001    /**
002     * Licensed to the Apache Software Foundation (ASF) under one
003     * or more contributor license agreements.  See the NOTICE file
004     * distributed with this work for additional information
005     * regarding copyright ownership.  The ASF licenses this file
006     * to you under the Apache License, Version 2.0 (the
007     * "License"); you may not use this file except in compliance
008     * with the License.  You may obtain a copy of the License at
009     *
010     *     http://www.apache.org/licenses/LICENSE-2.0
011     *
012     * Unless required by applicable law or agreed to in writing, software
013     * distributed under the License is distributed on an "AS IS" BASIS,
014     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015     * See the License for the specific language governing permissions and
016     * limitations under the License.
017     */
018    
019    package org.apache.hadoop.security.ssl;
020    
import java.io.IOException;
import java.net.ServerSocket;
import java.util.ArrayList;
import java.util.List;

import javax.net.ssl.SSLServerSocket;

import org.mortbay.jetty.security.SslSocketConnector;
027    
028    /**
029     * This subclass of the Jetty SslSocketConnector exists solely to control
030     * the TLS protocol versions allowed.  This is fallout from the POODLE
031     * vulnerability (CVE-2014-3566), which requires that SSLv3 be disabled.
032     * Only TLS 1.0 and later protocols are allowed.
033     */
034    public class SslSocketConnectorSecure extends SslSocketConnector {
035    
036      public SslSocketConnectorSecure() {
037        super();
038      }
039    
040      /**
041       * Create a new ServerSocket that will not accept SSLv3 connections,
042       * but will accept TLSv1.x connections.
043       */
044      protected ServerSocket newServerSocket(String host, int port,int backlog)
045              throws IOException {
046        SSLServerSocket socket = (SSLServerSocket)
047                super.newServerSocket(host, port, backlog);
048        ArrayList<String> nonSSLProtocols = new ArrayList<String>();
049        for (String p : socket.getEnabledProtocols()) {
050          if (!p.contains("SSLv3")) {
051            nonSSLProtocols.add(p);
052          }
053        }
054        socket.setEnabledProtocols(nonSSLProtocols.toArray(
055                new String[nonSSLProtocols.size()]));
056        return socket;
057      }
058    }