Java Code Examples for org.eclipse.jetty.util.ssl.SslContextFactory#addExcludeProtocols()

The following examples show how to use org.eclipse.jetty.util.ssl.SslContextFactory#addExcludeProtocols(). Note that addExcludeProtocols() appends to Jetty's built-in protocol exclusion list (which already covers SSLv2/SSLv3), whereas setExcludeProtocols() replaces it; the same distinction applies to addExcludeCipherSuites() versus setExcludeCipherSuites(). Each example names the project and source file it was taken from.
Example 1
Source File: App.java — from the mysql_perf_analyzer project (Apache License 2.0)
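/**
 * Creates the HTTPS connector used when the analyzer is configured for TLS.
 *
 * <p>TLS is terminated with the key store named by {@link #getCertKeyStorePath()}
 * (unlocked with {@link #getCertKeyStorePassword()}) and HTTP/1.1 is served on
 * {@link #getPort()}. The protocol and cipher-suite restrictions below are
 * added on top of Jetty's built-in exclusion lists rather than replacing them.
 *
 * @return a {@link ServerConnector} bound to {@link #getPort()}; the caller is
 *         responsible for adding it to {@code jettyServer}
 */
private ServerConnector sslConnector() {
	HttpConfiguration http_config = new HttpConfiguration();
	http_config.setSecureScheme("https");
	http_config.setSecurePort(this.getPort());
	
	HttpConfiguration https_config = new HttpConfiguration(http_config);
	// Lets Jetty flag requests arriving on this connector as secure (HTTPS).
	https_config.addCustomizer(new SecureRequestCustomizer());
	
	// NOTE(review): newer Jetty 9.4 releases provide SslContextFactory.Server
	// as the server-side type; confirm the Jetty version in use before switching.
	SslContextFactory sslContextFactory = new SslContextFactory(this.getCertKeyStorePath());
	sslContextFactory.setKeyStorePassword(this.getCertKeyStorePassword());
	
	// Exclude suites whose MAC is MD5 or SHA-1. addExcludeCipherSuites() APPENDS
	// to Jetty's default exclusion list; the previous setExcludeCipherSuites()
	// call REPLACED that list, silently re-admitting whatever Jetty excludes
	// by default (e.g. NULL/anon suites on versions that ship such defaults).
	sslContextFactory.addExcludeCipherSuites("^.*_(MD5|SHA|SHA1)$");
	
	// Disable SSLv2/SSLv3 and TLS 1.0/1.1. This is an exclusion list: TLSv1.2
	// stays enabled, and so does TLSv1.3 on a JDK that offers it. Use
	// setIncludeProtocols("TLSv1.2") instead if exactly one version is wanted.
	sslContextFactory.addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1");
	
	ServerConnector connector = new ServerConnector(jettyServer, 
			new SslConnectionFactory(sslContextFactory, "http/1.1"),
			new HttpConnectionFactory(https_config));
	connector.setPort(this.getPort());
	// Drop idle connections after 50 s so slow or abandoned clients do not
	// hold server resources indefinitely.
	connector.setIdleTimeout(50000);
	return connector;
}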
 
Example 2
Source File: SecureEmbeddedServer.java — from the atlas project (Apache License 2.0)
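/**
 * Builds the HTTPS connector for the embedded server and registers it with
 * {@code server}.
 *
 * <p>Key store, trust store and their passwords are read from the Atlas
 * configuration, falling back to system properties and the built-in default
 * locations. Cipher suites listed under {@code ATLAS_SSL_EXCLUDE_CIPHER_SUITES}
 * are excluded, TLS renegotiation is disabled, and the protocols under
 * {@code ATLAS_SSL_EXCLUDE_PROTOCOLS} (or {@code DEFAULT_EXCLUDE_PROTOCOLS}) are
 * appended to Jetty's own exclusion list.
 *
 * @param host not used here (no {@code setHost} call is made), so the connector
 *             uses Jetty's default bind address
 * @param port TCP port the HTTPS connector listens on
 * @return the connector, already added to {@code server}
 * @throws IOException propagated from the configuration / password helpers
 */
@Override
protected Connector getConnector(String host, int port) throws IOException {
    org.apache.commons.configuration.Configuration config = getConfiguration();

    // NOTE(review): this replaces the JVM-wide default SSLContext, which also
    // affects every outbound TLS client in this process, not just this connector.
    SSLContext sslContext = getSSLContext();
    if (sslContext != null) {
        SSLContext.setDefault(sslContext);
    }

    SslContextFactory sslContextFactory = new SslContextFactory();
    sslContextFactory.setKeyStorePath(config.getString(KEYSTORE_FILE_KEY,
            System.getProperty(KEYSTORE_FILE_KEY, DEFAULT_KEYSTORE_FILE_LOCATION)));
    sslContextFactory.setKeyStorePassword(getPassword(config, KEYSTORE_PASSWORD_KEY));
    sslContextFactory.setKeyManagerPassword(getPassword(config, SERVER_CERT_PASSWORD_KEY));
    sslContextFactory.setTrustStorePath(config.getString(TRUSTSTORE_FILE_KEY,
            System.getProperty(TRUSTSTORE_FILE_KEY, DEFATULT_TRUSTORE_FILE_LOCATION)));
    sslContextFactory.setTrustStorePassword(getPassword(config, TRUSTSTORE_PASSWORD_KEY));
    // "want" (not "need") client auth: a client certificate is requested but a
    // connection without one is still accepted. Use setNeedClientAuth if mutual
    // TLS is meant to be mandatory. The fallback default is the system property
    // of the same name.
    sslContextFactory.setWantClientAuth(config.getBoolean(CLIENT_AUTH_KEY, Boolean.getBoolean(CLIENT_AUTH_KEY)));

    // setExcludeCipherSuites REPLACES Jetty's built-in exclusion list, so the
    // configured list (or DEFAULT_CIPHER_SUITES) must be complete on its own.
    List<Object> cipherList = config.getList(ATLAS_SSL_EXCLUDE_CIPHER_SUITES, DEFAULT_CIPHER_SUITES);
    sslContextFactory.setExcludeCipherSuites(cipherList.toArray(new String[0]));
    // Disable TLS renegotiation (historically a source of injection and DoS issues).
    sslContextFactory.setRenegotiationAllowed(false);

    // addExcludeProtocols APPENDS to Jetty's defaults (which already cover
    // SSLv2/SSLv3), so a configured value can only tighten the protocol set.
    String[] excludedProtocols = config.containsKey(ATLAS_SSL_EXCLUDE_PROTOCOLS) ?
            config.getStringArray(ATLAS_SSL_EXCLUDE_PROTOCOLS) : DEFAULT_EXCLUDE_PROTOCOLS;
    if (excludedProtocols != null && excludedProtocols.length > 0) {
        sslContextFactory.addExcludeProtocols(excludedProtocols);
    }

    // HTTP configuration shared by the HTTPS connector
    HttpConfiguration http_config = new HttpConfiguration();
    http_config.setSecureScheme("https");
    final int bufferSize = AtlasConfiguration.WEBSERVER_REQUEST_BUFFER_SIZE.getInt();
    http_config.setSecurePort(port);
    http_config.setRequestHeaderSize(bufferSize);
    http_config.setResponseHeaderSize(bufferSize);
    // Do not advertise the Jetty version in the Server header: it only helps an
    // attacker fingerprint the deployment (previously setSendServerVersion(true)).
    http_config.setSendServerVersion(false);
    http_config.setSendDateHeader(false);

    HttpConfiguration https_config = new HttpConfiguration(http_config);
    https_config.addCustomizer(new SecureRequestCustomizer());

    // SSL Connector
    ServerConnector sslConnector = new ServerConnector(server,
        new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
        new HttpConnectionFactory(https_config));
    sslConnector.setPort(port);
    server.addConnector(sslConnector);

    return sslConnector;
}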
 
Example 3
Source File: SecureEmbeddedServer.java — from the incubator-atlas project (Apache License 2.0)
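/**
 * Builds the HTTPS connector for the embedded server and registers it with
 * {@code server}.
 *
 * <p>Key store, trust store and their passwords are read from the Atlas
 * configuration, falling back to system properties and the built-in default
 * locations. Cipher suites listed under {@code ATLAS_SSL_EXCLUDE_CIPHER_SUITES}
 * are excluded, TLS renegotiation is disabled, and the protocols under
 * {@code ATLAS_SSL_EXCLUDE_PROTOCOLS} (or {@code DEFAULT_EXCLUDE_PROTOCOLS}) are
 * appended to Jetty's own exclusion list.
 *
 * @param port TCP port the HTTPS connector listens on
 * @return the connector, already added to {@code server}
 * @throws IOException propagated from the configuration / password helpers
 */
protected Connector getConnector(int port) throws IOException {
    org.apache.commons.configuration.Configuration config = getConfiguration();

    SslContextFactory sslContextFactory = new SslContextFactory();
    sslContextFactory.setKeyStorePath(config.getString(KEYSTORE_FILE_KEY,
            System.getProperty(KEYSTORE_FILE_KEY, DEFAULT_KEYSTORE_FILE_LOCATION)));
    sslContextFactory.setKeyStorePassword(getPassword(config, KEYSTORE_PASSWORD_KEY));
    sslContextFactory.setKeyManagerPassword(getPassword(config, SERVER_CERT_PASSWORD_KEY));
    sslContextFactory.setTrustStorePath(config.getString(TRUSTSTORE_FILE_KEY,
            System.getProperty(TRUSTSTORE_FILE_KEY, DEFATULT_TRUSTORE_FILE_LOCATION)));
    sslContextFactory.setTrustStorePassword(getPassword(config, TRUSTSTORE_PASSWORD_KEY));
    // "want" (not "need") client auth: a client certificate is requested but a
    // connection without one is still accepted. Use setNeedClientAuth if mutual
    // TLS is meant to be mandatory. The fallback default is the system property
    // of the same name.
    sslContextFactory.setWantClientAuth(config.getBoolean(CLIENT_AUTH_KEY, Boolean.getBoolean(CLIENT_AUTH_KEY)));

    // setExcludeCipherSuites REPLACES Jetty's built-in exclusion list, so the
    // configured list (or DEFAULT_CIPHER_SUITES) must be complete on its own.
    List<Object> cipherList = config.getList(ATLAS_SSL_EXCLUDE_CIPHER_SUITES, DEFAULT_CIPHER_SUITES);
    sslContextFactory.setExcludeCipherSuites(cipherList.toArray(new String[0]));
    // Disable TLS renegotiation (historically a source of injection and DoS issues).
    sslContextFactory.setRenegotiationAllowed(false);

    // addExcludeProtocols APPENDS to Jetty's defaults (which already cover
    // SSLv2/SSLv3), so a configured value can only tighten the protocol set.
    String[] excludedProtocols = config.containsKey(ATLAS_SSL_EXCLUDE_PROTOCOLS) ?
            config.getStringArray(ATLAS_SSL_EXCLUDE_PROTOCOLS) : DEFAULT_EXCLUDE_PROTOCOLS;
    if (excludedProtocols != null && excludedProtocols.length > 0) {
        sslContextFactory.addExcludeProtocols(excludedProtocols);
    }

    // HTTP configuration shared by the HTTPS connector
    HttpConfiguration http_config = new HttpConfiguration();
    http_config.setSecureScheme("https");
    final int bufferSize = AtlasConfiguration.WEBSERVER_REQUEST_BUFFER_SIZE.getInt();
    http_config.setSecurePort(port);
    http_config.setRequestHeaderSize(bufferSize);
    http_config.setResponseHeaderSize(bufferSize);
    // Do not advertise the Jetty version in the Server header: it only helps an
    // attacker fingerprint the deployment (previously setSendServerVersion(true)).
    http_config.setSendServerVersion(false);
    http_config.setSendDateHeader(false);

    HttpConfiguration https_config = new HttpConfiguration(http_config);
    https_config.addCustomizer(new SecureRequestCustomizer());

    // SSL Connector
    ServerConnector sslConnector = new ServerConnector(server,
        new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
        new HttpConnectionFactory(https_config));
    sslConnector.setPort(port);
    server.addConnector(sslConnector);

    return sslConnector;
}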
 
Example 4
Source File: JettyHTTPServerEngine.java — from the cxf project (Apache License 2.0)
/**
 * Creates the JSSE {@link SSLContext} for this engine and mirrors the configured
 * protocol and cipher-suite policy onto the Jetty {@link SslContextFactory}.
 *
 * <p>Protocol handling works on Jetty's exclusion list, which excludes SSLv3 by
 * default:
 * <ul>
 *   <li>If the secure socket protocol is "SSLv3", or any protocols are explicitly
 *       included in the TLS parameters, the current exclusion list is rebuilt
 *       without those protocols (and, for SSLv3, without the SSLv2Hello
 *       pseudo-protocol). Re-enabling SSLv3 exposes the endpoint to POODLE-style
 *       downgrade attacks and should only be done for legacy clients that cannot
 *       be upgraded; likewise an "include" entry can un-exclude anything Jetty
 *       excludes by default.</li>
 *   <li>Any protocols listed as excluded in the TLS parameters are then appended.</li>
 * </ul>
 *
 * <p>For cipher suites, an explicit exclude filter replaces Jetty's default
 * exclusion list with the CXF-filtered set, and the include list is always set.
 *
 * @param scf the Jetty factory whose include/exclude lists are rewritten in place
 * @return an initialised context built from the configured key and trust managers
 *         (a null trust-manager array falls back to JSSE's platform defaults)
 * @throws Exception propagated from JSSE (unknown protocol or provider,
 *         initialisation failures) or from the key-manager helper
 */
protected SSLContext createSSLContext(SslContextFactory scf) throws Exception  {
    final String configuredProto = tlsServerParameters.getSecureSocketProtocol();
    final String proto = configuredProto == null ? "TLS" : configuredProto;
    final boolean sslv3Requested = "SSLv3".equals(proto);

    if (sslv3Requested || !tlsServerParameters.getIncludeProtocols().isEmpty()) {
        // Keep every currently excluded protocol unless it has been explicitly
        // re-enabled by name, or is SSLv3/SSLv2Hello while SSLv3 is requested.
        List<String> stillExcluded = new ArrayList<>();
        for (String name : scf.getExcludeProtocols()) {
            boolean reenabled = tlsServerParameters.getIncludeProtocols().contains(name)
                || (sslv3Requested && ("SSLv3".equals(name) || "SSLv2Hello".equals(name)));
            if (!reenabled) {
                stillExcluded.add(name);
            }
        }
        scf.setExcludeProtocols(stillExcluded.toArray(new String[0]));
    }

    for (String excluded : tlsServerParameters.getExcludeProtocols()) {
        scf.addExcludeProtocols(excluded);
    }

    final String provider = tlsServerParameters.getJsseProvider();
    final String contextProto = detectProto(proto, sslv3Requested);
    final SSLContext context = provider == null
        ? SSLContext.getInstance(contextProto)
        : SSLContext.getInstance(contextProto, provider);

    KeyManager[] keyManagers = org.apache.cxf.transport.https.SSLUtils.configureKeyManagersWithCertAlias(
        tlsServerParameters, tlsServerParameters.getKeyManagers());
    context.init(keyManagers,
                 tlsServerParameters.getTrustManagers(),
                 tlsServerParameters.getSecureRandom());

    // Cipher suites: exclusions only when a filter explicitly sets them,
    // inclusions always.
    final String[] supported = SSLUtils.getServerSupportedCipherSuites(context);

    if (tlsServerParameters.getCipherSuitesFilter() != null
        && tlsServerParameters.getCipherSuitesFilter().isSetExclude()) {
        scf.setExcludeCipherSuites(SSLUtils.getFilteredCiphersuites(
            tlsServerParameters.getCipherSuitesFilter(), supported, LOG, true));
    }

    scf.setIncludeCipherSuites(SSLUtils.getCiphersuitesToInclude(
        tlsServerParameters.getCipherSuites(),
        tlsServerParameters.getCipherSuitesFilter(),
        context.getServerSocketFactory().getDefaultCipherSuites(),
        supported,
        LOG));

    return context;
}