diff --git a/dependency-check-core/src/main/resources/dependencycheck.properties b/dependency-check-core/src/main/resources/dependencycheck.properties
index b07cf3d6b..53dc1c862 100644
--- a/dependency-check-core/src/main/resources/dependencycheck.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck.properties
@@ -80,6 +80,7 @@ archive.scan.depth=3
 # use HEAD (default) or GET as HTTP request method for query timestamp
 downloader.quick.query.timestamp=true
+downloader.tls.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
 analyzer.experimental.enabled=false
 analyzer.jar.enabled=true
diff --git a/dependency-check-core/src/test/resources/dependencycheck.properties b/dependency-check-core/src/test/resources/dependencycheck.properties
index ed207a3ff..8ac69695b 100644
--- a/dependency-check-core/src/test/resources/dependencycheck.properties
+++ b/dependency-check-core/src/test/resources/dependencycheck.properties
@@ -75,6 +75,7 @@ archive.scan.depth=3
 # use HEAD (default) or GET as HTTP request method for query timestamp
 downloader.quick.query.timestamp=true
+downloader.tls.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
 analyzer.experimental.enabled=true
 analyzer.jar.enabled=true
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java
index 5965ef1a6..01c3fb4fc 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java
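Review bot: The new default `downloader.tls.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3` advertises TLS 1.0 and 1.1, both deprecated by RFC 8996, and unlike the neighbouring `downloader.quick.query.timestamp` it carries no comment saying what the key does or how it is parsed. The value is read with a plain `split(",")` in SSLSocketFactoryEx elsewhere in this diff, so entries must be comma-separated with no surrounding spaces. I would add `# comma-separated TLS versions the downloader may negotiate (no spaces); TLSv1/TLSv1.1 are deprecated and only needed for legacy mirrors` above the line. I would also consider shipping `TLSv1.2,TLSv1.3` as the default and letting operators opt down, provided the mirrors in use support TLS 1.2 — that is not verifiable from here.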
@@ -151,6 +151,13 @@ public final class Downloader {
 } finally {
 conn = null;
 }
+if ("Connection reset".equalsIgnoreCase(ex.getMessage())) {
+final String msg = format("TLS Connection Reset%nThis is a known issue for somme JRE/JDK; please see " + "https://github.com/jeremylong/DependencyCheck/issues/561%nUntil this issue is resolved please " + "consider trying a different JRE/JDK.", url.toString());
+LOGGER.error(msg);
+throw new DownloadFailedException(msg, ex);
+}
 final String msg = format("Error downloading file %s; unable to connect.", url.toString());
 throw new DownloadFailedException(msg, ex);
 }
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/SSLSocketFactoryEx.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/SSLSocketFactoryEx.java
index 64ed3ae4e..63711ce09 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/SSLSocketFactoryEx.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/SSLSocketFactoryEx.java
@@ -243,17 +243,24 @@ * @return the protocol list
 */
 protected String[] getProtocolList() {
-final String[] preferredProtocols = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"};
-String[] availableProtocols = null;
-SSLSocket socket = null;
-
+String[] availableProtocols = null;
+final String[] preferredProtocols = Settings.getString(
+Settings.KEYS.DOWNLOADER_TLS_PROTOCOL_LIST,
+"TLSv1,TLSv1.1,TLSv1.2,TLSv1.3")
+.split(",");
 try {
 final SSLSocketFactory factory = sslCtxt.getSocketFactory();
 socket = (SSLSocket) factory.createSocket();
 availableProtocols = socket.getSupportedProtocols();
 Arrays.sort(availableProtocols);
+if (LOGGER.isDebugEnabled()) {
+LOGGER.debug("Available Protocols:");
+for (String p : availableProtocols) {
+LOGGER.debug(p);
+}
+}
 } catch (Exception ex) {
 LOGGER.debug("Error getting protocol list, using TLSv1", ex);
 return new String[]{"TLSv1"};
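Review bot: In the added `format(...)` call the template contains no `%s`, so the `url.toString()` argument is silently discarded and the error never names the download that hit the reset; the same runtime string also misspells "some" as "somme". Changing the first fragment to `"TLS Connection Reset while downloading %s%nThis is a known issue for some JRE/JDK; please see "` fixes both. Matching the exception by its message text in `"Connection reset".equalsIgnoreCase(ex.getMessage())` is brittle because that text is JDK- and locale-dependent; if the catch type (declared before this hunk) allows it, narrow the check to a `SocketException` carrying that message. `ex.getMessage()` may be null, which `equalsIgnoreCase` tolerates, so no extra null guard is needed. The enclosing catch block begins outside this hunk.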
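Review bot: The configured list is read with `.split(",")`, so a value such as `TLSv1.2, TLSv1.3` yields `" TLSv1.3"`, which will never match an entry from `socket.getSupportedProtocols()`; use `.split("\\s*,\\s*")` or trim each entry, and consider rejecting an empty or all-blank list rather than letting it silently disable every protocol. The hunk also removes the `SSLSocket socket = null;` declaration while the unchanged `socket = (SSLSocket) factory.createSocket();` still assigns it — unless `socket` is a field or a line was lost in this rendering, that does not compile. The per-protocol `LOGGER.debug(p)` loop would read better as a single `LOGGER.debug("Available protocols: {}", Arrays.toString(availableProtocols));` if LOGGER is SLF4J-style, as the `debug(msg, ex)` call below suggests. The remainder of getProtocolList, where the preferred and available lists are presumably reconciled, lies outside this hunk.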
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
index 9ddd60b0a..cb8ac2559 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -339,6 +339,10 @@ public final class Settings {
 * The HTTP request method for query last modified date.
 */
 public static final String DOWNLOADER_QUICK_QUERY_TIMESTAMP = "downloader.quick.query.timestamp";
+/**
+ * The HTTP protocol list to use.
+ */
+public static final String DOWNLOADER_TLS_PROTOCOL_LIST = "downloader.tls.protocols";
 }
 //
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
index 1d0f9db2f..83802e482 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
@@ -198,7 +198,7 @@ public final class URLConnectionFactory {
 } catch (NoSuchAlgorithmException ex) {
 LOGGER.debug("Unsupported algorithm in SSLSocketFactoryEx", ex);
 } catch (KeyManagementException ex) {
-LOGGER.debug("Key mnagement eception in SSLSocketFactoryEx", ex);
+LOGGER.debug("Key management exception in SSLSocketFactoryEx", ex);
 }
 }
 }
diff --git a/dependency-check-utils/src/test/resources/dependencycheck.properties b/dependency-check-utils/src/test/resources/dependencycheck.properties
index 49f47d480..f580b54e8 100644
--- a/dependency-check-utils/src/test/resources/dependencycheck.properties
+++ b/dependency-check-utils/src/test/resources/dependencycheck.properties
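Review bot: The Javadoc on the new constant reads `The HTTP protocol list to use.`, but `downloader.tls.protocols` selects TLS protocol versions, not an HTTP version, so a reader of the key will look for the wrong switch. I would write `* Comma-separated list of TLS protocol versions the downloader may negotiate (for example TLSv1.2,TLSv1.3).` so the doc matches both the key name and how SSLSocketFactoryEx consumes it elsewhere in this diff. The enclosing holder class (referenced as `Settings.KEYS` from SSLSocketFactoryEx) starts and ends outside this hunk.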
@@ -66,4 +66,5 @@ analyzer.nexus.url=https://repository.sonatype.org/service/local/
 analyzer.nexus.proxy=true
 # use HEAD (default) or GET as HTTP request method for query timestamp
-downloader.quick.query.timestamp=true
\ No newline at end of file
+downloader.quick.query.timestamp=true
+downloader.tls.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
\ No newline at end of file