Customize Security Configuration
The MWSSLConfig object provides information to configure HTTPS. The Java® client API provides a default MWSSLConfig implementation, MWSSLDefaultConfig, which it uses when no SSL configuration is passed to the MWHttpClient constructor. The MWSSLDefaultConfig object is implemented such that:
getSSLContext() returns the default SSLContext object created by the JRE.
getHostnameVerifier() returns a HostnameVerifier implementation that always returns false. If the HTTPS hostname verification fails, this does not override the decision.
getServerAuthorizer() returns an MWSSLServerAuthorizer implementation that authorizes all MATLAB® Production Server™ instances.
You extend the MWSSLDefaultConfig class to:
specify the security protocols the client can use
customize how the client verifies hostnames
specify additional server authentication logic
The MWSSLDefaultConfig class has three methods:
getSSLContext() — Returns the SSLContext object
getHostnameVerifier() — Returns a HostnameVerifier object to use if HTTPS hostname verification fails
getServerAuthorizer() — Returns an MWSSLServerAuthorizer object to perform server authorization based on the server certificate
Specify Enabled Encryption Protocols
MATLAB Production Server supports the following encryption protocols:
TLSv1.0
TLSv1.1
TLSv1.2
By default, all protocols are enabled. To control which protocols are enabled, override the getSSLContext() method to return an instance of MWCustomSSLContext with a list of enabled protocols. Protocols not on the list are not enabled. For example, to avoid the POODLE vulnerability, disable the SSL protocols by enabling only the TLS protocols.
import javax.net.ssl.SSLContext;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import com.mathworks.mps.client.*;

public class MySSLConfig extends MWSSLDefaultConfig {
    public SSLContext getSSLContext() {
        try {
            // Only the protocols listed here are enabled.
            final SSLContext context = MWCustomSSLContext.getInstance("TLSv1", "TLSv1.1", "TLSv1.2");
            // null arguments select the default key managers, trust managers, and random source.
            context.init(null, null, null);
            return context;
        } catch (NoSuchAlgorithmException e) {
            return null;
        } catch (KeyManagementException e) {
            return null;
        }
    }
}
Override Default Hostname Verification
As part of the SSL handshake, the HTTPS layer attempts to match the hostname in the provided URL to the hostname provided in the server certificate. If the two hostnames do not match, the HTTPS layer calls the HostnameVerifier.verify() method as an additional check. The return value of the HostnameVerifier.verify() method determines if the hostname is verified.
The implementation of the HostnameVerifier.verify() method provided by the MWSSLDefaultConfig object always returns false. The result is that if the hostname in the URL and the hostname in the server certificate do not match, the HTTPS handshake fails.
For a more robust hostname verification scheme, extend the MWSSLDefaultConfig class to return an implementation of HostnameVerifier.verify() that uses custom logic. For example, if you only wanted to generate one certificate for all of the servers on which MATLAB Production Server instances run, you could specify MPS for the certificate’s hostname. Then your implementation of HostnameVerifier.verify() returns true if the hostname stored in the certificate is MPS.
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import com.mathworks.mps.client.*;

public class MySSLConfig extends MWSSLDefaultConfig {
    public HostnameVerifier getHostnameVerifier() {
        return new HostnameVerifier() {
            // Called only when the standard hostname check has already failed.
            public boolean verify(String s, SSLSession sslSession) {
                // getPeerHost() is the peer host name recorded for the session;
                // the Java documentation describes this value as not authenticated.
                return "MPS".equals(sslSession.getPeerHost());
            }
        };
    }
}
For more information on HostnameVerifier, see Oracle's Java Documentation.
For information on disabling host name verification, see Disable Host Name Verification.
Use Additional Server Authentication
After the HTTPS layer establishes a secure connection, a client can perform an additional authentication step before sending requests to a server. An implementation of the MWSSLServerAuthorizer interface performs this additional authentication.
An MWSSLServerAuthorizer implementation performs two checks to authorize a server:
isCertificateRequired() determines if servers must present a certificate for authorization. If this returns true and the server has not provided a certificate, the client does not authorize the server.
authorize(Certificate serverCert) uses the server's certificate to determine if the client authorizes the server to process requests.
The MWSSLServerAuthorizer implementation returned by the MWSSLDefaultConfig object authorizes all servers without performing any checks.
To use server authentication, extend the MWSSLDefaultConfig class and override the implementation of getServerAuthorizer() to return an MWSSLServerAuthorizer implementation that does perform authorization checks.
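One way to write such an authorizer, as an added example that is not MathWorks code: it requires a certificate and authorizes only the server whose certificate matches a pinned SHA-256 fingerprint. It assumes that isCertificateRequired() and authorize() return boolean and that Certificate is java.security.cert.Certificate; the class name PinnedSSLConfig, the helper hexToBytes, and the placeholder fingerprint are hypothetical.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import com.mathworks.mps.client.*;

public class PinnedSSLConfig extends MWSSLDefaultConfig {
    // Placeholder: replace with the 64-hex-character SHA-256 fingerprint of the expected certificate.
    private static final String PINNED_SHA256_HEX = "REPLACE_WITH_64_HEX_CHARS";

    @Override
    public MWSSLServerAuthorizer getServerAuthorizer() {
        return new MWSSLServerAuthorizer() {
            // Assumed signature: servers that present no certificate are not authorized.
            public boolean isCertificateRequired() {
                return true;
            }
            // Assumed signature: authorize only when the DER encoding of the
            // presented certificate hashes to the pinned fingerprint.
            public boolean authorize(Certificate serverCert) {
                if (serverCert == null) {
                    return false;
                }
                try {
                    byte[] actual = MessageDigest.getInstance("SHA-256")
                            .digest(serverCert.getEncoded());
                    return MessageDigest.isEqual(actual, hexToBytes(PINNED_SHA256_HEX));
                } catch (NoSuchAlgorithmException | CertificateEncodingException
                        | IllegalArgumentException e) {
                    return false; // fail closed on any error, including a malformed pin
                }
            }
        };
    }
    // Hypothetical helper: decode a hex string, rejecting malformed input.
    static byte[] hexToBytes(String hex) {
        if (hex.length() % 2 != 0) {
            throw new IllegalArgumentException("odd-length hex string");
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) {
                throw new IllegalArgumentException("non-hex character");
            }
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }
}
```

Pass an instance of this class to the MWHttpClient constructor. Until the placeholder is replaced with a real fingerprint, authorize() rejects every server.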