From 5b0a67e97e403b9529b0aeb1f28a34fcafd4c564 Mon Sep 17 00:00:00 2001
From: cfu
Date: Mon, 22 Nov 2010 17:13:41 +0000
Subject: Bug 651977 - turn off ssl2 for java servers (server.xml) - patch 2
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1583 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
---
 .../cmscore/ldapconn/LdapJssSSLSocketFactory.java | 4 ++++
 .../com/netscape/cmscore/security/JssSubsystem.java | 3 +++
 .../admin/certsrv/connection/JSSConnection.java | 21 ++++++++++++++++-----
 pki/base/silent/src/http/HTTPClient.java | 1 +
 .../netscape/cmsutil/http/JssSSLSocketFactory.java | 8 ++++++--
 5 files changed, 30 insertions(+), 7 deletions(-)
(limited to 'pki/base')
diff --git a/pki/base/common/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java b/pki/base/common/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
index a662b84cd..b9f7d78eb 100644
--- a/pki/base/common/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
+++ b/pki/base/common/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
@@ -46,8 +46,12 @@ public class LdapJssSSLSocketFactory implements LDAPSSLSocketFactoryExt {
 SSLSocket s = null;
 try {
+ SSLSocket.enableSSL2Default(false);
 s = new SSLSocket(host, port);
 s.setUseClientMode(true);
+ s.enableSSL2(false);
+ s.enableSSL2Default(false);
+ s.enableV2CompatibleHello(false);
 SSLHandshakeCompletedListener listener = null;
diff --git a/pki/base/common/src/com/netscape/cmscore/security/JssSubsystem.java b/pki/base/common/src/com/netscape/cmscore/security/JssSubsystem.java
index 08615264e..cf63a770b 100644
--- a/pki/base/common/src/com/netscape/cmscore/security/JssSubsystem.java
+++ b/pki/base/common/src/com/netscape/cmscore/security/JssSubsystem.java
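Review bot: `s.enableSSL2Default(false)` on the new line after `s.setUseClientMode(true)` re-sets a static, process-wide default through an instance reference, three lines after the same hunk already calls `SSLSocket.enableSSL2Default(false)` on the class, so the instance call is redundant and reads as if it were a per-socket setting. The same redundant pair appears in the JSSConnection hunk at -120 and the JssSSLSocketFactory hunk at -94. Since the default is global, set it once at subsystem initialisation and keep only the per-socket `s.enableSSL2(false);` and `s.enableV2CompatibleHello(false);` here, with a comment such as `// SSLv2 is disabled process-wide at init; these per-socket calls are defence in depth`. Note that `s.enableSSL2(false)` runs only after `new SSLSocket(host, port)` has been constructed; whether that constructor already connects and whether the handshake is deferred until first I/O so the per-socket setting still applies should be confirmed against the JSS version in use — the static default set first covers it either way. The enclosing method begins before the hunk.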
@@ -131,6 +131,7 @@ public final class JssSubsystem implements ICryptoSubsystem {
 static {
 /* set ssl cipher string names. */
+ /* disallowing SSL2 ciphers to be turned on
 mCipherNames.put(Constants.PR_SSL2_RC4_128_WITH_MD5,
 Integer.valueOf(SSLSocket.SSL2_RC4_128_WITH_MD5));
 mCipherNames.put(Constants.PR_SSL2_RC4_128_EXPORT40_WITH_MD5,
@@ -143,6 +144,7 @@ public final class JssSubsystem implements ICryptoSubsystem {
 Integer.valueOf(SSLSocket.SSL2_DES_64_CBC_WITH_MD5));
 mCipherNames.put(Constants.PR_SSL2_DES_192_EDE3_CBC_WITH_MD5,
 Integer.valueOf(SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5));
+ */
 mCipherNames.put(Constants.PR_SSL3_RSA_WITH_NULL_MD5,
 Integer.valueOf(SSLSocket.SSL3_RSA_WITH_NULL_MD5));
 mCipherNames.put(Constants.PR_SSL3_RSA_EXPORT_WITH_RC4_40_MD5,
@@ -389,6 +391,7 @@ public final class JssSubsystem implements ICryptoSubsystem {
 if (sslcipher != null) {
 String msg = "setting ssl cipher " + cipher;
+ CMS.debug("JSSSubsystem: initSSL(): "+msg);
 log(ILogger.LL_INFO, msg);
 if (Debug.ON) Debug.trace(msg);
diff --git a/pki/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java b/pki/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
index bc9b8dd94..27292b3d9 100644
--- a/pki/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
+++ b/pki/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
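Review bot: The SSL2 entries of `mCipherNames` are disabled by opening a `/* … */` block here and closing it in the hunk at -143, i.e. commented-out code rather than removal; version control already preserves the old mapping, and a dangling block comment is easy to reopen by accident in a later merge. If the lines are kept for reference, the opening comment should state the reason and the tracker, e.g. `/* SSL2 cipher names deliberately unmapped (Bug 651977): SSLv2 is disabled process-wide */`. Removing the names also means a deployment whose configuration still lists a `PR_SSL2_*` cipher will now presumably take the `sslcipher == null` branch of the lookup seen in the hunk at -389, whose handling is outside this diff; confirm that branch logs the ignored cipher name so operators can see their configuration is stale. The enclosing static initializer starts before the hunk.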
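Review bot: The added `CMS.debug("JSSSubsystem: initSSL(): "+msg)` sends the same "setting ssl cipher" text to a third sink alongside `log(ILogger.LL_INFO, msg)` and `Debug.trace(msg)`, once per enabled suite. If the debug line is wanted, let it replace the `Debug.trace` call rather than accumulate, and consider emitting one INFO line after the loop listing all enabled suites, which is what an operator auditing the SSLv2 switch-off actually wants to read. Style: `"JSSSubsystem: initSSL(): " + msg` with spaces around `+`, as in the `msg` line just above. The enclosing method continues outside the hunk.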
@@ -98,15 +98,23 @@ public class JSSConnection implements IConnection, SSLCertificateApprovalCallbac
 // SSLSocket needs to be set before getting an instance
 // to get the ciphers
+ SSLSocket.enableSSL2Default(false);
 SSLSocket.enableSSL3Default(true);
 int TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xC005;
 int TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A;
 int ciphers[] = SSLSocket.getImplementedCipherSuites();
 for (int i = 0; ciphers != null && i < ciphers.length; i++) {
- Debug.println("JSSConnection Debug: NSS Cipher Supported '0x" +
- Integer.toHexString(ciphers[i]) + "'");
- SSLSocket.setCipherPreferenceDefault(ciphers[i], true);
+ // make sure SSLv2 ciphers are not enabled
+ if ((ciphers[i] & 0xfff0) !=0xff00) {
+ Debug.println("JSSConnection Debug: non-SSL2 NSS Cipher Supported '0x" +
+ Integer.toHexString(ciphers[i]) + "'");
+ SSLSocket.setCipherPreferenceDefault(ciphers[i], true);
+ } else {
+ Debug.println("JSSConnection Debug: SSL2 (turned off) NSS Cipher Supported '0x" +
+ Integer.toHexString(ciphers[i]) + "'");
+ SSLSocket.setCipherPreferenceDefault(ciphers[i], false);
+ }
 /* Enable ECC Cipher */
@@ -120,8 +128,11 @@ public class JSSConnection implements IConnection, SSLCertificateApprovalCallbac
 }
 }
 s = new SSLSocket(host, port, null, 0, this, this);
-// s.enableSSL3(true);
-// s.enableSSL3Default(true);
+ s.enableSSL2(false);
+ s.enableSSL2Default(false);
+ s.enableV2CompatibleHello(false);
+ s.enableSSL3(true);
+ s.enableSSL3Default(true);
 // Initialze Http Input and Output Streams
 httpIn = s.getInputStream();
diff --git a/pki/base/silent/src/http/HTTPClient.java b/pki/base/silent/src/http/HTTPClient.java
index 4db3f4d18..049b1440a 100644
--- a/pki/base/silent/src/http/HTTPClient.java
+++ b/pki/base/silent/src/http/HTTPClient.java
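Review bot: `if ((ciphers[i] & 0xfff0) !=0xff00)` classifies a suite as SSLv2 by a magic mask on the JSS suite id with no comment on why 0xff0x should mean SSLv2; the intent is only recoverable from the Debug strings. The SSL2 suites are available as named constants, `SSLSocket.SSL2_RC4_128_WITH_MD5` through `SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5`, and if they are contiguous as the loop bounds in the JssSSLSocketFactory hunk at -60 suggest, a range test such as `boolean isSsl2 = ciphers[i] >= SSLSocket.SSL2_RC4_128_WITH_MD5 && ciphers[i] <= SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5;` states the intent without a magic number. Otherwise keep the mask but name it and record the assumption it encodes: `private static final int SSL2_SUITE_MASK = 0xfff0; // assumes SSLv2 suite ids are 0xff0x in this JSS build — confirm`, and add the space in `!= 0xff00`. The enclosing method begins before the hunk and the for loop closes in the next hunk.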
@@ -120,6 +120,7 @@ public class HTTPClient implements SSLCertificateApprovalCallback
 socket.enableSSL3(true);
 socket.enableSSL2(false);
 socket.enableSSL2Default(false);
+ socket.enableV2CompatibleHello(false);
 } catch(Exception e) {
diff --git a/pki/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java b/pki/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java
index 91cf9ca43..e24fbb0aa 100644
--- a/pki/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java
+++ b/pki/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java
@@ -60,15 +60,16 @@ public class JssSSLSocketFactory implements ISocketFactory {
 for (i = SSLSocket.SSL2_RC4_128_WITH_MD5; i <= SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5; ++i) {
 try {
- SSLSocket.setCipherPreferenceDefault(i, true);
+ SSLSocket.setCipherPreferenceDefault(i, false);
 } catch( SocketException e) { } }
+ //skip SSL_EN_IDEA_128_EDE3_CBC_WITH_MD5
 for (i = SSLSocket.SSL2_DES_64_CBC_WITH_MD5; i <= SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5; ++i) {
 try {
- SSLSocket.setCipherPreferenceDefault(i, true);
+ SSLSocket.setCipherPreferenceDefault(i, false);
 } catch( SocketException e) { } }
@@ -94,6 +95,9 @@ public class JssSSLSocketFactory implements ISocketFactory {
 s = new SSLSocket(host, port, null, 0, certApprovalCallback, clientCertCallback);
 s.setUseClientMode(true);
+ s.enableSSL2(false);
+ s.enableSSL2Default(false);
+ s.enableV2CompatibleHello(false);
 SSLHandshakeCompletedListener listener = null;
-- cgit
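Review bot: The new `socket.enableV2CompatibleHello(false)` joins the other protocol-hardening calls inside a try whose handler is `catch(Exception e)` with its body outside the hunk; if that handler only reports and execution then proceeds to use `socket`, a failure of any of these calls silently leaves the weaker default in place. For settings whose purpose is to refuse SSLv2, a failure should be treated as fatal for the connection — rethrow or return — rather than best-effort, or the comment on the catch should say explicitly that continuing is acceptable and why. A one-line comment above the block, `// refuse SSLv2, including the V2-compatible ClientHello`, would also stop the next reader from treating the four calls as redundant. The enclosing method begins before the hunk.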
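Review bot: The two loops now disable the suites from `SSL2_RC4_128_WITH_MD5` to `SSL2_RC2_128_CBC_EXPORT40_WITH_MD5` and from `SSL2_DES_64_CBC_WITH_MD5` to `SSL2_DES_192_EDE3_CBC_WITH_MD5`, and the added comment `//skip SSL_EN_IDEA_128_EDE3_CBC_WITH_MD5`, placed between them, indicates that the IDEA suite is intentionally left at the library default rather than turned off, so one SSLv2 suite is not covered by this hunk. Either disable it explicitly, guarded by the same try/catch if the call may be rejected, or make the comment state why skipping is safe, e.g. `// IDEA suite is not implemented by this NSS build; setCipherPreferenceDefault rejects it — confirm`. `catch( SocketException e) { }` is now a security-relevant swallow: before the change a failure meant a suite merely stayed unenabled, after it a failure leaves an SSLv2 suite enabled, so the handler should log the suite id and the exception through the file's logger instead of being empty. The enclosing method begins before the hunk.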