Commit 8f094c44 authored by daryl herzmann's avatar daryl herzmann

Merge pull request #144 from sco0ter/of861

Disable SSLv3 for socket connections to avoid POODLE vulnerability.
parents 3a9f3c42 1cd3c3ba
...@@ -38,6 +38,8 @@ import org.xmlpull.v1.XmlPullParserException; ...@@ -38,6 +38,8 @@ import org.xmlpull.v1.XmlPullParserException;
import org.xmlpull.v1.XmlPullParserFactory; import org.xmlpull.v1.XmlPullParserFactory;
import org.xmpp.packet.StreamError; import org.xmpp.packet.StreamError;
import javax.net.ssl.SSLHandshakeException;
/** /**
* A ConnectionHandler is responsible for creating new sessions, destroying sessions and delivering * A ConnectionHandler is responsible for creating new sessions, destroying sessions and delivering
* received XML stanzas to the proper StanzaHandler. * received XML stanzas to the proper StanzaHandler.
...@@ -146,6 +148,9 @@ public abstract class ConnectionHandler extends IoHandlerAdapter { ...@@ -146,6 +148,9 @@ public abstract class ConnectionHandler extends IoHandlerAdapter {
if (cause instanceof IOException) { if (cause instanceof IOException) {
// TODO Verify if there were packets pending to be sent and decide what to do with them // TODO Verify if there were packets pending to be sent and decide what to do with them
Log.info("ConnectionHandler reports IOException for session: " + session, cause); Log.info("ConnectionHandler reports IOException for session: " + session, cause);
if (cause instanceof SSLHandshakeException) {
session.close(true);
}
} }
else if (cause instanceof ProtocolDecoderException) { else if (cause instanceof ProtocolDecoderException) {
Log.warn("Closing session due to exception: " + session, cause); Log.warn("Closing session due to exception: " + session, cause);
...@@ -157,7 +162,7 @@ public abstract class ConnectionHandler extends IoHandlerAdapter { ...@@ -157,7 +162,7 @@ public abstract class ConnectionHandler extends IoHandlerAdapter {
} else { } else {
error = new StreamError(StreamError.Condition.internal_server_error); error = new StreamError(StreamError.Condition.internal_server_error);
} }
final Connection connection = (Connection) session.getAttribute(CONNECTION); final Connection connection = (Connection) session.getAttribute(CONNECTION);
connection.deliverRawText(error.toXML()); connection.deliverRawText(error.toXML());
session.close(true); session.close(true);
......
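Review bot: The added `if (cause instanceof SSLHandshakeException)` block is the only IOException case that closes the session, but nothing says why that subtype is special, which the next maintainer will need before touching this branch. Add a why-comment above it, e.g. `// A failed TLS handshake leaves the connection unusable; close it now rather than waiting for the peer (presumably the SSL filter does not close it on its own — confirm).` Note also that the `Log.info(...)` on the line above still logs the full stack trace for every handshake failure, and peers that only offer SSLv3 now fail exactly this way, so a shorter message at that level for the handshake case may be preferable. The enclosing method starts and ends outside the hunk.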
...@@ -367,6 +367,8 @@ public class NIOConnection implements Connection { ...@@ -367,6 +367,8 @@ public class NIOConnection implements Connection {
SslFilter filter = new SslFilter(tlsContext); SslFilter filter = new SslFilter(tlsContext);
filter.setUseClientMode(clientMode); filter.setUseClientMode(clientMode);
// Disable SSLv3 due to POODLE vulnerability.
filter.setEnabledProtocols(new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"});
if (authentication == ClientAuth.needed) { if (authentication == ClientAuth.needed) {
filter.setNeedClientAuth(true); filter.setNeedClientAuth(true);
} }
......
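Review bot: The array passed to `filter.setEnabledProtocols(...)` is a hard-coded allowlist, so the accepted TLS versions can only change with a rebuild: an operator cannot later drop TLSv1 or TLSv1.1, and a newer version the JVM supports would stay disabled. Consider reading the list from a server property (name to be chosen) with this array as the default, and make the comment describe the mechanism rather than only the motivation: `// Allowlist of TLS protocol versions; anything not listed (notably SSLv3, see POODLE) is disabled.` The enclosing method starts and ends outside the hunk.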