Merge pull request #993 from microsoft/default_tls1.2

Use tls1.2 by default

Author: littleaj

core/build.gradle

@@ -122,7 +122,7 @@ dependencies {
     compile ([group: 'io.grpc', name: 'grpc-protobuf', version: '1.16.1'])
     runtime ([group: 'io.grpc', name: 'grpc-netty-shaded', version: '1.16.1'])
     // update transitive dependency version
-    runtime ([group: 'com.google.guava', name: 'guava', version: '27.1-android'])
+    compile ([group: 'com.google.guava', name: 'guava', version: '27.1-android'])
     testCompile group: 'org.hamcrest', name:'hamcrest-core', version:'1.3'
     testCompile group: 'org.hamcrest', name:'hamcrest-library', version:'1.3'
     testCompile group: 'org.mockito', name: 'mockito-core', version: '1.10.19'

core/src/main/java/com/microsoft/applicationinsights/internal/channel/common/ApacheSender43.java

@@ -22,25 +22,24 @@
 package com.microsoft.applicationinsights.internal.channel.common;
 
 import java.io.IOException;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
-import java.util.concurrent.LinkedBlockingDeque;
-import java.util.concurrent.ThreadPoolExecutor;
-import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicReference;
 
 import com.microsoft.applicationinsights.internal.logger.InternalLogger;
 
-import com.microsoft.applicationinsights.internal.shutdown.SDKShutdownActivity;
-import com.microsoft.applicationinsights.internal.util.ThreadPoolUtils;
+import com.microsoft.applicationinsights.internal.util.SSLOptionsUtil;
 import org.apache.http.HttpResponse;
 import org.apache.http.client.HttpClient;
 import org.apache.http.client.config.RequestConfig;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.client.methods.HttpPost;
+import org.apache.http.config.RegistryBuilder;
+import org.apache.http.conn.socket.ConnectionSocketFactory;
+import org.apache.http.conn.socket.PlainConnectionSocketFactory;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
 import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
+import org.apache.http.ssl.SSLContexts;
 
 /**
  * Created by gupele on 6/4/2015.
@@ -51,16 +50,18 @@ final class ApacheSender43 implements ApacheSender {
 
     static ApacheSender43 create() {
         final ApacheSender43 sender = new ApacheSender43();
+        final String[] allowedProtocols = SSLOptionsUtil.getAllowedProtocols();
         Thread initThread = new Thread(
                 new Runnable() {
-
                     @Override
                     public void run() {
-                        PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager();
+                        final PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(RegistryBuilder.<ConnectionSocketFactory>create()
+                                .register("https", new SSLConnectionSocketFactory(SSLContexts.createDefault(), allowedProtocols, null, SSLConnectionSocketFactory.getDefaultHostnameVerifier()))
+                                .register("http", PlainConnectionSocketFactory.getSocketFactory())
+                                .build());
                         cm.setMaxTotal(DEFAULT_MAX_TOTAL_CONNECTIONS);
                         cm.setDefaultMaxPerRoute(DEFAULT_MAX_CONNECTIONS_PER_ROUTE);
-
-                            sender.httpClientRef.compareAndSet(null, HttpClients.custom()
+                        sender.httpClientRef.compareAndSet(null, HttpClients.custom()
                                 .setConnectionManager(cm)
                                 .useSystemProperties()
                                 .build());

core/src/main/java/com/microsoft/applicationinsights/internal/util/NoSupportedProtocolsException.java

@@ -0,0 +1,10 @@
+package com.microsoft.applicationinsights.internal.util;
+
+public class NoSupportedProtocolsException extends RuntimeException {
+    public NoSupportedProtocolsException() {
+    }
+
+    public NoSupportedProtocolsException(String message) {
+        super(message);
+    }
+}

core/src/main/java/com/microsoft/applicationinsights/internal/util/SSLOptionsUtil.java

@@ -0,0 +1,89 @@
+package com.microsoft.applicationinsights.internal.util;
+
+import com.google.common.base.Splitter;
+import com.google.common.base.Strings;
+import com.microsoft.applicationinsights.internal.logger.InternalLogger;
+import org.apache.commons.lang3.exception.ExceptionUtils;
+
+import javax.net.ssl.SSLContext;
+import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+public class SSLOptionsUtil {
+
+    private SSLOptionsUtil() {}
+
+    public static final String APPLICATION_INSIGHTS_SSL_PROTOCOLS_PROPERTY = "applicationinsights.ssl.protocols";
+
+    private static final String[] DEFAULT_SUPPORTED_PROTOCOLS;
+    private static final String[] DEFAULT_PROTOCOLS = new String[] {"TLSv1.3", "TLSv1.2"};
+
+    static {
+        DEFAULT_SUPPORTED_PROTOCOLS = filterSupportedProtocols(Arrays.asList(DEFAULT_PROTOCOLS), false);
+        if (DEFAULT_SUPPORTED_PROTOCOLS.length == 0 && InternalLogger.INSTANCE.isErrorEnabled()) {
+            InternalLogger.INSTANCE.error("Default protocols are not supported in this JVM: %s. System property '%s' can be used to configure supported SSL protocols.",
+                    Arrays.toString(DEFAULT_PROTOCOLS), APPLICATION_INSIGHTS_SSL_PROTOCOLS_PROPERTY);
+        }
+    }
+
+    private static String[] filterSupportedProtocols(Iterable<String> defaultValue, boolean reportErrors) {
+        List<String> supported = new ArrayList<>();
+        for (String protocol : defaultValue) {
+            try {
+                SSLContext.getInstance(protocol);
+                supported.add(protocol);
+            } catch (NoSuchAlgorithmException e) {
+                if (InternalLogger.INSTANCE.isErrorEnabled() && reportErrors) {
+                    InternalLogger.INSTANCE.error("Could not find protocol '%s': %s", protocol, ExceptionUtils.getStackTrace(e));
+                }
+            }
+        }
+        return supported.toArray(new String[0]);
+    }
+
+    /**
+     * <p>Finds the list of supported SSL/TLS protocols. If custom protocols are specified with the system property {@value #APPLICATION_INSIGHTS_SSL_PROTOCOLS_PROPERTY}, this overrides the defaults.
+     * An error will be logged if the property contains no supported protocols.</p>
+     *
+     * <p>If no supported protocols are specified, the defaults are used (see static constructor). If no default protocols are available on this JVM, an error is logged.</p>
+     *
+     * @return An array of supported protocols. If there are none found, an empty array.
+     * @throws NoSupportedProtocolsException If the defaults are to be used and none of the defaults are supported by this JVM
+     */
+    public static String[] getAllowedProtocols() {
+        final String rawProp = System.getProperty(APPLICATION_INSIGHTS_SSL_PROTOCOLS_PROPERTY);
+        if (rawProp == null) {
+            return defaultSupportedProtocols();
+        }
+
+        if (Strings.isNullOrEmpty(rawProp)) {
+            if (InternalLogger.INSTANCE.isWarnEnabled()) {
+                InternalLogger.INSTANCE.warn("%s specifies no protocols; using defaults: %s", APPLICATION_INSIGHTS_SSL_PROTOCOLS_PROPERTY, Arrays.toString(DEFAULT_SUPPORTED_PROTOCOLS));
+            }
+            return defaultSupportedProtocols();
+        }
+
+        String[] customProtocols = filterSupportedProtocols(Splitter.on(',').trimResults().omitEmptyStrings().split(rawProp), true);
+        if (customProtocols.length == 0) {
+            if (InternalLogger.INSTANCE.isErrorEnabled()) {
+                InternalLogger.INSTANCE.error("%s contained no supported protocols: '%s'; using default: %s", APPLICATION_INSIGHTS_SSL_PROTOCOLS_PROPERTY, rawProp, Arrays.toString(DEFAULT_SUPPORTED_PROTOCOLS));
+            }
+            return defaultSupportedProtocols();
+        }
+
+        if (InternalLogger.INSTANCE.isInfoEnabled()) {
+            InternalLogger.INSTANCE.info("Found %s='%s'; HTTP client will allow only these protocols", APPLICATION_INSIGHTS_SSL_PROTOCOLS_PROPERTY, Arrays.toString(customProtocols));
+        }
+        return customProtocols;
+    }
+
+    private static String[] defaultSupportedProtocols() {
+        if (DEFAULT_SUPPORTED_PROTOCOLS.length == 0) {
+            throw new NoSupportedProtocolsException(String.format("None of the default TLS protocols are supported by this JVM: %s. Use the system property '%s' to override.", Arrays.toString(DEFAULT_PROTOCOLS), APPLICATION_INSIGHTS_SSL_PROTOCOLS_PROPERTY));
+        }
+        return DEFAULT_SUPPORTED_PROTOCOLS;
+    }
+
+}

web/src/main/java/com/microsoft/applicationinsights/web/internal/correlation/CdsProfileFetcher.java

@@ -24,12 +24,15 @@
 import com.microsoft.applicationinsights.internal.logger.InternalLogger;
 import com.microsoft.applicationinsights.internal.shutdown.SDKShutdownActivity;
 import com.microsoft.applicationinsights.internal.util.PeriodicTaskPool;
+import com.microsoft.applicationinsights.internal.util.SSLOptionsUtil;
 import org.apache.http.HttpResponse;
 import org.apache.http.ParseException;
 import org.apache.http.client.config.RequestConfig;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.impl.nio.client.CloseableHttpAsyncClient;
 import org.apache.http.impl.nio.client.HttpAsyncClients;
+import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy;
+import org.apache.http.ssl.SSLContexts;
 import org.apache.http.util.EntityUtils;
 
 import java.io.IOException;
@@ -39,7 +42,6 @@
 import java.util.concurrent.ConcurrentMap;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.Future;
-import java.util.concurrent.ScheduledFuture;
 import java.util.concurrent.TimeUnit;
 
 public class CdsProfileFetcher implements AppProfileFetcher {
@@ -72,8 +74,10 @@ public CdsProfileFetcher(CdsRetryPolicy retryPolicy) {
                 .setConnectionRequestTimeout(5000)
                 .build();
 
+        final String[] allowedProtocols = SSLOptionsUtil.getAllowedProtocols();
         setHttpClient(HttpAsyncClients.custom()
                 .setDefaultRequestConfig(requestConfig)
+                .setSSLStrategy(new SSLIOSessionStrategy(SSLContexts.createDefault(), allowedProtocols, null, SSLIOSessionStrategy.getDefaultHostnameVerifier()))
                 .useSystemProperties()
                 .build());