1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
|
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.tomcat.util.net.jsse;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.compat.JreVendor;
import org.apache.tomcat.util.net.SSLContext;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.apache.tomcat.util.net.SSLUtilBase;
import org.apache.tomcat.util.res.StringManager;
/**
* SSLUtil implementation for JSSE.
*
* @author Harish Prabandham
* @author Costin Manolache
* @author Stefan Freyr Stefansson
* @author EKR
* @author Jan Luehe
*/
public class JSSEUtil extends SSLUtilBase {
private static final Log log = LogFactory.getLog(JSSEUtil.class);
private static final StringManager sm = StringManager.getManager(JSSEUtil.class);
private volatile boolean initialized = false;
private volatile Set<String> implementedProtocols;
private volatile Set<String> implementedCiphers;
public JSSEUtil (SSLHostConfigCertificate certificate) {
this(certificate, true);
}
public JSSEUtil (SSLHostConfigCertificate certificate, boolean warnOnSkip) {
super(certificate, warnOnSkip);
}
@Override
protected Log getLog() {
return log;
}
@Override
protected Set<String> getImplementedProtocols() {
initialise();
return implementedProtocols;
}
@Override
protected Set<String> getImplementedCiphers() {
initialise();
return implementedCiphers;
}
@Override
protected boolean isTls13RenegAuthAvailable() {
// TLS 1.3 does not support authentication after the initial handshake
return false;
}
@Override
public SSLContext createSSLContextInternal(List<String> negotiableProtocols)
throws NoSuchAlgorithmException {
return new JSSESSLContext(sslHostConfig.getSslProtocol());
}
private void initialise() {
if (!initialized) {
synchronized (this) {
if (!initialized) {
SSLContext context;
try {
context = new JSSESSLContext(sslHostConfig.getSslProtocol());
context.init(null, null, null);
} catch (NoSuchAlgorithmException | KeyManagementException e) {
// This is fatal for the connector so throw an exception to prevent
// it from starting
throw new IllegalArgumentException(e);
}
String[] implementedProtocolsArray = context.getSupportedSSLParameters().getProtocols();
implementedProtocols = new HashSet<>(implementedProtocolsArray.length);
// Filter out SSLv2 from the list of implemented protocols (just in case
// we are running on a JVM that supports it) since it is no longer
// considered secure but allow SSLv2Hello.
// Note SSLv3 is allowed despite known insecurities because some users
// still have a requirement for it.
for (String protocol : implementedProtocolsArray) {
String protocolUpper = protocol.toUpperCase(Locale.ENGLISH);
if (!"SSLV2HELLO".equals(protocolUpper) && !"SSLV3".equals(protocolUpper)) {
if (protocolUpper.contains("SSL")) {
log.debug(sm.getString("jsseUtil.excludeProtocol", protocol));
continue;
}
}
implementedProtocols.add(protocol);
}
if (implementedProtocols.size() == 0) {
log.warn(sm.getString("jsseUtil.noDefaultProtocols"));
}
String[] implementedCipherSuiteArray = context.getSupportedSSLParameters().getCipherSuites();
// The IBM JRE will accept cipher suites names SSL_xxx or TLS_xxx but
// only returns the SSL_xxx form for supported cipher suites. Therefore
// need to filter the requested cipher suites using both forms with an
// IBM JRE.
if (JreVendor.IS_IBM_JVM) {
implementedCiphers = new HashSet<>(implementedCipherSuiteArray.length * 2);
for (String name : implementedCipherSuiteArray) {
implementedCiphers.add(name);
if (name.startsWith("SSL")) {
implementedCiphers.add("TLS" + name.substring(3));
}
}
} else {
implementedCiphers = new HashSet<>(Arrays.asList(implementedCipherSuiteArray));
}
initialized = true;
}
}
}
}
}
|
