From 6ccc2a6a7f160bd44789fb328d69b3ff8484d94d Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 8 Nov 2016 15:49:31 +0100
Subject: fix problem with SSLSocketFactory

---
 .../utils/MOAHttpProtocolSocketFactory.java        | 39 ++++++++++++++++------
 1 file changed, 29 insertions(+), 10 deletions(-)

diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
index 5bcf915e8..0479b1bc1 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
@@ -29,6 +29,9 @@ import java.net.UnknownHostException;
 import java.security.GeneralSecurityException;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
 
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLPeerUnverifiedException;
@@ -189,7 +192,7 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
 			verifyHostName(sslSocket);
 				
 			//set allowed SSL ciphers
-			sslSocket = setEnabledSslCiphers(sslSocket);
+			//sslSocket = setEnabledSslCiphers(sslSocket);
 						
 			return sslSocket;	
 		}
@@ -251,18 +254,34 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
 	 * @return {@link SSLSocket} with Ciphersuites
 	 */
 	private SSLSocket setEnabledSslCiphers(SSLSocket sslSocket) {
-		String systemProp = System.getProperty("https.cipherSuites");
+		String systemProp = System.getProperty("https.cipherSuites");		
 		if (MiscUtil.isNotEmpty(systemProp)) {
-			sslSocket.setEnabledCipherSuites(systemProp.split(","));
-	
-		}
+			try {
+				List<String> possibleCiphers = new ArrayList<String>();
 			
-		try {
-			Logger.trace("Enabled SSL-Cipher: " + StringUtils.join(((SSLSocket) sslSocket).getEnabledCipherSuites(), ","));
-		} catch (Exception e) {
-			Logger.error(e);
+				List<String> supportedCiphers = Arrays.asList(sslSocket.getSupportedCipherSuites());
+				for (String el : systemProp.split(",")) {
+					if (supportedCiphers.contains(el))
+						possibleCiphers.add(el);
+					else
+						Logger.debug("Ignore unsupported cipher: " + el);
+				
+				}
+										
+				sslSocket.setEnabledCipherSuites(possibleCiphers.toArray(new String[possibleCiphers.size()]));
+				
+				try {
+					Logger.trace("Enabled SSL-Cipher: " + StringUtils.join(((SSLSocket) sslSocket).getEnabledCipherSuites(), ","));
+				} catch (Exception e) {
+					Logger.error(e);
+				}
+				
+			} catch (IllegalArgumentException e) {
+				Logger.warn("Can not set allowed https.cipherSuites to httpClient. Use default set!");
+				
+			}	
 		}
-		
+					
 		return sslSocket;
 	}
 }
-- 
cgit v1.2.3