From 45690fbc42773415ef034419ed3f27d2974b78e1 Mon Sep 17 00:00:00 2001
From: Matthew Swift <matthew.swift@forgerock.com>
Date: Wed, 21 Nov 2012 23:24:40 +0000
Subject: [PATCH] Fix OPENDJ-649: Add supportedTLSCiphers and supportedTLSProtocols to RootDSE and system monitor

---
 opends/src/server/org/opends/server/extensions/TLSByteChannel.java |   88 ++++++--------------------------------------
 1 files changed, 12 insertions(+), 76 deletions(-)

diff --git a/opends/src/server/org/opends/server/extensions/TLSByteChannel.java b/opends/src/server/org/opends/server/extensions/TLSByteChannel.java
index 4b35f8b..6e35881 100644
--- a/opends/src/server/org/opends/server/extensions/TLSByteChannel.java
+++ b/opends/src/server/org/opends/server/extensions/TLSByteChannel.java
@@ -39,13 +39,10 @@
 import java.security.cert.Certificate;
 import java.util.LinkedHashMap;
 import java.util.Map;
-import java.util.Set;
 
 import javax.net.ssl.*;
 import javax.net.ssl.SSLEngineResult.HandshakeStatus;
 
-import org.opends.server.admin.std.server.LDAPConnectionHandlerCfg;
-import org.opends.server.api.ClientConnection;
 import org.opends.server.loggers.debug.DebugTracer;
 import org.opends.server.types.DebugLogLevel;
 
@@ -443,32 +440,6 @@
   private static final ByteBuffer EMPTY_BUFFER = ByteBuffer.allocate(0);
   private static final DebugTracer TRACER = getTracer();
 
-
-
-  /**
-   * Create an TLS byte channel instance using the specified LDAP connection
-   * configuration, client connection, SSL context and socket channel
-   * parameters.
-   *
-   * @param config
-   *          The LDAP connection configuration.
-   * @param c
-   *          The client connection.
-   * @param sslContext
-   *          The SSL context.
-   * @param socketChannel
-   *          The socket channel.
-   * @return A TLS capable byte channel.
-   */
-  public static TLSByteChannel getTLSByteChannel(
-      final LDAPConnectionHandlerCfg config, final ClientConnection c,
-      final SSLContext sslContext, final ByteChannel socketChannel)
-  {
-    return new TLSByteChannel(config, c, socketChannel, sslContext);
-  }
-
-
-
   private final ByteChannelImpl pimpl = new ByteChannelImpl();
   private final ByteChannel channel;
   private final SSLEngine sslEngine;
@@ -485,55 +456,20 @@
 
 
 
-  private TLSByteChannel(final LDAPConnectionHandlerCfg config,
-      final ClientConnection c, final ByteChannel channel,
-      final SSLContext sslContext)
+  /**
+   * Creates an TLS byte channel instance using the specified LDAP connection
+   * configuration, client connection, SSL context and socket channel
+   * parameters.
+   *
+   * @param channel
+   *          The underlying channel.
+   * @param sslEngine
+   *          The SSL engine to use.
+   */
+  public TLSByteChannel(final ByteChannel channel, final SSLEngine sslEngine)
   {
-
     this.channel = channel;
-
-    // getHostName could potentially be very expensive and could block
-    // the connection handler for several minutes. (See issue 4229)
-    // Accepting new connections should be done in a seperate thread to
-    // avoid blocking new connections. Just remove for now to prevent
-    // potential DoS attacks. SSL sessions will not be reused and some
-    // cipher suites (such as Kerberos) will not work.
-
-    // String hostName = socketChannel.socket().getInetAddress().getHostName();
-    // int port = socketChannel.socket().getPort();
-    // sslEngine = sslContext.createSSLEngine(hostName, port);
-
-    sslEngine = sslContext.createSSLEngine();
-    sslEngine.setUseClientMode(false);
-
-    final Set<String> protocols = config.getSSLProtocol();
-    if (!protocols.isEmpty())
-    {
-      sslEngine.setEnabledProtocols(protocols.toArray(new String[0]));
-    }
-
-    final Set<String> ciphers = config.getSSLCipherSuite();
-    if (!ciphers.isEmpty())
-    {
-      sslEngine.setEnabledCipherSuites(ciphers.toArray(new String[0]));
-    }
-
-    switch (config.getSSLClientAuthPolicy())
-    {
-    case DISABLED:
-      sslEngine.setNeedClientAuth(false);
-      sslEngine.setWantClientAuth(false);
-      break;
-    case REQUIRED:
-      sslEngine.setWantClientAuth(true);
-      sslEngine.setNeedClientAuth(true);
-      break;
-    case OPTIONAL:
-    default:
-      sslEngine.setNeedClientAuth(false);
-      sslEngine.setWantClientAuth(true);
-      break;
-    }
+    this.sslEngine = sslEngine;
 
     // Allocate read/write buffers.
     final SSLSession session = sslEngine.getSession();
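Review bot: The Javadoc added at the top of this hunk still describes the old parameters — "LDAP connection configuration, client connection, SSL context and socket channel" — while the new public constructor takes only `channel` and `sslEngine`, so the summary is stale (and "an TLS" should read "a TLS"). Because the protocol, cipher-suite and client-auth setup that used to happen here now has to be done by whoever builds the engine, the doc should state that contract, e.g. `@param sslEngine The SSL engine to use; the caller must have already put it in server mode and applied the enabled protocols, cipher suites and client-auth policy, as this constructor does not modify it.` The removed body also carried the note that the engine was deliberately created without host/port because `getHostName()` can block the connection handler; unless that rationale now lives where the engine is created, it is worth keeping in this Javadoc so a later caller does not reintroduce the blocking lookup. Neither argument is checked before being stored, so a null engine only fails on the first read; `this.sslEngine = Objects.requireNonNull(sslEngine, "sslEngine");` (with `java.util.Objects` imported) would fail fast at construction. The constructor body continues past the end of the hunk.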
