001: package com.sun.portal.rproxy.server;
002:
003: import java.io.IOException;
004: import java.net.InetAddress;
005: import java.net.ServerSocket;
006: import java.net.SocketException;
007: import java.net.UnknownHostException;
008: import java.util.ArrayList;
009: import java.util.List;
010: import java.util.logging.Level;
011: import java.util.logging.Logger;
012:
013: import org.mozilla.jss.ssl.SSLServerSocket;
014: import org.mozilla.jss.ssl.SSLSocket;
015:
016: import com.sun.portal.log.common.PortalLogger;
017: import com.sun.portal.rproxy.configservlet.client.GatewayProfile;
018: import com.sun.portal.rproxy.monitoring.MonitoringSubsystem;
019: import com.sun.portal.util.*;
020:
021: public class ServerSocketFactory {
022: // making constructor private so that nobody can create an instance.
023: private ServerSocketFactory() {
024: }
025:
026: public static ServerSocket createNormalServerSocket(int port) {
027:
028: try {
029: // String address = "127.0.0.1";
030:
031: String address = SystemProperties
032: .get("gateway.bindipaddress");
033: ServerSocket serverSocket = null;
034: if (address == null)
035: serverSocket = new ServerSocket(port);
036: else
037: serverSocket = new ServerSocket(port, 50, InetAddress
038: .getByName(address));
039:
040: MonitoringSubsystem
041: .handleEvent(SRAEvent.SERVER_SOCKET_CREATED);
042: return serverSocket;
043: } catch (IOException ex) {
044: // logger.log(Level.SEVERE, "FATAL: Not able to create Http Server
045: // Socket:" + port, ex);
046: Object[] params0 = { port + "", ex };
047: logger.log(Level.SEVERE, "PSSRRPROXY_CSPRS001", params0);
048: return null;
049: }
050: }
051:
052: // /////////////////////////////////////////////////////////////////////
053:
054: private static final String HTTPPROXY_PORT = "HTTPProxyPort";
055:
056: private static final int HTTPPROXY_DEFAULT_PORT = 10443;
057:
058: private static boolean allow40bitBrowser;
059:
060: /*
061: * Bug 4467976 The customer does not want to be able to connect to the
062: * gateway using SSLv2.0.
063: */
064: private static boolean enableSSLV2 = true;
065:
066: // end of code change for Bug 4467976
067:
068: /*
069: * Bug 4777917 Option to enable/disable SSL v3 & null ciphers
070: */
071: private static boolean enableSSLV3 = true;
072:
073: private static boolean disableNullCiphers = false;
074:
075: // end of code change for Bug 4467976
076:
077: /*
078: * Certificate Administration PRD - 3.9, The portal administrator should be
079: * able to select which of the SSL encryption algorithms (ciphers) will be
080: * supported by each gateway.
081: */
082: private static boolean individualCipherSelectionMode;
083:
084: private static List enabledSSL2CipherList = null;
085:
086: private static List enabledSSL3CipherList = null;
087:
088: private static List enabledTLSCipherList = null;
089:
090: // private static Logger logger =
091: // Logger.getLogger("com.sun.portal.sra.rproxy");
092: private static Logger logger = PortalLogger
093: .getLogger(ServerSocketFactory.class);
094:
095: static {
096: String tmpstr = GatewayProfile.getString(
097: "Allow40BitConnections", "true");
098: allow40bitBrowser = tmpstr.equals("true");
099:
100: tmpstr = GatewayProfile.getString("EnableSSLv2", "true");
101: enableSSLV2 = tmpstr.equals("true");
102:
103: tmpstr = GatewayProfile.getString("EnableSSLv3", "true");
104: enableSSLV3 = tmpstr.equals("true");
105:
106: tmpstr = GatewayProfile.getString("DisableNull", "false");
107: disableNullCiphers = tmpstr.equals("true");
108:
109: tmpstr = GatewayProfile.getString(
110: "EnableIndividualCipherSelectionMode", "false");
111: individualCipherSelectionMode = tmpstr.equals("true");
112:
113: if (individualCipherSelectionMode) {
114: enabledSSL2CipherList = GatewayProfile
115: .getStringList("EnabledSSL2CipherList");
116: enabledSSL3CipherList = GatewayProfile
117: .getStringList("EnabledSSL3CipherList");
118: enabledTLSCipherList = GatewayProfile
119: .getStringList("EnabledTLSCipherList");
120: }
121:
122: }
123:
124: public static ServerSocket createSSLSocketServer(int port)
125: throws SocketException {
126:
127: SSLServerSocket.configServerSessionIDCache(15000, 86400, 86400,
128: null);
129: certificationAdministration();
130:
131: SSLServerSocket sock = null;
132: int qlen = GatewayProfile.getInt("EProxyConnectionQueue", 50);
133: String _address = SystemProperties.get("gateway.bindipaddress");
134:
135: /* JSS3.1.1 change - begin */
136: try {
137:
138: /*
139: * if (ServiceIdentifier.isGateway()) { // RProxy seperation
140: *
141: * if (onlyRProxy) { rProxyPort =
142: * GatewayProfile.getInt("EProxyHTTPSPort", 443); //
143: * logger.info("HTTPSConnectionManager: port number = " +
144: * rProxyPort); Object[] params1 = { rProxyPort}; logger.log(
145: * Level.INFO , "PSSRRPROXY_CSPRS002" , params1 ); } if (_address ==
146: * null) sock = new SSLServerSocket(rProxyPort, qlen); else sock =
147: * new SSLServerSocket(rProxyPort, qlen,
148: * InetAddress.getByName(_address)); } else { sock = new
149: * SSLServerSocket(0, qlen); rProxyPort = sock.getLocalPort(); //
150: * logger.info("HTTPSConnectionManager: port number = " +
151: * rProxyPort); Object[] params2 = { rProxyPort}; logger.log(
152: * Level.INFO , "PSSRRPROXY_CSPRS003" , params2 ); } // EOC : RProxy
153: * seperation } else { sock = new SSLServerSocket(_httpproxyport,
154: * qlen, InetAddress.getByName(_address)); }
155: *
156: */
157: if (_address == null) {
158: _address = "127.0.0.1";
159: }
160: sock = new SSLServerSocket(port, qlen, InetAddress
161: .getByName(_address));
162:
163: // logger.info("ServerSocketFactory:createSSLSocketServer nickname =
164: // " +
165: logger
166: .info("ServerSocketFactory:createSSLSocketServer nickname = "
167: + GWNSSInit.nickname);
168:
169: sock.setServerCertNickname(GWNSSInit.nickname);
170: MonitoringSubsystem
171: .handleEvent(SRAEvent.SERVER_SOCKET_CREATED);
172: } catch (UnknownHostException ue) {
173: // logger.log(Level.SEVERE,
174: // "ServerSocketFactory:createSSLSocketServer localhost unknown
175: // host", ue);
176: logger.log(Level.SEVERE, "PSSRRPROXY_CSPRS005");
177: sock = null;
178: } catch (IOException e) {
179: // logger.log(Level.SEVERE,
180: // "ServerSocketFactory:createSSLSocketServer cannot create server
181: // socket", e);
182: logger.log(Level.SEVERE, "PSSRRPROXY_CSPRS006");
183: sock = null;
184: }
185: /* JSS3.1.1 change - end */
186:
187: String rphost = SystemProperties.get("gateway.host", null);
188: List certSet = toLowerCase(GatewayProfile
189: .getStringList("CertificateEnabledList"));
190:
191: boolean doingPDC = certSet.contains(rphost.toLowerCase())
192: && ServiceIdentifier.isGateway();
193:
194: if (doingPDC) {
195: // logger.info("Doing PDC");
196: logger.info("PSSRRPROXY_CSPRS007");
197: /* JSS3.1.1 change - begin */
198: try {
199: sock.requestClientAuth(true);
200: // sock.setNeedClientAuth(true);
201: } catch (java.net.SocketException se) {
202: // logger.severe("Unable to request client authentication");
203: logger.severe("PSSRRPROXY_CSPRS008");
204: }
205: /* JSS3.1.1 change - end */
206: }
207: return (sock);
208: }
209:
210: private static void certificationAdministration()
211: throws SocketException {
212: if (individualCipherSelectionMode) {
213: GWNSSInit.disableAllCiphers();
214:
215: enableCipherList(enabledSSL2CipherList);
216: enableCipherList(enabledSSL3CipherList);
217: enableCipherList(enabledTLSCipherList);
218:
219: } else {
220: if (!enableSSLV2) {
221: GWNSSInit
222: .disableCipher(GWNSSInit.cipherSuites128BitSSL2);
223: }
224:
225: if (!enableSSLV3) {
226: GWNSSInit
227: .disableCipher(GWNSSInit.cipherSuites128BitSSL3);
228: }
229:
230: if (disableNullCiphers || !allow40bitBrowser) {
231: GWNSSInit.disableCipher(GWNSSInit.cipherSuitesSSL3Null);
232: }
233:
234: if (!allow40bitBrowser) {
235: GWNSSInit
236: .disableCipher(GWNSSInit.cipherSuites40BitSSL2);
237: GWNSSInit
238: .disableCipher(GWNSSInit.cipherSuites40BitSSL3);
239: GWNSSInit
240: .disableCipher(GWNSSInit.cipherSuitesOthersSSL2);
241: GWNSSInit
242: .disableCipher(GWNSSInit.cipherSuitesOthersSSL3);
243: GWNSSInit
244: .disableCipher(GWNSSInit.cipherSuitesOthersTLS);
245: } else {
246: if (!enableSSLV2) {
247: GWNSSInit
248: .disableCipher(GWNSSInit.cipherSuites40BitSSL2);
249: GWNSSInit
250: .disableCipher(GWNSSInit.cipherSuitesOthersSSL2);
251: }
252: if (!enableSSLV3) {
253: GWNSSInit
254: .disableCipher(GWNSSInit.cipherSuites40BitSSL3);
255: GWNSSInit
256: .disableCipher(GWNSSInit.cipherSuitesOthersSSL3);
257: GWNSSInit
258: .disableCipher(GWNSSInit.cipherSuitesSSL3Null);
259: GWNSSInit
260: .disableCipher(GWNSSInit.cipherSuitesOthersTLS);
261: }
262:
263: }
264:
265: }
266: // End of code change for the Certificate Administration PRD - 3.9
267: }
268:
269: private static void enableCipherList(List list)
270: throws SocketException {
271: int size = list.size();
272: for (int i = 0; i < size; i++) {
273: enableCipher((String) list.get(i));
274: }
275: }
276:
277: private static void enableCipher(String cipher)
278: throws SocketException {
279: if ((!enableSSLV2)
280: && (cipher.toLowerCase().indexOf("ssl2") != -1)) {
281: return;
282: } else if ((!enableSSLV3)
283: && (cipher.toLowerCase().indexOf("ssl3") != -1)) {
284: return;
285: // }else if ((!enableSSLV3) &&
286: // (cipher.toLowerCase().indexOf("tls_rsa_export1024") != -1)) {
287: } else if ((!enableSSLV3)
288: && (cipher.toLowerCase().indexOf("ssl_rsa_fips") != -1)) {
289: return;
290: } else if ((disableNullCiphers)
291: && (cipher.toLowerCase().indexOf("null") != -1)) {
292: return;
293: }
294:
295: cipher = cipher.trim();
296: if ((!allow40bitBrowser)
297: && (cipher
298: .equalsIgnoreCase("SSL2_RC2_128_CBC_EXPORT40_WITH_MD5")
299: || cipher
300: .equalsIgnoreCase("SSL2_RC4_128_EXPORT40_WITH_MD5")
301: || cipher
302: .equalsIgnoreCase("SSL3_RSA_EXPORT_WITH_RC4_40_MD5")
303: || cipher
304: .equalsIgnoreCase("SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5")
305: || cipher
306: .equalsIgnoreCase("SSL2_DES_64_CBC_WITH_MD5")
307: || cipher
308: .equalsIgnoreCase("SSL3_RSA_WITH_DES_CBC_SHA")
309: || cipher
310: .equalsIgnoreCase("SSL3_RSA_WITH_NULL_MD5")
311: || cipher
312: .equalsIgnoreCase("TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA")
313: || cipher
314: .equalsIgnoreCase("TLS_RSA_EXPORT1024_WITH_RC4_56_SHA") || cipher
315: .equalsIgnoreCase("SSL_RSA_FIPS_WITH_DES_CBC_SHA")
316:
317: /*
318: * ||
319: * cipher.equalsIgnoreCase("TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA") ||
320: * cipher.equalsIgnoreCase("TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA")
321: */)) {
322: return;
323: }
324: if (cipher.equalsIgnoreCase("SSL2_RC2_128_CBC_WITH_MD5")) {
325: SSLSocket.setCipherPreferenceDefault(
326: SSLSocket.SSL2_RC2_128_CBC_WITH_MD5, true);
327: } else if (cipher
328: .equalsIgnoreCase("SSL2_DES_192_EDE3_CBC_WITH_MD5")) {
329: SSLSocket.setCipherPreferenceDefault(
330: SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5, true);
331: } else if (cipher.equalsIgnoreCase("SSL2_RC4_128_WITH_MD5")) {
332: SSLSocket.setCipherPreferenceDefault(
333: SSLSocket.SSL2_RC4_128_WITH_MD5, true);
334: } else if (cipher
335: .equalsIgnoreCase("SSL3_RSA_WITH_3DES_EDE_CBC_SHA")) {
336: SSLSocket.setCipherPreferenceDefault(
337: SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA, true);
338: } else if (cipher.equalsIgnoreCase("SSL3_RSA_WITH_RC4_128_MD5")) {
339: SSLSocket.setCipherPreferenceDefault(
340: SSLSocket.SSL3_RSA_WITH_RC4_128_MD5, true);
341: } else if (cipher.equalsIgnoreCase("SSL3_RSA_WITH_RC4_128_SHA")) {
342: SSLSocket.setCipherPreferenceDefault(
343: SSLSocket.SSL3_RSA_WITH_RC4_128_SHA, true);
344: } else if (cipher
345: .equalsIgnoreCase("SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA")) {
346: SSLSocket.setCipherPreferenceDefault(
347: SSLSocket.SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, true);
348: }
349:
350: /*
351: * else if(cipher.equalsIgnoreCase("TLS_DHE_DSS_WITH_RC4_128_SHA")){
352: * SSLSocket.setCipherPreference(SSLSocket.TLS_DHE_DSS_WITH_RC4_128_SHA,
353: * true); }
354: */
355: else if (cipher
356: .equalsIgnoreCase("SSL2_RC2_128_CBC_EXPORT40_WITH_MD5")) {
357: SSLSocket.setCipherPreferenceDefault(
358: SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5, true);
359: } else if (cipher
360: .equalsIgnoreCase("SSL2_RC4_128_EXPORT40_WITH_MD5")) {
361: SSLSocket.setCipherPreferenceDefault(
362: SSLSocket.SSL2_RC4_128_EXPORT40_WITH_MD5, true);
363: } else if (cipher
364: .equalsIgnoreCase("SSL3_RSA_EXPORT_WITH_RC4_40_MD5")) {
365: SSLSocket.setCipherPreferenceDefault(
366: SSLSocket.SSL3_RSA_EXPORT_WITH_RC4_40_MD5, true);
367: } else if (cipher
368: .equalsIgnoreCase("SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5")) {
369: SSLSocket
370: .setCipherPreferenceDefault(
371: SSLSocket.SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
372: true);
373: } else if (cipher.equalsIgnoreCase("SSL2_DES_64_CBC_WITH_MD5")) {
374: SSLSocket.setCipherPreferenceDefault(
375: SSLSocket.SSL2_DES_64_CBC_WITH_MD5, true);
376: } else if (cipher.equalsIgnoreCase("SSL3_RSA_WITH_DES_CBC_SHA")) {
377: SSLSocket.setCipherPreferenceDefault(
378: SSLSocket.SSL3_RSA_WITH_DES_CBC_SHA, true);
379: } else if (cipher.equalsIgnoreCase("SSL3_RSA_WITH_NULL_MD5")) {
380: SSLSocket.setCipherPreferenceDefault(
381: SSLSocket.SSL3_RSA_WITH_NULL_MD5, true);
382: } else if (cipher
383: .equalsIgnoreCase("TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA")) {
384: SSLSocket
385: .setCipherPreferenceDefault(
386: SSLSocket.TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
387: true);
388: } else if (cipher
389: .equalsIgnoreCase("TLS_RSA_EXPORT1024_WITH_RC4_56_SHA")) {
390: SSLSocket.setCipherPreferenceDefault(
391: SSLSocket.TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, true);
392: } else if (cipher
393: .equalsIgnoreCase("SSL_RSA_FIPS_WITH_DES_CBC_SHA")) {
394: SSLSocket.setCipherPreferenceDefault(
395: SSLSocket.SSL_RSA_FIPS_WITH_DES_CBC_SHA, true);
396: }
397: /*
398: * else if (cipher.equalsIgnoreCase("TLS_RSA_WITH_AES_128_CBC_SHA")) {
399: * SSLSocket.setCipherPreference(SSLSocket.TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
400: * true); } else if
401: * (cipher.equalsIgnoreCase("TLS_RSA_WITH_AES_256_CBC_SHA")) {
402: * SSLSocket.setCipherPreference(SSLSocket.TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
403: * true); }
404: */
405: /*
406: * else if
407: * (cipher.equalsIgnoreCase("TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA")) {
408: * SSLSocket.setCipherPreference(SSLSocket.TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
409: * true); } else if
410: * (cipher.equalsIgnoreCase("TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA")) {
411: * SSLSocket.setCipherPreference(SSLSocket.TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
412: * true); }
413: */
414: }
415:
416: private static List toLowerCase(List list) {
417: int size = list.size();
418: List ret = new ArrayList(size);
419: for (int i = 0; i < size; i++) {
420: String host = (String) list.get(i);
421: ret.add(host.toLowerCase());
422: }
423: return ret;
424: }
425:
426: // ////////////////////////////////////////////////////////////////////
427:
428: public static ServerSocket createSRAPServerSocket(int port) {
429:
430: int qlen = GatewayProfile.getInt("EProxyConnectionQueue", 50);
431: String _address = SystemProperties.get("gateway.bindipaddress");
432: if (_address == null) {
433: _address = "127.0.0.1";
434: }
435:
436: try {
437:
438: ServerSocket socket = new SRAPServerSocket(port, qlen,
439: InetAddress.getByName(_address));
440:
441: MonitoringSubsystem
442: .handleEvent(SRAEvent.SERVER_SOCKET_CREATED);
443: return socket;
444: } catch (IOException e) {
445: // logger.log(Level.SEVERE, "EProxyConnection cannot create server
446: // socket on " + port, e);
447: Object[] params8 = { port + "", e };
448: logger.log(Level.SEVERE, "PSSRRPROXY_CSPRS009", params8);
449: return null;
450: }
451:
452: }
453:
454: }
|