
AMBARI-8019. Create ability to disable protocols for https connections in Ambari. (dlysnichenko)

Lisnichenko Dmitro 10 년 전
부모
커밋
0e93c5d5e4

+ 1 - 0
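--- a/ambari-server/conf/unix/ambari.properties
+++ b/ambari-server/conf/unix/ambari.properties
@@ -18,6 +18,7 @@
 
 security.server.keys_dir = /var/lib/ambari-server/keys
 #security.server.disabled.ciphers=SSL_RSA_WITH_DES_CBC_SHA|SSL_RSA_EXPORT_WITH_RC4_40_MD5|SSL_DHE_RSA_WITH_DES_CBC_SHA|SSL_DHE_DSS_WITH_DES_CBC_SHA|SSL_RSA_EXPORT_WITH_DES40_CBC_SHA|SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA|SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA|SSL_RSA_WITH_3DES_EDE_CBC_SHA|SSL_DHE_RSA_WITH_DES_CBC_SHA
+#security.server.disabled.protocols=SSL|SSLv2|SSLv3
 resources.dir = /var/lib/ambari-server/resources
 shared.resources.dir = /usr/lib/ambari-server/lib/ambari_commons/resources
 custom.action.definitions = /var/lib/ambari-server/resources/custom_action_definitions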
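Review bot: The new property ships commented out, and the Configuration default for it is the empty string, so out of the box nothing is excluded and SSLv3 stays negotiable on every HTTPS connector until an operator edits this file; since the point of the change is to let the server refuse these protocols, consider shipping it enabled, e.g. `security.server.disabled.protocols=SSLv3`. The example entries `SSL` and `SSLv2` look like SSLContext algorithm names rather than names the JVM enables on a socket (those are `SSLv2Hello`, `SSLv3`, `TLSv1`, ...), so they probably match nothing in Jetty's exclude list; if the intent is to reject SSLv2-compatible ClientHello framing, `SSLv2Hello` is the name to list — worth verifying against the JDK in use. A one-line comment above the property saying that the value is `|`-separated and matched against the JVM's enabled protocol names would save operators the same investigation.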

+ 11 - 1
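--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -93,6 +93,7 @@ public class Configuration {
       "security.server.passphrase_env_var";
   public static final String PASSPHRASE_KEY = "security.server.passphrase";
   public static final String SRVR_DISABLED_CIPHERS = "security.server.disabled.ciphers";
+  public static final String SRVR_DISABLED_PROTOCOLS = "security.server.disabled.protocols";
   public static final String RESOURCES_DIR_KEY = "resources.dir";
   public static final String METADETA_DIR_PATH = "metadata.path";
   public static final String SERVER_VERSION_FILE = "server.version.file";
@@ -263,6 +264,7 @@ public class Configuration {
   private static final String SRVR_CRT_PASS_FILE_DEFAULT = "pass.txt";
   private static final String SRVR_CRT_PASS_LEN_DEFAULT = "50";
   private static final String SRVR_DISABLED_CIPHERS_DEFAULT = "";
+  private static final String SRVR_DISABLED_PROTOCOLS_DEFAULT = "";
   private static final String PASSPHRASE_ENV_DEFAULT = "AMBARI_PASSPHRASE";
   private static final String RESOURCES_DIR_DEFAULT =
       "/var/lib/ambari-server/resources/";
@@ -367,7 +369,9 @@ public class Configuration {
     configsMap.put(SRVR_CRT_PASS_LEN_KEY, properties.getProperty(
         SRVR_CRT_PASS_LEN_KEY, SRVR_CRT_PASS_LEN_DEFAULT));
     configsMap.put(SRVR_DISABLED_CIPHERS, properties.getProperty(
-            SRVR_DISABLED_CIPHERS, SRVR_DISABLED_CIPHERS_DEFAULT));
+        SRVR_DISABLED_CIPHERS, SRVR_DISABLED_CIPHERS_DEFAULT));
+    configsMap.put(SRVR_DISABLED_PROTOCOLS, properties.getProperty(
+        SRVR_DISABLED_PROTOCOLS, SRVR_DISABLED_PROTOCOLS_DEFAULT));
 
     configsMap.put(CLIENT_API_SSL_KSTR_DIR_NAME_KEY, properties.getProperty(
       CLIENT_API_SSL_KSTR_DIR_NAME_KEY, configsMap.get(SRVR_KSTR_DIR_KEY)));
@@ -939,6 +943,12 @@ public class Configuration {
     return disabledCiphers.trim();
   }
 
+  public String getSrvrDisabledProtocols() {
+    String disabledProtocols = properties.getProperty(SRVR_DISABLED_PROTOCOLS,
+            properties.getProperty(SRVR_DISABLED_PROTOCOLS, SRVR_DISABLED_PROTOCOLS_DEFAULT));
+    return disabledProtocols.trim();
+  }
+
   public int getOneWayAuthPort() {
     return Integer.parseInt(properties.getProperty(SRVR_ONE_WAY_SSL_PORT_KEY, String.valueOf(SRVR_ONE_WAY_SSL_PORT_DEFAULT)));
   }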
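Review bot: `getSrvrDisabledProtocols()` looks the same key up twice — the inner `properties.getProperty(SRVR_DISABLED_PROTOCOLS, SRVR_DISABLED_PROTOCOLS_DEFAULT)` is only the fallback for an outer lookup of `SRVR_DISABLED_PROTOCOLS`, so the nesting does nothing; `String disabledProtocols = properties.getProperty(SRVR_DISABLED_PROTOCOLS, SRVR_DISABLED_PROTOCOLS_DEFAULT);` is equivalent. The shape is presumably copied from `getSrvrDisabledCiphers`, whose body starts above the hunk, so it may be worth fixing both while here. The new getter also has no Javadoc; something like `/** Returns the '|'-separated list of SSL/TLS protocol names to exclude from the server's HTTPS connectors, trimmed, or an empty string when none are configured. */` would tell callers that empty means "no exclusion" rather than "misconfigured".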

+ 19 - 14
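--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
@@ -140,7 +140,7 @@ public class AmbariServer {
   final String CONTEXT_PATH = "/";
   final String SPRING_CONTEXT_LOCATION =
       "classpath:/webapp/WEB-INF/spring-security.xml";
-  final String DISABLED_CIPHERS_SPLITTER = "\\|";
+  final String DISABLED_ENTRIES_SPLITTER = "\\|";
 
   @Inject
   Configuration configs;
@@ -292,10 +292,7 @@ public class AmbariServer {
 
       //Secured connector for 2-way auth
       SslContextFactory contextFactoryTwoWay = new SslContextFactory();
-      if (! configs.getSrvrDisabledCiphers().isEmpty()) {
-        String [] masks = configs.getSrvrDisabledCiphers().split(DISABLED_CIPHERS_SPLITTER);
-        contextFactoryTwoWay.setExcludeCipherSuites(masks);
-      }
+      disableInsecureProtocols(contextFactoryTwoWay);
       SslSelectChannelConnector sslConnectorTwoWay = new
           SslSelectChannelConnector(contextFactoryTwoWay);
       sslConnectorTwoWay.setPort(configs.getTwoWayAuthPort());
@@ -323,10 +320,7 @@ public class AmbariServer {
       contextFactoryOneWay.setKeyStoreType("PKCS12");
       contextFactoryOneWay.setTrustStoreType("PKCS12");
       contextFactoryOneWay.setNeedClientAuth(false);
-      if (! configs.getSrvrDisabledCiphers().isEmpty()) {
-        String [] masks = configs.getSrvrDisabledCiphers().split(DISABLED_CIPHERS_SPLITTER);
-        contextFactoryOneWay.setExcludeCipherSuites(masks);
-      }
+      disableInsecureProtocols(contextFactoryOneWay);
 
       //Secured connector for 1-way auth
       SslSelectChannelConnector sslConnectorOneWay = new SslSelectChannelConnector(contextFactoryOneWay);
@@ -415,11 +409,7 @@ public class AmbariServer {
         String httpsCrtPass = configsMap.get(Configuration.CLIENT_API_SSL_CRT_PASS_KEY);
 
         SslContextFactory contextFactoryApi = new SslContextFactory();
-        if (! configs.getSrvrDisabledCiphers().isEmpty()) {
-          String [] masks = configs.getSrvrDisabledCiphers().split(DISABLED_CIPHERS_SPLITTER);
-          contextFactoryApi.setExcludeCipherSuites(masks);
-        }
-
+        disableInsecureProtocols(contextFactoryApi);
         SslSelectChannelConnector sapiConnector = new SslSelectChannelConnector(contextFactoryApi);
         sapiConnector.setPort(configs.getClientSSLApiPort());
         sapiConnector.setKeystore(httpsKeystore);
@@ -507,6 +497,21 @@ public class AmbariServer {
     }
   }
 
+  /**
+   * Disables insecure protocols and cipher suites (exact list is defined
+   * at server properties)
+   */
+  private void disableInsecureProtocols(SslContextFactory factory) {
+    if (! configs.getSrvrDisabledCiphers().isEmpty()) {
+      String [] masks = configs.getSrvrDisabledCiphers().split(DISABLED_ENTRIES_SPLITTER);
+      factory.setExcludeCipherSuites(masks);
+    }
+    if (! configs.getSrvrDisabledProtocols().isEmpty()) {
+      String [] masks = configs.getSrvrDisabledProtocols().split(DISABLED_ENTRIES_SPLITTER);
+      factory.setExcludeProtocols(masks);
+    }
+  }
+
   /**
    * Performs basic configuration of root handler with static values and values from
    * configuration file.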
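Review bot: `disableInsecureProtocols` hands the raw `split` output to Jetty, so a value with whitespace around the separator or a trailing `|` (e.g. `SSLv3 | TLSv1`) produces entries such as `SSLv3 ` or an empty string that match no enabled protocol, and the only symptom is that the protocol quietly stays enabled — the one failure mode a hardening switch should not have. Trim each entry and drop blanks before calling `setExcludeProtocols`/`setExcludeCipherSuites`, and consider logging the effective exclusion lists at startup so an operator can confirm what took effect. The Javadoc should also state that both properties default to empty, in which case nothing is excluded; e.g. `Applies the cipher-suite and protocol exclusions from security.server.disabled.ciphers and security.server.disabled.protocols to the given factory; an empty value means no exclusion.` Exclusion lists admit any protocol a future JVM enables by default, so an explicit allow-list via `setIncludeProtocols` may be the safer long-term shape, though that is a design question rather than a blocker here.
```java
  private void disableInsecureProtocols(SslContextFactory factory) {
    String[] ciphers = splitEntries(configs.getSrvrDisabledCiphers());
    if (ciphers.length > 0) {
      factory.setExcludeCipherSuites(ciphers);
    }
    String[] protocols = splitEntries(configs.getSrvrDisabledProtocols());
    if (protocols.length > 0) {
      factory.setExcludeProtocols(protocols);
    }
  }

  /** Splits a '|'-separated property value, trimming entries and dropping blanks. */
  private String[] splitEntries(String value) {
    List<String> entries = new ArrayList<String>();
    for (String entry : value.split(DISABLED_ENTRIES_SPLITTER)) {
      String trimmed = entry.trim();
      if (!trimmed.isEmpty()) {
        entries.add(trimmed);
      }
    }
    return entries.toArray(new String[entries.size()]);
  }
```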