Commit c29a3358 authored by guus's avatar guus

Stop checking if every certificate in the local certificate chain is...

Stop checking if every certificate in the local certificate chain is self-signed. Only the first certificate from the chain is the local certificate. The rest of them are CA's (OF-405).

git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@12235 b35dd754-fafc-0310-a699-88a17e54d16e
parent ba8d7621
...@@ -98,16 +98,21 @@ public interface Connection { ...@@ -98,16 +98,21 @@ public interface Connection {
public String getHostName() throws UnknownHostException; public String getHostName() throws UnknownHostException;
/** /**
* Returns the local underlying {@link javax.security.cert.X509Certificate} for the connection. * Returns the local underlying {@link javax.security.cert.X509Certificate}
* chain for the connection.
* *
* @return <tt>null</tt> if no {@link javax.security.cert.X509Certificate} is present for the connection. * @return an ordered array of certificates, with the local certificate
* first followed by any certificate authorities. If no certificates
* is present for the connection, then <tt>null</tt> is returned.
*/ */
public Certificate[] getLocalCertificates(); public Certificate[] getLocalCertificates();
/** /**
* Returns the underlying {@link javax.security.cert.X509Certificate} for the connection of the peer. * Returns the underlying {@link javax.security.cert.X509Certificate} for
* the connection of the peer.
* *
* @return <tt>null</tt> if no {@link javax.security.cert.X509Certificate} is present for the connection. * @return an ordered array of peer certificates, with the peer's own
* certificate first followed by any certificate authorities.
*/ */
public Certificate[] getPeerCertificates(); public Certificate[] getPeerCertificates();
......
...@@ -20,8 +20,10 @@ ...@@ -20,8 +20,10 @@
package org.jivesoftware.openfire.net; package org.jivesoftware.openfire.net;
import java.io.IOException;
import java.io.UnsupportedEncodingException; import java.io.UnsupportedEncodingException;
import java.net.UnknownHostException; import java.net.UnknownHostException;
import java.security.KeyStoreException;
import java.security.Security; import java.security.Security;
import java.security.cert.Certificate; import java.security.cert.Certificate;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
...@@ -119,7 +121,6 @@ public class SASLAuthentication { ...@@ -119,7 +121,6 @@ public class SASLAuthentication {
} }
} }
@SuppressWarnings({"UnnecessarySemicolon"}) // Support for QDox Parser
public enum Status { public enum Status {
/** /**
* Entity needs to respond last challenge. Session is still negotiating * Entity needs to respond last challenge. Session is still negotiating
...@@ -153,20 +154,24 @@ public class SASLAuthentication { ...@@ -153,20 +154,24 @@ public class SASLAuthentication {
StringBuilder sb = new StringBuilder(195); StringBuilder sb = new StringBuilder(195);
sb.append("<mechanisms xmlns=\"urn:ietf:params:xml:ns:xmpp-sasl\">"); sb.append("<mechanisms xmlns=\"urn:ietf:params:xml:ns:xmpp-sasl\">");
if (session instanceof IncomingServerSession) { if (session instanceof IncomingServerSession) {
// Server connections dont follow the same rules as clients // Server connections don't follow the same rules as clients
if (session.isSecure()) { if (session.isSecure()) {
boolean usingSelfSigned = false; boolean usingSelfSigned;
Certificate[] certificates = session.getConnection().getLocalCertificates(); final Certificate[] chain = session.getConnection().getLocalCertificates();
for (Certificate certificate : certificates) { if (chain == null || chain.length == 0) {
usingSelfSigned = true;
} else {
try { try {
if (CertificateManager usingSelfSigned = CertificateManager.isSelfSignedCertificate(SSLConfig.getKeyStore(), (X509Certificate) chain[0]);
.isSelfSignedCertificate(SSLConfig.getKeyStore(), (X509Certificate) certificate)) { } catch (KeyStoreException ex) {
Log.warn("Exception occurred while trying to determine whether local certificate is self-signed. Proceeding as if it is.", ex);
usingSelfSigned = true; usingSelfSigned = true;
} } catch (IOException ex) {
} catch (Exception e) { Log.warn("Exception occurred while trying to determine whether local certificate is self-signed. Proceeding as if it is.", ex);
usingSelfSigned = true; usingSelfSigned = true;
} }
} }
if (!usingSelfSigned) { if (!usingSelfSigned) {
// Offer SASL EXTERNAL only if TLS has already been negotiated and we are not // Offer SASL EXTERNAL only if TLS has already been negotiated and we are not
// using a self-signed certificate // using a self-signed certificate
......
...@@ -20,6 +20,7 @@ ...@@ -20,6 +20,7 @@
package org.jivesoftware.openfire.session; package org.jivesoftware.openfire.session;
import java.io.IOException; import java.io.IOException;
import java.security.KeyStoreException;
import java.security.cert.Certificate; import java.security.cert.Certificate;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import java.util.Collection; import java.util.Collection;
...@@ -363,27 +364,34 @@ public class LocalIncomingServerSession extends LocalSession implements Incoming ...@@ -363,27 +364,34 @@ public class LocalIncomingServerSession extends LocalSession implements Incoming
@Override @Override
public String getAvailableStreamFeatures() { public String getAvailableStreamFeatures() {
StringBuilder sb = new StringBuilder(); StringBuilder sb = new StringBuilder();
// Include Stream Compression Mechanism // Include Stream Compression Mechanism
if (conn.getCompressionPolicy() != Connection.CompressionPolicy.disabled && if (conn.getCompressionPolicy() != Connection.CompressionPolicy.disabled &&
!conn.isCompressed()) { !conn.isCompressed()) {
sb.append("<compression xmlns=\"http://jabber.org/features/compress\"><method>zlib</method></compression>"); sb.append("<compression xmlns=\"http://jabber.org/features/compress\"><method>zlib</method></compression>");
} }
// Offer server dialback if using self-signed certificaftes and no authentication has been done yet
boolean usingSelfSigned = false; // Offer server dialback if using self-signed certificates and no authentication has been done yet
Certificate[] certificates = conn.getLocalCertificates(); boolean usingSelfSigned;
for (Certificate certificate : certificates) { final Certificate[] chain = conn.getLocalCertificates();
if (chain == null || chain.length == 0) {
usingSelfSigned = true;
} else {
try { try {
if (CertificateManager usingSelfSigned = CertificateManager.isSelfSignedCertificate(SSLConfig.getKeyStore(), (X509Certificate) chain[0]);
.isSelfSignedCertificate(SSLConfig.getKeyStore(), (X509Certificate) certificate)) { } catch (KeyStoreException ex) {
Log.warn("Exception occurred while trying to determine whether local certificate is self-signed. Proceeding as if it is.", ex);
usingSelfSigned = true;
} catch (IOException ex) {
Log.warn("Exception occurred while trying to determine whether local certificate is self-signed. Proceeding as if it is.", ex);
usingSelfSigned = true; usingSelfSigned = true;
}
} catch (Exception e) {
// Ignore
} }
} }
if (usingSelfSigned && ServerDialback.isEnabledForSelfSigned() && validatedDomains.isEmpty()) { if (usingSelfSigned && ServerDialback.isEnabledForSelfSigned() && validatedDomains.isEmpty()) {
sb.append("<dialback xmlns=\"urn:xmpp:features:dialback\"/>"); sb.append("<dialback xmlns=\"urn:xmpp:features:dialback\"/>");
} }
return sb.toString(); return sb.toString();
} }
} }
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment