OF-946: Merge SSLConfig.Type with Purpose

src/java/org/jivesoftware/openfire/XMPPServer.java

@@ -376,7 +376,7 @@ public class XMPPServer {
             // Update certificates (if required)
             try {
                 // Check if keystore already has certificates for current domain
-                final IdentityStoreConfig storeConfig = (IdentityStoreConfig) SSLConfig.getInstance().getStoreConfig( Purpose.SOCKETBASED_IDENTITYSTORE );
+                final IdentityStoreConfig storeConfig = SSLConfig.getInstance().getIdentityStoreConfig( Purpose.SOCKET_C2S );
                 storeConfig.ensureDomainCertificates( "DSA", "RSA" );
             } catch (Exception e) {
                 logger.error("Error generating self-signed certificates", e);
@@ -1207,7 +1207,7 @@ public class XMPPServer {
      * @return the <code>AuditManager</code> registered with this server.
      */
     public AuditManager getAuditManager() {
-        return (AuditManager) modules.get(AuditManager.class.getName());
+        return (AuditManager) modules.get(AuditManagerImpl.class.getName());
     }
 
     /**

src/java/org/jivesoftware/openfire/clearspace/SSLProtocolSocketFactory.java

@@ -63,14 +63,14 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
 
     private SSLContext createSSLContext(String host) {
         try {
-            final SSLContext context = SSLConfig.getSSLContext( SSLConfig.Type.ADMIN );
+            final SSLContext context = SSLConfig.getSSLContext( Purpose.ADMIN );
             context.init(
                     null,
                     new TrustManager[] {
                             new ClearspaceX509TrustManager(
                                     host,
                                     manager.getProperties(),
-                                    SSLConfig.getStore( Purpose.ADMINISTRATIVE_TRUSTSTORE ) )
+                                    SSLConfig.getTrustStore( Purpose.ADMIN ) )
                     },
                     null);
             return context;

src/java/org/jivesoftware/openfire/container/AdminConsolePlugin.java

@@ -50,6 +50,7 @@ import org.jivesoftware.openfire.XMPPServer;
 import org.jivesoftware.openfire.keystore.IdentityStoreConfig;
 import org.jivesoftware.openfire.keystore.Purpose;
 import org.jivesoftware.openfire.keystore.CertificateStoreConfig;
+import org.jivesoftware.openfire.keystore.TrustStoreConfig;
 import org.jivesoftware.openfire.net.SSLConfig;
 import org.jivesoftware.util.CertificateEventListener;
 import org.jivesoftware.util.CertificateManager;
@@ -140,14 +141,14 @@ public class AdminConsolePlugin implements Plugin {
         // Create a connector for https traffic if it's enabled.
         sslEnabled = false;
         try {
-            final IdentityStoreConfig identityStoreConfig = (IdentityStoreConfig) SSLConfig.getInstance().getStoreConfig( Purpose.WEBADMIN_IDENTITYSTORE );
+            final IdentityStoreConfig identityStoreConfig = SSLConfig.getInstance().getIdentityStoreConfig( Purpose.WEBADMIN );
             if (adminSecurePort > 0 && identityStoreConfig.getStore().aliases().hasMoreElements() )
             {
                 if ( !identityStoreConfig.containsDomainCertificate( "RSA" )) {
                     Log.warn("Admin console: Using RSA certificates but they are not valid for the hosted domain");
                 }
 
-                final CertificateStoreConfig trustStoreConfig = SSLConfig.getInstance().getStoreConfig( Purpose.WEBADMIN_TRUSTSTORE );
+                final TrustStoreConfig trustStoreConfig = SSLConfig.getInstance().getTrustStoreConfig( Purpose.WEBADMIN );
 
                 final SslContextFactory sslContextFactory = new SslContextFactory();
                 sslContextFactory.setTrustStorePath( trustStoreConfig.getCanonicalPath() );
@@ -343,13 +344,6 @@ public class AdminConsolePlugin implements Plugin {
             context = new WebAppContext(contexts, pluginDir.getAbsoluteFile() + File.separator + "webapp",
                     "/");
         }
-
-        // Ensure the JSP engine is initialized correctly (in order to be able to cope with Tomcat/Jasper precompiled JSPs).
-        final List<ContainerInitializer> initializers = new ArrayList<>();
-        initializers.add(new ContainerInitializer(new JettyJasperInitializer(), null));
-        context.setAttribute("org.eclipse.jetty.containerInitializers", initializers);
-        context.setAttribute(InstanceManager.class.getName(), new SimpleInstanceManager());
-
         context.setWelcomeFiles(new String[]{"index.jsp"});
     }
 

src/java/org/jivesoftware/openfire/http/HttpBindManager.java

@@ -23,7 +23,10 @@ package org.jivesoftware.openfire.http;
 import java.io.File;
 import java.security.KeyStore;
 import java.security.cert.X509Certificate;
-import java.util.*;
+import java.util.EnumSet;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
 
 import javax.servlet.DispatcherType;
 import javax.servlet.Filter;
@@ -247,7 +250,7 @@ public final class HttpBindManager {
     private void createSSLConnector(int securePort, int bindThreads) {
         httpsConnector = null;
         try {
-            final IdentityStoreConfig identityStoreConfig = (IdentityStoreConfig) SSLConfig.getInstance().getStoreConfig( Purpose.BOSHBASED_IDENTITYSTORE );
+            final IdentityStoreConfig identityStoreConfig = SSLConfig.getInstance().getIdentityStoreConfig( Purpose.BOSH_C2S );
             final KeyStore keyStore = identityStoreConfig.getStore();
 
             if (securePort > 0 && identityStoreConfig.getStore().aliases().hasMoreElements() ) {
@@ -256,7 +259,7 @@ public final class HttpBindManager {
                             "the hosted domain");
                 }
 
-                final CertificateStoreConfig trustStoreConfig = SSLConfig.getInstance().getStoreConfig( Purpose.BOSHBASED_C2S_TRUSTSTORE );
+                final TrustStoreConfig trustStoreConfig = SSLConfig.getInstance().getTrustStoreConfig( Purpose.BOSH_C2S );
 
                 final SslContextFactory sslContextFactory = new SslContextFactory();
                 sslContextFactory.setTrustStorePath( trustStoreConfig.getCanonicalPath() );
@@ -570,13 +573,11 @@ public final class HttpBindManager {
     private void createBoshHandler(ContextHandlerCollection contexts, String boshPath)
     {
         ServletContextHandler context = new ServletContextHandler(contexts, boshPath, ServletContextHandler.SESSIONS);
-
         // Ensure the JSP engine is initialized correctly (in order to be able to cope with Tomcat/Jasper precompiled JSPs).
         final List<ContainerInitializer> initializers = new ArrayList<>();
         initializers.add(new ContainerInitializer(new JettyJasperInitializer(), null));
         context.setAttribute("org.eclipse.jetty.containerInitializers", initializers);
         context.setAttribute(InstanceManager.class.getName(), new SimpleInstanceManager());
-
         context.addServlet(new ServletHolder(new HttpBindServlet()),"/*");
         if (isHttpCompressionEnabled()) {
 	        Filter gzipFilter = new AsyncGzipFilter() {
@@ -601,13 +602,11 @@ public final class HttpBindManager {
 	private void createCrossDomainHandler(ContextHandlerCollection contexts, String crossPath)
     {
         ServletContextHandler context = new ServletContextHandler(contexts, crossPath, ServletContextHandler.SESSIONS);
-
         // Ensure the JSP engine is initialized correctly (in order to be able to cope with Tomcat/Jasper precompiled JSPs).
         final List<ContainerInitializer> initializers = new ArrayList<>();
         initializers.add(new ContainerInitializer(new JettyJasperInitializer(), null));
         context.setAttribute("org.eclipse.jetty.containerInitializers", initializers);
         context.setAttribute(InstanceManager.class.getName(), new SimpleInstanceManager());
-
         context.addServlet(new ServletHolder(new FlashCrossDomainServlet()),"");
     }
 

src/java/org/jivesoftware/openfire/keystore/CertificateStoreConfig.java

@@ -54,7 +54,7 @@ public abstract class CertificateStoreConfig
     {
         try
         {
-            this.canonicalPath = SSLConfig.canonicalize( path );
+            this.canonicalPath = Purpose.canonicalize( path );
             final File file = new File( canonicalPath );
 
             if ( createIfAbsent && !file.exists() )

src/java/org/jivesoftware/openfire/keystore/Purpose.java

 package org.jivesoftware.openfire.keystore;
 
+import org.jivesoftware.util.JiveGlobals;
+
+import java.io.File;
+import java.io.IOException;
+
 /**
- * Potential intended usages for keystores
+ * Potential intended usages (for TLS connectivity).
  *
  * @author Guus der Kinderen, guus.der.kinderen@gmail.com
  */
 public enum Purpose
 {
     /**
-     * Identification of this Openfire instance used by regular socket-based connections.
+     * Socket-based server-to-server (XMPP federation) connectivity.
      */
-    SOCKETBASED_IDENTITYSTORE( false ),
+    SOCKET_S2S( "xmpp.socket.ssl.", null ),
 
     /**
-     * Identification of remote servers that you choose to trust, applies to server-to-server federation via regular socket-based connections.
+     * Socket-based client connectivity.
      */
-    SOCKETBASED_S2S_TRUSTSTORE( true ),
+    SOCKET_C2S( "xmpp.socket.ssl.client.", null ),
 
     /**
-     * Identification of clients that you choose to trust, applies to mutual authentication via regular socket-based connections.
+     * BOSH (HTTP-bind) based client connectivity.
      */
-    SOCKETBASED_C2S_TRUSTSTORE( true ),
+    BOSH_C2S( "xmpp.bosh.ssl.client.", SOCKET_C2S),
 
     /**
-     * Identification of this Openfire instance used by regular BOSH (HTTP-bind) connections.
+     * Generic administrative services (eg: user providers).
      */
-    BOSHBASED_IDENTITYSTORE( false ),
+    ADMIN( "admin.ssl.", SOCKET_S2S),
 
     /**
-     * Identification of clients that you choose to trust, applies to mutual authentication via BOSH (HTTP-bind) connections.
+     * Openfire web-admin console.
      */
-    BOSHBASED_C2S_TRUSTSTORE( true ),
+    WEBADMIN( "admin.web.ssl.", ADMIN);
 
-    /**
-     * Identification of this Openfire instance used by connections to administrative services (eg: user providers).
-     */
-    ADMINISTRATIVE_IDENTITYSTORE( false ),
+    String prefix;
+    Purpose fallback;
+    Purpose( String prefix, Purpose fallback) {
+        this.prefix = prefix;
+        this.fallback = fallback;
+    }
 
-    /**
-     * Identification of remote applications/servers that provide administrative functionality (eg: user providers).
-     */
-    ADMINISTRATIVE_TRUSTSTORE( true ),
+    public String getPrefix()
+    {
+        return prefix;
+    }
 
-    /**
-     * Openfire web-admin console.
-     */
-    WEBADMIN_IDENTITYSTORE( false ),
+    public Purpose getFallback()
+    {
+        return fallback;
+    }
 
-    /**
-     * Openfire web-admin console.
-     */
-    WEBADMIN_TRUSTSTORE( true );
+    public String getIdentityStoreType()
+    {
+        final String propertyName = prefix + "storeType";
+        final String defaultValue = "jks";
+
+        if ( fallback == null )
+        {
+            return JiveGlobals.getProperty( propertyName, defaultValue ).trim();
+        }
+        else
+        {
+            return JiveGlobals.getProperty( propertyName, fallback.getIdentityStoreType() ).trim();
+        }
+    }
+
+    public String getTrustStoreType()
+    {
+        return getIdentityStoreType();
+    }
+
+    public String getIdentityStorePassword()
+    {
+        final String propertyName = prefix + "keypass";
+        final String defaultValue = "changeit";
+
+        if ( fallback == null )
+        {
+            return JiveGlobals.getProperty( propertyName, defaultValue ).trim();
+        }
+        else
+        {
+            return JiveGlobals.getProperty( propertyName, fallback.getIdentityStorePassword() ).trim();
+        }
+    }
+
+    public String getTrustStorePassword()
+    {
+        final String propertyName = prefix + "trustpass";
+        final String defaultValue = "changeit";
+
+        if ( fallback == null )
+        {
+            return JiveGlobals.getProperty( propertyName, defaultValue ).trim();
+        }
+        else
+        {
+            return JiveGlobals.getProperty( propertyName, fallback.getTrustStorePassword() ).trim();
+        }
+    }
+
+    public boolean acceptSelfSigned()
+    {
+        // TODO these are new properties! Deprecate (migrate?) all existing 'accept-selfsigned properties' (Eg: org.jivesoftware.openfire.session.ConnectionSettings.Server.TLS_ACCEPT_SELFSIGNED_CERTS )
+        final String propertyName = prefix + "certificate.accept-selfsigned";
+        final boolean defaultValue = false;
+
+        if ( fallback == null )
+        {
+            return JiveGlobals.getBooleanProperty( propertyName, defaultValue );
+        }
+        else
+        {
+            return JiveGlobals.getBooleanProperty( propertyName, fallback.acceptSelfSigned() );
+        }
+    }
 
-    private final boolean isTrustStore;
+    public boolean verifyValidity()
+    {
+        // TODO these are new properties! Deprecate (migrate?) all existing 'verify / verify-validity properties' (Eg: org.jivesoftware.openfire.session.ConnectionSettings.Server.TLS_CERTIFICATE_VERIFY_VALIDITY )
+        final String propertyName = prefix + "certificate.verify.validity";
+        final boolean defaultValue = true;
 
-    Purpose( boolean isTrustStore )
+        if ( fallback == null )
+        {
+            return JiveGlobals.getBooleanProperty( propertyName, defaultValue );
+        }
+        else
         {
-        this.isTrustStore = isTrustStore;
+            return JiveGlobals.getBooleanProperty( propertyName, fallback.acceptSelfSigned() );
+        }
     }
 
-    public boolean isIdentityStore()
+    public String getIdentityStoreLocation() throws IOException
     {
-        return !isTrustStore;
+        return canonicalize( getIdentityStoreLocation() );
     }
 
-    public boolean isTrustStore()
+    public String getIdentityStoreLocationNonCanonicalized()
     {
-        return isTrustStore;
+        final String propertyName = prefix + "keystore";
+        final String defaultValue = "resources" + File.separator + "security" + File.separator + "keystore";
+
+        if ( fallback == null )
+        {
+            return JiveGlobals.getProperty( propertyName, defaultValue ).trim();
         }
+        else
+        {
+            return JiveGlobals.getProperty( propertyName, fallback.getIdentityStoreLocationNonCanonicalized() ).trim();
+        }
+    }
+
+    public String getTrustStoreLocation() throws IOException
+    {
+        return canonicalize( getTrustStoreLocation() );
+    }
+
+    public String getTrustStoreLocationNonCanonicalized()
+    {
+        final String propertyName = prefix + "truststore";
+        final String defaultValue = "resources" + File.separator + "security" + File.separator + "truststore";
+
+        if ( fallback == null )
+        {
+            return JiveGlobals.getProperty( propertyName, defaultValue ).trim();
+        }
+        else
+        {
+            return JiveGlobals.getProperty( propertyName, fallback.getTrustStoreLocationNonCanonicalized() ).trim();
+        }
+    }
+
+    public static String canonicalize( String path ) throws IOException
+    {
+        File file = new File( path );
+        if (!file.isAbsolute()) {
+            file = new File( JiveGlobals.getHomeDirectory() + File.separator + path );
+        }
+
+        return file.getCanonicalPath();
+    }
+
 }

src/java/org/jivesoftware/openfire/net/SASLAuthentication.java

@@ -20,6 +20,7 @@
 
 package org.jivesoftware.openfire.net;
 
+import java.io.UnsupportedEncodingException;
 import java.net.UnknownHostException;
 import java.nio.charset.StandardCharsets;
 import java.security.KeyStore;
@@ -87,6 +88,7 @@ public class SASLAuthentication {
     // plus an extra regex alternative to catch a single equals sign ('=', see RFC 6120 6.4.2)
     private static final Pattern BASE64_ENCODED = Pattern.compile("^(=|([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==))$");
 
+
     private static final String SASL_NAMESPACE = "xmlns=\"urn:ietf:params:xml:ns:xmpp-sasl\"";
 
     private static Map<String, ElementType> typeMap = new TreeMap<>();
@@ -193,8 +195,8 @@ public class SASLAuthentication {
             // Server connections don't follow the same rules as clients
             if (session.isSecure()) {
                 LocalIncomingServerSession svr = (LocalIncomingServerSession)session;
-                final KeyStore keyStore   = SSLConfig.getStore( Purpose.SOCKETBASED_IDENTITYSTORE );
-                final KeyStore trustStore = SSLConfig.getStore( Purpose.SOCKETBASED_S2S_TRUSTSTORE );
+                final KeyStore keyStore   = SSLConfig.getIdentityStore( Purpose.SOCKET_S2S );
+                final KeyStore trustStore = SSLConfig.getTrustStore( Purpose.SOCKET_S2S );
                 final X509Certificate trusted = CertificateManager.getEndEntityCertificate( svr.getConnection().getPeerCertificates(), keyStore, trustStore );
 
                 boolean haveTrustedCertificate = trusted != null;
@@ -572,8 +574,8 @@ public class SASLAuthentication {
                 return Status.failed; 
             }
 
-            final KeyStore keyStore   = SSLConfig.getStore( Purpose.SOCKETBASED_IDENTITYSTORE );
-            final KeyStore trustStore = SSLConfig.getStore( Purpose.SOCKETBASED_C2S_TRUSTSTORE );
+            final KeyStore keyStore   = SSLConfig.getIdentityStore( Purpose.SOCKET_C2S );
+            final KeyStore trustStore = SSLConfig.getTrustStore( Purpose.SOCKET_C2S );
             final X509Certificate trusted = CertificateManager.getEndEntityCertificate( connection.getPeerCertificates(), keyStore, trustStore );
 
             if (trusted == null) {
@@ -653,8 +655,9 @@ public class SASLAuthentication {
     }
 
     public static boolean verifyCertificates(Certificate[] chain, String hostname, boolean isS2S) {
-        final KeyStore keyStore   = SSLConfig.getStore( Purpose.SOCKETBASED_IDENTITYSTORE );
-        final KeyStore trustStore = SSLConfig.getStore( isS2S ? Purpose.SOCKETBASED_S2S_TRUSTSTORE : Purpose.SOCKETBASED_C2S_TRUSTSTORE );
+        final Purpose purpose = isS2S ? Purpose.SOCKET_S2S : Purpose.SOCKET_C2S;
+        final KeyStore keyStore   = SSLConfig.getIdentityStore( purpose );
+        final KeyStore trustStore = SSLConfig.getTrustStore( purpose );
         final X509Certificate trusted = CertificateManager.getEndEntityCertificate( chain, keyStore, trustStore );
         if (trusted != null) {
             return verifyCertificate(trusted, hostname);

src/java/org/jivesoftware/openfire/net/TLSWrapper.java

@@ -31,6 +31,7 @@ import javax.net.ssl.SSLEngineResult.HandshakeStatus;
 import javax.net.ssl.SSLEngineResult.Status;
 
 import org.jivesoftware.openfire.Connection;
+import org.jivesoftware.openfire.keystore.Purpose;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -77,12 +78,12 @@ public class TLSWrapper {
             final SSLEngine sslEngine;
             if ( clientMode )
             {
-                sslEngine = SSLConfig.getClientModeSSLEngine( SSLConfig.Type.SOCKET_S2S );
+                sslEngine = SSLConfig.getClientModeSSLEngine( Purpose.SOCKET_S2S );
             }
             else
             {
-                final SSLConfig.Type type = isPeerClient ? SSLConfig.Type.SOCKET_C2S : SSLConfig.Type.SOCKET_S2S;
-                sslEngine = SSLConfig.getServerModeSSLEngine( type, clientAuth );
+                final Purpose purpose = isPeerClient ? Purpose.SOCKET_C2S : Purpose.SOCKET_S2S;
+                sslEngine = SSLConfig.getServerModeSSLEngine( purpose, clientAuth );
             }
 
             final SSLSession sslSession = sslEngine.getSession();

src/java/org/jivesoftware/openfire/nio/NIOConnection.java

@@ -28,19 +28,13 @@ import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 import java.net.UnknownHostException;
-
+import java.nio.charset.Charset;
 import java.nio.charset.CharsetEncoder;
 import java.nio.charset.CodingErrorAction;
-import java.nio.charset.StandardCharsets;
-import java.security.KeyStore;
 import java.security.cert.Certificate;
-import java.util.concurrent.atomic.AtomicReference;
 import java.util.concurrent.locks.ReentrantLock;
 
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLPeerUnverifiedException;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.TrustManager;
+import javax.net.ssl.*;
 
 import org.apache.mina.core.buffer.IoBuffer;
 import org.apache.mina.core.filterchain.IoFilterChain;
@@ -52,26 +46,20 @@ import org.jivesoftware.openfire.Connection;
 import org.jivesoftware.openfire.ConnectionCloseListener;
 import org.jivesoftware.openfire.PacketDeliverer;
 import org.jivesoftware.openfire.auth.UnauthorizedException;
-import org.jivesoftware.openfire.keystore.IdentityStoreConfig;
-import org.jivesoftware.openfire.keystore.Purpose;
-import org.jivesoftware.openfire.keystore.TrustStoreConfig;
+import org.jivesoftware.openfire.keystore.*;
 import org.jivesoftware.openfire.net.*;
-import org.jivesoftware.openfire.session.ConnectionSettings;
 import org.jivesoftware.openfire.session.LocalSession;
 import org.jivesoftware.openfire.session.Session;
-import org.jivesoftware.util.JiveGlobals;
 import org.jivesoftware.util.XMLWriter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.xmpp.packet.Packet;
 
 /**
- * Implementation of {@link Connection} inteface specific for NIO connections when using
- * the MINA framework.<p>
- *
- * MINA project can be found at <a href="http://mina.apache.org">here</a>.
+ * Implementation of {@link Connection} interface specific for NIO connections when using the Apache MINA framework.
  *
  * @author Gaston Dombiak
+ * @see <a href="http://mina.apache.org">Apache MINA</a>
  */
 public class NIOConnection implements Connection {
 
@@ -378,65 +366,28 @@ public class NIOConnection implements Connection {
     @Deprecated
 	@Override
     public void startTLS(boolean clientMode, String remoteServer, ClientAuth authentication) throws Exception {
-        final boolean isClientToServer = ( remoteServer == null );
-        startTLS( clientMode, isClientToServer, authentication );
+        final boolean isPeerClient = ( remoteServer == null );
+        startTLS( clientMode, isPeerClient, authentication );
     }
 
-    public void startTLS(boolean clientMode, boolean isClientToServer, ClientAuth authentication) throws Exception {
-        Log.debug( "StartTLS: using {}", isClientToServer ? "c2s" : "s2s" );
+    public void startTLS(boolean clientMode, boolean isPeerClient, ClientAuth authentication) throws Exception {
 
-        final SSLConfig sslConfig = SSLConfig.getInstance();
-        final TrustStoreConfig storeConfig;
-        if (isClientToServer) {
-            storeConfig = (TrustStoreConfig) sslConfig.getStoreConfig( Purpose.SOCKETBASED_C2S_TRUSTSTORE );
-        } else {
-            storeConfig = (TrustStoreConfig) sslConfig.getStoreConfig( Purpose.SOCKETBASED_S2S_TRUSTSTORE );
+        final SslFilter filter;
+        if ( clientMode ) {
+            filter = SSLConfig.getClientModeSslFilter( Purpose.SOCKET_S2S );
         }
-
-        final TrustManager[] tm;
-        if (clientMode || authentication == ClientAuth.needed || authentication == ClientAuth.wanted) {
-            // We might need to verify a certificate from our peer, so get different TrustManager[]'s
-            final KeyStore ksTrust = storeConfig.getStore();
-            if(isClientToServer) {
-                // Check if we can trust certificates presented by the client
-                tm = new TrustManager[]{new ClientTrustManager(ksTrust)};
-            } else {
-                // Check if we can trust certificates presented by the server
-                tm = new TrustManager[]{new ServerTrustManager(ksTrust)};
+        else
+        {
+            final Purpose purpose = isPeerClient ? Purpose.SOCKET_C2S : Purpose.SOCKET_S2S;
+            filter = SSLConfig.getServerModeSslFilter( purpose, authentication );
         }
-        } else {
-            tm = storeConfig.getTrustManagers();
-        }
-
-        final SSLContext tlsContext = SSLConfig.getSSLContext();
 
-        final IdentityStoreConfig identityStoreConfig = (IdentityStoreConfig) sslConfig.getStoreConfig( Purpose.SOCKETBASED_IDENTITYSTORE );
-        tlsContext.init( identityStoreConfig.getKeyManagers(), tm, null);
-
-        SslFilter filter = new SslFilter(tlsContext);
-        filter.setUseClientMode(clientMode);
-        // Disable SSLv3 due to POODLE vulnerability.
-        if (clientMode) {
-            filter.setEnabledProtocols(new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"});
-        } else {
-            // ... but accept a SSLv2 Hello when in server mode.
-            filter.setEnabledProtocols(new String[]{"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});
-        }
-        if (authentication == ClientAuth.needed) {
-            filter.setNeedClientAuth(true);
-        }
-        else if (authentication == ClientAuth.wanted) {
-            // Just indicate that we would like to authenticate the client but if client
-            // certificates are self-signed or have no certificate chain then we are still
-            // good
-            filter.setWantClientAuth(true);
-        }
         ioSession.getFilterChain().addBefore(EXECUTOR_FILTER_NAME, TLS_FILTER_NAME, filter);
         ioSession.setAttribute(SslFilter.DISABLE_ENCRYPTION_ONCE, Boolean.TRUE);
 
-        if (!clientMode) {
+        if ( !clientMode ) {
             // Indicate the client that the server is ready to negotiate TLS
-            deliverRawText("<proceed xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\"/>");
+            deliverRawText( "<proceed xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\"/>" );
         }
     }
 

src/java/org/jivesoftware/openfire/session/LocalClientSession.java

@@ -256,7 +256,7 @@ public class LocalClientSession extends LocalSession implements ClientSession {
         if (!connection.isSecure()) {
             boolean hasCertificates = false;
             try {
-                hasCertificates = SSLConfig.getStore( Purpose.SOCKETBASED_IDENTITYSTORE ).size() > 0;
+                hasCertificates = SSLConfig.getIdentityStore( Purpose.SOCKET_C2S ).size() > 0;
             }
             catch (Exception e) {
                 Log.error(e.getMessage(), e);

src/java/org/jivesoftware/openfire/session/LocalIncomingServerSession.java

@@ -153,7 +153,7 @@ public class LocalIncomingServerSession extends LocalServerSession implements In
 	                            Connection.TLSPolicy.required;
 	            boolean hasCertificates = false;
 	            try {
-	                hasCertificates = SSLConfig.getStore( Purpose.SOCKETBASED_IDENTITYSTORE ).size() > 0;
+	                hasCertificates = SSLConfig.getIdentityStore( Purpose.SOCKET_S2S ).size() > 0;
 	            }
 	            catch (Exception e) {
 	                Log.error(e.getMessage(), e);
@@ -285,7 +285,6 @@ public class LocalIncomingServerSession extends LocalServerSession implements In
      *
      * @return domains, subdomains and virtual hosts that where validated.
      */
-    @Override
     public Collection<String> getValidatedDomains() {
         return Collections.unmodifiableCollection(validatedDomains);
     }
@@ -375,7 +374,7 @@ public class LocalIncomingServerSession extends LocalServerSession implements In
         	usingSelfSigned = true;
         } else {
         	try {
-                final KeyStore keyStore = SSLConfig.getStore( Purpose.SOCKETBASED_IDENTITYSTORE );
+                final KeyStore keyStore = SSLConfig.getIdentityStore( Purpose.SOCKET_S2S );
 				usingSelfSigned = CertificateManager.isSelfSignedCertificate(keyStore, (X509Certificate) chain[0]);
 			} catch (KeyStoreException ex) {
 				Log.warn("Exception occurred while trying to determine whether local certificate is self-signed. Proceeding as if it is.", ex);

src/java/org/jivesoftware/openfire/spi/ConnectionManagerImpl.java

@@ -56,14 +56,7 @@ import org.apache.mina.integration.jmx.IoServiceMBean;
 import org.apache.mina.integration.jmx.IoSessionMBean;
 import org.apache.mina.transport.socket.SocketSessionConfig;
 import org.apache.mina.transport.socket.nio.NioSocketAcceptor;
-import org.jivesoftware.openfire.ConnectionManager;
-import org.jivesoftware.openfire.JMXManager;
-import org.jivesoftware.openfire.PacketDeliverer;
-import org.jivesoftware.openfire.PacketRouter;
-import org.jivesoftware.openfire.RoutingTable;
-import org.jivesoftware.openfire.ServerPort;
-import org.jivesoftware.openfire.SessionManager;
-import org.jivesoftware.openfire.XMPPServer;
+import org.jivesoftware.openfire.*;
 import org.jivesoftware.openfire.container.BasicModule;
 import org.jivesoftware.openfire.container.PluginManager;
 import org.jivesoftware.openfire.container.PluginManagerListener;
@@ -451,6 +444,7 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
 		        Log.debug("Throttling read buffer for connections from sslSocketAcceptor={} to max={} bytes",
 		                  sslSocketAcceptor, maxBufferSize);
 
+
                 // Add the SSL filter now since sockets are "borned" encrypted in the old ssl method
                 Connection.ClientAuth clientAuth;
                 try {
@@ -459,9 +453,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
                     clientAuth = Connection.ClientAuth.disabled;
                 }
 
-                final SslFilter sslFilter = SSLConfig.getServerModeSslFilter( SSLConfig.Type.SOCKET_C2S, clientAuth );
+                final SslFilter sslFilter = SSLConfig.getServerModeSslFilter( Purpose.SOCKET_C2S, clientAuth );
                 sslSocketAcceptor.getFilterChain().addAfter(EXECUTOR_FILTER_NAME, TLS_FILTER_NAME, sslFilter);
-
             }
             catch (Exception e) {
                 System.err.println("Error starting SSL XMPP listener on port " + port + ": " +
@@ -615,7 +608,7 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
     @Override
     public boolean isClientSSLListenerEnabled() {
         try {
-            return JiveGlobals.getBooleanProperty(ConnectionSettings.Client.ENABLE_OLD_SSLPORT, false) && SSLConfig.getStore( Purpose.SOCKETBASED_IDENTITYSTORE ).size() > 0;
+            return JiveGlobals.getBooleanProperty(ConnectionSettings.Client.ENABLE_OLD_SSLPORT, false) && SSLConfig.getIdentityStore( Purpose.SOCKET_C2S ).size() > 0;
         } catch (KeyStoreException e) {
             return false;
         }

src/web/import-keystore-certificate.jsp

@@ -31,11 +31,6 @@
         storePurpose = null;
     }
 
-    if (! storePurpose.isIdentityStore() ) {
-        errors.put( "storePurpose", "shoud be an identity store (not a trust store)");
-        storePurpose = null;
-    }
-
     pageContext.setAttribute( "storePurpose", storePurpose );
 
     if (save) {
@@ -47,7 +42,7 @@
         }
         if (errors.isEmpty()) {
             try {
-                final IdentityStoreConfig identityStoreConfig = (IdentityStoreConfig) SSLConfig.getInstance().getStoreConfig( storePurpose );
+                final IdentityStoreConfig identityStoreConfig = SSLConfig.getInstance().getIdentityStoreConfig( storePurpose );
 
                 // Create an alias for the signed certificate
                 String domain = XMPPServer.getInstance().getServerInfo().getXMPPDomain();
@@ -62,7 +57,7 @@
                 identityStoreConfig.installCertificate( alias, privateKey, passPhrase, certificate );
 
                 // Log the event
-                webManager.logEvent("imported SSL certificate in "+ storePurposeText, "alias = "+alias);
+                webManager.logEvent("imported SSL certificate in identity store "+ storePurposeText, "alias = "+alias);
 
                 response.sendRedirect("security-keystore.jsp?storePurpose="+storePurposeText);
                 return;
@@ -77,8 +72,8 @@
 
 <html>
   <head>
-      <title><fmt:message key="ssl.import.certificate.keystore.${connectivityType}.title"/></title>
-      <meta name="pageID" content="security-keystore-${connectivityType}"/>
+      <title><fmt:message key="ssl.import.certificate.keystore.${storePurpose}.title"/></title>
+      <meta name="pageID" content="security-keystore-${storePurpose}"/>
   </head>
   <body>
 
@@ -120,7 +115,7 @@
 
   <!-- BEGIN 'Import Private Key and Certificate' -->
   <form action="import-keystore-certificate.jsp" method="post" name="f">
-      <input type="hidden" name="connectivityType" value="${connectivityType}"/>
+      <input type="hidden" name="storePurpose" value="${storePurpose}"/>
       <div class="jive-contentBoxHeader">
           <fmt:message key="ssl.import.certificate.keystore.boxtitle" />
       </div>

src/web/import-truststore-certificate.jsp

@@ -29,16 +29,11 @@
         storePurpose = null;
     }
 
-    if (! storePurpose.isTrustStore() ) {
-        errors.put( "storePurpose", "shoud be a trust store (not an identity store)");
-        storePurpose = null;
-    }
-
     pageContext.setAttribute( "storePurpose", storePurpose );
 
     if (save && errors.isEmpty())
     {
-        final TrustStoreConfig trustStoreConfig = (TrustStoreConfig) SSLConfig.getInstance().getStoreConfig( storePurpose );
+        final TrustStoreConfig trustStoreConfig = SSLConfig.getInstance().getTrustStoreConfig( storePurpose );
 
         if (alias == null || "".equals(alias))
         {
@@ -62,7 +57,7 @@
                 trustStoreConfig.installCertificate( alias, certificate );
 
                 // Log the event
-                webManager.logEvent("imported SSL certificate in "+ storePurposeText, "alias = "+alias);
+                webManager.logEvent("imported SSL certificate in trust store "+ storePurposeText, "alias = "+alias);
 
                 response.sendRedirect( "security-truststore.jsp?storePurpose=" + storePurposeText + "&importsuccess=true" );
                 return;
@@ -79,9 +74,9 @@
 <html>
 <head>
     <title>
-        <fmt:message key="ssl.import.certificate.keystore.${connectivityType}.title"/> - <fmt:message key="ssl.certificates.truststore.${param.type}-title"/>
+        <fmt:message key="ssl.import.certificate.keystore.${storePurpose}.title"/> - <fmt:message key="ssl.certificates.truststore.${param.type}-title"/>
     </title>
-    <meta name="pageID" content="security-truststore-${connectivityType}-${param.type}"/>
+    <meta name="pageID" content="security-truststore-${storePurpose}-${param.type}"/>
 </head>
 <body>
 
@@ -129,7 +124,7 @@
 
     <!-- BEGIN 'Import Certificate' -->
     <form action="import-truststore-certificate.jsp?type=${param.type}" method="post" name="f">
-        <input type="hidden" name="connectivityType" value="${connectivityType}"/>
+        <input type="hidden" name="connectivityType" value="${storePurpose}"/>
         <div class="jive-contentBoxHeader">
             <fmt:message key="ssl.import.certificate.keystore.boxtitle"/>
         </div>

src/web/index.jsp

@@ -253,7 +253,7 @@
                     <fmt:message key="index.server_name" />
                 </td>
                 <td class="c2">
-                    <% final IdentityStoreConfig storeConfig = (IdentityStoreConfig) SSLConfig.getInstance().getStoreConfig( Purpose.SOCKETBASED_IDENTITYSTORE ); %>
+                    <% final IdentityStoreConfig storeConfig = SSLConfig.getInstance().getIdentityStoreConfig( Purpose.SOCKET_C2S ); %>
                     <% try { %>
                     <% if (!storeConfig.containsDomainCertificate( "RSA" )) {%>
                     <img src="images/warning-16x16.gif" width="16" height="16" border="0" alt="<fmt:message key="index.certificate-warning" />" title="<fmt:message key="index.certificate-warning" />">&nbsp;

src/web/security-certificate-details.jsp

@@ -9,6 +9,7 @@
 <%@ page import="java.security.AlgorithmParameters" %>
 <%@ page import="org.jivesoftware.openfire.keystore.Purpose" %>
 <%@ page import="org.jivesoftware.openfire.keystore.CertificateStoreConfig" %>
+<%@ page import="java.security.KeyStore" %>
 
 <%@ taglib uri="admin" prefix="admin" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
@@ -21,6 +22,7 @@
 
     final String alias            = ParamUtils.getParameter( request, "alias" );
     final String storePurposeText = ParamUtils.getParameter( request, "storePurpose" );
+    final boolean isTrustStore    = ParamUtils.getBooleanParameter( request, "isTrustStore" );
 
     final Map<String, String> errors = new HashMap<String, String>();
 
@@ -42,10 +44,15 @@
     {
         try
         {
-            final CertificateStoreConfig certificateStoreConfig = SSLConfig.getInstance().getStoreConfig( storePurpose );
+            final KeyStore store;
+            if (isTrustStore) {
+                store = SSLConfig.getTrustStore( storePurpose );
+            } else {
+                store = SSLConfig.getIdentityStore( storePurpose );
+            }
 
             // Get the certificate
-            final X509Certificate certificate = (X509Certificate) certificateStoreConfig.getStore().getCertificate( alias );
+            final X509Certificate certificate = (X509Certificate) store.getCertificate( alias );
 
             if ( certificate == null ) {
                 errors.put( "alias", "alias" );
@@ -62,7 +69,7 @@
 
     // Handle a "go back" click:
     if ( request.getParameter( "back" ) != null ) {
-        if ( storePurpose.isTrustStore() ) {
+        if ( isTrustStore ) {
             response.sendRedirect( "security-truststore.jsp?storePurpose=" + storePurpose );
         } else {
             response.sendRedirect( "security-keystore.jsp?storePurpose=" + storePurpose );
@@ -77,11 +84,11 @@
 <head>
     <title><fmt:message key="ssl.certificate.details.title"/></title>
     <c:choose>
-        <c:when test="${storePurpose.identityStore}">
-            <meta name="pageID" content="security-keystore"/>
+        <c:when test="${isTrustStore}">
+            <meta name="pageID" content="security-truststore"/>
         </c:when>
         <c:otherwise>
-            <meta name="pageID" content="security-truststore"/>
+            <meta name="pageID" content="security-keystore"/>
         </c:otherwise>
     </c:choose>
 </head>

src/web/security-certificate-store-management.jsp

@@ -16,41 +16,12 @@
 
     // Read parameters
     final boolean save                       = request.getParameter("save") != null;
-    final String paramLocKeySocket           = ParamUtils.getParameter(request, "loc-key-socket");
-    final String paramLocTrustSocketS2S      = ParamUtils.getParameter(request, "loc-trust-socket-s2s");
-    final String paramLocTrustSocketC2S      = ParamUtils.getParameter(request, "loc-trust-socket-c2s");
-    final String paramLocKeyBosh             = ParamUtils.getParameter(request, "loc-key-bosh");
-    final String paramLocTrustBoshC2S        = ParamUtils.getParameter(request, "loc-trust-bosh-c2s");
-    final String paramLocKeyWebadmin         = ParamUtils.getParameter(request, "loc-key-webadmin");
-    final String paramLocTrustWebadmin       = ParamUtils.getParameter(request, "loc-trust-webadmin");
-    final String paramLocKeyAdministrative   = ParamUtils.getParameter( request, "loc-key-administrative" );
-    final String paramLocTrustAdministrative = ParamUtils.getParameter( request, "loc-trust-administrative" );
     // TODO actually save something!
 
     // Pre-update property values
-    final String locKeySocket           = SSLConfig.getNonCanonicalizedLocation( Purpose.SOCKETBASED_IDENTITYSTORE );
-    final String locTrustSocketS2S      = SSLConfig.getNonCanonicalizedLocation( Purpose.SOCKETBASED_S2S_TRUSTSTORE );
-    final String locTrustSocketC2S      = SSLConfig.getNonCanonicalizedLocation( Purpose.SOCKETBASED_C2S_TRUSTSTORE );
-    final String locKeyBosh             = SSLConfig.getNonCanonicalizedLocation( Purpose.BOSHBASED_IDENTITYSTORE );
-    final String locTrustBoshC2S        = SSLConfig.getNonCanonicalizedLocation( Purpose.BOSHBASED_C2S_TRUSTSTORE );
-    final String locKeyWebadmin         = SSLConfig.getNonCanonicalizedLocation( Purpose.WEBADMIN_IDENTITYSTORE );
-    final String locTrustWebadmin       = SSLConfig.getNonCanonicalizedLocation( Purpose.WEBADMIN_TRUSTSTORE );
-    final String locKeyAdministrative   = SSLConfig.getNonCanonicalizedLocation( Purpose.ADMINISTRATIVE_IDENTITYSTORE );
-    final String locTrustAdministrative = SSLConfig.getNonCanonicalizedLocation( Purpose.ADMINISTRATIVE_TRUSTSTORE );
-
     final Map<String, String> errors = new HashMap<>();
 
     pageContext.setAttribute( "errors", errors );
-
-    pageContext.setAttribute( "locKeySocket", locKeySocket );
-    pageContext.setAttribute( "locTrustSocketS2S",locTrustSocketS2S );
-    pageContext.setAttribute( "locTrustSocketC2S", locTrustSocketC2S );
-    pageContext.setAttribute( "locKeyBosh", locKeyBosh );
-    pageContext.setAttribute( "locTrustBoshC2S", locTrustBoshC2S );
-    pageContext.setAttribute( "locKeyWebadmin", locKeyWebadmin );
-    pageContext.setAttribute( "locTrustWebadmin", locTrustWebadmin );
-    pageContext.setAttribute( "locKeyAdministrative", locKeyAdministrative );
-    pageContext.setAttribute( "locTrustAdministrative", locTrustAdministrative );
 %>
 
 <html>

src/web/security-keystore.jsp

@@ -36,20 +36,12 @@
     try
     {
         storePurpose = Purpose.valueOf( storePurposeText );
-
-        if ( !storePurpose.isIdentityStore() )
-        {
-            errors.put( "storePurpose", "should be an identity store (not a trust store)");
-        }
-        else
-        {
-            storeConfig = (IdentityStoreConfig) SSLConfig.getInstance().getStoreConfig( storePurpose );
+        storeConfig =  SSLConfig.getInstance().getIdentityStoreConfig( storePurpose );
         if ( storeConfig == null )
         {
             errors.put( "storeConfig", "Unable to get an instance." );
         }
     }
-    }
     catch (RuntimeException ex)
     {
         errors.put( "storePurpose", ex.getMessage() );
@@ -60,7 +52,7 @@
         pageContext.setAttribute( "storePurpose", storePurpose );
         pageContext.setAttribute( "storeConfig", storeConfig );
 
-        final Set<Purpose> sameStorePurposes = SSLConfig.getInstance().getOtherPurposesForSameStore( storePurpose );
+        final Set<Purpose> sameStorePurposes = Collections.EMPTY_SET; // TODO FIXME: SSLConfig.getInstance().getOtherPurposesForSameStore( storePurpose );
         pageContext.setAttribute( "sameStorePurposes", sameStorePurposes );
 
         final Map<String, X509Certificate> certificates = storeConfig.getAllCertificates();

src/web/security-truststore.jsp

@@ -7,6 +7,7 @@
 <%@ page import="org.jivesoftware.openfire.keystore.Purpose" %>
 <%@ page import="org.jivesoftware.openfire.keystore.TrustStoreConfig" %>
 <%@ page import="java.util.Set" %>
+<%@ page import="java.util.Collections" %>
 <%@ taglib uri="admin" prefix="admin" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
@@ -28,20 +29,12 @@
     try
     {
         storePurpose = Purpose.valueOf( storePurposeText );
-
-        if ( !storePurpose.isTrustStore() )
-        {
-            errors.put( "storePurpose", "should be a trust store (not an identity store)");
-        }
-        else
-        {
-            storeConfig = (TrustStoreConfig) SSLConfig.getInstance().getStoreConfig( storePurpose );
+        storeConfig = SSLConfig.getInstance().getTrustStoreConfig( storePurpose );
         if ( storeConfig == null )
         {
             errors.put( "storeConfig", "Unable to get an instance." );
         }
     }
-    }
     catch (RuntimeException ex)
     {
         errors.put( "storePurpose", ex.getMessage() );
@@ -52,7 +45,7 @@
         pageContext.setAttribute( "storePurpose", storePurpose );
         pageContext.setAttribute( "storeConfig", storeConfig );
 
-        final Set<Purpose> sameStorePurposes = SSLConfig.getInstance().getOtherPurposesForSameStore( storePurpose );
+        final Set<Purpose> sameStorePurposes = Collections.EMPTY_SET; // TODO FIXME: SSLConfig.getInstance().getOtherPurposesForSameStore( storePurpose );
         pageContext.setAttribute( "sameStorePurposes", sameStorePurposes );
 
         if ( delete )

src/web/ssl-signing-request.jsp

@@ -38,10 +38,6 @@
         storePurpose = null;
     }
 
-    if (! storePurpose.isIdentityStore() ) {
-        errors.put( "storePurpose", "shoud be an identity store (not a trust store)");
-        storePurpose = null;
-    }
     pageContext.setAttribute( "storePurpose", storePurpose );
 
 //    if (save) {