Commit a742703d authored by Tom Evans's avatar Tom Evans

Merge pull request #486 from surevine/dwd/sslv2

Only use SSLv2Hello for client-mode
parents 8a74b6de ff40722e
...@@ -1661,7 +1661,7 @@ connection.advanced.settings.certchain.label_selfsigned=Allow peer certificates ...@@ -1661,7 +1661,7 @@ connection.advanced.settings.certchain.label_selfsigned=Allow peer certificates
connection.advanced.settings.certchain.label_validity=Verify that the certificate is currently valid (based on the 'notBefore' and 'notAfter' values of the certificate). connection.advanced.settings.certchain.label_validity=Verify that the certificate is currently valid (based on the 'notBefore' and 'notAfter' values of the certificate).
connection.advanced.settings.protocols.boxtitle=Encryption Protocols connection.advanced.settings.protocols.boxtitle=Encryption Protocols
connection.advanced.settings.protocols.info=These are all encryption protocols that this instance of Openfire supports. Those with a checked box are enabled, and can be used to establish an encrypted connection. Deselecting all values will cause a default to be restored. connection.advanced.settings.protocols.info=These are all encryption protocols that this instance of Openfire supports. Those with a checked box are enabled, and can be used to establish an encrypted connection. Deselecting all values will cause a default to be restored.
connection.advanced.settings.protocols.sslv2hello.info=When setting up a new encrypted connection some encryption protocols allow you to have part of the handshake (the 'hello') encapsulated in an SSLv2 format. The SSLv2Hello option below controls this encapsulation. When disabled, all incoming data must conform to the SSLv3/TLSv1 handshake format, and all outgoing data (which applies to outbound server-to-server connections) will conform to the SSLv3/TLSv1 format. connection.advanced.settings.protocols.sslv2hello.info=When setting up a new encrypted connection some encryption protocols allow you to have part of the handshake (the 'hello') encapsulated in an SSLv2 format. The SSLv2Hello option below controls this encapsulation. When enabled, incoming data may use the SSLv2 handshake format (but SSLv2 itself will never be allowed). When disabled, all incoming data must conform to the SSLv3/TLSv1 handshake format. All outgoing data (which applies to outbound server-to-server connections) will always conform to the SSLv3/TLSv1 format irrespective of this setting.
connection.advanced.settings.ciphersuites.boxtitle=Encryption Cipher Suites connection.advanced.settings.ciphersuites.boxtitle=Encryption Cipher Suites
connection.advanced.settings.ciphersuites.info=These are all encryption cipher suites that this instance of Openfire supports. Those in the list on the left are enabled, and can be used to establish an encrypted connection. Removing all values from that list will cause a default to be restored. connection.advanced.settings.ciphersuites.info=These are all encryption cipher suites that this instance of Openfire supports. Those in the list on the left are enabled, and can be used to establish an encrypted connection. Removing all values from that list will cause a default to be restored.
connection.advanced.settings.ciphersuites.label_enable=Enabled connection.advanced.settings.ciphersuites.label_enable=Enabled
......
...@@ -8,10 +8,7 @@ import org.slf4j.LoggerFactory; ...@@ -8,10 +8,7 @@ import org.slf4j.LoggerFactory;
import javax.net.ssl.*; import javax.net.ssl.*;
import java.security.*; import java.security.*;
import java.util.ArrayList; import java.util.*;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
/** /**
* Instances of this class will be able to generate various encryption-related artifacts based on a specific connection * Instances of this class will be able to generate various encryption-related artifacts based on a specific connection
...@@ -90,7 +87,7 @@ public class EncryptionArtifactFactory ...@@ -90,7 +87,7 @@ public class EncryptionArtifactFactory
*/ */
public synchronized SSLContext getSSLContext() throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException public synchronized SSLContext getSSLContext() throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException
{ {
final SSLContext sslContext = SSLContext.getInstance( "TLSv1" ); final SSLContext sslContext = SSLContext.getInstance("TLSv1");
sslContext.init( getKeyManagers(), getTrustManagers(), new SecureRandom() ); sslContext.init( getKeyManagers(), getTrustManagers(), new SecureRandom() );
return sslContext; return sslContext;
} }
...@@ -164,12 +161,17 @@ public class EncryptionArtifactFactory ...@@ -164,12 +161,17 @@ public class EncryptionArtifactFactory
* *
* For Openfire, an engine of this mode is typically used when the server tries to connect to another server. * For Openfire, an engine of this mode is typically used when the server tries to connect to another server.
* *
* These SSLEngines never send SSLV2 ClientHello messages.
*
* @return An initialized SSLEngine instance (never null). * @return An initialized SSLEngine instance (never null).
*/ */
public SSLEngine createClientModeSSLEngine() throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException public SSLEngine createClientModeSSLEngine() throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException
{ {
final SSLEngine sslEngine = createSSLEngine( ); final SSLEngine sslEngine = createSSLEngine();
sslEngine.setUseClientMode( true ); sslEngine.setUseClientMode( true );
final Set<String> protocols = new LinkedHashSet<>( Arrays.asList( sslEngine.getEnabledProtocols() ) );
protocols.remove( "SSLv2Hello" );
sslEngine.setEnabledProtocols( protocols.toArray( new String[ protocols.size() ] ) );
return sslEngine; return sslEngine;
} }
...@@ -196,7 +198,8 @@ public class EncryptionArtifactFactory ...@@ -196,7 +198,8 @@ public class EncryptionArtifactFactory
final Set<String> protocols = configuration.getEncryptionProtocols(); final Set<String> protocols = configuration.getEncryptionProtocols();
if ( !protocols.isEmpty() ) if ( !protocols.isEmpty() )
{ {
sslContextFactory.setIncludeProtocols( protocols.toArray( new String[ protocols.size() ] ) ); // Note that this is always server-mode, so may support SSLv2Hello.
sslContextFactory.setIncludeProtocols(protocols.toArray(new String[protocols.size()]));
} }
// Configure cipher suite support. // Configure cipher suite support.
......
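Review bot: Stripping "SSLv2Hello" from the client-mode engine in createClientModeSSLEngine can leave `protocols` empty if the engine returned by `createSSLEngine()` had SSLv2Hello as its only enabled protocol, and as far as I can tell `setEnabledProtocols` on the next line would accept the empty array, so the misconfiguration would only surface later as a handshake failure with a less informative error. A guard between the `remove` and `setEnabledProtocols` lines makes the problem visible where it originates, e.g. `if ( protocols.isEmpty() ) { throw new IllegalStateException( "No SSL/TLS protocol other than SSLv2Hello is enabled; cannot create a client-mode SSLEngine." ); }`, which is unchecked and so leaves the method's throws clause unchanged. Whether an engine from `createSSLEngine()` can actually end up in that state depends on code outside this hunk, so the check may be purely defensive. The new Javadoc line says "SSLV2 ClientHello"; writing it as `SSLv2Hello`, the name the code removes, would keep the comment and the string literal consistent.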