This is an automated email from the ASF dual-hosted git repository. reta pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/master by this push: new 56e962c CXF-8265: [JDK14] Accommodate SSLv3 deprecation 56e962c is described below commit 56e962c295f48e9f48dbd0884df79e5e48601284 Author: reta <drr...@gmail.com> AuthorDate: Sun Apr 19 14:25:28 2020 -0400 CXF-8265: [JDK14] Accommodate SSLv3 deprecation --- .../main/java/org/apache/cxf/helpers/JavaUtils.java | 16 +++++++++++++--- .../transport/http_jetty/JettyHTTPServerEngine.java | 19 +++++++++++++++++-- .../java/org/apache/cxf/https/ssl3/SSLv3Server.java | 8 ++++++++ 3 files changed, 38 insertions(+), 5 deletions(-) diff --git a/core/src/main/java/org/apache/cxf/helpers/JavaUtils.java b/core/src/main/java/org/apache/cxf/helpers/JavaUtils.java index 0c0aa65..04462d0 100644 --- a/core/src/main/java/org/apache/cxf/helpers/JavaUtils.java +++ b/core/src/main/java/org/apache/cxf/helpers/JavaUtils.java @@ -51,6 +51,7 @@ public final class JavaUtils { private static boolean isJava11Compatible; private static boolean isJava9Compatible; private static boolean isJava8Before161; + private static Integer javaMajorVersion; static { String version = SystemPropertyAction.getProperty("java.version"); @@ -68,8 +69,10 @@ public final class JavaUtils { version = version.substring(0, version.indexOf('-')); } - setJava9Compatible(Integer.valueOf(version) >= 9); - setJava11Compatible(Integer.valueOf(version) >= 11); + final Integer javaVersion = Integer.valueOf(version); + setJava9Compatible(javaVersion >= 9); + setJava11Compatible(javaVersion >= 11); + setJavaMajorVersion(javaVersion); } private JavaUtils() { @@ -99,7 +102,7 @@ public final class JavaUtils { public static boolean isJava11Compatible() { return isJava11Compatible; } - + private static void setJava9Compatible(boolean java9Compatible) { JavaUtils.isJava9Compatible = java9Compatible; } 
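Review bot: `javaMajorVersion` is declared as a boxed `Integer` in the first JavaUtils hunk, while the sibling flags are primitives, and the static initializer in the second hunk boxes the parsed value again with `Integer.valueOf(version)`. A boxed field can be null, in which case `JavaUtils.getJavaMajorVersion() >= 14` in `detectProto` and in `SSLv3Server` fails on unboxing with a NullPointerException. I would declare `private static int javaMajorVersion;`, parse with `final int javaVersion = Integer.parseInt(version);`, and have the accessor added in the `@@ -112,4` hunk return `int`. The static block starts outside these hunks, so whether every path through it reaches `setJavaMajorVersion` cannot be confirmed from here.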
@@ -112,4 +115,11 @@ public final class JavaUtils { return isJava8Before161; } + public static void setJavaMajorVersion(Integer javaMajorVersion) { + JavaUtils.javaMajorVersion = javaMajorVersion; + } + + public static Integer getJavaMajorVersion() { + return javaMajorVersion; + } } diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java index 32acc08..afbb406 100644 --- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java +++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java @@ -51,6 +51,7 @@ import org.apache.cxf.common.util.SystemPropertyAction; import org.apache.cxf.configuration.jsse.SSLUtils; import org.apache.cxf.configuration.jsse.TLSServerParameters; import org.apache.cxf.configuration.security.ClientAuthentication; +import org.apache.cxf.helpers.JavaUtils; import org.apache.cxf.interceptor.Fault; import org.apache.cxf.transport.HttpUriMapper; import org.eclipse.jetty.http.HttpStatus; @@ -724,8 +725,8 @@ public class JettyHTTPServerEngine implements ServerEngine { } SSLContext context = tlsServerParameters.getJsseProvider() == null - ? SSLContext.getInstance(proto) - : SSLContext.getInstance(proto, tlsServerParameters.getJsseProvider()); + ? SSLContext.getInstance(detectProto(proto, allowSSLv3)) + : SSLContext.getInstance(detectProto(proto, allowSSLv3), tlsServerParameters.getJsseProvider()); KeyManager[] keyManagers = tlsServerParameters.getKeyManagers(); KeyManager[] configuredKeyManagers = org.apache.cxf.transport.https.SSLUtils.configureKeyManagersWithCertAlias( 
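Review bot: `setJavaMajorVersion` is `public`, whereas `setJava9Compatible` (visible in the previous hunk) is `private`. Because `detectProto` now chooses the SSL context protocol name from this value, any code in the JVM can change that choice at runtime, or pass null and break the comparison. Make it `private static void setJavaMajorVersion(int javaMajorVersion)`, and add a one-line Javadoc on `getJavaMajorVersion()` saying it returns the major version parsed from the `java.version` system property in the static initializer.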
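Review bot: `detectProto(proto, allowSSLv3)` is written out in both arms of the ternary in the `@@ -724,8` hunk. Resolving it once before the ternary, `final String effectiveProto = detectProto(proto, allowSSLv3);`, and passing `effectiveProto` to both `SSLContext.getInstance` calls keeps the arms from drifting apart. It also gives one obvious place to record which protocol name was actually requested. `allowSSLv3` is declared outside this hunk, as are the start and end of the enclosing method.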
@@ -759,6 +760,20 @@ public class JettyHTTPServerEngine implements ServerEngine { return context; } + + protected static String detectProto(String proto, boolean allowSSLv3) { + if (allowSSLv3 && JavaUtils.getJavaMajorVersion() >= 14) { + // Since Java 14, the SSLv3 aliased to TLSv1 (so SSLv3 effectively is not + // supported). To make it work, the custom SSL context has to be created + // instead along with specifying server / client properties as needed, for + // example: + // -Djdk.tls.server.protocols=SSLv3,TLSv1 + // -Djdk.tls.client.protocols=SSLv3,TLSv1 + return "SSL"; + } else { + return proto; + } + } @SuppressWarnings("deprecation") protected void setClientAuthentication(SslContextFactory con, diff --git a/systests/transports-ssl3/src/test/java/org/apache/cxf/https/ssl3/SSLv3Server.java b/systests/transports-ssl3/src/test/java/org/apache/cxf/https/ssl3/SSLv3Server.java index 1d5f49c..b4a4eeb 100644 --- a/systests/transports-ssl3/src/test/java/org/apache/cxf/https/ssl3/SSLv3Server.java +++ b/systests/transports-ssl3/src/test/java/org/apache/cxf/https/ssl3/SSLv3Server.java @@ -25,6 +25,7 @@ import java.security.Security; import org.apache.cxf.Bus; import org.apache.cxf.BusFactory; import org.apache.cxf.bus.spring.SpringBusFactory; +import org.apache.cxf.helpers.JavaUtils; import org.apache.cxf.testutil.common.AbstractBusTestServerBase; public class SSLv3Server extends AbstractBusTestServerBase { 
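Review bot: When `allowSSLv3` is set on Java 14+, `detectProto` discards the configured `proto` and returns `"SSL"` without leaving any trace, so an operator who configured a specific protocol cannot tell from the logs that a generic context was requested instead. SSLv3 is prohibited by RFC 7568, so this branch deserves a warning-level log entry naming both the configured and the substituted protocol. The method also has no Javadoc. I would add one saying that it returns `proto` unchanged unless `allowSSLv3` is true and the runtime major version is at least 14, in which case it returns `"SSL"`, and that the protocols actually enabled then depend on the `jdk.tls.server.protocols` / `jdk.tls.client.protocols` properties named in the inline comment. The inline comment itself should read `Since Java 14, SSLv3 is aliased to TLSv1`.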
@@ -32,6 +33,13 @@ public class SSLv3Server extends AbstractBusTestServerBase { public SSLv3Server() { // Remove "SSLv3" from the default disabled algorithm list for the purposes of this test Security.setProperty("jdk.tls.disabledAlgorithms", "MD5"); + if (JavaUtils.getJavaMajorVersion() >= 14) { + // Since Java 14, the SSLv3 aliased to TLSv1 (so SSLv3 effectively is not + // supported). To make it work, the custom SSL context has to be created and + // SSLv3 and TLSv1 has to be explicitly enabled: + // -Djdk.tls.client.protocols=SSLv3 + System.setProperty("jdk.tls.client.protocols", "SSLv3,TLSv1"); + } } protected void run() {
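Review bot: The added comment documents `-Djdk.tls.client.protocols=SSLv3`, but the code on the next line sets `"SSLv3,TLSv1"`; the comment should show `-Djdk.tls.client.protocols=SSLv3,TLSv1` to match. `System.setProperty` in the constructor changes JVM-wide state and is never restored. If other tests share this JVM, they would also run with SSLv3 and TLSv1 as the client protocols, and the same applies to the existing `Security.setProperty` call above it. Saving the previous values and restoring them when the test server stops would keep the weakened settings confined to this test. The `detectProto` comment in `JettyHTTPServerEngine` also names `jdk.tls.server.protocols`, which this server class does not set, so a short comment on why only the client property is needed here would help.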