From 12fd63204132024a3deda67f00b64c0ae3b8bd53 Mon Sep 17 00:00:00 2001
From: James Lewis
Date: Tue, 31 Dec 2019 08:51:58 -0500
Subject: [PATCH] Added the ability to restrict which SSL/TLS protocols are permitted

---
 src/main/distrib/data/defaults.properties               | 7 +++++++
 src/main/java/com/gitblit/GitBlitServer.java            | 8 +++++++-
 src/main/java/com/gitblit/GitblitSslContextFactory.java | 6 ++++--
 3 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/src/main/distrib/data/defaults.properties b/src/main/distrib/data/defaults.properties
index 5dea6a0a4..02b0fe26d 100644
--- a/src/main/distrib/data/defaults.properties
+++ b/src/main/distrib/data/defaults.properties
@@ -2131,6 +2131,13 @@ server.certificateAlias = localhost
 # RESTART REQUIRED
 server.storePassword = gitblit
 
+# SSL/TLS protocols to exclude
+# Comma separated list of SSL/TLS protocols to exclude from HTTPS support
+#
+# SINCE 1.9.0
+# RESTART REQUIRED
+server.sslExcludeProtocols = SSLv3
+
 # If serving over https (recommended) you might consider requiring clients to
 # authenticate with ssl certificates. If enabled, only https clients with the
 # a valid client certificate will be able to access Gitblit.
diff --git a/src/main/java/com/gitblit/GitBlitServer.java b/src/main/java/com/gitblit/GitBlitServer.java
index 06000f531..9a48e07c5 100644
--- a/src/main/java/com/gitblit/GitBlitServer.java
+++ b/src/main/java/com/gitblit/GitBlitServer.java
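Review bot: The comment block added for `server.sslExcludeProtocols` does not say what a blank value means, and the GitBlitServer.java hunk in this same patch only applies exclusions when the value is non-empty, so a blank value leaves every protocol the JVM enables negotiable, including SSLv3 on JVMs that still enable it. That is a silent downgrade from the previous hard-coded exclusion and should be spelled out next to the key, e.g. `# Leave blank to exclude nothing (the JVM's default enabled protocols then apply).` It would also help operators to state that entries must use the protocol names the JVM reports, with the shipped default `SSLv3` as the example.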
@@ -287,8 +287,14 @@ public void log(String message) {
				 * HTTPS
				 */
				logger.info("Setting up HTTPS transport on port " + params.securePort);
+				String sslExcludeProtocolsStr = settings.getString(Keys.server.sslExcludeProtocols, "SSLv3");
+				String[] sslExcludeProtocols = null;
+				if (sslExcludeProtocolsStr.length() > 0) {
+					sslExcludeProtocols = sslExcludeProtocolsStr.split(",");
+				}
				GitblitSslContextFactory factory = new GitblitSslContextFactory(params.alias,
-						serverKeyStore, serverTrustStore, params.storePassword, caRevocationList);
+						serverKeyStore, serverTrustStore, params.storePassword, caRevocationList,
+						sslExcludeProtocols);
				if (params.requireClientCertificates) {
					factory.setNeedClientAuth(true);
				} else {
diff --git a/src/main/java/com/gitblit/GitblitSslContextFactory.java b/src/main/java/com/gitblit/GitblitSslContextFactory.java
index bda92afa4..d919aa7ca 100644
--- a/src/main/java/com/gitblit/GitblitSslContextFactory.java
+++ b/src/main/java/com/gitblit/GitblitSslContextFactory.java
@@ -42,7 +42,7 @@ public class GitblitSslContextFactory extends SslContextFactory {
	private final File caRevocationList;

	public GitblitSslContextFactory(String certAlias, File keyStore, File clientTrustStore,
-			String storePassword, File caRevocationList) {
+			String storePassword, File caRevocationList, String[] excludeProtocols) {
		super(keyStore.getAbsolutePath());

		this.caRevocationList = caRevocationList;
@@ -54,7 +54,9 @@ public GitblitSslContextFactory(String certAlias, File keyStore, File clientTrus
		setKeyStorePassword(storePassword);
		setTrustStorePath(clientTrustStore.getAbsolutePath());
		setTrustStorePassword(storePassword);
-		addExcludeProtocols("SSLv3");
+		if ((excludeProtocols != null) && (excludeProtocols.length > 0)) {
+			addExcludeProtocols(excludeProtocols);
+		}

		logger.info("   keyStorePath   = " + keyStore.getAbsolutePath());
		logger.info("   trustStorePath = " + clientTrustStore.getAbsolutePath());
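Review bot: `sslExcludeProtocolsStr.split(",")` keeps surrounding whitespace, so a value such as `SSLv3, TLSv1` yields the entry ` TLSv1`, which will not match the protocol name Jetty compares against (whether it compares exact strings or patterns), and the intended exclusion is silently lost. A blank value also leaves `sslExcludeProtocols` null, so the factory excludes nothing and the previously hard-coded SSLv3 exclusion disappears without any log line saying so; if that is intended, a warn-level log at this point would make the weakened policy visible. Suggested change: `if (!sslExcludeProtocolsStr.trim().isEmpty()) {` / `sslExcludeProtocols = sslExcludeProtocolsStr.trim().split("\\s*,\\s*");` / `}`. The enclosing method starts and ends outside the hunk.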
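Review bot: The only public constructor changes arity here, so any caller outside this patch that still uses the five-argument form no longer compiles, and the new `excludeProtocols` parameter carries no Javadoc stating that null or empty means nothing is excluded. Keeping the old signature as a delegating overload preserves both source compatibility and the previous hard-coded behaviour: `public GitblitSslContextFactory(String certAlias, File keyStore, File clientTrustStore, String storePassword, File caRevocationList) {` / `this(certAlias, keyStore, clientTrustStore, storePassword, caRevocationList, new String[] { "SSLv3" });` / `}`. A `@param excludeProtocols` line should document the null/empty contract. The constructor body continues past the end of this hunk.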
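Review bot: The exclusion list is now operator-controlled, yet the existing `logger.info` lines below only report the store paths, so the startup log no longer shows whether SSLv3 is still excluded after someone edits the property. Logging the list inside the new guard, `logger.info("   excludeProtocols = " + String.join(",", excludeProtocols));`, makes the effective policy visible and auditable (String.join is available from Java 8; otherwise `Arrays.toString` with a `java.util.Arrays` import). A one-line comment on the guard, `// null/empty: caller chose to exclude nothing, so the JVM's default enabled set applies`, would make the intent explicit. The constructor starts in the previous hunk.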