authorcfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-11-22 17:13:41 +0000
committercfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-11-22 17:13:41 +0000
commit5b0a67e97e403b9529b0aeb1f28a34fcafd4c564 (patch)
tree1f2fabcb90f4f7eab19c7b175fb3e7c051930e80 /pki/base/console/src/com/netscape
parent9d7cd2e5956a8d5fe7ae3b3c7a6b6c91fd4e3c1e (diff)
Bug 651977 - turn off ssl2 for java servers (server.xml) - patch 2
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1583 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/console/src/com/netscape')
-rw-r--r--pki/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java21
1 files changed, 16 insertions, 5 deletions
diff --git a/pki/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java b/pki/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
index bc9b8dd94..27292b3d9 100644
--- a/pki/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
+++ b/pki/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
@@ -98,15 +98,23 @@ public class JSSConnection implements IConnection, SSLCertificateApprovalCallbac
// SSLSocket needs to be set before getting an instance
// to get the ciphers
+ SSLSocket.enableSSL2Default(false);
SSLSocket.enableSSL3Default(true);
int TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xC005;
int TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A;
int ciphers[] = SSLSocket.getImplementedCipherSuites();
for (int i = 0; ciphers != null && i < ciphers.length; i++) {
- Debug.println("JSSConnection Debug: NSS Cipher Supported '0x" +
- Integer.toHexString(ciphers[i]) + "'");
- SSLSocket.setCipherPreferenceDefault(ciphers[i], true);
+ // make sure SSLv2 ciphers are not enabled
+ if ((ciphers[i] & 0xfff0) !=0xff00) {
+ Debug.println("JSSConnection Debug: non-SSL2 NSS Cipher Supported '0x" +
+ Integer.toHexString(ciphers[i]) + "'");
+ SSLSocket.setCipherPreferenceDefault(ciphers[i], true);
+ } else {
+ Debug.println("JSSConnection Debug: SSL2 (turned off) NSS Cipher Supported '0x" +
+ Integer.toHexString(ciphers[i]) + "'");
+ SSLSocket.setCipherPreferenceDefault(ciphers[i], false);
+ }
/* Enable ECC Cipher */
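Review bot: The new `if ((ciphers[i] & 0xfff0) !=0xff00)` branch still enables every implemented suite that is not SSL2, so any NULL-encryption, anonymous or export-grade SSL3/TLS suites that `getImplementedCipherSuites()` reports for the NSS build become enabled defaults for the console's connections. Checking against an explicit allowlist of approved suites would be safer than a deny-by-mask, for example `SSLSocket.setCipherPreferenceDefault(ciphers[i], approvedSuites.contains(ciphers[i]));`, where `approvedSuites` is a new constant set (the name is a placeholder). The bare `0xfff0`/`0xff00` pair also needs a comment such as `// mask matches ids 0xFF00-0xFF0F, the range NSS uses for SSL2 suites`. The loop body and the enclosing method continue outside this hunk.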
@@ -120,8 +128,11 @@ public class JSSConnection implements IConnection, SSLCertificateApprovalCallbac
}
}
s = new SSLSocket(host, port, null, 0, this, this);
-// s.enableSSL3(true);
-// s.enableSSL3Default(true);
+ s.enableSSL2(false);
+ s.enableSSL2Default(false);
+ s.enableV2CompatibleHello(false);
+ s.enableSSL3(true);
+ s.enableSSL3Default(true);
// Initialze Http Input and Output Streams
httpIn = s.getInputStream();
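Review bot: `s.enableSSL2Default(false);` and `s.enableSSL3Default(true);` read as per-socket settings, but they are the same static calls already made as `SSLSocket.enableSSL2Default(false)` and `SSLSocket.enableSSL3Default(true)` in the first hunk, so here they only re-set the process-wide defaults through an instance reference. Dropping both and keeping `s.enableSSL2(false); s.enableV2CompatibleHello(false); s.enableSSL3(true);` would show what is actually configured per connection. Nothing in the hunk sets TLS explicitly, so whether a TLS version is offered presumably depends on the library default; if so, stating it next to these calls would keep the protocol policy in one place. The enclosing method starts and ends outside the hunk.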