From ma...@apache.org
Subject svn commit: r1639540 - in /db/derby/code/branches/10.11: ./ java/client/org/apache/derby/client/net/ java/drda/org/apache/derby/impl/drda/
Date Thu, 13 Nov 2014 22:22:12 GMT
Author: mamta
Date: Thu Nov 13 22:22:12 2014
New Revision: 1639540

URL: http://svn.apache.org/r1639540
Log:
DERBY-6764 (analyze impact of the POODLE security alert on Derby client–server SSL support)

Backporting to 10.11


Modified:
    db/derby/code/branches/10.11/   (props changed)
    db/derby/code/branches/10.11/java/client/org/apache/derby/client/net/NaiveTrustManager.java
    db/derby/code/branches/10.11/java/client/org/apache/derby/client/net/OpenSocketAction.java
    db/derby/code/branches/10.11/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java
    db/derby/code/branches/10.11/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java

Propchange: db/derby/code/branches/10.11/
------------------------------------------------------------------------------
  Merged /db/derby/code/trunk:r1636509,1636668,1636798

Modified: db/derby/code/branches/10.11/java/client/org/apache/derby/client/net/NaiveTrustManager.java
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.11/java/client/org/apache/derby/client/net/NaiveTrustManager.java?rev=1639540&r1=1639539&r2=1639540&view=diff
==============================================================================
--- db/derby/code/branches/10.11/java/client/org/apache/derby/client/net/NaiveTrustManager.java
(original)
+++ db/derby/code/branches/10.11/java/client/org/apache/derby/client/net/NaiveTrustManager.java
Thu Nov 13 22:22:12 2014
@@ -73,7 +73,7 @@ class NaiveTrustManager
             thisManager = new TrustManager [] {new NaiveTrustManager()};
         }
 
-        SSLContext ctx = SSLContext.getInstance("SSL");
+        SSLContext ctx = SSLContext.getInstance("TLS");
         
         if (ctx.getProvider().getName().equals("SunJSSE") &&
             (System.getProperty("javax.net.ssl.keyStore") != null) &&
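Review bot: The change from the "SSL" to the "TLS" alias on line 43 is not by itself what keeps SSLv3 off the wire: on the SunJSSE releases current at the time both aliases returned a context whose default enabled set still contained SSLv3, so the effective mitigation is the per-socket setEnabledProtocols stripping that this commit adds to OpenSocketAction. A reader of this line alone would reasonably assume it is sufficient, so it deserves a comment: `// "TLS" rather than "SSL" (DERBY-6764); SSLv3/SSLv2Hello are additionally stripped per socket in OpenSocketAction`. The enclosing method (presumably getSocketFactory) begins and ends outside the hunk.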

Modified: db/derby/code/branches/10.11/java/client/org/apache/derby/client/net/OpenSocketAction.java
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.11/java/client/org/apache/derby/client/net/OpenSocketAction.java?rev=1639540&r1=1639539&r2=1639540&view=diff
==============================================================================
--- db/derby/code/branches/10.11/java/client/org/apache/derby/client/net/OpenSocketAction.java
(original)
+++ db/derby/code/branches/10.11/java/client/org/apache/derby/client/net/OpenSocketAction.java
Thu Nov 13 22:22:12 2014
@@ -22,6 +22,7 @@
 package org.apache.derby.client.net;
 
 import java.io.IOException;
+
 import java.net.Socket;
 import java.net.UnknownHostException;
 import java.security.KeyManagementException;
@@ -32,6 +33,7 @@ import java.security.PrivilegedException
 import java.security.UnrecoverableKeyException;
 import java.security.cert.CertificateException;
 import javax.net.SocketFactory;
+import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
 import org.apache.derby.jdbc.BasicClientDataSource40;
 
@@ -75,7 +77,45 @@ class OpenSocketAction implements Privil
             sf = SocketFactory.getDefault();
             break;
         }
-        return sf.createSocket(server_, port_);
+        if (clientSSLMode_ == BasicClientDataSource40.SSL_BASIC ||
+            clientSSLMode_ == BasicClientDataSource40.SSL_PEER_AUTHENTICATION){
+        	//DERBY-6764(analyze impact of poodle security alert on Derby 
+        	// client - server ssl support)
+        	//If SSLv3 and/or SSLv2Hello is one of the enabled protocols,  
+        	// then we want to remove it from the list of enabled protocols  
+        	// because of poodle security breach
+        	SSLSocket sSocket = (SSLSocket)sf.createSocket(server_, port_);
+        	String[] enabledProtocols = sSocket.getEnabledProtocols();
+
+            //If SSLv3 and/or SSLv2Hello is one of the enabled protocols, 
+            // then remove it from the list of enabled protocols because of 
+            // its security breach.
+            String[] supportedProtocols = new String[enabledProtocols.length];
+            int supportedProtocolsCount  = 0;
+            for ( int i = 0; i < enabledProtocols.length; i++ )
+            {
+                if (!(enabledProtocols[i].toUpperCase().contains("SSLV3") ||
+                    enabledProtocols[i].toUpperCase().contains("SSLV2HELLO"))) {
+                	supportedProtocols[supportedProtocolsCount] = 
+                			enabledProtocols[i];
+                	supportedProtocolsCount++;
+                }
+            }
+            if(supportedProtocolsCount < enabledProtocols.length) {
+            	String[] newEnabledProtocolsList = null;
+            	//We found that SSLv3 and or SSLv2Hello is one of the enabled 
+            	// protocols for this jvm. Following code will remove it from 
+            	// enabled list.
+            	newEnabledProtocolsList = 
+            			new String[supportedProtocolsCount];
+            	System.arraycopy(supportedProtocols, 0, 
+            			newEnabledProtocolsList, 0, 
+            			supportedProtocolsCount);
+            	sSocket.setEnabledProtocols(newEnabledProtocolsList);
+            }
+            return sSocket;
+        } else
+            return sf.createSocket(server_, port_);
     }
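Review bot: The connected socket created on line 83 is leaked if anything between that line and `return sSocket` throws — in particular `setEnabledProtocols` on line 110 throws IllegalArgumentException when the JSSE provider rejects the filtered list (and if only SSLv3 was enabled the list is empty, so the failure is at least deferred to the handshake). The filtering should run inside a try block that closes the socket and rethrows on failure. The `toUpperCase()` calls on lines 93–94 should also pass `Locale.ROOT` or, better, use `equalsIgnoreCase("SSLv3")` / `equalsIgnoreCase("SSLv2Hello")` since protocol names are exact tokens; as written the logic duplicates `removeSSLv3andSSLv2Hello` in NetworkServerControlImpl almost line for line, and a private helper in this class would at least keep the client side readable. The cast on line 83 presumably relies on the earlier switch cases assigning an SSLSocketFactory for the two SSL modes; those cases, and the start of the enclosing run method, are outside the hunk.

```java
SSLSocket sSocket = (SSLSocket)sf.createSocket(server_, port_);
try {
    // … unchanged: build newEnabledProtocolsList without SSLv3/SSLv2Hello …
    sSocket.setEnabledProtocols(newEnabledProtocolsList);
} catch (RuntimeException e) {
    // setEnabledProtocols rejects unsupported/empty lists with an
    // IllegalArgumentException; don't leak the already-connected socket
    sSocket.close();
    throw e;
}
return sSocket;
```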
 
 }

Modified: db/derby/code/branches/10.11/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.11/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java?rev=1639540&r1=1639539&r2=1639540&view=diff
==============================================================================
--- db/derby/code/branches/10.11/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java
(original)
+++ db/derby/code/branches/10.11/java/drda/org/apache/derby/impl/drda/NaiveTrustManager.java
Thu Nov 13 22:22:12 2014
@@ -68,7 +68,7 @@ public class NaiveTrustManager
             thisManager = new TrustManager [] {new NaiveTrustManager()};
         }
 
-        SSLContext ctx = SSLContext.getInstance("SSL");
+        SSLContext ctx = SSLContext.getInstance("TLS");
         
         if (ctx.getProvider().getName().equals("SunJSSE") &&
             (PropertyUtil.getSystemProperty("javax.net.ssl.keyStore") != null) &&
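Review bot: Line 131 needs the same caveat as the client-side copy of this class: asking for a "TLS" context does not remove SSLv3 from the default enabled protocol set on the JDKs this branch supports, so the protection for the SSL_BASIC control connection built from this factory (see the `NaiveTrustManager.getSocketFactory()` call site later in this commit) comes from the explicit `removeSSLv3andSSLv2Hello` stripping there, not from this line. Suggested comment: `// "TLS" rather than "SSL" (DERBY-6764); callers still strip SSLv3/SSLv2Hello per socket`. The enclosing method starts and ends outside the hunk.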

Modified: db/derby/code/branches/10.11/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.11/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java?rev=1639540&r1=1639539&r2=1639540&view=diff
==============================================================================
--- db/derby/code/branches/10.11/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java
(original)
+++ db/derby/code/branches/10.11/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java
Thu Nov 13 22:22:12 2014
@@ -724,9 +724,17 @@ public final class NetworkServerControlI
         case SSL_BASIC:
             SSLServerSocketFactory ssf =
                 (SSLServerSocketFactory)SSLServerSocketFactory.getDefault();
-            return (SSLServerSocket)ssf.createServerSocket(portNumber,
-                                                           0,
-                                                           hostAddress);
+            SSLServerSocket sss1= 
+                    (SSLServerSocket)ssf.createServerSocket(portNumber,
+                    0,
+                    hostAddress);
+            //DERBY-6764(analyze impact of poodle security alert on 
+            // Derby client - server ssl support)
+            String[] removeTwoProtocols = 
+            		removeSSLv3andSSLv2Hello(
+                            sss1.getEnabledProtocols());
+            sss1.setEnabledProtocols(removeTwoProtocols);
+            return sss1;
         case SSL_PEER_AUTHENTICATION:
             SSLServerSocketFactory ssf2 =
                 (SSLServerSocketFactory)SSLServerSocketFactory.getDefault();
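Review bot: The bound listening socket `sss1` from line 151 is leaked if `setEnabledProtocols` on line 159 throws (the JSSE provider raises IllegalArgumentException for a list it rejects), which leaves the port held until GC; wrap the stripping in a try block that closes the server socket and rethrows. It is also worth recording why stripping at the server socket is enough — SSLSockets returned by `accept()` inherit the server socket's enabled protocols in JSSE — since nothing in `accept()` handling is touched by this commit. Note the hunk ends inside the following `case SSL_PEER_AUTHENTICATION:` arm, whose change is in the next hunk.

```java
SSLServerSocket sss1 =
        (SSLServerSocket)ssf.createServerSocket(portNumber, 0, hostAddress);
try {
    // DERBY-6764: sockets returned by accept() inherit this list,
    // so stripping SSLv3/SSLv2Hello here covers every client connection
    sss1.setEnabledProtocols(removeSSLv3andSSLv2Hello(sss1.getEnabledProtocols()));
} catch (RuntimeException e) {
    sss1.close(); // don't leak the bound listening socket
    throw e;
}
return sss1;
```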
@@ -734,6 +742,12 @@ public final class NetworkServerControlI
                 (SSLServerSocket)ssf2.createServerSocket(portNumber,
                                                          0,
                                                          hostAddress);
+            //DERBY-6764(analyze impact of poodle security alert on 
+            // Derby client - server ssl support)
+            removeTwoProtocols = 
+            		removeSSLv3andSSLv2Hello(
+                            sss2.getEnabledProtocols());
+            sss2.setEnabledProtocols(removeTwoProtocols);
             sss2.setNeedClientAuth(true);
             return sss2;
         }
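Review bot: `removeTwoProtocols` on line 170 is the local declared under `case SSL_BASIC:` in the previous arm, reassigned here without a declaration; that compiles only because a switch body is one scope, and it ties the two arms together so that reordering or bracing the cases breaks the build. Give this arm its own local, `String[] peerAuthProtocols = removeSSLv3andSSLv2Hello(sss2.getEnabledProtocols());` followed by `sss2.setEnabledProtocols(peerAuthProtocols);`, or move the stripping into a helper that takes the SSLServerSocket. The same leak-on-exception concern as the SSL_BASIC arm applies here: if line 173 or `setNeedClientAuth` throws, `sss2` (created above the hunk) is never closed.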
@@ -2628,6 +2642,12 @@ public final class NetworkServerControlI
                                         case SSL_BASIC:
                                             SSLSocket s1 = (SSLSocket)NaiveTrustManager.getSocketFactory().
                                                 createSocket(hostAddress, portNumber);
+                                            //DERBY-6764(analyze impact of poodle security
alert on 
+                                            // Derby client - server ssl support)
+                                            String[] removeTwoProtocols = 
+                                            		removeSSLv3andSSLv2Hello(s1.getEnabledProtocols());
+                                            s1.setEnabledProtocols(
+                                            		removeTwoProtocols);
                                             // Need to handshake now to get proper error
reporting.
                                             s1.startHandshake();
                                             return s1;
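Review bot: The get-enabled / filter / set-enabled sequence on lines 184–187 is now repeated verbatim at four call sites in this file plus once in the client, which makes it easy for a future socket path to miss the stripping; a single `private static void disableSSLv3AndSSLv2Hello(SSLSocket s)` that does `s.setEnabledProtocols(removeSSLv3andSSLv2Hello(s.getEnabledProtocols()));` would reduce each site to one line. Since `startHandshake()` on line 190 now runs with SSLv3 removed, a peer that only offers SSLv3 (an unpatched older server) fails here with a generic SSLHandshakeException; a short comment next to the handshake noting that this is the expected DERBY-6764 failure mode would help whoever reads the resulting stack trace. The enclosing privileged action and method begin and end outside the hunk.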
@@ -2635,6 +2655,12 @@ public final class NetworkServerControlI
                                         case SSL_PEER_AUTHENTICATION:
                                             SSLSocket s2 = (SSLSocket)SSLSocketFactory.getDefault().
                                                 createSocket(hostAddress, portNumber);
+                                            //DERBY-6764(analyze impact of poodle security
alert on 
+                                            // Derby client - server ssl support)
+                                            removeTwoProtocols = 
+                                            		removeSSLv3andSSLv2Hello(s2.getEnabledProtocols());
+                                            s2.setEnabledProtocols(
+                                            		removeTwoProtocols);
                                             // Need to handshake now to get proper error
reporting.
                                             s2.startHandshake();
                                             return s2;
@@ -2676,7 +2702,38 @@ public final class NetworkServerControlI
         }
     }
 
-    
+    //DERBY-6764(analyze impact of poodle security alert on 
+    // Derby client - server ssl support)
+    //Remove SSLv3 and SSLv2Hello protocols from list of enabled protocols
+    private String[] removeSSLv3andSSLv2Hello(String[] enabledProtocols) {
+        //If SSLv3 and SSLv2Hello are one of the enabled protocols, then 
+        // remove them from the list of enabled protocols because of the 
+        // possible security breach.
+        String[] supportedProtocols = new String[enabledProtocols.length];
+        int supportedProtocolsCount  = 0;
+        for ( int i = 0; i < enabledProtocols.length; i++ )
+        {
+            if (!(enabledProtocols[i].toUpperCase().contains("SSLV3") ||
+            	enabledProtocols[i].toUpperCase().contains("SSLV2HELLO"))) {
+            	supportedProtocols[supportedProtocolsCount] = enabledProtocols[i];
+            	supportedProtocolsCount++;
+            }
+        }
+        if(supportedProtocolsCount < enabledProtocols.length) {
+            //We found SSLv3 and/or SSLv2Hello as one of the enabled 
+            // protocols for this jvm. Following code will remove them from 
+            // enabled list.
+            String[] newEnabledProtocolsList = null;
+            newEnabledProtocolsList = 
+                new String[supportedProtocolsCount];
+            System.arraycopy(supportedProtocols, 0, 
+                newEnabledProtocolsList, 0, 
+                supportedProtocolsCount);
+            return(newEnabledProtocolsList);
+        } else 
+            return(enabledProtocols);
+    }
+
     private void checkAddressIsLocal(InetAddress inetAddr) throws UnknownHostException,Exception
     {
         if (localAddresses.contains(inetAddr)) {
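Review bot: `removeSSLv3andSSLv2Hello` on line 215 uses no instance state and should be `private static String[] removeSSLv3andSSLv2Hello(String[] enabledProtocols)`, and the `toUpperCase().contains(...)` tests on lines 223–224 are a locale-dependent substring match where an exact, case-insensitive token compare is what is meant: `if (!(enabledProtocols[i].equalsIgnoreCase("SSLv3") || enabledProtocols[i].equalsIgnoreCase("SSLv2Hello")))`. The method also has no Javadoc; suggested: `/** Returns enabledProtocols minus SSLv3 and SSLv2Hello (DERBY-6764, POODLE); returns the caller's array unchanged when neither was present. */`. One edge case is left silent: if the filtered list comes back empty (a JVM configured with only SSLv3), callers pass an empty array to setEnabledProtocols and the failure surfaces later as an opaque handshake error, so the helper could throw an explicit exception naming the cause when `supportedProtocolsCount == 0`.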


