From c8901a799076859f9bc0100ad0ace2677d2270d9 Mon Sep 17 00:00:00 2001 From: Rohit Yadav Date: Fri, 13 Mar 2015 17:31:30 +0530 Subject: [PATCH] utils: use a better extended implementation of SSLSocketFactory Signed-off-by: Rohit Yadav (cherry picked from commit b4a5a32a7488ecd93f295670e7f641fc32198aa7) Signed-off-by: Rohit Yadav --- .../resource/XenServerConnectionPool.java | 45 +++---- .../opendaylight/api/NeutronRestApi.java | 38 +++--- .../datastore/util/ElastistorUtil.java | 45 +++---- .../main/java/streamer/SocketWrapperImpl.java | 29 ++-- .../com/cloud/consoleproxy/util/RawHTTP.java | 16 ++- .../utils/rest/RESTServiceConnector.java | 60 ++++----- .../cloudstack/utils/security/SSLUtils.java | 7 + .../security/SecureSSLSocketFactory.java | 124 ++++++++++++++++++ .../hypervisor/vmware/util/VmwareClient.java | 36 +++-- .../hypervisor/vmware/util/VmwareContext.java | 44 +++---- 10 files changed, 282 insertions(+), 162 deletions(-) create mode 100644 utils/src/org/apache/cloudstack/utils/security/SecureSSLSocketFactory.java diff --git a/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/XenServerConnectionPool.java b/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/XenServerConnectionPool.java index 8df415e2612..9bc8d9e8bf0 100644 --- a/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/XenServerConnectionPool.java +++ b/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/XenServerConnectionPool.java 
@@ -16,6 +16,26 @@ // under the License. package com.cloud.hypervisor.xenserver.resource; +import com.cloud.utils.NumbersUtil; +import com.cloud.utils.PropertiesUtil; +import com.cloud.utils.exception.CloudRuntimeException; +import com.xensource.xenapi.APIVersion; +import com.xensource.xenapi.Connection; +import com.xensource.xenapi.Host; +import com.xensource.xenapi.Pool; +import com.xensource.xenapi.Session; +import com.xensource.xenapi.Types; +import com.xensource.xenapi.Types.BadServerResponse; +import com.xensource.xenapi.Types.XenAPIException; +import org.apache.cloudstack.utils.security.SSLUtils; +import org.apache.cloudstack.utils.security.SecureSSLSocketFactory; +import org.apache.log4j.Logger; +import org.apache.xmlrpc.XmlRpcException; +import org.apache.xmlrpc.client.XmlRpcClientException; + +import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.HttpsURLConnection; +import javax.net.ssl.SSLSession; import java.io.File; import java.io.FileNotFoundException; import java.io.IOException; 
@@ -27,29 +47,6 @@ import java.util.Map; import java.util.Properties; import java.util.Queue; -import javax.net.ssl.HostnameVerifier; -import javax.net.ssl.HttpsURLConnection; -import javax.net.ssl.SSLSession; - -import org.apache.log4j.Logger; -import org.apache.xmlrpc.XmlRpcException; -import org.apache.xmlrpc.client.XmlRpcClientException; - -import org.apache.cloudstack.utils.security.SSLUtils; - -import com.xensource.xenapi.APIVersion; -import com.xensource.xenapi.Connection; -import com.xensource.xenapi.Host; -import com.xensource.xenapi.Pool; -import com.xensource.xenapi.Session; -import com.xensource.xenapi.Types; -import com.xensource.xenapi.Types.BadServerResponse; -import com.xensource.xenapi.Types.XenAPIException; - -import com.cloud.utils.NumbersUtil; -import com.cloud.utils.PropertiesUtil; -import com.cloud.utils.exception.CloudRuntimeException; - public class XenServerConnectionPool { private static final Logger s_logger = Logger.getLogger(XenServerConnectionPool.class); protected HashMap _conns = new HashMap(); @@ -81,7 +78,7 @@ public class XenServerConnectionPool { trustAllCerts[0] = tm; javax.net.ssl.SSLContext sc = SSLUtils.getSSLContext(); sc.init(null, trustAllCerts, null); - javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); + javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(new SecureSSLSocketFactory(sc)); HostnameVerifier hv = new HostnameVerifier() { @Override public boolean verify(String hostName, SSLSession session) { diff --git a/plugins/network-elements/opendaylight/src/main/java/org/apache/cloudstack/network/opendaylight/api/NeutronRestApi.java b/plugins/network-elements/opendaylight/src/main/java/org/apache/cloudstack/network/opendaylight/api/NeutronRestApi.java index 528a4ac4a32..ab6595ef696 100644 --- a/plugins/network-elements/opendaylight/src/main/java/org/apache/cloudstack/network/opendaylight/api/NeutronRestApi.java 
+++ b/plugins/network-elements/opendaylight/src/main/java/org/apache/cloudstack/network/opendaylight/api/NeutronRestApi.java @@ -20,6 +20,24 @@ package org.apache.cloudstack.network.opendaylight.api; import org.apache.cloudstack.utils.security.SSLUtils; +import org.apache.cloudstack.utils.security.SecureSSLSocketFactory; +import org.apache.commons.httpclient.ConnectTimeoutException; +import org.apache.commons.httpclient.HttpClient; +import org.apache.commons.httpclient.HttpException; +import org.apache.commons.httpclient.HttpMethodBase; +import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager; +import org.apache.commons.httpclient.cookie.CookiePolicy; +import org.apache.commons.httpclient.params.HttpConnectionParams; +import org.apache.commons.httpclient.protocol.Protocol; +import org.apache.commons.httpclient.protocol.ProtocolSocketFactory; +import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory; +import org.apache.log4j.Logger; + +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocket; +import javax.net.ssl.SSLSocketFactory; +import javax.net.ssl.TrustManager; +import javax.net.ssl.X509TrustManager; import java.io.IOException; import java.lang.reflect.Constructor; import java.lang.reflect.InvocationTargetException; 
@@ -33,24 +51,6 @@ import java.security.KeyManagementException; import java.security.NoSuchAlgorithmException; import java.security.cert.X509Certificate; -import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLSocket; -import javax.net.ssl.SSLSocketFactory; -import javax.net.ssl.TrustManager; -import javax.net.ssl.X509TrustManager; - -import org.apache.commons.httpclient.ConnectTimeoutException; -import org.apache.commons.httpclient.HttpClient; -import org.apache.commons.httpclient.HttpException; -import org.apache.commons.httpclient.HttpMethodBase; -import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager; -import org.apache.commons.httpclient.cookie.CookiePolicy; -import org.apache.commons.httpclient.params.HttpConnectionParams; -import org.apache.commons.httpclient.protocol.Protocol; -import org.apache.commons.httpclient.protocol.ProtocolSocketFactory; -import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory; -import org.apache.log4j.Logger; - public class NeutronRestApi { private static final Logger s_logger = Logger.getLogger(NeutronRestApi.class); @@ -179,7 +179,7 @@ public class NeutronRestApi { // Install the all-trusting trust manager SSLContext sc = SSLUtils.getSSLContext(); sc.init(null, trustAllCerts, new java.security.SecureRandom()); - ssf = sc.getSocketFactory(); + ssf = new SecureSSLSocketFactory(sc); } catch (KeyManagementException e) { throw new IOException(e); } catch (NoSuchAlgorithmException e) { diff --git a/plugins/storage/volume/cloudbyte/src/org/apache/cloudstack/storage/datastore/util/ElastistorUtil.java b/plugins/storage/volume/cloudbyte/src/org/apache/cloudstack/storage/datastore/util/ElastistorUtil.java index 564ba8ef296..861c18081a5 100644 --- a/plugins/storage/volume/cloudbyte/src/org/apache/cloudstack/storage/datastore/util/ElastistorUtil.java +++ b/plugins/storage/volume/cloudbyte/src/org/apache/cloudstack/storage/datastore/util/ElastistorUtil.java 
@@ -19,11 +19,21 @@ package org.apache.cloudstack.storage.datastore.util; -import java.net.ConnectException; -import java.security.InvalidParameterException; -import java.security.SecureRandom; -import java.security.cert.X509Certificate; -import java.util.HashMap; +import com.cloud.agent.api.Answer; +import com.cloud.utils.exception.CloudRuntimeException; +import com.google.gson.Gson; +import com.google.gson.annotations.SerializedName; +import com.sun.jersey.api.client.Client; +import com.sun.jersey.api.client.ClientResponse; +import com.sun.jersey.api.client.WebResource; +import com.sun.jersey.api.client.config.ClientConfig; +import com.sun.jersey.api.client.config.DefaultClientConfig; +import com.sun.jersey.core.util.MultivaluedMapImpl; +import org.apache.cloudstack.framework.config.dao.ConfigurationDao; +import org.apache.cloudstack.utils.security.SSLUtils; +import org.apache.cloudstack.utils.security.SecureSSLSocketFactory; +import org.apache.http.auth.InvalidCredentialsException; +import org.apache.log4j.Logger; import javax.naming.ServiceUnavailableException; import javax.net.ssl.HostnameVerifier; 
@@ -36,24 +46,11 @@ import javax.net.ssl.X509TrustManager; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.UriBuilder; - -import org.apache.http.auth.InvalidCredentialsException; -import org.apache.log4j.Logger; -import org.apache.cloudstack.utils.security.SSLUtils; - -import com.google.gson.Gson; -import com.google.gson.annotations.SerializedName; -import com.sun.jersey.api.client.Client; -import com.sun.jersey.api.client.ClientResponse; -import com.sun.jersey.api.client.WebResource; -import com.sun.jersey.api.client.config.ClientConfig; -import com.sun.jersey.api.client.config.DefaultClientConfig; -import com.sun.jersey.core.util.MultivaluedMapImpl; - -import org.apache.cloudstack.framework.config.dao.ConfigurationDao; - -import com.cloud.agent.api.Answer; -import com.cloud.utils.exception.CloudRuntimeException; +import java.net.ConnectException; +import java.security.InvalidParameterException; +import java.security.SecureRandom; +import java.security.cert.X509Certificate; +import java.util.HashMap; public class ElastistorUtil { @@ -1098,7 +1095,7 @@ public class ElastistorUtil { try { SSLContext sc = SSLUtils.getSSLContext(); sc.init(null, trustAllCerts, new SecureRandom()); - HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); + HttpsURLConnection.setDefaultSSLSocketFactory(new SecureSSLSocketFactory(sc)); HttpsURLConnection.setDefaultHostnameVerifier(hv); } catch (Exception e) { ; diff --git a/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java b/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java index 14089ce609c..4713173bd2e 100644 --- a/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java +++ b/services/console-proxy-rdp/rdpconsole/src/main/java/streamer/SocketWrapperImpl.java 
@@ -16,9 +16,18 @@ // under the License. package streamer; -import static streamer.debug.MockServer.Packet.PacketType.CLIENT; -import static streamer.debug.MockServer.Packet.PacketType.SERVER; +import org.apache.cloudstack.utils.security.SSLUtils; +import org.apache.cloudstack.utils.security.SecureSSLSocketFactory; +import streamer.debug.MockServer; +import streamer.debug.MockServer.Packet; +import streamer.ssl.SSLState; +import streamer.ssl.TrustAllX509TrustManager; +import javax.net.SocketFactory; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocket; +import javax.net.ssl.SSLSocketFactory; +import javax.net.ssl.TrustManager; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; @@ -26,18 +35,8 @@ import java.net.InetSocketAddress; import java.net.Socket; import java.util.HashMap; -import javax.net.SocketFactory; -import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLSocket; -import javax.net.ssl.SSLSocketFactory; -import javax.net.ssl.TrustManager; - -import org.apache.cloudstack.utils.security.SSLUtils; - -import streamer.debug.MockServer; -import streamer.debug.MockServer.Packet; -import streamer.ssl.SSLState; -import streamer.ssl.TrustAllX509TrustManager; +import static streamer.debug.MockServer.Packet.PacketType.CLIENT; +import static streamer.debug.MockServer.Packet.PacketType.SERVER; public class SocketWrapperImpl extends PipelineImpl implements SocketWrapper { 
@@ -137,7 +136,7 @@ public class SocketWrapperImpl extends PipelineImpl implements SocketWrapper { // Trust all certificates (FIXME: insecure) sslContext.init(null, new TrustManager[] {new TrustAllX509TrustManager(sslState)}, null); - SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory(); + SSLSocketFactory sslSocketFactory = new SecureSSLSocketFactory(sslContext); sslSocket = (SSLSocket)sslSocketFactory.createSocket(socket, address.getHostName(), address.getPort(), true); sslSocket.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslSocket.getEnabledProtocols())); diff --git a/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java b/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java index 8f78fb34570..21b62414178 100644 --- a/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java +++ b/services/console-proxy/server/src/com/cloud/consoleproxy/util/RawHTTP.java @@ -17,7 +17,13 @@ package com.cloud.consoleproxy.util; import org.apache.cloudstack.utils.security.SSLUtils; +import org.apache.cloudstack.utils.security.SecureSSLSocketFactory; +import javax.net.SocketFactory; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocket; +import javax.net.ssl.TrustManager; +import javax.net.ssl.X509TrustManager; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; @@ -32,12 +38,6 @@ import java.util.Map; import java.util.regex.Matcher; import java.util.regex.Pattern; -import javax.net.SocketFactory; -import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLSocket; -import javax.net.ssl.TrustManager; -import javax.net.ssl.X509TrustManager; - // // This file is originally from XenConsole with modifications // 
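Review bot: The explicit `sslSocket.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslSocket.getEnabledProtocols()))` two lines below the changed line is now redundant, because SecureSSLSocketFactory.createSocket(Socket, String, int, boolean) already applies that filter to the socket it returns; the same duplication is left in RawHTTP, where `ssl.setEnabledProtocols(...)` follows `factory.createSocket(host, port)`. Either drop the call at both sites or leave a one-line comment such as `// protocol filtering is already applied by SecureSSLSocketFactory; kept as belt-and-braces` so the next reader does not conclude the factory fails to do it. The `// Trust all certificates (FIXME: insecure)` context line is still accurate after this change — the wrapper narrows protocols, it does not touch the trust manager — so the FIXME should stay. The enclosing method starts and ends outside the hunk.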
@@ -151,7 +151,7 @@ public final class RawHTTP { SSLSocket ssl = null; try { context.init(null, trustAllCerts, new SecureRandom()); - SocketFactory factory = context.getSocketFactory(); + SocketFactory factory = new SecureSSLSocketFactory(context); ssl = (SSLSocket)factory.createSocket(host, port); ssl.setEnabledProtocols(SSLUtils.getSupportedProtocols(ssl.getEnabledProtocols())); /* ssl.setSSLParameters(context.getDefaultSSLParameters()); */ @@ -160,6 +160,8 @@ public final class RawHTTP { throw e; } catch (KeyManagementException e) { s_logger.error("KeyManagementException: " + e.getMessage(), e); + } catch (NoSuchAlgorithmException e) { + s_logger.error("NoSuchAlgorithmException: " + e.getMessage(), e); } return ssl; } else { diff --git a/utils/src/com/cloud/utils/rest/RESTServiceConnector.java b/utils/src/com/cloud/utils/rest/RESTServiceConnector.java index cdacd1f5ff6..6ededcb9524 100644 --- a/utils/src/com/cloud/utils/rest/RESTServiceConnector.java +++ b/utils/src/com/cloud/utils/rest/RESTServiceConnector.java 
@@ -19,29 +19,13 @@ package com.cloud.utils.rest; -import java.io.IOException; -import java.io.UnsupportedEncodingException; -import java.lang.reflect.Type; -import java.net.InetAddress; -import java.net.InetSocketAddress; -import java.net.MalformedURLException; -import java.net.Socket; -import java.net.URL; -import java.net.UnknownHostException; -import java.security.KeyManagementException; -import java.security.NoSuchAlgorithmException; -import java.security.cert.X509Certificate; -import java.util.ArrayList; -import java.util.List; -import java.util.Map; -import java.util.Map.Entry; - -import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLSocket; -import javax.net.ssl.SSLSocketFactory; -import javax.net.ssl.TrustManager; -import javax.net.ssl.X509TrustManager; - +import com.google.gson.FieldNamingPolicy; +import com.google.gson.Gson; +import com.google.gson.GsonBuilder; +import com.google.gson.JsonDeserializer; +import com.google.gson.reflect.TypeToken; +import org.apache.cloudstack.utils.security.SSLUtils; +import org.apache.cloudstack.utils.security.SecureSSLSocketFactory; import org.apache.commons.httpclient.ConnectTimeoutException; import org.apache.commons.httpclient.HttpClient; import org.apache.commons.httpclient.HttpException; 
@@ -62,13 +46,27 @@ import org.apache.commons.httpclient.protocol.ProtocolSocketFactory; import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory; import org.apache.log4j.Logger; -import org.apache.cloudstack.utils.security.SSLUtils; - -import com.google.gson.FieldNamingPolicy; -import com.google.gson.Gson; -import com.google.gson.GsonBuilder; -import com.google.gson.JsonDeserializer; -import com.google.gson.reflect.TypeToken; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocket; +import javax.net.ssl.SSLSocketFactory; +import javax.net.ssl.TrustManager; +import javax.net.ssl.X509TrustManager; +import java.io.IOException; +import java.io.UnsupportedEncodingException; +import java.lang.reflect.Type; +import java.net.InetAddress; +import java.net.InetSocketAddress; +import java.net.MalformedURLException; +import java.net.Socket; +import java.net.URL; +import java.net.UnknownHostException; +import java.security.KeyManagementException; +import java.security.NoSuchAlgorithmException; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.List; +import java.util.Map; +import java.util.Map.Entry; /** * This abstraction encapsulates client side code for REST service communication. It encapsulates @@ -339,7 +337,7 @@ public class RESTServiceConnector { // Install the all-trusting trust manager final SSLContext sc = SSLUtils.getSSLContext(); sc.init(null, trustAllCerts, new java.security.SecureRandom()); - ssf = sc.getSocketFactory(); + ssf = new SecureSSLSocketFactory(sc); } catch (final KeyManagementException e) { throw new IOException(e); } catch (final NoSuchAlgorithmException e) { diff --git a/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java b/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java index 3de4c50c7bf..5ea89b1eb11 100644 --- a/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java +++ b/utils/src/org/apache/cloudstack/utils/security/SSLUtils.java 
@@ -24,6 +24,7 @@ import org.apache.log4j.Logger;
 import javax.net.ssl.SSLContext;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
+import java.util.Arrays;
 import java.util.HashSet;
 import java.util.Set;
@@ -41,6 +42,12 @@ public class SSLUtils {
 return (String[]) set.toArray(new String[set.size()]);
 }
+ public static String[] getSupportedCiphers() throws NoSuchAlgorithmException {
+ String[] availableCiphers = getSSLContext().getSocketFactory().getSupportedCipherSuites();
+ Arrays.sort(availableCiphers);
+ return availableCiphers;
+ }
+
 public static SSLContext getSSLContext() throws NoSuchAlgorithmException {
 return SSLContext.getInstance("TLSv1");
 }
diff --git a/utils/src/org/apache/cloudstack/utils/security/SecureSSLSocketFactory.java b/utils/src/org/apache/cloudstack/utils/security/SecureSSLSocketFactory.java
new file mode 100644
index 00000000000..fa9d492d8d1
--- /dev/null
+++ b/utils/src/org/apache/cloudstack/utils/security/SecureSSLSocketFactory.java
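Review bot: `getSupportedCiphers()` calls `getSocketFactory()` on the context returned by `getSSLContext()`, which is `SSLContext.getInstance("TLSv1")` with no `init()` call; as far as I recall, SunJSSE's engineGetSocketFactory() rejects an uninitialised context with IllegalStateException, which is not the NoSuchAlgorithmException the signature advertises, so the method would fail on every call rather than return a list. Reading the list from the provider's default context avoids that: `String[] availableCiphers = SSLContext.getDefault().getSocketFactory().getSupportedCipherSuites();`. The name also over-promises — the supported list is every suite the provider can negotiate, not a hardened allow-list — so a Javadoc line such as `/** All suites the provider can negotiate, sorted; not a hardened allow-list. */` would keep callers from treating it as one.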
@@ -0,0 +1,124 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package org.apache.cloudstack.utils.security;
+
+import org.apache.log4j.Logger;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.net.UnknownHostException;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+
+public class SecureSSLSocketFactory extends SSLSocketFactory {
+
+ public static final Logger s_logger = Logger.getLogger(SecureSSLSocketFactory.class);
+ private SSLContext _sslContext;
+
+ public SecureSSLSocketFactory() throws NoSuchAlgorithmException {
+ _sslContext = SSLUtils.getSSLContext();
+ }
+
+ public SecureSSLSocketFactory(SSLContext sslContext) throws NoSuchAlgorithmException {
+ if (sslContext != null) {
+ _sslContext = sslContext;
+ } else {
+ _sslContext = SSLUtils.getSSLContext();
+ }
+ }
+
+ public SecureSSLSocketFactory(KeyManager[] km, TrustManager[] tm, SecureRandom random) throws NoSuchAlgorithmException, KeyManagementException, IOException {
+ _sslContext = SSLUtils.getSSLContext();
+ _sslContext.init(km, tm, random);
+ }
+
+ @Override
+ public String[] getDefaultCipherSuites() {
+ return getSupportedCipherSuites();
+ }
+
+ @Override
+ public String[] getSupportedCipherSuites() {
+ String[] ciphers = null;
+ try {
+ ciphers = SSLUtils.getSupportedCiphers();
+ } catch (NoSuchAlgorithmException e) {
+ s_logger.error("SecureSSLSocketFactory::getDefaultCipherSuites found no cipher suites");
+ }
+ return ciphers;
+ }
+
+ @Override
+ public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
+ SSLSocketFactory factory = _sslContext.getSocketFactory();
+ Socket socket = factory.createSocket(s, host, port, autoClose);
+ if (socket instanceof SSLSocket) {
+ ((SSLSocket)socket).setEnabledProtocols(SSLUtils.getSupportedProtocols(((SSLSocket)socket).getEnabledProtocols()));
+ }
+ return socket;
+ }
+
+ @Override
+ public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
+ SSLSocketFactory factory = _sslContext.getSocketFactory();
+ Socket socket = factory.createSocket(host, port);
+ if (socket instanceof SSLSocket) {
+ ((SSLSocket)socket).setEnabledProtocols(SSLUtils.getSupportedProtocols(((SSLSocket)socket).getEnabledProtocols()));
+ }
+ return socket;
+ }
+
+ @Override
+ public Socket createSocket(String host, int port, InetAddress inetAddress, int localPort) throws IOException, UnknownHostException {
+ SSLSocketFactory factory = _sslContext.getSocketFactory();
+ Socket socket = factory.createSocket(host, port, inetAddress, localPort);
+ if (socket instanceof SSLSocket) {
+ ((SSLSocket)socket).setEnabledProtocols(SSLUtils.getSupportedProtocols(((SSLSocket)socket).getEnabledProtocols()));
+ }
+ return socket;
+ }
+
+ @Override
+ public Socket createSocket(InetAddress inetAddress, int localPort) throws IOException {
+ SSLSocketFactory factory = _sslContext.getSocketFactory();
+ Socket socket = factory.createSocket(inetAddress, localPort);
+ if (socket instanceof SSLSocket) {
+ ((SSLSocket)socket).setEnabledProtocols(SSLUtils.getSupportedProtocols(((SSLSocket)socket).getEnabledProtocols()));
+ }
+ return socket;
+ }
+
+ @Override
+ public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
+ SSLSocketFactory factory = this._sslContext.getSocketFactory();
+ Socket socket = factory.createSocket(address, port, localAddress, localPort);
+ if (socket instanceof SSLSocket) {
+ ((SSLSocket)socket).setEnabledProtocols(SSLUtils.getSupportedProtocols(((SSLSocket)socket).getEnabledProtocols()));
+ }
+ return socket;
+ }
+}
\ No newline at end of file
diff --git a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java
index cc657a64185..f3f7e0c93fa 100644
--- a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java
+++ b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareClient.java
@@ -16,24 +16,6 @@
 // under the License.
 package com.cloud.hypervisor.vmware.util;
-import java.lang.reflect.Method;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-import java.util.Map;
-import java.util.StringTokenizer;
-
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.SSLSession;
-import javax.xml.ws.BindingProvider;
-import javax.xml.ws.WebServiceException;
-import javax.xml.ws.handler.MessageContext;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.utils.security.SSLUtils;
-
 import com.vmware.vim25.DynamicProperty;
 import com.vmware.vim25.InvalidCollectorVersionFaultMsg;
 import com.vmware.vim25.InvalidPropertyFaultMsg;
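Review bot: `getSupportedCipherSuites()` returns null when `SSLUtils.getSupportedCiphers()` throws, which breaks the SSLSocketFactory contract and will NPE in any caller that iterates the result, and `getDefaultCipherSuites()` hands back the entire supported list instead of the provider's default-enabled subset — so a class named Secure advertises weaker suites than the wrapped `_sslContext.getSocketFactory()` will ever enable, while none of the `createSocket` overrides narrow the enabled suites to match. Delegating both to the wrapped factory keeps the contract and the provider defaults: `return _sslContext.getSocketFactory().getDefaultCipherSuites();` and `return _sslContext.getSocketFactory().getSupportedCipherSuites();` (this also removes the catch whose log message names the wrong method). A second regression against the previous `sc.getSocketFactory()`: the no-argument `createSocket()` is not overridden, so it falls through to `SocketFactory.createSocket()`, which throws SocketException for unconnected sockets, and any consumer of the factory installed via `HttpsURLConnection.setDefaultSSLSocketFactory` that creates an unconnected socket and connects it later loses that path. The five copies of the enable-protocols block can become one private helper, and `_sslContext` can be `final`; the rewritten parts:
```java
    // … unchanged: licence header, package, imports, constructors …

    @Override
    public String[] getDefaultCipherSuites() {
        // The provider's default-enabled subset, not every suite it can negotiate.
        return _sslContext.getSocketFactory().getDefaultCipherSuites();
    }

    @Override
    public String[] getSupportedCipherSuites() {
        return _sslContext.getSocketFactory().getSupportedCipherSuites();
    }

    // Unconnected socket, as the JDK factory provides; the caller connect()s it later.
    @Override
    public Socket createSocket() throws IOException {
        return restrictProtocols(_sslContext.getSocketFactory().createSocket());
    }

    @Override
    public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return restrictProtocols(_sslContext.getSocketFactory().createSocket(s, host, port, autoClose));
    }

    // … unchanged in shape: the four remaining createSocket overloads, each reduced to the same one-line delegation …

    // Enables only the protocols SSLUtils permits; shared by every createSocket overload.
    private static Socket restrictProtocols(Socket socket) {
        if (socket instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket)socket;
            ssl.setEnabledProtocols(SSLUtils.getSupportedProtocols(ssl.getEnabledProtocols()));
        }
        return socket;
    }
```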
@@ -56,6 +38,22 @@ import com.vmware.vim25.TraversalSpec; import com.vmware.vim25.UpdateSet; import com.vmware.vim25.VimPortType; import com.vmware.vim25.VimService; +import org.apache.cloudstack.utils.security.SSLUtils; +import org.apache.cloudstack.utils.security.SecureSSLSocketFactory; +import org.apache.log4j.Logger; + +import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.HttpsURLConnection; +import javax.net.ssl.SSLSession; +import javax.xml.ws.BindingProvider; +import javax.xml.ws.WebServiceException; +import javax.xml.ws.handler.MessageContext; +import java.lang.reflect.Method; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; +import java.util.Map; +import java.util.StringTokenizer; /** * A wrapper class to handle Vmware vsphere connection and disconnection. @@ -109,7 +107,7 @@ public class VmwareClient { javax.net.ssl.SSLSessionContext sslsc = sc.getServerSessionContext(); sslsc.setSessionTimeout(0); sc.init(null, trustAllCerts, null); - javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); + javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(new SecureSSLSocketFactory(sc)); } private final ManagedObjectReference svcInstRef = new ManagedObjectReference(); diff --git a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java index cb0c4d7d6e2..bec4b37936b 100644 --- a/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java +++ b/vmware-base/src/com/cloud/hypervisor/vmware/util/VmwareContext.java 
@@ -16,6 +16,26 @@ // under the License. package com.cloud.hypervisor.vmware.util; +import com.cloud.hypervisor.vmware.mo.DatacenterMO; +import com.cloud.hypervisor.vmware.mo.DatastoreFile; +import com.cloud.utils.ActionDelegate; +import com.vmware.vim25.ManagedObjectReference; +import com.vmware.vim25.ObjectContent; +import com.vmware.vim25.ObjectSpec; +import com.vmware.vim25.PropertyFilterSpec; +import com.vmware.vim25.PropertySpec; +import com.vmware.vim25.ServiceContent; +import com.vmware.vim25.TaskInfo; +import com.vmware.vim25.TraversalSpec; +import com.vmware.vim25.VimPortType; +import org.apache.cloudstack.utils.security.SSLUtils; +import org.apache.cloudstack.utils.security.SecureSSLSocketFactory; +import org.apache.log4j.Logger; + +import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.HttpsURLConnection; +import javax.net.ssl.SSLSession; +import javax.xml.ws.soap.SOAPFaultException; import java.io.BufferedInputStream; import java.io.BufferedOutputStream; import java.io.BufferedReader; @@ -35,28 +55,6 @@ import java.util.HashMap; import java.util.List; import java.util.Map; -import javax.net.ssl.HostnameVerifier; -import javax.net.ssl.HttpsURLConnection; -import javax.net.ssl.SSLSession; -import javax.xml.ws.soap.SOAPFaultException; - -import org.apache.log4j.Logger; -import org.apache.cloudstack.utils.security.SSLUtils; - -import com.vmware.vim25.ManagedObjectReference; -import com.vmware.vim25.ObjectContent; -import com.vmware.vim25.ObjectSpec; -import com.vmware.vim25.PropertyFilterSpec; -import com.vmware.vim25.PropertySpec; -import com.vmware.vim25.ServiceContent; -import com.vmware.vim25.TaskInfo; -import com.vmware.vim25.TraversalSpec; -import com.vmware.vim25.VimPortType; - -import com.cloud.hypervisor.vmware.mo.DatacenterMO; -import com.cloud.hypervisor.vmware.mo.DatastoreFile; -import com.cloud.utils.ActionDelegate; - public class VmwareContext { private static final Logger s_logger = Logger.getLogger(VmwareContext.class); 
@@ -82,7 +80,7 @@ public class VmwareContext { trustAllCerts[0] = tm; javax.net.ssl.SSLContext sc = SSLUtils.getSSLContext(); sc.init(null, trustAllCerts, null); - javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); + javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(new SecureSSLSocketFactory(sc)); HostnameVerifier hv = new HostnameVerifier() { @Override