001/**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018
019package org.apache.hadoop.security.ssl;
020
import org.mortbay.jetty.security.SslSocketConnector;

import javax.net.ssl.SSLServerSocket;
import java.io.IOException;
import java.net.ServerSocket;
import java.util.ArrayList;
import java.util.List;
027
028/**
029 * This subclass of the Jetty SslSocketConnector exists solely to control
030 * the TLS protocol versions allowed.  This is fallout from the POODLE
031 * vulnerability (CVE-2014-3566), which requires that SSLv3 be disabled.
032 * Only TLS 1.0 and later protocols are allowed.
033 */
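public class SslSocketConnectorSecure extends SslSocketConnector {

  /**
   * Prefix of every JSSE protocol name that is not a TLS version: "SSLv3"
   * itself, and the "SSLv2Hello" pseudo-protocol that lets the server accept
   * an SSLv2-format ClientHello.  TLS versions are named "TLSv1", "TLSv1.1",
   * and so on, so a prefix test separates the two families cleanly.
   */
  private static final String LEGACY_SSL_PREFIX = "SSL";

  public SslSocketConnectorSecure() {
    super();
  }

  /**
   * Create a new ServerSocket that accepts only TLSv1.x connections.
   *
   * The socket is obtained from the Jetty superclass with the provider's
   * default set of enabled protocols, and that set is then narrowed to the
   * TLS versions.  Besides SSLv3 (POODLE, CVE-2014-3566) this also drops
   * SSLv2Hello: the earlier {@code contains("SSLv3")} test left it enabled,
   * which contradicted the "TLS only" contract stated on the class.  A client
   * that can only open with an SSLv2-format hello will no longer connect;
   * that is the intended hardening.
   *
   * @param host interface to bind, passed through to the superclass
   * @param port port to bind, passed through to the superclass
   * @param backlog listen backlog, passed through to the superclass
   * @return the bound SSL server socket with only TLS protocols enabled
   * @throws IOException if the superclass cannot create the socket, or if no
   *         TLS protocol would remain enabled.  In the latter case, and if
   *         the provider rejects the narrowed protocol set, the socket is
   *         closed before the exception propagates so the bound port is not
   *         leaked.
   */
  protected ServerSocket newServerSocket(String host, int port, int backlog)
          throws IOException {
    SSLServerSocket socket = (SSLServerSocket)
            super.newServerSocket(host, port, backlog);
    boolean restricted = false;
    try {
      String[] tlsOnly = tlsOnly(socket.getEnabledProtocols());
      if (tlsOnly.length == 0) {
        // Fail closed: a listener that offers no TLS version can never
        // complete a handshake, so report that clearly instead of handing
        // Jetty a socket that is either rejected by the provider or useless.
        throw new IOException("No TLSv1.x protocol is enabled on the SSL "
            + "server socket; refusing to listen with only SSLv2/SSLv3");
      }
      socket.setEnabledProtocols(tlsOnly);
      restricted = true;
      return socket;
    } finally {
      if (!restricted) {
        // Reached on the IOException above or on a RuntimeException from
        // setEnabledProtocols; release the bound port rather than leak it.
        try {
          socket.close();
        } catch (IOException ignored) {
          // The original failure is already propagating; a close error
          // would only obscure it.
        }
      }
    }
  }

  /**
   * Return the entries of {@code enabled} that are TLS versions, in the
   * provider's original order.  Entries starting with "SSL" (SSLv3 and the
   * SSLv2Hello pseudo-protocol) are dropped; everything else is kept.
   *
   * @param enabled protocol names as reported by the server socket
   * @return the TLS-only subset, possibly empty, never null
   */
  private static String[] tlsOnly(String[] enabled) {
    List<String> kept = new ArrayList<String>(enabled.length);
    for (String protocol : enabled) {
      if (!protocol.startsWith(LEGACY_SSL_PREFIX)) {
        kept.add(protocol);
      }
    }
    return kept.toArray(new String[kept.size()]);
  }
}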