authordmills2014-10-17 09:10:33 -0400
committerdmills2014-10-17 09:10:33 -0400
commit3688c5c5d5724a33460d7f4c4d52a6ebdc72e003 (patch)
treedf41e3d24f9133d7a0b1a8b13d9ab52160e480d6
parentb92a0016b72b6fcef36d22769ad101248e986d28 (diff)
downloadorg.eclipse.hudson.core-3688c5c5d5724a33460d7f4c4d52a6ebdc72e003.tar.gz
org.eclipse.hudson.core-3688c5c5d5724a33460d7f4c4d52a6ebdc72e003.tar.xz
org.eclipse.hudson.core-3688c5c5d5724a33460d7f4c4d52a6ebdc72e003.zip
Address bug 447469 to disable the SSLv3 protocol when using Hudson in HTTPS mode
-rw-r--r--hudson-jetty-war-executable/src/main/java/org/eclipse/hudson/jetty/JettyLauncher.java20
1 files changed, 15 insertions, 5 deletions
diff --git a/hudson-jetty-war-executable/src/main/java/org/eclipse/hudson/jetty/JettyLauncher.java b/hudson-jetty-war-executable/src/main/java/org/eclipse/hudson/jetty/JettyLauncher.java
index f07dd31f..d6438748 100644
--- a/hudson-jetty-war-executable/src/main/java/org/eclipse/hudson/jetty/JettyLauncher.java
+++ b/hudson-jetty-war-executable/src/main/java/org/eclipse/hudson/jetty/JettyLauncher.java
@@ -10,7 +10,7 @@
*
* Contributors:
*
- * Winston Prakash
+ * Winston Prakash, Duncan Mills
*
******************************************************************************
*/
@@ -26,6 +26,7 @@ import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.nio.SelectChannelConnector;
import org.eclipse.jetty.server.ssl.SslSocketConnector;
+import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.webapp.WebAppContext;
/**
@@ -103,14 +104,23 @@ public class JettyLauncher {
// HTTPS (SSL) connector
if (httpsPort != -1) {
- SslSocketConnector httpsConnector = new SslSocketConnector();
- httpsConnector.setPort(httpsPort);
+ // Switch to using a ContextFactory this helps us to
+ // address 447469 - disable SSL3 to prevent Poodle attacks
+ SslContextFactory sslContextFactory = new SslContextFactory();
+ sslContextFactory.addExcludeProtocols("SSLv3");
+
+ //KeyStore path and password now injected via this new context rather
+ //than being added directly to the connection (those APIs are deprecated
+ // in any case so this is the better approach
if (keyStorePath != null) {
- httpsConnector.setKeystore(keyStorePath);
+ sslContextFactory.setKeyStore(keyStorePath);
}
if (keyStorePassword != null) {
- httpsConnector.setKeyPassword(keyStorePassword);
+ sslContextFactory.setKeyManagerPassword(keyStorePassword);
}
+
+ SslSocketConnector httpsConnector = new SslSocketConnector(sslContextFactory);
+ httpsConnector.setPort(httpsPort);
connectors.add(httpsConnector);
}
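Review bot: In the HTTPS connector block, `keyStorePassword` is passed only to `setKeyManagerPassword`, so the factory is never given a password for the keystore file itself. This appears to mirror the removed `setKeyPassword` call, but the store is then presumably loaded with a null password, and the JDK skips the keystore integrity check in that case. Adding `sslContextFactory.setKeyStorePassword(keyStorePassword);` inside the same `if (keyStorePassword != null)` block would cover both the store and the key entry. The enclosing method starts and ends outside this hunk, so confirm the password is not already set elsewhere.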
