View Javadoc

1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.hadoop.hbase.http;
20  
21  import org.mortbay.jetty.security.SslSocketConnector;
22  
23  import javax.net.ssl.SSLServerSocket;
24  import java.io.IOException;
25  import java.net.ServerSocket;
26  import java.util.ArrayList;
27  
28  /**
29   * This subclass of the Jetty SslSocketConnector exists solely to control
30   * the TLS protocol versions allowed.  This is fallout from the POODLE
31   * vulnerability (CVE-2014-3566), which requires that SSLv3 be disabled.
32   * Only TLS 1.0 and later protocols are allowed.
33   */
34  public class SslSocketConnectorSecure extends SslSocketConnector {
35  
36    public SslSocketConnectorSecure() {
37      super();
38    }
39  
40    /**
41     * Create a new ServerSocket that will not accept SSLv3 connections,
42     * but will accept TLSv1.x connections.
43     */
44    protected ServerSocket newServerSocket(String host, int port,int backlog)
45            throws IOException {
46      SSLServerSocket socket = (SSLServerSocket)
47              super.newServerSocket(host, port, backlog);
48      ArrayList<String> nonSSLProtocols = new ArrayList<String>();
49      for (String p : socket.getEnabledProtocols()) {
50        if (!p.contains("SSLv3")) {
51          nonSSLProtocols.add(p);
52        }
53      }
54      socket.setEnabledProtocols(nonSSLProtocols.toArray(
55              new String[nonSSLProtocols.size()]));
56      return socket;
57    }
58  }