1 /*
2 * Copyright (c) 2016. Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License").
5 * You may not use this file except in compliance with the License.
6 * A copy of the License is located at
7 *
8 * http://aws.amazon.com/apache2.0
9 *
10 * or in the "license" file accompanying this file. This file is distributed
11 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 * express or implied. See the License for the specific language governing
13 * permissions and limitations under the License.
14 */
15
16 package com.amazonaws.http.conn.ssl;
17
18 import com.amazonaws.internal.SdkPredicate;
19 import com.amazonaws.util.JavaVersionParser.JavaVersion;
20
21 import javax.net.ssl.SSLException;
22 import java.util.Arrays;
23 import java.util.List;
24
25 /**
26 * Determines whether we should apply the workaround to bug that causes the SSL session cache to be
27 * stuck in a bad state for either 24 hours or the next JVM restart. The workaround is to clear out
28 * SSL sessions upon receiving an SSL exception. Whether we apply the workaround depends on the type
29 * of SSL exception thrown and the JVM version in use.
30 *
31 * @see <a href="http://tiny/1jjdylxma/wamazindeJava">http://tiny/1jjdylxma/wamazindeJava</a>
32 */
33 public class ShouldClearSslSessionPredicate extends SdkPredicate<SSLException> {
34
35 /**
36 * Fixed per http://bugs.java.com/view_bug.do?bug_id=8075750
37 */
38 public static final JavaVersion FIXED_JAVA_7 = new JavaVersion(1, 7, 0, 85);
39
40 /**
41 * Fixed per http://bugs.java.com/view_bug.do?bug_id=8074944
42 */
43 public static final JavaVersion FIXED_JAVA_8 = new JavaVersion(1, 8, 0, 60);
44
45 /**
46 * Message that may indicate the SSL session cache is in a bad state and needs to be cleared.
47 */
48 private static List<String> EXCEPTION_MESSAGE_WHITELIST = Arrays.asList("server certificate change is restricted",
49 "peer not authenticated");
50
51 private final JavaVersion javaVersion;
52
53 /**
54 * @param javaVersion
55 * Current JVM version
56 */
57 public ShouldClearSslSessionPredicate(JavaVersion javaVersion) {
58 this.javaVersion = javaVersion;
59 }
60
61 /**
62 * @param sslEx
63 * SSLException thrown during connect
64 * @return True is the SSL session cache should be cleared, false otherwise.
65 */
66 @Override
67 public boolean test(SSLException sslEx) {
68 return isExceptionAffected(sslEx.getMessage()) && isJvmAffected();
69 }
70
71 /**
72 * @return True if the current JVM version is subject to the bug described above, false
73 * otherwise.
74 */
75 private boolean isJvmAffected() {
76 switch (javaVersion.getKnownVersion()) {
77 case JAVA_6:
78 // Java 6 was not and will not be patched for this bug
79 return true;
80 case JAVA_7:
81 return javaVersion.compareTo(FIXED_JAVA_7) < 0;
82 case JAVA_8:
83 return javaVersion.compareTo(FIXED_JAVA_8) < 0;
84 case JAVA_9:
85 // No Java 9 version is affected
86 return false;
87 case UNKNOWN:
88 // If we can't determine the Java version err on the side of caution and apply the fix
89 return true;
90 }
91 return true;
92 }
93
94 /**
95 * Restrict the workaround to only certain types of SSLExceptions that indicate the bug may have
96 * been encountered.
97 *
98 * @param exceptionMessage
99 * Message of the {@link SSLException}
100 * @return True if message indicates the bug may have been encountered, false otherwise
101 */
102 private boolean isExceptionAffected(final String exceptionMessage) {
103 if (exceptionMessage != null) {
104 for (String affectedMessage : EXCEPTION_MESSAGE_WHITELIST) {
105 if (exceptionMessage.contains(affectedMessage)) {
106 return true;
107 }
108 }
109 }
110 return false;
111 }
112
113 }
114