From 411caf611eea29be2c3e06365914ba2ccdc023c3 Mon Sep 17 00:00:00 2001
From: mguessan
Date: Mon, 27 Oct 2014 07:50:03 +0000
Subject: [PATCH] Fix potential CVE-2014-3566 vulnerability

git-svn-id: http://svn.code.sf.net/p/davmail/code/trunk@2322 3d1905a2-6b24-0410-a738-b14d5a86fcbd
---
 src/java/davmail/AbstractServer.java | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/java/davmail/AbstractServer.java b/src/java/davmail/AbstractServer.java
index 7638e4ba..39816178 100644
--- a/src/java/davmail/AbstractServer.java
+++ b/src/java/davmail/AbstractServer.java
@@ -24,6 +24,7 @@ import davmail.ui.tray.DavGatewayTray;
 import javax.net.ServerSocketFactory;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLServerSocket;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.net.Inet4Address;
@@ -31,6 +32,7 @@ import java.net.ServerSocket;
 import java.net.Socket;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
+import java.util.HashSet;
 
 /**
  * Generic abstract server common to SMTP and POP3 implementations
@@ -103,7 +105,7 @@ public abstract class AbstractServer extends Thread {
             // SSLContext is environment for implementing JSSE...
             // create ServerSocketFactory
-            SSLContext sslContext = SSLContext.getInstance("SSLv3");
+            SSLContext sslContext = SSLContext.getInstance("TLS");
             // initialize sslContext to work with key managers
             sslContext.init(kmf.getKeyManagers(), null, null);
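Review bot: The `"TLS"` context name on the changed `SSLContext.getInstance` line does not by itself prevent SSLv3 from being negotiated, because which protocols a "TLS" context enables on its server sockets is JRE-dependent (releases of that era still enabled SSLv3 by default), so the effective mitigation is the per-socket protocol filtering added later in this commit, and nothing in this hunk records that dependency. A comment on the new line, such as `// "TLS" only names the context; SSLv3 is excluded on the socket via setEnabledProtocols (CVE-2014-3566)`, would stop a later cleanup from treating the filtering as redundant. The enclosing method starts and ends outside the hunk.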
@@ -131,6 +133,17 @@ public abstract class AbstractServer extends Thread {
             } else {
                 serverSocket = serverSocketFactory.createServerSocket(port, 0, Inet4Address.getByName(bindAddress));
             }
+            if (serverSocket instanceof SSLServerSocket) {
+                // CVE-2014-3566 disable SSLv3
+                HashSet protocols = new HashSet();
+                for (String protocol : ((SSLServerSocket) serverSocket).getEnabledProtocols()) {
+                    if (!protocol.startsWith("SSL")) {
+                        protocols.add(protocol);
+                    }
+                }
+                ((SSLServerSocket) serverSocket).setEnabledProtocols(protocols.toArray(new String[protocols.size()]));
+            }
+
         } catch (IOException e) {
             throw new DavMailException("LOG_SOCKET_BIND_FAILED", getProtocolName(), port);
         }
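Review bot: `HashSet protocols = new HashSet();` is a raw type that nothing in the hunk requires, since the loop already iterates `String` values; `HashSet<String> protocols = new HashSet<String>();` and `protocols.toArray(new String[0])` keep the same behavior without the unchecked warning (`new HashSet<>()` if the project builds for Java 7+). The `startsWith("SSL")` filter also removes the `SSLv2Hello` pseudo-protocol, which is acceptable for a server but worth stating in the comment, e.g. `// CVE-2014-3566: drop SSLv3 (and SSLv2Hello); only TLS* protocols stay enabled`. If a JRE's enabled list contained nothing but SSL* entries, the filter would install an empty protocol list and every handshake on this socket would fail; skipping `setEnabledProtocols` when `protocols` is empty, or logging that case, would make the failure mode explicit rather than silent. The surrounding try block begins outside the hunk.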