From 3a3bfc5c7fbbca28f3064fa069956824356af780 Mon Sep 17 00:00:00 2001
From: Nicolas Capponi <nicolas.capponi@forgerock.com>
Date: Mon, 10 Oct 2016 07:27:25 +0000
Subject: [PATCH] OPENDJ-3330 Add support for all TLS versions in client tools delivered by the server
---
opendj-server-legacy/src/main/java/org/opends/server/tools/SSLConnectionFactory.java | 49 ++++++++++++++++++++++++++++++++++++++++---------
1 files changed, 40 insertions(+), 9 deletions(-)
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/tools/SSLConnectionFactory.java b/opendj-server-legacy/src/main/java/org/opends/server/tools/SSLConnectionFactory.java
index 53fb7f4..69019a2 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/tools/SSLConnectionFactory.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/tools/SSLConnectionFactory.java
@@ -23,11 +23,15 @@
import java.net.Socket;
import java.security.KeyStore;
import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
import java.security.Provider;
+import java.util.Arrays;
+import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
@@ -35,10 +39,13 @@
import org.opends.server.extensions.BlindTrustManagerProvider;
import org.forgerock.i18n.slf4j.LocalizedLogger;
+import org.forgerock.opendj.ldap.SSLContextBuilder;
import org.opends.server.util.CollectionUtils;
import org.opends.server.util.ExpirationCheckTrustManager;
import org.opends.server.util.SelectableCertificateKeyManager;
+import com.forgerock.opendj.cli.ConnectionFactoryProvider;
+
import static org.opends.messages.ToolMessages.*;
@@ -49,6 +56,26 @@
{
private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();
+ /**
+ * List of available TLS protocols. By default, corresponds to all TLS protocols available in the JVM.
+ * The list may be overridden if <em>org.opends.ldaps.protocols</em> system property is set.
+ */
+ private static final String[] TLS_PROTOCOLS;
+
+ static
+ {
+ List<String> protocols = null;
+ try
+ {
+ protocols = ConnectionFactoryProvider.getDefaultProtocols();
+ }
+ catch (NoSuchAlgorithmException ex)
+ {
+ logger.trace("Unable to retrieve default TLS protocols of the JVM, defaulting to TLSv1", ex);
+ protocols = Arrays.asList(SSLContextBuilder.PROTOCOL_TLS1);
+ }
+ TLS_PROTOCOLS = protocols.toArray(new String[protocols.size()]);
+ }
private SSLSocketFactory sslSocketFactory;
@@ -148,10 +175,16 @@
{
if(sslSocketFactory == null)
{
- throw new SSLConnectionException(
- ERR_TOOLS_SSL_CONNECTION_NOT_INITIALIZED.get());
+ throw new SSLConnectionException(ERR_TOOLS_SSL_CONNECTION_NOT_INITIALIZED.get());
}
- return sslSocketFactory.createSocket(hostName, portNumber);
+ return socketWithEnabledProtocols(sslSocketFactory.createSocket(hostName, portNumber));
+ }
+
+ private Socket socketWithEnabledProtocols(Socket socket)
+ {
+ SSLSocket sslSocket = (SSLSocket) socket;
+ sslSocket.setEnabledProtocols(TLS_PROTOCOLS);
+ return sslSocket;
}
/**
@@ -174,10 +207,9 @@
{
if (sslSocketFactory == null)
{
- throw new SSLConnectionException(ERR_TOOLS_SSL_CONNECTION_NOT_INITIALIZED
- .get());
+ throw new SSLConnectionException(ERR_TOOLS_SSL_CONNECTION_NOT_INITIALIZED.get());
}
- return sslSocketFactory.createSocket(host, portNumber);
+ return socketWithEnabledProtocols(sslSocketFactory.createSocket(host, portNumber));
}
/**
@@ -206,10 +238,9 @@
{
if(sslSocketFactory == null)
{
- throw new SSLConnectionException(
- ERR_TOOLS_SSL_CONNECTION_NOT_INITIALIZED.get());
+ throw new SSLConnectionException(ERR_TOOLS_SSL_CONNECTION_NOT_INITIALIZED.get());
}
- return sslSocketFactory.createSocket(s, hostName, portNumber, autoClose);
+ return socketWithEnabledProtocols(sslSocketFactory.createSocket(s, hostName, portNumber, autoClose));
}
/**
--
Gitblit v1.10.0