KNOX-2772 - add configuration for jetty renegotiation (#605)
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java b/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
index 3e45bac..ba572a2 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
@@ -177,6 +177,7 @@
private static final String SSL_EXCLUDE_PROTOCOLS = "ssl.exclude.protocols";
private static final String SSL_INCLUDE_CIPHERS = "ssl.include.ciphers";
private static final String SSL_EXCLUDE_CIPHERS = "ssl.exclude.ciphers";
+ private static final String SSL_RENEGOTIATION = "ssl.renegotiation";
// END BACKWARD COMPATIBLE BLOCK
public static final String DEFAULT_HTTP_PORT = "8888";
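Review bot: The new `SSL_RENEGOTIATION` key is inserted just before the `// END BACKWARD COMPATIBLE BLOCK` marker, which places a brand-new 2.x-era setting inside a block that appears to exist for legacy key names; if that block is meant only for keys kept for compatibility, the constant should go below the marker with the other current settings. Also consider making the key name follow the neighbouring `ssl.*` pattern explicitly, e.g. `// KNOX-2772: whether TLS renegotiation is permitted on the gateway listener; defaults to true (Jetty's own default)`. The surrounding constant list continues outside the hunk.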
@@ -603,6 +604,11 @@
}
@Override
+ public boolean isSSLRenegotiationAllowed() {
+ return getBoolean(SSL_RENEGOTIATION, true);
+ }
+
+ @Override
public boolean isClientAuthNeeded() {
return Boolean.parseBoolean(get( CLIENT_AUTH_NEEDED, "false" ));
}
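Review bot: `isSSLRenegotiationAllowed()` defaults to `true`, which keeps Jetty's existing behaviour but means an operator must opt out of client-initiated renegotiation rather than opt in; renegotiation is the setting most hardening guides tell operators to disable because it lets a client repeatedly force handshake work on the server, so the default deserves an explicit comment. I would add above the method `// Defaults to true to preserve prior Jetty behaviour; set ssl.renegotiation=false to reject client-initiated renegotiation.` Note the adjacent `isClientAuthNeeded()` parses through `Boolean.parseBoolean(get(...))` while this method uses `getBoolean(...)`; the two accept slightly different inputs, so aligning the style (or documenting why not) would avoid surprises for operators copying one pattern to the other.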
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java b/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java
index 867e3df..55f297e 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java
@@ -224,6 +224,8 @@
if (sslExcludeProtocols != null && !sslExcludeProtocols.isEmpty()) {
sslContextFactory.setExcludeProtocols( sslExcludeProtocols.toArray(new String[0]) );
}
+
+ sslContextFactory.setRenegotiationAllowed(config.isSSLRenegotiationAllowed());
return sslContextFactory;
}
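Review bot: The call `sslContextFactory.setRenegotiationAllowed(...)` only toggles whether renegotiation is permitted at all; when it stays enabled, the per-connection renegotiation count remains whatever Jetty's `SslContextFactory` defaults to (if the Jetty version in use exposes `setRenegotiationLimit`, that is the knob that bounds it). A brief comment would help the next reader, e.g. `// KNOX-2772: ssl.renegotiation=false makes Jetty drop connections that attempt TLS renegotiation; the renegotiation limit is left at Jetty's default.` It would also be useful to log the effective value at startup alongside the other SSL settings configured in this method, which begins and ends outside the hunk.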
diff --git a/gateway-server/src/test/java/org/apache/knox/gateway/config/impl/GatewayConfigImplTest.java b/gateway-server/src/test/java/org/apache/knox/gateway/config/impl/GatewayConfigImplTest.java
index 5ec699b..9fe737e 100644
--- a/gateway-server/src/test/java/org/apache/knox/gateway/config/impl/GatewayConfigImplTest.java
+++ b/gateway-server/src/test/java/org/apache/knox/gateway/config/impl/GatewayConfigImplTest.java
@@ -167,6 +167,18 @@
assertThat( config.getExcludedSSLCiphers(), is(hasItems("ONE","TWO","THREE")) );
}
+ // KNOX-2772
+ @Test
+ public void testisSSLRenegotiationAllowed() {
+ GatewayConfigImpl config = new GatewayConfigImpl();
+ boolean isSSLRenegotiationAllowed = config.isSSLRenegotiationAllowed();
+ assertThat( isSSLRenegotiationAllowed, is(true));
+
+ config.set("ssl.renegotiation", "false");
+ isSSLRenegotiationAllowed = config.isSSLRenegotiationAllowed();
+ assertThat( isSSLRenegotiationAllowed, is(false));
+ }
+
@Test( timeout = TestUtils.SHORT_TIMEOUT )
public void testGlobalRulesServices() {
GatewayConfigImpl config = new GatewayConfigImpl();
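Review bot: The new test method is named `testisSSLRenegotiationAllowed` with a lowercase `is`, which breaks the `testXxx` camel-case naming used by the surrounding tests; rename it `testIsSSLRenegotiationAllowed`. The neighbouring tests carry `@Test( timeout = TestUtils.SHORT_TIMEOUT )`, so the new one should too for consistency. Consider adding a third assertion for a non-boolean value such as `config.set("ssl.renegotiation", "bogus");` to pin down what `getBoolean` returns for malformed input, since that is the case operators are most likely to hit by typo.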
diff --git a/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/JettySSLServiceTest.java b/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/JettySSLServiceTest.java
index eb667ea..51cdf05 100644
--- a/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/JettySSLServiceTest.java
+++ b/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/JettySSLServiceTest.java
@@ -481,6 +481,7 @@
expect(config.getIncludedSSLCiphers()).andReturn(null).atLeastOnce();
expect(config.getExcludedSSLCiphers()).andReturn(null).atLeastOnce();
expect(config.getExcludedSSLProtocols()).andReturn(null).atLeastOnce();
+ expect(config.isSSLRenegotiationAllowed()).andReturn(true).atLeastOnce();
return config;
}
diff --git a/gateway-spi-common/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java b/gateway-spi-common/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
index 24d07b4..e493892 100644
--- a/gateway-spi-common/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
+++ b/gateway-spi-common/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
@@ -300,6 +300,11 @@
return excludedSSLCiphers;
}
+ @Override
+ public boolean isSSLRenegotiationAllowed() {
+ return true;
+ }
+
public void setExcludedSSLCiphers( List<String> list ) {
excludedSSLCiphers = list;
}
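Review bot: `GatewayTestConfig.isSSLRenegotiationAllowed()` hard-codes `true`, so no integration test built on this class can exercise the `false` path that `JettySSLService` now wires to Jetty. Every other SSL setting in this class is backed by a field with a setter (see `setExcludedSSLCiphers` right below), so the new one should follow that pattern; the rewritten lines are below.
```java
private boolean sslRenegotiationAllowed = true;

@Override
public boolean isSSLRenegotiationAllowed() {
  return sslRenegotiationAllowed;
}

public void setSSLRenegotiationAllowed( boolean allowed ) {
  sslRenegotiationAllowed = allowed;
}
// … unchanged: setExcludedSSLCiphers …
```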
diff --git a/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java b/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
index bf6eee3..68cf6ff 100644
--- a/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
+++ b/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
@@ -177,6 +177,8 @@
List<String> getExcludedSSLCiphers();
+ boolean isSSLRenegotiationAllowed();
+
boolean isHadoopKerberosSecured();
String getKerberosConfig();
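Review bot: The new interface method `isSSLRenegotiationAllowed()` has no Javadoc, so implementors have no contract for what the return value means or what the default should be. I would add above it `/** Returns whether the gateway's TLS listener accepts renegotiation requests; the configuration key is {@code ssl.renegotiation} and implementations default to {@code true}. */`. Since this is a public SPI interface, adding an abstract method breaks any out-of-tree `GatewayConfig` implementation; a `default` method returning `true` would preserve source compatibility for them while keeping the behaviour the commit intends.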