From ecb0c74ea75e3c7f13df1dcec2f0b562c0c3a202 Mon Sep 17 00:00:00 2001
From: Niels
Date: Wed, 16 Nov 2022 17:35:25 +0100
Subject: [PATCH] Remove insecure SSLSocketFactory (#4004)

---
 .../ldap/LdapFindMemberPipe.java | 8 +-
 .../webcontrol/DummySSLSocketFactory.java | 113 ------------------
 2 files changed, 3 insertions(+), 118 deletions(-)
 delete mode 100644 core/src/main/java/nl/nn/adapterframework/webcontrol/DummySSLSocketFactory.java

diff --git a/core/src/main/java/nl/nn/adapterframework/ldap/LdapFindMemberPipe.java b/core/src/main/java/nl/nn/adapterframework/ldap/LdapFindMemberPipe.java
index 8adc0459f08..77c26488d18 100644
--- a/core/src/main/java/nl/nn/adapterframework/ldap/LdapFindMemberPipe.java
+++ b/core/src/main/java/nl/nn/adapterframework/ldap/LdapFindMemberPipe.java
@@ -1,5 +1,5 @@
 /*
-   Copyright 2016, 2019, 2020 Nationale-Nederlanden
+   Copyright 2016, 2019-2020 Nationale-Nederlanden, 2022 WeAreFrank!
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -27,14 +27,13 @@
 import org.apache.commons.lang3.StringUtils;
 
-import nl.nn.adapterframework.core.PipeLineSession;
 import nl.nn.adapterframework.core.ParameterException;
+import nl.nn.adapterframework.core.PipeLineSession;
 import nl.nn.adapterframework.core.PipeRunException;
 import nl.nn.adapterframework.core.PipeRunResult;
 import nl.nn.adapterframework.doc.IbisDoc;
 import nl.nn.adapterframework.parameters.ParameterValueList;
 import nl.nn.adapterframework.stream.Message;
-import nl.nn.adapterframework.webcontrol.DummySSLSocketFactory;
 
 /**
  * Pipe that checks if a specified dn exists as 'member' in another specified dn
@@ -108,8 +107,7 @@ private boolean findMember(String host, int port, String dnSearchIn, boolean use
 			ctx = new InitialDirContext(env);
 		} catch (CommunicationException e) {
 			log.info("Cannot create constructor for DirContext ["+ e.getMessage() + "], will try again with dummy SocketFactory",e);
-			env.put("java.naming.ldap.factory.socket", DummySSLSocketFactory.class.getName());
-			ctx = new InitialLdapContext(env, null);
+			ctx = new InitialLdapContext(env, null); //Try again without connection request controls.
 		}
 		Attribute attrs = ctx.getAttributes("").get("member");
 		if (attrs != null) {
diff --git a/core/src/main/java/nl/nn/adapterframework/webcontrol/DummySSLSocketFactory.java b/core/src/main/java/nl/nn/adapterframework/webcontrol/DummySSLSocketFactory.java
deleted file mode 100644
index 3acaed5264f..00000000000
--- a/core/src/main/java/nl/nn/adapterframework/webcontrol/DummySSLSocketFactory.java
+++ /dev/null
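Review bot: The `log.info(...)` context line still announces "will try again with dummy SocketFactory", but the new fallback installs no socket factory at all; it calls `InitialLdapContext(env, null)` with the same `env` that `InitialDirContext(env)` just rejected, so the retry will most likely fail with the same CommunicationException while the log claims a different strategy was tried. Change the message to describe what actually happens, e.g. `log.info("Cannot create DirContext [" + e.getMessage() + "], will try again with InitialLdapContext", e);`, or drop the retry and let the exception propagate so that a TLS trust or connectivity failure surfaces once, as itself. The added comment `//Try again without connection request controls.` is also doubtful: as far as I can tell neither constructor passes connection request controls, so the two attempts differ only in the context class. findMember begins and ends outside this hunk.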
@@ -1,113 +0,0 @@
-/*
-   Copyright 2013 Nationale-Nederlanden
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-package nl.nn.adapterframework.webcontrol;
-
-import java.io.IOException;
-import java.net.InetAddress;
-import java.net.Socket;
-import java.security.cert.X509Certificate;
-
-import javax.net.SocketFactory;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSocketFactory;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.X509TrustManager;
-
-/**
- * Dummy SSLSocketFactory for LdapFindMemberPipe.
- *
- * (to avoid java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty).
- *
- * @author Peter Leeuwenburgh
- * @version $Id$
- */
-
-public class DummySSLSocketFactory extends SSLSocketFactory {
-	private SSLSocketFactory factory;
-
-	public DummySSLSocketFactory() {
-		try {
-			SSLContext sslcontext = SSLContext.getInstance("TLS");
-			sslcontext.init(
-					null, // No KeyManager required
-					new TrustManager[] { new DummyTrustManager() },
-					new java.security.SecureRandom());
-
-			factory = sslcontext.getSocketFactory();
-		} catch (Exception ex) {
-			ex.printStackTrace();
-		}
-	}
-
-	public static SocketFactory getDefault() {
-		return new DummySSLSocketFactory();
-	}
-
-	@Override
-	public Socket createSocket(Socket socket, String s, int i, boolean flag)
-			throws IOException {
-		return factory.createSocket(socket, s, i, flag);
-	}
-
-	@Override
-	public Socket createSocket(InetAddress inaddr, int i, InetAddress inaddr1,
-			int j) throws IOException {
-		return factory.createSocket(inaddr, i, inaddr1, j);
-	}
-
-	@Override
-	public Socket createSocket(InetAddress inaddr, int i) throws IOException {
-		return factory.createSocket(inaddr, i);
-	}
-
-	@Override
-	public Socket createSocket(String s, int i, InetAddress inaddr, int j)
-			throws IOException {
-		return factory.createSocket(s, i, inaddr, j);
-	}
-
-	@Override
-	public Socket createSocket(String s, int i) throws IOException {
-		return factory.createSocket(s, i);
-	}
-
-	@Override
-	public String[] getDefaultCipherSuites() {
-		return factory.getSupportedCipherSuites();
-	}
-
-	@Override
-	public String[] getSupportedCipherSuites() {
-		return factory.getSupportedCipherSuites();
-	}
-
-	public class DummyTrustManager implements X509TrustManager {
-		@Override
-		public void checkClientTrusted(X509Certificate[] cert, String authType) {
-			return;
-		}
-
-		@Override
-		public void checkServerTrusted(X509Certificate[] cert, String authType) {
-			return;
-		}
-
-		@Override
-		public X509Certificate[] getAcceptedIssuers() {
-			return new X509Certificate[0];
-		}
-	}
-}
\ No newline at end of file