This is an automated email from the ASF dual-hosted git repository.

reta pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/master by this push:
     new 56e962c  CXF-8265: [JDK14] Accommodate SSLv3 deprecation
56e962c is described below

commit 56e962c295f48e9f48dbd0884df79e5e48601284
Author: reta <drr...@gmail.com>
AuthorDate: Sun Apr 19 14:25:28 2020 -0400

    CXF-8265: [JDK14] Accommodate SSLv3 deprecation
---
 .../main/java/org/apache/cxf/helpers/JavaUtils.java   | 16 +++++++++++++---
 .../transport/http_jetty/JettyHTTPServerEngine.java   | 19 +++++++++++++++++--
 .../java/org/apache/cxf/https/ssl3/SSLv3Server.java   |  8 ++++++++
 3 files changed, 38 insertions(+), 5 deletions(-)

diff --git a/core/src/main/java/org/apache/cxf/helpers/JavaUtils.java 
b/core/src/main/java/org/apache/cxf/helpers/JavaUtils.java
index 0c0aa65..04462d0 100644
--- a/core/src/main/java/org/apache/cxf/helpers/JavaUtils.java
+++ b/core/src/main/java/org/apache/cxf/helpers/JavaUtils.java
@@ -51,6 +51,7 @@ public final class JavaUtils {
     private static boolean isJava11Compatible;
     private static boolean isJava9Compatible;
     private static boolean isJava8Before161;
+    private static Integer javaMajorVersion;
 
     static {
         String version = SystemPropertyAction.getProperty("java.version");
@@ -68,8 +69,10 @@ public final class JavaUtils {
             version = version.substring(0, version.indexOf('-'));
         }
 
-        setJava9Compatible(Integer.valueOf(version) >= 9);
-        setJava11Compatible(Integer.valueOf(version) >= 11);
+        final Integer javaVersion = Integer.valueOf(version);
+        setJava9Compatible(javaVersion >= 9);
+        setJava11Compatible(javaVersion >= 11);
+        setJavaMajorVersion(javaVersion);
     }
 
     private JavaUtils() {
@@ -99,7 +102,7 @@ public final class JavaUtils {
     public static boolean isJava11Compatible() {
         return isJava11Compatible;
     }
-
+    
     private static void setJava9Compatible(boolean java9Compatible) {
         JavaUtils.isJava9Compatible = java9Compatible;
     }
@@ -112,4 +115,11 @@ public final class JavaUtils {
         return isJava8Before161;
     }
 
+    public static void setJavaMajorVersion(Integer javaMajorVersion) {
+        JavaUtils.javaMajorVersion = javaMajorVersion;
+    }
+    
+    public static Integer getJavaMajorVersion() {
+        return javaMajorVersion;
+    }
 }
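Review bot: `setJavaMajorVersion` is public while the neighbouring `setJava9Compatible` is private, so any code that can reach `JavaUtils` can change the value that `JettyHTTPServerEngine.detectProto` later uses to choose the SSLContext protocol. Unless a caller outside this commit needs it, declare it as `private static void setJavaMajorVersion(int javaMajorVersion)` and have the getter return `int`; the boxed `Integer` is auto-unboxed by the `>= 14` comparisons in the other two files of this commit and would throw a NullPointerException if it were ever null. The getter also deserves a one-line Javadoc such as `/** Returns the major Java version parsed from the java.version system property. */`, since the parsing happens in the static initializer, which is only partly visible in these hunks.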
diff --git 
a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
 
b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
index 32acc08..afbb406 100644
--- 
a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
+++ 
b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java
@@ -51,6 +51,7 @@ import org.apache.cxf.common.util.SystemPropertyAction;
 import org.apache.cxf.configuration.jsse.SSLUtils;
 import org.apache.cxf.configuration.jsse.TLSServerParameters;
 import org.apache.cxf.configuration.security.ClientAuthentication;
+import org.apache.cxf.helpers.JavaUtils;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.transport.HttpUriMapper;
 import org.eclipse.jetty.http.HttpStatus;
@@ -724,8 +725,8 @@ public class JettyHTTPServerEngine implements ServerEngine {
         }
 
         SSLContext context = tlsServerParameters.getJsseProvider() == null
-            ? SSLContext.getInstance(proto)
-                : SSLContext.getInstance(proto, 
tlsServerParameters.getJsseProvider());
+            ? SSLContext.getInstance(detectProto(proto, allowSSLv3))
+                : SSLContext.getInstance(detectProto(proto, allowSSLv3), 
tlsServerParameters.getJsseProvider());
 
         KeyManager[] keyManagers = tlsServerParameters.getKeyManagers();
         KeyManager[] configuredKeyManagers = 
org.apache.cxf.transport.https.SSLUtils.configureKeyManagersWithCertAlias(
@@ -759,6 +760,20 @@ public class JettyHTTPServerEngine implements ServerEngine 
{
 
         return context;
     }
+    
+    protected static String detectProto(String proto, boolean allowSSLv3) {
+        if (allowSSLv3 && JavaUtils.getJavaMajorVersion() >= 14) {
+            // Since Java 14, the SSLv3 aliased to TLSv1 (so SSLv3 effectively 
is not
+            // supported). To make it work, the custom SSL context has to be 
created
+            // instead along with specifying server / client properties as 
needed, for
+            // example:
+            //  -Djdk.tls.server.protocols=SSLv3,TLSv1
+            //  -Djdk.tls.client.protocols=SSLv3,TLSv1
+            return "SSL";
+        } else {
+            return proto;
+        }
+    }
 
     @SuppressWarnings("deprecation")
     protected void setClientAuthentication(SslContextFactory con,
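Review bot: In `detectProto`, the configured `proto` is discarded whenever `allowSSLv3` is set on Java 14 or later, and nothing is logged when that happens. SSLv3 is a deprecated protocol, so an operator should be able to see from the logs that this branch was taken; add a warning there that names both the configured protocol and the `"SSL"` replacement. The method also needs a Javadoc, for example `/** Returns the SSLContext protocol name to request; on Java 14+ with allowSSLv3 set, the generic "SSL" name replaces the configured one. */`, and the in-code comment should say that the `jdk.tls.*.protocols` properties are not set by this method and must be supplied by the deployment. The hunk ends inside `setClientAuthentication`, which is not reviewed here.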
diff --git 
a/systests/transports-ssl3/src/test/java/org/apache/cxf/https/ssl3/SSLv3Server.java
 
b/systests/transports-ssl3/src/test/java/org/apache/cxf/https/ssl3/SSLv3Server.java
index 1d5f49c..b4a4eeb 100644
--- 
a/systests/transports-ssl3/src/test/java/org/apache/cxf/https/ssl3/SSLv3Server.java
+++ 
b/systests/transports-ssl3/src/test/java/org/apache/cxf/https/ssl3/SSLv3Server.java
@@ -25,6 +25,7 @@ import java.security.Security;
 import org.apache.cxf.Bus;
 import org.apache.cxf.BusFactory;
 import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.helpers.JavaUtils;
 import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
 
 public class SSLv3Server extends AbstractBusTestServerBase {
@@ -32,6 +33,13 @@ public class SSLv3Server extends AbstractBusTestServerBase {
     public SSLv3Server() {
         // Remove "SSLv3" from the default disabled algorithm list for the 
purposes of this test
         Security.setProperty("jdk.tls.disabledAlgorithms", "MD5");
+        if (JavaUtils.getJavaMajorVersion() >= 14) {
+            // Since Java 14, the SSLv3 aliased to TLSv1 (so SSLv3 effectively 
is not
+            // supported). To make it work, the custom SSL context has to be 
created and
+            // SSLv3 and TLSv1 has to be explicitly enabled: 
+            //   -Djdk.tls.client.protocols=SSLv3
+            System.setProperty("jdk.tls.client.protocols", "SSLv3,TLSv1");
+        }
     }
 
     protected void run()  {
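Review bot: The added comment shows `-Djdk.tls.client.protocols=SSLv3` while the line below it sets `"SSLv3,TLSv1"`; the comment should read `//   -Djdk.tls.client.protocols=SSLv3,TLSv1` so the two agree. Both `Security.setProperty` and `System.setProperty` in this constructor change JVM-wide state and are never restored, so the weakened settings stay in effect for anything else that runs in the same process; a comment stating that this server is expected to run in its own JVM, or restoring the previous values on shutdown, would make that explicit. The JDK may read `jdk.tls.client.protocols` only when its TLS classes are first initialised, so this presumably depends on the constructor running before any TLS use, which is worth confirming. `run()` continues outside the hunk.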
