From 6ccc2a6a7f160bd44789fb328d69b3ff8484d94d Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 8 Nov 2016 15:49:31 +0100 Subject: fix problem with SSLSocketFactory --- .../utils/MOAHttpProtocolSocketFactory.java | 39 ++++++++++++++++------ 1 file changed, 29 insertions(+), 10 deletions(-) diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java index 5bcf915e8..0479b1bc1 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java @@ -29,6 +29,9 @@ import java.net.UnknownHostException; import java.security.GeneralSecurityException; import java.security.cert.Certificate; import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; import javax.net.ssl.SSLException; import javax.net.ssl.SSLPeerUnverifiedException; @@ -189,7 +192,7 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory verifyHostName(sslSocket); //set allowed SSL ciphers - sslSocket = setEnabledSslCiphers(sslSocket); + //sslSocket = setEnabledSslCiphers(sslSocket); return sslSocket; } 
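Review bot: In the second hunk the call `sslSocket = setEnabledSslCiphers(sslSocket);` is commented out instead of fixed, so the cipher allow-list an operator configures through `https.cipherSuites` is no longer applied to the socket and the JVM's default suites stay enabled; the hardened `setEnabledSslCiphers` this same commit introduces is thereby left as dead code. If the motivation was the IllegalArgumentException that unsupported suite names used to raise, the filtering now done inside that method covers it and the call can simply be restored as `sslSocket = setEnabledSslCiphers(sslSocket);`. If the restriction is meant to stay off, the commented-out line and the now-misleading `//set allowed SSL ciphers` comment should be removed and the reason recorded, e.g. `// NOTE: https.cipherSuites restriction intentionally not applied here: <reason>`, because a silently ignored security setting is worse than an absent one. The enclosing method begins before the hunk.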
@@ -251,18 +254,34 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory * @return {@link SSLSocket} with Ciphersuites */ private SSLSocket setEnabledSslCiphers(SSLSocket sslSocket) { - String systemProp = System.getProperty("https.cipherSuites"); + String systemProp = System.getProperty("https.cipherSuites"); if (MiscUtil.isNotEmpty(systemProp)) { - sslSocket.setEnabledCipherSuites(systemProp.split(",")); - - } + try { + List possibleCiphers = new ArrayList(); - try { - Logger.trace("Enabled SSL-Cipher: " + StringUtils.join(((SSLSocket) sslSocket).getEnabledCipherSuites(), ",")); - } catch (Exception e) { - Logger.error(e); + List supportedCiphers = Arrays.asList(sslSocket.getSupportedCipherSuites()); + for (String el : systemProp.split(",")) { + if (supportedCiphers.contains(el)) + possibleCiphers.add(el); + else + Logger.debug("Ignore unsupported cipher: " + el); + + } + + sslSocket.setEnabledCipherSuites(possibleCiphers.toArray(new String[possibleCiphers.size()])); + + try { + Logger.trace("Enabled SSL-Cipher: " + StringUtils.join(((SSLSocket) sslSocket).getEnabledCipherSuites(), ",")); + } catch (Exception e) { + Logger.error(e); + } + + } catch (IllegalArgumentException e) { + Logger.warn("Can not set allowed https.cipherSuites to httpClient. Use default set!"); + + } } - + return sslSocket; } } -- cgit v1.2.3
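Review bot: The new filtering loop compares each raw element of `systemProp.split(",")` against the supported list without trimming, so a value such as `TLS_A, TLS_B` silently drops every entry after the first comma, and a drop is only reported at debug level; if nothing matches, `setEnabledCipherSuites` is handed an empty array, which as far as I can tell does not trigger the IllegalArgumentException fallback but leaves a socket on which every handshake fails. Ignored entries should be trimmed and logged at warn level, and the empty case handled explicitly; whether that case falls back to the JVM defaults (as the existing catch branch does) or refuses the connection is a policy call, but it must not be silent. Replacing the raw `List`/`ArrayList` with `List<String>`/`ArrayList<String>` would also remove the unchecked warnings this hunk introduces.
```java
List<String> supportedCiphers = Arrays.asList(sslSocket.getSupportedCipherSuites());
for (String el : systemProp.split(",")) {
    String cipher = el.trim();
    if (cipher.isEmpty())
        continue;
    if (supportedCiphers.contains(cipher))
        possibleCiphers.add(cipher);
    else
        Logger.warn("Ignore unsupported cipher from https.cipherSuites: " + cipher);
}
if (possibleCiphers.isEmpty()) {
    Logger.warn("None of the configured https.cipherSuites is supported by this JVM. Use default set!");
} else {
    sslSocket.setEnabledCipherSuites(possibleCiphers.toArray(new String[possibleCiphers.size()]));
}
// … unchanged: trace logging of the enabled suites and the IllegalArgumentException fallback …
```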