hbase-server/src/main/java/org/apache/hadoop/hbase/SslRMIServerSocketFactorySecure.java

   1 /**
   2  * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
   3  * agreements. See the NOTICE file distributed with this work for additional information regarding
   4  * copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the
   5  * "License"); you may not use this file except in compliance with the License. You may obtain a
   6  * copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable
   7  * law or agreed to in writing, software distributed under the License is distributed on an "AS IS"
   8  * BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License
   9  * for the specific language governing permissions and limitations under the License.
  10  */
  11 package org.apache.hadoop.hbase;
  12
  13 import java.io.IOException;
  14 import java.net.ServerSocket;
  15 import java.net.Socket;
  16 import java.util.ArrayList;
  17 import javax.net.ssl.SSLSocket;
  18 import javax.net.ssl.SSLSocketFactory;
  19 import javax.rmi.ssl.SslRMIServerSocketFactory;
  20 import org.apache.yetus.audience.InterfaceAudience;
  21
  22 /**
  23  * Avoid SSL V3.0 "Poodle" Vulnerability - CVE-2014-3566
  24  */
  25 @InterfaceAudience.Private
  26 public class SslRMIServerSocketFactorySecure extends SslRMIServerSocketFactory {
  27   // If you add more constructors, you may have to change the rest of this implementation,
  28   // which assumes an empty constructor, i.e. there are no specially enabled protocols or
  29   // cipher suites on this RMI factory nor a provided SSLContext
  30   public SslRMIServerSocketFactorySecure() {
  31     super();
  32   }
  33
  34   @Override
  35   public ServerSocket createServerSocket(int port) throws IOException {
  36     return new ServerSocket(port) {
  37       @Override
  38       public Socket accept() throws IOException {
  39         Socket socket = super.accept();
  40         SSLSocketFactory sslSocketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
  41         SSLSocket sslSocket =
  42             (SSLSocket) sslSocketFactory.createSocket(socket,
  43               socket.getInetAddress().getHostName(), socket.getPort(), true);
  44         sslSocket.setUseClientMode(false);
  45         sslSocket.setNeedClientAuth(false);
  46
  47         ArrayList<String> secureProtocols = new ArrayList<>();
  48         for (String p : sslSocket.getEnabledProtocols()) {
  49           if (!p.contains("SSLv3")) {
  50             secureProtocols.add(p);
  51           }
  52         }
  53         sslSocket.setEnabledProtocols(secureProtocols.toArray(new String[secureProtocols.size()]));
  54
  55         return sslSocket;
  56       }
  57     };
  58   }
  59 }