Fix potential CVE-2014-3566 vulnerability

git-svn-id: http://svn.code.sf.net/p/davmail/code/trunk@2322 3d1905a2-6b24-0410-a738-b14d5a86fcbd
mguessan 2014-10-27 07:50:03 +00:00
parent dca0002271
commit 411caf611e
1 changed files with 14 additions and 1 deletions


@ -24,6 +24,7 @@ import davmail.ui.tray.DavGatewayTray;
import javax.net.ServerSocketFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.Inet4Address;
@ -31,6 +32,7 @@ import java.net.ServerSocket;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.HashSet;
/**
* Generic abstract server common to SMTP and POP3 implementations
@ -103,7 +105,7 @@ public abstract class AbstractServer extends Thread {
// SSLContext is environment for implementing JSSE...
// create ServerSocketFactory
SSLContext sslContext = SSLContext.getInstance("SSLv3");
SSLContext sslContext = SSLContext.getInstance("TLS");
// initialize sslContext to work with key managers
sslContext.init(kmf.getKeyManagers(), null, null);
@ -131,6 +133,17 @@ public abstract class AbstractServer extends Thread {
} else {
serverSocket = serverSocketFactory.createServerSocket(port, 0, Inet4Address.getByName(bindAddress));
}
if (serverSocket instanceof SSLServerSocket) {
// CVE-2014-3566 disable SSLv3
HashSet<String> protocols = new HashSet<String>();
for (String protocol : ((SSLServerSocket) serverSocket).getEnabledProtocols()) {
if (!protocol.startsWith("SSL")) {
protocols.add(protocol);
}
}
((SSLServerSocket) serverSocket).setEnabledProtocols(protocols.toArray(new String[protocols.size()]));
}
} catch (IOException e) {
throw new DavMailException("LOG_SOCKET_BIND_FAILED", getProtocolName(), port);
}
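Review bot: The new `serverSocket instanceof SSLServerSocket` block filters by a name-prefix denylist (`!protocol.startsWith("SSL")`) and never checks that any protocol survives the filter. If the runtime's enabled list held only SSL-prefixed entries, `setEnabledProtocols` would receive an empty array, and the listener would presumably bind but fail every handshake without a clear message. I would log or fail start-up when `protocols.isEmpty()`. I would also widen the comment, since the filter removes the `SSLv2Hello` pseudo-protocol as well: `// CVE-2014-3566 (POODLE): drop SSLv3 and SSLv2Hello, keep only the TLS versions the JRE enables`. An explicit allowlist intersected with `getSupportedProtocols()` would make the intended protocol set visible instead of inheriting JRE defaults. The enclosing method starts outside this hunk, so whether client-side sockets are hardened the same way cannot be judged from here.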