ATLAS-1427: Support an option to exclude protocols in SSL mode

Signed-off-by: Madhan Neethiraj <madhan@apache.org>

ATLAS-1427: Support an option to exclude protocols in SSL mode
6e5863e8 · nixonrodrigues · Madhan Neethiraj · b72a4c44 · 6e5863e8 · 6e5863e8
Commit 6e5863e8 authored Jan 04, 2017 by nixonrodrigues Committed by Madhan Neethiraj Jan 05, 2017
Showing with 12 additions and 0 deletions

SecurityProperties.java ...in/java/org/apache/atlas/security/SecurityProperties.java +3 -0

SecureEmbeddedServer.java ...va/org/apache/atlas/web/service/SecureEmbeddedServer.java +9 -0

No files found.
--- a/common/src/main/java/org/apache/atlas/security/SecurityProperties.java
+++ b/common/src/main/java/org/apache/atlas/security/SecurityProperties.java
@@ -43,4 +43,7 @@ public final class SecurityProperties {
    public static final String ATLAS_SSL_EXCLUDE_CIPHER_SUITES = "atlas.ssl.exclude.cipher.suites";
    public static final List<String> DEFAULT_CIPHER_SUITES = Arrays.asList(
            ".*NULL.*", ".*RC4.*", ".*MD5.*", ".*DES.*", ".*DSS.*");
+    public static final String ATLAS_SSL_EXCLUDE_PROTOCOLS = "atlas.ssl.exclude.protocols";
+    public static final String[] DEFAULT_EXCLUDE_PROTOCOLS = new String[] { "TLSv1", "TLSv1.1" };
+
 }
--- a/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java
+++ b/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java
@@ -49,6 +49,9 @@ import static org.apache.atlas.security.SecurityProperties.KEYSTORE_PASSWORD_KEY
 import static org.apache.atlas.security.SecurityProperties.SERVER_CERT_PASSWORD_KEY;
 import static org.apache.atlas.security.SecurityProperties.TRUSTSTORE_FILE_KEY;
 import static org.apache.atlas.security.SecurityProperties.TRUSTSTORE_PASSWORD_KEY;
+import static org.apache.atlas.security.SecurityProperties.ATLAS_SSL_EXCLUDE_PROTOCOLS;
+import static org.apache.atlas.security.SecurityProperties.DEFAULT_EXCLUDE_PROTOCOLS;
+

 /**
 * This is a jetty server which requires client auth via certificates.
@@ -78,6 +81,12 @@ public class SecureEmbeddedServer extends EmbeddedServer {
        sslContextFactory.setExcludeCipherSuites(cipherList.toArray(new String[cipherList.size()]));
        sslContextFactory.setRenegotiationAllowed(false);

+        String[] excludedProtocols = config.containsKey(ATLAS_SSL_EXCLUDE_PROTOCOLS) ?
+                config.getStringArray(ATLAS_SSL_EXCLUDE_PROTOCOLS) : DEFAULT_EXCLUDE_PROTOCOLS;
+        if (excludedProtocols != null && excludedProtocols.length > 0) {
+            sslContextFactory.addExcludeProtocols(excludedProtocols);
+        }
+
        // SSL HTTP Configuration
        // HTTP Configuration
        HttpConfiguration http_config = new HttpConfiguration();