|
Lines 1-5
|
| 1 |
/******************************************************************************* |
1 |
/******************************************************************************* |
| 2 |
* Copyright (c) 2002, 2014 IBM Corporation and others. |
2 |
* Copyright (c) 2002, 2015 IBM Corporation and others. |
| 3 |
* All rights reserved. This program and the accompanying materials |
3 |
* All rights reserved. This program and the accompanying materials |
| 4 |
* are made available under the terms of the Eclipse Public License v1.0 |
4 |
* are made available under the terms of the Eclipse Public License v1.0 |
| 5 |
* which accompanies this distribution, and is available at |
5 |
* which accompanies this distribution, and is available at |
|
Lines 30-35
|
| 30 |
* David McKnight (IBM) - [388472] [dstore] need alternative option for getting at server hostname |
30 |
* David McKnight (IBM) - [388472] [dstore] need alternative option for getting at server hostname |
| 31 |
* David McKnight (IBM) - [390681] [dstore] need to merge differences between HEAD stream and 3.2 in ConnectionEstablisher.finished() |
31 |
* David McKnight (IBM) - [390681] [dstore] need to merge differences between HEAD stream and 3.2 in ConnectionEstablisher.finished() |
| 32 |
* David McKnight (IBM) [439545][dstore] potential deadlock on senders during shutdown |
32 |
* David McKnight (IBM) [439545][dstore] potential deadlock on senders during shutdown |
|
|
33 |
* David McKnight (IBM) [464736][dstore] need methods to disable ciphers and protocols |
| 33 |
*******************************************************************************/ |
34 |
*******************************************************************************/ |
| 34 |
|
35 |
|
| 35 |
package org.eclipse.dstore.core.server; |
36 |
package org.eclipse.dstore.core.server; |
|
Lines 44-51
|
| 44 |
import java.net.Socket; |
45 |
import java.net.Socket; |
| 45 |
import java.net.UnknownHostException; |
46 |
import java.net.UnknownHostException; |
| 46 |
import java.util.ArrayList; |
47 |
import java.util.ArrayList; |
|
|
48 |
import java.util.List; |
| 47 |
|
49 |
|
| 48 |
import javax.net.ssl.SSLContext; |
50 |
import javax.net.ssl.SSLContext; |
|
|
51 |
import javax.net.ssl.SSLServerSocket; |
| 49 |
import javax.net.ssl.SSLSession; |
52 |
import javax.net.ssl.SSLSession; |
| 50 |
import javax.net.ssl.SSLSocket; |
53 |
import javax.net.ssl.SSLSocket; |
| 51 |
|
54 |
|
|
Lines 91-96
|
| 91 |
private int _maxConnections; |
94 |
private int _maxConnections; |
| 92 |
private int _timeout; |
95 |
private int _timeout; |
| 93 |
private String _msg; |
96 |
private String _msg; |
|
|
97 |
|
| 98 |
|
| 99 |
private String[] _disabledCipherPatterns = null; |
| 100 |
private String[] _disabledProtocolPatterns = null; |
| 101 |
private String[] _enabledCiphers = null; |
| 102 |
private String[] _enabledProtocols = null; |
| 103 |
|
| 94 |
|
104 |
|
| 95 |
|
105 |
|
| 96 |
/** |
106 |
/** |
|
Lines 261-266
|
| 261 |
{ |
271 |
{ |
| 262 |
try |
272 |
try |
| 263 |
{ |
273 |
{ |
|
|
274 |
if (_dataStore.usingSSL()) |
| 275 |
{ |
| 276 |
SSLServerSocket sslServerSocket = (SSLServerSocket)_serverSocket; |
| 277 |
// for security, disable ciphers and protocols we don't want |
| 278 |
disableCiphers(sslServerSocket); |
| 279 |
disableProtocols(sslServerSocket); |
| 280 |
|
| 281 |
// for security, enable only ciphers and protocols that are common |
| 282 |
enableCiphers(sslServerSocket); |
| 283 |
enableProtocols(sslServerSocket); |
| 284 |
} |
| 285 |
|
| 264 |
Socket newSocket = _serverSocket.accept(); |
286 |
Socket newSocket = _serverSocket.accept(); |
| 265 |
if (_dataStore.usingSSL()) |
287 |
if (_dataStore.usingSSL()) |
| 266 |
{ |
288 |
{ |
|
Lines 600-603
|
| 600 |
} |
622 |
} |
| 601 |
|
623 |
|
| 602 |
} |
624 |
} |
|
|
625 |
|
| 626 |
/** |
| 627 |
* Specify cipher patterns to be disabled when using SSL sockets |
| 628 |
* @param cipherPatterns regex patterns of ciphers to disable |
| 629 |
*/ |
| 630 |
public void setDisabledCipherPatterns(String[] cipherPatterns){ |
| 631 |
_disabledCipherPatterns = cipherPatterns; |
| 632 |
} |
| 633 |
|
| 634 |
/** |
| 635 |
* Specify protocol patterns to be disabled when using SSL sockets |
| 636 |
* @param protocolPatterns regex patterns of protocols to disable |
| 637 |
*/ |
| 638 |
public void setDisabledProtocolPatterns(String[] protocolPatterns){ |
| 639 |
_disabledProtocolPatterns = protocolPatterns; |
| 640 |
} |
| 641 |
|
| 642 |
/** |
| 643 |
* Specify ciphers to be enabled when using SSL sockets |
| 644 |
* @param ciphers to enable |
| 645 |
*/ |
| 646 |
public void setEnabledCiphers(String[] ciphers){ |
| 647 |
_enabledCiphers = ciphers; |
| 648 |
} |
| 649 |
|
| 650 |
/** |
| 651 |
* Specify protocols to be enabled when using SSL sockets |
| 652 |
* @param protocols to enable |
| 653 |
*/ |
| 654 |
public void setEnabledProtocols(String[] protocols){ |
| 655 |
_enabledProtocols = protocols; |
| 656 |
} |
| 657 |
|
| 658 |
private String[] filterNames(String[] inNames, String[] filters){ |
| 659 |
List outNames = new ArrayList(); |
| 660 |
for (int n = 0; n < inNames.length; n++){ |
| 661 |
String inName = inNames[n]; |
| 662 |
boolean match = false; |
| 663 |
for (int i = 0; i < filters.length && !match; i++){ |
| 664 |
String filter = filters[i]; |
| 665 |
match = inName.matches(filter); |
| 666 |
} |
| 667 |
if (!match){ |
| 668 |
outNames.add(inName); |
| 669 |
} |
| 670 |
else { |
| 671 |
String cn = getClass().toString(); |
| 672 |
IServerLogger logger = _dataStore.getClient().getLogger(); |
| 673 |
logger.logDebugMessage(cn, "Filtering out: " + inName); //$NON-NLS-1$ |
| 674 |
} |
| 675 |
} |
| 676 |
return (String[])outNames.toArray(new String[outNames.size()]); |
| 677 |
} |
| 678 |
|
| 679 |
private void disableCiphers(SSLServerSocket socket){ |
| 680 |
if (_disabledCipherPatterns != null){ |
| 681 |
String[] enabledSuites = socket.getEnabledCipherSuites(); |
| 682 |
String[] newEnabledSuites = filterNames(enabledSuites, _disabledCipherPatterns); |
| 683 |
|
| 684 |
socket.setEnabledCipherSuites(newEnabledSuites); |
| 685 |
} |
| 686 |
} |
| 687 |
|
| 688 |
private void disableProtocols(SSLServerSocket socket){ |
| 689 |
if (_disabledProtocolPatterns != null){ |
| 690 |
String[] enabledProtocols = socket.getEnabledProtocols(); |
| 691 |
String[] newEnabledProtocols = filterNames(enabledProtocols, _disabledProtocolPatterns); |
| 692 |
socket.setEnabledProtocols(newEnabledProtocols); |
| 693 |
} |
| 694 |
} |
| 695 |
|
| 696 |
private String[] mergeCommon(String[] inNames1, String[] inNames2){ |
| 697 |
List merged = new ArrayList(); |
| 698 |
for (int n = 0; n < inNames1.length; n++){ |
| 699 |
String inName1 = inNames1[n]; |
| 700 |
boolean match = false; |
| 701 |
for (int i = 0; i < inNames2.length && !match; i++){ |
| 702 |
match = inName1.equals(inNames2[i]); |
| 703 |
} |
| 704 |
if (match){ |
| 705 |
merged.add(inName1); |
| 706 |
} |
| 707 |
} |
| 708 |
return (String[])merged.toArray(new String[merged.size()]); |
| 709 |
} |
| 710 |
|
| 711 |
private void enableCiphers(SSLServerSocket socket){ |
| 712 |
if (_enabledCiphers != null){ |
| 713 |
String[] enabledSuites = socket.getEnabledCipherSuites(); |
| 714 |
String[] newEnabledSuites = mergeCommon(enabledSuites, _enabledCiphers); |
| 715 |
if (newEnabledSuites.length > 0){ |
| 716 |
socket.setEnabledCipherSuites(newEnabledSuites); |
| 717 |
} |
| 718 |
} |
| 719 |
} |
| 720 |
|
| 721 |
private void enableProtocols(SSLServerSocket socket){ |
| 722 |
if (_enabledProtocols != null){ |
| 723 |
String[] enabledProtocols = socket.getEnabledProtocols(); |
| 724 |
String[] newEnabledProtocols = mergeCommon(enabledProtocols, _enabledProtocols); |
| 725 |
if (newEnabledProtocols.length > 0){ |
| 726 |
socket.setEnabledCipherSuites(newEnabledProtocols); |
| 727 |
} |
| 728 |
} |
| 729 |
} |
| 603 |
} |
730 |
} |
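Review bot: `enableProtocols` applies its computed protocol list with `setEnabledCipherSuites` (new line 726) instead of `setEnabledProtocols`, so the protocol allowlist never takes effect; a JSSE socket will most likely reject the call with IllegalArgumentException because protocol names are not cipher-suite names, and that exception is raised inside the `try` at new line 272 whose catch is outside this hunk. The line should read `socket.setEnabledProtocols(newEnabledProtocols);`. Separately, both `enableCiphers` and `enableProtocols` silently keep the socket's current, wider set when the intersection is empty (`if (newEnabledSuites.length > 0)`), so a misspelled allowlist widens rather than narrows the configuration; at minimum log that condition through the same `IServerLogger` that `filterNames` uses, or fail closed by applying the empty list. Note also that the allowlist intersects against `getEnabledCipherSuites()`/`getEnabledProtocols()` rather than the supported sets, so `setEnabledCiphers`/`setEnabledProtocols` can only narrow the JSSE defaults, never turn on a suite the provider has disabled — worth stating in those setters' Javadoc, e.g. `Only names already enabled on the socket are retained; this cannot enable suites disabled by the provider.`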