Commit 5bdcaaaa authored by Dave Cridland's avatar Dave Cridland

Merge pull request #454 from guusdk/OF-1004

OF-1004: Reduce complexity of connection configuration
parents 22159e5b 3c8a143b
...@@ -2466,3 +2466,15 @@ client.connections.settings.ping.footnote=The XMPP specification requires all cl ...@@ -2466,3 +2466,15 @@ client.connections.settings.ping.footnote=The XMPP specification requires all cl
If a client does not support the XMPP Ping request, it must return an error (which in itself is a response too). If a client does not support the XMPP Ping request, it must return an error (which in itself is a response too).
client.connections.settings.ping.enable=Send an XMPP Ping request to idle clients. client.connections.settings.ping.enable=Send an XMPP Ping request to idle clients.
client.connections.settings.ping.disable=Do not send XMPP Ping requests to idle clients. client.connections.settings.ping.disable=Do not send XMPP Ping requests to idle clients.
# Connection type and mode
connection-type.socket-s2s=server-to-server (federation)
connection-type.socket-c2s=client-to-server
connection-type.bosh-c2s=HTTP-binding (BOSH)
connection-type.webadmin=admin console
connection-type.component=external component
connection-type.connection-manager=connection manager
connection-type.unspecified=unspecified
connection-mode.plain=plain text (with STARTSSL)
connection-mode.legacy=encrypted (legacy-mode)
connection-mode.unspecified=unspecified
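Review bot: `connection-mode.plain=plain text (with STARTSSL)` names a mechanism that does not exist; the XMPP in-band upgrade to TLS is STARTTLS, so the admin console would display a misspelled protocol name next to the connection mode. Suggest `connection-mode.plain=plain text (with STARTTLS)`. The same key is added with the identical value in every resource bundle of this commit (the hunks ending at lines 36, 51, 66, 81, 96, 111, 126, 141, 156, 171, 186 and 201), so the correction applies to all of them, including the translated bundles where the new values are left in English.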
...@@ -2429,3 +2429,15 @@ client.connections.settings.ping.footnote=The XMPP specification requires all cl ...@@ -2429,3 +2429,15 @@ client.connections.settings.ping.footnote=The XMPP specification requires all cl
If a client does not support the XMPP Ping request, it must return an error (which in itself is a response too). If a client does not support the XMPP Ping request, it must return an error (which in itself is a response too).
client.connections.settings.ping.enable=Send an XMPP Ping request to idle clients. client.connections.settings.ping.enable=Send an XMPP Ping request to idle clients.
client.connections.settings.ping.disable=Do not send XMPP Ping requests to idle clients. client.connections.settings.ping.disable=Do not send XMPP Ping requests to idle clients.
# Connection type and mode
connection-type.socket-s2s=server-to-server (federation)
connection-type.socket-c2s=client-to-server
connection-type.bosh-c2s=HTTP-binding (BOSH)
connection-type.webadmin=admin console
connection-type.component=external component
connection-type.connection-manager=connection manager
connection-type.unspecified=unspecified
connection-mode.plain=plain text (with STARTSSL)
connection-mode.legacy=encrypted (legacy-mode)
connection-mode.unspecified=unspecified
...@@ -3062,3 +3062,15 @@ client.connections.settings.ping.footnote=The XMPP specification requires all cl ...@@ -3062,3 +3062,15 @@ client.connections.settings.ping.footnote=The XMPP specification requires all cl
If a client does not support the XMPP Ping request, it must return an error (which in itself is a response too). If a client does not support the XMPP Ping request, it must return an error (which in itself is a response too).
client.connections.settings.ping.enable=Send an XMPP Ping request to idle clients. client.connections.settings.ping.enable=Send an XMPP Ping request to idle clients.
client.connections.settings.ping.disable=Do not send XMPP Ping requests to idle clients. client.connections.settings.ping.disable=Do not send XMPP Ping requests to idle clients.
# Connection type and mode
connection-type.socket-s2s=server-to-server (federation)
connection-type.socket-c2s=client-to-server
connection-type.bosh-c2s=HTTP-binding (BOSH)
connection-type.webadmin=admin console
connection-type.component=external component
connection-type.connection-manager=connection manager
connection-type.unspecified=unspecified
connection-mode.plain=plain text (with STARTSSL)
connection-mode.legacy=encrypted (legacy-mode)
connection-mode.unspecified=unspecified
...@@ -2487,3 +2487,15 @@ client.connections.settings.ping.footnote=La especificaci\u00f3n de XMPP requeir ...@@ -2487,3 +2487,15 @@ client.connections.settings.ping.footnote=La especificaci\u00f3n de XMPP requeir
solicitud. Si un cliente no soporta la solicitud XMPP Ping debe retornar error (lo cual tambi\u00e9n es una respuesta). solicitud. Si un cliente no soporta la solicitud XMPP Ping debe retornar error (lo cual tambi\u00e9n es una respuesta).
client.connections.settings.ping.enable=Enviar una solicitud XMPP Ping a los clientes inactivos. client.connections.settings.ping.enable=Enviar una solicitud XMPP Ping a los clientes inactivos.
client.connections.settings.ping.disable=No enviar una solicitud XMPP Ping a los clientes inactivos. client.connections.settings.ping.disable=No enviar una solicitud XMPP Ping a los clientes inactivos.
# Connection type and mode
connection-type.socket-s2s=server-to-server (federation)
connection-type.socket-c2s=client-to-server
connection-type.bosh-c2s=HTTP-binding (BOSH)
connection-type.webadmin=admin console
connection-type.component=external component
connection-type.connection-manager=connection manager
connection-type.unspecified=unspecified
connection-mode.plain=plain text (with STARTSSL)
connection-mode.legacy=encrypted (legacy-mode)
connection-mode.unspecified=unspecified
...@@ -2042,3 +2042,15 @@ client.connections.settings.ping.footnote=The XMPP specification requires all cl ...@@ -2042,3 +2042,15 @@ client.connections.settings.ping.footnote=The XMPP specification requires all cl
If a client does not support the XMPP Ping request, it must return an error (which in itself is a response too). If a client does not support the XMPP Ping request, it must return an error (which in itself is a response too).
client.connections.settings.ping.enable=Send an XMPP Ping request to idle clients. client.connections.settings.ping.enable=Send an XMPP Ping request to idle clients.
client.connections.settings.ping.disable=Do not send XMPP Ping requests to idle clients. client.connections.settings.ping.disable=Do not send XMPP Ping requests to idle clients.
# Connection type and mode
connection-type.socket-s2s=server-to-server (federation)
connection-type.socket-c2s=client-to-server
connection-type.bosh-c2s=HTTP-binding (BOSH)
connection-type.webadmin=admin console
connection-type.component=external component
connection-type.connection-manager=connection manager
connection-type.unspecified=unspecified
connection-mode.plain=plain text (with STARTSSL)
connection-mode.legacy=encrypted (legacy-mode)
connection-mode.unspecified=unspecified
...@@ -2413,3 +2413,15 @@ client.connections.settings.ping.footnote=The XMPP specification requires all cl ...@@ -2413,3 +2413,15 @@ client.connections.settings.ping.footnote=The XMPP specification requires all cl
If a client does not support the XMPP Ping request, it must return an error (which in itself is a response too). If a client does not support the XMPP Ping request, it must return an error (which in itself is a response too).
client.connections.settings.ping.enable=Send an XMPP Ping request to idle clients. client.connections.settings.ping.enable=Send an XMPP Ping request to idle clients.
client.connections.settings.ping.disable=Do not send XMPP Ping requests to idle clients. client.connections.settings.ping.disable=Do not send XMPP Ping requests to idle clients.
# Connection type and mode
connection-type.socket-s2s=server-to-server (federation)
connection-type.socket-c2s=client-to-server
connection-type.bosh-c2s=HTTP-binding (BOSH)
connection-type.webadmin=admin console
connection-type.component=external component
connection-type.connection-manager=connection manager
connection-type.unspecified=unspecified
connection-mode.plain=plain text (with STARTSSL)
connection-mode.legacy=encrypted (legacy-mode)
connection-mode.unspecified=unspecified
...@@ -2433,3 +2433,15 @@ client.connections.settings.ping.footnote=De XMPP specificatie verplicht alle cl ...@@ -2433,3 +2433,15 @@ client.connections.settings.ping.footnote=De XMPP specificatie verplicht alle cl
is, waaraan Openfire kan zien dat de verbinding actief is). is, waaraan Openfire kan zien dat de verbinding actief is).
client.connections.settings.ping.enable=Verstuur XMPP Ping verzoeken aan clienten die inactief zijn. client.connections.settings.ping.enable=Verstuur XMPP Ping verzoeken aan clienten die inactief zijn.
client.connections.settings.ping.disable=Verstuur geen XMPP ping verzoeken. client.connections.settings.ping.disable=Verstuur geen XMPP ping verzoeken.
# Connection type and mode
connection-type.socket-s2s=server-to-server (federation)
connection-type.socket-c2s=client-to-server
connection-type.bosh-c2s=HTTP-binding (BOSH)
connection-type.webadmin=admin console
connection-type.component=external component
connection-type.connection-manager=connection manager
connection-type.unspecified=unspecified
connection-mode.plain=plain text (with STARTSSL)
connection-mode.legacy=encrypted (legacy-mode)
connection-mode.unspecified=unspecified
...@@ -2400,3 +2400,15 @@ client.connections.settings.ping.footnote=The XMPP specification requires all cl ...@@ -2400,3 +2400,15 @@ client.connections.settings.ping.footnote=The XMPP specification requires all cl
If a client does not support the XMPP Ping request, it must return an error (which in itself is a response too). If a client does not support the XMPP Ping request, it must return an error (which in itself is a response too).
client.connections.settings.ping.enable=Send an XMPP Ping request to idle clients. client.connections.settings.ping.enable=Send an XMPP Ping request to idle clients.
client.connections.settings.ping.disable=Do not send XMPP Ping requests to idle clients. client.connections.settings.ping.disable=Do not send XMPP Ping requests to idle clients.
# Connection type and mode
connection-type.socket-s2s=server-to-server (federation)
connection-type.socket-c2s=client-to-server
connection-type.bosh-c2s=HTTP-binding (BOSH)
connection-type.webadmin=admin console
connection-type.component=external component
connection-type.connection-manager=connection manager
connection-type.unspecified=unspecified
connection-mode.plain=plain text (with STARTSSL)
connection-mode.legacy=encrypted (legacy-mode)
connection-mode.unspecified=unspecified
...@@ -2433,3 +2433,15 @@ client.connections.settings.ping.footnote=The XMPP specification requires all cl ...@@ -2433,3 +2433,15 @@ client.connections.settings.ping.footnote=The XMPP specification requires all cl
If a client does not support the XMPP Ping request, it must return an error (which in itself is a response too). If a client does not support the XMPP Ping request, it must return an error (which in itself is a response too).
client.connections.settings.ping.enable=Send an XMPP Ping request to idle clients. client.connections.settings.ping.enable=Send an XMPP Ping request to idle clients.
client.connections.settings.ping.disable=Do not send XMPP Ping requests to idle clients. client.connections.settings.ping.disable=Do not send XMPP Ping requests to idle clients.
# Connection type and mode
connection-type.socket-s2s=server-to-server (federation)
connection-type.socket-c2s=client-to-server
connection-type.bosh-c2s=HTTP-binding (BOSH)
connection-type.webadmin=admin console
connection-type.component=external component
connection-type.connection-manager=connection manager
connection-type.unspecified=unspecified
connection-mode.plain=plain text (with STARTSSL)
connection-mode.legacy=encrypted (legacy-mode)
connection-mode.unspecified=unspecified
...@@ -2974,3 +2974,15 @@ client.connections.settings.ping.footnote=As defini\u00e7\u00f5es XMPP requerem ...@@ -2974,3 +2974,15 @@ client.connections.settings.ping.footnote=As defini\u00e7\u00f5es XMPP requerem
Se o cliente n\u00e3o suportar o Ping XMPP, vai ter de devolver um erro (o que no fundo tambem \u00e9 uma resposta). Se o cliente n\u00e3o suportar o Ping XMPP, vai ter de devolver um erro (o que no fundo tambem \u00e9 uma resposta).
client.connections.settings.ping.enable=Enviar um Ping XMPP aos clientes para verifica\u00e7\u00e3o. client.connections.settings.ping.enable=Enviar um Ping XMPP aos clientes para verifica\u00e7\u00e3o.
client.connections.settings.ping.disable=N\u00e3o enviar Ping XMPP de verifica\u00e7\u00e3o. client.connections.settings.ping.disable=N\u00e3o enviar Ping XMPP de verifica\u00e7\u00e3o.
# Connection type and mode
connection-type.socket-s2s=server-to-server (federation)
connection-type.socket-c2s=client-to-server
connection-type.bosh-c2s=HTTP-binding (BOSH)
connection-type.webadmin=admin console
connection-type.component=external component
connection-type.connection-manager=connection manager
connection-type.unspecified=unspecified
connection-mode.plain=plain text (with STARTSSL)
connection-mode.legacy=encrypted (legacy-mode)
connection-mode.unspecified=unspecified
...@@ -1887,3 +1887,14 @@ xmpp.error.502=\u041E\u0448\u0438\u0431\u043A\u0430 \u0443\u0434\u0430\u043B\u04 ...@@ -1887,3 +1887,14 @@ xmpp.error.502=\u041E\u0448\u0438\u0431\u043A\u0430 \u0443\u0434\u0430\u043B\u04
xmpp.error.503=\u0421\u043B\u0443\u0436\u0431\u0430 \u043D\u0435\u0434\u043E\u0441\u0442\u0443\u043F\u043D\u0430 xmpp.error.503=\u0421\u043B\u0443\u0436\u0431\u0430 \u043D\u0435\u0434\u043E\u0441\u0442\u0443\u043F\u043D\u0430
xmpp.error.504=\u0422\u0430\u0439\u043C-\u0430\u0443\u0442 \u0443\u0434\u0430\u043B\u0435\u043D\u043D\u043E\u0433\u043E \u0441\u0435\u0440\u0432\u0435\u0440\u0430 xmpp.error.504=\u0422\u0430\u0439\u043C-\u0430\u0443\u0442 \u0443\u0434\u0430\u043B\u0435\u043D\u043D\u043E\u0433\u043E \u0441\u0435\u0440\u0432\u0435\u0440\u0430
xmpp.error.unknown=\u041D\u0435\u0438\u0437\u0432\u0435\u0441\u0442\u043D\u044B\u0439 \u043A\u043E\u0434 \u043E\u0448\u0438\u0431\u043A\u0438 xmpp.error.unknown=\u041D\u0435\u0438\u0437\u0432\u0435\u0441\u0442\u043D\u044B\u0439 \u043A\u043E\u0434 \u043E\u0448\u0438\u0431\u043A\u0438
# Connection type and mode
connection-type.socket-s2s=server-to-server (federation)
connection-type.socket-c2s=client-to-server
connection-type.bosh-c2s=HTTP-binding (BOSH)
connection-type.webadmin=admin console
connection-type.component=external component
connection-type.connection-manager=connection manager
connection-type.unspecified=unspecified
connection-mode.plain=plain text (with STARTSSL)
connection-mode.legacy=encrypted (legacy-mode)
connection-mode.unspecified=unspecified
...@@ -2269,3 +2269,15 @@ client.connections.settings.ping.footnote=The XMPP specification requires all cl ...@@ -2269,3 +2269,15 @@ client.connections.settings.ping.footnote=The XMPP specification requires all cl
If a client does not support the XMPP Ping request, it must return an error (which in itself is a response too). If a client does not support the XMPP Ping request, it must return an error (which in itself is a response too).
client.connections.settings.ping.enable=Send an XMPP Ping request to idle clients. client.connections.settings.ping.enable=Send an XMPP Ping request to idle clients.
client.connections.settings.ping.disable=Do not send XMPP Ping requests to idle clients. client.connections.settings.ping.disable=Do not send XMPP Ping requests to idle clients.
# Connection type and mode
connection-type.socket-s2s=server-to-server (federation)
connection-type.socket-c2s=client-to-server
connection-type.bosh-c2s=HTTP-binding (BOSH)
connection-type.webadmin=admin console
connection-type.component=external component
connection-type.connection-manager=connection manager
connection-type.unspecified=unspecified
connection-mode.plain=plain text (with STARTSSL)
connection-mode.legacy=encrypted (legacy-mode)
connection-mode.unspecified=unspecified
...@@ -2325,3 +2325,15 @@ client.connections.settings.ping.footnote=The XMPP specification requires all cl ...@@ -2325,3 +2325,15 @@ client.connections.settings.ping.footnote=The XMPP specification requires all cl
If a client does not support the XMPP Ping request, it must return an error (which in itself is a response too). If a client does not support the XMPP Ping request, it must return an error (which in itself is a response too).
client.connections.settings.ping.enable=Send an XMPP Ping request to idle clients. client.connections.settings.ping.enable=Send an XMPP Ping request to idle clients.
client.connections.settings.ping.disable=Do not send XMPP Ping requests to idle clients. client.connections.settings.ping.disable=Do not send XMPP Ping requests to idle clients.
# Connection type and mode
connection-type.socket-s2s=server-to-server (federation)
connection-type.socket-c2s=client-to-server
connection-type.bosh-c2s=HTTP-binding (BOSH)
connection-type.webadmin=admin console
connection-type.component=external component
connection-type.connection-manager=connection manager
connection-type.unspecified=unspecified
connection-mode.plain=plain text (with STARTSSL)
connection-mode.legacy=encrypted (legacy-mode)
connection-mode.unspecified=unspecified
...@@ -34,10 +34,8 @@ public class ConnectionConfiguration ...@@ -34,10 +34,8 @@ public class ConnectionConfiguration
private final CertificateStoreConfiguration trustStoreConfiguration; private final CertificateStoreConfiguration trustStoreConfiguration;
private final boolean acceptSelfSignedCertificates; private final boolean acceptSelfSignedCertificates;
private final boolean verifyCertificateValidity; private final boolean verifyCertificateValidity;
private final Set<String> encryptionProtocolsEnabled; private final Set<String> encryptionProtocols;
private final Set<String> encryptionProtocolsDisabled; private final Set<String> encryptionCipherSuites;
private final Set<String> cipherSuitesEnabled;
private final Set<String> cipherSuitesDisabled;
private final Connection.CompressionPolicy compressionPolicy; private final Connection.CompressionPolicy compressionPolicy;
// derived // derived
...@@ -55,7 +53,7 @@ public class ConnectionConfiguration ...@@ -55,7 +53,7 @@ public class ConnectionConfiguration
* @param tlsPolicy The TLS policy that is applied to connections (cannot be null). * @param tlsPolicy The TLS policy that is applied to connections (cannot be null).
*/ */
// TODO input validation // TODO input validation
public ConnectionConfiguration( ConnectionType type, boolean enabled, int maxThreadPoolSize, int maxBufferSize, Connection.ClientAuth clientAuth, InetAddress bindAddress, int port, Connection.TLSPolicy tlsPolicy, CertificateStoreConfiguration identityStoreConfiguration, CertificateStoreConfiguration trustStoreConfiguration, boolean acceptSelfSignedCertificates, boolean verifyCertificateValidity, Set<String> encryptionProtocolsEnabled, Set<String> encryptionProtocolsDisabled, Set<String> cipherSuitesEnabled, Set<String> cipherSuitesDisabled, Connection.CompressionPolicy compressionPolicy ) public ConnectionConfiguration( ConnectionType type, boolean enabled, int maxThreadPoolSize, int maxBufferSize, Connection.ClientAuth clientAuth, InetAddress bindAddress, int port, Connection.TLSPolicy tlsPolicy, CertificateStoreConfiguration identityStoreConfiguration, CertificateStoreConfiguration trustStoreConfiguration, boolean acceptSelfSignedCertificates, boolean verifyCertificateValidity, Set<String> encryptionProtocols, Set<String> encryptionCipherSuites, Connection.CompressionPolicy compressionPolicy )
{ {
if ( maxThreadPoolSize <= 0 ) { if ( maxThreadPoolSize <= 0 ) {
throw new IllegalArgumentException( "Argument 'maxThreadPoolSize' must be equal to or greater than one." ); throw new IllegalArgumentException( "Argument 'maxThreadPoolSize' must be equal to or greater than one." );
...@@ -76,21 +74,8 @@ public class ConnectionConfiguration ...@@ -76,21 +74,8 @@ public class ConnectionConfiguration
this.trustStoreConfiguration = trustStoreConfiguration; this.trustStoreConfiguration = trustStoreConfiguration;
this.acceptSelfSignedCertificates = acceptSelfSignedCertificates; this.acceptSelfSignedCertificates = acceptSelfSignedCertificates;
this.verifyCertificateValidity = verifyCertificateValidity; this.verifyCertificateValidity = verifyCertificateValidity;
this.encryptionProtocols = Collections.unmodifiableSet( encryptionProtocols );
// Remove all disabled protocols from the enabled ones. this.encryptionCipherSuites = Collections.unmodifiableSet( encryptionCipherSuites );
final Set<String> protocolsEnabled = new HashSet<>();
protocolsEnabled.addAll( encryptionProtocolsEnabled );
protocolsEnabled.removeAll( encryptionProtocolsDisabled );
this.encryptionProtocolsEnabled = Collections.unmodifiableSet( protocolsEnabled );
this.encryptionProtocolsDisabled = Collections.unmodifiableSet( encryptionProtocolsDisabled );
// Remove all disabled suites from the enabled ones.
final Set<String> suitesEnabled = new HashSet<>();
suitesEnabled.addAll( cipherSuitesEnabled );
suitesEnabled.removeAll( cipherSuitesDisabled );
this.cipherSuitesEnabled = Collections.unmodifiableSet( suitesEnabled );
this.cipherSuitesDisabled = Collections.unmodifiableSet( cipherSuitesDisabled );
this.compressionPolicy = compressionPolicy; this.compressionPolicy = compressionPolicy;
final CertificateStoreManager certificateStoreManager = XMPPServer.getInstance().getCertificateStoreManager(); final CertificateStoreManager certificateStoreManager = XMPPServer.getInstance().getCertificateStoreManager();
...@@ -175,66 +160,30 @@ public class ConnectionConfiguration ...@@ -175,66 +160,30 @@ public class ConnectionConfiguration
* When non-empty, the list is intended to specify those protocols (from a larger collection of implementation- * When non-empty, the list is intended to specify those protocols (from a larger collection of implementation-
* supported protocols) that can be used to establish encryption. * supported protocols) that can be used to establish encryption.
* *
* Values returned by {@link #getEncryptionProtocolsDisabled()} are not included in the result of this method.
*
* The order over which values are iterated in the result is equal to the order of values in the comma-separated * The order over which values are iterated in the result is equal to the order of values in the comma-separated
* configuration string. This can, but is not guaranteed to, indicate preference. * configuration string. This can, but is not guaranteed to, indicate preference.
* *
* @return An (ordered) set of protocols, never null but possibly empty. * @return An (ordered) set of protocols, never null but possibly empty.
*/ */
public Set<String> getEncryptionProtocolsEnabled() public Set<String> getEncryptionProtocols()
{ {
return encryptionProtocolsEnabled; return encryptionProtocols;
}
/**
* A collection of protocols that must not be used for encryption of connections.
*
* When non-empty, the list is intended to specify those protocols (from a larger collection of implementation-
* supported protocols) that must not be used to establish encryption.
*
* The order over which values are iterated in the result is equal to the order of values in the comma-separated
* configuration string.
*
* @return An (ordered) set of protocols, never null but possibly empty.
*/
public Set<String> getEncryptionProtocolsDisabled()
{
return encryptionProtocolsDisabled;
} }
/** /**
* A collection of cipher suite names that can be used for encryption of connections. * A collection of cipher suite names that can be used for encryption of connections.
* *
* When non-empty, the list is intended to specify those cipher suites (from a larger collection of implementation- * When non-empty, the list is intended to specify those cipher suites (from a larger collection of implementation-
* supported cipher suties) that can be used to establish encryption. * supported cipher suites) that can be used to establish encryption.
*
* Values returned by {@link #getCipherSuitesDisabled()} are not included in the result of this method.
* *
* The order over which values are iterated in the result is equal to the order of values in the comma-separated * The order over which values are iterated in the result is equal to the order of values in the comma-separated
* configuration string. This can, but is not guaranteed to, indicate preference. * configuration string. This can, but is not guaranteed to, indicate preference.
* *
* @return An (ordered) set of cipher suites, never null but possibly empty. * @return An (ordered) set of cipher suites, never null but possibly empty.
*/ */
public Set<String> getCipherSuitesEnabled() public Set<String> getEncryptionCipherSuites()
{
return cipherSuitesEnabled;
}
/**
* A collection of cipher suites that must not be used for encryption of connections.
*
* When non-empty, the list is intended to specify those cipher suites (from a larger collection of implementation-
* supported cipher suites) that must not be used to establish encryption.
*
* The order over which values are iterated in the result is equal to the order of values in the comma-separated
* configuration string.
*
* @return An (ordered) set of cipher suites, never null but possibly empty.
*/
public Set<String> getCipherSuitesDisabled()
{ {
return cipherSuitesDisabled; return encryptionCipherSuites;
} }
public IdentityStore getIdentityStore() public IdentityStore getIdentityStore()
......
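Review bot: The new assignments `this.encryptionProtocols = Collections.unmodifiableSet( encryptionProtocols );` and the matching cipher-suite line wrap the caller's set rather than copying it, so the field remains observable-mutable through the caller's reference, and the getters' documented "iteration order equals the configured order" only holds when the caller happens to pass an ordered set. The `// TODO input validation` above the constructor is also still open: a null argument now fails inside `Collections.unmodifiableSet` with an exception that does not name the offending parameter. Consider `this.encryptionProtocols = Collections.unmodifiableSet( new LinkedHashSet<>( Objects.requireNonNull( encryptionProtocols, "encryptionProtocols" ) ) );` and the same shape for `encryptionCipherSuites`; this needs `java.util.LinkedHashSet` and `java.util.Objects` imports that the visible hunks do not show. The constructor body continues outside the hunk.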
...@@ -9,6 +9,8 @@ import org.slf4j.LoggerFactory; ...@@ -9,6 +9,8 @@ import org.slf4j.LoggerFactory;
import javax.net.ssl.*; import javax.net.ssl.*;
import java.security.*; import java.security.*;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set; import java.util.Set;
/** /**
...@@ -109,49 +111,19 @@ public class EncryptionArtifactFactory ...@@ -109,49 +111,19 @@ public class EncryptionArtifactFactory
final SSLEngine sslEngine = sslContext.createSSLEngine(); final SSLEngine sslEngine = sslContext.createSSLEngine();
// Configure protocol support. // Configure protocol support.
final Set<String> protocolsEnabled = configuration.getEncryptionProtocolsEnabled(); final Set<String> protocols = configuration.getEncryptionProtocols();
if ( !protocolsEnabled.isEmpty() ) if ( !protocols.isEmpty() )
{ {
// When an explicit list of enabled protocols is defined, use only those. // When an explicit list of enabled protocols is defined, use only those (otherwise, an implementation-specific default will be used).
sslEngine.setEnabledProtocols( protocolsEnabled.toArray( new String[ protocolsEnabled.size() ] ) ); sslEngine.setEnabledProtocols( protocols.toArray( new String[ protocols.size() ] ) );
}
else
{
// Otherwise, use all supported protocols (except for the ones that are explicitly disabled).
final Set<String> disabled = configuration.getEncryptionProtocolsDisabled();
final ArrayList<String> supported = new ArrayList<>();
for ( final String candidate : sslEngine.getSupportedProtocols() )
{
if ( !disabled.contains( candidate ) )
{
supported.add( candidate );
}
}
sslEngine.setEnabledProtocols( supported.toArray( new String[ supported.size()] ) );
} }
// Configure cipher suite support. // Configure cipher suite support.
final Set<String> cipherSuitesEnabled = configuration.getCipherSuitesEnabled(); final Set<String> cipherSuites = configuration.getEncryptionCipherSuites();
if ( !cipherSuitesEnabled.isEmpty() ) if ( !cipherSuites.isEmpty() )
{
// When an explicit list of enabled protocols is defined, use only those.
sslEngine.setEnabledCipherSuites( cipherSuitesEnabled.toArray( new String[ cipherSuitesEnabled.size() ] ) );
}
else
{
// Otherwise, use all supported cipher suites (except for the ones that are explicitly disabled).
final Set<String> disabled = configuration.getCipherSuitesDisabled();
final ArrayList<String> supported = new ArrayList<>();
for ( final String candidate : sslEngine.getSupportedCipherSuites() )
{ {
if ( !disabled.contains( candidate ) ) // When an explicit list of enabled protocols is defined, use only those (otherwise, an implementation-specific default will be used)..
{ sslEngine.setEnabledCipherSuites( cipherSuites.toArray( new String[ cipherSuites.size() ] ) );
supported.add( candidate );
}
}
sslEngine.setEnabledCipherSuites( supported.toArray( new String[ supported.size() ] ) );
} }
return sslEngine; return sslEngine;
...@@ -221,20 +193,20 @@ public class EncryptionArtifactFactory ...@@ -221,20 +193,20 @@ public class EncryptionArtifactFactory
sslContextFactory.setKeyStorePassword( new String( configuration.getIdentityStore().getConfiguration().getPassword() ) ); sslContextFactory.setKeyStorePassword( new String( configuration.getIdentityStore().getConfiguration().getPassword() ) );
// Configure protocol support // Configure protocol support
if ( configuration.getEncryptionProtocolsEnabled() != null && !configuration.getEncryptionProtocolsEnabled().isEmpty() ) final Set<String> protocols = configuration.getEncryptionProtocols();
if ( !protocols.isEmpty() )
{ {
sslContextFactory.setIncludeProtocols( configuration.getEncryptionProtocolsEnabled().toArray( new String[ configuration.getEncryptionProtocolsEnabled().size() ] ) ); sslContextFactory.setIncludeProtocols( protocols.toArray( new String[ protocols.size() ] ) );
} }
sslContextFactory.setExcludeProtocols( configuration.getEncryptionProtocolsDisabled().toArray( new String[ configuration.getEncryptionProtocolsDisabled().size() ] ) );
// Configure cipher suite support. // Configure cipher suite support.
if ( configuration.getCipherSuitesEnabled() != null && !configuration.getCipherSuitesEnabled().isEmpty() ) final Set<String> cipherSuites = configuration.getEncryptionCipherSuites();
if ( !cipherSuites.isEmpty() )
{ {
sslContextFactory.setIncludeCipherSuites( configuration.getCipherSuitesEnabled().toArray( new String[ configuration.getCipherSuitesEnabled().size() ] ) ); sslContextFactory.setIncludeCipherSuites( cipherSuites.toArray( new String[ cipherSuites.size() ] ) );
} }
sslContextFactory.setExcludeCipherSuites( configuration.getCipherSuitesDisabled().toArray( new String[ configuration.getCipherSuitesDisabled().size() ] ) );
//Set policy for checking client certificates // Set policy for checking client certificates.
switch ( configuration.getClientAuth() ) switch ( configuration.getClientAuth() )
{ {
case disabled: case disabled:
...@@ -325,4 +297,57 @@ public class EncryptionArtifactFactory ...@@ -325,4 +297,57 @@ public class EncryptionArtifactFactory
} }
return filter; return filter;
} }
/**
* Returns the names of all encryption protocols that are supported (but not necessarily enabled).
*
* @return An array of protocol names. Not expected to be empty.
*/
public static List<String> getSupportedProtocols() throws NoSuchAlgorithmException, KeyManagementException
{
// TODO Might want to cache the result. It's unlikely to change at runtime.
final SSLContext context = SSLContext.getInstance( "TLSv1" );
context.init( null, null, null );
return Arrays.asList( context.createSSLEngine().getSupportedProtocols() );
}
/**
* Returns the names of all encryption protocols that are enabled by default.
*
* @return An array of protocol names. Not expected to be empty.
*/
public static List<String> getDefaultProtocols() throws NoSuchAlgorithmException, KeyManagementException
{
// TODO Might want to cache the result. It's unlikely to change at runtime.
final SSLContext context = SSLContext.getInstance( "TLSv1" );
context.init( null, null, null );
return Arrays.asList( context.createSSLEngine().getEnabledProtocols() );
}
/**
* Returns the names of all encryption cipher suites that are supported (but not necessarily enabled).
*
* @return An array of cipher suite names. Not expected to be empty.
*/
public static List<String> getSupportedCipherSuites() throws NoSuchAlgorithmException, KeyManagementException
{
// TODO Might want to cache the result. It's unlikely to change at runtime.
final SSLContext context = SSLContext.getInstance( "TLSv1" );
context.init( null, null, null );
return Arrays.asList( context.createSSLEngine().getSupportedCipherSuites() );
}
/**
* Returns the names of all encryption cipher suites that are enabled by default.
*
* @return An array of cipher suite names. Not expected to be empty.
*/
public static List<String> getDefaultCipherSuites() throws NoSuchAlgorithmException, KeyManagementException
{
// TODO Might want to cache the result. It's unlikely to change at runtime.
final SSLContext context = SSLContext.getInstance( "TLSv1" );
context.init( null, null, null );
return Arrays.asList( context.createSSLEngine().getEnabledCipherSuites() );
}
} }
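Review bot: `getDefaultProtocols()` and `getDefaultCipherSuites()` derive their "defaults" from `SSLContext.getInstance( "TLSv1" )`, but in the JSSE reference implementation the algorithm name influences which protocols a context enables by default, and a TLSv1-named context is not guaranteed to enable the same set as the context used elsewhere in this class, so the values reported to an administrator as defaults may not match what is negotiated when the configured `protocols` set is empty. All four helpers also repeat the same three lines of context setup; a single private factory removes the duplication and gives one place to pick the algorithm (ideally the one the production `sslContext` is built with, which is outside this hunk). The Javadoc `@return An array of protocol names` on each helper disagrees with the `List<String>` return type and should read `@return A list of protocol names`. Separately and hedged: the Jetty path at lines 359-370 no longer calls `setExcludeProtocols`/`setExcludeCipherSuites`, and if I recall correctly Jetty's SslContextFactory applies its own default exclude lists with precedence over includes, so that engine may silently drop entries the SSLEngine path enables — worth a comment there.
```java
    // Build the probe engine from the same algorithm the production engines use, so that
    // "supported" and "default" reflect what is actually negotiated.
    private static SSLEngine createProbeEngine() throws NoSuchAlgorithmException, KeyManagementException
    {
        final SSLContext context = SSLContext.getInstance( "TLS" ); // TODO align with the algorithm used for sslContext
        context.init( null, null, null );
        return context.createSSLEngine();
    }

    public static List<String> getDefaultProtocols() throws NoSuchAlgorithmException, KeyManagementException
    {
        return Arrays.asList( createProbeEngine().getEnabledProtocols() );
    }
    // … unchanged: getSupportedProtocols, getSupportedCipherSuites and getDefaultCipherSuites delegate the same way …
```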
package org.jivesoftware.openfire.spi;
import org.junit.Assert;
import org.junit.Test;
import java.util.Collection;
/**
* Unit tests that verify the functionality of {@link EncryptionArtifactFactory}.
*
* @author Guus der Kinderen, guus.der.kinderen@gmail.com
*/
public class EncryptionArtifactFactoryTest
{
/**
* Verifies that the collection of supported encryption protocols is not empty.
*/
@Test
public void testHasSupportedProtocols() throws Exception
{
// Setup fixture.
// (not needed)
// Execute system under test.
final Collection<String> result = EncryptionArtifactFactory.getSupportedProtocols();
// Verify results.
Assert.assertFalse( result.isEmpty() );
}
/**
* Verifies that the collection of default encryption protocols is not empty.
*/
@Test
public void testHasDefaultProtocols() throws Exception
{
// Setup fixture.
// (not needed)
// Execute system under test.
final Collection<String> result = EncryptionArtifactFactory.getDefaultProtocols();
// Verify results.
Assert.assertFalse( result.isEmpty() );
}
/**
* Verifies that the collection of supported cipher suites is not empty.
*/
@Test
public void testHasSupportedCipherSuites() throws Exception
{
// Setup fixture.
// (not needed)
// Execute system under test.
final Collection<String> result = EncryptionArtifactFactory.getSupportedCipherSuites();
// Verify results.
Assert.assertFalse( result.isEmpty() );
}
/**
* Verifies that the collection of default cipher suites is not empty.
*/
@Test
public void testHasDefaultCipherSuites() throws Exception
{
// Setup fixture.
// (not needed)
// Execute system under test.
final Collection<String> result = EncryptionArtifactFactory.getDefaultCipherSuites();
// Verify results.
Assert.assertFalse( result.isEmpty() );
}
}
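Review bot: Each test only asserts non-emptiness, which holds on any JVM and does not exercise the relationship these helpers exist to expose; `Assert.assertTrue( EncryptionArtifactFactory.getSupportedProtocols().containsAll( EncryptionArtifactFactory.getDefaultProtocols() ) );` (and the cipher-suite counterpart) would pin that the defaults are a subset of what is supported. The repeated `// Setup fixture.` / `// (not needed)` pairs add nothing to four one-line tests and can be dropped.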