From 73abba42cd64432fffab0debd2513acf855764cc Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: Wed, 29 Oct 2014 14:33:00 -0400
Subject: [PATCH] Ticket 47929 - Console - add tls1.1 support
Bug Description: SSL3 is no longer safe to use.
Fix Description: Update the console to work with TLS1.1 and up, and the option to set the min/max SSL versions in the Console Preference file:
sslVersionMin: TLS1.1
sslVersionMax: TLS1.2
https://fedorahosted.org/389/ticket/47929
Reviewed by: ?
---
 .../management/client/comm/CommChannel.java | 3 ++
 .../management/client/comm/CommManager.java | 23 +++++++++---
 .../management/client/comm/HttpChannel.java | 11 +++---
 .../management/client/comm/HttpManager.java | 5 +++
 .../management/client/comm/HttpsChannel.java | 42 ++++++++++++++++++++--
 .../management/client/console/Console.java | 11 ++++--
 6 files changed, 81 insertions(+), 14 deletions(-)
diff --git a/src/com/netscape/management/client/comm/CommChannel.java b/src/com/netscape/management/client/comm/CommChannel.java
index 27ea4eb..622c58e 100644
--- a/src/com/netscape/management/client/comm/CommChannel.java
+++ b/src/com/netscape/management/client/comm/CommChannel.java
@@ -20,6 +20,7 @@ package com.netscape.management.client.comm;
 import java.io.IOException;
+import com.netscape.management.client.preferences.Preferences;
 /**
 * The CommChannel interface is implemented by any object
@@ -40,6 +41,8 @@ public interface CommChannel {
 */
 public void open() throws IOException;
+ public void open(Preferences pref) throws IOException;
+
 /**
 * Closes a communication channel. The channel should be closed
 * and its resources released upon completion.
diff --git a/src/com/netscape/management/client/comm/CommManager.java b/src/com/netscape/management/client/comm/CommManager.java
index f147f46..d462e39 100644
--- a/src/com/netscape/management/client/comm/CommManager.java
+++ b/src/com/netscape/management/client/comm/CommManager.java
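Review bot: The new `open(Preferences pref)` added to the `CommChannel` interface has no Javadoc, while the `open()` directly above it is documented, and every implementer must now supply it with `null` being a value the `CommManager.send` overloads in this same patch pass through. The contract should say so: `/** Opens the channel as {@link #open()} does, taking transport settings such as the SSL version range from pref; pref may be null, in which case the implementation's defaults apply. */`. Adding an abstract method to a public interface is a source-incompatible change for any implementer outside this tree, if such exist; within the tree `HttpChannel` provides it and `HttpsChannel` inherits or overrides it.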
@@ -26,6 +26,7 @@ import java.util.Locale;
 import com.netscape.management.client.util.Debug;
 import com.netscape.management.client.util.LinkedList;
 import com.netscape.management.client.util.LinkedListElement;
+import com.netscape.management.client.preferences.Preferences;
 /**
 * This abstract class is the superclass of all classes which
@@ -94,13 +95,14 @@ public abstract class CommManager {
 * that basic auth information will be sent with the transaction; otherwise the transaction will be
 * first attempted without basic auth, and retried if necessary on receipt of an auth request.
 * @param channelData optional data argument to be passed to the CommChannel.
+ * @param pref preferences containing max and min SSL versions
 * @see CommClient
 * @see CommRecord
 * @see CommChannel
 */
 public synchronized CommRecord send(Object target,
 CommClient client, Object arg, InputStream data,
- int dataLength, int mode, Object channelData)
+ int dataLength, int mode, Object channelData, Preferences pref)
 throws IOException {
 Debug.println("CommManager> New CommRecord (" + target + ")");
 Debug.println(Debug.TYPE_HTTP,
@@ -124,7 +126,7 @@ public abstract class CommManager {
 CommChannel cc = createChannel(tid, Integer.toString(CommChannelCount++) + ":" + Integer.toString(i));
- cc.open();
+ cc.open(pref);
 chv.addElement(cc);
 }
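Review bot: The new `@param pref` line in the `send` Javadoc describes the argument as "preferences containing max and min SSL versions", but the overloads added later in this file pass `null` for it and `cc.open(pref)` forwards it unchecked, so the documented contract should name that case: `* @param pref preferences holding the min/max SSL version (sslVersionMin/sslVersionMax); may be null, in which case the channel's defaults apply`. It would also help to say that the value only matters for channels that negotiate TLS, since plain HTTP channels receive it as well. A minor style point: the new import is appended after the `util` imports rather than grouped alphabetically with the other `com.netscape` imports; the same placement recurs in the other files of this patch.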
@@ -143,16 +145,29 @@ public abstract class CommManager {
 public synchronized CommRecord send(Object target,
 CommClient client, Object arg, InputStream data,
 int dataLength) throws IOException {
- return send(target, client, arg, data, dataLength, 0, null);
+ return send(target, client, arg, data, dataLength, 0, null, null);
 }
 public synchronized CommRecord send(Object target,
 CommClient client, Object arg, InputStream data,
 int dataLength, int mode) throws IOException {
- return send(target, client, arg, data, dataLength, mode, null);
+ return send(target, client, arg, data, dataLength, mode, null, null);
+ }
+
+ public synchronized CommRecord send(Object target,
+ CommClient client, Object arg, InputStream data,
+ int dataLength, int mode, String[] headers)
+ throws IOException {
+ return send(target, client, arg, data, dataLength, mode, null, null);
 }
+ public synchronized CommRecord send(Object target,
+ CommClient client, Object arg, InputStream data,
+ int dataLength, int mode, Preferences pref)
+ throws IOException {
+ return send(target, client, arg, data, dataLength, mode, null, pref);
+ }
 /**
 * Forcibly terminates a communication request. If the request is in the queue,
 * it is dequeued. If the request is in progress, an attempt is made to halt
diff --git a/src/com/netscape/management/client/comm/HttpChannel.java b/src/com/netscape/management/client/comm/HttpChannel.java
index c72ef02..917e5ee 100644
--- a/src/com/netscape/management/client/comm/HttpChannel.java
+++ b/src/com/netscape/management/client/comm/HttpChannel.java
@@ -20,7 +20,6 @@ package com.netscape.management.client.comm;
 import java.net.Socket;
-import java.net.SocketException;
 import java.net.URL;
 import java.net.URLEncoder;
 import java.io.IOException;
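Review bot: The new `send(..., int mode, String[] headers)` overload discards its `headers` argument by forwarding `null` in the `channelData` position, and because the previous seven-argument `send(..., Object channelData)` was widened to eight arguments in the hunk above, `HttpManager.get(url, client, arg, hdrs)` (see the HttpManager hunk later in this patch, which still calls `send(url, client, arg, null, 0, 0, hdrs)`) now resolves to this overload and loses the headers it used to deliver as `channelData`. The fix is `return send(target, client, arg, data, dataLength, mode, headers, null);`. Separately, two seven-argument overloads that differ only in `String[]` versus `Preferences` make a call with a literal `null` in that position ambiguous at compile time, so any caller outside this diff that passed `null` there will need a cast.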
@@ -29,14 +28,10 @@ import java.io.InputStream;
 import java.io.BufferedInputStream;
 import java.io.BufferedOutputStream;
 import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.OutputStreamWriter;
 import java.io.InterruptedIOException;
 import java.util.Enumeration;
 import java.util.Hashtable;
-import java.util.BitSet;
 import java.lang.reflect.Method;
-import java.io.UTFDataFormatException;
 import com.netscape.management.client.util.*;
 import com.netscape.management.client.util.Debug;
@@ -44,8 +39,8 @@ import com.netscape.management.client.util.IProgressListener;
 import com.netscape.management.client.util.Permissions;
 import com.netscape.management.client.util.URLByteEncoder;
 import com.netscape.management.client.console.VersionInfo;
+import com.netscape.management.client.preferences.Preferences;
-import java.util.*;
 /**
 * A HTTP protocol handler.
@@ -89,6 +84,10 @@ public class HttpChannel implements Runnable, CommChannel {
 }
 public void open() throws IOException {
+ open(null);
+ };
+
+ public void open(Preferences pref) throws IOException {
 Method m = Permissions.getEnablePrivilegeMethod();
 if (m != null) {
diff --git a/src/com/netscape/management/client/comm/HttpManager.java b/src/com/netscape/management/client/comm/HttpManager.java
index a4234e1..53403b8 100644
--- a/src/com/netscape/management/client/comm/HttpManager.java
+++ b/src/com/netscape/management/client/comm/HttpManager.java
@@ -25,6 +25,7 @@ import java.io.IOException;
 import java.io.InputStream;
 import com.netscape.management.client.util.Debug;
+import com.netscape.management.client.preferences.Preferences;
 /**
 * This CommManager subclass implements connection management
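Review bot: The `};` that closes the rewritten `open()` in HttpChannel leaves a stray empty declaration after the method body; it compiles, but linters flag it, so it should be `}`. The `pref` parameter of the new `open(Preferences pref)` is not referenced in the visible part of the body (the method continues past the end of the hunk); if the plain-HTTP channel has no use for it, a one-line comment such as `// pref carries the SSL version range; only HttpsChannel.open(Preferences) reads it` would tell the next reader the parameter is ignored on purpose rather than forgotten. The import hunk above also removes `java.util.*` while keeping `java.util.Enumeration` and `java.util.Hashtable`, which is the right direction; the new `Preferences` import sits between the console and the removed util wildcard rather than with the other `com.netscape` imports.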
@@ -124,6 +125,10 @@ public class HttpManager extends CommManager {
 return send(url, client, arg, null, 0, mode);
 }
 public CommRecord get(URL url, CommClient client, Object arg,
+ int mode, Preferences pref) throws IOException {
+ return send(url, client, arg, null, 0, mode, null, pref);
+ }
+ public CommRecord get(URL url, CommClient client, Object arg,
 String[] hdrs) throws IOException {
 return send(url, client, arg, null, 0, 0, hdrs);
 }
diff --git a/src/com/netscape/management/client/comm/HttpsChannel.java b/src/com/netscape/management/client/comm/HttpsChannel.java
index f67b64d..3a92fa6 100644
--- a/src/com/netscape/management/client/comm/HttpsChannel.java
+++ b/src/com/netscape/management/client/comm/HttpsChannel.java
@@ -31,6 +31,7 @@ import com.netscape.management.client.util.GridBagUtil;
 import com.netscape.management.client.util.RemoteImage;
 import com.netscape.management.client.security.PromptForTrustDialog;
 import com.netscape.management.nmclf.SuiPasswordField;
+import com.netscape.management.client.preferences.Preferences;
 import org.mozilla.jss.ssl.SSLSocket;
 import org.mozilla.jss.ssl.SSLCertificateApprovalCallback.ValidityStatus;
@@ -74,7 +75,6 @@ public class HttpsChannel extends HttpChannel implements
 static HttpsChannel.SelectCertDialog selectCertDialog = null;
 static CertificateFactory cf;
 static ResourceSet resource;
- private JFrame _frame;
 final static int MAX_PASSWORD_PROMPT = 10;
@@ -403,11 +403,49 @@ public class HttpsChannel extends HttpChannel implements
 return getPasswordDialog.getPassword();
 }
- public void open() throws IOException {
+ private int getSSLVersionRangeEnum (String rangeString) {
+ if (rangeString == null)
+ return -1;
+ if (rangeString.equalsIgnoreCase("ssl3"))
+ return org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.ssl3;
+ else if (rangeString.equalsIgnoreCase("tls1.0"))
+ return org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0;
+ else if (rangeString.equalsIgnoreCase("tls1.1"))
+ return org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1;
+ else if (rangeString.equalsIgnoreCase("tls1.2"))
+ return org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2;
+
+ return -1;
+ }
+
+ public void open(Preferences pref) throws IOException {
 cryptoManager.setPasswordCallback(this);
 try {
 nthPrompt = 0;
+
+ // Set our defaults
+ int min = org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1;
+ int max = org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2;
+ Debug.println("CREATE JSS SSLSocket");
+
+ if(pref != null){
+ // Check if min/max have been a preference
+ int version;
+
+ if ((version = getSSLVersionRangeEnum(pref.getString("sslVersionMin"))) != -1 ){
+ min = version;
+ }
+ if ((version = getSSLVersionRangeEnum(pref.getString("sslVersionMax"))) != -1){
+ max = version;
+ }
+ }
+
+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange range =
+ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(min, max);
+
+ SSLSocket.setSSLVersionRangeDefault(org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.STREAM, range);
 socket = new SSLSocket(InetAddress.getByName(getHost()), getPort(), null, 0, true, this, this);
diff --git a/src/com/netscape/management/client/console/Console.java b/src/com/netscape/management/client/console/Console.java
index ac4878e..680abff 100644
--- a/src/com/netscape/management/client/console/Console.java
+++ b/src/com/netscape/management/client/console/Console.java
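Review bot: `SSLSocket.setSSLVersionRangeDefault(...)` near the end of the new `open(Preferences)` is a static call that changes the JSS-wide default on every channel open, so the preferences of the last channel opened govern every SSLSocket created afterwards, including ones whose callers passed no `Preferences`; if the range is only meant for this socket, apply it per socket where the JSS in use allows it, otherwise a comment should state that the setting is process-global. The range is also handed to `new SSLVersionRange(min, max)` without checking `min <= max` (what JSS does with an inverted range is not visible here), an unrecognised preference string falls back to the default silently, and `getSSLVersionRangeEnum` still accepts `"ssl3"`, which lets the preference file reopen the protocol this ticket sets out to retire. The literals `"sslVersionMin"`/`"sslVersionMax"` duplicate `Console.PREFERENCE_SSL_VERSION_MIN`/`PREFERENCE_SSL_VERSION_MAX` added by this same patch, and `HttpChannel` already imports from the console package, so the constants could be referenced here instead. The preference block below validates the range and logs what it ignores; the method body continues past the end of the hunk.
```java
Debug.println("CREATE JSS SSLSocket");
if (pref != null) {
    // Check if min/max have been set as a preference; say so when a value is not understood
    int version;
    String minPref = pref.getString("sslVersionMin");
    if ((version = getSSLVersionRangeEnum(minPref)) != -1) {
        min = version;
    } else if (minPref != null) {
        Debug.println("HttpsChannel> ignoring unrecognized sslVersionMin: " + minPref);
    }
    String maxPref = pref.getString("sslVersionMax");
    if ((version = getSSLVersionRangeEnum(maxPref)) != -1) {
        max = version;
    } else if (maxPref != null) {
        Debug.println("HttpsChannel> ignoring unrecognized sslVersionMax: " + maxPref);
    }
}
// Refuse an inverted range before handing it to JSS
// (assumes the enum constants are ordered ssl3 < tls1_0 < tls1_1 < tls1_2 -- confirm against the JSS in use)
if (min > max) {
    Debug.println("HttpsChannel> sslVersionMin is above sslVersionMax, using defaults");
    min = org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1;
    max = org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2;
}
// … unchanged: build SSLVersionRange, setSSLVersionRangeDefault, create the SSLSocket …
```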
@@ -77,6 +77,8 @@ public class Console implements CommClient {
 public static final String PREFERENCE_LOCAL = "StorePrefsToDisk";
 public static final String PREFERENCE_X = "X";
 public static final String PREFERENCE_Y = "Y";
+ public static final String PREFERENCE_SSL_VERSION_MIN = "sslVersionMin";
+ public static final String PREFERENCE_SSL_VERSION_MAX = "sslVersionMax";
 public static final String PREFERENCE_DIR = System.getProperty("user.home") + File.separator + _resource_theme.getString("console","prefsdir") + File.separator;
@@ -1053,7 +1055,7 @@ public class Console implements CommClient {
 Hashtable ht = new Hashtable();
- boolean successfulAuth = invoke_task(url, user, pw, ht);
+ boolean successfulAuth = invoke_task(url, user, pw, ht, _preferences);
 String param;
@@ -1138,6 +1140,11 @@ public class Console implements CommClient {
 private synchronized final boolean invoke_task(URL url,
 String user, String pw, Hashtable ht) {
+ return invoke_task(url, user, pw, ht, null);
+ }
+
+ private synchronized final boolean invoke_task(URL url,
+ String user, String pw, Hashtable ht, Preferences pref) {
 HttpManager h = new HttpManager();
 InputStream is;
@@ -1146,7 +1153,7 @@ public class Console implements CommClient {
 try {
 h.get(url, this, r = new Response(user, pw),
- h.FORCE_BASIC_AUTH);
+ h.FORCE_BASIC_AUTH, pref);
 } catch (Exception ioe) {
 String _url;
 try {
--
1.9.3
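Review bot: `PREFERENCE_SSL_VERSION_MIN`/`PREFERENCE_SSL_VERSION_MAX` are declared without saying which values the preference accepts, and the commit message's example (`sslVersionMin: TLS1.1`) only works because the parser on the channel side compares case-insensitively; a comment on the constants saves the next reader a trip across packages: `// Accepted values (case-insensitive): ssl3, tls1.0, tls1.1, tls1.2; parsed in HttpsChannel.getSSLVersionRangeEnum`. The four-argument `invoke_task` that now forwards `null` keeps the old callers on the channel's built-in defaults, which is worth a one-line comment at that overload since the effect (TLS 1.1 through 1.2, per the HttpsChannel hunk) is not visible from this file. In the last hunk `h.FORCE_BASIC_AUTH` accesses what appears to be a static constant through an instance; that predates this patch, but the edited line would be the natural place to write `HttpManager.FORCE_BASIC_AUTH`.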