CLOUDSTACK-8160: use preferable protocols

(cherry picked from commit debfcdef788ce0d51be06db0ef10f6815f9b563b) Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2025-10-26 08:42:29 +01:00 · 2015-01-21 18:01:34 +05:30 · 2015-01-21 18:01:34 +05:30 · 664186f483
commit 664186f483
parent e7c80021d6
26 changed files with 156 additions and 47 deletions
--- a/client/tomcatconf/server-nonssl.xml.in
+++ b/client/tomcatconf/server-nonssl.xml.in
@ -82,7 +82,7 @@
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
-               clientAuth="false" sslProtocol="TLS" 
+               clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1"
               keystoreType="PKCS12"
 	       keystoreFile="conf\cloud-localhost.pk12" 
 	       keystorePass="password"
--- a/client/tomcatconf/server-ssl.xml.in
+++ b/client/tomcatconf/server-ssl.xml.in
@ -82,7 +82,7 @@
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
-               clientAuth="false" sslProtocol="TLS" 
+               clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1"
               keystoreType="PKCS12"
 	       keystoreFile="conf\cloud-localhost.pk12" 
 	       keystorePass="password"
--- a/client/tomcatconf/server7-nonssl.xml.in
+++ b/client/tomcatconf/server7-nonssl.xml.in
@ -82,7 +82,7 @@
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
-               clientAuth="false" sslProtocol="TLS"
+               clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1"
               keystoreType="PKCS12"
 	       keystoreFile="conf\cloud-localhost.pk12"
 	       keystorePass="password"
--- a/client/tomcatconf/server7-ssl.xml.in
+++ b/client/tomcatconf/server7-ssl.xml.in
@ -82,7 +82,7 @@
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
-               clientAuth="false" sslProtocol="TLS"
+               clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1"
               keystoreType="PKCS12"
 	       keystoreFile="conf\cloud-localhost.pk12"
 	       keystorePass="password"
--- a/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java
+++ b/engine/orchestration/src/com/cloud/agent/manager/ClusteredAgentManagerImpl.java
@ -53,6 +53,7 @@ import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.managed.context.ManagedContextRunnable;
 import org.apache.cloudstack.managed.context.ManagedContextTimerTask;
 import org.apache.cloudstack.utils.identity.ManagementServerNode;
+import org.apache.cloudstack.utils.security.SSLUtils;

 import com.cloud.agent.AgentManager;
 import com.cloud.agent.api.Answer;
@ -505,6 +506,7 @@ public class ClusteredAgentManagerImpl extends AgentManagerImpl implements Clust
                        SSLContext sslContext = Link.initSSLContext(true);
                        sslEngine = sslContext.createSSLEngine(ip, Port.value());
                        sslEngine.setUseClientMode(true);
+                        sslEngine.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslEngine.getEnabledProtocols()));

                        Link.doHandshake(ch1, sslEngine, true);
                        s_logger.info("SSL: Handshake done");
--- a/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
+++ b/plugins/event-bus/rabbitmq/src/org/apache/cloudstack/mom/rabbitmq/RabbitMQEventBus.java
@ -59,6 +59,7 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus {
    private static Integer port;
    private static String username;
    private static String password;
+    private static String secureProtocol = "TLSv1.2";

    public synchronized static void setVirtualHost(String virtualHost) {
        RabbitMQEventBus.virtualHost = virtualHost;
@ -153,6 +154,10 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus {
        RabbitMQEventBus.port = port;
    }

+    public void setSecureProtocol(String protocol) {
+        RabbitMQEventBus.secureProtocol = protocol;
+    }
+
    @Override
    public void setName(String name) {
        this.name = name;
@ -373,7 +378,7 @@ public class RabbitMQEventBus extends ManagerBase implements EventBus {
            }

            if (useSsl != null && !useSsl.isEmpty() && useSsl.equalsIgnoreCase("true")) {
-                factory.useSslProtocol();
+                factory.useSslProtocol(this.secureProtocol);
            }
            Connection connection = factory.newConnection();
            connection.addShutdownListener(disconnectHandler);
--- a/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/XenServerConnectionPool.java
+++ b/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/XenServerConnectionPool.java
@ -35,6 +35,8 @@ import org.apache.log4j.Logger;
 import org.apache.xmlrpc.XmlRpcException;
 import org.apache.xmlrpc.client.XmlRpcClientException;

+import org.apache.cloudstack.utils.security.SSLUtils;
+
 import com.xensource.xenapi.APIVersion;
 import com.xensource.xenapi.Connection;
 import com.xensource.xenapi.Host;
@ -77,7 +79,7 @@ public class XenServerConnectionPool {
            javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
            javax.net.ssl.TrustManager tm = new TrustAllManager();
            trustAllCerts[0] = tm;
-            javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("TLS");
+            javax.net.ssl.SSLContext sc = SSLUtils.getSSLContext();
            sc.init(null, trustAllCerts, null);
            javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
            HostnameVerifier hv = new HostnameVerifier() {
--- a/plugins/network-elements/opendaylight/src/main/java/org/apache/cloudstack/network/opendaylight/api/NeutronRestApi.java
+++ b/plugins/network-elements/opendaylight/src/main/java/org/apache/cloudstack/network/opendaylight/api/NeutronRestApi.java
@ -19,6 +19,7 @@

 package org.apache.cloudstack.network.opendaylight.api;

+import org.apache.cloudstack.utils.security.SSLUtils;
 import java.io.IOException;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.InvocationTargetException;
@ -33,6 +34,7 @@ import java.security.NoSuchAlgorithmException;
 import java.security.cert.X509Certificate;

 import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
@ -175,7 +177,7 @@ public class NeutronRestApi {

            try {
                // Install the all-trusting trust manager
-                SSLContext sc = SSLContext.getInstance("SSL");
+                SSLContext sc = SSLUtils.getSSLContext();
                sc.init(null, trustAllCerts, new java.security.SecureRandom());
                ssf = sc.getSocketFactory();
            } catch (KeyManagementException e) {
@ -187,17 +189,23 @@ public class NeutronRestApi {

        @Override
        public Socket createSocket(final String host, final int port) throws IOException {
-            return ssf.createSocket(host, port);
+            SSLSocket s = (SSLSocket) ssf.createSocket(host, port);
+            s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols()));
+            return s;
        }

        @Override
        public Socket createSocket(final String address, final int port, final InetAddress localAddress, final int localPort) throws IOException, UnknownHostException {
-            return ssf.createSocket(address, port, localAddress, localPort);
+            SSLSocket s = (SSLSocket) ssf.createSocket(address, port, localAddress, localPort);
+            s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols()));
+            return s;
        }

        @Override
        public Socket createSocket(final Socket socket, final String host, final int port, final boolean autoClose) throws IOException, UnknownHostException {
-            return ssf.createSocket(socket, host, port, autoClose);
+            SSLSocket s = (SSLSocket) ssf.createSocket(socket, host, port, autoClose);
+            s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols()));
+            return s;
        }

        @Override
@ -207,7 +215,8 @@ public class NeutronRestApi {
            if (timeout == 0) {
                return createSocket(host, port, localAddress, localPort);
            } else {
-                Socket s = ssf.createSocket();
+                SSLSocket s = (SSLSocket) ssf.createSocket();
+                s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols()));
                s.bind(new InetSocketAddress(localAddress, localPort));
                s.connect(new InetSocketAddress(host, port), timeout);
                return s;
--- a/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java
+++ b/plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java
@ -27,6 +27,8 @@ import javax.net.ssl.SSLSocket;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;

+import org.apache.cloudstack.utils.security.SSLUtils;
+
 import org.apache.http.client.HttpClient;
 import org.apache.http.conn.ClientConnectionManager;
 import org.apache.http.conn.scheme.Scheme;
@ -39,7 +41,7 @@ public class HttpClientWrapper {

    public static HttpClient wrapClient(HttpClient base) {
        try {
-            SSLContext ctx = SSLContext.getInstance("TLS");
+            SSLContext ctx = SSLUtils.getSSLContext();
            X509TrustManager tm = new X509TrustManager() {

                @Override
--- a/plugins/storage/volume/cloudbyte/src/org/apache/cloudstack/storage/datastore/util/ElastistorUtil.java
+++ b/plugins/storage/volume/cloudbyte/src/org/apache/cloudstack/storage/datastore/util/ElastistorUtil.java
@ -39,6 +39,7 @@ import javax.ws.rs.core.UriBuilder;

 import org.apache.http.auth.InvalidCredentialsException;
 import org.apache.log4j.Logger;
+import org.apache.cloudstack.utils.security.SSLUtils;

 import com.google.gson.Gson;
 import com.google.gson.annotations.SerializedName;
@ -1086,7 +1087,7 @@ public class ElastistorUtil {

                // Install the all-trusting trust manager
                try {
-                    SSLContext sc = SSLContext.getInstance("TLS");
+                    SSLContext sc = SSLUtils.getSSLContext();
                    sc.init(null, trustAllCerts, new SecureRandom());
                    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
                    HttpsURLConnection.setDefaultHostnameVerifier(hv);
--- a/plugins/storage/volume/nexenta/src/org/apache/cloudstack/storage/datastore/util/NexentaNmsClient.java
+++ b/plugins/storage/volume/nexenta/src/org/apache/cloudstack/storage/datastore/util/NexentaNmsClient.java
@ -45,6 +45,8 @@ import org.apache.http.impl.client.DefaultHttpClient;
 import org.apache.http.impl.conn.BasicClientConnectionManager;
 import org.apache.log4j.Logger;

+import org.apache.cloudstack.utils.security.SSLUtils;
+
 import com.google.gson.Gson;
 import com.google.gson.annotations.SerializedName;

@ -80,7 +82,7 @@ public class NexentaNmsClient {

    protected DefaultHttpClient getHttpsClient() {
        try {
-            SSLContext sslContext = SSLContext.getInstance("SSL");
+            SSLContext sslContext = SSLUtils.getSSLContext();
            X509TrustManager tm = new X509TrustManager() {
                @Override
                public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException {
--- a/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java
+++ b/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/util/SolidFireUtil.java
@ -54,6 +54,8 @@ import org.apache.http.entity.StringEntity;
 import org.apache.http.impl.client.DefaultHttpClient;
 import org.apache.http.impl.conn.BasicClientConnectionManager;

+import org.apache.cloudstack.utils.security.SSLUtils;
+
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;

@ -1688,7 +1690,7 @@ public class SolidFireUtil {

    private static DefaultHttpClient getHttpClient(int iPort) {
        try {
-            SSLContext sslContext = SSLContext.getInstance("SSL");
+            SSLContext sslContext = SSLUtils.getSSLContext();
            X509TrustManager tm = new X509TrustManager() {
                @Override
                public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException {
--- a/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
+++ b/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java
@ -139,7 +139,7 @@ public class SocketWrapperImpl extends PipelineImpl implements SocketWrapper {

            SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
            sslSocket = (SSLSocket)sslSocketFactory.createSocket(socket, address.getHostName(), address.getPort(), true);
-
+            sslSocket.setEnabledProtocols(new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"});
            sslSocket.startHandshake();

            InputStream sis = sslSocket.getInputStream();
--- a/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
+++ b/services/console-proxy/server/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
@ -21,6 +21,7 @@ import com.sun.net.httpserver.HttpServer;
 import com.sun.net.httpserver.HttpsConfigurator;
 import com.sun.net.httpserver.HttpsParameters;
 import com.sun.net.httpserver.HttpsServer;
+import org.apache.cloudstack.utils.security.SSLUtils;
 import org.apache.log4j.Logger;

 import javax.net.ssl.KeyManagerFactory;
@ -71,7 +72,7 @@ public class ConsoleProxySecureServerFactoryImpl implements ConsoleProxyServerFa
                tmf.init(ks);
                s_logger.info("Trust manager factory is initialized");

-                sslContext = SSLContext.getInstance("TLS");
+                sslContext = SSLUtils.getSSLContext();
                sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
                s_logger.info("SSL context is initialized");
            } catch (Exception ioe) {
@ -94,7 +95,7 @@ public class ConsoleProxySecureServerFactoryImpl implements ConsoleProxyServerFa
                tmf.init(ks);
                s_logger.info("Trust manager factory is initialized");

-                sslContext = SSLContext.getInstance("TLS");
+                sslContext = SSLUtils.getSSLContext();
                sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
                s_logger.info("SSL context is initialized");
            } catch (Exception e) {
@ -139,6 +140,7 @@ public class ConsoleProxySecureServerFactoryImpl implements ConsoleProxyServerFa
            SSLServerSocket srvSock = null;
            SSLServerSocketFactory ssf = sslContext.getServerSocketFactory();
            srvSock = (SSLServerSocket)ssf.createServerSocket(port);
+            srvSock.setEnabledProtocols(SSLUtils.getSupportedProtocols(srvSock.getEnabledProtocols()));

            s_logger.info("create SSL server socket on port: " + port);
            return srvSock;
--- a/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java
+++ b/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java
@ -16,6 +16,8 @@
 // under the License.
 package com.cloud.consoleproxy.util;

+import org.apache.cloudstack.utils.security.SSLUtils;
+
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@ -134,7 +136,15 @@ public final class RawHTTP {

    private Socket _getSocket() throws IOException {
        if (useSSL) {
-            SSLContext context = getClientSSLContext();
+            SSLContext context = null;
+            try {
+                context = SSLUtils.getSSLContext("SunJSSE");
+            } catch (NoSuchAlgorithmException e) {
+                s_logger.error("Unexpected exception ", e);
+            } catch (NoSuchProviderException e) {
+                s_logger.error("Unexpected exception ", e);
+            }
+
            if (context == null)
                throw new IOException("Unable to setup SSL context");

@ -143,6 +153,7 @@ public final class RawHTTP {
                context.init(null, trustAllCerts, new SecureRandom());
                SocketFactory factory = context.getSocketFactory();
                ssl = (SSLSocket)factory.createSocket(host, port);
+                ssl.setEnabledProtocols(SSLUtils.getSupportedProtocols(ssl.getEnabledProtocols()));
                /* ssl.setSSLParameters(context.getDefaultSSLParameters()); */
            } catch (IOException e) {
                s_logger.error("IOException: " + e.getMessage(), e);
@ -229,16 +240,4 @@ public final class RawHTTP {
            }
        }
    }
-
-    private SSLContext getClientSSLContext() {
-        SSLContext sslContext = null;
-        try {
-            sslContext = SSLContext.getInstance("SSL", "SunJSSE");
-        } catch (NoSuchAlgorithmException e) {
-            s_logger.error("Unexpected exception ", e);
-        } catch (NoSuchProviderException e) {
-            s_logger.error("Unexpected exception ", e);
-        }
-        return sslContext;
-    }
 }
--- a/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl
+++ b/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl
@ -42,6 +42,7 @@
 	#   SSL Engine Switch:
 	#   Enable/Disable SSL for this virtual host.
 	SSLEngine on
+	SSLProtocol all -SSLv2 -SSLv3

 	#   A self-signed (snakeoil) certificate can be created by installing
 	#   the ssl-cert package. See
--- a/systemvm/patches/debian/config/etc/apache2/vhostexample.conf
+++ b/systemvm/patches/debian/config/etc/apache2/vhostexample.conf
@ -86,6 +86,7 @@
 	#   SSL Engine Switch:
 	#   Enable/Disable SSL for this virtual host.
 	SSLEngine on
+	SSLProtocol all -SSLv2 -SSLv3

 	#   A self-signed (snakeoil) certificate can be created by installing
 	#   the ssl-cert package. See
--- a/systemvm/scripts/config_ssl.sh
+++ b/systemvm/scripts/config_ssl.sh
@ -37,6 +37,7 @@ config_httpd_conf() {
  echo "  DocumentRoot /var/www/html/" >> /etc/httpd/conf/httpd.conf
  echo "  ServerName $srvr" >> /etc/httpd/conf/httpd.conf
  echo "  SSLEngine on" >>  /etc/httpd/conf/httpd.conf
+  echo "  SSLProtocol all -SSLv2 -SSLv3" >>  /etc/httpd/conf/httpd.conf
  echo "  SSLCertificateFile /etc/httpd/ssl/certs/realhostip.crt" >>  /etc/httpd/conf/httpd.conf
  echo "  SSLCertificateKeyFile /etc/httpd/ssl/keys/realhostip.key" >> /etc/httpd/conf/httpd.conf
  echo "</VirtualHost>" >> /etc/httpd/conf/httpd.conf
@ -54,6 +55,7 @@ config_apache2_conf() {
  sed -i -e "s/NameVirtualHost .*:80/NameVirtualHost $ip:80/g" /etc/apache2/ports.conf
  sed -i  's/ssl-cert-snakeoil.key/cert_apache.key/' /etc/apache2/sites-available/default-ssl
  sed -i  's/ssl-cert-snakeoil.pem/cert_apache.crt/' /etc/apache2/sites-available/default-ssl
+  sed -i  's/SSLProtocol.*$/SSLProtocol all -SSLv2 -SSLv3/' /etc/apache2/sites-available/default-ssl
  if [ -f /etc/ssl/certs/cert_apache_chain.crt ]
  then
    sed -i -e "s/#SSLCertificateChainFile.*/SSLCertificateChainFile \/etc\/ssl\/certs\/cert_apache_chain.crt/" /etc/apache2/sites-available/default-ssl
--- a/utils/src/com/cloud/utils/nio/Link.java
+++ b/utils/src/com/cloud/utils/nio/Link.java
@ -44,6 +44,7 @@ import javax.net.ssl.SSLSession;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;

+import org.apache.cloudstack.utils.security.SSLUtils;
 import org.apache.log4j.Logger;

 import com.cloud.utils.PropertiesUtil;
@ -443,7 +444,7 @@ public class Link {
            tms[0] = new TrustAllManager();
        }

-        sslContext = SSLContext.getInstance("TLS");
+        sslContext = SSLUtils.getSSLContext();
        sslContext.init(kmf.getKeyManagers(), tms, null);
        if (s_logger.isTraceEnabled()) {
            s_logger.trace("SSL: SSLcontext has been initialized");
--- a/utils/src/com/cloud/utils/nio/NioClient.java
+++ b/utils/src/com/cloud/utils/nio/NioClient.java
@ -31,6 +31,8 @@ import javax.net.ssl.SSLEngine;

 import org.apache.log4j.Logger;

+import org.apache.cloudstack.utils.security.SSLUtils;
+
 public class NioClient extends NioConnection {
    private static final Logger s_logger = Logger.getLogger(NioClient.class);

@ -74,6 +76,7 @@ public class NioClient extends NioConnection {
            SSLContext sslContext = Link.initSSLContext(true);
            sslEngine = sslContext.createSSLEngine(_host, _port);
            sslEngine.setUseClientMode(true);
+            sslEngine.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslEngine.getEnabledProtocols()));

            Link.doHandshake(_clientConnection, sslEngine, true);
            s_logger.info("SSL: Handshake done");
--- a/utils/src/com/cloud/utils/nio/NioConnection.java
+++ b/utils/src/com/cloud/utils/nio/NioConnection.java
@ -41,6 +41,8 @@ import java.util.concurrent.TimeUnit;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;

+import org.apache.cloudstack.utils.security.SSLUtils;
+
 import org.apache.log4j.Logger;

 import com.cloud.utils.concurrency.NamedThreadFactory;
@ -198,6 +200,7 @@ public abstract class NioConnection implements Runnable {
            sslEngine = sslContext.createSSLEngine();
            sslEngine.setUseClientMode(false);
            sslEngine.setNeedClientAuth(false);
+            sslEngine.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslEngine.getEnabledProtocols()));

            Link.doHandshake(socketChannel, sslEngine, false);

--- a/utils/src/com/cloud/utils/rest/RESTServiceConnector.java
+++ b/utils/src/com/cloud/utils/rest/RESTServiceConnector.java
@ -37,6 +37,7 @@ import java.util.Map;
 import java.util.Map.Entry;

 import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
@ -61,6 +62,8 @@ import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
 import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
 import org.apache.log4j.Logger;

+import org.apache.cloudstack.utils.security.SSLUtils;
+
 import com.google.gson.FieldNamingPolicy;
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
@ -334,7 +337,7 @@ public class RESTServiceConnector {

            try {
                // Install the all-trusting trust manager
-                final SSLContext sc = SSLContext.getInstance("SSL");
+                final SSLContext sc = SSLUtils.getSSLContext();
                sc.init(null, trustAllCerts, new java.security.SecureRandom());
                ssf = sc.getSocketFactory();
            } catch (final KeyManagementException e) {
@ -346,17 +349,23 @@ public class RESTServiceConnector {

        @Override
        public Socket createSocket(final String host, final int port) throws IOException {
-            return ssf.createSocket(host, port);
+            SSLSocket socket = (SSLSocket) ssf.createSocket(host, port);
+            socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols()));
+            return socket;
        }

        @Override
        public Socket createSocket(final String address, final int port, final InetAddress localAddress, final int localPort) throws IOException, UnknownHostException {
-            return ssf.createSocket(address, port, localAddress, localPort);
+            SSLSocket socket = (SSLSocket) ssf.createSocket(address, port, localAddress, localPort);
+            socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols()));
+            return socket;
        }

        @Override
        public Socket createSocket(final Socket socket, final String host, final int port, final boolean autoClose) throws IOException, UnknownHostException {
-            return ssf.createSocket(socket, host, port, autoClose);
+            SSLSocket s = (SSLSocket) ssf.createSocket(socket, host, port, autoClose);
+            s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols()));
+            return s;
        }

        @Override
@ -366,7 +375,8 @@ public class RESTServiceConnector {
            if (timeout == 0) {
                return createSocket(host, port, localAddress, localPort);
            } else {
-                final Socket s = ssf.createSocket();
+                final SSLSocket s = (SSLSocket) ssf.createSocket();
+                s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols()));
                s.bind(new InetSocketAddress(localAddress, localPort));
                s.connect(new InetSocketAddress(host, port), timeout);
                return s;
--- a/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java
+++ b/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java
@ -0,0 +1,51 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package org.apache.cloudstack.utils.security;
+
+import org.apache.log4j.Logger;
+
+import javax.net.ssl.SSLContext;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.util.HashSet;
+import java.util.Set;
+
+public class SSLUtils {
+    public static final Logger s_logger = Logger.getLogger(SSLUtils.class);
+
+    public static String[] getSupportedProtocols(String[] protocols) {
+        Set set = new HashSet();
+        for (String s : protocols) {
+            if (s.equals("SSLv3") || s.equals("SSLv2Hello")) {
+                continue;
+            }
+            set.add(s);
+        }
+        return (String[]) set.toArray(new String[set.size()]);
+    }
+
+    public static SSLContext getSSLContext() throws NoSuchAlgorithmException {
+        return SSLContext.getInstance("TLSv1.2");
+    }
+
+    public static SSLContext getSSLContext(String provider) throws NoSuchAlgorithmException, NoSuchProviderException {
+        return SSLContext.getInstance("TLSv1.2", provider);
+    }
+}
--- a/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java
+++ b/utils/src/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java
@ -19,6 +19,7 @@

 package org.apache.commons.httpclient.contrib.ssl;

+import org.apache.cloudstack.utils.security.SSLUtils;
 import org.apache.commons.httpclient.ConnectTimeoutException;
 import org.apache.commons.httpclient.HttpClientError;
 import org.apache.commons.httpclient.params.HttpConnectionParams;
@ -28,6 +29,7 @@ import org.apache.commons.logging.LogFactory;

 import javax.net.SocketFactory;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
 import javax.net.ssl.TrustManager;
 import java.io.IOException;
 import java.net.InetAddress;
@ -99,7 +101,7 @@ public class EasySSLProtocolSocketFactory implements ProtocolSocketFactory {

    private static SSLContext createEasySSLContext() {
        try {
-            SSLContext context = SSLContext.getInstance("SSL");
+            SSLContext context = SSLUtils.getSSLContext();
            context.init(null, new TrustManager[] {new EasyX509TrustManager(null)}, null);
            return context;
        } catch (Exception e) {
@ -120,8 +122,9 @@ public class EasySSLProtocolSocketFactory implements ProtocolSocketFactory {
     */
    @Override
    public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort) throws IOException, UnknownHostException {
-
-        return getSSLContext().getSocketFactory().createSocket(host, port, clientHost, clientPort);
+        SSLSocket socket = (SSLSocket) getSSLContext().getSocketFactory().createSocket(host, port, clientHost, clientPort);
+        socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols()));
+        return socket;
    }

    /**
@ -135,8 +138,8 @@ public class EasySSLProtocolSocketFactory implements ProtocolSocketFactory {
     *
     * @param host the host name/IP
     * @param port the port on the host
-     * @param clientHost the local host name/IP to bind the socket to
-     * @param clientPort the port on the local machine
+     * @param localAddress the local host name/IP to bind the socket to
+     * @param localPort the port on the local machine
     * @param params {@link HttpConnectionParams Http connection parameters}
     *
     * @return Socket a new socket
@ -156,7 +159,8 @@ public class EasySSLProtocolSocketFactory implements ProtocolSocketFactory {
        if (timeout == 0) {
            return socketfactory.createSocket(host, port, localAddress, localPort);
        } else {
-            Socket socket = socketfactory.createSocket();
+            SSLSocket socket = (SSLSocket)  socketfactory.createSocket();
+            socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols()));
            SocketAddress localaddr = new InetSocketAddress(localAddress, localPort);
            SocketAddress remoteaddr = new InetSocketAddress(host, port);
            socket.bind(localaddr);
@ -170,11 +174,15 @@ public class EasySSLProtocolSocketFactory implements ProtocolSocketFactory {
     */
    @Override
    public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
-        return getSSLContext().getSocketFactory().createSocket(host, port);
+        SSLSocket socket = (SSLSocket) getSSLContext().getSocketFactory().createSocket(host, port);
+        socket.setEnabledProtocols(SSLUtils.getSupportedProtocols(socket.getEnabledProtocols()));
+        return socket;
    }

    public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException, UnknownHostException {
-        return getSSLContext().getSocketFactory().createSocket(socket, host, port, autoClose);
+        SSLSocket s= (SSLSocket) getSSLContext().getSocketFactory().createSocket(socket, host, port, autoClose);
+        s.setEnabledProtocols(SSLUtils.getSupportedProtocols(s.getEnabledProtocols()));
+        return s;
    }

    @Override
--- a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java
+++ b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java
@ -32,6 +32,8 @@ import javax.xml.ws.handler.MessageContext;

 import org.apache.log4j.Logger;

+import org.apache.cloudstack.utils.security.SSLUtils;
+
 import com.vmware.vim25.DynamicProperty;
 import com.vmware.vim25.InvalidCollectorVersionFaultMsg;
 import com.vmware.vim25.InvalidPropertyFaultMsg;
@ -103,7 +105,7 @@ public class VmwareClient {
        javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
        javax.net.ssl.TrustManager tm = new TrustAllTrustManager();
        trustAllCerts[0] = tm;
-        javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("SSL");
+        javax.net.ssl.SSLContext sc = SSLUtils.getSSLContext();
        javax.net.ssl.SSLSessionContext sslsc = sc.getServerSessionContext();
        sslsc.setSessionTimeout(0);
        sc.init(null, trustAllCerts, null);
--- a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java
+++ b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java
@ -41,6 +41,7 @@ import javax.net.ssl.SSLSession;
 import javax.xml.ws.soap.SOAPFaultException;

 import org.apache.log4j.Logger;
+import org.apache.cloudstack.utils.security.SSLUtils;

 import com.vmware.vim25.ManagedObjectReference;
 import com.vmware.vim25.ObjectContent;
@ -79,7 +80,7 @@ public class VmwareContext {
            javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
            javax.net.ssl.TrustManager tm = new TrustAllManager();
            trustAllCerts[0] = tm;
-            javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("SSL");
+            javax.net.ssl.SSLContext sc = SSLUtils.getSSLContext();
            sc.init(null, trustAllCerts, null);
            javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());