From 4178b0c2811d509387f2f1ade59d7c009fef9973 Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Fri, 28 Oct 2016 00:02:48 +0200
Subject: set https.cipherSuites Java SystemProperty to Apache HttpClient 3.1
---
 .../utils/MOAHttpProtocolSocketFactory.java | 44 ++++++++++++++++++----
 1 file changed, 36 insertions(+), 8 deletions(-)
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
index 4f3f921df..84743b8c7 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
@@ -28,14 +28,18 @@
 import java.net.Socket;
 import java.net.UnknownHostException;
 import java.security.GeneralSecurityException;
+import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
 
 import org.apache.commons.httpclient.ConnectTimeoutException;
 import org.apache.commons.httpclient.params.HttpConnectionParams;
 import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
+import org.apache.commons.lang3.StringUtils;
 
 import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
 import at.gv.egovernment.moa.id.commons.utils.ssl.SSLConfigurationException;
+import at.gv.egovernment.moa.util.MiscUtil;
+import at.gv.egovernment.moaspss.logging.Logger;
 import iaik.pki.PKIException;
 
 /**
@@ -116,8 +120,8 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
  */
 public Socket createSocket(String host, int port, InetAddress localAddress,
 int localPort) throws IOException, UnknownHostException {
- return this.sslfactory.createSocket(host, port,
- localAddress, localPort);
+ return setEnabledSslCiphers(this.sslfactory.createSocket(host, port,
+ localAddress, localPort));
 }
 
 /* (non-Javadoc)
@@ -126,8 +130,8 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
 public Socket createSocket(String host, int port, InetAddress localAddress,
 int localPort, HttpConnectionParams params) throws IOException,
 UnknownHostException, ConnectTimeoutException {
- return this.sslfactory.createSocket(host, port,
- localAddress, localPort);
+ return setEnabledSslCiphers(this.sslfactory.createSocket(host, port,
+ localAddress, localPort));
 }
 
 /* (non-Javadoc)
@@ -135,16 +139,40 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
  */
 public Socket createSocket(String host, int port) throws IOException,
 UnknownHostException {
- return this.sslfactory.createSocket(host, port);
+ return setEnabledSslCiphers(this.sslfactory.createSocket(host, port));
 }
-
+
 /* (non-Javadoc)
 * @see org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory#createSocket(java.net.Socket, java.lang.String, int, boolean)
 */
 public Socket createSocket(Socket socket, String host, int port,
 boolean autoClose) throws IOException, UnknownHostException {
- return this.sslfactory.createSocket(socket, host,
- port, autoClose);
+ return setEnabledSslCiphers(this.sslfactory.createSocket(socket, host,
+ port, autoClose));
 }
 
+ /**
+ * Enable only a specific subset of TLS cipher suites
+ * This subset can be set by 'https.cipherSuites' SystemProperty (z.B. -Dhttps.cipherSuites=...)
+ *
+ * @param sslSocket {@link SSLSocket}
+ * @return {@link SSLSocket} with Ciphersuites
+ */
+ private Socket setEnabledSslCiphers(Socket sslSocket) {
+ if (sslSocket instanceof SSLSocket) {
+ String systemProp = System.getProperty("https.cipherSuites");
+ if (MiscUtil.isNotEmpty(systemProp)) {
+ ((SSLSocket) sslSocket).setEnabledCipherSuites(systemProp.split(","));
+
+ }
+
+ try {
+ Logger.trace("Enabled SSL-Cipher: " + StringUtils.join(((SSLSocket) sslSocket).getEnabledCipherSuites(), ","));
+ } catch (Exception e) {
+ Logger.error(e);
+ }
+ }
+
+ return sslSocket;
+ }
 }
-- 
cgit v1.2.3
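Review bot: `setEnabledCipherSuites(systemProp.split(","))` in the new setEnabledSslCiphers hands the property entries to JSSE untrimmed and unvalidated, so a value written as `-Dhttps.cipherSuites=A, B` (or with a leading comma) produces an entry that setEnabledCipherSuites rejects with an IllegalArgumentException; that unchecked exception then escapes from all four createSocket wrappers in this and the two preceding hunks, which declare only IOException, and the socket just returned by sslfactory is never closed. Trimming and splitting on `\\s*,\\s*`, catching IllegalArgumentException, closing the socket and rethrowing as IOException (the helper can declare `throws IOException`, since every caller already does) turns a misconfigured property into the error type callers handle and stops the socket leak. The try/catch around the Logger.trace call guards nothing, because getEnabledCipherSuites() declares no exception, and can be dropped; the Javadoc's `z.B.` should read `e.g.`.
```java
	private Socket setEnabledSslCiphers(Socket sslSocket) throws IOException {
		if (sslSocket instanceof SSLSocket) {
			String systemProp = System.getProperty("https.cipherSuites");
			if (MiscUtil.isNotEmpty(systemProp)) {
				try {
					((SSLSocket) sslSocket).setEnabledCipherSuites(systemProp.trim().split("\\s*,\\s*"));
				} catch (IllegalArgumentException e) {
					// unsupported or empty suite name: close the socket rather than leak it half-configured
					sslSocket.close();
					throw new IOException("Invalid 'https.cipherSuites' value: " + e.getMessage(), e);
				}
			}
			Logger.trace("Enabled SSL-Cipher: " + StringUtils.join(((SSLSocket) sslSocket).getEnabledCipherSuites(), ","));
		}
		return sslSocket;
	}
```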