From eecaad8b8e2c447429c31a01d49260ddd6b4ee03 Mon Sep 17 00:00:00 2001
From: Paul Martin <paul@paulsputer.com>
Date: Sat, 16 Apr 2016 17:35:32 -0400
Subject: [PATCH] Proof of concept #1026

---
 src/main/java/com/gitblit/GitblitSslContextFactory.java |   31 ++++++-------------------------
 1 files changed, 6 insertions(+), 25 deletions(-)

diff --git a/src/main/java/com/gitblit/GitblitSslContextFactory.java b/src/main/java/com/gitblit/GitblitSslContextFactory.java
index f025c45..bda92af 100644
--- a/src/main/java/com/gitblit/GitblitSslContextFactory.java
+++ b/src/main/java/com/gitblit/GitblitSslContextFactory.java
@@ -32,7 +32,7 @@
 /**
  * Special SSL context factory that configures Gitblit GO and replaces the
  * primary trustmanager with a GitblitTrustManager.
- *  
+ *
  * @author James Moger
  */
 public class GitblitSslContextFactory extends SslContextFactory {
@@ -40,41 +40,22 @@
 	private static final Logger logger = LoggerFactory.getLogger(GitblitSslContextFactory.class);
 
 	private final File caRevocationList;
-	
+
 	public GitblitSslContextFactory(String certAlias, File keyStore, File clientTrustStore,
 			String storePassword, File caRevocationList) {
 		super(keyStore.getAbsolutePath());
-		
+
 		this.caRevocationList = caRevocationList;
 
-		// disable renegotiation unless this is a patched JVM
-		boolean allowRenegotiation = false;
-		String v = System.getProperty("java.version");
-		if (v.startsWith("1.7")) {
-			allowRenegotiation = true;
-		} else if (v.startsWith("1.6")) {
-			// 1.6.0_22 was first release with RFC-5746 implemented fix.
-			if (v.indexOf('_') > -1) {
-				String b = v.substring(v.indexOf('_') + 1);
-				if (Integer.parseInt(b) >= 22) {
-					allowRenegotiation = true;
-				}
-			}
-		}
-		if (allowRenegotiation) {
-			logger.info("   allowing SSL renegotiation on Java " + v);
-			setAllowRenegotiate(allowRenegotiation);
-		}
-		
-		
 		if (!StringUtils.isEmpty(certAlias)) {
 			logger.info("   certificate alias = " + certAlias);
 			setCertAlias(certAlias);
 		}
 		setKeyStorePassword(storePassword);
-		setTrustStore(clientTrustStore.getAbsolutePath());
+		setTrustStorePath(clientTrustStore.getAbsolutePath());
 		setTrustStorePassword(storePassword);
-		
+		addExcludeProtocols("SSLv3");
+
 		logger.info("   keyStorePath   = " + keyStore.getAbsolutePath());
 		logger.info("   trustStorePath = " + clientTrustStore.getAbsolutePath());
 		logger.info("   crlPath        = " + caRevocationList.getAbsolutePath());
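Review bot: Dropping the renegotiation block leaves `setAllowRenegotiate` uncalled, so whether TLS renegotiation is permitted now depends entirely on the superclass default, and neither the hunk nor the commit message ("Proof of concept #1026") records that this is intentional; if the rename to `setTrustStorePath` reflects a container API upgrade that removed the old setter, that presumably is the reason, but it should be stated. A one-line comment above the new call would carry both decisions: `// Never negotiate SSLv3; renegotiation is left at the container default now that the java.version check is gone.` The exclusion itself is hardcoded to a single protocol and, unlike the store paths logged just below, is not logged at startup, so an operator cannot confirm the effective protocol set from the log; adding `logger.info("   excludedProtocols = SSLv3");` next to the other settings keeps the startup record complete. The constructor's body continues past the end of the hunk.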

--
Gitblit v1.9.1