author | Christina Fu <cfu@redhat.com> | 2014-11-18 18:28:53 -0800 |
---|---|---|
committer | Christina Fu <cfu@redhat.com> | 2014-11-21 09:55:33 -0800 |
commit | 46d7be6f5d24e025df30b382065addfb30c8032f (patch) | |
tree | e025247ed79d9a9c99614a24e1d26fb9a7d320b4 /base | |
parent | 99d571cee64846e8e1cfbc129aa0081b2f1f95e0 (diff) | |
download | pki-46d7be6f5d24e025df30b382065addfb30c8032f.tar.gz pki-46d7be6f5d24e025df30b382065addfb30c8032f.tar.xz pki-46d7be6f5d24e025df30b382065addfb30c8032f.zip |
bugzilla 871171 (client-side code) Provide Tomcat support for TLS v1.1 and TLS v1.2
Diffstat (limited to 'base')
4 files changed, 44 insertions, 103 deletions
diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
index 50e6f6458..0ecee4d8e 100644
--- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java
+++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
@@ -476,6 +476,23 @@ public class PKIConnection {
 localAddr = localAddress.getAddress();
 }
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range =
+ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0,
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
+
+ SSLSocket.setSSLVersionRangeDefault(
+ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.STREAM,
+ stream_range);
+
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange datagram_range =
+ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1,
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
+
+ SSLSocket.setSSLVersionRangeDefault(
+ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.DATA_GRAM,
+ datagram_range);
 SSLSocket socket;
 if (sock == null) {
 socket = new SSLSocket(InetAddress.getByName(hostName),
@@ -488,6 +505,8 @@ public class PKIConnection {
 } else {
 socket = new SSLSocket(sock, hostName, new ServerCertApprovalCB(), null);
 }
+// setSSLVersionRange needs to be exposed in jss
+// socket.setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0, org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
 String certNickname = config.getCertNickname();
 if (certNickname != null) {
diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
index cd6a6ea18..132375298 100644
--- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
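Review bot: `SSLSocket.setSSLVersionRangeDefault(...)` is a process-wide default, yet the new block in the @@ -476 hunk calls it on every socket this method creates, so each connection silently resets the JVM-wide TLS floor to tls1_0 and overrides whatever another component or an administrator configured — the same "set the default each time" pattern this commit removes from LdapJssSSLSocketFactory. HttpClient's @@ -148 hunk carries a verbatim copy of the same seventeen lines, so the range should be set once from a shared, configuration-driven helper that never lowers a floor already set higher; the DATA_GRAM default looks unnecessary for this stream-only path and, if so, should be dropped. Style: `SSLSocket` is already imported here, so `SSLSocket.SSLVersionRange` and `SSLSocket.SSLProtocolVariant` read better than the fully qualified `org.mozilla.jss.ssl.` names, and `stream_range`/`datagram_range` should be `streamRange`/`datagramRange`. The enclosing method starts before this hunk.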
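Review bot: The two lines added in the @@ -488 hunk are commented-out code at column 0 with no owner or tracking reference, and HttpClient's @@ -148 hunk adds the same pair. Either drop them or keep one indented, actionable marker such as `// TODO(<JSS tracking id placeholder>): call socket.setSSLVersionRange(tls1_0, tls1_2) per socket once JSS exposes it` so the follow-up is findable and the dead call does not linger. The enclosing method starts before and continues past this hunk.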
@@ -55,27 +55,6 @@ public class HttpClient {
 private boolean _secure = false;
 public static final int ARGC = 1;
- static final int cipherSuites[] = {
- SSLSocket.SSL3_RSA_WITH_RC4_128_MD5,
- SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA,
- SSLSocket.SSL3_RSA_WITH_DES_CBC_SHA,
- SSLSocket.SSL3_RSA_EXPORT_WITH_RC4_40_MD5,
- SSLSocket.SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
- SSLSocket.SSL3_RSA_WITH_NULL_MD5,
- SSLSocket.TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
- SSLSocket.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
- SSLSocket.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
- SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
- SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA,
- SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA,
- SSLSocket.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
- SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
- SSLSocket.TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
- SSLSocket.TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
- SSLSocket.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
- SSLSocket.TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
- 0
- };
 public HttpClient(String host, int port, String secure) throws Exception {
@@ -148,27 +127,27 @@ public class HttpClient {
 int i;
- for (i = SSLSocket.SSL2_RC4_128_WITH_MD5; i <= SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5; ++i) {
- try {
- SSLSocket.setCipherPreferenceDefault(i, false);
- } catch (SocketException e) {
- }
- }
- //skip SSL_EN_IDEA_128_EDE3_CBC_WITH_MD5
- for (i = SSLSocket.SSL2_DES_64_CBC_WITH_MD5; i <= SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5; ++i) {
- try {
- SSLSocket.setCipherPreferenceDefault(i, false);
- } catch (SocketException e) {
- }
- }
- for (i = 0; cipherSuites[i] != 0; ++i) {
- try {
- SSLSocket.setCipherPreferenceDefault(cipherSuites[i], true);
- } catch (SocketException e) {
- }
- }
 SSLHandshakeCompletedListener listener = new ClientHandshakeCB(this);
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range =
+ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0,
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
+
+ SSLSocket.setSSLVersionRangeDefault(
+ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.STREAM,
+ stream_range);
+
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange datagram_range =
+ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1,
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
+
+ SSLSocket.setSSLVersionRangeDefault(
+ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.DATA_GRAM,
+ datagram_range);
 sslSocket = new SSLSocket(_host, _port);
+ // setSSLVersionRange needs to be exposed in jss
+ // sslSocket.setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0, org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
 sslSocket.addHandshakeCompletedListener(listener);
 CryptoToken tt = cm.getThreadToken();
diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
index 4d9e60251..720882a15 100644
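Review bot: With the three cipher-preference loops removed, the context line `int i;` at the top of this hunk has no remaining use in view; unless `i` is read later in this method outside the hunk, it is now a dead local and should be deleted along with them. The removed loops were the only visible users of `catch (SocketException e)`, so `java.net.SocketException` may also have become an unused import in this file — worth a check, as the import block is outside the hunk. The enclosing method starts before and continues past this hunk.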
--- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
@@ -51,12 +51,11 @@ public class LdapJssSSLSocketFactory implements LDAPSSLSocketFactoryExt {
 SSLSocket s = null;
 try {
- SSLSocket.enableSSL2Default(false);
+ /*
+ * let inherit TLS range and cipher settings
+ */
 s = new SSLSocket(host, port);
 s.setUseClientMode(true);
- s.enableSSL2(false);
- //TODO Do we really want to set the default each time?
- SSLSocket.enableSSL2Default(false);
 s.enableV2CompatibleHello(false);
 SSLHandshakeCompletedListener listener = null;
diff --git a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java
index fcf5fc16e..2f8a40ca2 100644
--- a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java
+++ b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java
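Review bot: The new comment `let inherit TLS range and cipher settings` does not say what is inherited from: this factory now sets neither a version range nor cipher preferences, so the socket gets whatever the process-wide JSS defaults hold at the moment of construction, which depends on which component ran `setSSLVersionRangeDefault` first. Name the source and the ordering assumption, e.g. `/* Version range and cipher suites are inherited from the process-wide JSS defaults; whichever component configures them must do so before the first LDAP connection is opened. */`. Dropping `s.enableSSL2(false)` is only safe while that inherited range never admits SSL 2.0 — presumably the case once the floor is TLS 1.0, but it deserves a sentence in the comment so the assumption is visible. The enclosing method continues past this hunk.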
@@ -47,54 +47,6 @@ public class JssSSLSocketFactory implements ISocketFactory { mClientAuthCertNickname = certNickname; } - // XXX remove these static SSL cipher suite initializations later on. - static final int cipherSuites[] = { - SSLSocket.SSL3_RSA_WITH_RC4_128_MD5, - SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA, - SSLSocket.SSL3_RSA_WITH_DES_CBC_SHA, - SSLSocket.SSL3_RSA_EXPORT_WITH_RC4_40_MD5, - SSLSocket.SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5, - SSLSocket.SSL3_RSA_WITH_NULL_MD5, - SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA, - SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA, - SSLSocket.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, - SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - //SSLSocket.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, - //SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, - //SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, - SSLSocket.TLS_DHE_DSS_WITH_AES_128_CBC_SHA, - SSLSocket.TLS_DHE_DSS_WITH_AES_256_CBC_SHA, - SSLSocket.TLS_DHE_RSA_WITH_AES_128_CBC_SHA, - SSLSocket.TLS_DHE_RSA_WITH_AES_256_CBC_SHA, - 0 - }; - - static { - int i; - - for (i = SSLSocket.SSL2_RC4_128_WITH_MD5; i <= SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5; ++i) { - try { - SSLSocket.setCipherPreferenceDefault(i, false); - } catch (SocketException e) { - } - } - - //skip SSL_EN_IDEA_128_EDE3_CBC_WITH_MD5 - for (i = SSLSocket.SSL2_DES_64_CBC_WITH_MD5; i <= SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5; ++i) { - try { - SSLSocket.setCipherPreferenceDefault(i, false); - } catch (SocketException e) { - } - } - for (i = 0; cipherSuites[i] != 0; ++i) { - try { - SSLSocket.setCipherPreferenceDefault(cipherSuites[i], true); - } catch (SocketException e) { - } - } - } - public Socket makeSocket(String host, int port) throws IOException, UnknownHostException { return makeSocket(host, port, null, null); 
@@ -106,20 +58,12 @@ public class JssSSLSocketFactory implements ISocketFactory {
 throws IOException, UnknownHostException {
 try {
+ /*
+ * let inherit tls range and cipher settings
+ */
 s = new SSLSocket(host, port, null, 0, certApprovalCallback, clientCertCallback);
- for (int i = 0; cipherSuites[i] != 0; ++i) {
- try {
- SSLSocket.setCipherPreferenceDefault(cipherSuites[i], true);
- } catch (SocketException e) {
- }
- }
- s.setUseClientMode(true);
- s.enableSSL2(false);
- //TODO Do we rally want to set the default each time?
- SSLSocket.enableSSL2Default(false);
- s.enableV2CompatibleHello(false);
 SSLHandshakeCompletedListener listener = null;
|
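Review bot: This hunk removes `s.setUseClientMode(true);` and `s.enableV2CompatibleHello(false);` together with the SSL2 calls, but neither of those is a protocol-version setting, and the LdapJssSSLSocketFactory hunk in this same commit keeps both — so the two factories now diverge with no stated reason. Unless the drop is deliberate (in which case the new comment should say so), restore the two lines directly after the `s = new SSLSocket(...)` call. The comment should also name what is inherited from — the process-wide JSS defaults — and use `TLS` as the sibling comment does. The enclosing method continues past this hunk.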