Author: rareddy
Date: 2011-10-06 16:43:45 -0400 (Thu, 06 Oct 2011)
New Revision: 3538
Modified:
trunk/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml
trunk/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java
Log:
TEIID-1772: adding the ability to custom-configure the cipher suites for the SSL connection
Modified: trunk/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml
===================================================================
--- trunk/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml 2011-10-06
19:40:43 UTC (rev 3537)
+++ trunk/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml 2011-10-06
20:43:45 UTC (rev 3538)
@@ -231,6 +231,9 @@
<property name="truststorePassword">passwd</property>
<!-- 1-way, 2-way, anonymous -->
<property name="authenticationMode">anonymous</property>
+ <!-- uncomment for enforcing the minimum 128 bit encryption, edit or supply
only supported cipher suites from JVM
+ <property
name="enabledCipherSuites">SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_KRB5_WITH_RC4_128_MD5,TLS_KRB5_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_KRB5_WITH_3DES_EDE_CBC_MD5,TLS_KRB5_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA</property>
+ -->
</bean>
<!-- JDBC Socket connection properties (SSL see below) -->
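Review bot: The sample comment on L19 describes the list as enforcing "minimum 128 bit encryption", but the example value on L22 includes the `*_3DES_EDE_CBC_*` suites, whose effective key strength is 112 bits, so the wording overstates what the example enforces. I would reword the comment to `<!-- uncomment to restrict the negotiated cipher suites; edit the list to contain only suites supported by the JVM -->` and leave the strength claim out, or drop the 3DES entries if 128-bit is the actual requirement. Note also that the value is a comma-separated string, which only works if the Java setter splits on commas (see the SSLConfiguration hunk).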
Modified: trunk/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java
===================================================================
--- trunk/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java 2011-10-06
19:40:43 UTC (rev 3537)
+++ trunk/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java 2011-10-06
20:43:45 UTC (rev 3538)
@@ -24,7 +24,9 @@
import java.io.IOException;
import java.security.GeneralSecurityException;
+import java.util.ArrayList;
import java.util.Arrays;
+import java.util.StringTokenizer;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
@@ -59,8 +61,10 @@
private String trustStoreFileName;
private String trustStorePassword = ""; //$NON-NLS-1$
private String authenticationMode = ONEWAY;
+ private String[] enabledCipherSuites;
- public SSLEngine getServerSSLEngine() throws IOException, GeneralSecurityException {
+
+ public SSLEngine getServerSSLEngine() throws IOException, GeneralSecurityException {
if (!isSslEnabled()) {
return null;
}
@@ -86,10 +90,13 @@
if
(!(Arrays.asList(result.getSupportedCipherSuites()).contains(SocketUtil.ANON_CIPHER_SUITE)))
{
throw new
GeneralSecurityException(RuntimePlugin.Util.getString("SSLConfiguration.no_anonymous"));
//$NON-NLS-1$
}
- result.setEnabledCipherSuites(new String[] {
- SocketUtil.ANON_CIPHER_SUITE
- });
- }
+ result.setEnabledCipherSuites(this.enabledCipherSuites == null?new String[]
{SocketUtil.ANON_CIPHER_SUITE}:this.enabledCipherSuites);
+ } else {
+ if (this.enabledCipherSuites != null) {
+ result.setEnabledCipherSuites(this.enabledCipherSuites);
+ }
+ }
+
result.setNeedClientAuth(TWOWAY.equals(authenticationMode));
return result;
}
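Review bot: Neither branch validates `this.enabledCipherSuites` against `result.getSupportedCipherSuites()` before calling `setEnabledCipherSuites` (L63-L64 and L67), so a typo or a suite the JVM does not support surfaces as an IllegalArgumentException from JSSE at connection time rather than a clear configuration error, unlike the anonymous check on L52-L56 which does fail with a message. In anonymous mode the configured list also replaces `SocketUtil.ANON_CIPHER_SUITE` entirely, so the check that it is supported guards a suite that is then never enabled; if the intent is to keep anonymous handshakes working, the anonymous suite should be retained alongside the configured list, otherwise that should be documented on the setter. The validation below uses a constructed message; the real code should go through `RuntimePlugin.Util.getString` like the existing error. getServerSSLEngine begins in the previous hunk.
```java
if (this.enabledCipherSuites != null) {
    // fail at configuration time with a readable message instead of a JSSE IllegalArgumentException
    String[] supported = result.getSupportedCipherSuites();
    for (String suite : this.enabledCipherSuites) {
        if (!Arrays.asList(supported).contains(suite)) {
            throw new GeneralSecurityException("Unsupported cipher suite configured: " + suite); // constructed message, localize via RuntimePlugin.Util.getString
        }
    }
}
// … unchanged: anonymous-mode check and the enabledCipherSuites assignments …
```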
@@ -142,4 +149,15 @@
this.authenticationMode = value;
}
+ public void setEnabledCipherSuites(String enabledCipherSuites) {
+ ArrayList<String> ciphers = new ArrayList<String>();
+ StringTokenizer st = new StringTokenizer(enabledCipherSuites);
+ while(st.hasMoreTokens()) {
+ ciphers.add(st.nextToken().trim());
+ }
+
+ if (!ciphers.isEmpty()) {
+ this.enabledCipherSuites = ciphers.toArray(new String[ciphers.size()]);
+ }
+ }
}
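Review bot: `new StringTokenizer(enabledCipherSuites)` on L79 splits on whitespace only, while the sample value in teiid-jboss-beans.xml (L22) separates suites with commas, so the whole comma-joined string becomes one token and fails later in `SSLEngine.setEnabledCipherSuites`. Pass the delimiter explicitly, `StringTokenizer st = new StringTokenizer(enabledCipherSuites, ",");` — the existing `trim()` on L81 then handles optional spaces after the commas. A null value also throws NullPointerException from the tokenizer, and a blank value leaves any previously set list in place instead of clearing it; a guard such as `if (enabledCipherSuites == null) { this.enabledCipherSuites = null; return; }` at the top of the setter would make both cases explicit. A short Javadoc stating the expected format (comma-separated JSSE cipher suite names, null to use the defaults) would help whoever edits the bean file.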