| author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2017-08-03 02:01:39 +0200 | 
|---|---|---|
| committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2017-08-03 02:01:39 +0200 | 
| commit | 4bbd3f88211399f41e8210ad3fbe5b0ea8910994 (patch) | |
| tree | 02047971ef8e7a50eeb2122e89141ae4576ef122 /id/server/moa-id-commons/src | |
| parent | fab8bb66ea62eb23e806ad280008c5f722d684ec (diff) | |
| download | moa-id-spss-4bbd3f88211399f41e8210ad3fbe5b0ea8910994.tar.gz moa-id-spss-4bbd3f88211399f41e8210ad3fbe5b0ea8910994.tar.bz2 moa-id-spss-4bbd3f88211399f41e8210ad3fbe5b0ea8910994.zip | |
* check if SSL-Session is already established
 * Add two comments regarding TLSv1.2 support in JAVA 7 and restriction of allowed SSL ciphers
Diffstat (limited to 'id/server/moa-id-commons/src')
| -rw-r--r-- | id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java | 28 | 
1 files changed, 28 insertions, 0 deletions
| diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
index 0479b1bc1..bdadf681d 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
@@ -34,6 +34,7 @@ import java.util.Arrays;
 import java.util.List;
 import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocket;
@@ -50,6 +51,7 @@ import at.gv.egovernment.moa.id.commons.utils.ssl.SSLConfigurationException;
 import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.egovernment.moaspss.logging.Logger;
 import iaik.pki.PKIException;
+import sun.security.ssl.ProtocolVersion;
 /**
  * @author tlenz
@@ -188,6 +190,19 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
 		if (socket instanceof SSLSocket) {
 			SSLSocket sslSocket = (SSLSocket)socket;
+/*TODO			
+*			Set allowed ProtocolVersions into SSLSocket to support TLSv1.1 and TLSv1.2 in JAVA 7
+*			Therefore, we had do manually set the TLS1.2 protocol support into SSLParameters 
+*			from SSL socket. Maybe, there is an additional validation required if TLSv1.2 is
+*			supported in principle by currently used JAVA version.
+*/
+//			SSLParameters test = ((SSLSocket) socket).getSSLParameters();
+//			List<String> enabledProtocols = Arrays.asList(test.getProtocols());
+//			if (enabledProtocols.contains(ProtocolVersion.TLS11.name)) {
+//				
+//			}
+//			sslSocket.setSSLParameters(test);
+			
 			//verify Hostname
 			verifyHostName(sslSocket);
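Review bot: `import sun.security.ssl.ProtocolVersion;` is unused — its only reference is inside the commented-out block of the next hunk — and it ties the class to a JDK-internal package that non-Oracle/OpenJDK runtimes may lack and that Java 9+ no longer exports, so the import should go rather than wait for the TODO. The sketch itself does not need it: protocol names are plain strings, `sslSocket.getSupportedProtocols()` says what the running JVM can negotiate while `SSLParameters.getProtocols()` only reports what is currently enabled, so the validation the TODO asks for is `Arrays.asList(sslSocket.getSupportedProtocols()).contains("TLSv1.2")` followed by `sslSocket.setEnabledProtocols(...)` with the matching subset. If the reminder is to stay, a plain comment stating the intent is preferable to dead code that references internal types.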
@@ -208,7 +223,14 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
 	 */
 	private void verifyHostName(SSLSocket sslSocket) throws SSLException{
 		if (verifyHostName) {
+			
 			SSLSession session = sslSocket.getSession();
+			if ("SSL_NULL_WITH_NULL_NULL".equals(session.getCipherSuite())) {
+				Logger.warn("SSL connection can NOT established.");
+				throw new SSLException("SSL connection can NOT established.");
+				
+			}
+			
 			String hostName = session.getPeerHost();
 			Certificate[] certs = null;
@@ -254,6 +276,12 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
 	 * @return {@link SSLSocket} with Ciphersuites
 	 */
 	private SSLSocket setEnabledSslCiphers(SSLSocket sslSocket) {
+		/*TODO:
+		 * This implementation currently not work fine, because not all ciphers from 
+		 * 'https.cipherSuites' SystemProperty had to be supported by current JAVA version
+		 * Add an validation step to check the allowed cipherSuites against the currently
+		 * supported cipher suites and only add the matching set of ciphers
+		 */
 		String systemProp = System.getProperty("https.cipherSuites");		
 		if (MiscUtil.isNotEmpty(systemProp)) {
 			try { |
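Review bot: The new handshake check sits inside `if (verifyHostName)`, so when hostname verification is disabled a socket whose handshake failed is still handed back to the caller unchecked; hoisting the check above that condition closes the gap. `getSession()` swallows the handshake error and returns the invalid session the string compare detects, so the real cause is lost — calling `sslSocket.startHandshake();` first (wrapping its `IOException` in the `SSLException` this method declares) reports the actual failure, and `session.isValid()` can back up the cipher-suite compare. The message `"SSL connection can NOT established."` is also missing a word: `"SSL connection could NOT be established."`. verifyHostName's body continues past the hunk.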
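Review bot: The TODO names the right fix but the hunk leaves the failure mode in place: `setEnabledCipherSuites` throws `IllegalArgumentException` for any suite the JVM does not support, so a single unsupported entry in `https.cipherSuites` either fails every connection or — if the `try` below catches it, which lies outside the hunk — leaves the JVM defaults enabled, a silent and possibly weaker outcome. Filter the configured names through `Arrays.asList(sslSocket.getSupportedCipherSuites())` (both already imported), enable only the matches, and `Logger.warn` each dropped name so a weakened configuration is visible in the logs; if no name matches, failing the connection is safer than quietly using the defaults. The rest of setEnabledSslCiphers lies outside the hunk.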
