authorJose <jose@zeroc.com>2014-10-21 20:16:27 +0200
committerJose <jose@zeroc.com>2014-10-21 20:16:27 +0200
commit1eb1b665e9c3ef8c2f7b9b06352d634b1f9d0e74 (patch)
treebc554207011272cc7d23eb2211ab74fb4363e045
parentAdded ability to build just java tests against ice installation (diff)
Fixed (ICE-5758) - Disable SSLv3 by default
-rw-r--r--cpp/src/IceSSL/OpenSSLEngine.cpp24
-rw-r--r--cpp/src/IceSSL/SChannelEngine.cpp22
-rw-r--r--cpp/src/IceSSL/SecureTransportEngine.cpp18
-rw-r--r--cpp/test/IceSSL/configuration/.depend.mak6
-rw-r--r--cpp/test/IceSSL/configuration/AllTests.cpp214
-rwxr-xr-xcpp/test/IceSSL/configuration/run.py2
-rw-r--r--cs/src/IceSSL/SSLEngine.cs26
-rw-r--r--cs/test/IceSSL/certs/c_rsa_nopass_ca1.pfxbin1949 -> 1949 bytes
-rw-r--r--cs/test/IceSSL/certs/c_rsa_nopass_ca1_exp.pfxbin1949 -> 1949 bytes
-rw-r--r--cs/test/IceSSL/certs/c_rsa_nopass_ca2.pfxbin1949 -> 1949 bytes
-rw-r--r--cs/test/IceSSL/certs/cacert1.pem24
-rw-r--r--cs/test/IceSSL/certs/cacert2.pem24
-rw-r--r--cs/test/IceSSL/certs/cacert2.pfxbin1973 -> 1973 bytes
-rw-r--r--cs/test/IceSSL/certs/s_rsa_nopass_ca1.pfxbin1981 -> 1981 bytes
-rw-r--r--cs/test/IceSSL/certs/s_rsa_nopass_ca1_cn1.pfxbin1957 -> 1957 bytes
-rw-r--r--cs/test/IceSSL/certs/s_rsa_nopass_ca1_cn2.pfxbin1957 -> 1957 bytes
-rw-r--r--cs/test/IceSSL/certs/s_rsa_nopass_ca1_exp.pfxbin1981 -> 1981 bytes
-rw-r--r--cs/test/IceSSL/certs/s_rsa_nopass_ca2.pfxbin1981 -> 1981 bytes
-rw-r--r--cs/test/IceSSL/configuration/AllTests.cs111
-rw-r--r--java/src/Ice/src/main/java/IceSSL/SSLEngine.java18
-rw-r--r--java/test/IceSSL/configuration/AllTests.java80
21 files changed, 474 insertions, 95 deletions
diff --git a/cpp/src/IceSSL/OpenSSLEngine.cpp b/cpp/src/IceSSL/OpenSSLEngine.cpp
index c53ddbda7ca..75c58f50cf5 100644
--- a/cpp/src/IceSSL/OpenSSLEngine.cpp
+++ b/cpp/src/IceSSL/OpenSSLEngine.cpp
@@ -352,9 +352,16 @@ OpenSSLEngine::initialize()
PropertiesPtr properties = communicator()->getProperties();
//
- // Protocols selects which protocols to enable.
+ // Protocols selects which protocols to enable, by default we only enable TLS1.0
+ // TLS1.1 and TLS1.2 to avoid security issues with SSLv3
//
- const int protocols = parseProtocols(properties->getPropertyAsList(propPrefix + "Protocols"));
+ vector<string> defaultProtocols;
+ defaultProtocols.push_back("tls1_0");
+ defaultProtocols.push_back("tls1_1");
+ defaultProtocols.push_back("tls1_2");
+
+ const int protocols =
+ parseProtocols(properties->getPropertyAsListWithDefault(propPrefix + "Protocols", defaultProtocols));
//
// Create an SSL context if the application hasn't supplied one.
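Review bot: The hard-coded default list `tls1_0`, `tls1_1`, `tls1_2` built on the four `defaultProtocols` lines is repeated verbatim in SChannelEngine::initialize in this commit, and the same set appears again in the C# and Java engines, so any future change to the default set has to be made in four places and the engines can silently drift. A single shared default (one helper or constant that all C++ engines read) would keep the policy in one place. The comment above it would also read better with its clause break restored, e.g. `// Protocols selects which protocols to enable; by default only TLS1.0,` / `// TLS1.1 and TLS1.2 are enabled because of the known weaknesses of SSLv3.`. OpenSSLEngine::initialize continues outside the hunk.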
@@ -901,27 +908,26 @@ OpenSSLEngine::parseProtocols(const StringSeq& protocols) const
for(Ice::StringSeq::const_iterator p = protocols.begin(); p != protocols.end(); ++p)
{
- string prot = *p;
-
- if(prot == "ssl3" || prot == "sslv3")
+ string prot = IceUtilInternal::toUpper(*p);
+ if(prot == "SSL3" || prot == "SSLV3")
{
v |= SSLv3;
}
- else if(prot == "tls" || prot == "tls1" || prot == "tlsv1" || prot == "tls1_0" || prot == "tlsv1_0")
+ else if(prot == "TLS" || prot == "TLS1" || prot == "TLSV1" || prot == "TLS1_0" || prot == "TLSV1_0")
{
v |= TLSv1_0;
}
- else if(prot == "tls1_1" || prot == "tlsv1_1")
+ else if(prot == "TLS1_1" || prot == "TLSV1_1")
{
v |= TLSv1_1;
}
- else if(prot == "tls1_2" || prot == "tlsv1_2")
+ else if(prot == "TLS1_2" || prot == "TLSV1_2")
{
v |= TLSv1_2;
}
else
{
- throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: unrecognized protocol `" + prot + "'");
+ throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: unrecognized protocol `" + *p + "'");
}
}
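Review bot: `prot` is never modified after the `toUpper` call, so it should be `const string prot = IceUtilInternal::toUpper(*p);`, matching the `const string prot` form this commit uses in SecureTransportEngine's parseProtocol; the same applies to the SChannelEngine parseProtocols hunk. The loop also now drops the blank line that separated the normalisation from the comparison chain, which the SChannel version keeps; either form is fine but the two copies should agree. OpenSSLEngine::parseProtocols starts outside the hunk.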
diff --git a/cpp/src/IceSSL/SChannelEngine.cpp b/cpp/src/IceSSL/SChannelEngine.cpp
index 595a85aa220..bef93424650 100644
--- a/cpp/src/IceSSL/SChannelEngine.cpp
+++ b/cpp/src/IceSSL/SChannelEngine.cpp
@@ -93,31 +93,31 @@ parseProtocols(const StringSeq& protocols)
for(Ice::StringSeq::const_iterator p = protocols.begin(); p != protocols.end(); ++p)
{
- string prot = *p;
+ string prot = IceUtilInternal::toUpper(*p);
- if(prot == "ssl3" || prot == "sslv3")
+ if(prot == "SSL3" || prot == "SSLV3")
{
v |= SP_PROT_SSL3_SERVER;
v |= SP_PROT_SSL3_CLIENT;
}
- else if(prot == "tls" || prot == "tls1" || prot == "tlsv1" || prot == "tls1_0" || prot == "tlsv1_0")
+ else if(prot == "TLS" || prot == "TLS1" || prot == "TLSV1" || prot == "TLS1_0" || prot == "TLSV1_0")
{
v |= SP_PROT_TLS1_SERVER;
v |= SP_PROT_TLS1_CLIENT;
}
- else if(prot == "tls1_1" || prot == "tlsv1_1")
+ else if(prot == "TLS1_1" || prot == "TLSV1_1")
{
v |= SP_PROT_TLS1_1_SERVER;
v |= SP_PROT_TLS1_1_CLIENT;
}
- else if(prot == "tls1_2" || prot == "tlsv1_2")
+ else if(prot == "TLS1_2" || prot == "TLSV1_2")
{
v |= SP_PROT_TLS1_2_SERVER;
v |= SP_PROT_TLS1_2_CLIENT;
}
else
{
- throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: unrecognized protocol `" + prot + "'");
+ throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: unrecognized protocol `" + *p + "'");
}
}
@@ -182,9 +182,15 @@ SChannelEngine::initialize()
const PropertiesPtr properties = communicator()->getProperties();
//
- // Protocols selects which protocols to enable.
+ // Protocols selects which protocols to enable, by default we only enable TLS1.0
+ // TLS1.1 and TLS1.2 to avoid security issues with SSLv3
//
- const_cast<DWORD&>(_protocols) = parseProtocols(properties->getPropertyAsList(prefix + "Protocols"));
+ vector<string> defaultProtocols;
+ defaultProtocols.push_back("tls1_0");
+ defaultProtocols.push_back("tls1_1");
+ defaultProtocols.push_back("tls1_2");
+ const_cast<DWORD&>(_protocols) =
+ parseProtocols(properties->getPropertyAsListWithDefault(prefix + "Protocols", defaultProtocols));
//
// Check for a default directory. We look in this directory for
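Review bot: The assignment `const_cast<DWORD&>(_protocols) = parseProtocols(...)` writes through a `const_cast`, which is undefined behaviour if `_protocols` is declared as a `const` data member (its declaration is outside this hunk, so this is inferred from the cast itself). If the intent is a write-once field set during initialize(), the cleaner fix is to drop the `const` on the member and make the accessor `const` instead, so the initialisation becomes a plain `_protocols = parseProtocols(...)`. SChannelEngine::initialize continues outside the hunk.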
diff --git a/cpp/src/IceSSL/SecureTransportEngine.cpp b/cpp/src/IceSSL/SecureTransportEngine.cpp
index 743347feb67..8d255f24124 100644
--- a/cpp/src/IceSSL/SecureTransportEngine.cpp
+++ b/cpp/src/IceSSL/SecureTransportEngine.cpp
@@ -751,27 +751,28 @@ CiphersHelper::ciphers()
}
SSLProtocol
-parseProtocol(const string& prot)
+parseProtocol(const string& p)
{
- if(prot == "ssl3" || prot == "sslv3")
+ const string prot = IceUtilInternal::toUpper(p);
+ if(prot == "SSL3" || prot == "SSLV3")
{
return kSSLProtocol3;
}
- else if(prot == "tls" || prot == "tls1" || prot == "tlsv1" || prot == "tls1_0" || prot == "tlsv1_0")
+ else if(prot == "TLS" || prot == "TLS1" || prot == "TLSV1" || prot == "TLS1_0" || prot == "TLSV1_0")
{
return kTLSProtocol1;
}
- else if(prot == "tls1_1" || prot == "tlsv1_1")
+ else if(prot == "TLS1_1" || prot == "TLSV1_1")
{
return kTLSProtocol11;
}
- else if(prot == "tls1_2" || prot == "tlsv1_2")
+ else if(prot == "TLS1_2" || prot == "TLSV1_2")
{
return kTLSProtocol12;
}
else
{
- throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: unrecognized protocol `" + prot + "'");
+ throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: unrecognized protocol `" + p + "'");
}
}
@@ -1212,7 +1213,10 @@ IceSSL::SecureTransportEngine::initialize()
_protocolVersionMax = parseProtocol(protocolVersionMax);
}
- const string protocolVersionMin = properties->getProperty(propPrefix + "ProtocolVersionMin");
+ //
+ // The default min protocol version is set to TLS1.0 to avoid security issues with SSLv3
+ //
+ const string protocolVersionMin = properties->getPropertyWithDefault(propPrefix + "ProtocolVersionMin", "tls1_0");
if(!protocolVersionMin.empty())
{
_protocolVersionMin = parseProtocol(protocolVersionMin);
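Review bot: With `ProtocolVersionMin` now defaulting to `tls1_0` while `ProtocolVersionMax` (parsed a few lines above the hunk) has no default, a configuration that sets only `ProtocolVersionMax=ssl3` yields a minimum above the maximum, and the failure presumably surfaces later as an opaque handshake error rather than at plugin initialisation. If the two parsed values can be compared as an ordered range, a check after both are parsed, throwing `PluginInitializationException` with a message naming both properties, would make the misconfiguration obvious. The `if(!protocolVersionMin.empty())` guard is also only reachable with an explicitly set property now, which is worth a comment such as `// Always non-empty unless the property is explicitly set to an empty value.`; IceSSL::SecureTransportEngine::initialize continues outside the hunk.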
diff --git a/cpp/test/IceSSL/configuration/.depend.mak b/cpp/test/IceSSL/configuration/.depend.mak
index a09fc686430..0b7721e0916 100644
--- a/cpp/test/IceSSL/configuration/.depend.mak
+++ b/cpp/test/IceSSL/configuration/.depend.mak
@@ -320,9 +320,6 @@ AllTests.obj: \
"$(includedir)\IceUtil\RecMutex.h" \
"$(includedir)\IceUtil\UUID.h" \
"Test.h" \
- "Util.h" \
- "$(includedir)\IceSSL\IceSSL.h" \
- "$(includedir)\IceSSL\EndpointInfo.h" \
TestI.obj: \
TestI.cpp \
@@ -450,9 +447,6 @@ TestI.obj: \
"$(includedir)\IceSSL\Plugin.h" \
"$(includedir)\IceSSL\Config.h" \
"$(includedir)\IceSSL\ConnectionInfo.h" \
- "Util.h" \
- "$(includedir)\IceSSL\IceSSL.h" \
- "$(includedir)\IceSSL\EndpointInfo.h" \
Server.obj: \
Server.cpp \
diff --git a/cpp/test/IceSSL/configuration/AllTests.cpp b/cpp/test/IceSSL/configuration/AllTests.cpp
index 2a6f922d385..64cbda75975 100644
--- a/cpp/test/IceSSL/configuration/AllTests.cpp
+++ b/cpp/test/IceSSL/configuration/AllTests.cpp
@@ -11,7 +11,6 @@
#include <IceSSL/Plugin.h>
#include <TestCommon.h>
#include <Test.h>
-#include <Util.h>
#include <fstream>
using namespace std;
@@ -1137,15 +1136,15 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool pfx, b
Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
test(fact);
Test::Properties d = createServerProps(defaultProperties, defaultDir, defaultHost, pfx);
- initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem");
+ d["IceSSL.CertAuthFile"] = "cacert1.pem";
if(pfx)
{
- initData.properties->setProperty("IceSSL.CertFile", "s_rsa_ca1.pfx");
+ d["IceSSL.CertFile"] = "s_rsa_ca1.pfx";
}
else
{
- initData.properties->setProperty("IceSSL.CertFile", "s_rsa_nopass_ca1_pub.pem");
- initData.properties->setProperty("IceSSL.KeyFile", "s_rsa_nopass_ca1_priv.pem");
+ d["IceSSL.CertFile"] = "s_rsa_nopass_ca1_pub.pem";
+ d["IceSSL.KeyFile"] = "s_rsa_nopass_ca1_priv.pem";
}
d["IceSSL.VerifyPeer"] = "0";
d["IceSSL.Protocols"] = "tls";
@@ -1201,6 +1200,102 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool pfx, b
}
fact->destroyServer(server);
comm->destroy();
+
+ //
+ // This should fail because the client only accept SSLv3 and the server
+ // use the default protocol set that disables SSLv3
+ //
+ {
+ InitializationData initData;
+ initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost, pfx);
+ initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem");
+ if(pfx)
+ {
+ initData.properties->setProperty("IceSSL.CertFile", "c_rsa_ca1.pfx");
+ }
+ else
+ {
+ initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem");
+ initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem");
+ }
+ initData.properties->setProperty("IceSSL.VerifyPeer", "0");
+ initData.properties->setProperty("IceSSL.Protocols", "ssl3");
+ CommunicatorPtr comm = initialize(initData);
+
+ Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
+ test(fact);
+ Test::Properties d = createServerProps(defaultProperties, defaultDir, defaultHost, pfx);
+ d["IceSSL.CertAuthFile"] = "cacert1.pem";
+ if(pfx)
+ {
+ d["IceSSL.CertFile"] = "s_rsa_ca1.pfx";
+ }
+ else
+ {
+ d["IceSSL.CertFile"] = "s_rsa_nopass_ca1_pub.pem";
+ d["IceSSL.KeyFile"] = "s_rsa_nopass_ca1_priv.pem";
+ }
+ d["IceSSL.VerifyPeer"] = "0";
+ Test::ServerPrx server = fact->createServer(d);
+ try
+ {
+ server->ice_ping();
+ test(false);
+ }
+ catch(const ProtocolException&)
+ {
+ // Expected on some platforms.
+ }
+ catch(const ConnectionLostException&)
+ {
+ // Expected on some platforms.
+ }
+ catch(const LocalException&)
+ {
+ test(false);
+ }
+ fact->destroyServer(server);
+ comm->destroy();
+ }
+
+ //
+ // This should success because both have SSLv3 enabled
+ //
+ {
+ InitializationData initData;
+ initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost, pfx);
+ initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem");
+ initData.properties->setProperty("IceSSL.Protocols", "ssl3");
+ CommunicatorPtr comm = initialize(initData);
+
+ Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
+ test(fact);
+ Test::Properties d = createServerProps(defaultProperties, defaultDir, defaultHost, pfx);
+ d["IceSSL.CertAuthFile"] = "cacert1.pem";
+ if(pfx)
+ {
+ d["IceSSL.CertFile"] = "s_rsa_ca1.pfx";
+ }
+ else
+ {
+ d["IceSSL.CertFile"] = "s_rsa_nopass_ca1_pub.pem";
+ d["IceSSL.KeyFile"] = "s_rsa_nopass_ca1_priv.pem";
+ }
+ d["IceSSL.VerifyPeer"] = "0";
+ d["IceSSL.Protocols"] = "ssl3, tls, tls1_1, tls1_2";
+ Test::ServerPrx server = fact->createServer(d);
+ try
+ {
+ server->ice_ping();
+ }
+ catch(const LocalException& ex)
+ {
+ cerr << ex << endl;
+ test(false);
+ }
+ fact->destroyServer(server);
+ comm->destroy();
+ }
#else
//
// This should fail because the client and server have no protocol
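Review bot: The new cases cover only one direction of the default policy (an SSLv3-only client against a server using the default set); the mirror case, a server configured with `IceSSL.Protocols=ssl3` against a client using the default set, is not tested, so a regression that re-enables SSLv3 on the client side alone would pass. The same gap exists in the `#else` variant in the next hunk, where the mirror would set `d["IceSSL.ProtocolVersionMax"] = "ssl3"` on the server only. In the second block the client sets no `IceSSL.CertFile`/`KeyFile`, unlike the first block; that is presumably fine because the server runs with `VerifyPeer=0`, but a comment saying so would stop a reader from thinking it is an omission. The comments also read better as `// This should fail because the client only accepts SSLv3 and the server` and `// This should succeed because both have SSLv3 enabled`; allTests continues outside the hunk.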
@@ -1263,6 +1358,113 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool pfx, b
}
fact->destroyServer(server);
comm->destroy();
+
+ //
+ // This should fail because the client only accept SSLv3 and the server
+ // use the default protocol set that disables SSLv3
+ //
+ {
+ InitializationData initData;
+ initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost, pfx);
+ initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem");
+ if(pfx)
+ {
+ initData.properties->setProperty("IceSSL.CertFile", "c_rsa_ca1.pfx");
+ }
+ else
+ {
+ initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem");
+ initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem");
+ }
+ initData.properties->setProperty("IceSSL.VerifyPeer", "0");
+ initData.properties->setProperty("IceSSL.ProtocolVersionMin", "ssl3");
+ initData.properties->setProperty("IceSSL.ProtocolVersionMax", "ssl3");
+ CommunicatorPtr comm = initialize(initData);
+
+ Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
+ test(fact);
+ Test::Properties d = createServerProps(defaultProperties, defaultDir, defaultHost, pfx);
+ d["IceSSL.CertAuthFile"] = "cacert1.pem";
+ if(pfx)
+ {
+ d["IceSSL.CertFile"] = "s_rsa_ca1.pfx";
+ }
+ else
+ {
+ d["IceSSL.CertFile"] = "s_rsa_nopass_ca1_pub.pem";
+ d["IceSSL.KeyFile"] = "s_rsa_nopass_ca1_priv.pem";
+ }
+ d["IceSSL.VerifyPeer"] = "0";
+ Test::ServerPrx server = fact->createServer(d);
+ try
+ {
+ server->ice_ping();
+ test(false);
+ }
+ catch(const ProtocolException&)
+ {
+ // Expected on some platforms.
+ }
+ catch(const ConnectionLostException&)
+ {
+ // Expected on some platforms.
+ }
+ catch(const LocalException&)
+ {
+ test(false);
+ }
+ fact->destroyServer(server);
+ comm->destroy();
+ }
+
+ //
+ // This should success because both have SSLv3 enabled
+ //
+ {
+ InitializationData initData;
+ initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost, pfx);
+ initData.properties->setProperty("IceSSL.CertAuthFile", "cacert1.pem");
+ if(pfx)
+ {
+ initData.properties->setProperty("IceSSL.CertFile", "c_rsa_ca1.pfx");
+ }
+ else
+ {
+ initData.properties->setProperty("IceSSL.CertFile", "c_rsa_nopass_ca1_pub.pem");
+ initData.properties->setProperty("IceSSL.KeyFile", "c_rsa_nopass_ca1_priv.pem");
+ }
+ initData.properties->setProperty("IceSSL.VerifyPeer", "0");
+ initData.properties->setProperty("IceSSL.ProtocolVersionMin", "ssl3");
+ initData.properties->setProperty("IceSSL.ProtocolVersionMax", "ssl3");
+ CommunicatorPtr comm = initialize(initData);
+
+ Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
+ test(fact);
+ Test::Properties d = createServerProps(defaultProperties, defaultDir, defaultHost, pfx);
+ d["IceSSL.CertAuthFile"] = "cacert1.pem";
+ if(pfx)
+ {
+ d["IceSSL.CertFile"] = "s_rsa_ca1.pfx";
+ }
+ else
+ {
+ d["IceSSL.CertFile"] = "s_rsa_nopass_ca1_pub.pem";
+ d["IceSSL.KeyFile"] = "s_rsa_nopass_ca1_priv.pem";
+ }
+ d["IceSSL.VerifyPeer"] = "0";
+ d["IceSSL.ProtocolVersionMin"] = "ssl3";
+ Test::ServerPrx server = fact->createServer(d);
+ try
+ {
+ server->ice_ping();
+ }
+ catch(const LocalException&)
+ {
+ test(false);
+ }
+ fact->destroyServer(server);
+ comm->destroy();
+ }
#endif
}
cout << "ok" << endl;
@@ -1574,7 +1776,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool pfx, b
IceSSL::NativeConnectionInfoPtr::dynamicCast(server->ice_getConnection()->getInfo());
test(info->cipher.compare(0, cipherSub.size(), cipherSub) == 0);
}
- catch(const LocalException&)
+ catch(const LocalException& ex)
{
//
// OS X 10.10 bug the handshake fails attempting client auth
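Review bot: Naming the exception as `catch(const LocalException& ex)` only makes sense if `ex` is used in the handler body, which lies outside the hunk; if it is not, this change introduces an unused-variable warning in a test that is otherwise warning-free. If the intent is to print it as the new C# tests do, add `cerr << ex << endl;` before the `test(false)`, otherwise keep the unnamed form.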
diff --git a/cpp/test/IceSSL/configuration/run.py b/cpp/test/IceSSL/configuration/run.py
index 61da2e86b04..37e92428317 100755
--- a/cpp/test/IceSSL/configuration/run.py
+++ b/cpp/test/IceSSL/configuration/run.py
@@ -27,8 +27,8 @@ keychainPath = os.path.abspath(os.path.join(certsPath, "Find.keychain"))
def keychainCleanup():
os.system("rm -rf %s ../certs/keychain" % keychainPath)
-atexit.register(keychainCleanup)
if TestUtil.isDarwin():
+ atexit.register(keychainCleanup)
keychainCleanup()
os.system("mkdir -p ../certs/keychain")
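Review bot: `keychainCleanup` still passes `keychainPath` unquoted into a shell string (`rm -rf %s ../certs/keychain`), so a checkout path containing whitespace or shell metacharacters splits the command and deletes the wrong thing; this predates the commit but it is now registered only on Darwin, where such paths are common. Replacing the `os.system` call with `subprocess.call(["rm", "-rf", keychainPath, "../certs/keychain"])` (or `shutil.rmtree` with `ignore_errors=True`) removes the shell from the path entirely. The same applies to the `mkdir -p` call on the last line of the hunk.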
diff --git a/cs/src/IceSSL/SSLEngine.cs b/cs/src/IceSSL/SSLEngine.cs
index 1b27ffe1565..3b0de0d63ac 100644
--- a/cs/src/IceSSL/SSLEngine.cs
+++ b/cs/src/IceSSL/SSLEngine.cs
@@ -31,6 +31,16 @@ namespace IceSSL
_securityTraceCategory = "Security";
_initialized = false;
_trustManager = new TrustManager(_communicator);
+
+ _tls12Support = false;
+ try
+ {
+ Enum.Parse(typeof(System.Security.Authentication.SslProtocols), "Tls12");
+ _tls12Support = true;
+ }
+ catch(Exception)
+ {
+ }
}
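Review bot: The feature probe uses `Enum.Parse` inside a `try`/`catch(Exception)` to detect `Tls12`, which relies on an exception for control flow and also swallows any unrelated failure. `Enum.IsDefined` answers the same question without throwing: `_tls12Support = Enum.IsDefined(typeof(System.Security.Authentication.SslProtocols), "Tls12");` replaces the whole try block. If the try form is kept, narrow the handler to `catch(ArgumentException)`, which is what `Enum.Parse` throws for an unknown name.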
internal void initialize()
@@ -93,10 +103,13 @@ namespace IceSSL
}
//
- // Select protocols.
+ // Protocols selects which protocols to enable, by default we only enable TLS1.0
+ // TLS1.1 and TLS1.2 to avoid security issues with SSLv3
//
- _protocols = parseProtocols(prefix + "Protocols");
-
+ _protocols = parseProtocols(
+ properties.getPropertyAsListWithDefault(prefix + "Protocols",
+ _tls12Support ? new string[]{"TLS1_0", "TLS1_1", "TLS1_2"} :
+ new string[]{"TLS1_0", "TLS1_1"}));
//
// CheckCertName determines whether we compare the name in a peer's
// certificate against its hostname.
@@ -896,10 +909,10 @@ namespace IceSSL
return (string[])l.ToArray(typeof(string));
}
- private SslProtocols parseProtocols(string property)
+ private SslProtocols parseProtocols(string[] arr)
{
SslProtocols result = SslProtocols.Default;
- string[] arr = _communicator.getProperties().getPropertyAsList(property);
+
if(arr.Length > 0)
{
result = 0;
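Review bot: When `arr` is empty, `result` stays `SslProtocols.Default`, and on the .NET Framework of this era `SslProtocols.Default` is `Ssl3 | Tls`, so an explicitly empty `IceSSL.Protocols` value (if the property layer passes one through rather than treating it as unset) silently re-enables SSLv3 despite the new default in initialize(). Consider making the empty-list fallback the same TLS-only set the caller now passes, e.g. `SslProtocols result = SslProtocols.Tls;` extended with Tls11/Tls12 where supported, and documenting on the method that an empty array means "use the built-in TLS-only default". parseProtocols continues outside the hunk.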
@@ -917,7 +930,9 @@ namespace IceSSL
}
case "TLS":
case "TLS1":
+ case "TLS1_0":
case "TLSV1":
+ case "TLSV1_0":
{
protocol = "Tls";
break;
@@ -1186,5 +1201,6 @@ namespace IceSSL
private CertificateVerifier _verifier;
private PasswordCallback _passwordCallback;
private TrustManager _trustManager;
+ private bool _tls12Support;
}
}
diff --git a/cs/test/IceSSL/certs/c_rsa_nopass_ca1.pfx b/cs/test/IceSSL/certs/c_rsa_nopass_ca1.pfx
index e167f323e18..2f8c19f0a74 100644
--- a/cs/test/IceSSL/certs/c_rsa_nopass_ca1.pfx
+++ b/cs/test/IceSSL/certs/c_rsa_nopass_ca1.pfx
Binary files differ
diff --git a/cs/test/IceSSL/certs/c_rsa_nopass_ca1_exp.pfx b/cs/test/IceSSL/certs/c_rsa_nopass_ca1_exp.pfx
index 8bad53f8b1e..30f06e76592 100644
--- a/cs/test/IceSSL/certs/c_rsa_nopass_ca1_exp.pfx
+++ b/cs/test/IceSSL/certs/c_rsa_nopass_ca1_exp.pfx
Binary files differ
diff --git a/cs/test/IceSSL/certs/c_rsa_nopass_ca2.pfx b/cs/test/IceSSL/certs/c_rsa_nopass_ca2.pfx
index 9dda17bf4ec..922ed17dd5b 100644
--- a/cs/test/IceSSL/certs/c_rsa_nopass_ca2.pfx
+++ b/cs/test/IceSSL/certs/c_rsa_nopass_ca2.pfx
Binary files differ
diff --git a/cs/test/IceSSL/certs/cacert1.pem b/cs/test/IceSSL/certs/cacert1.pem
index 224da8829f6..05771c456b1 100644
--- a/cs/test/IceSSL/certs/cacert1.pem
+++ b/cs/test/IceSSL/certs/cacert1.pem
@@ -1,22 +1,22 @@
-----BEGIN CERTIFICATE-----
-MIIDtTCCAx6gAwIBAgIJAJQxcKxQahWZMA0GCSqGSIb3DQEBBAUAMIGZMQswCQYD
+MIIDtTCCAx6gAwIBAgIJAM6KZ+2Wb362MA0GCSqGSIb3DQEBCwUAMIGZMQswCQYD
VQQGEwJVUzEQMA4GA1UECBMHRmxvcmlkYTEbMBkGA1UEBxMSUGFsbSBCZWFjaCBH
YXJkZW5zMRQwEgYDVQQKEwtaZXJvQywgSW5jLjEMMAoGA1UECxMDSWNlMRgwFgYD
VQQDEw9aZXJvQyBUZXN0IENBIDExHTAbBgkqhkiG9w0BCQEWDmluZm9AemVyb2Mu
-Y29tMB4XDTEwMDMxNzE0NTAzM1oXDTIwMDMxNDE0NTAzM1owgZkxCzAJBgNVBAYT
+Y29tMB4XDTE0MDgxOTE0NDAzN1oXDTI0MDgxNjE0NDAzN1owgZkxCzAJBgNVBAYT
AlVTMRAwDgYDVQQIEwdGbG9yaWRhMRswGQYDVQQHExJQYWxtIEJlYWNoIEdhcmRl
bnMxFDASBgNVBAoTC1plcm9DLCBJbmMuMQwwCgYDVQQLEwNJY2UxGDAWBgNVBAMT
D1plcm9DIFRlc3QgQ0EgMTEdMBsGCSqGSIb3DQEJARYOaW5mb0B6ZXJvYy5jb20w
-gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKjr2OoeWxpC48D2b3pv6EADXwT4
-1tZr5JilYnUbwpf9D2UWtmB1cwdVHkmpGgEs5nx4hl9+4TXuCNQAG7j9YWIPrBei
-8bshMC8Ndp41i433Ybzn2LmzqFEcs32LoShwjB3vhH4jNMC2SchiBOXHR9Muobtd
-lQi02oadqeK1skOxAgMBAAGjggEBMIH+MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYE
-FKLZgCrkkY4Lhbfk1ShiT8fJi+jRMIHOBgNVHSMEgcYwgcOAFKLZgCrkkY4Lhbfk
-1ShiT8fJi+jRoYGfpIGcMIGZMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHRmxvcmlk
+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM5Xr7rTd7Y8jiC2ofNBRIFwgdzx
+yH3Q6hg8/RHj1aIbavSHZcsBpJb+VUKmuL7TaSQWsgdvjQeZOhQlPe/wy4cC2bqK
+qZ5pDo8ELoTf99xFyrrGFfRlQSk17gOH/YTkzrj9HZcqYt3jIxCpiKOLOVb6NVOG
+HhO7YOZcTEulBnTTAgMBAAGjggEBMIH+MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYE
+FBP6cmf+NAWayT5h0pHWugNlG4qaMIHOBgNVHSMEgcYwgcOAFBP6cmf+NAWayT5h
+0pHWugNlG4qaoYGfpIGcMIGZMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHRmxvcmlk
YTEbMBkGA1UEBxMSUGFsbSBCZWFjaCBHYXJkZW5zMRQwEgYDVQQKEwtaZXJvQywg
SW5jLjEMMAoGA1UECxMDSWNlMRgwFgYDVQQDEw9aZXJvQyBUZXN0IENBIDExHTAb
-BgkqhkiG9w0BCQEWDmluZm9AemVyb2MuY29tggkAlDFwrFBqFZkwDQYJKoZIhvcN
-AQEEBQADgYEAGjLQC2Syy/mI5b7Ggl50sHxhkPvnGJIRwV+MAsv0iUZ/r/RKiPGr
-lAOi3ypiR4G20AYpx5qO3J0tY+hmTY5Wq6jsVsHVDoSftnUIESyayEoy6KEOZU1s
-GLCJ+/EZ7ap7+SYxb3tjYAupcO9gSK07b2Hxi6n1cGFNHD7O+k6Ca+k=
+BgkqhkiG9w0BCQEWDmluZm9AemVyb2MuY29tggkAzopn7ZZvfrYwDQYJKoZIhvcN
+AQELBQADgYEAR6KQ9Fn0mxzPoglWYFlIlZqCsREFSTgJIa3i/5fdp3oWKVkGguHc
+tcGEdC4OzDQ+7FQNzGVbTetrKnPm6TamiGOXpvjz2loToAq8Q9L2Ppw+lI/XFExY
+thaS2Vffcj+sJE5KEBJYMonEuVBj+2Qc/Vkdwr2VfSoFttiKHfphgog=
-----END CERTIFICATE-----
diff --git a/cs/test/IceSSL/certs/cacert2.pem b/cs/test/IceSSL/certs/cacert2.pem
index f63b05fd929..fc30d9970b7 100644
--- a/cs/test/IceSSL/certs/cacert2.pem
+++ b/cs/test/IceSSL/certs/cacert2.pem
@@ -1,22 +1,22 @@
-----BEGIN CERTIFICATE-----
-MIIDtTCCAx6gAwIBAgIJAMUVxdyE24rJMA0GCSqGSIb3DQEBBAUAMIGZMQswCQYD
+MIIDtTCCAx6gAwIBAgIJAMlvEbSZWNrDMA0GCSqGSIb3DQEBCwUAMIGZMQswCQYD
VQQGEwJVUzEQMA4GA1UECBMHRmxvcmlkYTEbMBkGA1UEBxMSUGFsbSBCZWFjaCBH
YXJkZW5zMRQwEgYDVQQKEwtaZXJvQywgSW5jLjEMMAoGA1UECxMDSWNlMRgwFgYD
VQQDEw9aZXJvQyBUZXN0IENBIDIxHTAbBgkqhkiG9w0BCQEWDmluZm9AemVyb2Mu
-Y29tMB4XDTEwMDMxNzE0NTAzM1oXDTIwMDMxNDE0NTAzM1owgZkxCzAJBgNVBAYT
+Y29tMB4XDTE0MDgxOTE0NDAzN1oXDTI0MDgxNjE0NDAzN1owgZkxCzAJBgNVBAYT
AlVTMRAwDgYDVQQIEwdGbG9yaWRhMRswGQYDVQQHExJQYWxtIEJlYWNoIEdhcmRl
bnMxFDASBgNVBAoTC1plcm9DLCBJbmMuMQwwCgYDVQQLEwNJY2UxGDAWBgNVBAMT
D1plcm9DIFRlc3QgQ0EgMjEdMBsGCSqGSIb3DQEJARYOaW5mb0B6ZXJvYy5jb20w
-gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALaAI4V1BCJT/7basy1ws8sf7Am0
-T+avRuxr9/7QZ17F6J4rFW6SRYvjw2z03eN6+YuZBaocozUxt9TkI0sDhc1+Dr7p
-j7mj+NoGjjSb7AMwQWu6rLEwD1SRCdewTMOQQ1ntHrCm5thhFxyahqhEXipBdfET
-/26f+QZphtaTCSxFAgMBAAGjggEBMIH+MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYE
-FClxCfTPV07zPCt/Sc5Pf2RFzl8FMIHOBgNVHSMEgcYwgcOAFClxCfTPV07zPCt/
-Sc5Pf2RFzl8FoYGfpIGcMIGZMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHRmxvcmlk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-BgkqhkiG9w0BCQEWDmluZm9AemVyb2MuY29tggkAxRXF3ITbiskwDQYJKoZIhvcN
-AQEEBQADgYEAf96l4YCA6Q/CloSoSZdnxVRpUUb8OlyEISRNYVef51KXUjeQ8Kj1
-kza7n/RcCWUS0uaAqAiOEINc4JnQYNNSP+2BXcBqd0imwBOpS+itW0fmGyWFiBaA
-mtPmLuRxEl7sYfP4KTafLLLOan3pegeoz7g4OqHMsmG30fLgU+CcWBQ=
+BgkqhkiG9w0BCQEWDmluZm9AemVyb2MuY29tggkAyW8RtJlY2sMwDQYJKoZIhvcN
+AQELBQADgYEAloK0g6Z1d/urq2kK8vyHJ1ngRGB5KTz8Uy0L74owl61XTyvx5jFd
+pCjTvxTYIviKmzfbLZz9eq5gmOfByZTZMaGKEC9hZ6jU89gFDny41n4d2dRiZlX8
+IwMXk4hKy2qJil0GElX3+zcRDbHv05t9TowWwNRJdKDMY+5KmuGYgW4=
-----END CERTIFICATE-----
diff --git a/cs/test/IceSSL/certs/cacert2.pfx b/cs/test/IceSSL/certs/cacert2.pfx
index 63d4ddffb1a..fbc0b9c0771 100644
--- a/cs/test/IceSSL/certs/cacert2.pfx
+++ b/cs/test/IceSSL/certs/cacert2.pfx
Binary files differ
diff --git a/cs/test/IceSSL/certs/s_rsa_nopass_ca1.pfx b/cs/test/IceSSL/certs/s_rsa_nopass_ca1.pfx
index 4cac9d6719c..d4da4b14be9 100644
--- a/cs/test/IceSSL/certs/s_rsa_nopass_ca1.pfx
+++ b/cs/test/IceSSL/certs/s_rsa_nopass_ca1.pfx
Binary files differ
diff --git a/cs/test/IceSSL/certs/s_rsa_nopass_ca1_cn1.pfx b/cs/test/IceSSL/certs/s_rsa_nopass_ca1_cn1.pfx
index c0cf4b156f4..abaf88af9cb 100644
--- a/cs/test/IceSSL/certs/s_rsa_nopass_ca1_cn1.pfx
+++ b/cs/test/IceSSL/certs/s_rsa_nopass_ca1_cn1.pfx
Binary files differ
diff --git a/cs/test/IceSSL/certs/s_rsa_nopass_ca1_cn2.pfx b/cs/test/IceSSL/certs/s_rsa_nopass_ca1_cn2.pfx
index 7ad4d37419d..b87113ebccf 100644
--- a/cs/test/IceSSL/certs/s_rsa_nopass_ca1_cn2.pfx
+++ b/cs/test/IceSSL/certs/s_rsa_nopass_ca1_cn2.pfx
Binary files differ
diff --git a/cs/test/IceSSL/certs/s_rsa_nopass_ca1_exp.pfx b/cs/test/IceSSL/certs/s_rsa_nopass_ca1_exp.pfx
index df56f67c84d..db463ca3d75 100644
--- a/cs/test/IceSSL/certs/s_rsa_nopass_ca1_exp.pfx
+++ b/cs/test/IceSSL/certs/s_rsa_nopass_ca1_exp.pfx
Binary files differ
diff --git a/cs/test/IceSSL/certs/s_rsa_nopass_ca2.pfx b/cs/test/IceSSL/certs/s_rsa_nopass_ca2.pfx
index 8303851b776..8ba6e819bd6 100644
--- a/cs/test/IceSSL/certs/s_rsa_nopass_ca2.pfx
+++ b/cs/test/IceSSL/certs/s_rsa_nopass_ca2.pfx
Binary files differ
diff --git a/cs/test/IceSSL/configuration/AllTests.cs b/cs/test/IceSSL/configuration/AllTests.cs
index ca0c8868077..8bb36fa5f17 100644
--- a/cs/test/IceSSL/configuration/AllTests.cs
+++ b/cs/test/IceSSL/configuration/AllTests.cs
@@ -20,7 +20,7 @@ public class AllTests
{
private static void test(bool b)
{
- if (!b)
+ if(!b)
{
throw new Exception();
}
@@ -50,6 +50,7 @@ public class AllTests
{
result.properties.setProperty("Ice.Default.Host", defaultHost);
}
+ //result.properties.setProperty("IceSSL.Trace.Security", "1");
return result;
}
@@ -66,6 +67,7 @@ public class AllTests
{
result["Ice.Default.Host"] = defaultHost;
}
+ //result["IceSSL.Trace.Security"] = "1";
return result;
}
@@ -255,8 +257,8 @@ public class AllTests
{
server.noCert();
}
- catch(Ice.LocalException)
- {
+ catch(Ice.LocalException ex)
+ { Console.WriteLine(ex.ToString());
test(false);
}
//
@@ -268,8 +270,9 @@ public class AllTests
(IceSSL.NativeConnectionInfo)server.ice_getConnection().getInfo();
test(info.certs != null);
}
- catch(Ice.LocalException)
+ catch(Ice.LocalException ex)
{
+ Console.WriteLine(ex.ToString());
test(false);
}
fact.destroyServer(server);
@@ -294,8 +297,9 @@ public class AllTests
{
// Expected.
}
- catch(Ice.LocalException)
+ catch(Ice.LocalException ex)
{
+ Console.WriteLine(ex.ToString());
test(false);
}
fact.destroyServer(server);
@@ -332,8 +336,9 @@ public class AllTests
test(caCert.Equals(info.nativeCerts[1]));
test(serverCert.Equals(info.nativeCerts[0]));
}
- catch(Exception)
+ catch(Exception ex)
{
+ Console.WriteLine(ex.ToString());
test(false);
}
fact.destroyServer(server);
@@ -354,8 +359,9 @@ public class AllTests
new X509Certificate2(defaultDir + "/c_rsa_nopass_ca1.pfx", "password");
server.checkCert(clientCert.Subject, clientCert.Issuer);
}
- catch(Exception)
+ catch(Exception ex)
{
+ Console.WriteLine(ex.ToString());
test(false);
}
fact.destroyServer(server);
@@ -387,8 +393,9 @@ public class AllTests
{
// Expected.
}
- catch(Ice.LocalException)
+ catch(Ice.LocalException ex)
{
+ Console.WriteLine(ex.ToString());
test(false);
}
fact.destroyServer(server);
@@ -412,8 +419,9 @@ public class AllTests
{
server.ice_ping();
}
- catch(Ice.LocalException)
+ catch(Ice.LocalException ex)
{
+ Console.WriteLine(ex.ToString());
test(false);
}
fact.destroyServer(server);
@@ -442,8 +450,9 @@ public class AllTests
{
// Expected.
}
- catch(Ice.LocalException)
+ catch(Ice.LocalException ex)
{
+ Console.WriteLine(ex.ToString());
test(false);
}
fact.destroyServer(server);
@@ -469,8 +478,9 @@ public class AllTests
{
server.ice_ping();
}
- catch(Ice.LocalException)
+ catch(Ice.LocalException ex)
{
+ Console.WriteLine(ex.ToString());
test(false);
}
fact.destroyServer(server);
@@ -773,6 +783,66 @@ public class AllTests
test(false);
}
}
+ {
+ //
+ // This should fail because the client ony enables SSLv3 and the server
+ // uses the default protocol set that disables SSLv3
+ //
+ Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost);
+ initData.properties.setProperty("IceSSL.CertFile", defaultDir + "/c_rsa_nopass_ca1.pfx");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Protocols", "ssl3");
+ Ice.Communicator comm = Ice.Util.initialize(ref args, initData);
+ Test.ServerFactoryPrx fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ Dictionary<string, string> d = createServerProps(defaultProperties, testDir, defaultHost);
+ d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx";
+ d["IceSSL.Password"] = "password";
+ d["IceSSL.VerifyPeer"] = "2";
+ store.Add(caCert1);
+ Test.ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.ConnectionLostException)
+ {
+ // Expected.
+ }
+ catch(Ice.LocalException)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ store.Remove(caCert1);
+ comm.destroy();
+
+ //
+ // This should success because the client and the server enables SSLv3
+ //
+ comm = Ice.Util.initialize(ref args, initData);
+ fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(defaultProperties, testDir, defaultHost);
+ d["IceSSL.CertFile"] = defaultDir + "/s_rsa_nopass_ca1.pfx";
+ d["IceSSL.Password"] = "password";
+ d["IceSSL.VerifyPeer"] = "2";
+ d["IceSSL.Protocols"] = "ssl3, tls1_0, tls1_1, tls1_2";
+ store.Add(caCert1);
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
+ catch(Ice.LocalException)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ store.Remove(caCert1);
+ comm.destroy();
+ }
Console.Out.WriteLine("ok");
Console.Out.Write("testing expired certificates... ");
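Review bot: The failing case accepts only `Ice.ConnectionLostException`, whereas the equivalent C++ test in this commit also accepts `ProtocolException` as "expected on some platforms"; if the .NET stack can surface the protocol mismatch as a different `Ice.LocalException` subclass, this test will report a false failure via `test(false)`, so it is worth either aligning the accepted set or adding a comment stating why only `ConnectionLostException` is possible here. As with the C++ tests, the mirror case (server with `IceSSL.Protocols=ssl3`, client on the default set) is not covered. The comments also read better as `// This should fail because the client only enables SSLv3 and the server` and `// This should succeed because the client and the server enable SSLv3`.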
@@ -1910,11 +1980,11 @@ public class AllTests
string[] clientFindCertProperties = new string[]
{
"SUBJECTDN:'CN=Client, E=info@zeroc.com, OU=Ice, O=\"ZeroC, Inc.\", S=Florida, C=US'",
- "ISSUER:'ZeroC, Inc.' SUBJECT:Client SERIAL:01",
+ "ISSUER:'ZeroC, Inc.' SUBJECT:Client SERIAL:02",
"ISSUERDN:'E=info@zeroc.com, CN=ZeroC Test CA 1, OU=Ice, O=\"ZeroC, Inc.\"," +
" L=Palm Beach Gardens, S=Florida, C=US' SUBJECT:Client",
- "THUMBPRINT:'5b d5 e5 92 2b 0e ee 24 38 93 87 f2 c4 a4 bd bd d4 f3 be ee'",
- "SUBJECTKEYID:'87 fc ae 41 a0 c9 34 e7 05 43 c9 89 96 2c a9 8d 10 56 14 62'"
+ "THUMBPRINT:'54 26 20 f0 93 a9 b6 bc 2a 8c 83 ef 14 d4 49 18 a3 18 67 46'",
+ "SUBJECTKEYID:'58 77 81 07 55 2a 0c 10 19 88 13 47 6f 27 6e 21 75 5f 85 ca'"
};
string[] serverFindCertProperties = new string[]
@@ -1923,18 +1993,18 @@ public class AllTests
"ISSUER:'ZeroC, Inc.' SUBJECT:Server SERIAL:01",
"ISSUERDN:'E=info@zeroc.com, CN=ZeroC Test CA 1, OU=Ice, O=\"ZeroC, Inc.\"," +
" L=Palm Beach Gardens, S=Florida, C=US' SUBJECT:Server",
- "THUMBPRINT:'ad 53 5b a8 d9 17 f8 7f bd f5 2a 35 7a 77 b2 f2 9a 8d ca 84'",
- "SUBJECTKEYID:'13 1c 98 41 95 f7 35 bd 34 03 0c 2f 0e 5f d7 8d 05 d5 1e 5e'"
+ "THUMBPRINT:'27 e0 18 c9 23 12 6c f0 5c da fa 36 5a 4c 63 5a e2 53 07 1a'",
+ "SUBJECTKEYID:'a6 42 aa 17 04 41 86 56 67 e4 04 64 59 34 30 c7 4c 6b ef a4'"
};
string[] failFindCertProperties = new string[]
{
- "SUBJECTDN:'CN=Client, E=infox@zeroc.com, OU=Ice, O=\"ZeroC, Inc.\", S=Florida, C=US'",
- "ISSUER:'ZeroC, Inc.' SUBJECT:Client SERIAL:'01 02'",
+ "SUBJECTDN:'CN = Client, E = infox@zeroc.com, OU = Ice, O = \"ZeroC, Inc.\", S = Florida, C = US'",
+ "ISSUER:'ZeroC, Inc.' SUBJECT:Client SERIAL:'02 02'",
"ISSUERDN:'E=info@zeroc.com, CN=ZeroC Test CA 1, OU=Ice, O=\"ZeroC, Inc.\"," +
" L=Palm Beach Gardens, S=Florida, C=ES' SUBJECT:Client",
- "THUMBPRINT:'5b d5 e5 92 2b 0e ee 24 38 93 87 f2 c4 a4 bd bd d4 f3 be XX'",
- "SUBJECTKEYID:'87 fc ae 41 a0 c9 34 e7 05 43 c9 89 96 2c a9 8d 10 56 14 XX'"
+ "THUMBPRINT:'27 e0 18 c9 23 12 6c f0 5c da fa 36 5a 4c 63 5a e2 53 07 ff'",
+ "SUBJECTKEYID:'a6 42 aa 17 04 41 86 56 67 e4 04 64 59 34 30 c7 4c 6b ef ff'"
};
string[] certificates = new string[] {"/s_rsa_nopass_ca1.pfx", "/c_rsa_nopass_ca1.pfx"};
@@ -1947,7 +2017,6 @@ public class AllTests
{
certStore.Add(new X509Certificate2(defaultDir + cert, "password"));
}
-
for(int i = 0; i < clientFindCertProperties.Length; ++i)
{
Ice.InitializationData initData = createClientProps(defaultProperties, testDir, defaultHost);
diff --git a/java/src/Ice/src/main/java/IceSSL/SSLEngine.java b/java/src/Ice/src/main/java/IceSSL/SSLEngine.java
index d8e4361e344..5601d3f2312 100644
--- a/java/src/Ice/src/main/java/IceSSL/SSLEngine.java
+++ b/java/src/Ice/src/main/java/IceSSL/SSLEngine.java
@@ -45,29 +45,31 @@ class SSLEngine
}
//
- // Select protocols.
+ // Protocols selects which protocols to enable, by default we only enable TLS1.0
+ // TLS1.1 and TLS1.2 to avoid security issues with SSLv3
//
- String[] protocols = properties.getPropertyAsList(prefix + "Protocols");
+ String[] protocols =
+ properties.getPropertyAsListWithDefault(prefix + "Protocols", new String[]{"tls1_0", "tls1_1", "tls1_2"});
if(protocols.length != 0)
{
java.util.ArrayList<String> l = new java.util.ArrayList<String>();
for(String prot : protocols)
{
- String s = prot.toLowerCase();
- if(s.equals("ssl3") || s.equals("sslv3"))
+ String s = prot.toUpperCase();
+ if(s.equals("SSL3") || s.equals("SSLV3"))
{
l.add("SSLv3");
}
- else if(s.equals("tls") || s.equals("tls1") || s.equals("tlsv1") || s.equals("tls1_0") ||
- s.equals("tlsv1_0"))
+ else if(s.equals("TLS") || s.equals("TLS1") || s.equals("TLSV1") || s.equals("TLS1_0") ||
+ s.equals("TLSV1_0"))
{
l.add("TLSv1");
}
- else if(s.equals("tls1_1") || s.equals("tlsv1_1"))
+ else if(s.equals("TLS1_1") || s.equals("TLSV1_1"))
{
l.add("TLSv1.1");
}
- else if(s.equals("tls1_2") || s.equals("tlsv1_2"))
+ else if(s.equals("TLS1_2") || s.equals("TLSV1_2"))
{
l.add("TLSv1.2");
}
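Review bot: The hardened default introduced on the `getPropertyAsListWithDefault` line only takes effect when `IceSSL.Protocols` is absent; if a configuration sets the property to an empty value, `protocols.length` is presumably 0 and the `if(protocols.length != 0)` block is skipped, so the engine is left with the JSSE default enabled-protocol set, which on JREs of this era may still include SSLv3 — this follows from the API name and should be confirmed against `getPropertyAsListWithDefault`. A one-line guard before the existing test closes that gap: `if(protocols.length == 0) protocols = new String[]{"tls1_0", "tls1_1", "tls1_2"};`. The new comment is also hard to read; suggest `// Select protocols. By default only TLS 1.0, 1.1 and 1.2 are enabled; SSLv3 must be opted in explicitly because of its known weaknesses.` As a style point, `prot.toUpperCase()` depends on the default locale, and `prot.toUpperCase(java.util.Locale.ROOT)` avoids locale-specific case mappings in the comparisons that follow. The enclosing method and the remainder of the if/else chain continue outside the hunk.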
diff --git a/java/test/IceSSL/configuration/AllTests.java b/java/test/IceSSL/configuration/AllTests.java
index 64ecac628ff..1e955c8c1f5 100644
--- a/java/test/IceSSL/configuration/AllTests.java
+++ b/java/test/IceSSL/configuration/AllTests.java
@@ -794,6 +794,86 @@ public class AllTests
fact.destroyServer(server);
comm.destroy();
}
+
+ {
+ //
+ // This should fail because the client ony enables SSLv3 and the server
+ // uses the default protocol set that disables SSLv3
+ //
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ initData.properties.setProperty("IceSSL.Protocols", "ssl3");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ d.put("IceSSL.VerifyPeer", "2");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.SecurityException ex)
+ {
+ // Expected.
+ }
+ catch(Ice.ConnectionLostException ex)
+ {
+ // Expected for thread pool.
+ }
+ catch(Ice.LocalException ex)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+
+ {
+ //
+ // This should success because the client and the server enables SSLv3
+ //
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ initData.properties.setProperty("IceSSL.Protocols", "ssl3");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ d.put("IceSSL.VerifyPeer", "2");
+ d.put("IceSSL.Protocols", "ssl3, tls1_0, tls1_1, tls1_2");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
+ catch(Ice.SecurityException ex)
+ {
+ // Expected.
+ }
+ catch(Ice.ConnectionLostException ex)
+ {
+ // Expected for thread pool.
+ }
+ catch(Ice.LocalException ex)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+
out.println("ok");
out.print("testing expired certificates... ");