diff --git a/README.md b/README.md
index 1b4ef8e..aeb5120 100644
--- a/README.md
+++ b/README.md
@@ -61,4 +61,5 @@ There are a few more options :
- logfile : send logs to this file instead of stdout
- logfilesize : maximum size of each log file (default 10M)
- logfilenumber : number of rotated log files (default 5)
+ - disableLegacySSL : disable using SSLv2Hello and SSLv3 protocols
diff --git a/src/main/java/info/fetter/logstashforwarder/Forwarder.java b/src/main/java/info/fetter/logstashforwarder/Forwarder.java
index dc52bbb..d7969e2 100644
--- a/src/main/java/info/fetter/logstashforwarder/Forwarder.java
+++ b/src/main/java/info/fetter/logstashforwarder/Forwarder.java
@@ -67,6 +67,7 @@ public class Forwarder {
private static String logfileSize = "10MB";
private static int logfileNumber = 5;
private static String sincedbFile = SINCEDB;
+ private static boolean legacySslDisabled = false;
public static void main(String[] args) {
try {
@@ -154,6 +155,7 @@ static void parseOptions(String[] args) {
Option debugWatcherOption = new Option("debugwatcher", "operate watcher in debug mode");
Option traceOption = new Option("trace", "operate in trace mode");
Option tailOption = new Option("tail", "read new files from the end");
+ Option disableLegacySSL = new Option("disableLegacySSL", "disable using SSLv2Hello and SSLv3 protocols");
Option spoolSizeOption = OptionBuilder.withArgName("number of events")
.hasArg()
@@ -202,7 +204,8 @@ static void parseOptions(String[] args) {
.addOption(logfileOption)
.addOption(logfileNumberOption)
.addOption(logfileSizeOption)
- .addOption(sincedbOption);
+ .addOption(sincedbOption)
+ .addOption(disableLegacySSL);
CommandLineParser parser = new GnuParser();
try {
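Review bot: The new local `disableLegacySSL` in the parseOptions hunk at line 155 breaks the naming its neighbours use (`debugWatcherOption`, `traceOption`, `tailOption`) and reads like a boolean rather than an `Option`. `Option disableLegacySslOption = new Option("disableLegacySSL", "disable using SSLv2Hello and SSLv3 protocols");` together with `.addOption(disableLegacySslOption);` in the hunk at line 204 keeps the sibling style; the user-facing option string itself stays unchanged. parseOptions starts and ends outside both hunks.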
@@ -246,13 +249,16 @@ static void parseOptions(String[] args) {
if(line.hasOption("sincedb")) {
sincedbFile = line.getOptionValue("sincedb");
}
+ if(line.hasOption("disableLegacySSL")) {
+ legacySslDisabled = true;
+ }
} catch(ParseException e) {
printHelp(options);
- System.exit(1);;
+ System.exit(1);
} catch(NumberFormatException e) {
System.err.println("Value must be an integer");
printHelp(options);
- System.exit(2);;
+ System.exit(2);
}
}
@@ -284,4 +290,7 @@ private static void setupLogging() throws IOException {
// Logger.getLogger(FileReader.class).setAdditivity(false);
}
+ public static boolean isLegacySslDisabled() {
+ return legacySslDisabled;
+ }
}
diff --git a/src/main/java/info/fetter/logstashforwarder/protocol/LumberjackClient.java b/src/main/java/info/fetter/logstashforwarder/protocol/LumberjackClient.java
index b07a27b..3ad14da 100644
--- a/src/main/java/info/fetter/logstashforwarder/protocol/LumberjackClient.java
+++ b/src/main/java/info/fetter/logstashforwarder/protocol/LumberjackClient.java
@@ -18,6 +18,7 @@
*/
import info.fetter.logstashforwarder.Event;
+import info.fetter.logstashforwarder.Forwarder;
import info.fetter.logstashforwarder.ProtocolAdapter;
import info.fetter.logstashforwarder.util.AdapterException;
@@ -32,9 +33,7 @@
import java.net.ProtocolException;
import java.net.Socket;
import java.security.KeyStore;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
import java.util.zip.Deflater;
import javax.net.ssl.SSLContext;
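Review bot: The new public accessor `isLegacySslDisabled()` added at the end of Forwarder (hunk at line 290) has no Javadoc, although it is now called from another package. Add `/** True when the -disableLegacySSL flag was given; LumberjackClient then drops SSLv3 and SSLv2Hello from the enabled protocols. Set only by parseOptions, so callers that run before it see the default false. */` above the method. That the field is written only in the parseOptions hunk at line 249 is visible here; whether anything constructs a client before parseOptions runs is not, so the second sentence is a caveat worth keeping.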
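Review bot: `import java.util.*;` in the LumberjackClient import hunk at line 33 replaces three explicit imports with a wildcard, which the rest of this import block avoids and which makes the file's dependencies implicit and prone to ambiguous-name errors as `java.util` grows. Keep `ArrayList`, `List` and `Map` explicit and add only what the new code uses, e.g. `import java.util.HashSet;` and `import java.util.Set;` (or nothing extra, if the protocol filter is written with the `List`/`ArrayList` already imported).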
@@ -88,6 +87,15 @@ public LumberjackClient(String keyStorePath, String server, int port, int timeou
socket.connect(new InetSocketAddress(InetAddress.getByName(server), port), timeout);
socket.setSoTimeout(timeout);
sslSocket = (SSLSocket)socketFactory.createSocket(socket, server, port, true);
+ if(Forwarder.isLegacySslDisabled()) {
+ String[] protocols = sslSocket.getEnabledProtocols();
+ Set set = new HashSet();
+ for (String s : protocols) {
+ if (s.equals("SSLv3") || s.equals("SSLv2Hello")) continue;
+ set.add(s);
+ }
+ sslSocket.setEnabledProtocols(set.toArray(new String[0]));
+ }
sslSocket.setUseClientMode(true);
sslSocket.startHandshake();
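Review bot: The protocol filter added after `createSocket` uses raw `Set`/`HashSet`, which compiles only with an unchecked warning, and a `HashSet` discards the order in which JSSE returned the enabled protocols; a typed `List<String>` keeps both the types and the order. The filter is also opt-in, so a default run still offers SSLv3 to the server — making the legacy protocols disabled by default (or inverting the flag) would be the safer default, and on JDKs where `jdk.tls.disabledAlgorithms` already removes SSLv3 the loop is simply a no-op. Having the protocol layer reach back into `Forwarder` for a static flag couples the client to the CLI class; passing a boolean through the LumberjackClient constructor would also remove the new `Forwarder` import. The constructor starts and ends outside the hunk.
```java
sslSocket = (SSLSocket)socketFactory.createSocket(socket, server, port, true);
if (Forwarder.isLegacySslDisabled()) {
    // Keep JSSE's own ordering; only strip the two legacy entries.
    List<String> kept = new ArrayList<String>();
    for (String protocol : sslSocket.getEnabledProtocols()) {
        if (!"SSLv3".equals(protocol) && !"SSLv2Hello".equals(protocol)) {
            kept.add(protocol);
        }
    }
    sslSocket.setEnabledProtocols(kept.toArray(new String[0]));
}
// … unchanged: setUseClientMode(true) and startHandshake() …
```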