OF-946: Jetty SslContextFactory instantion should not be duplicated.

SSLConfig can now be used to get a consistently configured Jetty SSL configuration.

src/java/org/jivesoftware/openfire/container/AdminConsolePlugin.java

@@ -148,23 +148,10 @@ public class AdminConsolePlugin implements Plugin {
                     Log.warn("Admin console: Using RSA certificates but they are not valid for the hosted domain");
                 }
 
-                final TrustStoreConfig trustStoreConfig = SSLConfig.getInstance().getTrustStoreConfig( Purpose.WEBADMIN );
-
-                final SslContextFactory sslContextFactory = new SslContextFactory();
-                sslContextFactory.setTrustStorePath( trustStoreConfig.getCanonicalPath() );
-                sslContextFactory.setTrustStorePassword( trustStoreConfig.getPassword() );
-                sslContextFactory.setTrustStoreType( trustStoreConfig.getType() );
-                sslContextFactory.setKeyStorePath( identityStoreConfig.getCanonicalPath() );
-                sslContextFactory.setKeyStorePassword( identityStoreConfig.getPassword() );
-                sslContextFactory.setKeyStoreType( identityStoreConfig.getType() );
-
-                sslContextFactory.addExcludeProtocols( "SSLv3" );
-                sslContextFactory.setNeedClientAuth( false );
-                sslContextFactory.setWantClientAuth( false );
+                final SslContextFactory sslContextFactory = SSLConfig.getSslContextFactory( Purpose.WEBADMIN );
 
                 final ServerConnector httpsConnector;
-                if ("npn".equals(JiveGlobals.getXMLProperty("spdy.protocol", "")))
-				{
+                if ("npn".equals(JiveGlobals.getXMLProperty("spdy.protocol", ""))) {
 					httpsConnector = new HTTPSPDYServerConnector(adminServer, sslContextFactory);
 
 				} else {

src/java/org/jivesoftware/openfire/http/HttpBindManager.java

@@ -64,6 +64,7 @@ import org.jivesoftware.openfire.XMPPServer;
 import org.jivesoftware.openfire.keystore.IdentityStoreConfig;
 import org.jivesoftware.openfire.keystore.Purpose;
 import org.jivesoftware.openfire.keystore.CertificateStoreConfig;
+import org.jivesoftware.openfire.keystore.TrustStoreConfig;
 import org.jivesoftware.openfire.net.SSLConfig;
 import org.jivesoftware.openfire.session.ConnectionSettings;
 import org.jivesoftware.util.CertificateEventListener;
@@ -259,38 +260,15 @@ public final class HttpBindManager {
                             "the hosted domain");
                 }
 
-                final TrustStoreConfig trustStoreConfig = SSLConfig.getInstance().getTrustStoreConfig( Purpose.BOSH_C2S );
-
-                final SslContextFactory sslContextFactory = new SslContextFactory();
-                sslContextFactory.setTrustStorePath( trustStoreConfig.getCanonicalPath() );
-                sslContextFactory.setTrustStorePassword( trustStoreConfig.getPassword() );
-                sslContextFactory.setTrustStoreType( trustStoreConfig.getType() );
-                sslContextFactory.setKeyStorePath( identityStoreConfig.getCanonicalPath() );
-                sslContextFactory.setKeyStorePassword( identityStoreConfig.getPassword() );
-                sslContextFactory.setKeyStoreType( identityStoreConfig.getType() );
-
-                sslContextFactory.addExcludeProtocols( "SSLv3" );
-
-                // Set policy for checking client certificates
-                String certPol = JiveGlobals.getProperty(HTTP_BIND_AUTH_PER_CLIENTCERT_POLICY, "disabled");
-                if(certPol.equals("needed")) {
-                	sslContextFactory.setNeedClientAuth(true);
-                	sslContextFactory.setWantClientAuth(true);
-                } else if(certPol.equals("wanted")) {
-                	sslContextFactory.setNeedClientAuth(false);
-                	sslContextFactory.setWantClientAuth(true);
-                } else {
-                	sslContextFactory.setNeedClientAuth(false);
-                	sslContextFactory.setWantClientAuth(false);
-                }
+                final SslContextFactory sslContextFactory = SSLConfig.getSslContextFactory( Purpose.BOSH_C2S );
 
- 				HttpConfiguration httpsConfig = new HttpConfiguration();
+ 				final HttpConfiguration httpsConfig = new HttpConfiguration();
 				httpsConfig.setSecureScheme("https");
 				httpsConfig.setSecurePort(securePort);
  				configureProxiedConnector(httpsConfig);
  				httpsConfig.addCustomizer(new SecureRequestCustomizer());
 
- 				ServerConnector sslConnector = null;
+ 				final ServerConnector sslConnector;
 
 				if ("npn".equals(JiveGlobals.getXMLProperty("spdy.protocol", "")))
 				{

src/java/org/jivesoftware/openfire/keystore/Purpose.java

@@ -4,6 +4,7 @@ import org.jivesoftware.util.JiveGlobals;
 
 import java.io.File;
 import java.io.IOException;
+import java.util.Set;
 
 /**
  * Potential intended usages (for TLS connectivity).
@@ -138,7 +139,7 @@ public enum Purpose
 
     public String getIdentityStoreLocation() throws IOException
     {
-        return canonicalize( getIdentityStoreLocation() );
+        return canonicalize( getIdentityStoreLocationNonCanonicalized() );
     }
 
     public String getIdentityStoreLocationNonCanonicalized()
@@ -158,7 +159,7 @@ public enum Purpose
 
     public String getTrustStoreLocation() throws IOException
     {
-        return canonicalize( getTrustStoreLocation() );
+        return canonicalize( getTrustStoreLocationNonCanonicalized() );
     }
 
     public String getTrustStoreLocationNonCanonicalized()
@@ -176,6 +177,67 @@ public enum Purpose
         }
     }
 
+    public String getProtocolsEnabled()
+    {
+        final String propertyName = prefix + "protocols.enabled";
+        final String defaultValue = "TLSv1,TLSv1.1,TLSv1.2";
+
+        if ( fallback == null )
+        {
+            return JiveGlobals.getProperty( propertyName, defaultValue ).trim();
+        }
+        else
+        {
+            return JiveGlobals.getProperty( propertyName, fallback.getProtocolsEnabled() ).trim();
+        }
+    }
+
+    public String getProtocolsDisabled()
+    {
+        final String propertyName = prefix + "protocols.disabled";
+        final String defaultValue = "SSLv1,SSLv2,SSLv2Hello,SSLv3";
+
+        if ( fallback == null )
+        {
+            return JiveGlobals.getProperty( propertyName, defaultValue ).trim();
+        }
+        else
+        {
+            return JiveGlobals.getProperty( propertyName, fallback.getProtocolsDisabled() ).trim();
+        }
+    }
+
+    public String getCipherSuitesEnabled()
+    {
+        final String propertyName = prefix + "ciphersuites.enabled";
+        final String defaultValue = "";
+
+        final String result;
+        if ( fallback == null )
+        {
+            return JiveGlobals.getProperty( propertyName, defaultValue );
+        }
+        else
+        {
+            return JiveGlobals.getProperty( propertyName, fallback.getCipherSuitesEnabled() );
+        }
+    }
+
+    public String getCipherSuitesDisabled()
+    {
+        final String propertyName = prefix + "ciphersuites.disabled";
+        final String defaultValue = null;
+
+        if ( fallback == null )
+        {
+            return JiveGlobals.getProperty( propertyName, defaultValue ).trim();
+        }
+        else
+        {
+            return JiveGlobals.getProperty( propertyName, fallback.getCipherSuitesDisabled() ).trim();
+        }
+    }
+
     public static String canonicalize( String path ) throws IOException
     {
         File file = new File( path );

src/java/org/jivesoftware/openfire/net/SSLConfig.java

@@ -21,6 +21,7 @@
 package org.jivesoftware.openfire.net;
 
 import org.apache.mina.filter.ssl.SslFilter;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.jivesoftware.openfire.Connection;
 import org.jivesoftware.openfire.keystore.*;
 import org.jivesoftware.openfire.session.ConnectionSettings;
@@ -406,7 +407,6 @@ public class SSLConfig
 
         final SSLContext sslContext = SSLContext.getInstance( purpose.getIdentityStoreType() );
         sslContext.init( keyManagers, trustManagers, new SecureRandom() );
-
         return sslContext;
     }
 
@@ -473,12 +473,89 @@ public class SSLConfig
         final SSLContext sslContext = getSSLContext( purpose );
 
         final SSLEngine sslEngine = sslContext.createSSLEngine();
-        configureProtocols( sslEngine, purpose );
-        configureCipherSuites( sslEngine, purpose );
+
+        // Configure protocol support.
+        if ( purpose.getProtocolsEnabled() != null && !purpose.getProtocolsEnabled().isEmpty() )
+        {
+            // When an explicit list of enabled protocols is defined, use only those.
+            sslEngine.setEnabledProtocols( purpose.getProtocolsEnabled().split( "," ) );
+        }
+        else if ( purpose.getProtocolsDisabled() != null && !purpose.getProtocolsDisabled().isEmpty() )
+        {
+            // Otherwise, use all supported protocols (except for the ones that are explicitly disabled).
+            final List<String> disabled = Arrays.asList( purpose.getProtocolsDisabled() );
+            final ArrayList<String> supported = new ArrayList<>(  );
+            for ( final String candidate : sslEngine.getSupportedProtocols() ) {
+                if ( !disabled.contains( candidate ) ) {
+                    supported.add( candidate );
+                }
+            }
+
+            sslEngine.setEnabledProtocols( supported.toArray( new String[ supported.size()] ) );
+        }
+
+        // Configure cipher suite support.
+        if ( purpose.getCipherSuitesEnabled() != null && !purpose.getCipherSuitesEnabled().isEmpty() )
+        {
+            // When an explicit list of enabled protocols is defined, use only those.
+            sslEngine.setEnabledCipherSuites( purpose.getCipherSuitesEnabled().split( "," ) );
+        }
+        else if ( purpose.getCipherSuitesDisabled() != null && !purpose.getCipherSuitesDisabled().isEmpty() )
+        {
+            // Otherwise, use all supported cipher suites (except for the ones that are explicitly disabled).
+            final List<String> disabled = Arrays.asList( purpose.getCipherSuitesDisabled() );
+            final ArrayList<String> supported = new ArrayList<>(  );
+            for ( final String candidate : sslEngine.getSupportedCipherSuites() ) {
+                if ( !disabled.contains( candidate ) ) {
+                    supported.add( candidate );
+                }
+            }
+
+            sslEngine.setEnabledCipherSuites( supported.toArray( new String[ supported.size() ] ) );
+        }
+
+        // TODO: Set policy for checking client certificates
 
         return sslEngine;
     }
 
+    public static SslContextFactory getSslContextFactory( final Purpose purpose )
+    {
+        final SslContextFactory sslContextFactory = new SslContextFactory();
+
+        sslContextFactory.setTrustStore( SSLConfig.getTrustStore( purpose ) );
+        sslContextFactory.setKeyStore( SSLConfig.getIdentityStore( purpose ) );
+
+        // Configure protocol and cipher suite support.
+        if ( purpose.getProtocolsEnabled() != null ) {
+            sslContextFactory.setIncludeProtocols( purpose.getProtocolsEnabled().split( "," ) );
+        }
+        if ( purpose.getProtocolsDisabled() != null ) {
+            sslContextFactory.setExcludeProtocols( purpose.getProtocolsDisabled().split( "," ) );
+        }
+        if ( purpose.getCipherSuitesEnabled() != null) {
+            sslContextFactory.setIncludeCipherSuites( purpose.getCipherSuitesEnabled().split( "," ) );
+        }
+        if ( purpose.getCipherSuitesDisabled() != null ) {
+            sslContextFactory.setExcludeCipherSuites( purpose.getCipherSuitesDisabled().split( "," ) );
+        }
+
+// TODO: Set policy for checking client certificates
+//        String certPol = JiveGlobals.getProperty(HTTP_BIND_AUTH_PER_CLIENTCERT_POLICY, "disabled");
+//        if(certPol.equals("needed")) {
+//            sslContextFactory.setNeedClientAuth(true);
+//            sslContextFactory.setWantClientAuth(true);
+//        } else if(certPol.equals("wanted")) {
+//            sslContextFactory.setNeedClientAuth(false);
+//            sslContextFactory.setWantClientAuth(true);
+//        } else {
+//            sslContextFactory.setNeedClientAuth(false);
+//            sslContextFactory.setWantClientAuth(false);
+//        }
+
+        return sslContextFactory;
+    }
+
     /**
      * Enables a specific set of protocols in an SSLEngine instance.
      *
@@ -493,7 +570,7 @@ public class SSLConfig
      *
      * @param sslEngine The instance to configure. Cannot be null.
      * @param purpose The type of configuration to use (used to select the relevent property). Cannot be null.
-     */
+
     private static void configureProtocols( SSLEngine sslEngine, Purpose purpose )
     {
         // Find configuration, using fallback where applicable.
@@ -530,6 +607,7 @@ public class SSLConfig
             sslEngine.setEnabledProtocols( defaultEnabled.toArray( new String[ defaultEnabled.size()] ) );
         }
     }
+                      */
 
     /**
      * Enables a specific set of cipher suites in an SSLEngine instance.
@@ -545,7 +623,7 @@ public class SSLConfig
      *
      * @param sslEngine The instance to configure. Cannot be null.
      * @param purpose The type of configuration to use (used to select the relevent property). Cannot be null.
-     */
+
     private static void configureCipherSuites( SSLEngine sslEngine, Purpose purpose )
     {
         String enabledCipherSuites = JiveGlobals.getProperty( purpose.getPrefix() + "enabled.ciphersuites" );
@@ -588,6 +666,7 @@ public class SSLConfig
             sslEngine.setEnabledCipherSuites( defaultEnabled.toArray( new String[ defaultEnabled.size()] ) );
         }
     }
+                      */
 
     /**
      * Creates an Apache MINA SslFilter that is configured to use server mode when handshaking.