author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2017-08-03 02:01:39 +0200 |
committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2017-08-03 02:01:39 +0200 |
commit | 4bbd3f88211399f41e8210ad3fbe5b0ea8910994 (patch) | |
tree | 02047971ef8e7a50eeb2122e89141ae4576ef122 /id/server | |
parent | fab8bb66ea62eb23e806ad280008c5f722d684ec (diff) | |
* check if SSL-Session is already established
* Add two comments regarding TLSv1.2 support in JAVA 7 and restriction of allowed SSL ciphers
Diffstat (limited to 'id/server')
-rw-r--r-- | id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
index 0479b1bc1..bdadf681d 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
@@ -34,6 +34,7 @@ import java.util.Arrays;
 import java.util.List;
 import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocket;
@@ -50,6 +51,7 @@ import at.gv.egovernment.moa.id.commons.utils.ssl.SSLConfigurationException;
 import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.egovernment.moaspss.logging.Logger;
 import iaik.pki.PKIException;
+import sun.security.ssl.ProtocolVersion;
 /**
  * @author tlenz
@@ -188,6 +190,19 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
 		if (socket instanceof SSLSocket) {
 			SSLSocket sslSocket = (SSLSocket)socket;
+/*TODO
+* Set allowed ProtocolVersions into SSLSocket to support TLSv1.1 and TLSv1.2 in JAVA 7
+* Therefore, we had do manually set the TLS1.2 protocol support into SSLParameters
+* from SSL socket. Maybe, there is an additional validation required if TLSv1.2 is
+* supported in principle by currently used JAVA version.
+*/
+// SSLParameters test = ((SSLSocket) socket).getSSLParameters();
+// List<String> enabledProtocols = Arrays.asList(test.getProtocols());
+// if (enabledProtocols.contains(ProtocolVersion.TLS11.name)) {
+//
+// }
+// sslSocket.setSSLParameters(test);
 			//verify Hostname
 			verifyHostName(sslSocket);
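Review bot: The third hunk adds `import sun.security.ssl.ProtocolVersion;` (and `import javax.net.ssl.SSLParameters;` in the first hunk) although both names are only referenced from commented-out code, so the commit ties the build to a JDK-internal package for no live use; `sun.security.ssl` is not a supported API and is not accessible on later JDKs without explicit exports. I would drop the `sun.security.ssl.ProtocolVersion` import now (and `SSLParameters` too, unless it is used elsewhere in the file, which this hunk does not show). When the TODO is implemented, the same goal is reachable through the public `SSLSocket` API without the internal constant: filter the protocol names you want against `sslSocket.getSupportedProtocols()` and pass the surviving subset to `sslSocket.setEnabledProtocols(String[])`, which also covers the "is TLSv1.2 supported by this JVM at all" question raised in the comment. The method this code sits in starts and ends outside the hunk.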
@@ -208,7 +223,14 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
 	 */
 	private void verifyHostName(SSLSocket sslSocket) throws SSLException{
 		if (verifyHostName) {
+			SSLSession session = sslSocket.getSession();
+			if ("SSL_NULL_WITH_NULL_NULL".equals(session.getCipherSuite())) {
+				Logger.warn("SSL connection can NOT established.");
+				throw new SSLException("SSL connection can NOT established.");
+
+			}
+
 			String hostName = session.getPeerHost();
 			Certificate[] certs = null;
@@ -254,6 +276,12 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
 	 * @return {@link SSLSocket} with Ciphersuites
 	 */
 	private SSLSocket setEnabledSslCiphers(SSLSocket sslSocket) {
+		/*TODO:
+		 * This implementation currently not work fine, because not all ciphers from
+		 * 'https.cipherSuites' SystemProperty had to be supported by current JAVA version
+		 * Add an validation step to check the allowed cipherSuites against the currently
+		 * supported cipher suites and only add the matching set of ciphers
+		 */
 		String systemProp = System.getProperty("https.cipherSuites");
 		if (MiscUtil.isNotEmpty(systemProp)) {
 			try { |
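Review bot: The new handshake check in `verifyHostName` detects a failed handshake only indirectly, by matching the cipher-suite name of the invalid session that `getSession()` hands back, and the `SSLException` it then throws carries none of the actual failure reason (certificate rejected, protocol mismatch, peer closed), which is exactly what an operator needs when debugging a broken TLS connection. Calling `sslSocket.startHandshake();` before `SSLSession session = sslSocket.getSession();` surfaces that failure as an `SSLException` with its real cause, and the string comparison could then stay as a defensive fallback. The `Logger.warn` immediately followed by a throw with the identical text logs the problem twice once the caller logs the exception; and the message should read "SSL connection could not be established." in both places. Note that the whole check sits inside `if (verifyHostName)`, so with hostname verification switched off a failed handshake is not reported here at all; that may be intended, but it is worth a comment. The method continues outside the hunk.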
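Review bot: The TODO added to `setEnabledSslCiphers` describes the fix but the check it asks for is a few lines with what is already imported (`java.util.Arrays`, `java.util.List` per the first hunk): build `List<String> supported = Arrays.asList(sslSocket.getSupportedCipherSuites());`, keep only the configured names contained in it, and pass that subset to `setEnabledCipherSuites`, which otherwise rejects the whole array with an `IllegalArgumentException` when a single name is unknown to the JVM. Any configured suite that gets dropped by the intersection should be logged by name, so that a typo in `https.cipherSuites` silently shrinking the enabled set is visible in the logs. The rest of the method, including the `try` that opens here, is outside the hunk.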