Minor patch below which lets one lock down the admin HTTPS connection with certificates explicitly. If the new properties are not set, it defaults to the current behaviour (and the existing normal trust stores).
Below is against -release.
Dw.
diff -r -c openfire_src.orig/src/java/org/jivesoftware/openfire/container/AdminConsolePlug in.java openfire_src/src/java/org/jivesoftware/openfire/container/AdminConsolePlugin.ja va
*** openfire_src.orig/src/java/org/jivesoftware/openfire/container/AdminConsolePlug in.java Fri Nov 21 19:53:55 2008
— openfire_src/src/java/org/jivesoftware/openfire/container/AdminConsolePlugin.ja va Mon Dec 29 22:48:30 2008
*** 95,121 ****
// Create a connector for https traffic if it’s enabled.
sslEnabled = false;
try {
! if (adminSecurePort > 0 && CertificateManager.isRSACertificate(SSLConfig.getKeyStore(), “*”))
{
! if (!CertificateManager.isRSACertificate(SSLConfig.getKeyStore(),
! XMPPServer.getInstance().getServerInfo().getXMPPDomain())) {
! Log.warn(“Admin console: Using RSA certificates but they are not valid for the hosted domain”);
}
JiveSslConnector httpsConnector = new JiveSslConnector();
String bindInterface = getBindInterface();
httpsConnector.setHost(bindInterface);
httpsConnector.setPort(adminSecurePort);
! httpsConnector.setTrustPassword(SSLConfig.gets2sTrustPassword());
httpsConnector.setTruststoreType(SSLConfig.getStoreType());
! httpsConnector.setTruststore(SSLConfig.gets2sTruststoreLocation());
! httpsConnector.setNeedClientAuth(false);
! httpsConnector.setWantClientAuth(false);
! httpsConnector.setKeyPassword(SSLConfig.getKeyPassword());
httpsConnector.setKeystoreType(SSLConfig.getStoreType());
! httpsConnector.setKeystore(SSLConfig.getKeystoreLocation());
adminServer.addConnector(httpsConnector);
sslEnabled = true;
— 95,137 ----
// Create a connector for https traffic if it’s enabled.
sslEnabled = false;
try {
! if (adminSecurePort > 0 && CertificateManager.isRSACertificate(SSLConfig.getAdminKeyStore(), “*”))
{
! String fqdn = XMPPServer.getInstance().getServerInfo().getXMPPDomain();
! if (!CertificateManager.isRSACertificate(SSLConfig.getAdminKeyStore(), fqdn)) {
! Log.warn("Admin console: RSA certificate used for the admin console does " +
! “not match the domain name '”+ fqdn+"’");
}
JiveSslConnector httpsConnector = new JiveSslConnector();
String bindInterface = getBindInterface();
httpsConnector.setHost(bindInterface);
httpsConnector.setPort(adminSecurePort);
! // Only needed if we’re actually checking client certs.
! //
! httpsConnector.setTrustPassword(SSLConfig.getAdminTrustPassword());
httpsConnector.setTruststoreType(SSLConfig.getStoreType());
! httpsConnector.setTruststore(SSLConfig.getAdminTruststoreLocation());
!
! // Set policy for checking client certificates - if any
! String certPol = JiveGlobals.getProperty(“xmpp.socket.ssl.admin.policy”, “disabled”);
! if(certPol.equals(“needed”) || certPol.equals(“enabled”)) {
! httpsConnector.setNeedClientAuth(true);
! httpsConnector.setWantClientAuth(true);
! } else if(certPol.equals(“wanted”)) {
! httpsConnector.setNeedClientAuth(false);
! httpsConnector.setWantClientAuth(true);
! } else {
! httpsConnector.setNeedClientAuth(false);
! httpsConnector.setWantClientAuth(false);
! }
! // Cert used for the actual key
! httpsConnector.setKeyPassword(SSLConfig.getAdminKeyPassword());
httpsConnector.setKeystoreType(SSLConfig.getStoreType());
! httpsConnector.setKeystore(SSLConfig.getAdminKeystoreLocation());
adminServer.addConnector(httpsConnector);
sslEnabled = true;
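Review bot: Any value of `xmpp.socket.ssl.admin.policy` other than the three recognised strings (the `if`/`else if` chain compares case-sensitively) silently falls into the final `else` and turns client-certificate checking off, so a typo such as `Needed` quietly undoes the lock-down this patch is for. I would normalise and warn rather than fail open: `String certPol = JiveGlobals.getProperty("xmpp.socket.ssl.admin.policy", "disabled").trim().toLowerCase();` and, in the last branch, `if (!certPol.equals("disabled")) Log.warn("Admin console: unknown xmpp.socket.ssl.admin.policy '" + certPol + "', client certificate checks disabled");`. A comment above the policy block is also warranted: since the admin truststore defaults to the s2s truststore elsewhere in this patch, `needed` without `xmpp.socket.ssl.admin.truststore` accepts a client certificate from any CA trusted for server-to-server federation, which is broader than an admin-only CA. The comment `// Only needed if we're actually checking client certs.` sits above calls that run unconditionally; `// Trust store for client certificates; presumably only consulted when the policy below enables them.` states what is actually known. The surrounding try block and connector setup continue outside the hunk.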
diff -r -c openfire_src.orig/src/java/org/jivesoftware/openfire/net/SSLConfig.java openfire_src/src/java/org/jivesoftware/openfire/net/SSLConfig.java
*** openfire_src.orig/src/java/org/jivesoftware/openfire/net/SSLConfig.java Fri Nov 21 19:53:56 2008
— openfire_src/src/java/org/jivesoftware/openfire/net/SSLConfig.java Mon Dec 29 22:47:47 2008
*** 49,54 ****
— 49,58 ----
private static String keyStoreLocation;
private static String keypass;
-
private static KeyStore adminKeyStore;
-
private static String adminKeyStoreLocation;
-
private static String adminkeypass;
private static KeyStore s2sTrustStore;
private static String s2sTrustStoreLocation;
private static String s2sTrustpass;
*** 57,62 ****
— 61,69 ----
private static String c2sTrustStoreLocation;
private static String c2sTrustpass;
-
private static KeyStore adminTrustStore;
-
private static String adminTrustStoreLocation;
-
private static String admintrustpass;
private SSLConfig() {
}
*** 68,83 ****
// Get the keystore location. The default location is security/keystore
keyStoreLocation = JiveGlobals.getProperty(“xmpp.socket.ssl.keystore”,
“resources” + File.separator + “security” + File.separator + “keystore”);
-
keyStoreLocation = JiveGlobals.getHomeDirectory() + File.separator + keyStoreLocation;
// Get the keystore password. The default password is “changeit”.
keypass = JiveGlobals.getProperty(“xmpp.socket.ssl.keypass”, “changeit”);
keypass = keypass.trim();
// Get the truststore location for c2s connections
c2sTrustStoreLocation = JiveGlobals.getProperty(“xmpp.socket.ssl.client.truststore”,
“resources” + File.separator + “security” + File.separator + “client.truststore”);
-
c2sTrustStoreLocation = JiveGlobals.getHomeDirectory() + File.separator + c2sTrustStoreLocation;
c2sTrustpass = JiveGlobals.getProperty(“xmpp.socket.ssl.client.trustpass”, “changeit”);
c2sTrustpass = c2sTrustpass.trim();
— 75,97 ----
// Get the keystore location. The default location is security/keystore
keyStoreLocation = JiveGlobals.getProperty(“xmpp.socket.ssl.keystore”,
“resources” + File.separator + “security” + File.separator + “keystore”);
// Get the keystore password. The default password is “changeit”.
keypass = JiveGlobals.getProperty(“xmpp.socket.ssl.keypass”, “changeit”);
keypass = keypass.trim();
-
// Get the admin keystore location. The default location is the keystore location.
-
adminKeyStoreLocation = JiveGlobals.getProperty("xmpp.socket.ssl.admin.keystore", keyStoreLocation);
-
// Get the admin keystore password. The default password is that of the keystore location.
-
adminkeypass = JiveGlobals.getProperty("xmpp.socket.ssl.admin.keypass", keypass);
-
adminkeypass = adminkeypass.trim();
// Get the truststore location for c2s connections
- //
c2sTrustStoreLocation = JiveGlobals.getProperty(“xmpp.socket.ssl.client.truststore”,
“resources” + File.separator + “security” + File.separator + “client.truststore”);
c2sTrustpass = JiveGlobals.getProperty(“xmpp.socket.ssl.client.trustpass”, “changeit”);
c2sTrustpass = c2sTrustpass.trim();
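Review bot: The comment `// Get the admin keystore password. The default password is that of the keystore location.` is garbled; the code takes the default from `keypass`, so it should read `// Get the admin keystore password; defaults to the main keystore password (xmpp.socket.ssl.keypass).` The practical consequence deserves a sentence in that comment too: an operator who sets only `xmpp.socket.ssl.admin.keystore` gets the main keystore's password applied to the new file, and any mismatch surfaces only later in the store-loading block. The enclosing initialisation starts outside the hunk.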
*** 85,114 ****
// Get the truststore location for s2s connections
s2sTrustStoreLocation = JiveGlobals.getProperty(“xmpp.socket.ssl.truststore”,
“resources” + File.separator + “security” + File.separator + “truststore”);
-
s2sTrustStoreLocation = JiveGlobals.getHomeDirectory() + File.separator + s2sTrustStoreLocation;
// Get the truststore passwprd; default is “changeit”.
s2sTrustpass = JiveGlobals.getProperty(“xmpp.socket.ssl.trustpass”, “changeit”);
s2sTrustpass = s2sTrustpass.trim();
! // Load s2s keystore and trusstore
try {
keyStore = KeyStore.getInstance(storeType);
keyStore.load(new FileInputStream(keyStoreLocation), keypass.toCharArray());
s2sTrustStore = KeyStore.getInstance(storeType);
s2sTrustStore.load(new FileInputStream(s2sTrustStoreLocation), s2sTrustpass.toCharArray());
!
}
catch (Exception e) {
! Log.error(“SSLConfig startup problem.\n” +
" storeType: [" + storeType + “]\n” +
" keyStoreLocation: [" + keyStoreLocation + “]\n” +
! " keypass: [" + keypass + “]\n” +
" s2sTrustStoreLocation: [" + s2sTrustStoreLocation + “]\n” +
! " s2sTrustpass: [" + s2sTrustpass + “]\n”);
keyStore = null;
s2sTrustStore = null;
s2sFactory = null;
}
— 99,152 ----
// Get the truststore location for s2s connections
s2sTrustStoreLocation = JiveGlobals.getProperty(“xmpp.socket.ssl.truststore”,
“resources” + File.separator + “security” + File.separator + “truststore”);
// Get the truststore passwprd; default is “changeit”.
s2sTrustpass = JiveGlobals.getProperty(“xmpp.socket.ssl.trustpass”, “changeit”);
s2sTrustpass = s2sTrustpass.trim();
! // Get the truststore location for s2s connections - default is same as s2s
! adminTrustStoreLocation = JiveGlobals.getProperty(“xmpp.socket.ssl.admin.truststore”,
! s2sTrustStoreLocation);
!
! // Get the admin truststore passwprd; default is same as s2s.
! admintrustpass = JiveGlobals.getProperty(“xmpp.socket.ssl.admin.trustpass”, s2sTrustpass);
! admintrustpass = admintrustpass.trim();
!
! // Move them relative to the home dir
! keyStoreLocation = JiveGlobals.getHomeDirectory() + File.separator + keyStoreLocation;
! adminKeyStoreLocation = JiveGlobals.getHomeDirectory() + File.separator + adminKeyStoreLocation;
! adminTrustStoreLocation = JiveGlobals.getHomeDirectory() + File.separator + adminTrustStoreLocation;
! s2sTrustStoreLocation = JiveGlobals.getHomeDirectory() + File.separator + s2sTrustStoreLocation;
! c2sTrustStoreLocation = JiveGlobals.getHomeDirectory() + File.separator + c2sTrustStoreLocation;
!
! // Load s2s keystore and trusstores for the normal http and admin http interface
try {
keyStore = KeyStore.getInstance(storeType);
keyStore.load(new FileInputStream(keyStoreLocation), keypass.toCharArray());
-
adminKeyStore = KeyStore.getInstance(storeType);
-
adminKeyStore.load(new FileInputStream(adminKeyStoreLocation), adminkeypass.toCharArray());
s2sTrustStore = KeyStore.getInstance(storeType);
s2sTrustStore.load(new FileInputStream(s2sTrustStoreLocation), s2sTrustpass.toCharArray());
! adminTrustStore = KeyStore.getInstance(storeType);
! adminTrustStore.load(new FileInputStream(adminTrustStoreLocation), admintrustpass.toCharArray());
}
catch (Exception e) {
! Log.error(“SSLConfig startup problem: “+e.getMessage()+”\n” +
" storeType: [" + storeType + “]\n” +
" keyStoreLocation: [" + keyStoreLocation + “]\n” +
! " keypass: [" + _obscure(keypass) + “]\n” +
! " adminKeyStoreLocation: [" + adminKeyStoreLocation + “]\n” +
! " adminkeypass: [" + _obscure(adminkeypass) + “]\n” +
! " adminTrustKeyStoreLocation: [" + adminTrustStoreLocation + “]\n” +
! " admintrustpass: [" + _obscure(admintrustpass) + “]\n” +
" s2sTrustStoreLocation: [" + s2sTrustStoreLocation + “]\n” +
! " s2sTrustpass: [" + _obscure(s2sTrustpass) + “]\n”);
keyStore = null;
-
adminKeyStore = null;
-
adminTrustStore = null;
s2sTrustStore = null;
s2sFactory = null;
}
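Review bot: The single try at the top of the loading block now also loads the admin keystore and truststore, but its catch still clears `keyStore`, `s2sTrustStore` and `s2sFactory`, so a wrong `xmpp.socket.ssl.admin.keystore` path or password disables TLS for the whole server even though the main stores loaded fine — before this patch only the main stores could fail there. I would load the admin stores in their own try/catch that nulls only `adminKeyStore`/`adminTrustStore`; `getAdminKeyStore()` then throws and the admin console presumably falls back to HTTP only, which is the failure mode the patch description implies. Two further points on the new lines: the `FileInputStream`s opened for the admin stores are never closed, as in the pre-existing lines above them, and the error log passes `e.getMessage()` but not `e` itself, so the stack trace is lost (the c2s catch further down does pass the exception). The sketch below shows the split; the resolution of locations and passwords above it is unchanged.
```java
// … unchanged: property lookup and home-dir prefixing …
try {
    keyStore = KeyStore.getInstance(storeType);
    keyStore.load(new FileInputStream(keyStoreLocation), keypass.toCharArray());
    s2sTrustStore = KeyStore.getInstance(storeType);
    s2sTrustStore.load(new FileInputStream(s2sTrustStoreLocation), s2sTrustpass.toCharArray());
}
catch (Exception e) {
    // … unchanged: existing error log for the main stores, now passing e as the cause …
    keyStore = null;
    s2sTrustStore = null;
    s2sFactory = null;
}
// Admin-console stores are loaded separately so that an admin-only
// misconfiguration cannot take down s2s/c2s TLS.
try {
    adminKeyStore = KeyStore.getInstance(storeType);
    adminKeyStore.load(new FileInputStream(adminKeyStoreLocation), adminkeypass.toCharArray());
    adminTrustStore = KeyStore.getInstance(storeType);
    adminTrustStore.load(new FileInputStream(adminTrustStoreLocation), admintrustpass.toCharArray());
}
catch (Exception e) {
    Log.error("SSLConfig admin store problem: " + e.getMessage() + "\n" +
        "  adminKeyStoreLocation: [" + adminKeyStoreLocation + "]\n" +
        "  adminkeypass: [" + _obscure(adminkeypass) + "]\n" +
        "  adminTrustStoreLocation: [" + adminTrustStoreLocation + "]\n" +
        "  admintrustpass: [" + _obscure(admintrustpass) + "]", e);
    adminKeyStore = null;
    adminTrustStore = null;
}
```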
*** 129,135 ****
c2sTrustStore.load(null, c2sTrustpass.toCharArray());
}
catch (Exception ex) {
! Log.error(“SSLConfig startup problem.\n” +
" storeType: [" + storeType + “]\n” +
" c2sTrustStoreLocation: [" + c2sTrustStoreLocation + “]\n” +
" c2sTrustPass: [" + c2sTrustpass + “]”, e);
— 167,173 ----
c2sTrustStore.load(null, c2sTrustpass.toCharArray());
}
catch (Exception ex) {
! Log.error(“SSLConfig startup problem: “+e.getMessage()+”\n” +
" storeType: [" + storeType + “]\n” +
" c2sTrustStoreLocation: [" + c2sTrustStoreLocation + “]\n” +
" c2sTrustPass: [" + c2sTrustpass + “]”, e);
*** 156,161 ****
— 194,208 ----
});
}
-
private static String _obscure(String s) {
-
String obscure = JiveGlobals.getProperty("xmpp.socket.ssl.showpasswords", "false");
-
if (obscure.equals("true"))
-
return s;
-
return "****";
-
}
private static void resetFactory() {
try {
String algorithm = JiveGlobals.getProperty(“xmpp.socket.ssl.algorithm”, “TLS”);
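Review bot: The local `obscure` in `_obscure` holds the value of the show-passwords switch, so the name reads backwards; the method also has no Javadoc, and `equals("true")` rejects `TRUE`. A one-line body avoids all three: `return Boolean.parseBoolean(JiveGlobals.getProperty("xmpp.socket.ssl.showpasswords", "false")) ? s : "****";`. The Javadoc should say that it masks a store password for logging and that `xmpp.socket.ssl.showpasswords=true` writes keystore and truststore passwords to the log, so it should only be turned on briefly while troubleshooting.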
*** 201,206 ****
— 248,254 ----
" c2sTrustStoreLocation: [" + c2sTrustStoreLocation + “]\n” +
" c2sTrustpass: [" + c2sTrustpass + “]”, e);
keyStore = null;
-
adminKeyStore = null;
s2sTrustStore = null;
c2sTrustStore = null;
s2sFactory = null;
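Review bot: This catch in `resetFactory` clears `adminKeyStore` but not `adminTrustStore`, whereas the startup catch in the same patch clears both; add `adminTrustStore = null;` next to the new line so the two failure paths leave the same state. The unchanged line above still logs `c2sTrustpass` in clear text while this patch adds `_obscure` for that purpose; wrapping it as `_obscure(c2sTrustpass)` while here would make the patch consistent. The body of `resetFactory` starts outside the hunk.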
*** 218,223 ****
— 266,289 ----
}
/**
-
* Get the Admin Key Store password
-
*
-
* @return the key store password
-
*/
-
public static String getAdminKeyPassword() {
-
return adminkeypass;
-
}
-
/**
-
* Get the Admin Trust Store password
-
*
-
* @return the trust store password
-
*/
-
public static String getAdminTrustPassword() {
-
return admintrustpass;
-
}
-
/**
-
Return the Trust Store password for s2s connections.
-
@return the s2s trust store password.
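Review bot: The Javadoc for the two new password getters omits the fallback that the initialisation code applies, which is the detail an operator reading the API needs. I would write for `getAdminKeyPassword`: `Returns the admin keystore password (xmpp.socket.ssl.admin.keypass); falls back to the main keystore password when the admin property is not set.`, and for `getAdminTrustPassword`: `Returns the admin truststore password (xmpp.socket.ssl.admin.trustpass); falls back to the s2s truststore password when not set.` Returning passwords as `String` follows the existing getters, so no change there.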
*** 271,276 ****
— 337,365 ----
}
/**
-
* Get the Admin Key Store
-
*
-
* @return the Key Store
-
*/
-
public static KeyStore getAdminKeyStore() throws IOException {
-
if (adminKeyStore == null) {
-
throw new IOException();
-
}
-
return adminKeyStore;
-
}
-
/**
-
* Get the Admin Key Trust Store
-
*
-
* @return the Key Store
-
*/
-
public static KeyStore getAdminTrustStore() throws IOException {
-
if (adminTrustStore == null) {
-
throw new IOException();
-
}
-
return adminTrustStore;
-
}
-
/**
-
Get the Trust Store for s2s connections
-
@return the s2s Trust Store
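Review bot: Both new getters throw `new IOException()` without a message, so a failed admin store load surfaces to the caller in AdminConsolePlugin with no hint of which file was involved; `throw new IOException("Admin keystore not loaded: " + adminKeyStoreLocation);` and the trust-store counterpart cost nothing (if the existing s2s getter below throws a bare exception too, it would benefit from the same). The Javadoc for `getAdminTrustStore` is a copy of the keystore one — `Get the Admin Key Trust Store` / `@return the Key Store` — and should read `Get the trust store used for admin-console client certificates` / `@return the admin trust store`. The s2s getter that follows continues outside the hunk.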
*** 296,302 ****
/**
- Initializes (wipes and recreates) the keystore, and returns the new keystore.
! *
- @return Newly initialized keystore.
*/
public static KeyStore initializeKeyStore() {
— 385,391 ----
/**
- Initializes (wipes and recreates) the keystore, and returns the new keystore.
! * @todo Never used ?
- @return Newly initialized keystore.
*/
public static KeyStore initializeKeyStore() {
*** 369,374 ****
— 458,481 ----
}
/**
-
* Get the Admin Key Store location
-
*
-
* @return the admin keystore location
-
*/
-
public static String getAdminKeystoreLocation() {
-
return adminKeyStoreLocation;
-
}
-
/**
-
* Get the Admin Trust Store location
-
*
-
* @return the admin trust store location
-
*/
-
public static String getAdminTruststoreLocation() {
-
return adminTrustStoreLocation;
-
}
-
/**
-
Get the s2s Trust Store location
-
@return the s2s Trust Store location