/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
* or http://forgerock.org/license/CDDLv1.0.html.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at legal-notices/CDDLv1_0.txt.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2008 Sun Microsystems, Inc.
* Portions Copyright 2011-2015 ForgeRock AS
*/
package org.opends.server.replication.protocol;
import java.io.IOException;
import org.forgerock.i18n.slf4j.LocalizedLogger;
import java.net.Socket;
import java.util.SortedSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.forgerock.opendj.config.server.ConfigException;
import org.opends.server.types.CryptoManager;
import org.opends.server.types.DirectoryConfig;
import static org.opends.messages.ReplicationMessages.*;
import static org.opends.server.util.StaticUtils.*;
/**
* This class represents the security configuration for replication protocol
* sessions. It contains all the configuration required to use SSL, and it
* determines whether encryption should be enabled for a session to a given
* replication server.
*/
public final class ReplSessionSecurity
{
private static final String REPLICATION_SERVER_NAME = "Replication Server";
private static final String REPLICATION_CLIENT_NAME = "Replication Client";
private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();
/**
* Whether replication sessions use SSL encryption.
*/
private final boolean sslEncryption;
/**
* The names of the local certificates to use, or null if none is specified.
*/
private final SortedSet<String> sslCertNicknames;
/**
* The set of enabled SSL protocols, or null for the default set.
*/
private final String sslProtocols[];
/**
* The set of enabled SSL cipher suites, or null for the default set.
*/
private final String sslCipherSuites[];
/**
* Create a ReplSessionSecurity instance from a provided multimaster domain
* configuration.
*
* @throws ConfigException
* If the supplied configuration was not valid.
*/
public ReplSessionSecurity() throws ConfigException
{
// Currently use global settings from the crypto manager.
this(DirectoryConfig.getCryptoManager().getSslCertNicknames(),
DirectoryConfig.getCryptoManager().getSslProtocols(),
DirectoryConfig.getCryptoManager().getSslCipherSuites(),
DirectoryConfig.getCryptoManager().isSslEncryption());
}
/**
* Create a ReplSessionSecurity instance from the supplied configuration
* values.
*
* @param sslCertNicknames
* The names of the local certificates to use, or null if none is
* specified.
* @param sslProtocols
* The protocols that should be enabled, or null if the default
* protocols should be used.
* @param sslCipherSuites
* The cipher suites that should be enabled, or null if the default
* cipher suites should be used.
* @param sslEncryption
* Whether replication sessions use SSL encryption.
* @throws ConfigException
* If the supplied configuration was not valid.
*/
public ReplSessionSecurity(final SortedSet<String> sslCertNicknames,
final SortedSet<String> sslProtocols,
final SortedSet<String> sslCipherSuites,
final boolean sslEncryption) throws ConfigException
{
if (sslProtocols == null || sslProtocols.isEmpty())
{
this.sslProtocols = null;
}
else
{
this.sslProtocols = new String[sslProtocols.size()];
sslProtocols.toArray(this.sslProtocols);
}
if (sslCipherSuites == null || sslCipherSuites.isEmpty())
{
this.sslCipherSuites = null;
}
else
{
this.sslCipherSuites = new String[sslCipherSuites.size()];
sslCipherSuites.toArray(this.sslCipherSuites);
}
this.sslEncryption = sslEncryption;
this.sslCertNicknames = sslCertNicknames;
}
/**
* Create a new protocol session in the client role on the provided socket.
*
* @param socket
* The connected socket.
* @param soTimeout
* The socket timeout option to use for the protocol session.
* @return The new protocol session.
* @throws ConfigException
* If the protocol session could not be established due to a
* configuration problem.
* @throws IOException
* If the protocol session could not be established for some other
* reason.
*/
public Session createClientSession(final Socket socket,
final int soTimeout) throws ConfigException, IOException
{
boolean hasCompleted = false;
SSLSocket secureSocket = null;
try
{
// Create a new SSL context every time to make sure we pick up the
// latest contents of the trust store.
final CryptoManager cryptoManager = DirectoryConfig.getCryptoManager();
final SSLContext sslContext = cryptoManager.getSslContext(REPLICATION_CLIENT_NAME, sslCertNicknames);
final SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
secureSocket = (SSLSocket) sslSocketFactory.createSocket(
socket, socket.getInetAddress().getHostName(),
socket.getPort(), false);
secureSocket.setUseClientMode(true);
secureSocket.setSoTimeout(soTimeout);
if (sslProtocols != null)
{
secureSocket.setEnabledProtocols(sslProtocols);
}
if (sslCipherSuites != null)
{
secureSocket.setEnabledCipherSuites(sslCipherSuites);
}
// Force TLS negotiation now.
secureSocket.startHandshake();
hasCompleted = true;
return new Session(socket, secureSocket);
}
finally
{
if (!hasCompleted)
{
close(socket);
close(secureSocket);
}
}
}
/**
* Create a new protocol session in the server role on the provided socket.
*
* @param socket
* The connected socket.
* @param soTimeout
* The socket timeout option to use for the protocol session.
* @return The new protocol session.
* @throws ConfigException
* If the protocol session could not be established due to a
* configuration problem.
* @throws IOException
* If the protocol session could not be established for some other
* reason.
*/
public Session createServerSession(final Socket socket,
final int soTimeout) throws ConfigException, IOException
{
boolean hasCompleted = false;
SSLSocket secureSocket = null;
try
{
// Create a new SSL context every time to make sure we pick up the
// latest contents of the trust store.
final CryptoManager cryptoManager = DirectoryConfig.getCryptoManager();
final SSLContext sslContext = cryptoManager.getSslContext(REPLICATION_SERVER_NAME, sslCertNicknames);
final SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
secureSocket = (SSLSocket) sslSocketFactory.createSocket(
socket, socket.getInetAddress().getHostName(),
socket.getPort(), false);
secureSocket.setUseClientMode(false);
secureSocket.setNeedClientAuth(true);
secureSocket.setSoTimeout(soTimeout);
if (sslProtocols != null)
{
secureSocket.setEnabledProtocols(sslProtocols);
}
if (sslCipherSuites != null)
{
secureSocket.setEnabledCipherSuites(sslCipherSuites);
}
// Force TLS negotiation now.
secureSocket.startHandshake();
hasCompleted = true;
return new Session(socket, secureSocket);
}
catch (final SSLException e)
{
// This is probably a connection attempt from an unexpected client
// log that to warn the administrator.
logger.debug(INFO_SSL_SERVER_CON_ATTEMPT_ERROR, socket.getRemoteSocketAddress(),
socket.getLocalSocketAddress(), e.getLocalizedMessage());
return null;
}
finally
{
if (!hasCompleted)
{
close(socket);
close(secureSocket);
}
}
}
/**
* Determine whether sessions to a given replication server should be
* encrypted.
*
* @return true if sessions to the given replication server should be
* encrypted, or false if they should not be encrypted.
*/
public boolean isSslEncryption()
{
// Currently use global settings from the crypto manager.
return sslEncryption;
}
/** {@inheritDoc} */
@Override
public String toString()
{
return getClass().getSimpleName() + " " + (sslEncryption ? "with SSL" : "");
}
}