Repository: incubator-atlas Updated Branches: refs/heads/master b72a4c44a -> 6e5863e86
ATLAS-1427: Support an option to exclude protocols in SSL mode Signed-off-by: Madhan Neethiraj <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-atlas/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-atlas/commit/6e5863e8 Tree: http://git-wip-us.apache.org/repos/asf/incubator-atlas/tree/6e5863e8 Diff: http://git-wip-us.apache.org/repos/asf/incubator-atlas/diff/6e5863e8 Branch: refs/heads/master Commit: 6e5863e867791c65916b63e08905a4a04de0beaf Parents: b72a4c4 Author: nixonrodrigues <[email protected]> Authored: Wed Jan 4 18:27:07 2017 +0530 Committer: Madhan Neethiraj <[email protected]> Committed: Thu Jan 5 08:52:41 2017 -0800 ---------------------------------------------------------------------- .../java/org/apache/atlas/security/SecurityProperties.java | 3 +++ .../org/apache/atlas/web/service/SecureEmbeddedServer.java | 9 +++++++++ 2 files changed, 12 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/6e5863e8/common/src/main/java/org/apache/atlas/security/SecurityProperties.java ---------------------------------------------------------------------- diff --git a/common/src/main/java/org/apache/atlas/security/SecurityProperties.java b/common/src/main/java/org/apache/atlas/security/SecurityProperties.java index 191d869..2e953eb 100644 --- a/common/src/main/java/org/apache/atlas/security/SecurityProperties.java +++ b/common/src/main/java/org/apache/atlas/security/SecurityProperties.java 
@@ -43,4 +43,7 @@ public final class SecurityProperties { public static final String ATLAS_SSL_EXCLUDE_CIPHER_SUITES = "atlas.ssl.exclude.cipher.suites"; public static final List<String> DEFAULT_CIPHER_SUITES = Arrays.asList( ".*NULL.*", ".*RC4.*", ".*MD5.*", ".*DES.*", ".*DSS.*"); + public static final String ATLAS_SSL_EXCLUDE_PROTOCOLS = "atlas.ssl.exclude.protocols"; + public static final String[] DEFAULT_EXCLUDE_PROTOCOLS = new String[] { "TLSv1", "TLSv1.1" }; + } http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/6e5863e8/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java ---------------------------------------------------------------------- diff --git a/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java b/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java index a6af5a2..fa02e9b 100755 --- a/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java +++ b/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java @@ -49,6 +49,9 @@ import static org.apache.atlas.security.SecurityProperties.KEYSTORE_PASSWORD_KEY import static org.apache.atlas.security.SecurityProperties.SERVER_CERT_PASSWORD_KEY; import static org.apache.atlas.security.SecurityProperties.TRUSTSTORE_FILE_KEY; import static org.apache.atlas.security.SecurityProperties.TRUSTSTORE_PASSWORD_KEY; +import static org.apache.atlas.security.SecurityProperties.ATLAS_SSL_EXCLUDE_PROTOCOLS; +import static org.apache.atlas.security.SecurityProperties.DEFAULT_EXCLUDE_PROTOCOLS; + /** * This is a jetty server which requires client auth via certificates. 
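Review bot: In SecurityProperties.java, `DEFAULT_EXCLUDE_PROTOCOLS` is a `public static final String[]`, and `final` does not protect the elements, so any code in the process can overwrite an entry and weaken the default protocol exclusions for later callers. The neighbouring `DEFAULT_CIPHER_SUITES` is a `List<String>`; declaring this one as `public static final List<String> DEFAULT_EXCLUDE_PROTOCOLS = Collections.unmodifiableList(Arrays.asList("TLSv1", "TLSv1.1"));` would keep the two consistent and make the default read-only, with the call site converting via `toArray(new String[0])`. That needs `java.util.Collections` imported if it is not already; the class header and import block are outside this hunk. A one-line comment such as `// Protocols disabled by default when atlas.ssl.exclude.protocols is not set` would also document the intent.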
@@ -78,6 +81,12 @@ public class SecureEmbeddedServer extends EmbeddedServer { sslContextFactory.setExcludeCipherSuites(cipherList.toArray(new String[cipherList.size()])); sslContextFactory.setRenegotiationAllowed(false); + String[] excludedProtocols = config.containsKey(ATLAS_SSL_EXCLUDE_PROTOCOLS) ? + config.getStringArray(ATLAS_SSL_EXCLUDE_PROTOCOLS) : DEFAULT_EXCLUDE_PROTOCOLS; + if (excludedProtocols != null && excludedProtocols.length > 0) { + sslContextFactory.addExcludeProtocols(excludedProtocols); + } + // SSL HTTP Configuration // HTTP Configuration HttpConfiguration http_config = new HttpConfiguration();
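Review bot: In SecureEmbeddedServer.java, a configured `atlas.ssl.exclude.protocols` value replaces `DEFAULT_EXCLUDE_PROTOCOLS` rather than extending it, so an operator who sets the key to exclude one additional protocol re-enables TLSv1 and TLSv1.1 without any indication. An empty or misspelled value presumably excludes nothing further either, and the added lines never record which protocols end up excluded, so such a downgrade is invisible at startup. I would state the semantics above the ternary with `// A configured list REPLACES the defaults (TLSv1, TLSv1.1); it is not merged with them.` and log the effective list once, for example `LOG.info("Excluded SSL protocols: {}", Arrays.toString(excludedProtocols));`, assuming the class has a logger and `java.util.Arrays` in scope (neither is visible here). The enclosing method starts and ends outside this hunk.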
