Console, I2CP, i2ptunnel, SSLEepGet: Set allowed SSL protocols and ciphers

2014-10-15 20:44:23 +00:00
parent 3bea7f5ad5
commit 83b3f242a9
7 changed files with 300 additions and 3 deletions
--- a/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/I2PTunnelClientBase.java
+++ b/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/I2PTunnelClientBase.java
@@ -24,6 +24,7 @@ import java.util.concurrent.TimeUnit;
 import java.util.concurrent.ThreadFactory;
 import java.util.concurrent.atomic.AtomicLong;

+import javax.net.ssl.SSLServerSocket;
 import javax.net.ssl.SSLServerSocketFactory;

 import net.i2p.I2PAppContext;
@@ -36,6 +37,7 @@ import net.i2p.client.streaming.I2PSocketOptions;
 import net.i2p.data.Destination;
 import net.i2p.util.EventDispatcher;
 import net.i2p.util.I2PAppThread;
+import net.i2p.util.I2PSSLSocketFactory;
 import net.i2p.util.Log;

 public abstract class I2PTunnelClientBase extends I2PTunnelTask implements Runnable {
@@ -622,6 +624,7 @@ public abstract class I2PTunnelClientBase extends I2PTunnelTask implements Runna
                }
                SSLServerSocketFactory fact = SSLClientUtil.initializeFactory(opts);
                ss = fact.createServerSocket(localPort, 0, addr);
+                I2PSSLSocketFactory.setProtocolsAndCiphers((SSLServerSocket) ss);
            } else {
                ss = new ServerSocket(localPort, 0, addr);
            }
--- a/apps/routerconsole/java/src/net/i2p/router/web/RouterConsoleRunner.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/RouterConsoleRunner.java
@@ -37,6 +37,7 @@ import net.i2p.util.FileUtil;
 import net.i2p.util.I2PAppThread;
 import net.i2p.util.PortMapper;
 import net.i2p.util.SecureDirectory;
+import net.i2p.util.I2PSSLSocketFactory;
 import net.i2p.util.SystemVersion;
 import org.eclipse.jetty.security.HashLoginService;
 import org.eclipse.jetty.security.ConstraintMapping;
@@ -464,6 +465,10 @@ public class RouterConsoleRunner implements RouterApp {
                    sslFactory.setKeyStorePassword(_context.getProperty(PROP_KEYSTORE_PASSWORD, DEFAULT_KEYSTORE_PASSWORD));
                    // the X.509 cert password (if not present, verifyKeyStore() returned false)
                    sslFactory.setKeyManagerPassword(_context.getProperty(PROP_KEY_PASSWORD, "thisWontWork"));
+                    sslFactory.addExcludeProtocols(I2PSSLSocketFactory.EXCLUDE_PROTOCOLS.toArray(
+                                                   new String[I2PSSLSocketFactory.EXCLUDE_PROTOCOLS.size()]));
+                    sslFactory.addExcludeCipherSuites(I2PSSLSocketFactory.INCLUDE_CIPHERS.toArray(
+                                                      new String[I2PSSLSocketFactory.EXCLUDE_CIPHERS.size()]));
                    StringTokenizer tok = new StringTokenizer(_sslListenHost, " ,");
                    while (tok.hasMoreTokens()) {
                        String host = tok.nextToken().trim();