Diffstat (limited to 'java')
-rw-r--r--java/src/Ice/src/main/java/IceSSL/SSLEngine.java18
-rw-r--r--java/test/IceSSL/configuration/AllTests.java80
2 files changed, 90 insertions, 8 deletions
diff --git a/java/src/Ice/src/main/java/IceSSL/SSLEngine.java b/java/src/Ice/src/main/java/IceSSL/SSLEngine.java
index d8e4361e344..5601d3f2312 100644
--- a/java/src/Ice/src/main/java/IceSSL/SSLEngine.java
+++ b/java/src/Ice/src/main/java/IceSSL/SSLEngine.java
@@ -45,29 +45,31 @@ class SSLEngine
}
//
- // Select protocols.
+ // Protocols selects which protocols to enable, by default we only enable TLS1.0
+ // TLS1.1 and TLS1.2 to avoid security issues with SSLv3
//
- String[] protocols = properties.getPropertyAsList(prefix + "Protocols");
+ String[] protocols =
+ properties.getPropertyAsListWithDefault(prefix + "Protocols", new String[]{"tls1_0", "tls1_1", "tls1_2"});
if(protocols.length != 0)
{
java.util.ArrayList<String> l = new java.util.ArrayList<String>();
for(String prot : protocols)
{
- String s = prot.toLowerCase();
- if(s.equals("ssl3") || s.equals("sslv3"))
+ String s = prot.toUpperCase();
+ if(s.equals("SSL3") || s.equals("SSLV3"))
{
l.add("SSLv3");
}
- else if(s.equals("tls") || s.equals("tls1") || s.equals("tlsv1") || s.equals("tls1_0") ||
- s.equals("tlsv1_0"))
+ else if(s.equals("TLS") || s.equals("TLS1") || s.equals("TLSV1") || s.equals("TLS1_0") ||
+ s.equals("TLSV1_0"))
{
l.add("TLSv1");
}
- else if(s.equals("tls1_1") || s.equals("tlsv1_1"))
+ else if(s.equals("TLS1_1") || s.equals("TLSV1_1"))
{
l.add("TLSv1.1");
}
- else if(s.equals("tls1_2") || s.equals("tlsv1_2"))
+ else if(s.equals("TLS1_2") || s.equals("TLSV1_2"))
{
l.add("TLSv1.2");
}
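Review bot: The new `prot.toUpperCase()` call (and the `toLowerCase()` it replaces) folds case in the JVM's default locale; none of the accepted tokens contain a letter with a locale-dependent mapping, so this is not a bug today, but `String s = prot.toUpperCase(java.util.Locale.ROOT);` makes the comparison independent of the host locale and is the idiom for protocol identifiers. The new header comment reads awkwardly and could say what the code actually does: `// IceSSL.Protocols selects the enabled protocols. The default enables only TLS1.0, TLS1.1 and TLS1.2;` / `// SSLv3 is mapped below but is only enabled when the user lists it explicitly.` The tail of the loop (whatever happens to an unrecognised token) and the rest of the enclosing method lie outside the hunk, so I cannot tell from here whether an invalid protocol name is reported or silently dropped.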
diff --git a/java/test/IceSSL/configuration/AllTests.java b/java/test/IceSSL/configuration/AllTests.java
index 64ecac628ff..1e955c8c1f5 100644
--- a/java/test/IceSSL/configuration/AllTests.java
+++ b/java/test/IceSSL/configuration/AllTests.java
@@ -794,6 +794,86 @@ public class AllTests
fact.destroyServer(server);
comm.destroy();
}
+
+ {
+ //
+ // This should fail because the client ony enables SSLv3 and the server
+ // uses the default protocol set that disables SSLv3
+ //
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ initData.properties.setProperty("IceSSL.Protocols", "ssl3");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ d.put("IceSSL.VerifyPeer", "2");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.SecurityException ex)
+ {
+ // Expected.
+ }
+ catch(Ice.ConnectionLostException ex)
+ {
+ // Expected for thread pool.
+ }
+ catch(Ice.LocalException ex)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+
+ {
+ //
+ // This should success because the client and the server enables SSLv3
+ //
+ Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks");
+ initData.properties.setProperty("IceSSL.Password", "password");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks");
+ initData.properties.setProperty("IceSSL.Protocols", "ssl3");
+ Ice.Communicator comm = Ice.Util.initialize(args, initData);
+ ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_rsa_ca1.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.Truststore", "cacert1.jks");
+ d.put("IceSSL.VerifyPeer", "2");
+ d.put("IceSSL.Protocols", "ssl3, tls1_0, tls1_1, tls1_2");
+ ServerPrx server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
+ catch(Ice.SecurityException ex)
+ {
+ // Expected.
+ }
+ catch(Ice.ConnectionLostException ex)
+ {
+ // Expected for thread pool.
+ }
+ catch(Ice.LocalException ex)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+
out.println("ok");
out.print("testing expired certificates... ");
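Review bot: The second new block is commented as the case that "should success" because both sides enable SSLv3, yet its try/catch treats `Ice.SecurityException` and `Ice.ConnectionLostException` as expected, so a handshake that fails passes the test just as a successful one does; this block should keep only `catch(Ice.LocalException ex) { test(false); }` after `server.ice_ping();` so that it actually verifies the explicit opt-in path. The first block's comment has a typo (`ony` → `only`) and the second's should read `// This should succeed because both the client and the server enable SSLv3`. The server-side value `"ssl3, tls1_0, tls1_1, tls1_2"` contains spaces after the commas, which presumably relies on `getPropertyAsListWithDefault` trimming tokens — worth confirming, since the client side uses the unspaced form. The enclosing test method starts before and continues after this hunk.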