This is an automated email from the ASF dual-hosted git repository. btellier pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/james-project.git
commit 7f33303db68ccb697dfaae7c962167b3974ae321
Author: ouvtam <ouv...@8n4.pw>
AuthorDate: Mon Oct 24 11:08:31 2022 +0200

[JAMES-1516] allow specifying TLS protocols for inbound connections
---
 .../org/apache/james/protocols/netty/Encryption.java | 20 +++++++++++++-------
 .../protocols/lib/LegacyJavaEncryptionFactory.java | 4 ++--
 .../org/apache/james/protocols/lib/SslConfig.java | 15 +++++++++++----
 src/site/xdoc/server/config-ssl-tls.xml | 16 ++++++++++++++++
 4 files changed, 42 insertions(+), 13 deletions(-)

diff --git a/protocols/netty/src/main/java/org/apache/james/protocols/netty/Encryption.java b/protocols/netty/src/main/java/org/apache/james/protocols/netty/Encryption.java
index 19b8b18441..869d0e88dc 100644
--- a/protocols/netty/src/main/java/org/apache/james/protocols/netty/Encryption.java
+++ b/protocols/netty/src/main/java/org/apache/james/protocols/netty/Encryption.java
@@ -40,7 +40,7 @@ public interface Encryption {
     @VisibleForTesting
     static Encryption createTls(SSLContext context) {
-        return createTls(context, null, ClientAuth.NONE);
+        return createTls(context, null, null, ClientAuth.NONE);
     }
     /**
@@ -52,13 +52,13 @@ public interface Encryption {
      * @param clientAuth
      *            specifies certificate based client authentication mode
      */
-    static Encryption createTls(SSLContext context, String[] enabledCipherSuites, ClientAuth clientAuth) {
-        return new Encryption.LegacyJavaEncryption(context, false, enabledCipherSuites, clientAuth);
+    static Encryption createTls(SSLContext context, String[] enabledCipherSuites, String[] enabledProtocols, ClientAuth clientAuth) {
+        return new Encryption.LegacyJavaEncryption(context, false, enabledCipherSuites, enabledProtocols, clientAuth);
     }
     @VisibleForTesting
     static Encryption createStartTls(SSLContext context) {
-        return createStartTls(context, null, ClientAuth.NONE);
+        return createStartTls(context, null, null, ClientAuth.NONE);
     }
     /**
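Review bot: The Javadoc above createTls in the `@@ -52` hunk still ends with only `@param clientAuth` while the signature gained a second array parameter, so the new `enabledProtocols` argument is undocumented, including what `null` or an empty array means for the engine. Add ` * @param enabledProtocols` / ` *            protocol names to enable on the SSLEngine, or null/empty to keep the JDK defaults` above the `@param clientAuth` line, and mirror it on createStartTls in the following hunk, which has the same gap. The Javadoc block begins above this hunk, so the existing `@param enabledCipherSuites` wording is not visible here to check the two entries are phrased consistently.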
@@ -70,8 +70,8 @@ public interface Encryption {
      * @param clientAuth
      *            specifies certificate based client authentication mode
      */
-    static Encryption createStartTls(SSLContext context, String[] enabledCipherSuites, ClientAuth clientAuth) {
-        return new Encryption.LegacyJavaEncryption(context, true, enabledCipherSuites, clientAuth);
+    static Encryption createStartTls(SSLContext context, String[] enabledCipherSuites, String[] enabledProtocols, ClientAuth clientAuth) {
+        return new Encryption.LegacyJavaEncryption(context, true, enabledCipherSuites, enabledProtocols, clientAuth);
     }
     /**
@@ -105,12 +105,14 @@ public interface Encryption {
         private final SSLContext context;
         private final boolean starttls;
         private final String[] enabledCipherSuites;
+        private final String[] enabledProtocols;
         private final ClientAuth clientAuth;
-        private LegacyJavaEncryption(SSLContext context, boolean starttls, String[] enabledCipherSuites, ClientAuth clientAuth) {
+        private LegacyJavaEncryption(SSLContext context, boolean starttls, String[] enabledCipherSuites, String[] enabledProtocols, ClientAuth clientAuth) {
             this.context = context;
             this.starttls = starttls;
             this.enabledCipherSuites = enabledCipherSuites;
+            this.enabledProtocols = enabledProtocols;
             this.clientAuth = clientAuth;
         }
@@ -167,10 +169,14 @@ public interface Encryption {
             // We need to copy the String array because of possible security issues.
             // See https://issues.apache.org/jira/browse/PROTOCOLS-18
             String[] cipherSuites = ArrayUtils.clone(enabledCipherSuites);
+            String[] protocols = ArrayUtils.clone(enabledProtocols);
             if (cipherSuites != null && cipherSuites.length > 0) {
                 engine.setEnabledCipherSuites(cipherSuites);
             }
+            if (protocols != null && protocols.length > 0) {
+                engine.setEnabledProtocols(protocols);
+            }
             if (ClientAuth.NEED.equals(clientAuth)) {
                 engine.setNeedClientAuth(true);
             }
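Review bot: `engine.setEnabledProtocols(protocols)` in the `@@ -167` hunk is the first place a configured protocol name is ever checked, and the JDK documents that call as throwing IllegalArgumentException for a name not in `getSupportedProtocols()`, so a typo or a version the JDK no longer ships would presumably fail every new connection rather than failing the server at startup. Validate the list once in the `LegacyJavaEncryption` constructor of the `@@ -105` hunk against `context.getSupportedSSLParameters().getProtocols()` and reject unknown names there, as sketched below; the cipher-suite list has the same latent issue but is pre-existing. The clone of `enabledProtocols` inherits the PROTOCOLS-18 rationale without saying so; a one-line `// Cloned for the same reason as the cipher suites (PROTOCOLS-18).` on the new line keeps that explicit. The method containing the `@@ -167` hunk starts outside the hunk and appears to continue past it.
```java
private LegacyJavaEncryption(SSLContext context, boolean starttls, String[] enabledCipherSuites, String[] enabledProtocols, ClientAuth clientAuth) {
    // … unchanged: field assignments …
    if (enabledProtocols != null) {
        List<String> supported = Arrays.asList(context.getSupportedSSLParameters().getProtocols());
        for (String protocol : enabledProtocols) {
            if (!supported.contains(protocol)) {
                throw new IllegalArgumentException("TLS protocol '" + protocol + "' is not supported by this JDK; supported: " + supported);
            }
        }
    }
}
```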
diff --git a/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/LegacyJavaEncryptionFactory.java b/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/LegacyJavaEncryptionFactory.java
index 2b81f8b6e4..ad2371ddc8 100644
--- a/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/LegacyJavaEncryptionFactory.java
+++ b/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/LegacyJavaEncryptionFactory.java
@@ -91,9 +91,9 @@ public class LegacyJavaEncryptionFactory implements Encryption.Factory {
         SSLContext context = sslFactoryBuilder.build().getSslContext();
         if (sslConfig.useStartTLS()) {
-            return Encryption.createStartTls(context, sslConfig.getEnabledCipherSuites(), sslConfig.getClientAuth());
+            return Encryption.createStartTls(context, sslConfig.getEnabledCipherSuites(), sslConfig.getEnabledProtocols(), sslConfig.getClientAuth());
         } else {
-            return Encryption.createTls(context, sslConfig.getEnabledCipherSuites(), sslConfig.getClientAuth());
+            return Encryption.createTls(context, sslConfig.getEnabledCipherSuites(), sslConfig.getEnabledProtocols(), sslConfig.getClientAuth());
         }
     }
diff --git a/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/SslConfig.java b/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/SslConfig.java
index 94aa6b411d..b46a4c4d6a 100644
--- a/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/SslConfig.java
+++ b/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/SslConfig.java
@@ -46,6 +46,7 @@ public class SslConfig {
         if (useStartTLS || useSSL) {
             String[] enabledCipherSuites = config.getStringArray("tls.supportedCipherSuites.cipherSuite");
+            String[] enabledProtocols = config.getStringArray("tls.supportedProtocols.protocol");
             String keystore = config.getString("tls.keystore", null);
             String privateKey = config.getString("tls.privateKey", null);
             String certificates = config.getString("tls.certificates", null);
@@ -61,9 +62,9 @@ public class SslConfig {
             boolean enableOCSPCRLChecks = config.getBoolean("tls.enableOCSPCRLChecks", false);
             LOGGER.info("TLS enabled with auth {} using truststore {}", clientAuth, truststore);
-            return new SslConfig(useStartTLS, useSSL, clientAuth, keystore, keystoreType, privateKey, certificates, secret, truststore, truststoreType, enabledCipherSuites, truststoreSecret, enableOCSPCRLChecks);
+            return new SslConfig(useStartTLS, useSSL, clientAuth, keystore, keystoreType, privateKey, certificates, secret, truststore, truststoreType, enabledCipherSuites, enabledProtocols, truststoreSecret, enableOCSPCRLChecks);
         } else {
-            return new SslConfig(useStartTLS, useSSL, clientAuth, null, null, null, null, null, null, null, null, null, false);
+            return new SslConfig(useStartTLS, useSSL, clientAuth, null, null, null, null, null, null, null, null, null, null, false);
         }
     }
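Review bot: The `tls.supportedProtocols.protocol` list read in the `@@ -46` hunk is passed through unvalidated and never logged, while the `LOGGER.info` line in the `@@ -62` hunk still reports only the client-auth mode and truststore, so an operator cannot tell from the startup log which protocol versions a listener will actually negotiate. Extend that line to `LOGGER.info("TLS enabled with auth {} using truststore {}, protocols {}, cipher suites {}", clientAuth, truststore, Arrays.toString(enabledProtocols), Arrays.toString(enabledCipherSuites));` (the `Arrays.toString` wrappers can be dropped if SLF4J's own array rendering is relied on). Because this knob can re-enable legacy versions, the example this commit adds to config-ssl-tls.xml (`TLSv1.2`, `TLSv1.1`, `TLSv1`, `SSLv3`) is what readers will copy; it omits `TLSv1.3` even though the `TLS_AES_256_GCM_SHA384` suite shown beside it is TLS 1.3-only, and TLS 1.0/1.1 and SSLv3 are deprecated by RFC 8996 and RFC 7568, so consider showing `TLSv1.3` and `TLSv1.2` only and stating that older versions are a deliberate, documented opt-in. The enclosing method begins before the `@@ -46` hunk.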
@@ -78,12 +79,13 @@ public class SslConfig {
     private final String truststore;
     private final String truststoreType;
     private final String[] enabledCipherSuites;
+    private final String[] enabledProtocols;
     private final char[] truststoreSecret;
     private final boolean enableOCSPCRLChecks;
     public SslConfig(boolean useStartTLS, boolean useSSL, ClientAuth clientAuth, String keystore, String keystoreType, String privateKey,
-                     String certificates, String secret, String truststore, String truststoreType, String[] enabledCipherSuites, char[] truststoreSecret,
-                     boolean enableOCSPCRLChecks) {
+                     String certificates, String secret, String truststore, String truststoreType, String[] enabledCipherSuites, String[] enabledProtocols,
+                     char[] truststoreSecret, boolean enableOCSPCRLChecks) {
         this.useStartTLS = useStartTLS;
         this.useSSL = useSSL;
         this.clientAuth = clientAuth;
@@ -95,6 +97,7 @@ public class SslConfig {
         this.truststore = truststore;
         this.truststoreType = truststoreType;
         this.enabledCipherSuites = enabledCipherSuites;
+        this.enabledProtocols = enabledProtocols;
         this.truststoreSecret = truststoreSecret;
         this.enableOCSPCRLChecks = enableOCSPCRLChecks;
     }
@@ -111,6 +114,10 @@ public class SslConfig {
         return enabledCipherSuites;
     }
+    public String[] getEnabledProtocols() {
+        return enabledProtocols;
+    }
+
     public boolean useSSL() {
         return useSSL;
     }
diff --git a/src/site/xdoc/server/config-ssl-tls.xml b/src/site/xdoc/server/config-ssl-tls.xml
index 23e510f11a..a991cee7de 100644
--- a/src/site/xdoc/server/config-ssl-tls.xml
+++ b/src/site/xdoc/server/config-ssl-tls.xml
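Review bot: `getEnabledProtocols()` in the `@@ -111` hunk hands out the internal `enabledProtocols` array by reference, so any caller can rewrite the protocol list the server will enable; the existing `getEnabledCipherSuites()` has the same shape, and the only defensive copy happens later in Encryption, which does not help other readers of SslConfig. Returning `ArrayUtils.clone(enabledProtocols)` (or `enabledProtocols == null ? null : enabledProtocols.clone()`) keeps the config object immutable in practice at negligible cost. A short Javadoc would also help, e.g. `/** Protocol names from tls.supportedProtocols.protocol; empty when none were configured, null when TLS is off. */`, since the `null` case comes from the `else` branch of the factory method in the previous hunk.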
@@ -73,6 +73,22 @@
 </tls>
 </source>
+    <p>Optionally, TLS protocols and/or cipher suites can be specified explicitly (smtpserver.xml, pop3server.xml, imapserver.xml,..).
+        Otherwise, the default protocols and cipher suites of the used JDK will be used.</p>
+<source>
+<tls socketTLS="false" startTLS="false">
+    <supportedCipherSuites>
+        <cipherSuite>TLS_AES_256_GCM_SHA384</cipherSuite>
+        <cipherSuite>TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256</cipherSuite>
+    </supportedCipherSuites>
+    <supportedProtocols>
+        <protocol>TLSv1.2</protocol>
+        <protocol>TLSv1.1</protocol>
+        <protocol>TLSv1</protocol>
+        <protocol>SSLv3</protocol>
+    </supportedProtocols>
+    </tls>
+</source>
 <p>Each of these block has an optional boolean configuration element <b>socketTLS</b> and <b>startTLS</b> which is used to toggle use of SSL or TLS for the service.</p>
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscr...@james.apache.org
For additional commands, e-mail: notifications-h...@james.apache.org