init

java/org/apache/tomcat/util/net/jsse/JSSEUtil.java

@@ -0,0 +1,147 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.tomcat.util.net.jsse;
+
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Locale;
+import java.util.Set;
+
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.compat.JreVendor;
+import org.apache.tomcat.util.net.Constants;
+import org.apache.tomcat.util.net.SSLContext;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate;
+import org.apache.tomcat.util.net.SSLUtilBase;
+import org.apache.tomcat.util.res.StringManager;
+
+/**
+ * SSLUtil implementation for JSSE.
+ *
+ * @author Harish Prabandham
+ * @author Costin Manolache
+ * @author Stefan Freyr Stefansson
+ * @author EKR
+ * @author Jan Luehe
+ */
+public class JSSEUtil extends SSLUtilBase {
+
+    private static final Log log = LogFactory.getLog(JSSEUtil.class);
+    private static final StringManager sm = StringManager.getManager(JSSEUtil.class);
+
+    private static final Set<String> implementedProtocols;
+    private static final Set<String> implementedCiphers;
+
+    static {
+        SSLContext context;
+        try {
+            context = new JSSESSLContext(Constants.SSL_PROTO_TLS);
+            context.init(null,  null,  null);
+        } catch (NoSuchAlgorithmException | KeyManagementException e) {
+            // This is fatal for the connector so throw an exception to prevent
+            // it from starting
+            throw new IllegalArgumentException(e);
+        }
+
+        String[] implementedProtocolsArray = context.getSupportedSSLParameters().getProtocols();
+        implementedProtocols = new HashSet<>(implementedProtocolsArray.length);
+
+        // Filter out SSLv2 from the list of implemented protocols (just in case
+        // we are running on a JVM that supports it) since it is no longer
+        // considered secure but allow SSLv2Hello.
+        // Note SSLv3 is allowed despite known insecurities because some users
+        // still have a requirement for it.
+        for (String protocol : implementedProtocolsArray) {
+            String protocolUpper = protocol.toUpperCase(Locale.ENGLISH);
+            if (!"SSLV2HELLO".equals(protocolUpper) && !"SSLV3".equals(protocolUpper)) {
+                if (protocolUpper.contains("SSL")) {
+                    log.debug(sm.getString("jsse.excludeProtocol", protocol));
+                    continue;
+                }
+            }
+            implementedProtocols.add(protocol);
+        }
+
+        if (implementedProtocols.size() == 0) {
+            log.warn(sm.getString("jsse.noDefaultProtocols"));
+        }
+
+        String[] implementedCipherSuiteArray = context.getSupportedSSLParameters().getCipherSuites();
+        // The IBM JRE will accept cipher suites names SSL_xxx or TLS_xxx but
+        // only returns the SSL_xxx form for supported cipher suites. Therefore
+        // need to filter the requested cipher suites using both forms with an
+        // IBM JRE.
+        if (JreVendor.IS_IBM_JVM) {
+            implementedCiphers = new HashSet<>(implementedCipherSuiteArray.length * 2);
+            for (String name : implementedCipherSuiteArray) {
+                implementedCiphers.add(name);
+                if (name.startsWith("SSL")) {
+                    implementedCiphers.add("TLS" + name.substring(3));
+                }
+            }
+        } else {
+            implementedCiphers = new HashSet<>(implementedCipherSuiteArray.length);
+            implementedCiphers.addAll(Arrays.asList(implementedCipherSuiteArray));
+        }
+    }
+
+
+    public JSSEUtil (SSLHostConfigCertificate certificate) {
+        this(certificate, true);
+    }
+
+
+    public JSSEUtil (SSLHostConfigCertificate certificate, boolean warnOnSkip) {
+        super(certificate, warnOnSkip);
+    }
+
+
+    @Override
+    protected Log getLog() {
+        return log;
+    }
+
+
+    @Override
+    protected Set<String> getImplementedProtocols() {
+        return implementedProtocols;
+    }
+
+
+    @Override
+    protected Set<String> getImplementedCiphers() {
+        return implementedCiphers;
+    }
+
+
+    @Override
+    protected boolean isTls13RenegAuthAvailable() {
+        // TLS 1.3 does not support authentication after the initial handshake
+        return false;
+    }
+
+
+    @Override
+    public SSLContext createSSLContextInternal(List<String> negotiableProtocols)
+            throws NoSuchAlgorithmException {
+        return new JSSESSLContext(sslHostConfig.getSslProtocol());
+    }
+}