| author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2016-10-28 00:02:48 +0200 | 
|---|---|---|
| committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2016-10-28 00:02:48 +0200 | 
| commit | 4178b0c2811d509387f2f1ade59d7c009fef9973 (patch) | |
| tree | f513b8eada82c2e431adb3024e5ed2d92d97d9cb /id/server | |
| parent | 24dd5ee284d62b7daed76fd2fa1467a3f5861917 (diff) | |
set https.cipherSuites Java SystemProperty to Apache HttpClient 3.1
Diffstat (limited to 'id/server')
| -rw-r--r-- | id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java | 44 | 
1 files changed, 36 insertions, 8 deletions
| diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
index 4f3f921df..84743b8c7 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
@@ -28,14 +28,18 @@ import java.net.Socket;
 import java.net.UnknownHostException;
 import java.security.GeneralSecurityException;
+import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
 import org.apache.commons.httpclient.ConnectTimeoutException;
 import org.apache.commons.httpclient.params.HttpConnectionParams;
 import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
+import org.apache.commons.lang3.StringUtils;
 import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
 import at.gv.egovernment.moa.id.commons.utils.ssl.SSLConfigurationException;
+import at.gv.egovernment.moa.util.MiscUtil;
+import at.gv.egovernment.moaspss.logging.Logger;
 import iaik.pki.PKIException;
 /**
@@ -116,8 +120,8 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
 	 */
 	public Socket createSocket(String host, int port, InetAddress localAddress,
 			int localPort) throws IOException, UnknownHostException {
-		return this.sslfactory.createSocket(host, port,
-				localAddress, localPort);
+		return setEnabledSslCiphers(this.sslfactory.createSocket(host, port,
+				localAddress, localPort));
 	}
 	/* (non-Javadoc) 
@@ -126,8 +130,8 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
 	public Socket createSocket(String host, int port, InetAddress localAddress,
 			int localPort, HttpConnectionParams params) throws IOException,
 			UnknownHostException, ConnectTimeoutException {
-		return this.sslfactory.createSocket(host, port,
-				localAddress, localPort);
+		return setEnabledSslCiphers(this.sslfactory.createSocket(host, port,
+				localAddress, localPort));
 	}
 	/* (non-Javadoc) 
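Review bot: The rewritten return line in `createSocket(String, int, InetAddress, int, HttpConnectionParams)` still never reads `params`, so a connection timeout an HttpClient caller configures through `HttpConnectionParams` is not applied and a non-responding peer can block the caller indefinitely instead of raising the declared `ConnectTimeoutException`; this was already the case before the change, but the commit touches exactly this line. The usual pattern for a `SecureProtocolSocketFactory` is to read `params.getConnectionTimeout()` and, when it is non-zero, obtain an unconnected socket from `sslfactory.createSocket()`, bind it to `localAddress`/`localPort` and call `socket.connect(new InetSocketAddress(host, port), timeout)` before handing it to `setEnabledSslCiphers`. If ignoring the timeout is intentional, a one-line comment such as `// params (connect timeout) deliberately not applied; the JSSE default blocking connect is used` would make that explicit for the next reader.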
@@ -135,16 +139,40 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
 	 */
 	public Socket createSocket(String host, int port) throws IOException,
 			UnknownHostException {
-		return this.sslfactory.createSocket(host, port);
+		return setEnabledSslCiphers(this.sslfactory.createSocket(host, port));
 	}
-
+	
 	/* (non-Javadoc)
 	 * @see org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory#createSocket(java.net.Socket, java.lang.String, int, boolean)
 	 */
 	public Socket createSocket(Socket socket, String host, int port,
 			boolean autoClose) throws IOException, UnknownHostException {
-		return this.sslfactory.createSocket(socket, host,
-				port, autoClose);
+		return setEnabledSslCiphers(this.sslfactory.createSocket(socket, host,
+				port, autoClose));
 	}
+	/**
+	 * Enable only a specific subset of TLS cipher suites 
+	 * This subset can be set by 'https.cipherSuites' SystemProperty (z.B. -Dhttps.cipherSuites=...) 
+	 * 
+	 * @param sslSocket {@link SSLSocket}
+	 * @return {@link SSLSocket} with Ciphersuites
+	 */
+	private Socket setEnabledSslCiphers(Socket sslSocket) {
+		if (sslSocket instanceof SSLSocket) {
+			String systemProp = System.getProperty("https.cipherSuites");
+			if (MiscUtil.isNotEmpty(systemProp)) {
+				((SSLSocket) sslSocket).setEnabledCipherSuites(systemProp.split(","));
+			
+			}
+			
+			try {
+				Logger.trace("Enabled SSL-Cipher: " + StringUtils.join(((SSLSocket) sslSocket).getEnabledCipherSuites(), ","));
+			} catch (Exception e) {
+				Logger.error(e);
+			}
+		}
+		
+		return sslSocket;
+	}
 } | 
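Review bot: `((SSLSocket) sslSocket).setEnabledCipherSuites(systemProp.split(","))` in the new `setEnabledSslCiphers` hands the raw tokens to JSSE, so a property value with whitespace around a comma (`-Dhttps.cipherSuites=A, B`), an empty entry, or a suite name the provider does not support makes `setEnabledCipherSuites` throw `IllegalArgumentException`; that unchecked exception escapes all four `createSocket` overloads (the ones in the two earlier hunks as well) although callers only expect the declared `IOException`, and the surrounding `try` does not cover it because it wraps only the trace logging. Trimming each token and converting the `IllegalArgumentException` into an `IOException` that names the offending value keeps a misconfigured JVM flag inside the socket factory's declared contract; every caller already declares `IOException`, so adding `throws IOException` to the private helper is backward-compatible. The Javadoc is also half German (`z.B.`); `(e.g. -Dhttps.cipherSuites=...)` reads consistently with the rest of the file, and a note that the property is read on every socket creation would help the next maintainer.
```java
	private Socket setEnabledSslCiphers(Socket sslSocket) throws IOException {
		if (sslSocket instanceof SSLSocket) {
			String systemProp = System.getProperty("https.cipherSuites");
			if (MiscUtil.isNotEmpty(systemProp)) {
				// tolerate whitespace around the commas; JSSE rejects " B" as an unknown suite
				String[] suites = systemProp.split(",");
				for (int i = 0; i < suites.length; i++) {
					suites[i] = suites[i].trim();
				}
				try {
					((SSLSocket) sslSocket).setEnabledCipherSuites(suites);
				} catch (IllegalArgumentException e) {
					// keep a bad https.cipherSuites value inside createSocket()'s IOException contract
					throw new IOException("Invalid https.cipherSuites value: " + systemProp, e);
				}
			}
			// … unchanged: trace logging of the enabled cipher suites …
		}
		return sslSocket;
	}
```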
