authorThomas Lenz <thomas.lenz@egiz.gv.at>2017-08-03 02:01:39 +0200
committerThomas Lenz <thomas.lenz@egiz.gv.at>2017-08-03 02:01:39 +0200
commit4bbd3f88211399f41e8210ad3fbe5b0ea8910994 (patch)
tree02047971ef8e7a50eeb2122e89141ae4576ef122
parentfab8bb66ea62eb23e806ad280008c5f722d684ec (diff)
* check if SSL-Session is already established
* Add two comments regarding TLSv1.2 support in JAVA 7 and restriction of allowed SSL ciphers
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java28
1 files changed, 28 insertions, 0 deletions
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
index 0479b1bc1..bdadf681d 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
@@ -34,6 +34,7 @@ import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
@@ -50,6 +51,7 @@ import at.gv.egovernment.moa.id.commons.utils.ssl.SSLConfigurationException;
import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moaspss.logging.Logger;
import iaik.pki.PKIException;
+import sun.security.ssl.ProtocolVersion;
/**
* @author tlenz
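Review bot: The added `import sun.security.ssl.ProtocolVersion;` pulls a JDK-internal class into the build although its only reference is inside the commented-out block in the hunk at `@@ -188,6 +190,19 @@`; the `javax.net.ssl.SSLParameters` import added in the first hunk is dead for the same reason. Importing `sun.security.ssl` ties the class to the Oracle/OpenJDK implementation it was compiled against and stops compiling on JDKs where that package is not accessible, which is not worth it for a sketch. Drop both imports until the protocol handling is real, and when it is, compare against the public protocol names instead: `if (Arrays.asList(sslSocket.getSupportedProtocols()).contains("TLSv1.2")) { ... }` needs nothing outside `javax.net.ssl`.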
@@ -188,6 +190,19 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
if (socket instanceof SSLSocket) {
SSLSocket sslSocket = (SSLSocket)socket;
+/*TODO
+* Set allowed ProtocolVersions into SSLSocket to support TLSv1.1 and TLSv1.2 in JAVA 7
+* Therefore, we had do manually set the TLS1.2 protocol support into SSLParameters
+* from SSL socket. Maybe, there is an additional validation required if TLSv1.2 is
+* supported in principle by currently used JAVA version.
+*/
+// SSLParameters test = ((SSLSocket) socket).getSSLParameters();
+// List<String> enabledProtocols = Arrays.asList(test.getProtocols());
+// if (enabledProtocols.contains(ProtocolVersion.TLS11.name)) {
+//
+// }
+// sslSocket.setSSLParameters(test);
+
//verify Hostname
verifyHostName(sslSocket);
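Review bot: The sketched check at `// List<String> enabledProtocols = Arrays.asList(test.getProtocols());` reads the protocols from `getSSLParameters()`, which on a fresh socket reflect what is currently enabled, not what the runtime can support; a TLSv1.2 that Java 7 leaves disabled by default would therefore never be found, so the TODO as written cannot achieve its goal. The list to consult is `sslSocket.getSupportedProtocols()` and the setter is `sslSocket.setEnabledProtocols(...)`, both public API. A working version is about three lines: `List<String> supported = Arrays.asList(sslSocket.getSupportedProtocols());` followed by `if (supported.contains("TLSv1.2")) { sslSocket.setEnabledProtocols(new String[] {"TLSv1.2", "TLSv1.1", "TLSv1"}); }`, which also stops SSLv3 from being negotiated when a modern runtime is present. Commented-out code should not be merged; either land that or leave only the TODO text. The enclosing method starts before this hunk and continues after it.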
@@ -208,7 +223,14 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
*/
private void verifyHostName(SSLSocket sslSocket) throws SSLException{
if (verifyHostName) {
+
SSLSession session = sslSocket.getSession();
+ if ("SSL_NULL_WITH_NULL_NULL".equals(session.getCipherSuite())) {
+ Logger.warn("SSL connection can NOT established.");
+ throw new SSLException("SSL connection can NOT established.");
+
+ }
+
String hostName = session.getPeerHost();
Certificate[] certs = null;
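Review bot: The new `"SSL_NULL_WITH_NULL_NULL"` check sits inside `if (verifyHostName)`, so with hostname verification switched off in the configuration a socket whose handshake failed is handed back without the "session established" check the commit title announces; `getSession()` is documented to return an invalid session with exactly that cipher suite instead of throwing when the initial handshake fails, so the caller would only notice on the first read/write, if at all. Move the check ahead of the `if (verifyHostName)` guard (or into the caller right after the socket is obtained) so it applies unconditionally. The message `"SSL connection can NOT established."` used in both the log line and the exception should read `"SSL connection could NOT be established."`. The rest of `verifyHostName` runs past the end of this hunk.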
@@ -254,6 +276,12 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
* @return {@link SSLSocket} with Ciphersuites
*/
private SSLSocket setEnabledSslCiphers(SSLSocket sslSocket) {
+ /*TODO:
+ * This implementation currently not work fine, because not all ciphers from
+ * 'https.cipherSuites' SystemProperty had to be supported by current JAVA version
+ * Add an validation step to check the allowed cipherSuites against the currently
+ * supported cipher suites and only add the matching set of ciphers
+ */
String systemProp = System.getProperty("https.cipherSuites");
if (MiscUtil.isNotEmpty(systemProp)) {
try {
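Review bot: The new TODO describes the right fix but leaves the defect in place: `SSLSocket.setEnabledCipherSuites` throws `IllegalArgumentException` for any name the provider does not support, so a single stale entry in `https.cipherSuites` rejects the whole configured list, and what then happens depends on the `try` block that continues past this hunk, which I cannot see. The validation step is an intersection with `Arrays.asList(sslSocket.getSupportedCipherSuites())`, logging each configured name that is dropped so operators can see why a suite they expected is not in effect. If that intersection is empty the method should fail loudly rather than silently fall back to the runtime defaults, otherwise a typo in the property quietly widens the accepted suites. The body of `setEnabledSslCiphers` continues outside the hunk.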