA",
+ SSLSocket.SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA);
+ cipherMap.put("SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA",
+ SSLSocket.SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA);
+
+ cipherMap.put("SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
+ SSLSocket.SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA);
+ cipherMap.put("SSL_RSA_FIPS_WITH_DES_CBC_SHA",
+ SSLSocket.SSL_RSA_FIPS_WITH_DES_CBC_SHA);
+
+ // TLS
+ cipherMap.put("TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
+ SSLSocket.TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA);
+ cipherMap.put("TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
+ SSLSocket.TLS_RSA_EXPORT1024_WITH_RC4_56_SHA);
+
+ cipherMap.put("TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
+ SSLSocket.TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA);
+ cipherMap.put("TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA",
+ SSLSocket.TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA);
+ cipherMap.put("TLS_DHE_DSS_WITH_RC4_128_SHA",
+ SSLSocket.TLS_DHE_DSS_WITH_RC4_128_SHA);
+
+ cipherMap.put("TLS_RSA_WITH_AES_128_CBC_SHA",
+ SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA);
+ cipherMap.put("TLS_DH_DSS_WITH_AES_128_CBC_SHA",
+ SSLSocket.TLS_DH_DSS_WITH_AES_128_CBC_SHA);
+ cipherMap.put("TLS_DH_RSA_WITH_AES_128_CBC_SHA",
+ SSLSocket.TLS_DH_RSA_WITH_AES_128_CBC_SHA);
+ cipherMap.put("TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
+ SSLSocket.TLS_DHE_DSS_WITH_AES_128_CBC_SHA);
+ cipherMap.put("TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
+ SSLSocket.TLS_DHE_RSA_WITH_AES_128_CBC_SHA);
+ cipherMap.put("TLS_DH_ANON_WITH_AES_128_CBC_SHA",
+ SSLSocket.TLS_DH_ANON_WITH_AES_128_CBC_SHA);
+
+ cipherMap.put("TLS_RSA_WITH_AES_256_CBC_SHA",
+ SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA);
+ cipherMap.put("TLS_DH_DSS_WITH_AES_256_CBC_SHA",
+ SSLSocket.TLS_DH_DSS_WITH_AES_256_CBC_SHA);
+ cipherMap.put("TLS_DH_RSA_WITH_AES_256_CBC_SHA",
+ SSLSocket.TLS_DH_RSA_WITH_AES_256_CBC_SHA);
+ cipherMap.put("TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
+ SSLSocket.TLS_DHE_DSS_WITH_AES_256_CBC_SHA);
+ cipherMap.put("TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
+ SSLSocket.TLS_DHE_RSA_WITH_AES_256_CBC_SHA);
+ cipherMap.put("TLS_DH_ANON_WITH_AES_256_CBC_SHA",
+ SSLSocket.TLS_DH_ANON_WITH_AES_256_CBC_SHA);
+
+ // ECC
+ cipherMap.put("TLS_ECDH_ECDSA_WITH_NULL_SHA",
+ SSLSocket.TLS_ECDH_ECDSA_WITH_NULL_SHA);
+ cipherMap.put("TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+ SSLSocket.TLS_ECDH_ECDSA_WITH_RC4_128_SHA);
+ cipherMap.put("TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
+ SSLSocket.TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA);
+ cipherMap.put("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
+ SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA);
+ cipherMap.put("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
+ SSLSocket.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA);
+
+ cipherMap.put("TLS_ECDHE_ECDSA_WITH_NULL_SHA",
+ SSLSocket.TLS_ECDHE_ECDSA_WITH_NULL_SHA);
+ cipherMap.put("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+ SSLSocket.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA);
+ cipherMap.put("TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
+ SSLSocket.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA);
+ cipherMap.put("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+ SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA);
+ cipherMap.put("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+ SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA);
+
+ cipherMap.put("TLS_ECDHE_RSA_WITH_NULL_SHA",
+ SSLSocket.TLS_ECDHE_RSA_WITH_NULL_SHA);
+ cipherMap.put("TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+ SSLSocket.TLS_ECDHE_RSA_WITH_RC4_128_SHA);
+ cipherMap.put("TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+ SSLSocket.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA);
+ cipherMap.put("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+ SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA);
+ cipherMap.put("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+ SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA);
+
+ cipherMap.put("TLS_ECDH_anon_WITH_NULL_SHA",
+ SSLSocket.TLS_ECDH_anon_WITH_NULL_SHA);
+ cipherMap.put("TLS_ECDH_anon_WITH_RC4_128_SHA",
+ SSLSocket.TLS_ECDH_anon_WITH_RC4_128_SHA);
+ cipherMap.put("TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
+ SSLSocket.TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA);
+ cipherMap.put("TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
+ SSLSocket.TLS_ECDH_anon_WITH_AES_128_CBC_SHA);
+ cipherMap.put("TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
+ SSLSocket.TLS_ECDH_anon_WITH_AES_256_CBC_SHA);
+
+ // TLSv1_2
+ cipherMap.put("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
+ SSLSocket.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256);
+ cipherMap.put("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
+ SSLSocket.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256);
+ cipherMap.put("TLS_RSA_WITH_NULL_SHA256",
+ SSLSocket.TLS_RSA_WITH_NULL_SHA256);
+ cipherMap.put("TLS_RSA_WITH_AES_128_CBC_SHA256",
+ SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA256);
+ cipherMap.put("TLS_RSA_WITH_AES_256_CBC_SHA256",
+ SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA256);
+ cipherMap.put("TLS_RSA_WITH_SEED_CBC_SHA",
+ SSLSocket.TLS_RSA_WITH_SEED_CBC_SHA);
+ cipherMap.put("TLS_RSA_WITH_AES_128_GCM_SHA256",
+ SSLSocket.TLS_RSA_WITH_AES_128_GCM_SHA256);
+ cipherMap.put("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+ SSLSocket.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256);
+ cipherMap.put("TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
+ SSLSocket.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256);
+ cipherMap.put("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+ SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256);
+ cipherMap.put("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+ SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256);
+ cipherMap.put("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
+ cipherMap.put("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
+ SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256);
+ cipherMap.put("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
+ cipherMap.put("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
+ SSLSocket.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256);
+
+ }
+
+
+ // if clientOverrideCiphers is provided in config, use it
+ public static void setClientCiphers(String clientOverrideCiphers)
+ throws SocketException {
+ if (clientOverrideCiphers != null) {
+ String strCiphers[] = clientOverrideCiphers.split(",");
+ if (strCiphers.length != 0) {
+ unsetSSLCiphers();
+ int cipherid;
+ for (int i=0; i< strCiphers.length; i++) {
+ Object mapValue;
+
+ mapValue = cipherMap.get(strCiphers[i]);
+ if (mapValue == null) {
+ cipherid = 0;
+ } else {
+ cipherid = (Integer) mapValue;
+ }
+ if (cipherid != 0) {
+ SSLSocket.setCipherPreferenceDefault(cipherid, true);
+ }
+ }
+ }
+ return;
+ } else { //use default
+ setClientCiphers();
+ }
+ }
+
public static void setClientCiphers()
throws SocketException {
int ciphers[] = SSLSocket.getImplementedCipherSuites();
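Review bot: In `setClientCiphers(String)`, names that are not in `cipherMap` are dropped silently after `unsetSSLCiphers()` has already disabled every implemented suite, so a typo, or a space after a comma (entries are not trimmed), leaves the client with fewer suites than configured and possibly none, with nothing reported. Resolve and validate the whole list first and only then change the defaults, failing with the declared `SocketException` on an unknown name, as sketched below. Separately, `cipherMap` accepts SSL2, EXPORT, NULL and anonymous suite names, so this path will enable them if an operator lists them; consider rejecting those, or at least documenting that no strength filtering is applied here. The no-argument `setClientCiphers()` at the end of the hunk continues outside it.

```java
public static void setClientCiphers(String clientOverrideCiphers)
        throws SocketException {
    if (clientOverrideCiphers == null) {
        setClientCiphers(); // use default
        return;
    }
    // Resolve every name before touching the defaults, so a bad list
    // cannot leave the defaults half-applied.
    String[] names = clientOverrideCiphers.split(",");
    int[] ids = new int[names.length];
    for (int i = 0; i < names.length; i++) {
        Integer id = cipherMap.get(names[i].trim());
        if (id == null) {
            throw new SocketException(
                    "clientCiphers: unknown cipher suite \"" + names[i].trim() + "\"");
        }
        ids[i] = id;
    }
    unsetSSLCiphers();
    for (int id : ids) {
        SSLSocket.setCipherPreferenceDefault(id, true);
    }
}
```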
@@ -720,6 +957,19 @@ public class CryptoUtil {
}
}
+ /*
+ * unset all implemented cipehrs; for enforcing strict list of ciphers
+ */
+ private static void unsetSSLCiphers() throws SocketException {
+ int ciphers[] = SSLSocket.getImplementedCipherSuites();
+ try {
+ for (int i = 0; ciphers != null && i < ciphers.length; i++) {
+ SSLSocket.setCipherPreferenceDefault(ciphers[i], false);
+ }
+ } catch (Exception e) {
+ }
+ }
+
public static byte[] getModulus(PublicKey pubk) {
RSAPublicKey rsaKey = (RSAPublicKey) pubk;
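Review bot: `unsetSSLCiphers()` catches `Exception` with an empty body, so a failure part-way through the loop leaves some implemented suites still enabled while the caller goes on to enable the configured ones, and the "strict list" the comment promises is not enforced. The method already declares `throws SocketException`, so drop the `try`/`catch` and let the failure reach `setClientCiphers(String)`, keeping only `for (int i = 0; ciphers != null && i < ciphers.length; i++) { SSLSocket.setCipherPreferenceDefault(ciphers[i], false); }`. The comment above the method also has a typo: `cipehrs` should read `ciphers`.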
diff --git a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java
index 8c70480e2..eaed82167 100644
--- a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java
+++ b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java
@@ -29,6 +29,7 @@ import org.mozilla.jss.ssl.SSLHandshakeCompletedListener;
import org.mozilla.jss.ssl.SSLSocket;
import com.netscape.cmsutil.net.ISocketFactory;
+import com.netscape.cmsutil.crypto.CryptoUtil;
/**
* Uses NSS ssl socket.
@@ -37,6 +38,7 @@ import com.netscape.cmsutil.net.ISocketFactory;
*/
public class JssSSLSocketFactory implements ISocketFactory {
private String mClientAuthCertNickname = null;
+ private String mClientCiphers = null;
private SSLSocket s = null;
public JssSSLSocketFactory() {
@@ -46,6 +48,14 @@ public class JssSSLSocketFactory implements ISocketFactory {
mClientAuthCertNickname = certNickname;
}
+ public JssSSLSocketFactory(String certNickname, String ciphers) {
+ if (certNickname != null)
+ mClientAuthCertNickname = certNickname;
+
+ if (ciphers != null)
+ mClientCiphers = ciphers;
+ }
+
public Socket makeSocket(String host, int port)
throws IOException, UnknownHostException {
return makeSocket(host, port, null, null, 0);
@@ -60,7 +70,10 @@ public class JssSSLSocketFactory implements ISocketFactory {
try {
/*
* let inherit tls range and cipher settings
+ * unless it's overwritten by config
*/
+ if (mClientCiphers != null)
+ CryptoUtil.setClientCiphers(mClientCiphers);
s = new SSLSocket(host, port, null, 0, certApprovalCallback,
clientCertCallback);
s.setUseClientMode(true);
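Review bot: `CryptoUtil.setClientCiphers(mClientCiphers)` is called on every `makeSocket`, and it works through the static `SSLSocket.setCipherPreferenceDefault`, which looks like it changes defaults shared by the whole process rather than settings of this one socket. If so, two connectors with different `clientCiphers` can interleave their unset/set loops on different threads, and a factory created without a list (which skips this call and "inherits" settings) picks up whatever list another connector applied last. Consider applying the list to the new socket itself (JSS has a per-socket `setCipherPreference`, if it can be used before the handshake here), or at minimum serialising this call and the socket creation under one lock and stating the process-wide effect in the comment. `makeSocket` starts and ends outside the hunk.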