Commit 2779341f authored by Thomas Mueller

H2 Console and server mode: SSL is now disabled and TLS is used to protect…

H2 Console and server mode: SSL is now disabled and TLS is used to protect against the POODLE SSLv3 vulnerability. The system property to disable secure anonymous connections is now "h2.enableAnonymousTLS". The default certificate is still self-signed, so you need to manually install another one if you want to avoid man in the middle attacks.
Parent 82edcc19
...@@ -63,8 +63,8 @@ Advanced ...@@ -63,8 +63,8 @@ Advanced
Restricting Class Loading and Usage</a><br /> Restricting Class Loading and Usage</a><br />
<a href="#security_protocols"> <a href="#security_protocols">
Security Protocols</a><br /> Security Protocols</a><br />
<a href="#ssl_tls_connections"> <a href="#tls_connections">
SSL/TLS Connections</a><br /> TLS Connections</a><br />
<a href="#uuid"> <a href="#uuid">
Universally Unique Identifiers (UUID)</a><br /> Universally Unique Identifiers (UUID)</a><br />
<a href="#system_properties"> <a href="#system_properties">
...@@ -1349,11 +1349,10 @@ There is a default self-certified certificate to support an easy starting point, ...@@ -1349,11 +1349,10 @@ There is a default self-certified certificate to support an easy starting point,
custom certificates are supported as well. custom certificates are supported as well.
</p> </p>
<h2 id="ssl_tls_connections">SSL/TLS Connections</h2> <h2 id="tls_connections">TLS Connections</h2>
<p> <p>
Remote SSL/TLS connections are supported using the Java Secure Socket Extension Remote TLS connections are supported using the Java Secure Socket Extension
(<code>SSLServerSocket, SSLSocket</code>). By default, anonymous SSL is enabled. (<code>SSLServerSocket, SSLSocket</code>). By default, anonymous TLS is enabled.
The default cipher suite is <code>SSL_DH_anon_WITH_RC4_128_MD5</code>.
</p> </p>
<p> <p>
To use your own keystore, set the system properties <code>javax.net.ssl.keyStore</code> and To use your own keystore, set the system properties <code>javax.net.ssl.keyStore</code> and
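Review bot: with the sentence naming SSL_DH_anon_WITH_RC4_128_MD5 removed, this paragraph still says "anonymous TLS is enabled" by default but no longer tells the reader what that means in practice. State here that anonymous (DH_anon) suites encrypt the connection without authenticating the server, so the man-in-the-middle caveat from the commit message belongs in this section next to the h2.enableAnonymousTLS pointer, not only in the change log.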
...@@ -1363,7 +1362,7 @@ Customizing the Default Key and Trust Stores, Store Types, and Store Passwords</ ...@@ -1363,7 +1362,7 @@ Customizing the Default Key and Trust Stores, Store Types, and Store Passwords</
for more information. for more information.
</p> </p>
<p> <p>
To disable anonymous SSL, set the system property <code>h2.enableAnonymousSSL</code> to false. To disable anonymous TLS, set the system property <code>h2.enableAnonymousTLS</code> to false.
</p> </p>
<h2 id="uuid">Universally Unique Identifiers (UUID)</h2> <h2 id="uuid">Universally Unique Identifiers (UUID)</h2>
...@@ -1495,7 +1494,7 @@ For a complete list of settings, see ...@@ -1495,7 +1494,7 @@ For a complete list of settings, see
Usually server sockets accept connections on any/all local addresses. Usually server sockets accept connections on any/all local addresses.
This may be a problem on multi-homed hosts. This may be a problem on multi-homed hosts.
To bind only to one address, use the system property <code>h2.bindAddress</code>. To bind only to one address, use the system property <code>h2.bindAddress</code>.
This setting is used for both regular server sockets and for SSL server sockets. This setting is used for both regular server sockets and for TLS server sockets.
IPv4 and IPv6 address formats are supported. IPv4 and IPv6 address formats are supported.
</p> </p>
...@@ -17,6 +17,14 @@ Change Log ...@@ -17,6 +17,14 @@ Change Log
<h1>Change Log</h1> <h1>Change Log</h1>
<h2>Next Version (unreleased)</h2> <h2>Next Version (unreleased)</h2>
<ul><li>H2 Console and server mode: SSL is now disabled and TLS is used
to protect against the POODLE SSLv3 vulnerability.
The system property to disable secure anonymous connections is now
"h2.enableAnonymousTLS".
The default certificate is still self-signed, so you need to manually install
another one if you want to avoid man in the middle attacks.
</li><li>MVStore: the R-tree did not correctly measure the memory usage.
</li><li>MVStore: compacting a store with an R-tree did not always work.
<ul><li>Issue 581: When running in LOCK_MODE=0, <ul><li>Issue 581: When running in LOCK_MODE=0,
JdbcDatabaseMetaData#supportsTransactionIsolationLevel(TRANSACTION_READ_UNCOMMITTED) JdbcDatabaseMetaData#supportsTransactionIsolationLevel(TRANSACTION_READ_UNCOMMITTED)
should return false should return false
...@@ -130,8 +130,8 @@ Features ...@@ -130,8 +130,8 @@ Features
it also doesn't apply if you set the password in the database URL) it also doesn't apply if you set the password in the database URL)
</li><li>All database files (including script files that can be used to backup data) can be </li><li>All database files (including script files that can be used to backup data) can be
encrypted using the AES-128 encryption algorithm encrypted using the AES-128 encryption algorithm
</li><li>The remote JDBC driver supports TCP/IP connections over SSL/TLS </li><li>The remote JDBC driver supports TCP/IP connections over TLS
</li><li>The built-in web server supports connections over SSL/TLS </li><li>The built-in web server supports connections over TLS
</li><li>Passwords can be sent to the database using char arrays instead of Strings </li><li>Passwords can be sent to the database using char arrays instead of Strings
</li></ul> </li></ul>
...@@ -487,7 +487,7 @@ This is achieved using different database URLs. Settings in the URLs are not cas ...@@ -487,7 +487,7 @@ This is achieved using different database URLs. Settings in the URLs are not cas
</td> </td>
</tr> </tr>
<tr> <tr>
<td><a href="advanced.html#ssl_tls_connections">Server mode (remote connections)<br /> using SSL/TLS</a></td> <td><a href="advanced.html#tls_connections">Server mode (remote connections)<br /> using TLS</a></td>
<td class="notranslate"> <td class="notranslate">
jdbc:h2:ssl://&lt;server&gt;[:&lt;port&gt;]/&lt;databaseName&gt;<br /> jdbc:h2:ssl://&lt;server&gt;[:&lt;port&gt;]/&lt;databaseName&gt;<br />
jdbc:h2:ssl://localhost:8085/~/sample; jdbc:h2:ssl://localhost:8085/~/sample;
...@@ -628,7 +628,7 @@ class loader environment. ...@@ -628,7 +628,7 @@ class loader environment.
</p><p> </p><p>
To access an in-memory database from another process or from another computer, To access an in-memory database from another process or from another computer,
you need to start a TCP server in the same process as the in-memory database was created. you need to start a TCP server in the same process as the in-memory database was created.
The other processes then need to access the database over TCP/IP or SSL/TLS, The other processes then need to access the database over TCP/IP or TLS,
using a database URL such as: <code>jdbc:h2:tcp://localhost/mem:db1</code>. using a database URL such as: <code>jdbc:h2:tcp://localhost/mem:db1</code>.
</p><p> </p><p>
By default, closing the last connection to a database closes the database. By default, closing the last connection to a database closes the database.
...@@ -845,7 +845,7 @@ connections to the same database. The number of open database is only limited by ...@@ -845,7 +845,7 @@ connections to the same database. The number of open database is only limited by
If you want to access the same database at the same time from different processes or computers, If you want to access the same database at the same time from different processes or computers,
you need to use the client / server mode. In this case, one process acts as the server, and the you need to use the client / server mode. In this case, one process acts as the server, and the
other processes (that could reside on other computers as well) connect to the server via TCP/IP other processes (that could reside on other computers as well) connect to the server via TCP/IP
(or SSL/TLS over TCP/IP for improved security). (or TLS over TCP/IP for improved security).
</p> </p>
<h3>Multithreading Support</h3> <h3>Multithreading Support</h3>
...@@ -180,7 +180,7 @@ Javascript needs to be enabled. ...@@ -180,7 +180,7 @@ Javascript needs to be enabled.
If you started the server on the same computer as the browser, open the URL <code>http://localhost:8082</code>. If you started the server on the same computer as the browser, open the URL <code>http://localhost:8082</code>.
If you want to connect to the application from another computer, you need to provide the IP address of the server, for example: If you want to connect to the application from another computer, you need to provide the IP address of the server, for example:
<code>http://192.168.0.2:8082</code>. <code>http://192.168.0.2:8082</code>.
If you enabled SSL on the server side, the URL needs to start with <code>https://</code>. If you enabled TLS on the server side, the URL needs to start with <code>https://</code>.
</p> </p>
<h3>Multiple Concurrent Sessions</h3> <h3>Multiple Concurrent Sessions</h3>
...@@ -431,7 +431,7 @@ Supported settings are: ...@@ -431,7 +431,7 @@ Supported settings are:
</p> </p>
<ul><li><code>webAllowOthers</code>: allow other computers to connect. <ul><li><code>webAllowOthers</code>: allow other computers to connect.
</li><li><code>webPort</code>: the port of the H2 Console </li><li><code>webPort</code>: the port of the H2 Console
</li><li><code>webSSL</code>: use encrypted (HTTPS) connections. </li><li><code>webSSL</code>: use encrypted TLS (HTTPS) connections.
</li></ul> </li></ul>
<p> <p>
In addition to those settings, the properties of the last recently used connection In addition to those settings, the properties of the last recently used connection
...@@ -97,12 +97,11 @@ public class SysProperties { ...@@ -97,12 +97,11 @@ public class SysProperties {
Utils.getProperty(H2_BROWSER, null); Utils.getProperty(H2_BROWSER, null);
/** /**
* System property <code>h2.enableAnonymousSSL</code> (default: true).<br /> * System property <code>h2.enableAnonymousTLS</code> (default: true).<br />
* When using SSL connection, the anonymous cipher suite * When using TLS connection, the anonymous cipher suites should be enabled.
* SSL_DH_anon_WITH_RC4_128_MD5 should be enabled.
*/ */
public static final boolean ENABLE_ANONYMOUS_SSL = public static final boolean ENABLE_ANONYMOUS_TLS =
Utils.getProperty("h2.enableAnonymousSSL", true); Utils.getProperty("h2.enableAnonymousTLS", true);
/** /**
* System property <code>h2.bindAddress</code> (default: null).<br /> * System property <code>h2.bindAddress</code> (default: null).<br />
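Review bot: renaming the key from h2.enableAnonymousSSL to h2.enableAnonymousTLS while keeping the default at true is a silent fail-open for existing deployments: anyone who set -Dh2.enableAnonymousSSL=false to require authenticated connections will have anonymous suites re-enabled after upgrading, with no error or warning. Consider honouring the old key as a fallback when the new one is unset (for example, read `Utils.getProperty("h2.enableAnonymousSSL", true)` inside the default), or at minimum call the rename out as a breaking change in the Javadoc and the change log entry.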
...@@ -21,6 +21,8 @@ import java.security.cert.Certificate; ...@@ -21,6 +21,8 @@ import java.security.cert.Certificate;
import java.security.cert.CertificateFactory; import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec; import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays; import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Properties; import java.util.Properties;
import javax.net.ServerSocketFactory; import javax.net.ServerSocketFactory;
import javax.net.ssl.SSLServerSocket; import javax.net.ssl.SSLServerSocket;
...@@ -52,8 +54,6 @@ public class CipherFactory { ...@@ -52,8 +54,6 @@ public class CipherFactory {
"javax.net.ssl.keyStore"; "javax.net.ssl.keyStore";
private static final String KEYSTORE_PASSWORD_KEY = private static final String KEYSTORE_PASSWORD_KEY =
"javax.net.ssl.keyStorePassword"; "javax.net.ssl.keyStorePassword";
private static final String ANONYMOUS_CIPHER_SUITE =
"SSL_DH_anon_WITH_RC4_128_MD5";
private CipherFactory() { private CipherFactory() {
// utility class // utility class
...@@ -92,9 +92,12 @@ public class CipherFactory { ...@@ -92,9 +92,12 @@ public class CipherFactory {
SSLSocket secureSocket = (SSLSocket) f.createSocket(); SSLSocket secureSocket = (SSLSocket) f.createSocket();
secureSocket.connect(new InetSocketAddress(address, port), secureSocket.connect(new InetSocketAddress(address, port),
SysProperties.SOCKET_CONNECT_TIMEOUT); SysProperties.SOCKET_CONNECT_TIMEOUT);
if (SysProperties.ENABLE_ANONYMOUS_SSL) { secureSocket.setEnabledCipherSuites(
String[] list = secureSocket.getEnabledCipherSuites(); disableSSL(secureSocket.getEnabledCipherSuites()));
list = addAnonymous(list); if (SysProperties.ENABLE_ANONYMOUS_TLS) {
String[] list = enableAnonymous(
secureSocket.getEnabledCipherSuites(),
secureSocket.getSupportedCipherSuites());
secureSocket.setEnabledCipherSuites(list); secureSocket.setEnabledCipherSuites(list);
} }
socket = secureSocket; socket = secureSocket;
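Review bot: the three statements from `secureSocket.setEnabledCipherSuites(` through the closing `}` of the ENABLE_ANONYMOUS_TLS block are repeated verbatim in createServerSocket below; a small helper that takes the enabled and supported arrays and returns the final list would keep the two code paths from drifting. More importantly, only cipher suites are adjusted here: nothing calls `setEnabledProtocols`, so whether SSLv3 can still be negotiated depends entirely on the JRE's default protocol list, which is not what "SSL is now disabled" in the commit message suggests.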
...@@ -121,11 +124,15 @@ public class CipherFactory { ...@@ -121,11 +124,15 @@ public class CipherFactory {
} else { } else {
secureSocket = (SSLServerSocket) f.createServerSocket(port, 0, bindAddress); secureSocket = (SSLServerSocket) f.createServerSocket(port, 0, bindAddress);
} }
if (SysProperties.ENABLE_ANONYMOUS_SSL) { secureSocket.setEnabledCipherSuites(
String[] list = secureSocket.getEnabledCipherSuites(); disableSSL(secureSocket.getEnabledCipherSuites()));
list = addAnonymous(list); if (SysProperties.ENABLE_ANONYMOUS_TLS) {
String[] list = enableAnonymous(
secureSocket.getEnabledCipherSuites(),
secureSocket.getSupportedCipherSuites());
secureSocket.setEnabledCipherSuites(list); secureSocket.setEnabledCipherSuites(list);
} }
socket = secureSocket; socket = secureSocket;
return socket; return socket;
} }
...@@ -262,11 +269,28 @@ public class CipherFactory { ...@@ -262,11 +269,28 @@ public class CipherFactory {
} }
} }
private static String[] addAnonymous(String[] list) { private static String[] enableAnonymous(String[] enabled, String[] supported) {
String[] newList = new String[list.length + 1]; HashSet<String> set = new HashSet<String>();
System.arraycopy(list, 0, newList, 1, list.length); Collections.addAll(set, enabled);
newList[0] = ANONYMOUS_CIPHER_SUITE; for (String x : supported) {
return newList; if (x.startsWith("SSL") &&
x.indexOf("_anon_") >= 0 &&
x.indexOf("_AES_") >= 0 &&
x.indexOf("_SHA") >= 0) {
set.add(x);
}
}
return set.toArray(new String[0]);
}
private static String[] disableSSL(String[] enabled) {
HashSet<String> set = new HashSet<String>();
for (String x : enabled) {
if (!x.startsWith("SSL")) {
set.add(x);
}
}
return set.toArray(new String[0]);
} }
} }
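Review bot: disableSSL filters on the cipher-suite name prefix, but in JSSE the `SSL_` versus `TLS_` prefix is a naming convention, not the protocol version (a suite such as `SSL_DH_anon_WITH_AES_128_CBC_SHA` is negotiated over TLS 1.x), so this drops the legacy-named suites without disabling the SSLv3 protocol; and enableAnonymous then re-adds exactly the `SSL`-prefixed `_anon_` suites that disableSSL just removed, so the two filters partly cancel each other. Building both results through a HashSet also discards the preference order that getEnabledCipherSuites returned; a LinkedHashSet, or filtering the array in place, keeps it.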