summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--base/common/src/com/netscape/certsrv/client/PKIConnection.java19
-rw-r--r--base/java-tools/src/com/netscape/cmstools/HttpClient.java59
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java7
-rw-r--r--base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java62
4 files changed, 44 insertions, 103 deletions
diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
index 50e6f6458..0ecee4d8e 100644
--- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java
+++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
@@ -476,6 +476,23 @@ public class PKIConnection {
localAddr = localAddress.getAddress();
}
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range =
+ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0,
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
+
+ SSLSocket.setSSLVersionRangeDefault(
+ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.STREAM,
+ stream_range);
+
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange datagram_range =
+ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1,
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
+
+ SSLSocket.setSSLVersionRangeDefault(
+ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.DATA_GRAM,
+ datagram_range);
SSLSocket socket;
if (sock == null) {
socket = new SSLSocket(InetAddress.getByName(hostName),
@@ -488,6 +505,8 @@ public class PKIConnection {
} else {
socket = new SSLSocket(sock, hostName, new ServerCertApprovalCB(), null);
}
+// setSSLVersionRange needs to be exposed in jss
+// socket.setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0, org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
String certNickname = config.getCertNickname();
if (certNickname != null) {
diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
index cd6a6ea18..132375298 100644
--- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
@@ -55,27 +55,6 @@ public class HttpClient {
private boolean _secure = false;
public static final int ARGC = 1;
- static final int cipherSuites[] = {
- SSLSocket.SSL3_RSA_WITH_RC4_128_MD5,
- SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA,
- SSLSocket.SSL3_RSA_WITH_DES_CBC_SHA,
- SSLSocket.SSL3_RSA_EXPORT_WITH_RC4_40_MD5,
- SSLSocket.SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
- SSLSocket.SSL3_RSA_WITH_NULL_MD5,
- SSLSocket.TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
- SSLSocket.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
- SSLSocket.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
- SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
- SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA,
- SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA,
- SSLSocket.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
- SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
- SSLSocket.TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
- SSLSocket.TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
- SSLSocket.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
- SSLSocket.TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
- 0
- };
public HttpClient(String host, int port, String secure)
throws Exception {
@@ -148,27 +127,27 @@ public class HttpClient {
int i;
- for (i = SSLSocket.SSL2_RC4_128_WITH_MD5; i <= SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5; ++i) {
- try {
- SSLSocket.setCipherPreferenceDefault(i, false);
- } catch (SocketException e) {
- }
- }
- //skip SSL_EN_IDEA_128_EDE3_CBC_WITH_MD5
- for (i = SSLSocket.SSL2_DES_64_CBC_WITH_MD5; i <= SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5; ++i) {
- try {
- SSLSocket.setCipherPreferenceDefault(i, false);
- } catch (SocketException e) {
- }
- }
- for (i = 0; cipherSuites[i] != 0; ++i) {
- try {
- SSLSocket.setCipherPreferenceDefault(cipherSuites[i], true);
- } catch (SocketException e) {
- }
- }
SSLHandshakeCompletedListener listener = new ClientHandshakeCB(this);
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range =
+ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0,
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
+
+ SSLSocket.setSSLVersionRangeDefault(
+ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.STREAM,
+ stream_range);
+
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange datagram_range =
+ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1,
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
+
+ SSLSocket.setSSLVersionRangeDefault(
+ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.DATA_GRAM,
+ datagram_range);
sslSocket = new SSLSocket(_host, _port);
+ // setSSLVersionRange needs to be exposed in jss
+ // sslSocket.setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0, org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
sslSocket.addHandshakeCompletedListener(listener);
CryptoToken tt = cm.getThreadToken();
diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
index 4d9e60251..720882a15 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
@@ -51,12 +51,11 @@ public class LdapJssSSLSocketFactory implements LDAPSSLSocketFactoryExt {
SSLSocket s = null;
try {
- SSLSocket.enableSSL2Default(false);
+ /*
+ * let inherit TLS range and cipher settings
+ */
s = new SSLSocket(host, port);
s.setUseClientMode(true);
- s.enableSSL2(false);
- //TODO Do we really want to set the default each time?
- SSLSocket.enableSSL2Default(false);
s.enableV2CompatibleHello(false);
SSLHandshakeCompletedListener listener = null;
diff --git a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java
index fcf5fc16e..2f8a40ca2 100644
--- a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java
+++ b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java
@@ -47,54 +47,6 @@ public class JssSSLSocketFactory implements ISocketFactory {
mClientAuthCertNickname = certNickname;
}
- // XXX remove these static SSL cipher suite initializations later on.
- static final int cipherSuites[] = {
- SSLSocket.SSL3_RSA_WITH_RC4_128_MD5,
- SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA,
- SSLSocket.SSL3_RSA_WITH_DES_CBC_SHA,
- SSLSocket.SSL3_RSA_EXPORT_WITH_RC4_40_MD5,
- SSLSocket.SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
- SSLSocket.SSL3_RSA_WITH_NULL_MD5,
- SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
- SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA,
- SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA,
- SSLSocket.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
- SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
- //SSLSocket.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
- //SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
- //SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
- SSLSocket.TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
- SSLSocket.TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
- SSLSocket.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
- SSLSocket.TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
- 0
- };
-
- static {
- int i;
-
- for (i = SSLSocket.SSL2_RC4_128_WITH_MD5; i <= SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5; ++i) {
- try {
- SSLSocket.setCipherPreferenceDefault(i, false);
- } catch (SocketException e) {
- }
- }
-
- //skip SSL_EN_IDEA_128_EDE3_CBC_WITH_MD5
- for (i = SSLSocket.SSL2_DES_64_CBC_WITH_MD5; i <= SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5; ++i) {
- try {
- SSLSocket.setCipherPreferenceDefault(i, false);
- } catch (SocketException e) {
- }
- }
- for (i = 0; cipherSuites[i] != 0; ++i) {
- try {
- SSLSocket.setCipherPreferenceDefault(cipherSuites[i], true);
- } catch (SocketException e) {
- }
- }
- }
-
public Socket makeSocket(String host, int port)
throws IOException, UnknownHostException {
return makeSocket(host, port, null, null);
@@ -106,20 +58,12 @@ public class JssSSLSocketFactory implements ISocketFactory {
throws IOException, UnknownHostException {
try {
+ /*
+ * let inherit tls range and cipher settings
+ */
s = new SSLSocket(host, port, null, 0, certApprovalCallback,
clientCertCallback);
- for (int i = 0; cipherSuites[i] != 0; ++i) {
- try {
- SSLSocket.setCipherPreferenceDefault(cipherSuites[i], true);
- } catch (SocketException e) {
- }
- }
-
s.setUseClientMode(true);
- s.enableSSL2(false);
- //TODO Do we rally want to set the default each time?
- SSLSocket.enableSSL2Default(false);
- s.enableV2CompatibleHello(false);
SSLHandshakeCompletedListener listener = null;
generated by cgit (git 2.34.1) at 2024-06-20 15:26:25 +0000