changeset 1506:d80395468b4e

ssl security in code
author Franklin Schmidt <fschmidt@gmail.com>
date Fri, 15 May 2020 18:29:47 -0600 (2020-05-16)
parents 01e38174d580
children c8f4867fd083
files scripts/install.sh src/goodjava/io/IoUtils.java src/goodjava/lucene/backup/BackupIndexWriter.java src/goodjava/lucene/backup/BackupServer.java src/luan/modules/Rpc.luan
diffstat 5 files changed, 23 insertions(+), 13 deletions(-) [+]
--- a/scripts/install.sh	Thu May 14 15:49:45 2020 -0600
+++ b/scripts/install.sh	Fri May 15 18:29:47 2020 -0600
@@ -6,9 +6,8 @@
 
 cat >/usr/local/bin/luan <<End
 for i in `pwd`/jars/* ; do CLASSPATH=\$CLASSPATH:\$i ; done
-SECURITY=`pwd`/jvm.java.security;
 
-java -classpath \$CLASSPATH -Djava.security.properties="\$SECURITY" luan.Luan "\$@"
+java -classpath \$CLASSPATH luan.Luan "\$@"
 End
 
 chmod +x /usr/local/bin/luan
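Review bot: The generated launcher at line 21 drops the `-Djava.security.properties` override without anything in the script recording where the TLS algorithm policy now comes from, so an operator reading install.sh will assume plain JDK defaults apply. A one-line comment inside the heredoc, `# TLS policy (jdk.tls.disabledAlgorithms) is set programmatically in goodjava.io.IoUtils, not via a security properties file`, would keep that discoverable in the installed script. Presumably the `jvm.java.security` file referenced by the removed line 18 is still shipped in the repository; if nothing reads it any more, removing it or documenting its status avoids a stale, unused policy file.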
--- a/src/goodjava/io/IoUtils.java	Thu May 14 15:49:45 2020 -0600
+++ b/src/goodjava/io/IoUtils.java	Fri May 15 18:29:47 2020 -0600
@@ -5,6 +5,9 @@
 import java.io.OutputStream;
 import java.io.IOException;
 import java.nio.file.Files;
+import java.security.Security;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.SSLServerSocketFactory;
 
 
 public final class IoUtils {
@@ -54,4 +57,18 @@
 		in.close();
 	}
 
+
+	static {
+		// undo restrictions of modern scum
+		Security.setProperty("jdk.tls.disabledAlgorithms","SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC");
+	}
+
+	public static SSLSocketFactory getSSLSocketFactory() {
+		return (SSLSocketFactory)SSLSocketFactory.getDefault();
+	}
+
+	public static SSLServerSocketFactory getSSLServerSocketFactory() {
+		return (SSLServerSocketFactory)SSLServerSocketFactory.getDefault();
+	}
+
 }
\ No newline at end of file
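Review bot: The static initializer at line 42 replaces the process-wide `jdk.tls.disabledAlgorithms` policy as a side effect of merely loading IoUtils, a class that also holds unrelated stream helpers (the `in.close()` at the top of the hunk), so any code path that touches IoUtils silently weakens TLS for the entire JVM; the new list also omits the JDK default's `anon` and `NULL` entries, which is presumably what makes the `SSL_DH_anon_*` suites listed in BackupServer usable, and such suites perform no peer authentication. Making this an explicit opt-in (for example `public static synchronized void allowLegacyTls()` called from the RPC setup) rather than a class-load side effect would keep the scope visible to callers, and the comment should state intent rather than sentiment: `// Process-wide override of jdk.tls.disabledAlgorithms so the DH_anon suites used by BackupServer/Rpc are not rejected; anonymous suites give no peer authentication.` Whether the override is honored also depends on ordering — if the JDK has already read the property for an earlier SSLContext, a later setProperty may have no effect — which is worth verifying and noting next to the call. The two getters at lines 47-53 would each benefit from a one-line doc comment saying they return the JDK default factory after this override has been applied.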
--- a/src/goodjava/lucene/backup/BackupIndexWriter.java	Thu May 14 15:49:45 2020 -0600
+++ b/src/goodjava/lucene/backup/BackupIndexWriter.java	Fri May 15 18:29:47 2020 -0600
@@ -11,7 +11,6 @@
 import java.util.Arrays;
 import java.util.concurrent.Executors;
 import java.util.concurrent.ExecutorService;
-import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.SSLSocket;
 import goodjava.io.IoUtils;
 import goodjava.rpc.RpcClient;
@@ -142,7 +141,7 @@
 		if( BackupServer.cipherSuites == null ) {
 			socket = new Socket(backupDomain,BackupServer.port);
 		} else {
-			socket = SSLSocketFactory.getDefault().createSocket(backupDomain,BackupServer.port);
+			socket = IoUtils.getSSLSocketFactory().createSocket(backupDomain,BackupServer.port);
 			((SSLSocket)socket).setEnabledCipherSuites(BackupServer.cipherSuites);
 		}
 		return new RpcClient(socket);
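Review bot: With `BackupServer.cipherSuites` no longer forced to null, the branch at lines 72-73 now actually runs, and `setEnabledCipherSuites` will either throw `IllegalArgumentException` for a suite name the runtime does not support or leave the handshake to fail later if the suite is still disabled by policy; neither failure mode is commented, so a reader cannot tell that connecting depends on the IoUtils override having taken effect. A short comment above line 72, `// relies on IoUtils' jdk.tls.disabledAlgorithms override; unsupported suites throw IllegalArgumentException here, policy-disabled ones fail at handshake`, would make that dependency explicit. The same applies to the parallel branch in BackupServer (hunk `@@ -52,7 +48,7 @@`) and to the two Rpc.luan hunks. The enclosing method starts outside the hunk.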
--- a/src/goodjava/lucene/backup/BackupServer.java	Thu May 14 15:49:45 2020 -0600
+++ b/src/goodjava/lucene/backup/BackupServer.java	Fri May 15 18:29:47 2020 -0600
@@ -7,7 +7,6 @@
 import java.net.ServerSocket;
 import java.util.concurrent.Executors;
 import java.util.concurrent.ExecutorService;
-import javax.net.ssl.SSLServerSocketFactory;
 import javax.net.ssl.SSLServerSocket;
 import goodjava.util.SoftCacheMap;
 import goodjava.io.IoUtils;
@@ -34,9 +33,6 @@
 		"SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
 		"SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
 	};
-	static {
-		cipherSuites = null;  // for now, until I figure out disgusting java security
-	}
 
 	private final File backupDir;
 	private static final ExecutorService threadPool = Executors.newCachedThreadPool();
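Review bot: Removing the static block at lines 90-92 means `cipherSuites` now keeps its initializer value, so the server really does restrict itself to that array, and the entries visible in the hunk (`SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA`, `SSL_DH_anon_EXPORT_WITH_RC4_40_MD5`) are anonymous, export-grade suites: no peer authentication and 40-bit keys, which protects backup traffic against neither tampering nor disclosure. If the intent of the commit is to secure the backup channel, the array should be trimmed to authenticated, non-export suites and the server given a keystore; if the intent is only to avoid plaintext, that limitation deserves a comment at the array, e.g. `// anonymous suites: encrypts the stream but does not authenticate either peer`. Since the new disabled list in IoUtils still contains `RC4` and `DES`, the two visible entries are presumably still rejected by the JDK, so it is worth checking that `setEnabledCipherSuites` at line 102 does not fail on them. The start of the array is outside the hunk.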
@@ -52,7 +48,7 @@
 		if( cipherSuites == null ) {
 			ss = new ServerSocket(port);
 		} else {
-			ss = SSLServerSocketFactory.getDefault().createServerSocket(port);
+			ss = IoUtils.getSSLServerSocketFactory().createServerSocket(port);
 			((SSLServerSocket)ss).setEnabledCipherSuites(cipherSuites);
 		}
 		threadPool.execute(new Runnable(){public void run() {
--- a/src/luan/modules/Rpc.luan	Thu May 14 15:49:45 2020 -0600
+++ b/src/luan/modules/Rpc.luan	Fri May 15 18:29:47 2020 -0600
@@ -1,8 +1,7 @@
 require "java"
 local Socket = require "java:java.net.Socket"
 local ServerSocket = require "java:java.net.ServerSocket"
-local SSLSocketFactory = require "java:javax.net.ssl.SSLSocketFactory"
-local SSLServerSocketFactory = require "java:javax.net.ssl.SSLServerSocketFactory"
+local IoUtils = require "java:goodjava.io.IoUtils"
 local RpcClient = require "java:goodjava.rpc.RpcClient"
 local RpcServer = require "java:goodjava.rpc.RpcServer"
 local RpcCall = require "java:goodjava.rpc.RpcCall"
@@ -178,7 +177,7 @@
 	if Rpc.cipher_suites == nil then
 		socket = Socket.new(domain,Rpc.port)
 	else
-		socket = SSLSocketFactory.getDefault().createSocket(domain,Rpc.port)
+		socket = IoUtils.getSSLSocketFactory().createSocket(domain,Rpc.port)
 		socket.setEnabledCipherSuites(Rpc.cipher_suites)
 	end
 	local call = rpc_caller(socket)
@@ -204,7 +203,7 @@
 	if Rpc.cipher_suites == nil then
 		socket_server = ServerSocket.new(port)
 	else
-		socket_server = SSLServerSocketFactory.getDefault().createServerSocket(port)
+		socket_server = IoUtils.getSSLServerSocketFactory().createServerSocket(port)
 		socket_server.setEnabledCipherSuites(Rpc.cipher_suites)
 	end
 	while true do