Allow configuration of 'allow self-signed' and 'verify validity' in admin console.

a0ce00e5 · Guus der Kinderen · 2ea7e588 · a0ce00e5 · a0ce00e5 · a0ce00e5
Commit a0ce00e5 authored Dec 01, 2015 by Guus der Kinderen
3 changed files
--- a/src/java/org/jivesoftware/openfire/spi/ConnectionListener.java
+++ b/src/java/org/jivesoftware/openfire/spi/ConnectionListener.java
@@ -151,7 +151,7 @@ public class ConnectionListener
            return;
        }
-        JiveGlobals.setProperty( isEnabledPropertyName, Boolean.toString( enable ) );
+            JiveGlobals.setProperty( isEnabledPropertyName, Boolean.toString( enable ) );
        restart();
    }
@@ -856,7 +856,6 @@ public class ConnectionListener
     *
     * @return true when self-signed certificates are accepted, otherwise false.
     */
-    // TODO add setter!
    public boolean acceptSelfSignedCertificates()
    {
        // TODO these are new properties! Deprecate (migrate?) all existing 'accept-selfsigned properties' (Eg: org.jivesoftware.openfire.session.ConnectionSettings.Server.TLS_ACCEPT_SELFSIGNED_CERTS )
@@ -873,13 +872,34 @@ public class ConnectionListener
        }
    }
+    /**
+     * Configuresif self-signed peer certificates can be used to establish an encrypted connection.
+     *
+     * @param accept true when self-signed certificates are accepted, otherwise false.
+     */
+    public void setAcceptSelfSignedCertificates( boolean accept )
+    {
+        final boolean oldValue = verifyCertificateValidity();
+        // Always set the property explicitly even if it appears the equal to the old value (the old value might be a fallback value).
+        JiveGlobals.setProperty( type.getPrefix() + "certificate.accept-selfsigned", Boolean.toString( accept ) );
+        if ( oldValue == accept )
+        {
+            Log.debug( "Ignoring self-signed certificate acceptance policy change request (to '{}'): listener already in this state.", accept );
+            return;
+        }
+        Log.debug( "Changing self-signed certificate acceptance policy from '{}' to '{}'.", oldValue, accept );
+        restart();
+    }
    /**
     * A boolean that indicates if the current validity of certificates (based on their 'notBefore' and 'notAfter'
     * property values) is used when they are used to establish an encrypted connection..
     *
     * @return true when certificates are required to be valid to establish a secured connection, otherwise false.
     */
-    // TODO add setter!
    public boolean verifyCertificateValidity()
    {
        // TODO these are new properties! Deprecate (migrate?) all existing 'verify / verify-validity properties' (Eg: org.jivesoftware.openfire.session.ConnectionSettings.Server.TLS_CERTIFICATE_VERIFY_VALIDITY )
@@ -896,6 +916,29 @@ public class ConnectionListener
        }
    }
+    /**
+     * Configures if the current validity of certificates (based on their 'notBefore' and 'notAfter' property values) is
+     * used when they are used to establish an encrypted connection..
+     *
+     * @param verify true when certificates are required to be valid to establish a secured connection, otherwise false.
+     */
+    public void setVerifyCertificateValidity( boolean verify )
+    {
+        final boolean oldValue = verifyCertificateValidity();
+        // Always set the property explicitly even if it appears the equal to the old value (the old value might be a fallback value).
+        JiveGlobals.setProperty( type.getPrefix() + "certificate.verify.validity", Boolean.toString( verify ) );
+        if ( oldValue == verify )
+        {
+            Log.debug( "Ignoring certificate validity verification configuration change request (to '{}'): listener already in this state.", verify );
+            return;
+        }
+        Log.debug( "Changing certificate validity verification configuration from '{}' to '{}'.", oldValue, verify );
+        restart();
+    }
    /**
     * A collection of protocol names that can be used for encryption of connections.
     *

--- a/src/web/connection-settings-socket-c2s.jsp
+++ b/src/web/connection-settings-socket-c2s.jsp
@@ -29,7 +29,7 @@
    if ( update && errors.isEmpty() )
    {
        // plaintext
-        final boolean plaintextEnabled      = ParamUtils.getBooleanParameter( request, "plaintext-enabled" );
+        final boolean plaintextEnabled      = ParamUtils.getBooleanParameter( request, "plaintext-enabled", plaintextConfiguration.isEnabled() );
        final int plaintextTcpPort          = ParamUtils.getIntParameter( request, "plaintext-tcpPort", plaintextConfiguration.getPort() );
        final int plaintextReadBuffer       = ParamUtils.getIntParameter( request, "plaintext-readBuffer", plaintextConfiguration.getMaxBufferSize() );
        final String plaintextTlsPolicyText = ParamUtils.getParameter( request, "plaintext-tlspolicy", true );
@@ -47,9 +47,11 @@
            plaintextMutualAuthentication = Connection.ClientAuth.valueOf( plaintextMutualAuthenticationText );
        }
        final int plaintextListenerMaxThreads = ParamUtils.getIntParameter( request, "plaintext-maxThreads", plaintextConfiguration.getMaxThreadPoolSize() );
+        final boolean plaintextAcceptSelfSignedCertificates = ParamUtils.getBooleanParameter( request, "plaintext-accept-self-signed-certificates", plaintextConfiguration.isAcceptSelfSignedCertificates() );
+        final boolean plaintextVerifyCertificateValidity = ParamUtils.getBooleanParameter( request, "plaintext-verify-certificate-validity", plaintextConfiguration.isVerifyCertificateValidity() );
        // legacymode
-        final boolean legacymodeEnabled      = ParamUtils.getBooleanParameter( request, "legacymode-enabled" );
+        final boolean legacymodeEnabled      = ParamUtils.getBooleanParameter( request, "legacymode-enabled", legacymodeConfiguration.isEnabled() );
        final int legacymodeTcpPort          = ParamUtils.getIntParameter( request, "legacymode-tcpPort", legacymodeConfiguration.getPort() );
        final int legacymodeReadBuffer       = ParamUtils.getIntParameter( request, "legacymode-readBuffer", legacymodeConfiguration.getMaxBufferSize() );
        final String legacymodeMutualAuthenticationText = ParamUtils.getParameter( request, "legacymode-mutualauthentication", true );
@@ -60,6 +62,8 @@
            legacymodeMutualAuthentication = Connection.ClientAuth.valueOf( legacymodeMutualAuthenticationText );
        }
        final int legacymodeListenerMaxThreads = ParamUtils.getIntParameter( request, "legacymode-maxThreads", legacymodeConfiguration.getMaxThreadPoolSize() );
+        final boolean legacymodeAcceptSelfSignedCertificates = ParamUtils.getBooleanParameter( request, "legacymode-accept-self-signed-certificates", legacymodeConfiguration.isAcceptSelfSignedCertificates() );
+        final boolean legacymodeVerifyCertificateValidity = ParamUtils.getBooleanParameter( request, "legacymode-verify-certificate-validity", legacymodeConfiguration.isVerifyCertificateValidity() );
        // Apply
        final ConnectionListener plaintextListener  = manager.getListener( connectionType, false );
@@ -71,12 +75,16 @@
        plaintextListener.setTLSPolicy( plaintextTlsPolicy );
        plaintextListener.setClientAuth( plaintextMutualAuthentication );
        // TODO: plaintextListener.setMaxThreadPoolSize( plaintextListenerMaxThreads);
+        plaintextListener.setAcceptSelfSignedCertificates( plaintextAcceptSelfSignedCertificates );
+        plaintextListener.setVerifyCertificateValidity( plaintextVerifyCertificateValidity );
        legacymodeListener.enable( legacymodeEnabled );
        legacymodeListener.setPort( legacymodeTcpPort );
        // TODO: legacymodeListener.setMaxBufferSize( legacymodeReadBuffer );
        legacymodeListener.setClientAuth( legacymodeMutualAuthentication );
        // TODO:  legacymodeListener.setMaxThreadPoolSize( legacymodeListenerMaxThreads);
+        legacymodeListener.setAcceptSelfSignedCertificates( legacymodeAcceptSelfSignedCertificates );
+        legacymodeListener.setVerifyCertificateValidity( legacymodeVerifyCertificateValidity );
        // Log the event
        webManager.logEvent( "Updated connection settings for " + connectionType, "Applied configuration to plain-text as well as legacy-mode connection listeners." );
@@ -239,6 +247,23 @@
            <br/>
+            <h4>Certificate chain checking</h4>
+            <p>These options configure some aspects of the verification/validation of the certificates that are presented by peers while setting up encrypted connections.</p>
+            <table cellpadding="3" cellspacing="0" border="0">
+                <tr valign="middle">
+                    <td>
+                        <input type="checkbox" name="plaintext-accept-self-signed-certificates" id="plaintext-accept-self-signed-certificates" ${plaintextConfiguration.acceptSelfSignedCertificates ? 'checked' : ''}/><label for="plaintext-accept-self-signed-certificates">Allow peer certificates to be self-signed.</label>
+                    </td>
+                </tr>
+                <tr valign="middle">
+                    <td>
+                        <input type="checkbox" name="plaintext-verify-certificate-validity" id="plaintext-verify-certificate-validity" ${plaintextConfiguration.verifyCertificateValidity ? 'checked' : ''}/><label for="plaintext-verify-certificate-validity">Verify that the certificate is currently valid (based on the 'notBefore' and 'notAfter' values of the certificate).</label>
+                    </td>
+                </tr>
+            </table>
+            <br/>
            <h4>Miscellaneous settings</h4>
            <table cellpadding="3" cellspacing="0" border="0">
                <tr valign="middle">
@@ -257,7 +282,7 @@
        <table cellpadding="3" cellspacing="0" border="0">
            <tr valign="middle">
-                <td><input type="checkbox" name="tlegacymode-enabled" id="legacymode-enabled" onclick="applyDisplayable('legacymode')" ${legacymodeConfiguration.enabled ? 'checked' : ''}/><label for="legacymode-enabled">Enabled</label></td>
+                <td><input type="checkbox" name="legacymode-enabled" id="legacymode-enabled" onclick="applyDisplayable('legacymode')" ${legacymodeConfiguration.enabled ? 'checked' : ''}/><label for="legacymode-enabled">Enabled</label></td>
            </tr>
        </table>
@@ -304,6 +329,23 @@
            <br/>
+            <h4>Certificate chain checking</h4>
+            <p>These options configure some aspects of the verification/validation of the certificates that are presented by peers while setting up encrypted connections.</p>
+            <table cellpadding="3" cellspacing="0" border="0">
+                <tr valign="middle">
+                    <td>
+                        <input type="checkbox" name="legacymode-accept-self-signed-certificates" id="legacymode-accept-self-signed-certificates" ${legacymodeConfiguration.acceptSelfSignedCertificates ? 'checked' : ''}/><label for="legacymode-accept-self-signed-certificates">Allow peer certificates to be self-signed.</label>
+                    </td>
+                </tr>
+                <tr valign="middle">
+                    <td>
+                        <input type="checkbox" name="legacymode-verify-certificate-validity" id="legacymode-verify-certificate-validity" ${legacymodeConfiguration.verifyCertificateValidity ? 'checked' : ''}/><label for="legacymode-verify-certificate-validity">Verify that the certificate is currently valid (based on the 'notBefore' and 'notAfter' values of the certificate).</label>
+                    </td>
+                </tr>
+            </table>
+            <br/>
            <h4>Miscellaneous settings</h4>
            <table cellpadding="3" cellspacing="0" border="0">
                <tr valign="middle">

--- a/src/web/connection-settings-socket-s2s.jsp
+++ b/src/web/connection-settings-socket-s2s.jsp
@@ -61,11 +61,14 @@
 //        final int plaintextListenerMaxThreads = ParamUtils.getIntParameter( request, "plaintext-maxThreads", plaintextConfiguration.getMaxThreadPoolSize() );
        // legacymode
-        final boolean legacymodeEnabled = ParamUtils.getBooleanParameter( request, "legacymode-enabled" );
+        final boolean legacymodeEnabled = ParamUtils.getBooleanParameter( request, "legacymode-enabled", legacymodeConfiguration.isEnabled() );
        final int legacymodeTcpPort = ParamUtils.getIntParameter( request, "legacymode-tcpPort", legacymodeConfiguration.getPort() );
        final int legacymodeReadBuffer = ParamUtils.getIntParameter( request, "legacymode-readBuffer", legacymodeConfiguration.getMaxBufferSize() );
        final String legacymodeMutualAuthenticationText = ParamUtils.getParameter( request, "legacymode-mutualauthentication", true );
        final Connection.ClientAuth legacymodeMutualAuthentication;
+        final boolean legacymodeAcceptSelfSignedCertificates = ParamUtils.getBooleanParameter( request, "legacymode-accept-self-signed-certificates", legacymodeConfiguration.isAcceptSelfSignedCertificates() );
+        final boolean legacymodeVerifyCertificateValidity = ParamUtils.getBooleanParameter( request, "legacymode-verify-certificate-validity", legacymodeConfiguration.isVerifyCertificateValidity() );
        if ( legacymodeMutualAuthenticationText == null || legacymodeMutualAuthenticationText.isEmpty() )
        {
            legacymodeMutualAuthentication = legacymodeConfiguration.getClientAuth();
@@ -92,6 +95,8 @@
        // TODO: legacymodeListener.setMaxBufferSize( legacymodeReadBuffer );
        legacymodeListener.setClientAuth( legacymodeMutualAuthentication );
        // TODO:  legacymodeListener.setMaxThreadPoolSize( legacymodeListenerMaxThreads);
+        legacymodeListener.setAcceptSelfSignedCertificates( legacymodeAcceptSelfSignedCertificates );
+        legacymodeListener.setVerifyCertificateValidity( legacymodeVerifyCertificateValidity );
        // Log the event
        webManager.logEvent( "Updated connection settings for " + connectionType, "Applied configuration to legacy-mode connection listener." );
@@ -321,7 +326,7 @@
        <table cellpadding="3" cellspacing="0" border="0">
            <tr valign="middle">
-                <td><input type="checkbox" name="tlegacymode-enabled" id="legacymode-enabled" onclick="applyDisplayable('legacymode')" ${legacymodeConfiguration.enabled ? 'checked' : ''}/><label for="legacymode-enabled">Enabled</label></td>
+                <td><input type="checkbox" name="legacymode-enabled" id="legacymode-enabled" onclick="applyDisplayable('legacymode')" ${legacymodeConfiguration.enabled ? 'checked' : ''}/><label for="legacymode-enabled">Enabled</label></td>
            </tr>
        </table>
@@ -343,6 +348,23 @@
            <br/>
+            <h4>Certificate chain checking</h4>
+            <p>These options configure some aspects of the verification/validation of the certificates that are presented by peers while setting up encrypted connections.</p>
+            <table cellpadding="3" cellspacing="0" border="0">
+                <tr valign="middle">
+                    <td>
+                        <input type="checkbox" name="legacymode-accept-self-signed-certificates" id="legacymode-accept-self-signed-certificates" ${legacymodeConfiguration.acceptSelfSignedCertificates ? 'checked' : ''}/><label for="legacymode-accept-self-signed-certificates">Allow peer certificates to be self-signed.</label>
+                    </td>
+                </tr>
+                <tr valign="middle">
+                    <td>
+                        <input type="checkbox" name="legacymode-verify-certificate-validity" id="legacymode-verify-certificate-validity" ${legacymodeConfiguration.verifyCertificateValidity ? 'checked' : ''}/><label for="legacymode-verify-certificate-validity">Verify that the certificate is currently valid (based on the 'notBefore' and 'notAfter' values of the certificate).</label>
+                    </td>
+                </tr>
+            </table>
+            <br/>
            <h4>Miscellaneous settings</h4>
            <table cellpadding="3" cellspacing="0" border="0">
                <tr valign="middle">