author | Jose <jose@zeroc.com> | 2014-10-21 20:16:27 +0200 |
---|---|---|
committer | Jose <jose@zeroc.com> | 2014-10-21 20:16:27 +0200 |
commit | 1eb1b665e9c3ef8c2f7b9b06352d634b1f9d0e74 (patch) | |
tree | bc554207011272cc7d23eb2211ab74fb4363e045 /java | |
parent | Added ability to build just java tests against ice installation (diff) | |
Fixed (ICE-5758) - Disable SSLv3 by default
Diffstat (limited to 'java')
-rw-r--r-- | java/src/Ice/src/main/java/IceSSL/SSLEngine.java | 18 | ||||
-rw-r--r-- | java/test/IceSSL/configuration/AllTests.java | 80 |
2 files changed, 90 insertions, 8 deletions
diff --git a/java/src/Ice/src/main/java/IceSSL/SSLEngine.java b/java/src/Ice/src/main/java/IceSSL/SSLEngine.java
index d8e4361e344..5601d3f2312 100644
--- a/java/src/Ice/src/main/java/IceSSL/SSLEngine.java
+++ b/java/src/Ice/src/main/java/IceSSL/SSLEngine.java
@@ -45,29 +45,31 @@ class SSLEngine
 }
 //
- // Select protocols.
+ // Protocols selects which protocols to enable, by default we only enable TLS1.0
+ // TLS1.1 and TLS1.2 to avoid security issues with SSLv3
 //
- String[] protocols = properties.getPropertyAsList(prefix + "Protocols");
+ String[] protocols =
+ properties.getPropertyAsListWithDefault(prefix + "Protocols", new String[]{"tls1_0", "tls1_1", "tls1_2"});
 if(protocols.length != 0)
 {
 java.util.ArrayList<String> l = new java.util.ArrayList<String>();
 for(String prot : protocols)
 {
- String s = prot.toLowerCase();
- if(s.equals("ssl3") || s.equals("sslv3"))
+ String s = prot.toUpperCase();
+ if(s.equals("SSL3") || s.equals("SSLV3"))
 {
 l.add("SSLv3");
 }
- else if(s.equals("tls") || s.equals("tls1") || s.equals("tlsv1") || s.equals("tls1_0") ||
- s.equals("tlsv1_0"))
+ else if(s.equals("TLS") || s.equals("TLS1") || s.equals("TLSV1") || s.equals("TLS1_0") ||
+ s.equals("TLSV1_0"))
 {
 l.add("TLSv1");
 }
- else if(s.equals("tls1_1") || s.equals("tlsv1_1"))
+ else if(s.equals("TLS1_1") || s.equals("TLSV1_1"))
 {
 l.add("TLSv1.1");
 }
- else if(s.equals("tls1_2") || s.equals("tlsv1_2"))
+ else if(s.equals("TLS1_2") || s.equals("TLSV1_2"))
 {
 l.add("TLSv1.2");
 }
diff --git a/java/test/IceSSL/configuration/AllTests.java b/java/test/IceSSL/configuration/AllTests.java
index 64ecac628ff..1e955c8c1f5 100644
--- a/java/test/IceSSL/configuration/AllTests.java
+++ b/java/test/IceSSL/configuration/AllTests.java
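Review bot: With the new default, the `if(protocols.length != 0)` guard directly after the added `getPropertyAsListWithDefault` call is only skipped when `IceSSL.Protocols` is explicitly set to an empty value, and in that case no protocol list is applied and the JSSE default set is used, which on JDKs of this period may still include SSLv3; it is not visible here whether `getPropertyAsListWithDefault` returns the default or an empty array for an empty property, so confirm that and, if an empty array can come back, fall back to the TLS-only default explicitly instead of silently reverting to the platform list. The `SSL3`/`SSLV3` branch still turns SSLv3 on without any notice, so a why-comment such as `// SSLv3 is only enabled when explicitly configured; it is excluded from the default set (ICE-5758)` above `l.add("SSLv3");`, and ideally a warning log at that point, would make the opt-in visible to operators. The inline `new String[]{"tls1_0", "tls1_1", "tls1_2"}` literal would read better hoisted to a named `private static final String[]` constant so the default set is defined and documented in one place. The enclosing method starts before this hunk and continues after it.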
@@ -794,6 +794,86 @@ public class AllTests
 fact.destroyServer(server);
 comm.destroy();
 }
+
+ {
+ //
+ // This should fail because the client ony enables SSLv3 and the server
+ // uses the default protocol set that disables SSLv3
+ //
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ initData.properties.setProperty("IceSSL.Protocols", "ssl3");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ d.put("IceSSL.VerifyPeer", "2");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.SecurityException ex)
+ {
+ // Expected.
+ }
+ catch(Ice.ConnectionLostException ex)
+ {
+ // Expected for thread pool.
+ }
+ catch(Ice.LocalException ex)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+
+ {
+ //
+ // This should success because the client and the server enables SSLv3
+ //
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ initData.properties.setProperty("IceSSL.Protocols", "ssl3");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ d.put("IceSSL.VerifyPeer", "2");
+ d.put("IceSSL.Protocols", "ssl3, tls1_0, tls1_1, tls1_2");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
+ catch(Ice.SecurityException ex)
+ {
+ // Expected.
+ }
+ catch(Ice.ConnectionLostException ex)
+ {
+ // Expected for thread pool.
+ }
+ catch(Ice.LocalException ex)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+
 out.println("ok");
 out.print("testing expired certificates... ");
|
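Review bot: The second added block is described as `This should success because the client and the server enables SSLv3`, yet its `catch(Ice.SecurityException ex)` and `catch(Ice.ConnectionLostException ex)` arms are commented `// Expected.` and contain no `test(false)`, so a failed SSLv3 handshake passes the test and the positive case (explicit opt-in still works) is never actually verified; only a generic `Ice.LocalException` fails it. Make both arms fail, i.e. `catch(Ice.SecurityException ex) { test(false); }` and `catch(Ice.ConnectionLostException ex) { test(false); }`, or, if the intent is to tolerate JVMs whose JSSE configuration refuses SSLv3 entirely, detect that condition explicitly and skip the block with a printed note rather than swallowing every failure. The first block does assert failure correctly and is the one that pins the new default. The comments also read `client ony enables` and `should success`; `client only enables` and `should succeed` are intended. The enclosing test method starts before this hunk.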