This is an automated email from the ASF dual-hosted git repository.

btellier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git

commit 7f33303db68ccb697dfaae7c962167b3974ae321
Author: ouvtam <ouv...@8n4.pw>
AuthorDate: Mon Oct 24 11:08:31 2022 +0200

    [JAMES-1516] allow specifying TLS protocols for inbound connections
---
 .../org/apache/james/protocols/netty/Encryption.java | 20 +++++++++++++-------
 .../protocols/lib/LegacyJavaEncryptionFactory.java   |  4 ++--
 .../org/apache/james/protocols/lib/SslConfig.java    | 15 +++++++++++----
 src/site/xdoc/server/config-ssl-tls.xml              | 16 ++++++++++++++++
 4 files changed, 42 insertions(+), 13 deletions(-)

diff --git 
a/protocols/netty/src/main/java/org/apache/james/protocols/netty/Encryption.java
 
b/protocols/netty/src/main/java/org/apache/james/protocols/netty/Encryption.java
index 19b8b18441..869d0e88dc 100644
--- 
a/protocols/netty/src/main/java/org/apache/james/protocols/netty/Encryption.java
+++ 
b/protocols/netty/src/main/java/org/apache/james/protocols/netty/Encryption.java
@@ -40,7 +40,7 @@ public interface Encryption {
 
     @VisibleForTesting
     static Encryption createTls(SSLContext context) {
-        return createTls(context, null, ClientAuth.NONE);
+        return createTls(context, null, null, ClientAuth.NONE);
     }
 
     /**
@@ -52,13 +52,13 @@ public interface Encryption {
      * @param clientAuth
      *            specifies certificate based client authentication mode
      */
-    static Encryption createTls(SSLContext context, String[] 
enabledCipherSuites, ClientAuth clientAuth) {
-        return new Encryption.LegacyJavaEncryption(context, false, 
enabledCipherSuites, clientAuth);
+    static Encryption createTls(SSLContext context, String[] 
enabledCipherSuites, String[] enabledProtocols, ClientAuth clientAuth) {
+        return new Encryption.LegacyJavaEncryption(context, false, 
enabledCipherSuites, enabledProtocols, clientAuth);
     }
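Review bot: The new `enabledProtocols` parameter of `createTls` has no Javadoc while the surrounding block still documents `@param clientAuth`; the earlier `@param` lines of this comment sit above the hunk and presumably cover `context` and `enabledCipherSuites` only. Add `@param enabledProtocols the TLS protocol versions to enable on each SSLEngine; null or empty keeps the JDK defaults`, which matches the null/empty guard applied before `setEnabledProtocols` later in this file. Stating the null/empty semantics here matters because it is the only thing that tells a caller that passing an empty array is not "disable everything".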
 
     @VisibleForTesting
     static Encryption createStartTls(SSLContext context) {
-        return createStartTls(context, null, ClientAuth.NONE);
+        return createStartTls(context, null, null, ClientAuth.NONE);
     }
 
     /**
@@ -70,8 +70,8 @@ public interface Encryption {
      * @param clientAuth
      *            specifies certificate based client authentication mode
      */
-    static Encryption createStartTls(SSLContext context, String[] 
enabledCipherSuites, ClientAuth clientAuth) {
-        return new Encryption.LegacyJavaEncryption(context, true, 
enabledCipherSuites, clientAuth);
+    static Encryption createStartTls(SSLContext context, String[] 
enabledCipherSuites, String[] enabledProtocols, ClientAuth clientAuth) {
+        return new Encryption.LegacyJavaEncryption(context, true, 
enabledCipherSuites, enabledProtocols, clientAuth);
     }
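Review bot: Same documentation gap as in `createTls`: `createStartTls` gains `enabledProtocols` but its Javadoc, whose start is above this hunk, does not mention it. Add `@param enabledProtocols the TLS protocol versions to enable on each SSLEngine; null or empty keeps the JDK defaults` alongside the existing `@param clientAuth`.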
 
     /**
@@ -105,12 +105,14 @@ public interface Encryption {
         private final SSLContext context;
         private final boolean starttls;
         private final String[] enabledCipherSuites;
+        private final String[] enabledProtocols;
         private final ClientAuth clientAuth;
 
-        private LegacyJavaEncryption(SSLContext context, boolean starttls, 
String[] enabledCipherSuites, ClientAuth clientAuth) {
+        private LegacyJavaEncryption(SSLContext context, boolean starttls, 
String[] enabledCipherSuites, String[] enabledProtocols, ClientAuth clientAuth) 
{
             this.context = context;
             this.starttls = starttls;
             this.enabledCipherSuites = enabledCipherSuites;
+            this.enabledProtocols = enabledProtocols;
             this.clientAuth = clientAuth;
         }
 
@@ -167,10 +169,14 @@ public interface Encryption {
             // We need to copy the String array because of possible security 
issues.
             // See https://issues.apache.org/jira/browse/PROTOCOLS-18
             String[] cipherSuites = ArrayUtils.clone(enabledCipherSuites);
+            String[] protocols = ArrayUtils.clone(enabledProtocols);
 
             if (cipherSuites != null && cipherSuites.length > 0) {
                 engine.setEnabledCipherSuites(cipherSuites);
             }
+            if (protocols != null && protocols.length > 0) {
+                engine.setEnabledProtocols(protocols);
+            }
             if (ClientAuth.NEED.equals(clientAuth)) {
                 engine.setNeedClientAuth(true);
             }
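Review bot: `engine.setEnabledProtocols(protocols)` enables whatever names the operator lists, so a configuration naming `SSLv3`, `TLSv1` or `TLSv1.1` (all three appear in the config-ssl-tls.xml example added by this commit) silently weakens every inbound connection; SSLv3 is known-broken, and recent JDKs already list TLS 1.0/1.1 in `jdk.tls.disabledAlgorithms`, so such entries may not even behave as the operator expects. Consider rejecting, or at least logging a warning for, any configured protocol other than `TLSv1.2`/`TLSv1.3` once at construction rather than leaving the check to each handshake. Separately, an unknown protocol name makes `setEnabledProtocols` throw `IllegalArgumentException` on every connection instead of at startup; validating `enabledProtocols` against `context.getSupportedSSLParameters().getProtocols()` in the `LegacyJavaEncryption` constructor would fail fast with a clear message. The enclosing method begins above this hunk.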
diff --git 
a/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/LegacyJavaEncryptionFactory.java
 
b/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/LegacyJavaEncryptionFactory.java
index 2b81f8b6e4..ad2371ddc8 100644
--- 
a/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/LegacyJavaEncryptionFactory.java
+++ 
b/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/LegacyJavaEncryptionFactory.java
@@ -91,9 +91,9 @@ public class LegacyJavaEncryptionFactory implements 
Encryption.Factory {
         SSLContext context = sslFactoryBuilder.build().getSslContext();
 
         if (sslConfig.useStartTLS()) {
-            return Encryption.createStartTls(context, 
sslConfig.getEnabledCipherSuites(), sslConfig.getClientAuth());
+            return Encryption.createStartTls(context, 
sslConfig.getEnabledCipherSuites(), sslConfig.getEnabledProtocols(), 
sslConfig.getClientAuth());
         } else {
-           return Encryption.createTls(context, 
sslConfig.getEnabledCipherSuites(), sslConfig.getClientAuth());
+           return Encryption.createTls(context, 
sslConfig.getEnabledCipherSuites(), sslConfig.getEnabledProtocols(), 
sslConfig.getClientAuth());
         }
     }
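Review bot: The rewritten `return Encryption.createTls(` line in the `else` branch keeps an 11-space indent while the `if` branch uses 12, so the two calls no longer line up even though both were touched in this hunk; since the line is being rewritten anyway, realign it to `            return Encryption.createTls(context,`. The enclosing method starts above this hunk.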
 
diff --git 
a/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/SslConfig.java
 
b/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/SslConfig.java
index 94aa6b411d..b46a4c4d6a 100644
--- 
a/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/SslConfig.java
+++ 
b/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/SslConfig.java
@@ -46,6 +46,7 @@ public class SslConfig {
 
         if (useStartTLS || useSSL) {
             String[] enabledCipherSuites = 
config.getStringArray("tls.supportedCipherSuites.cipherSuite");
+            String[] enabledProtocols = 
config.getStringArray("tls.supportedProtocols.protocol");
             String keystore = config.getString("tls.keystore", null);
             String privateKey = config.getString("tls.privateKey", null);
             String certificates = config.getString("tls.certificates", null);
@@ -61,9 +62,9 @@ public class SslConfig {
             boolean enableOCSPCRLChecks = 
config.getBoolean("tls.enableOCSPCRLChecks", false);
             LOGGER.info("TLS enabled with auth {} using truststore {}", 
clientAuth, truststore);
 
-            return new SslConfig(useStartTLS, useSSL, clientAuth, keystore, 
keystoreType, privateKey, certificates, secret, truststore, truststoreType, 
enabledCipherSuites, truststoreSecret, enableOCSPCRLChecks);
+            return new SslConfig(useStartTLS, useSSL, clientAuth, keystore, 
keystoreType, privateKey, certificates, secret, truststore, truststoreType, 
enabledCipherSuites, enabledProtocols, truststoreSecret, enableOCSPCRLChecks);
         } else {
-            return new SslConfig(useStartTLS, useSSL, clientAuth, null, null, 
null, null, null, null, null, null, null, false);
+            return new SslConfig(useStartTLS, useSSL, clientAuth, null, null, 
null, null, null, null, null, null, null, null, false);
         }
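Review bot: The `LOGGER.info` in this hunk still reports only the client-auth mode and truststore, so an operator who has just restricted protocols or cipher suites gets no startup-time confirmation that the restriction was read; the disabled-TLS branch below also passes ten positional nulls, where the newly inserted one is easy to misplace since every neighbour is a `String[]`/`char[]`. Extend the log line to `LOGGER.info("TLS enabled with auth {} using truststore {}, protocols {}, cipher suites {}", clientAuth, truststore, enabledProtocols, enabledCipherSuites);` (SLF4J's formatter expands arrays element-wise, so no `Arrays.toString` is needed). The enclosing factory method begins above this hunk.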
     }
 
@@ -78,12 +79,13 @@ public class SslConfig {
     private final String truststore;
     private final String truststoreType;
     private final String[] enabledCipherSuites;
+    private final String[] enabledProtocols;
     private final char[] truststoreSecret;
     private final boolean enableOCSPCRLChecks;
 
     public SslConfig(boolean useStartTLS, boolean useSSL, ClientAuth 
clientAuth, String keystore, String keystoreType, String privateKey,
-                     String certificates, String secret, String truststore, 
String truststoreType, String[] enabledCipherSuites, char[] truststoreSecret,
-                     boolean enableOCSPCRLChecks) {
+                     String certificates, String secret, String truststore, 
String truststoreType, String[] enabledCipherSuites, String[] enabledProtocols,
+                     char[] truststoreSecret, boolean enableOCSPCRLChecks) {
         this.useStartTLS = useStartTLS;
         this.useSSL = useSSL;
         this.clientAuth = clientAuth;
@@ -95,6 +97,7 @@ public class SslConfig {
         this.truststore = truststore;
         this.truststoreType = truststoreType;
         this.enabledCipherSuites = enabledCipherSuites;
+        this.enabledProtocols = enabledProtocols;
         this.truststoreSecret = truststoreSecret;
         this.enableOCSPCRLChecks = enableOCSPCRLChecks;
     }
@@ -111,6 +114,10 @@ public class SslConfig {
         return enabledCipherSuites;
     }
 
+    public String[] getEnabledProtocols() {
+        return enabledProtocols;
+    }
+
     public boolean useSSL() {
         return useSSL;
     }
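Review bot: `getEnabledProtocols` hands out the internal `enabledProtocols` array itself, so any caller can mutate the protocol list that every subsequent `createTls`/`createStartTls` call will read; `Encryption` happens to clone on use (the PROTOCOLS-18 comment), but `SslConfig` should not depend on that. Return a copy instead: `return enabledProtocols == null ? null : enabledProtocols.clone();`, and the same applies to `getEnabledCipherSuites` just above it.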
diff --git a/src/site/xdoc/server/config-ssl-tls.xml 
b/src/site/xdoc/server/config-ssl-tls.xml
index 23e510f11a..a991cee7de 100644
--- a/src/site/xdoc/server/config-ssl-tls.xml
+++ b/src/site/xdoc/server/config-ssl-tls.xml
@@ -73,6 +73,22 @@
 &lt;/tls&gt;
 </source>
 
+      <p>Optionally, TLS protocols and/or cipher suites can be specified 
explicitly (smtpserver.xml, pop3server.xml, imapserver.xml,..).
+        Otherwise, the default protocols and cipher suites of the used JDK 
will be used.</p>
+<source>
+&lt;tls socketTLS="false" startTLS="false"&gt;
+        <supportedCipherSuites>
+          <cipherSuite>TLS_AES_256_GCM_SHA384</cipherSuite>
+          
<cipherSuite>TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256</cipherSuite>
+        </supportedCipherSuites>
+        <supportedProtocols>
+          <protocol>TLSv1.2</protocol>
+          <protocol>TLSv1.1</protocol>
+          <protocol>TLSv1</protocol>
+          <protocol>SSLv3</protocol>
+        </supportedProtocols>
+  &lt;/tls&gt;
+</source>
       <p>Each of these block has an optional boolean configuration element 
<b>socketTLS</b> and <b>startTLS</b> which is used to toggle
          use of SSL or TLS for the service.</p>
          

