Commit c29a3358 authored by guus's avatar guus

Stop checking if every certificate in the local certificate chain is...

Stop checking if every certificate in the local certificate chain is self-signed. Only the first certificate from the chain is the local certificate. The rest of them are CA's (OF-405).

git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@12235 b35dd754-fafc-0310-a699-88a17e54d16e
parent ba8d7621
......@@ -97,18 +97,23 @@ public interface Connection {
*/
public String getHostName() throws UnknownHostException;
/**
* Returns the local underlying {@link javax.security.cert.X509Certificate} for the connection.
*
* @return <tt>null</tt> if no {@link javax.security.cert.X509Certificate} is present for the connection.
*/
/**
* Returns the local underlying {@link javax.security.cert.X509Certificate}
* chain for the connection.
*
* @return an ordered array of certificates, with the local certificate
* first followed by any certificate authorities. If no certificates
* is present for the connection, then <tt>null</tt> is returned.
*/
public Certificate[] getLocalCertificates();
/**
* Returns the underlying {@link javax.security.cert.X509Certificate} for the connection of the peer.
*
* @return <tt>null</tt> if no {@link javax.security.cert.X509Certificate} is present for the connection.
*/
/**
* Returns the underlying {@link javax.security.cert.X509Certificate} for
* the connection of the peer.
*
* @return an ordered array of peer certificates, with the peer's own
* certificate first followed by any certificate authorities.
*/
public Certificate[] getPeerCertificates();
/**
......
......@@ -20,8 +20,10 @@
package org.jivesoftware.openfire.net;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.UnknownHostException;
import java.security.KeyStoreException;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
......@@ -119,7 +121,6 @@ public class SASLAuthentication {
}
}
@SuppressWarnings({"UnnecessarySemicolon"}) // Support for QDox Parser
public enum Status {
/**
* Entity needs to respond last challenge. Session is still negotiating
......@@ -153,20 +154,24 @@ public class SASLAuthentication {
StringBuilder sb = new StringBuilder(195);
sb.append("<mechanisms xmlns=\"urn:ietf:params:xml:ns:xmpp-sasl\">");
if (session instanceof IncomingServerSession) {
// Server connections dont follow the same rules as clients
// Server connections don't follow the same rules as clients
if (session.isSecure()) {
boolean usingSelfSigned = false;
Certificate[] certificates = session.getConnection().getLocalCertificates();
for (Certificate certificate : certificates) {
try {
if (CertificateManager
.isSelfSignedCertificate(SSLConfig.getKeyStore(), (X509Certificate) certificate)) {
usingSelfSigned = true;
}
} catch (Exception e) {
usingSelfSigned = true;
}
boolean usingSelfSigned;
final Certificate[] chain = session.getConnection().getLocalCertificates();
if (chain == null || chain.length == 0) {
usingSelfSigned = true;
} else {
try {
usingSelfSigned = CertificateManager.isSelfSignedCertificate(SSLConfig.getKeyStore(), (X509Certificate) chain[0]);
} catch (KeyStoreException ex) {
Log.warn("Exception occurred while trying to determine whether local certificate is self-signed. Proceeding as if it is.", ex);
usingSelfSigned = true;
} catch (IOException ex) {
Log.warn("Exception occurred while trying to determine whether local certificate is self-signed. Proceeding as if it is.", ex);
usingSelfSigned = true;
}
}
if (!usingSelfSigned) {
// Offer SASL EXTERNAL only if TLS has already been negotiated and we are not
// using a self-signed certificate
......
......@@ -20,6 +20,7 @@
package org.jivesoftware.openfire.session;
import java.io.IOException;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
......@@ -363,27 +364,34 @@ public class LocalIncomingServerSession extends LocalSession implements Incoming
@Override
public String getAvailableStreamFeatures() {
StringBuilder sb = new StringBuilder();
// Include Stream Compression Mechanism
if (conn.getCompressionPolicy() != Connection.CompressionPolicy.disabled &&
!conn.isCompressed()) {
sb.append("<compression xmlns=\"http://jabber.org/features/compress\"><method>zlib</method></compression>");
}
// Offer server dialback if using self-signed certificaftes and no authentication has been done yet
boolean usingSelfSigned = false;
Certificate[] certificates = conn.getLocalCertificates();
for (Certificate certificate : certificates) {
try {
if (CertificateManager
.isSelfSignedCertificate(SSLConfig.getKeyStore(), (X509Certificate) certificate)) {
usingSelfSigned = true;
}
} catch (Exception e) {
// Ignore
}
// Offer server dialback if using self-signed certificates and no authentication has been done yet
boolean usingSelfSigned;
final Certificate[] chain = conn.getLocalCertificates();
if (chain == null || chain.length == 0) {
usingSelfSigned = true;
} else {
try {
usingSelfSigned = CertificateManager.isSelfSignedCertificate(SSLConfig.getKeyStore(), (X509Certificate) chain[0]);
} catch (KeyStoreException ex) {
Log.warn("Exception occurred while trying to determine whether local certificate is self-signed. Proceeding as if it is.", ex);
usingSelfSigned = true;
} catch (IOException ex) {
Log.warn("Exception occurred while trying to determine whether local certificate is self-signed. Proceeding as if it is.", ex);
usingSelfSigned = true;
}
}
if (usingSelfSigned && ServerDialback.isEnabledForSelfSigned() && validatedDomains.isEmpty()) {
sb.append("<dialback xmlns=\"urn:xmpp:features:dialback\"/>");
}
return sb.toString();
}
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment