diff options
Diffstat (limited to 'org.eclipse.jgit/src/org/eclipse/jgit')
4 files changed, 214 insertions, 3 deletions
diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/internal/JGitText.java b/org.eclipse.jgit/src/org/eclipse/jgit/internal/JGitText.java index e8ee8b4050..5735060948 100644 --- a/org.eclipse.jgit/src/org/eclipse/jgit/internal/JGitText.java +++ b/org.eclipse.jgit/src/org/eclipse/jgit/internal/JGitText.java @@ -343,6 +343,7 @@ public class JGitText extends TranslationBundle { /***/ public String expectedReportForRefNotReceived; /***/ public String failedAtomicFileCreation; /***/ public String failedCreateLockFile; + /***/ public String failedReadHttpsProtocols; /***/ public String failedToDetermineFilterDefinition; /***/ public String failedToConvert; /***/ public String failedUpdatingRefs; diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/transport/http/JDKHttpConnection.java b/org.eclipse.jgit/src/org/eclipse/jgit/transport/http/JDKHttpConnection.java index 734b549294..fa8742fd29 100644 --- a/org.eclipse.jgit/src/org/eclipse/jgit/transport/http/JDKHttpConnection.java +++ b/org.eclipse.jgit/src/org/eclipse/jgit/transport/http/JDKHttpConnection.java @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Christian Halstrick <christian.halstrick@sap.com> + * Copyright (C) 2013, 2020 Christian Halstrick <christian.halstrick@sap.com> * and other copyright owners as documented in the project's IP log. * * This program and the accompanying materials are made available @@ -61,9 +61,12 @@ import javax.net.ssl.HostnameVerifier; import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.KeyManager; import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocket; import javax.net.ssl.TrustManager; import org.eclipse.jgit.annotations.NonNull; +import org.eclipse.jgit.transport.internal.DelegatingSSLSocketFactory; +import org.eclipse.jgit.util.HttpSupport; /** * A {@link org.eclipse.jgit.transport.http.HttpConnection} which simply * delegates every call to a {@link java.net.HttpURLConnection}. This is the @@ -265,7 +268,15 @@ public class JDKHttpConnection implements HttpConnection { KeyManagementException { SSLContext ctx = SSLContext.getInstance("TLS"); //$NON-NLS-1$ ctx.init(km, tm, random); - ((HttpsURLConnection) wrappedUrlConnection).setSSLSocketFactory(ctx - .getSocketFactory()); + ((HttpsURLConnection) wrappedUrlConnection).setSSLSocketFactory( + new DelegatingSSLSocketFactory(ctx.getSocketFactory()) { + + @Override + protected void configure(SSLSocket socket) + throws IOException { + HttpSupport.configureTLS(socket); + } + }); } + } diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/transport/internal/DelegatingSSLSocketFactory.java b/org.eclipse.jgit/src/org/eclipse/jgit/transport/internal/DelegatingSSLSocketFactory.java new file mode 100644 index 0000000000..d25ecd459d --- /dev/null +++ b/org.eclipse.jgit/src/org/eclipse/jgit/transport/internal/DelegatingSSLSocketFactory.java @@ -0,0 +1,101 @@ +/* + * Copyright (c) 2020 Thomas Wolf <thomas.wolf@paranor.ch> + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Distribution License v. 1.0 which is available at + * https://www.eclipse.org/org/documents/edl-v10.php. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +package org.eclipse.jgit.transport.internal; + +import java.io.IOException; +import java.net.InetAddress; +import java.net.Socket; + +import javax.net.ssl.SSLSocket; +import javax.net.ssl.SSLSocketFactory; + +/** + * An {@link SSLSocketFactory} that delegates to another factory and allows + * configuring the created socket via {@link #configure(SSLSocket)} before it is + * returned. + */ +public abstract class DelegatingSSLSocketFactory extends SSLSocketFactory { + + private final SSLSocketFactory delegate; + + /** + * Creates a new {@link DelegatingSSLSocketFactory} based on the given + * delegate. + * + * @param delegate + * {@link SSLSocketFactory} to delegate to + */ + public DelegatingSSLSocketFactory(SSLSocketFactory delegate) { + this.delegate = delegate; + } + + @Override + public SSLSocket createSocket() throws IOException { + return prepare(delegate.createSocket()); + } + + @Override + public SSLSocket createSocket(String host, int port) throws IOException { + return prepare(delegate.createSocket(host, port)); + } + + @Override + public SSLSocket createSocket(String host, int port, + InetAddress localAddress, int localPort) throws IOException { + return prepare( + delegate.createSocket(host, port, localAddress, localPort)); + } + + @Override + public SSLSocket createSocket(InetAddress host, int port) + throws IOException { + return prepare(delegate.createSocket(host, port)); + } + + @Override + public SSLSocket createSocket(InetAddress host, int port, + InetAddress localAddress, int localPort) throws IOException { + return prepare( + delegate.createSocket(host, port, localAddress, localPort)); + } + + @Override + public SSLSocket createSocket(Socket socket, String host, int port, + boolean autoClose) throws IOException { + return prepare(delegate.createSocket(socket, host, port, autoClose)); + } + + @Override + public String[] getDefaultCipherSuites() { + return delegate.getDefaultCipherSuites(); + } + + @Override + public String[] getSupportedCipherSuites() { + return delegate.getSupportedCipherSuites(); + } + + private SSLSocket prepare(Socket socket) throws IOException { + SSLSocket sslSocket = (SSLSocket) socket; + configure(sslSocket); + return sslSocket; + } + + /** + * Configure the newly created socket. + * + * @param socket + * to configure + * @throws IOException + * if the socket cannot be configured + */ + protected abstract void configure(SSLSocket socket) throws IOException; + +} diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/util/HttpSupport.java b/org.eclipse.jgit/src/org/eclipse/jgit/util/HttpSupport.java index d897255062..9be04143b1 100644 --- a/org.eclipse.jgit/src/org/eclipse/jgit/util/HttpSupport.java +++ b/org.eclipse.jgit/src/org/eclipse/jgit/util/HttpSupport.java @@ -59,19 +59,29 @@ import java.security.KeyManagementException; import java.security.NoSuchAlgorithmException; import java.security.cert.X509Certificate; import java.text.MessageFormat; +import java.util.Arrays; +import java.util.Collections; +import java.util.LinkedHashSet; +import java.util.Set; import javax.net.ssl.HostnameVerifier; import javax.net.ssl.SSLSession; +import javax.net.ssl.SSLSocket; import javax.net.ssl.TrustManager; import javax.net.ssl.X509TrustManager; import org.eclipse.jgit.internal.JGitText; import org.eclipse.jgit.transport.http.HttpConnection; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** * Extra utilities to support usage of HTTP. */ public class HttpSupport { + private final static Logger LOG = LoggerFactory + .getLogger(HttpSupport.class); + /** The {@code GET} HTTP method. */ public static final String METHOD_GET = "GET"; //$NON-NLS-1$ @@ -191,6 +201,8 @@ public class HttpSupport { */ public static final String HDR_SET_COOKIE2 = "Set-Cookie2"; //$NON-NLS-1$ + private static Set<String> configuredHttpsProtocols; + /** * URL encode a value string into an output buffer. * @@ -359,6 +371,92 @@ public class HttpSupport { } } + /** + * Enables all supported TLS protocol versions on the socket given. If + * system property "https.protocols" is set, only protocols specified there + * are enabled. + * <p> + * This is primarily a mechanism to deal with using TLS on IBM JDK. IBM JDK + * returns sockets that support all TLS protocol versions but have only the + * one specified in the context enabled. Oracle or OpenJDK return sockets + * that have all available protocols enabled already, up to the one + * specified. + * <p> + * <table> + * <tr> + * <td>SSLContext.getInstance()</td> + * <td>OpenJDK</td> + * <td>IDM JDK</td> + * </tr> + * <tr> + * <td>"TLS"</td> + * <td>Supported: TLSv1, TLSV1.1, TLSv1.2 (+ TLSv1.3)<br /> + * Enabled: TLSv1, TLSV1.1, TLSv1.2 (+ TLSv1.3)</td> + * <td>Supported: TLSv1, TLSV1.1, TLSv1.2<br /> + * Enabled: TLSv1</td> + * </tr> + * <tr> + * <td>"TLSv1.2"</td> + * <td>Supported: TLSv1, TLSV1.1, TLSv1.2<br /> + * Enabled: TLSv1, TLSV1.1, TLSv1.2</td> + * <td>Supported: TLSv1, TLSV1.1, TLSv1.2<br /> + * Enabled: TLSv1.2</td> + * </tr> + * </table> + * + * @param socket + * to configure + * @see <a href= + * "https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/matchsslcontext_tls.html">Behavior + * of SSLContext.getInstance("TLS") on IBM JDK</a> + * @see <a href= + * "https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization">Customizing + * JSSE about https.protocols</a> + * @since 5.7 + */ + public static void configureTLS(SSLSocket socket) { + // 1. Enable all available TLS protocol versions + Set<String> enabled = new LinkedHashSet<>( + Arrays.asList(socket.getEnabledProtocols())); + for (String s : socket.getSupportedProtocols()) { + if (s.startsWith("TLS")) { //$NON-NLS-1$ + enabled.add(s); + } + } + // 2. Respect the https.protocols system property + Set<String> configured = getConfiguredProtocols(); + if (!configured.isEmpty()) { + enabled.retainAll(configured); + } + if (!enabled.isEmpty()) { + socket.setEnabledProtocols(enabled.toArray(new String[0])); + } + } + + private static Set<String> getConfiguredProtocols() { + Set<String> result = configuredHttpsProtocols; + if (result == null) { + String configured = getProperty("https.protocols"); //$NON-NLS-1$ + if (StringUtils.isEmptyOrNull(configured)) { + result = Collections.emptySet(); + } else { + result = new LinkedHashSet<>( + Arrays.asList(configured.split("\\s*,\\s*"))); //$NON-NLS-1$ + } + configuredHttpsProtocols = result; + } + return result; + } + + private static String getProperty(String property) { + try { + return SystemReader.getInstance().getProperty(property); + } catch (SecurityException e) { + LOG.warn(JGitText.get().failedReadHttpsProtocols, e); + return null; + } + } + private HttpSupport() { // Utility class only. } |