FLUME-2549: Enable SSLv2Hello for HttpSource (Hari Shreedharan via Jarek Jarcec Cecho)
Project: http://git-wip-us.apache.org/repos/asf/flume/repo Commit: http://git-wip-us.apache.org/repos/asf/flume/commit/3aceda6e Tree: http://git-wip-us.apache.org/repos/asf/flume/tree/3aceda6e Diff: http://git-wip-us.apache.org/repos/asf/flume/diff/3aceda6e Branch: refs/heads/flume-1.5 Commit: 3aceda6eb8f677e457e3322ac2fce9e2719a8c6d Parents: 2a59111 Author: Jarek Jarcec Cecho <[email protected]> Authored: Wed Nov 12 07:35:06 2014 -0800 Committer: Hari Shreedharan <[email protected]> Committed: Wed Nov 12 11:50:41 2014 -0800
----------------------------------------------------------------------
.../apache/flume/source/http/HTTPSource.java | 23 +++++- .../http/HTTPSourceConfigurationConstants.java | 1 + .../flume/source/http/TestHTTPSource.java | 79 +------------------- flume-ng-doc/sphinx/FlumeUserGuide.rst | 31 ++++---- 4 files changed, 39 insertions(+), 95 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/flume/blob/3aceda6e/flume-ng-core/src/main/java/org/apache/flume/source/http/HTTPSource.java
----------------------------------------------------------------------
diff --git a/flume-ng-core/src/main/java/org/apache/flume/source/http/HTTPSource.java b/flume-ng-core/src/main/java/org/apache/flume/source/http/HTTPSource.java
index 4b2717c..b520b03 100644
--- a/flume-ng-core/src/main/java/org/apache/flume/source/http/HTTPSource.java
+++ b/flume-ng-core/src/main/java/org/apache/flume/source/http/HTTPSource.java
@@ -93,6 +93,7 @@ public class HTTPSource extends AbstractSource implements
 private volatile String keyStorePath;
 private volatile String keyStorePassword;
 private volatile Boolean sslEnabled;
+ private final List<String> excludedProtocols = new LinkedList<String>();
 @Override
@@ -120,7 +121,18 @@ public class HTTPSource extends AbstractSource implements
 Preconditions.checkArgument(keyStorePath != null && !keyStorePath.isEmpty(), "Keystore is required for SSL Conifguration" );
 keyStorePassword = context.getString(HTTPSourceConfigurationConstants.SSL_KEYSTORE_PASSWORD);
- Preconditions.checkArgument(keyStorePassword != null, "Keystore password is required for SSL Configuration");
+ Preconditions.checkArgument(keyStorePassword != null,
+ "Keystore password is required for SSL Configuration");
+ String excludeProtocolsStr = context.getString(HTTPSourceConfigurationConstants
+ .EXCLUDE_PROTOCOLS);
+ if (excludeProtocolsStr == null) {
+ excludedProtocols.add("SSLv3");
+ } else {
+ excludedProtocols.addAll(Arrays.asList(excludeProtocolsStr.split(" ")));
+ if (!excludedProtocols.contains("SSLv3")) {
+ excludedProtocols.add("SSLv3");
+ }
+ }
 }
@@ -172,7 +184,7 @@ public class HTTPSource extends AbstractSource implements
 if (sslEnabled) {
- SslSocketConnector sslSocketConnector = new HTTPSourceSocketConnector();
+ SslSocketConnector sslSocketConnector = new HTTPSourceSocketConnector(excludedProtocols);
 sslSocketConnector.setKeystore(keyStorePath);
 sslSocketConnector.setKeyPassword(keyStorePassword);
 sslSocketConnector.setReuseAddress(true);
@@ -274,6 +286,11 @@ public class HTTPSource extends AbstractSource implements
 private static class HTTPSourceSocketConnector extends SslSocketConnector {
+ private final List<String> excludedProtocols;
+ HTTPSourceSocketConnector(List<String> excludedProtocols) {
+ this.excludedProtocols = excludedProtocols;
+ }
+
 @Override
 public ServerSocket newServerSocket(String host, int port, int backlog) throws IOException
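Review bot: configure() only ever appends to excludedProtocols, so if the source is configured a second time (Flume reloads configuration at runtime) the earlier exclusions and duplicates stay in the list and a narrowed excludeProtocols value is never honoured; start the new block with `excludedProtocols.clear();` before the first add. Splitting on a single space also turns a double space or leading whitespace in the property into an empty token that matches nothing, so `excludeProtocolsStr.trim().split("\\s+")` is the more forgiving parse. The enclosing configure() method starts and ends outside this hunk.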
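Review bot: In the HTTPSourceSocketConnector hunk the constructor keeps the caller's list by reference, so every accepted socket reads the source's mutable LinkedList, which configure() may still be appending to; a snapshot, `this.excludedProtocols = new ArrayList<String>(excludedProtocols);`, gives the connector a stable view at negligible cost. The constructor also has no doc comment; suggest `/** @param excludedProtocols JSSE protocol names removed from every server socket created by newServerSocket. */` above it, and a blank line between the field and the constructor to match the surrounding style.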
@@ -282,7 +299,7 @@ public class HTTPSource extends AbstractSource implements
 String[] protocols = socket.getEnabledProtocols();
 List<String> newProtocols = new ArrayList<String>(protocols.length);
 for(String protocol: protocols) {
- if (!(protocol.equals("SSLv3") || protocol.equals("SSLv2Hello"))) {
+ if (!excludedProtocols.contains(protocol)) {
 newProtocols.add(protocol);
 }
 }
http://git-wip-us.apache.org/repos/asf/flume/blob/3aceda6e/flume-ng-core/src/main/java/org/apache/flume/source/http/HTTPSourceConfigurationConstants.java
----------------------------------------------------------------------
diff --git a/flume-ng-core/src/main/java/org/apache/flume/source/http/HTTPSourceConfigurationConstants.java b/flume-ng-core/src/main/java/org/apache/flume/source/http/HTTPSourceConfigurationConstants.java
index ed52827..86caf7d 100644
--- a/flume-ng-core/src/main/java/org/apache/flume/source/http/HTTPSourceConfigurationConstants.java
+++ b/flume-ng-core/src/main/java/org/apache/flume/source/http/HTTPSourceConfigurationConstants.java
@@ -37,5 +37,6 @@ public class HTTPSourceConfigurationConstants {
 public static final String SSL_KEYSTORE = "keystore";
 public static final String SSL_KEYSTORE_PASSWORD = "keystorePassword";
 public static final String SSL_ENABLED = "enableSSL";
+ public static final String EXCLUDE_PROTOCOLS = "excludeProtocols";
 }
http://git-wip-us.apache.org/repos/asf/flume/blob/3aceda6e/flume-ng-core/src/test/java/org/apache/flume/source/http/TestHTTPSource.java
----------------------------------------------------------------------
diff --git a/flume-ng-core/src/test/java/org/apache/flume/source/http/TestHTTPSource.java b/flume-ng-core/src/test/java/org/apache/flume/source/http/TestHTTPSource.java
index 64111be..c59fdd4 100644
--- a/flume-ng-core/src/test/java/org/apache/flume/source/http/TestHTTPSource.java
+++ b/flume-ng-core/src/test/java/org/apache/flume/source/http/TestHTTPSource.java
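Review bot: The new filter only removes names that match an excludeProtocols entry exactly, so a misspelled entry (for example a lowercase variant) silently excludes nothing and the operator gets no feedback, while a list that covers every enabled protocol leaves newProtocols empty and the server socket unable to complete any handshake. Guarding the result, `Preconditions.checkState(!newProtocols.isEmpty(), "excludeProtocols removes every enabled protocol");`, and logging the final enabled set at INFO (assuming the class has a logger, which is not visible here) makes both cases visible at startup instead of at the first client connection. The enclosing newServerSocket() method starts and ends outside this hunk.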
@@ -321,11 +321,6 @@ public class TestHTTPSource {
 doTestHttps("SSLv3");
 }
- @Test (expected = javax.net.ssl.SSLHandshakeException.class)
- public void testHttpsSSLv2Hello() throws Exception {
- doTestHttps("SSLv2Hello");
- }
-
 public void doTestHttps(String protocol) throws Exception {
 Type listType = new TypeToken<List<JSONEvent>>() { }.getType();
@@ -384,7 +379,7 @@ public class TestHTTPSource {
 if(protocol != null) {
 factory = new DisabledProtocolsSocketFactory(sc.getSocketFactory(), protocol);
 } else {
- factory = new EnabledProtocolsSocketFactory(sc.getSocketFactory());
+ factory = sc.getSocketFactory();
 }
 HttpsURLConnection.setDefaultSSLSocketFactory(factory);
 HttpsURLConnection.setDefaultHostnameVerifier(
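Review bot: With `factory = sc.getSocketFactory();` the protocol == null path now uses the JDK's default client protocol set, so whether the SSLv2Hello pseudo-protocol this commit re-enables is actually negotiated depends on the test JVM rather than on anything the test asserts, and the deleted testHttpsSSLv2Hello is not replaced by a positive counterpart. A test that pins the client to exactly SSLv2Hello plus TLSv1 and expects the request to succeed would cover the behaviour named in the commit title, in the same way the old negative test did. doTestHttps() starts and ends outside this hunk.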
@@ -498,78 +493,8 @@ public class TestHTTPSource {
 DisabledProtocolsSocketFactory(javax.net.ssl.SSLSocketFactory factory, String protocol) {
 this.socketFactory = factory;
- if(protocol.equals("SSLv2Hello")) {
- protocols = new String[2];
- protocols[0] = "TLSv1";
- protocols[1] = protocol;
- } else {
- protocols = new String[1];
- protocols[0] = protocol;
- }
- }
-
- @Override
- public String[] getDefaultCipherSuites() {
- return socketFactory.getDefaultCipherSuites();
- }
-
- @Override
- public String[] getSupportedCipherSuites() {
- return socketFactory.getSupportedCipherSuites();
- }
-
- @Override
- public Socket createSocket(Socket socket, String s, int i, boolean b)
- throws IOException {
- SSLSocket sc = (SSLSocket) socketFactory.createSocket(socket, s, i, b);
- sc.setEnabledProtocols(protocols);
- return sc;
- }
-
- @Override
- public Socket createSocket(String s, int i)
- throws IOException, UnknownHostException {
- SSLSocket sc = (SSLSocket)socketFactory.createSocket(s, i);
- sc.setEnabledProtocols(protocols);
- return sc;
- }
-
- @Override
- public Socket createSocket(String s, int i, InetAddress inetAddress, int i2)
- throws IOException, UnknownHostException {
- SSLSocket sc = (SSLSocket)socketFactory.createSocket(s, i, inetAddress,
- i2);
- sc.setEnabledProtocols(protocols);
- return sc;
- }
-
- @Override
- public Socket createSocket(InetAddress inetAddress, int i)
- throws IOException {
- SSLSocket sc = (SSLSocket)socketFactory.createSocket(inetAddress, i);
- sc.setEnabledProtocols(protocols);
- return sc;
- }
-
- @Override
- public Socket createSocket(InetAddress inetAddress, int i,
- InetAddress inetAddress2, int i2) throws IOException {
- SSLSocket sc = (SSLSocket)socketFactory.createSocket(inetAddress, i,
- inetAddress2, i2);
- sc.setEnabledProtocols(protocols);
- return sc;
- }
- }
-
- private class EnabledProtocolsSocketFactory extends javax.net.ssl.SSLSocketFactory {
-
- private final javax.net.ssl.SSLSocketFactory socketFactory;
- private final 
String[] protocols;
-
- EnabledProtocolsSocketFactory(javax.net.ssl.SSLSocketFactory factory) {
- this.socketFactory = factory;
 protocols = new String[1];
- protocols[0] = "TLSv1";
+ protocols[0] = protocol;
 }
 @Override
http://git-wip-us.apache.org/repos/asf/flume/blob/3aceda6e/flume-ng-doc/sphinx/FlumeUserGuide.rst
----------------------------------------------------------------------
diff --git a/flume-ng-doc/sphinx/FlumeUserGuide.rst b/flume-ng-doc/sphinx/FlumeUserGuide.rst
index 2da8092..68bac8b 100644
--- a/flume-ng-doc/sphinx/FlumeUserGuide.rst
+++ b/flume-ng-doc/sphinx/FlumeUserGuide.rst
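Review bot: After `protocols[0] = protocol;` the factory enables exactly the one protocol it is given, so the name DisabledProtocolsSocketFactory now reads backwards to anyone maintaining the test; renaming it to something like SingleProtocolSocketFactory, or adding `// Restricts the client to exactly one protocol so the server's exclusion list can be probed.` above the constructor, would keep the intent clear. The class header is outside this hunk.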
@@ -1292,22 +1292,23 @@ unavailable status. All events sent in one post request are considered to be one batch and inserted into the channel in one transaction. -============== ============================================ ==================================================================== -Property Name Default Description -============== ============================================ ==================================================================== -**type** The component type name, needs to be ``http`` -**port** -- The port the source should bind to. -bind 0.0.0.0 The hostname or IP address to listen on -handler ``org.apache.flume.source.http.JSONHandler`` The FQCN of the handler class. -handler.* -- Config parameters for the handler -selector.type replicating replicating or multiplexing -selector.* Depends on the selector.type value -interceptors -- Space-separated list of interceptors +================= ============================================ ===================================================================================== +Property Name Default Description +================= ============================================ ===================================================================================== +**type** The component type name, needs to be ``http`` +**port** -- The port the source should bind to. +bind 0.0.0.0 The hostname or IP address to listen on +handler ``org.apache.flume.source.http.JSONHandler`` The FQCN of the handler class. 
+handler.* -- Config parameters for the handler +selector.type replicating replicating or multiplexing +selector.* Depends on the selector.type value +interceptors -- Space-separated list of interceptors interceptors.* -enableSSL false Set the property true, to enable SSL -keystore Location of the keystore includng keystore file name -keystorePassword Keystore password -================================================================================================================================== +enableSSL false Set the property true, to enable SSL. *HTTP Source does not support SSLv3.* +excludeProtocols SSLv3 Space-separated list of SSL/TLS protocols to exclude. SSLv3 is always excluded. +keystore Location of the keystore includng keystore file name +keystorePassword Keystore password +====================================================================================================================================================== For example, a http source for agent named a1:
