Commit a0ce00e5 authored by Guus der Kinderen's avatar Guus der Kinderen

Allow configuration of 'allow self-signed' and 'verify validity' in admin console.

parent 2ea7e588
......@@ -151,7 +151,7 @@ public class ConnectionListener
return;
}
JiveGlobals.setProperty( isEnabledPropertyName, Boolean.toString( enable ) );
JiveGlobals.setProperty( isEnabledPropertyName, Boolean.toString( enable ) );
restart();
}
......@@ -856,7 +856,6 @@ public class ConnectionListener
*
* @return true when self-signed certificates are accepted, otherwise false.
*/
// TODO add setter!
public boolean acceptSelfSignedCertificates()
{
// TODO these are new properties! Deprecate (migrate?) all existing 'accept-selfsigned properties' (Eg: org.jivesoftware.openfire.session.ConnectionSettings.Server.TLS_ACCEPT_SELFSIGNED_CERTS )
......@@ -873,13 +872,34 @@ public class ConnectionListener
}
}
/**
* Configuresif self-signed peer certificates can be used to establish an encrypted connection.
*
* @param accept true when self-signed certificates are accepted, otherwise false.
*/
public void setAcceptSelfSignedCertificates( boolean accept )
{
final boolean oldValue = verifyCertificateValidity();
// Always set the property explicitly even if it appears the equal to the old value (the old value might be a fallback value).
JiveGlobals.setProperty( type.getPrefix() + "certificate.accept-selfsigned", Boolean.toString( accept ) );
if ( oldValue == accept )
{
Log.debug( "Ignoring self-signed certificate acceptance policy change request (to '{}'): listener already in this state.", accept );
return;
}
Log.debug( "Changing self-signed certificate acceptance policy from '{}' to '{}'.", oldValue, accept );
restart();
}
/**
* A boolean that indicates if the current validity of certificates (based on their 'notBefore' and 'notAfter'
* property values) is used when they are used to establish an encrypted connection..
*
* @return true when certificates are required to be valid to establish a secured connection, otherwise false.
*/
// TODO add setter!
public boolean verifyCertificateValidity()
{
// TODO these are new properties! Deprecate (migrate?) all existing 'verify / verify-validity properties' (Eg: org.jivesoftware.openfire.session.ConnectionSettings.Server.TLS_CERTIFICATE_VERIFY_VALIDITY )
......@@ -896,6 +916,29 @@ public class ConnectionListener
}
}
/**
* Configures if the current validity of certificates (based on their 'notBefore' and 'notAfter' property values) is
* used when they are used to establish an encrypted connection..
*
* @param verify true when certificates are required to be valid to establish a secured connection, otherwise false.
*/
public void setVerifyCertificateValidity( boolean verify )
{
final boolean oldValue = verifyCertificateValidity();
// Always set the property explicitly even if it appears the equal to the old value (the old value might be a fallback value).
JiveGlobals.setProperty( type.getPrefix() + "certificate.verify.validity", Boolean.toString( verify ) );
if ( oldValue == verify )
{
Log.debug( "Ignoring certificate validity verification configuration change request (to '{}'): listener already in this state.", verify );
return;
}
Log.debug( "Changing certificate validity verification configuration from '{}' to '{}'.", oldValue, verify );
restart();
}
/**
* A collection of protocol names that can be used for encryption of connections.
*
......
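Review bot: `setAcceptSelfSignedCertificates` takes its previous state from the wrong getter — `final boolean oldValue = verifyCertificateValidity();` should be `final boolean oldValue = acceptSelfSignedCertificates();`, as the sibling `setVerifyCertificateValidity` below does for its own flag. With the current line, whenever the validity-verification flag happens to equal the requested self-signed value the early return skips `restart()`, so the `certificate.accept-selfsigned` property is persisted but the running listener is presumably left with its old trust policy until something else restarts it, and the "Changing ... from" debug line reports the wrong old value; this matters most when an admin is *disabling* self-signed acceptance and believes the tightening took effect. Minor nit in the same Javadoc: `Configuresif` should read `Configures if`.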
......@@ -29,7 +29,7 @@
if ( update && errors.isEmpty() )
{
// plaintext
final boolean plaintextEnabled = ParamUtils.getBooleanParameter( request, "plaintext-enabled" );
final boolean plaintextEnabled = ParamUtils.getBooleanParameter( request, "plaintext-enabled", plaintextConfiguration.isEnabled() );
final int plaintextTcpPort = ParamUtils.getIntParameter( request, "plaintext-tcpPort", plaintextConfiguration.getPort() );
final int plaintextReadBuffer = ParamUtils.getIntParameter( request, "plaintext-readBuffer", plaintextConfiguration.getMaxBufferSize() );
final String plaintextTlsPolicyText = ParamUtils.getParameter( request, "plaintext-tlspolicy", true );
......@@ -47,9 +47,11 @@
plaintextMutualAuthentication = Connection.ClientAuth.valueOf( plaintextMutualAuthenticationText );
}
final int plaintextListenerMaxThreads = ParamUtils.getIntParameter( request, "plaintext-maxThreads", plaintextConfiguration.getMaxThreadPoolSize() );
final boolean plaintextAcceptSelfSignedCertificates = ParamUtils.getBooleanParameter( request, "plaintext-accept-self-signed-certificates", plaintextConfiguration.isAcceptSelfSignedCertificates() );
final boolean plaintextVerifyCertificateValidity = ParamUtils.getBooleanParameter( request, "plaintext-verify-certificate-validity", plaintextConfiguration.isVerifyCertificateValidity() );
// legacymode
final boolean legacymodeEnabled = ParamUtils.getBooleanParameter( request, "legacymode-enabled" );
final boolean legacymodeEnabled = ParamUtils.getBooleanParameter( request, "legacymode-enabled", legacymodeConfiguration.isEnabled() );
final int legacymodeTcpPort = ParamUtils.getIntParameter( request, "legacymode-tcpPort", legacymodeConfiguration.getPort() );
final int legacymodeReadBuffer = ParamUtils.getIntParameter( request, "legacymode-readBuffer", legacymodeConfiguration.getMaxBufferSize() );
final String legacymodeMutualAuthenticationText = ParamUtils.getParameter( request, "legacymode-mutualauthentication", true );
......@@ -60,6 +62,8 @@
legacymodeMutualAuthentication = Connection.ClientAuth.valueOf( legacymodeMutualAuthenticationText );
}
final int legacymodeListenerMaxThreads = ParamUtils.getIntParameter( request, "legacymode-maxThreads", legacymodeConfiguration.getMaxThreadPoolSize() );
final boolean legacymodeAcceptSelfSignedCertificates = ParamUtils.getBooleanParameter( request, "legacymode-accept-self-signed-certificates", legacymodeConfiguration.isAcceptSelfSignedCertificates() );
final boolean legacymodeVerifyCertificateValidity = ParamUtils.getBooleanParameter( request, "legacymode-verify-certificate-validity", legacymodeConfiguration.isVerifyCertificateValidity() );
// Apply
final ConnectionListener plaintextListener = manager.getListener( connectionType, false );
......@@ -71,12 +75,16 @@
plaintextListener.setTLSPolicy( plaintextTlsPolicy );
plaintextListener.setClientAuth( plaintextMutualAuthentication );
// TODO: plaintextListener.setMaxThreadPoolSize( plaintextListenerMaxThreads);
plaintextListener.setAcceptSelfSignedCertificates( plaintextAcceptSelfSignedCertificates );
plaintextListener.setVerifyCertificateValidity( plaintextVerifyCertificateValidity );
legacymodeListener.enable( legacymodeEnabled );
legacymodeListener.setPort( legacymodeTcpPort );
// TODO: legacymodeListener.setMaxBufferSize( legacymodeReadBuffer );
legacymodeListener.setClientAuth( legacymodeMutualAuthentication );
// TODO: legacymodeListener.setMaxThreadPoolSize( legacymodeListenerMaxThreads);
legacymodeListener.setAcceptSelfSignedCertificates( legacymodeAcceptSelfSignedCertificates );
legacymodeListener.setVerifyCertificateValidity( legacymodeVerifyCertificateValidity );
// Log the event
webManager.logEvent( "Updated connection settings for " + connectionType, "Applied configuration to plain-text as well as legacy-mode connection listeners." );
......@@ -239,6 +247,23 @@
<br/>
<h4>Certificate chain checking</h4>
<p>These options configure some aspects of the verification/validation of the certificates that are presented by peers while setting up encrypted connections.</p>
<table cellpadding="3" cellspacing="0" border="0">
<tr valign="middle">
<td>
<input type="checkbox" name="plaintext-accept-self-signed-certificates" id="plaintext-accept-self-signed-certificates" ${plaintextConfiguration.acceptSelfSignedCertificates ? 'checked' : ''}/><label for="plaintext-accept-self-signed-certificates">Allow peer certificates to be self-signed.</label>
</td>
</tr>
<tr valign="middle">
<td>
<input type="checkbox" name="plaintext-verify-certificate-validity" id="plaintext-verify-certificate-validity" ${plaintextConfiguration.verifyCertificateValidity ? 'checked' : ''}/><label for="plaintext-verify-certificate-validity">Verify that the certificate is currently valid (based on the 'notBefore' and 'notAfter' values of the certificate).</label>
</td>
</tr>
</table>
<br/>
<h4>Miscellaneous settings</h4>
<table cellpadding="3" cellspacing="0" border="0">
<tr valign="middle">
......@@ -257,7 +282,7 @@
<table cellpadding="3" cellspacing="0" border="0">
<tr valign="middle">
<td><input type="checkbox" name="tlegacymode-enabled" id="legacymode-enabled" onclick="applyDisplayable('legacymode')" ${legacymodeConfiguration.enabled ? 'checked' : ''}/><label for="legacymode-enabled">Enabled</label></td>
<td><input type="checkbox" name="legacymode-enabled" id="legacymode-enabled" onclick="applyDisplayable('legacymode')" ${legacymodeConfiguration.enabled ? 'checked' : ''}/><label for="legacymode-enabled">Enabled</label></td>
</tr>
</table>
......@@ -304,6 +329,23 @@
<br/>
<h4>Certificate chain checking</h4>
<p>These options configure some aspects of the verification/validation of the certificates that are presented by peers while setting up encrypted connections.</p>
<table cellpadding="3" cellspacing="0" border="0">
<tr valign="middle">
<td>
<input type="checkbox" name="legacymode-accept-self-signed-certificates" id="legacymode-accept-self-signed-certificates" ${legacymodeConfiguration.acceptSelfSignedCertificates ? 'checked' : ''}/><label for="legacymode-accept-self-signed-certificates">Allow peer certificates to be self-signed.</label>
</td>
</tr>
<tr valign="middle">
<td>
<input type="checkbox" name="legacymode-verify-certificate-validity" id="legacymode-verify-certificate-validity" ${legacymodeConfiguration.verifyCertificateValidity ? 'checked' : ''}/><label for="legacymode-verify-certificate-validity">Verify that the certificate is currently valid (based on the 'notBefore' and 'notAfter' values of the certificate).</label>
</td>
</tr>
</table>
<br/>
<h4>Miscellaneous settings</h4>
<table cellpadding="3" cellspacing="0" border="0">
<tr valign="middle">
......
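Review bot: The new checkbox parameters (`plaintext-accept-self-signed-certificates`, `plaintext-verify-certificate-validity` and their `legacymode-` counterparts) are read with the three-argument `ParamUtils.getBooleanParameter( request, name, currentValue )`, but a browser omits an unchecked checkbox from the request entirely, so — assuming that overload returns the default for an absent parameter, which should be confirmed against its implementation — the box can never be cleared: once "Allow peer certificates to be self-signed" is on, unticking it and saving leaves the listener accepting self-signed certificates. The markup added here has no hidden companion field that would submit an explicit `false`, and the `-enabled` boxes this commit switched to the defaulting overload have the same stickiness. Since these reads sit inside `if ( update && errors.isEmpty() )`, i.e. the whole form was posted, an absent checkbox means unchecked and the two-argument overload is the right one: `final boolean plaintextAcceptSelfSignedCertificates = ParamUtils.getBooleanParameter( request, "plaintext-accept-self-signed-certificates" );` and likewise for the other three.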
......@@ -61,11 +61,14 @@
// final int plaintextListenerMaxThreads = ParamUtils.getIntParameter( request, "plaintext-maxThreads", plaintextConfiguration.getMaxThreadPoolSize() );
// legacymode
final boolean legacymodeEnabled = ParamUtils.getBooleanParameter( request, "legacymode-enabled" );
final boolean legacymodeEnabled = ParamUtils.getBooleanParameter( request, "legacymode-enabled", legacymodeConfiguration.isEnabled() );
final int legacymodeTcpPort = ParamUtils.getIntParameter( request, "legacymode-tcpPort", legacymodeConfiguration.getPort() );
final int legacymodeReadBuffer = ParamUtils.getIntParameter( request, "legacymode-readBuffer", legacymodeConfiguration.getMaxBufferSize() );
final String legacymodeMutualAuthenticationText = ParamUtils.getParameter( request, "legacymode-mutualauthentication", true );
final Connection.ClientAuth legacymodeMutualAuthentication;
final boolean legacymodeAcceptSelfSignedCertificates = ParamUtils.getBooleanParameter( request, "legacymode-accept-self-signed-certificates", legacymodeConfiguration.isAcceptSelfSignedCertificates() );
final boolean legacymodeVerifyCertificateValidity = ParamUtils.getBooleanParameter( request, "legacymode-verify-certificate-validity", legacymodeConfiguration.isVerifyCertificateValidity() );
if ( legacymodeMutualAuthenticationText == null || legacymodeMutualAuthenticationText.isEmpty() )
{
legacymodeMutualAuthentication = legacymodeConfiguration.getClientAuth();
......@@ -92,6 +95,8 @@
// TODO: legacymodeListener.setMaxBufferSize( legacymodeReadBuffer );
legacymodeListener.setClientAuth( legacymodeMutualAuthentication );
// TODO: legacymodeListener.setMaxThreadPoolSize( legacymodeListenerMaxThreads);
legacymodeListener.setAcceptSelfSignedCertificates( legacymodeAcceptSelfSignedCertificates );
legacymodeListener.setVerifyCertificateValidity( legacymodeVerifyCertificateValidity );
// Log the event
webManager.logEvent( "Updated connection settings for " + connectionType, "Applied configuration to legacy-mode connection listener." );
......@@ -321,7 +326,7 @@
<table cellpadding="3" cellspacing="0" border="0">
<tr valign="middle">
<td><input type="checkbox" name="tlegacymode-enabled" id="legacymode-enabled" onclick="applyDisplayable('legacymode')" ${legacymodeConfiguration.enabled ? 'checked' : ''}/><label for="legacymode-enabled">Enabled</label></td>
<td><input type="checkbox" name="legacymode-enabled" id="legacymode-enabled" onclick="applyDisplayable('legacymode')" ${legacymodeConfiguration.enabled ? 'checked' : ''}/><label for="legacymode-enabled">Enabled</label></td>
</tr>
</table>
......@@ -343,6 +348,23 @@
<br/>
<h4>Certificate chain checking</h4>
<p>These options configure some aspects of the verification/validation of the certificates that are presented by peers while setting up encrypted connections.</p>
<table cellpadding="3" cellspacing="0" border="0">
<tr valign="middle">
<td>
<input type="checkbox" name="legacymode-accept-self-signed-certificates" id="legacymode-accept-self-signed-certificates" ${legacymodeConfiguration.acceptSelfSignedCertificates ? 'checked' : ''}/><label for="legacymode-accept-self-signed-certificates">Allow peer certificates to be self-signed.</label>
</td>
</tr>
<tr valign="middle">
<td>
<input type="checkbox" name="legacymode-verify-certificate-validity" id="legacymode-verify-certificate-validity" ${legacymodeConfiguration.verifyCertificateValidity ? 'checked' : ''}/><label for="legacymode-verify-certificate-validity">Verify that the certificate is currently valid (based on the 'notBefore' and 'notAfter' values of the certificate).</label>
</td>
</tr>
</table>
<br/>
<h4>Miscellaneous settings</h4>
<table cellpadding="3" cellspacing="0" border="0">
<tr valign="middle">
......
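Review bot: `legacymode-accept-self-signed-certificates` and `legacymode-verify-certificate-validity` are read with a default of the listener's current value, yet an unticked checkbox is simply absent from the submitted form, so if ParamUtils' three-argument overload falls back to the default for a missing parameter (worth confirming), the permissive self-signed setting cannot be switched off from this page once it has been enabled. Because this code runs only under `if ( update && errors.isEmpty() )`, a missing checkbox can safely be treated as unchecked: `final boolean legacymodeAcceptSelfSignedCertificates = ParamUtils.getBooleanParameter( request, "legacymode-accept-self-signed-certificates" );` (same for the validity flag and `legacymode-enabled`). Separately, the `webManager.logEvent(...)` call still records only that settings were applied; for a trust-policy change the audit entry should carry the resulting values, e.g. append `" accept-selfsigned=" + legacymodeAcceptSelfSignedCertificates + " verify-validity=" + legacymodeVerifyCertificateValidity` to the details string, so an operator can later see when self-signed acceptance was turned on.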