public class SslContextFactory extends AbstractLifeCycle
Modifier and Type | Class and Description |
---|---|
protected class | SslContextFactory.Factory |

Nested classes/interfaces inherited from AbstractLifeCycle and LifeCycle: AbstractLifeCycle.AbstractLifeCycleListener, LifeCycle.Listener

Modifier and Type | Field and Description |
---|---|
protected SslContextFactory.Factory | _factory |
static String | DEFAULT_KEYMANAGERFACTORY_ALGORITHM |
static String | DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM |
static String | KEYPASSWORD_PROPERTY: String name of key password property. |
static String | PASSWORD_PROPERTY: String name of keystore password property. |
static TrustManager[] | TRUST_ALL_CERTS |

Constructor and Description |
---|
SslContextFactory(): Construct an instance of SslContextFactory. Default constructor for use in XmlConfiguration files. |
SslContextFactory(boolean trustAll): Construct an instance of SslContextFactory. Default constructor for use in XmlConfiguration files. |
SslContextFactory(String keyStorePath): Construct an instance of SslContextFactory. |

Modifier and Type | Method and Description |
---|---|
void | addExcludeCipherSuites(String... cipher) |
void | addExcludeProtocols(String... protocol) |
protected void | checkIsRunning(): Check if the lifecycle has been started and throw runtime exception |
protected void | checkIsStarted(): Check if the lifecycle has been started and throw runtime exception |
protected void | checkNotStarted(): Check if the lifecycle has been started and throw runtime exception |
void | customize(SSLEngine sslEngine) |
static int | deduceKeyLength(String cipherSuite): Given the name of a TLS/SSL cipher suite, return an int representing its effective stream cipher key strength. |
protected void | doStart(): Create the SSLContext object and start the lifecycle |
protected void | doStop() |
String | getCertAlias() |
static X509Certificate[] | getCertChain(SSLSession sslSession) |
Comparator<String> | getCipherComparator() |
String | getCrlPath() |
String[] | getExcludeCipherSuites() |
String[] | getExcludeProtocols() |
String[] | getIncludeCipherSuites() |
String[] | getIncludeProtocols() |
protected KeyManager[] | getKeyManagers(KeyStore keyStore) |
KeyStore | getKeyStore() |
String | getKeyStorePath() |
String | getKeyStoreProvider() |
Resource | getKeyStoreResource() |
String | getKeyStoreType() |
int | getMaxCertPathLength() |
boolean | getNeedClientAuth() |
String | getOcspResponderURL() |
String | getProtocol() |
String | getProvider() |
String | getSecureRandomAlgorithm() |
String[] | getSelectedCipherSuites() |
String[] | getSelectedProtocols() |
SSLContext | getSslContext() |
String | getSslKeyManagerFactoryAlgorithm() |
int | getSslSessionCacheSize(): Get SSL session cache size. |
int | getSslSessionTimeout(): Get SSL session timeout. |
String | getTrustManagerFactoryAlgorithm() |
protected TrustManager[] | getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) |
KeyStore | getTrustStore() |
String | getTrustStoreProvider() |
Resource | getTrustStoreResource() |
String | getTrustStoreType() |
boolean | getWantClientAuth() |
boolean | isEnableCRLDP() |
boolean | isEnableOCSP() |
boolean | isRenegotiationAllowed() |
boolean | isSessionCachingEnabled() |
boolean | isTrustAll() |
boolean | isUseCipherSuitesOrder() |
boolean | isValidateCerts() |
boolean | isValidatePeerCerts() |
protected Collection<? extends CRL> | loadCRL(String crlPath): Loads certificate revocation list (CRL) from a file. |
protected KeyStore | loadKeyStore(Resource resource): Override this method to provide an alternate way to load a keystore. |
protected KeyStore | loadTrustStore(Resource resource): Override this method to provide an alternate way to load a truststore. |
SSLEngine | newSSLEngine(): Factory method for "scratch" SSLEngines, usually only used for retrieving configuration information such as the application buffer size or the list of protocols/ciphers. |
SSLEngine | newSSLEngine(InetSocketAddress address): Server-side only factory method for creating SSLEngines. |
SSLEngine | newSSLEngine(String host, int port): General purpose factory method for creating SSLEngines, although creation of SSLEngines on the server-side should prefer newSSLEngine(InetSocketAddress). |
SSLServerSocket | newSslServerSocket(String host, int port, int backlog) |
SSLSocket | newSslSocket() |
protected void | processIncludeCipherSuites(String[] supportedCipherSuites, List<String> selected_ciphers) |
protected void | removeExcludedCipherSuites(List<String> selected_ciphers) |
protected void | selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites): Select cipher suites to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported cipher suite lists. |
void | selectProtocols(String[] enabledProtocols, String[] supportedProtocols): Select protocols to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported protocols. |
void | setCertAlias(String certAlias): Set the default certificate alias. |
void | setCipherComparator(Comparator<String> cipherComparator) |
void | setCrlPath(String crlPath) |
void | setEnableCRLDP(boolean enableCRLDP): Enables CRL Distribution Points support |
void | setEnableOCSP(boolean enableOCSP): Enables Online Certificate Status Protocol support |
void | setEndpointIdentificationAlgorithm(String endpointIdentificationAlgorithm): When set to "HTTPS", hostname verification will be enabled |
void | setExcludeCipherSuites(String... cipherSuites): You can either use the exact cipher suite name or a regular expression. |
void | setExcludeProtocols(String... protocols) |
void | setIncludeCipherSuites(String... cipherSuites): You can either use the exact cipher suite name or a regular expression. |
void | setIncludeProtocols(String... protocols) |
void | setKeyManagerPassword(String password) |
void | setKeyStore(KeyStore keyStore): Set the key store. |
void | setKeyStorePassword(String password) |
void | setKeyStorePath(String keyStorePath) |
void | setKeyStoreProvider(String keyStoreProvider) |
void | setKeyStoreResource(Resource resource): Set the key store resource. |
void | setKeyStoreType(String keyStoreType) |
void | setMaxCertPathLength(int maxCertPathLength) |
void | setNeedClientAuth(boolean needClientAuth) |
void | setOcspResponderURL(String ocspResponderURL): Set the location of the OCSP Responder. |
void | setProtocol(String protocol) |
void | setProvider(String provider) |
void | setRenegotiationAllowed(boolean renegotiationAllowed) |
void | setSecureRandomAlgorithm(String algorithm) |
void | setSessionCachingEnabled(boolean enableSessionCaching): Set the flag to enable SSL Session caching. |
void | setSslContext(SSLContext sslContext) |
void | setSslKeyManagerFactoryAlgorithm(String algorithm) |
void | setSslSessionCacheSize(int sslSessionCacheSize): Set SSL session cache size. |
void | setSslSessionTimeout(int sslSessionTimeout): Set SSL session timeout. |
void | setTrustAll(boolean trustAll) |
void | setTrustManagerFactoryAlgorithm(String algorithm) |
void | setTrustStore(KeyStore trustStore): Set the trust store. |
void | setTrustStorePassword(String password) |
void | setTrustStorePath(String trustStorePath) |
void | setTrustStoreProvider(String trustStoreProvider) |
void | setTrustStoreResource(Resource resource): Set the trust store resource. |
void | setTrustStoreType(String trustStoreType) |
void | setUseCipherSuitesOrder(boolean useCipherSuitesOrder) |
void | setValidateCerts(boolean validateCerts) |
void | setValidatePeerCerts(boolean validatePeerCerts) |
void | setWantClientAuth(boolean wantClientAuth) |
String | toString() |

Methods inherited from class AbstractLifeCycle: addLifeCycleListener, getState, getState, getStopTimeout, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, setStopTimeout, start, stop
public static final TrustManager[] TRUST_ALL_CERTS

public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM

public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM

public static final String KEYPASSWORD_PROPERTY
String name of key password property.

public static final String PASSWORD_PROPERTY
String name of keystore password property.

protected SslContextFactory.Factory _factory

public SslContextFactory()
Construct an instance of SslContextFactory. Default constructor for use in XmlConfiguration files.

public SslContextFactory(boolean trustAll)
Construct an instance of SslContextFactory. Default constructor for use in XmlConfiguration files.
Parameters:
trustAll - whether to blindly trust all certificates
See Also:
setTrustAll(boolean)

public SslContextFactory(String keyStorePath)
Construct an instance of SslContextFactory.
Parameters:
keyStorePath - default keystore location

public String[] getSelectedProtocols()

public String[] getSelectedCipherSuites()

public Comparator<String> getCipherComparator()

public void setCipherComparator(Comparator<String> cipherComparator)

protected void doStart() throws Exception
Create the SSLContext object and start the lifecycle.
Overrides:
doStart in class AbstractLifeCycle
Throws:
Exception
See Also:
AbstractLifeCycle.doStart()

protected void doStop() throws Exception
Overrides:
doStop in class AbstractLifeCycle
Throws:
Exception

public String[] getExcludeProtocols()
See Also:
SSLEngine.setEnabledProtocols(String[])

public void setExcludeProtocols(String... protocols)
Parameters:
protocols - The array of protocol names to exclude from SSLEngine.setEnabledProtocols(String[])

public void addExcludeProtocols(String... protocol)
Parameters:
protocol - Protocol names to add to SSLEngine.setEnabledProtocols(String[])

public String[] getIncludeProtocols()
See Also:
SSLEngine.setEnabledProtocols(String[])

public void setIncludeProtocols(String... protocols)
Parameters:
protocols - The array of protocol names to include in SSLEngine.setEnabledProtocols(String[])

public String[] getExcludeCipherSuites()
See Also:
SSLEngine.setEnabledCipherSuites(String[])

public void setExcludeCipherSuites(String... cipherSuites)
You can either use the exact cipher suite name or a regular expression.
Parameters:
cipherSuites - The array of cipher suite names to exclude from SSLEngine.setEnabledCipherSuites(String[])

public void addExcludeCipherSuites(String... cipher)
Parameters:
cipher - Cipher names to add to SSLEngine.setEnabledCipherSuites(String[])

public String[] getIncludeCipherSuites()
See Also:
SSLEngine.setEnabledCipherSuites(String[])

public void setIncludeCipherSuites(String... cipherSuites)
You can either use the exact cipher suite name or a regular expression.
Parameters:
cipherSuites - The array of cipher suite names to include in SSLEngine.setEnabledCipherSuites(String[])
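The following is an added example of the protocol and cipher suite include/exclude selection described above; it is not code from the Jetty API page or from the Jetty project. It builds a server-side factory that drops legacy protocol versions and weak cipher suite families, starts the lifecycle (which runs selectProtocols and selectCipherSuites), and then checks that nothing on the exclude list survived. The keystore path and passwords are placeholders, the include/exclude patterns are this example's own choices, and the package name org.eclipse.jetty.util.ssl is assumed from the Jetty source tree (the page does not show it).

```java
import org.eclipse.jetty.util.ssl.SslContextFactory;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (not from the Jetty API page): a server-side SslContextFactory
 * hardened through the include/exclude lists, with a post-start verification.
 */
public class HardenedServerSsl {

    // Placeholders: replace with the real keystore location and passwords.
    static final String KEYSTORE_PATH = "/path/to/keystore.jks";
    static final String KEYSTORE_PASSWORD = "changeit";
    static final String KEY_PASSWORD = "changeit";

    public static SslContextFactory build() {
        SslContextFactory factory = new SslContextFactory(KEYSTORE_PATH);
        factory.setKeyStorePassword(KEYSTORE_PASSWORD);
        factory.setKeyManagerPassword(KEY_PASSWORD);

        // Protocol exclusions are protocol names removed from SSLEngine.setEnabledProtocols.
        factory.setExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1");

        // Cipher suite lists take exact names or regular expressions. The include list
        // limits selection to ECDHE key exchange with AES-GCM (patterns chosen for this
        // example); the exclude list then removes weak families regardless of name.
        factory.setIncludeCipherSuites("TLS_ECDHE_.*_WITH_AES_(128|256)_GCM_SHA(256|384)");
        factory.setExcludeCipherSuites(".*NULL.*", ".*anon.*", ".*EXPORT.*",
                                       ".*RC4.*", ".*MD5.*", ".*DES.*");

        // Let the server's cipher preference order win over the client's.
        factory.setUseCipherSuitesOrder(true);
        // Ordinary HTTPS traffic does not need TLS renegotiation.
        factory.setRenegotiationAllowed(false);
        return factory;
    }

    /**
     * Returns excluded protocol names that are nevertheless still selected.
     * After a successful start() this set is expected to be empty.
     */
    public static Set<String> excludedButSelected(SslContextFactory factory) {
        Set<String> excluded = new HashSet<>(Arrays.asList(factory.getExcludeProtocols()));
        Set<String> leaked = new HashSet<>();
        for (String protocol : factory.getSelectedProtocols()) {
            if (excluded.contains(protocol)) {
                leaked.add(protocol);
            }
        }
        return leaked;
    }

    public static void main(String[] args) throws Exception {
        SslContextFactory factory = build();
        factory.start(); // doStart() creates the SSLContext and performs the selection
        try {
            System.out.println("Selected protocols: "
                    + Arrays.toString(factory.getSelectedProtocols()));
            System.out.println("Selected cipher suites: "
                    + Arrays.toString(factory.getSelectedCipherSuites()));
            Set<String> leaked = excludedButSelected(factory);
            if (!leaked.isEmpty()) {
                throw new IllegalStateException("excluded protocols still enabled: " + leaked);
            }
        } finally {
            factory.stop();
        }
    }
}
```

getSelectedProtocols() and getSelectedCipherSuites() are only populated once the lifecycle has started, so the verification must run after start(); inspecting the result is the quickest way to confirm that a pattern in the exclude list actually matched the suite names the JSSE provider reports.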
public boolean isUseCipherSuitesOrder()

public void setUseCipherSuitesOrder(boolean useCipherSuitesOrder)

public String getKeyStorePath()

public void setKeyStorePath(String keyStorePath)
Parameters:
keyStorePath - The file or URL of the SSL Key store.

public String getKeyStoreProvider()

public void setKeyStoreProvider(String keyStoreProvider)
Parameters:
keyStoreProvider - The provider of the key store

public String getKeyStoreType()

public void setKeyStoreType(String keyStoreType)
Parameters:
keyStoreType - The type of the key store (default "JKS")

public String getCertAlias()

public void setCertAlias(String certAlias)
Set the default certificate alias. This can be used if there are multiple non-SNI certificates to specify the certificate that should be used, or with SNI certificates to set a certificate to try if no others match.
Parameters:
certAlias - Alias of SSL certificate for the connector

public void setTrustStorePath(String trustStorePath)
Parameters:
trustStorePath - The file name or URL of the trust store location

public String getTrustStoreProvider()

public void setTrustStoreProvider(String trustStoreProvider)
Parameters:
trustStoreProvider - The provider of the trust store

public String getTrustStoreType()

public void setTrustStoreType(String trustStoreType)
Parameters:
trustStoreType - The type of the trust store (default "JKS")

public boolean getNeedClientAuth()
See Also:
SSLEngine.getNeedClientAuth()

public void setNeedClientAuth(boolean needClientAuth)
Parameters:
needClientAuth - True if SSL needs client authentication.
See Also:
SSLEngine.getNeedClientAuth()

public boolean getWantClientAuth()
See Also:
SSLEngine.getWantClientAuth()

public void setWantClientAuth(boolean wantClientAuth)
Parameters:
wantClientAuth - True if SSL wants client authentication.
See Also:
SSLEngine.getWantClientAuth()

public boolean isValidateCerts()

public void setValidateCerts(boolean validateCerts)
Parameters:
validateCerts - true if SSL certificates have to be validated

public boolean isValidatePeerCerts()

public void setValidatePeerCerts(boolean validatePeerCerts)
Parameters:
validatePeerCerts - true if SSL certificates of the peer have to be validated

public void setKeyStorePassword(String password)
Parameters:
password - The password for the key store. If null is passed then Password.getPassword(String, String, String) is used to obtain a password either from the "org.eclipse.jetty.ssl.password" System property or by prompting for manual entry.

public void setKeyManagerPassword(String password)
Parameters:
password - The password (if any) for the specific key within the key store. If null is passed then Password.getPassword(String, String, String) is used to obtain a password either from the "org.eclipse.jetty.ssl.keypassword" System property or by prompting for manual entry.

public void setTrustStorePassword(String password)
Parameters:
password - The password for the trust store. If null is passed then Password.getPassword(String, String, String) is used to obtain a password either from the "org.eclipse.jetty.ssl.password" System property or by prompting for manual entry.

public String getProvider()
See Also:
SSLContext.getInstance(String, String)

public void setProvider(String provider)
Parameters:
provider - The SSL provider name, which if set is passed to SSLContext.getInstance(String, String)

public String getProtocol()
See Also:
SSLContext.getInstance(String, String)

public void setProtocol(String protocol)
Parameters:
protocol - The SSL protocol (default "TLS") passed to SSLContext.getInstance(String, String)

public String getSecureRandomAlgorithm()
Returns:
The algorithm name, which if set is passed to SecureRandom.getInstance(String) to obtain the SecureRandom instance passed to SSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)

public void setSecureRandomAlgorithm(String algorithm)
Parameters:
algorithm - The algorithm name, which if set is passed to SecureRandom.getInstance(String) to obtain the SecureRandom instance passed to SSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)

public String getSslKeyManagerFactoryAlgorithm()
See Also:
KeyManagerFactory

public void setSslKeyManagerFactoryAlgorithm(String algorithm)
Parameters:
algorithm - The algorithm name (default "SunX509") used by the KeyManagerFactory

public String getTrustManagerFactoryAlgorithm()
See Also:
TrustManagerFactory

public boolean isTrustAll()

public void setTrustAll(boolean trustAll)
Parameters:
trustAll - True if all certificates should be trusted if there is no KeyStore or TrustStore

public void setTrustManagerFactoryAlgorithm(String algorithm)
Parameters:
algorithm - The algorithm name (default "SunX509") used by the TrustManagerFactory. Use the string "TrustAll" to install a trust manager that trusts all.

public boolean isRenegotiationAllowed()

public void setRenegotiationAllowed(boolean renegotiationAllowed)
Parameters:
renegotiationAllowed - whether TLS renegotiation is allowed

public String getCrlPath()

public void setCrlPath(String crlPath)
Parameters:
crlPath - Path to file that contains the Certificate Revocation List

public int getMaxCertPathLength()

public void setMaxCertPathLength(int maxCertPathLength)
Parameters:
maxCertPathLength - maximum number of intermediate certificates in the certification path (-1 for unlimited)

public SSLContext getSslContext()

public void setSslContext(SSLContext sslContext)
Parameters:
sslContext - Set a preconfigured SSLContext

public void setEndpointIdentificationAlgorithm(String endpointIdentificationAlgorithm)
When set to "HTTPS", hostname verification will be enabled.
Parameters:
endpointIdentificationAlgorithm - Set the endpointIdentificationAlgorithm

protected KeyStore loadKeyStore(Resource resource) throws Exception
Override this method to provide an alternate way to load a keystore.
Parameters:
resource - the resource to load the keystore from
Throws:
Exception - if the keystore cannot be loaded

protected KeyStore loadTrustStore(Resource resource) throws Exception
Override this method to provide an alternate way to load a truststore.
Parameters:
resource - the resource to load the truststore from
Throws:
Exception - if the truststore cannot be loaded

protected Collection<? extends CRL> loadCRL(String crlPath) throws Exception
Loads certificate revocation list (CRL) from a file.
Parameters:
crlPath - path of certificate revocation list file
Throws:
Exception - if the certificate revocation list cannot be loaded

protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
Throws:
Exception

protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
Throws:
Exception
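A client-side counterpart, added here as an example and not taken from the Jetty API page or the Jetty project: it loads an explicit trust store, keeps trustAll off so the TRUST_ALL_CERTS fallback is never used, turns on peer certificate validation with CRL Distribution Points and OCSP, and enables hostname verification through the "HTTPS" endpoint identification algorithm described under setEndpointIdentificationAlgorithm above. The trust store path, password and peer address are placeholders; the package name org.eclipse.jetty.util.ssl is assumed from the Jetty source tree; and the final check assumes that customize(SSLEngine) copies the configured endpoint identification algorithm into the engine's SSLParameters.

```java
import org.eclipse.jetty.util.ssl.SslContextFactory;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.Arrays;

/**
 * Added example (not from the Jetty API page): a client-side SslContextFactory
 * that verifies the server's certificate chain, revocation status and hostname.
 */
public class VerifiedClientSsl {

    // Placeholders: replace with the real trust store location and password.
    static final String TRUSTSTORE_PATH = "/path/to/truststore.jks";
    static final String TRUSTSTORE_PASSWORD = "changeit";

    public static SslContextFactory build() {
        SslContextFactory factory = new SslContextFactory(false); // trustAll = false
        factory.setTrustStorePath(TRUSTSTORE_PATH);
        factory.setTrustStorePassword(TRUSTSTORE_PASSWORD);

        factory.setTrustAll(false);           // never fall back to TRUST_ALL_CERTS
        factory.setValidatePeerCerts(true);   // validate the peer's certificate chain
        factory.setEnableCRLDP(true);         // follow CRL Distribution Points in certificates
        factory.setEnableOCSP(true);          // query OCSP for revocation status
        factory.setEndpointIdentificationAlgorithm("HTTPS"); // hostname verification

        // Same protocol floor as on the server side.
        factory.setExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1");
        return factory;
    }

    /** Creates a client-mode engine for the peer and applies the factory's settings to it. */
    public static SSLEngine clientEngine(SslContextFactory factory, String host, int port) {
        SSLEngine engine = factory.newSSLEngine(host, port); // client code must use this overload
        engine.setUseClientMode(true);
        factory.customize(engine); // assumed to push endpoint identification into SSLParameters
        return engine;
    }

    /** True if the engine will check the server's hostname against its certificate. */
    public static boolean hostnameVerificationEnabled(SSLEngine engine) {
        SSLParameters params = engine.getSSLParameters();
        return "HTTPS".equals(params.getEndpointIdentificationAlgorithm());
    }

    public static void main(String[] args) throws Exception {
        SslContextFactory factory = build();
        factory.start();
        try {
            // Placeholder peer; no connection is opened here.
            SSLEngine engine = clientEngine(factory, "example.invalid", 443);
            if (factory.isTrustAll() || !hostnameVerificationEnabled(engine)) {
                throw new IllegalStateException("client TLS configuration does not verify the peer");
            }
            System.out.println("Peer verification enabled; protocols: "
                    + Arrays.toString(engine.getEnabledProtocols()));
        } finally {
            factory.stop();
        }
    }
}
```

The two checks in main() guard the settings most often lost in practice: a factory that ends up with trustAll set (or with no key store and no trust store, which the setTrustAll documentation above ties to trusting everything) and an engine that validates the chain but never compares the certificate to the hostname it was asked to reach.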
public void selectProtocols(String[] enabledProtocols, String[] supportedProtocols)
Select protocols to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported protocols.
Parameters:
enabledProtocols - Array of enabled protocols
supportedProtocols - Array of supported protocols

protected void selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
Select cipher suites to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported cipher suite lists.
Parameters:
enabledCipherSuites - Array of enabled cipher suites
supportedCipherSuites - Array of supported cipher suites

protected void processIncludeCipherSuites(String[] supportedCipherSuites, List<String> selected_ciphers)

protected void checkNotStarted()

protected void checkIsStarted()

protected void checkIsRunning()

public boolean isEnableCRLDP()

public void setEnableCRLDP(boolean enableCRLDP)
Enables CRL Distribution Points support.
Parameters:
enableCRLDP - true to turn on, false to turn off

public boolean isEnableOCSP()

public void setEnableOCSP(boolean enableOCSP)
Enables Online Certificate Status Protocol support.
Parameters:
enableOCSP - true to turn on, false to turn off

public String getOcspResponderURL()

public void setOcspResponderURL(String ocspResponderURL)
Set the location of the OCSP Responder.
Parameters:
ocspResponderURL - location of the OCSP Responder

public void setKeyStore(KeyStore keyStore)
Set the key store.
Parameters:
keyStore - the key store to set

public KeyStore getKeyStore()

public void setTrustStore(KeyStore trustStore)
Set the trust store.
Parameters:
trustStore - the trust store to set

public KeyStore getTrustStore()

public void setKeyStoreResource(Resource resource)
Set the key store resource.
Parameters:
resource - the key store resource to set

public Resource getKeyStoreResource()

public void setTrustStoreResource(Resource resource)
Set the trust store resource.
Parameters:
resource - the trust store resource to set

public Resource getTrustStoreResource()

public boolean isSessionCachingEnabled()

public void setSessionCachingEnabled(boolean enableSessionCaching)
Set the flag to enable SSL Session caching.
Parameters:
enableSessionCaching - the value of the flag

public int getSslSessionCacheSize()
Get SSL session cache size.

public void setSslSessionCacheSize(int sslSessionCacheSize)
Set SSL session cache size.
Parameters:
sslSessionCacheSize - SSL session cache size to set

public int getSslSessionTimeout()
Get SSL session timeout.

public void setSslSessionTimeout(int sslSessionTimeout)
Set SSL session timeout.
Parameters:
sslSessionTimeout - SSL session timeout to set

public SSLServerSocket newSslServerSocket(String host, int port, int backlog) throws IOException
Throws:
IOException

public SSLSocket newSslSocket() throws IOException
Throws:
IOException

public SSLEngine newSSLEngine()
Factory method for "scratch" SSLEngines, usually only used for retrieving configuration information such as the application buffer size or the list of protocols/ciphers. This method should not be used for creating SSLEngines that are used in actual socket communication.
Returns:
SSLEngine

public SSLEngine newSSLEngine(String host, int port)
General purpose factory method for creating SSLEngines, although creation of SSLEngines on the server-side should prefer newSSLEngine(InetSocketAddress).
Parameters:
host - the remote host
port - the remote port
Returns:
SSLEngine

public SSLEngine newSSLEngine(InetSocketAddress address)
Server-side only factory method for creating SSLEngines. If the given address is null, it is equivalent to newSSLEngine(); otherwise newSSLEngine(String, int) is called. If getNeedClientAuth() is true, then the host name is passed to newSSLEngine(String, int), possibly incurring a reverse DNS lookup, which takes time and may hang the selector (since this method is usually called by the selector thread). Otherwise, the host address is passed to newSSLEngine(String, int) without DNS lookup penalties. Clients that wish to create SSLEngine instances must use newSSLEngine(String, int).
Parameters:
address - the remote peer address
Returns:
SSLEngine

public void customize(SSLEngine sslEngine)

public static X509Certificate[] getCertChain(SSLSession sslSession)

public static int deduceKeyLength(String cipherSuite)
Given the name of a TLS/SSL cipher suite, return an int representing its effective stream cipher key strength. This is based on the information on effective key lengths in RFC 2246 - The TLS Protocol Version 1.0, Appendix C. CipherSuite definitions:

Cipher | Type | Effective Key Bits |
---|---|---|
NULL * | Stream | 0 |
IDEA_CBC | Block | 128 |
RC2_CBC_40 * | Block | 40 |
RC4_40 * | Stream | 40 |
RC4_128 | Stream | 128 |
DES40_CBC * | Block | 40 |
DES_CBC | Block | 56 |
3DES_EDE_CBC | Block | 168 |

Parameters:
cipherSuite - String name of the TLS cipher suite.

Copyright © 1995-2015 Webtide. All Rights Reserved.