From 4af1d0a0d6fb6f4784067d320e42504922710788 Mon Sep 17 00:00:00 2001
From: tkellner
Date: Mon, 11 Nov 2013 20:52:36 +0000
Subject: Allow to disable certain ciphersuites for SSL connections

git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@1213 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
---
 .../gv/egiz/bku/spring/SSLSocketFactoryBean.java | 66 +++++++++++++++++-----
 1 file changed, 51 insertions(+), 15 deletions(-)

(limited to 'bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java')

diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java b/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java
index 2ace91d2..702212bc 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java
@@ -37,30 +37,65 @@ import org.springframework.beans.factory.FactoryBean; import at.gv.egiz.bku.conf.MoccaConfigurationFacade; public class SSLSocketFactoryBean implements FactoryBean { - + protected PKIProfile pkiProfile; - + /** * The configuration facade. */ protected final ConfigurationFacade configurationFacade = new ConfigurationFacade(); - + public class ConfigurationFacade implements MoccaConfigurationFacade { - + private Configuration configuration; - + + //avoid ClassCastException: iaik.security.ecc.ecdsa.ECPublicKey cannot be cast to java.security.interfaces.ECPublicKey + private final String DEFAULT_DISABLED_CIPHER_SUITES = + "TLS_ECDH_ECDSA_WITH_NULL_SHA," + + "TLS_ECDH_ECDSA_WITH_RC4_128_SHA," + + "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + + "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + + "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + + "TLS_ECDHE_ECDSA_WITH_NULL_SHA," + + "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA," + + "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + + "TLS_ECDH_RSA_WITH_NULL_SHA," + + "TLS_ECDH_RSA_WITH_RC4_128_SHA," + + "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," + + "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + + "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + + "TLS_ECDHE_RSA_WITH_NULL_SHA," + + "TLS_ECDHE_RSA_WITH_RC4_128_SHA," + + "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + + "TLS_ECDH_anon_WITH_NULL_SHA," + + "TLS_ECDH_anon_WITH_RC4_128_SHA," + + "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA," + + "TLS_ECDH_anon_WITH_AES_128_CBC_SHA," + + "TLS_ECDH_anon_WITH_AES_256_CBC_SHA"; + public static final String SSL_PROTOCOL = "SSL.sslProtocol"; - - public static final String SSL_DISSABLE_ALL_CHECKS = "SSL.disableAllChecks"; - + + public static final String SSL_DISABLE_ALL_CHECKS = "SSL.disableAllChecks"; + + public static final String SSL_DISABLED_CIPHER_SUITES = "SSL.disabledCipherSuites"; + public String getSslProtocol() 
{ return configuration.getString(SSL_PROTOCOL, "TLS"); } - + public boolean disableAllSslChecks() { - return configuration.getBoolean(SSL_DISSABLE_ALL_CHECKS, false); + return configuration.getBoolean(SSL_DISABLE_ALL_CHECKS, false); + } + + public String[] getDisabledCipherSuites() { + String suites = configuration.getString(SSL_DISABLED_CIPHER_SUITES, + DEFAULT_DISABLED_CIPHER_SUITES); + return suites.split(","); } - } /** @@ -93,15 +128,16 @@ public class SSLSocketFactoryBean implements FactoryBean { @Override public Object getObject() throws Exception { - PKITrustManager pkiTrustManager = new PKITrustManager(); pkiTrustManager.setConfiguration(configurationFacade.configuration); pkiTrustManager.setPkiProfile(pkiProfile); - + SSLContext sslContext = SSLContext.getInstance(configurationFacade.getSslProtocol()); sslContext.init(null, new TrustManager[] {pkiTrustManager}, null); - - return sslContext.getSocketFactory(); + + SSLSocketFactory ssf = sslContext.getSocketFactory(); + + return new InternalSSLSocketFactory(ssf, configurationFacade.getDisabledCipherSuites()); } @Override -- cgit v1.2.3
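Review bot: `DEFAULT_DISABLED_CIPHER_SUITES` is, per its own comment, a workaround for the IAIK `ECPublicKey` ClassCastException rather than a hardening policy, but `getDisabledCipherSuites()` returns a configured `SSL.disabledCipherSuites` value *instead of* the default, so an operator who sets the key to drop other suites silently re-enables every ECDH/ECDHE suite and brings the crash back; the constant deserves a comment such as `// Compatibility list, not a security policy: a configured SSL.disabledCipherSuites REPLACES it, so keep these ECDH* entries in any custom value.` The default also only names EC suites, so whatever NULL, RC4, anonymous or export suites the provider enables by default (e.g. `SSL_RSA_WITH_RC4_128_MD5`, `SSL_DH_anon_*`) stay enabled; if the setting is meant to harden the channel, an allow-list of enabled suites would be the safer shape. Separately, `suites.split(",")` neither trims nor drops empty tokens, so a value written as `A, B` yields `" B"` (which never matches a suite name) and an empty value yields a one-element array containing `""`; trimming and skipping blanks keeps a mis-typed configuration from silently disabling nothing. The enclosing `SSLSocketFactoryBean` class continues outside this hunk.
```java
    public String[] getDisabledCipherSuites() {
      String suites = configuration.getString(SSL_DISABLED_CIPHER_SUITES,
          DEFAULT_DISABLED_CIPHER_SUITES);
      // Tolerate "A, B" and trailing commas; an empty value disables nothing.
      List<String> result = new ArrayList<String>();
      for (String s : suites.split(",")) {
        String name = s.trim();
        if (!name.isEmpty()) {
          result.add(name);
        }
      }
      return result.toArray(new String[result.size()]);
    }
```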
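Review bot: `getObject()` now hands `configurationFacade.getDisabledCipherSuites()` to `InternalSSLSocketFactory`, whose definition is outside this hunk, so it is not visible here how unknown or misspelled suite names are handled — `SSLSocket.setEnabledCipherSuites` throws `IllegalArgumentException` for names the provider does not support, whereas a subtractive filter silently ignores them, and either way a typo in the configured list leaves the offending ECDH suites enabled until the first handshake fails. Validating the list once at construction against `ssf.getSupportedCipherSuites()` and logging the suites that are actually disabled would surface that early, e.g. `if (!Arrays.asList(ssf.getSupportedCipherSuites()).contains(suite)) log.warn("Unknown cipher suite in SSL.disabledCipherSuites: {}", suite);` before the wrapper is returned. The `sslContext.init(null, …, null)` call is unchanged by this commit and still depends on the trust manager alone for peer validation.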