From: Dave B. <bla...@us...> - 2013-03-05 15:31:10
Update of /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/http In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv26938/src/org/sblim/cimclient/internal/http Modified Files: Tag: Experimental HttpClient.java HttpClientPool.java HttpServerConnection.java Log Message: 2618 Need to add property to disable weak cipher suites for the secure indication Index: HttpClientPool.java =================================================================== RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/http/HttpClientPool.java,v retrieving revision 1.5.2.7 retrieving revision 1.5.2.8 diff -u -d -r1.5.2.7 -r1.5.2.8 --- HttpClientPool.java 8 Sep 2011 12:26:08 -0000 1.5.2.7 +++ HttpClientPool.java 5 Mar 2013 15:31:07 -0000 1.5.2.8 @@ -1,5 +1,5 @@ /** - * (C) Copyright IBM Corp. 2005, 2011 + * (C) Copyright IBM Corp. 2005, 2013 * * THIS FILE IS PROVIDED UNDER THE TERMS OF THE ECLIPSE PUBLIC LICENSE * ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THIS FILE @@ -27,6 +27,7 @@ * 2524131 2009-01-21 raman_arora Upgrade client to JDK 1.5 (Phase 1) * 2531371 2009-02-10 raman_arora Upgrade client to JDK 1.5 (Phase 2) * 3400209 2011-08-31 blaschke-oss Highlighted Static Analysis (PMD) issues + * 2618 2013-02-27 blaschke-oss Need to add property to disable weak cipher suites for the secure indication */ package org.sblim.cimclient.internal.http; @@ -40,6 +41,7 @@ import javax.net.ssl.SSLContext; import org.sblim.cimclient.internal.logging.LogAndTraceBroker; +import org.sblim.cimclient.internal.util.Util; import org.sblim.cimclient.internal.util.WBEMConfiguration; /** @@ -72,6 +74,8 @@ */ private SSLContext iSslContext; + private String[] iEnabledCipherSuites = null; + /** * Ctor. * @@ -85,6 +89,7 @@ this.iAvailableConnections = new ArrayList<HttpClient>(pConfiguration.getHttpPoolSize()); this.iPoolSize = pConfiguration.getHttpPoolSize(); this.iSslContext = null; + this.iEnabledCipherSuites = null; } /** 
@@ -269,4 +274,36 @@ return this.iPoolSize; } + /** + * Returns updated array of cipher suites which is current cipher suites + * less any cipher suites listed to be disabled + * + * NOTE: The updated array is generated only upon first invocation and then + * saved, effectively making this a lazy initialization of the cipher suites + * on a HttpClientPool basis - it has to be done here and not in WBEMClient + * where it belongs because socket characteristics are not known to + * WBEMClient + * + * @param pCurrentCipherSuites + * The currently enabled cipher suites + * @param pDisableCipherSuites + * The list of cipher suites to be disabled + * @return The updated enabled cipher suites + */ + public synchronized String[] getUpdatedCipherSuites(String[] pCurrentCipherSuites, + String pDisableCipherSuites) { + if (this.iEnabledCipherSuites == null) { + this.iEnabledCipherSuites = Util.getFilteredStringArray(pCurrentCipherSuites, + pDisableCipherSuites); + int before = pCurrentCipherSuites.length; + int after = this.iEnabledCipherSuites.length; + if (before > 0 && after == 0) LogAndTraceBroker.getBroker().trace(Level.WARNING, + "All cipher suites disabled!"); + else if (before > after) LogAndTraceBroker.getBroker().trace(Level.FINE, + "Some (" + (before - after) + ") cipher suites disabled"); + else if (before == after) LogAndTraceBroker.getBroker().trace(Level.FINER, + "No cipher suites disabled"); + } + return this.iEnabledCipherSuites; + } } Index: HttpServerConnection.java =================================================================== RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/http/HttpServerConnection.java,v retrieving revision 1.7.2.10 retrieving revision 1.7.2.11 diff -u -d -r1.7.2.10 -r1.7.2.11 --- HttpServerConnection.java 13 Sep 2012 12:01:56 -0000 1.7.2.10 +++ HttpServerConnection.java 5 Mar 2013 15:31:08 -0000 1.7.2.11 
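Review bot: In `getUpdatedCipherSuites`, a disable list that matches none of the enabled suites is traced only at `Level.FINER` ("No cipher suites disabled"), so a misspelled suite name would leave the weak suites enabled with nothing in a default-level log to show it. The same branch appears in the HttpServerConnection hunk (-127,6). Both callers in this commit reach the code only when the property is non-null, so unless the property can default to an empty string this case is worth a visible trace, e.g. `else if (before == after) LogAndTraceBroker.getBroker().trace(Level.WARNING, "Cipher suites to disable matched none of the enabled suites");`. How names are compared is decided in `Util.getFilteredStringArray`, which is outside this diff, so the matching rules (case, whitespace, separators) should be confirmed and documented there.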
@@ -1,5 +1,5 @@ /** - * (C) Copyright IBM Corp. 2005, 2012 + * (C) Copyright IBM Corp. 2005, 2013 * * THIS FILE IS PROVIDED UNDER THE TERMS OF THE ECLIPSE PUBLIC LICENSE * ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THIS FILE @@ -30,6 +30,7 @@ * 3027392 2010-07-09 blaschke-oss Nullcheck of value previously dereferenced * 3206904 2011-03-11 lupusalex Indication listener deadlock causes JVM to run out sockets * 3536399 2012-08-25 hellerda Add client/listener peer authentication properties + * 2618 2013-02-27 blaschke-oss Need to add property to disable weak cipher suites for the secure indication */ package org.sblim.cimclient.internal.http; @@ -50,6 +51,7 @@ import org.sblim.cimclient.internal.logging.LogAndTraceBroker; import org.sblim.cimclient.internal.util.ThreadPool; +import org.sblim.cimclient.internal.util.Util; import org.sblim.cimclient.internal.util.WBEMConfiguration; /** 
@@ -127,6 +129,22 @@ logger.trace(Level.FINER, "Listener peer verification: require"); ((SSLServerSocket) this.iServerSocket).setNeedClientAuth(true); } + + String disableCipherSuites = this.iSessionProperties.getSslCipherSuitesToDisable(); + if (disableCipherSuites != null) { + SSLServerSocket sslSock = (SSLServerSocket) this.iServerSocket; + String[] currentCipherSuites = sslSock.getEnabledCipherSuites(); + String[] updatedCipherSuites = Util.getFilteredStringArray(currentCipherSuites, + disableCipherSuites); + sslSock.setEnabledCipherSuites(updatedCipherSuites); + int before = currentCipherSuites.length; + int after = updatedCipherSuites.length; + if (before > 0 && after == 0) logger.trace(Level.WARNING, + "All cipher suites disabled!"); + else if (before > after) logger.trace(Level.FINE, "Some (" + (before - after) + + ") cipher suites disabled"); + else if (before == after) logger.trace(Level.FINER, "No cipher suites disabled"); + } } this.iTimeout = this.iSessionProperties.getListenerHttpTimeout(); logger.exit(); Index: HttpClient.java =================================================================== RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/http/HttpClient.java,v retrieving revision 1.12.2.35 retrieving revision 1.12.2.36 diff -u -d -r1.12.2.35 -r1.12.2.36 --- HttpClient.java 23 Feb 2013 15:35:16 -0000 1.12.2.35 +++ HttpClient.java 5 Mar 2013 15:31:07 -0000 1.12.2.36 @@ -69,6 +69,7 @@ * 3601894 2013-01-23 blaschke-oss Enhance HTTP and CIM-XML tracing * 2619 2013-02-22 blaschke-oss Host should contain port when not 5988/5989 * 2621 2013-02-23 blaschke-oss Not all chunked input has trailers + * 2618 2013-02-27 blaschke-oss Need to add property to disable weak cipher suites for the secure indication */ package org.sblim.cimclient.internal.http; 
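Review bot: If the filter removes every suite, the empty array is still applied with `sslSock.setEnabledCipherSuites(updatedCipherSuites)` and the only signal is one trace at `Level.WARNING`, so the indication listener would presumably start and then fail every TLS handshake. That fails closed, but an operator sees a listener that is up and receives nothing. Consider refusing to start in that case, or at least saying so in the message, e.g. `"All cipher suites disabled - listener cannot complete any TLS handshake"`. The before/after trace block is also a copy of the one in `HttpClientPool.getUpdatedCipherSuites` and could live in one helper next to `Util.getFilteredStringArray`. The enclosing constructor or method begins outside the hunk, so what it may throw is not visible here.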
@@ -1125,6 +1126,13 @@ sk.setEnabledCipherSuites(ciphersuites); } + String disableCipherSuites = this.iHttpClientPool.getConfigurationContext() + .getSslCipherSuitesToDisable(); + if (disableCipherSuites != null) { + sk.setEnabledCipherSuites(this.iHttpClientPool.getUpdatedCipherSuites(sk + .getEnabledCipherSuites(), disableCipherSuites)); + } + // Determine whether we need to perform synchronized SSL // handshake or not boolean synchronizedHandshake = this.iHttpClientPool.getConfigurationContext() |
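Review bot: `sk.getEnabledCipherSuites()` is evaluated for every socket here, but `getUpdatedCipherSuites` (HttpClientPool hunk -269,4) uses its arguments only on the first call and returns the cached array afterwards. This line therefore relies on every socket of the pool starting from the same enabled set, including whatever `sk.setEnabledCipherSuites(ciphersuites)` applied just above, and on the disable property not changing. A comment would make that explicit, e.g. `// pool caches the filtered list after the first socket; later arguments are ignored`. The pool method also hands out its internal array, so `return this.iEnabledCipherSuites.clone();` there would keep a caller from altering the cached list. The enclosing method starts and ends outside this hunk.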