summaryrefslogtreecommitdiff
path: root/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java
diff options
context:
space:
mode:
Diffstat (limited to 'bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java')
-rw-r--r--bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java66
1 files changed, 51 insertions, 15 deletions
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java b/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java
index 2ace91d2..702212bc 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java
@@ -37,30 +37,65 @@ import org.springframework.beans.factory.FactoryBean;
import at.gv.egiz.bku.conf.MoccaConfigurationFacade;
public class SSLSocketFactoryBean implements FactoryBean {
-
+
protected PKIProfile pkiProfile;
-
+
/**
* The configuration facade.
*/
protected final ConfigurationFacade configurationFacade = new ConfigurationFacade();
-
+
public class ConfigurationFacade implements MoccaConfigurationFacade {
-
+
private Configuration configuration;
-
+
+ //avoid ClassCastException: iaik.security.ecc.ecdsa.ECPublicKey cannot be cast to java.security.interfaces.ECPublicKey
+ private final String DEFAULT_DISABLED_CIPHER_SUITES =
+ "TLS_ECDH_ECDSA_WITH_NULL_SHA," +
+ "TLS_ECDH_ECDSA_WITH_RC4_128_SHA," +
+ "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," +
+ "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," +
+ "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," +
+ "TLS_ECDHE_ECDSA_WITH_NULL_SHA," +
+ "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA," +
+ "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," +
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," +
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," +
+ "TLS_ECDH_RSA_WITH_NULL_SHA," +
+ "TLS_ECDH_RSA_WITH_RC4_128_SHA," +
+ "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," +
+ "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," +
+ "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," +
+ "TLS_ECDHE_RSA_WITH_NULL_SHA," +
+ "TLS_ECDHE_RSA_WITH_RC4_128_SHA," +
+ "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," +
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," +
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," +
+ "TLS_ECDH_anon_WITH_NULL_SHA," +
+ "TLS_ECDH_anon_WITH_RC4_128_SHA," +
+ "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA," +
+ "TLS_ECDH_anon_WITH_AES_128_CBC_SHA," +
+ "TLS_ECDH_anon_WITH_AES_256_CBC_SHA";
+
public static final String SSL_PROTOCOL = "SSL.sslProtocol";
-
- public static final String SSL_DISSABLE_ALL_CHECKS = "SSL.disableAllChecks";
-
+
+ public static final String SSL_DISABLE_ALL_CHECKS = "SSL.disableAllChecks";
+
+ public static final String SSL_DISABLED_CIPHER_SUITES = "SSL.disabledCipherSuites";
+
public String getSslProtocol() {
return configuration.getString(SSL_PROTOCOL, "TLS");
}
-
+
public boolean disableAllSslChecks() {
- return configuration.getBoolean(SSL_DISSABLE_ALL_CHECKS, false);
+ return configuration.getBoolean(SSL_DISABLE_ALL_CHECKS, false);
+ }
+
+ public String[] getDisabledCipherSuites() {
+ String suites = configuration.getString(SSL_DISABLED_CIPHER_SUITES,
+ DEFAULT_DISABLED_CIPHER_SUITES);
+ return suites.split(",");
}
-
}
/**
@@ -93,15 +128,16 @@ public class SSLSocketFactoryBean implements FactoryBean {
@Override
public Object getObject() throws Exception {
-
PKITrustManager pkiTrustManager = new PKITrustManager();
pkiTrustManager.setConfiguration(configurationFacade.configuration);
pkiTrustManager.setPkiProfile(pkiProfile);
-
+
SSLContext sslContext = SSLContext.getInstance(configurationFacade.getSslProtocol());
sslContext.init(null, new TrustManager[] {pkiTrustManager}, null);
-
- return sslContext.getSocketFactory();
+
+ SSLSocketFactory ssf = sslContext.getSocketFactory();
+
+ return new InternalSSLSocketFactory(ssf, configurationFacade.getDisabledCipherSuites());
}
@Override
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-29 06:50:51 +0000