View Javadoc

1   //
2   //  ========================================================================
3   //  Copyright (c) 1995-2014 Mort Bay Consulting Pty. Ltd.
4   //  ------------------------------------------------------------------------
5   //  All rights reserved. This program and the accompanying materials
6   //  are made available under the terms of the Eclipse Public License v1.0
7   //  and Apache License v2.0 which accompanies this distribution.
8   //
9   //      The Eclipse Public License is available at
10  //      http://www.eclipse.org/legal/epl-v10.html
11  //
12  //      The Apache License v2.0 is available at
13  //      http://www.opensource.org/licenses/apache2.0.php
14  //
15  //  You may elect to redistribute this code under either of these licenses.
16  //  ========================================================================
17  //
18  
19  package org.eclipse.jetty.server.ssl;
20  
21  import java.io.IOException;
22  import java.nio.channels.SocketChannel;
23  
24  import javax.net.ssl.SSLContext;
25  import javax.net.ssl.SSLEngine;
26  import javax.net.ssl.SSLSession;
27  import javax.net.ssl.SSLSocket;
28  
29  import org.eclipse.jetty.http.HttpSchemes;
30  import org.eclipse.jetty.io.AsyncEndPoint;
31  import org.eclipse.jetty.io.Buffers;
32  import org.eclipse.jetty.io.Buffers.Type;
33  import org.eclipse.jetty.io.BuffersFactory;
34  import org.eclipse.jetty.io.EndPoint;
35  import org.eclipse.jetty.io.RuntimeIOException;
36  import org.eclipse.jetty.io.bio.SocketEndPoint;
37  import org.eclipse.jetty.io.nio.AsyncConnection;
38  import org.eclipse.jetty.io.nio.SslConnection;
39  import org.eclipse.jetty.server.Request;
40  import org.eclipse.jetty.server.nio.SelectChannelConnector;
41  import org.eclipse.jetty.util.component.AggregateLifeCycle;
42  import org.eclipse.jetty.util.ssl.SslContextFactory;
43  
44  /* ------------------------------------------------------------ */
45  /**
46   * SslSelectChannelConnector.
47   *
48   * @org.apache.xbean.XBean element="sslConnector" description="Creates an NIO ssl connector"
49   */
50  public class SslSelectChannelConnector extends SelectChannelConnector implements SslConnector
51  {
52      private final SslContextFactory _sslContextFactory;
53      private Buffers _sslBuffers;
54  
55      /* ------------------------------------------------------------ */
56      public SslSelectChannelConnector()
57      {
58          this(new SslContextFactory(SslContextFactory.DEFAULT_KEYSTORE_PATH));
59          setSoLingerTime(30000);
60      }
61  
62      /* ------------------------------------------------------------ */
63      /** Construct with explicit SslContextFactory.
64       * The SslContextFactory passed is added via {@link #addBean(Object)} so that 
65       * it's lifecycle may be managed with {@link AggregateLifeCycle}.
66       * @param sslContextFactory
67       */
68      public SslSelectChannelConnector(SslContextFactory sslContextFactory)
69      {
70          _sslContextFactory = sslContextFactory;
71          addBean(_sslContextFactory);
72          setUseDirectBuffers(false);
73          setSoLingerTime(30000);
74      }
75  
76      /* ------------------------------------------------------------ */
77      /**
78       * Allow the Listener a chance to customise the request. before the server
79       * does its stuff. <br>
80       * This allows the required attributes to be set for SSL requests. <br>
81       * The requirements of the Servlet specs are:
82       * <ul>
83       * <li> an attribute named "javax.servlet.request.ssl_session_id" of type
84       * String (since Servlet Spec 3.0).</li>
85       * <li> an attribute named "javax.servlet.request.cipher_suite" of type
86       * String.</li>
87       * <li> an attribute named "javax.servlet.request.key_size" of type Integer.</li>
88       * <li> an attribute named "javax.servlet.request.X509Certificate" of type
89       * java.security.cert.X509Certificate[]. This is an array of objects of type
90       * X509Certificate, the order of this array is defined as being in ascending
91       * order of trust. The first certificate in the chain is the one set by the
92       * client, the next is the one used to authenticate the first, and so on.
93       * </li>
94       * </ul>
95       *
96       * @param endpoint
97       *                The Socket the request arrived on. This should be a
98       *                {@link SocketEndPoint} wrapping a {@link SSLSocket}.
99       * @param request
100      *                HttpRequest to be customised.
101      */
102     @Override
103     public void customize(EndPoint endpoint, Request request) throws IOException
104     {
105         request.setScheme(HttpSchemes.HTTPS);
106         super.customize(endpoint,request);
107 
108         SslConnection.SslEndPoint sslEndpoint=(SslConnection.SslEndPoint)endpoint;
109         SSLEngine sslEngine=sslEndpoint.getSslEngine();
110         SSLSession sslSession=sslEngine.getSession();
111 
112         SslCertificates.customize(sslSession,endpoint,request);
113     }
114 
115     /* ------------------------------------------------------------ */
116     /**
117      * @return True if SSL re-negotiation is allowed (default false)
118      * @deprecated
119      */
120     @Deprecated
121     public boolean isAllowRenegotiate()
122     {
123         return _sslContextFactory.isAllowRenegotiate();
124     }
125 
126     /* ------------------------------------------------------------ */
127     /**
128      * Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered
129      * a vulnerability in SSL/TLS with re-negotiation.  If your JVM
130      * does not have CVE-2009-3555 fixed, then re-negotiation should
131      * not be allowed.  CVE-2009-3555 was fixed in Sun java 1.6 with a ban
132      * of renegotiate in u19 and with RFC5746 in u22.
133      * @param allowRenegotiate true if re-negotiation is allowed (default false)
134      * @deprecated
135      */
136     @Deprecated
137     public void setAllowRenegotiate(boolean allowRenegotiate)
138     {
139         _sslContextFactory.setAllowRenegotiate(allowRenegotiate);
140     }
141 
142     /* ------------------------------------------------------------ */
143     /**
144      * @see org.eclipse.jetty.server.ssl.SslConnector#getExcludeCipherSuites()
145      * @deprecated
146      */
147     @Deprecated
148     public String[] getExcludeCipherSuites()
149     {
150         return _sslContextFactory.getExcludeCipherSuites();
151     }
152 
153     /* ------------------------------------------------------------ */
154     /**
155      * @see org.eclipse.jetty.server.ssl.SslConnector#setExcludeCipherSuites(java.lang.String[])
156      * @deprecated
157      */
158     @Deprecated
159     public void setExcludeCipherSuites(String[] cipherSuites)
160     {
161         _sslContextFactory.setExcludeCipherSuites(cipherSuites);
162     }
163 
164     /* ------------------------------------------------------------ */
165     /**
166      * @see org.eclipse.jetty.server.ssl.SslConnector#getExcludeCipherSuites()
167      * @deprecated
168      */
169     @Deprecated
170     public String[] getIncludeCipherSuites()
171     {
172         return _sslContextFactory.getIncludeCipherSuites();
173     }
174 
175     /* ------------------------------------------------------------ */
176     /**
177      * @see org.eclipse.jetty.server.ssl.SslConnector#setExcludeCipherSuites(java.lang.String[])
178      * @deprecated
179      */
180     @Deprecated
181     public void setIncludeCipherSuites(String[] cipherSuites)
182     {
183         _sslContextFactory.setIncludeCipherSuites(cipherSuites);
184     }
185 
186     /* ------------------------------------------------------------ */
187     /**
188      * @see org.eclipse.jetty.server.ssl.SslConnector#setPassword(java.lang.String)
189      * @deprecated
190      */
191     @Deprecated
192     public void setPassword(String password)
193     {
194         _sslContextFactory.setKeyStorePassword(password);
195     }
196 
197     /* ------------------------------------------------------------ */
198     /**
199      * @see org.eclipse.jetty.server.ssl.SslConnector#setTrustPassword(java.lang.String)
200      * @deprecated
201      */
202     @Deprecated
203     public void setTrustPassword(String password)
204     {
205         _sslContextFactory.setTrustStorePassword(password);
206     }
207 
208     /* ------------------------------------------------------------ */
209     /**
210      * @see org.eclipse.jetty.server.ssl.SslConnector#setKeyPassword(java.lang.String)
211      * @deprecated
212      */
213     @Deprecated
214     public void setKeyPassword(String password)
215     {
216         _sslContextFactory.setKeyManagerPassword(password);
217     }
218 
219     /* ------------------------------------------------------------ */
220     /**
221      * Unsupported.
222      *
223      * TODO: we should remove this as it is no longer an overridden method from SslConnector (like it was in the past)
224      * @deprecated
225      */
226     @Deprecated
227     public String getAlgorithm()
228     {
229         throw new UnsupportedOperationException();
230     }
231 
232     /* ------------------------------------------------------------ */
233     /**
234      * Unsupported.
235      *
236      * TODO: we should remove this as it is no longer an overridden method from SslConnector (like it was in the past)
237      * @deprecated
238      */
239     @Deprecated
240     public void setAlgorithm(String algorithm)
241     {
242         throw new UnsupportedOperationException();
243     }
244 
245     /* ------------------------------------------------------------ */
246     /**
247      * @see org.eclipse.jetty.server.ssl.SslConnector#getProtocol()
248      * @deprecated
249      */
250     @Deprecated
251     public String getProtocol()
252     {
253         return _sslContextFactory.getProtocol();
254     }
255 
256     /* ------------------------------------------------------------ */
257     /**
258      * @see org.eclipse.jetty.server.ssl.SslConnector#setProtocol(java.lang.String)
259      * @deprecated
260      */
261     @Deprecated
262     public void setProtocol(String protocol)
263     {
264         _sslContextFactory.setProtocol(protocol);
265     }
266 
267     /* ------------------------------------------------------------ */
268     /**
269      * @see org.eclipse.jetty.server.ssl.SslConnector#setKeystore(java.lang.String)
270      * @deprecated
271      */
272     @Deprecated
273     public void setKeystore(String keystore)
274     {
275         _sslContextFactory.setKeyStorePath(keystore);
276     }
277 
278     /* ------------------------------------------------------------ */
279     /**
280      * @see org.eclipse.jetty.server.ssl.SslConnector#getKeystore()
281      * @deprecated
282      */
283     @Deprecated
284     public String getKeystore()
285     {
286         return _sslContextFactory.getKeyStorePath();
287     }
288 
289     /* ------------------------------------------------------------ */
290     /**
291      * @see org.eclipse.jetty.server.ssl.SslConnector#getKeystoreType()
292      * @deprecated
293      */
294     @Deprecated
295     public String getKeystoreType()
296     {
297         return _sslContextFactory.getKeyStoreType();
298     }
299 
300     /* ------------------------------------------------------------ */
301     /**
302      * @see org.eclipse.jetty.server.ssl.SslConnector#getNeedClientAuth()
303      * @deprecated
304      */
305     @Deprecated
306     public boolean getNeedClientAuth()
307     {
308         return _sslContextFactory.getNeedClientAuth();
309     }
310 
311     /* ------------------------------------------------------------ */
312     /**
313      * @see org.eclipse.jetty.server.ssl.SslConnector#getWantClientAuth()
314      * @deprecated
315      */
316     @Deprecated
317     public boolean getWantClientAuth()
318     {
319         return _sslContextFactory.getWantClientAuth();
320     }
321 
322     /* ------------------------------------------------------------ */
323     /**
324      * @see org.eclipse.jetty.server.ssl.SslConnector#setNeedClientAuth(boolean)
325      * @deprecated
326      */
327     @Deprecated
328     public void setNeedClientAuth(boolean needClientAuth)
329     {
330         _sslContextFactory.setNeedClientAuth(needClientAuth);
331     }
332 
333     /* ------------------------------------------------------------ */
334     /**
335      * @see org.eclipse.jetty.server.ssl.SslConnector#setWantClientAuth(boolean)
336      * @deprecated
337      */
338     @Deprecated
339     public void setWantClientAuth(boolean wantClientAuth)
340     {
341         _sslContextFactory.setWantClientAuth(wantClientAuth);
342     }
343 
344     /* ------------------------------------------------------------ */
345     /**
346      * @see org.eclipse.jetty.server.ssl.SslConnector#setKeystoreType(java.lang.String)
347      * @deprecated
348      */
349     @Deprecated
350     public void setKeystoreType(String keystoreType)
351     {
352         _sslContextFactory.setKeyStoreType(keystoreType);
353     }
354 
355     /* ------------------------------------------------------------ */
356     /**
357      * @see org.eclipse.jetty.server.ssl.SslConnector#getProvider()
358      * @deprecated
359      */
360     @Deprecated
361     public String getProvider()
362     {
363         return _sslContextFactory.getProvider();
364     }
365 
366     /* ------------------------------------------------------------ */
367     /**
368      * @see org.eclipse.jetty.server.ssl.SslConnector#getSecureRandomAlgorithm()
369      * @deprecated
370      */
371     @Deprecated
372     public String getSecureRandomAlgorithm()
373     {
374         return _sslContextFactory.getSecureRandomAlgorithm();
375     }
376 
377     /* ------------------------------------------------------------ */
378     /**
379      * @see org.eclipse.jetty.server.ssl.SslConnector#getSslKeyManagerFactoryAlgorithm()
380      * @deprecated
381      */
382     @Deprecated
383     public String getSslKeyManagerFactoryAlgorithm()
384     {
385         return _sslContextFactory.getSslKeyManagerFactoryAlgorithm();
386     }
387 
388     /* ------------------------------------------------------------ */
389     /**
390      * @see org.eclipse.jetty.server.ssl.SslConnector#getSslTrustManagerFactoryAlgorithm()
391      * @deprecated
392      */
393     @Deprecated
394     public String getSslTrustManagerFactoryAlgorithm()
395     {
396         return _sslContextFactory.getTrustManagerFactoryAlgorithm();
397     }
398 
399     /* ------------------------------------------------------------ */
400     /**
401      * @see org.eclipse.jetty.server.ssl.SslConnector#getTruststore()
402      * @deprecated
403      */
404     @Deprecated
405     public String getTruststore()
406     {
407         return _sslContextFactory.getTrustStore();
408     }
409 
410     /* ------------------------------------------------------------ */
411     /**
412      * @see org.eclipse.jetty.server.ssl.SslConnector#getTruststoreType()
413      * @deprecated
414      */
415     @Deprecated
416     public String getTruststoreType()
417     {
418         return _sslContextFactory.getTrustStoreType();
419     }
420 
421     /* ------------------------------------------------------------ */
422     /**
423      * @see org.eclipse.jetty.server.ssl.SslConnector#setProvider(java.lang.String)
424      * @deprecated
425      */
426     @Deprecated
427     public void setProvider(String provider)
428     {
429         _sslContextFactory.setProvider(provider);
430     }
431 
432     /* ------------------------------------------------------------ */
433     /**
434      * @see org.eclipse.jetty.server.ssl.SslConnector#setSecureRandomAlgorithm(java.lang.String)
435      * @deprecated
436      */
437     @Deprecated
438     public void setSecureRandomAlgorithm(String algorithm)
439     {
440         _sslContextFactory.setSecureRandomAlgorithm(algorithm);
441     }
442 
443     /* ------------------------------------------------------------ */
444     /**
445      * @see org.eclipse.jetty.server.ssl.SslConnector#setSslKeyManagerFactoryAlgorithm(java.lang.String)
446      * @deprecated
447      */
448     @Deprecated
449     public void setSslKeyManagerFactoryAlgorithm(String algorithm)
450     {
451         _sslContextFactory.setSslKeyManagerFactoryAlgorithm(algorithm);
452     }
453 
454     /* ------------------------------------------------------------ */
455     /**
456      * @see org.eclipse.jetty.server.ssl.SslConnector#setSslTrustManagerFactoryAlgorithm(java.lang.String)
457      * @deprecated
458      */
459     @Deprecated
460     public void setSslTrustManagerFactoryAlgorithm(String algorithm)
461     {
462         _sslContextFactory.setTrustManagerFactoryAlgorithm(algorithm);
463     }
464 
465     /* ------------------------------------------------------------ */
466     /**
467      * @see org.eclipse.jetty.server.ssl.SslConnector#setTruststore(java.lang.String)
468      * @deprecated
469      */
470     @Deprecated
471     public void setTruststore(String truststore)
472     {
473         _sslContextFactory.setTrustStore(truststore);
474     }
475 
476     /* ------------------------------------------------------------ */
477     /**
478      * @see org.eclipse.jetty.server.ssl.SslConnector#setTruststoreType(java.lang.String)
479      * @deprecated
480      */
481     @Deprecated
482     public void setTruststoreType(String truststoreType)
483     {
484         _sslContextFactory.setTrustStoreType(truststoreType);
485     }
486 
487     /* ------------------------------------------------------------ */
488     /**
489      * @see org.eclipse.jetty.server.ssl.SslConnector#setSslContext(javax.net.ssl.SSLContext)
490      * @deprecated
491      */
492     @Deprecated
493     public void setSslContext(SSLContext sslContext)
494     {
495         _sslContextFactory.setSslContext(sslContext);
496     }
497 
498     /* ------------------------------------------------------------ */
499     /**
500      * @see org.eclipse.jetty.server.ssl.SslConnector#setSslContext(javax.net.ssl.SSLContext)
501      * @deprecated
502      */
503     @Deprecated
504     public SSLContext getSslContext()
505     {
506         return _sslContextFactory.getSslContext();
507     }
508 
509     /* ------------------------------------------------------------ */
510     /**
511      * @see org.eclipse.jetty.server.ssl.SslConnector#getSslContextFactory()
512      */
513     public SslContextFactory getSslContextFactory()
514     {
515         return _sslContextFactory;
516     }
517 
518     /* ------------------------------------------------------------ */
519     /**
520      * By default, we're confidential, given we speak SSL. But, if we've been
521      * told about an confidential port, and said port is not our port, then
522      * we're not. This allows separation of listeners providing INTEGRAL versus
523      * CONFIDENTIAL constraints, such as one SSL listener configured to require
524      * client certs providing CONFIDENTIAL, whereas another SSL listener not
525      * requiring client certs providing mere INTEGRAL constraints.
526      */
527     @Override
528     public boolean isConfidential(Request request)
529     {
530         final int confidentialPort=getConfidentialPort();
531         return confidentialPort==0||confidentialPort==request.getServerPort();
532     }
533 
534     /* ------------------------------------------------------------ */
535     /**
536      * By default, we're integral, given we speak SSL. But, if we've been told
537      * about an integral port, and said port is not our port, then we're not.
538      * This allows separation of listeners providing INTEGRAL versus
539      * CONFIDENTIAL constraints, such as one SSL listener configured to require
540      * client certs providing CONFIDENTIAL, whereas another SSL listener not
541      * requiring client certs providing mere INTEGRAL constraints.
542      */
543     @Override
544     public boolean isIntegral(Request request)
545     {
546         final int integralPort=getIntegralPort();
547         return integralPort==0||integralPort==request.getServerPort();
548     }
549 
550     /* ------------------------------------------------------------------------------- */
551     @Override
552     protected AsyncConnection newConnection(SocketChannel channel, AsyncEndPoint endpoint)
553     {
554         try
555         {
556             SSLEngine engine = createSSLEngine(channel);
557             SslConnection connection = newSslConnection(endpoint, engine);
558             AsyncConnection delegate = newPlainConnection(channel, connection.getSslEndPoint());
559             connection.getSslEndPoint().setConnection(delegate);
560             connection.setAllowRenegotiate(_sslContextFactory.isAllowRenegotiate());
561             return connection;
562         }
563         catch (IOException e)
564         {
565             throw new RuntimeIOException(e);
566         }
567     }
568 
569     protected AsyncConnection newPlainConnection(SocketChannel channel, AsyncEndPoint endPoint)
570     {
571         return super.newConnection(channel, endPoint);
572     }
573 
574     protected SslConnection newSslConnection(AsyncEndPoint endpoint, SSLEngine engine)
575     {
576         return new SslConnection(engine, endpoint);
577     }
578 
579     /* ------------------------------------------------------------ */
580     /**
581      * @param channel A channel which if passed is used as to extract remote
582      * host and port for the purposes of SSL session caching
583      * @return A SSLEngine for a new or cached SSL Session
584      * @throws IOException if the SSLEngine cannot be created
585      */
586     protected SSLEngine createSSLEngine(SocketChannel channel) throws IOException
587     {
588         SSLEngine engine;
589         if (channel != null)
590         {
591             String peerHost = channel.socket().getInetAddress().getHostAddress();
592             int peerPort = channel.socket().getPort();
593             engine = _sslContextFactory.newSslEngine(peerHost, peerPort);
594         }
595         else
596         {
597             engine = _sslContextFactory.newSslEngine();
598         }
599 
600         engine.setUseClientMode(false);
601         return engine;
602     }
603 
604     /* ------------------------------------------------------------ */
605     /**
606      * @see org.eclipse.jetty.server.nio.SelectChannelConnector#doStart()
607      */
608     @Override
609     protected void doStart() throws Exception
610     {
611         _sslContextFactory.checkKeyStore();
612         _sslContextFactory.start();
613 
614         SSLEngine sslEngine = _sslContextFactory.newSslEngine();
615 
616         sslEngine.setUseClientMode(false);
617 
618         SSLSession sslSession = sslEngine.getSession();
619 
620         _sslBuffers = BuffersFactory.newBuffers(
621                 getUseDirectBuffers()?Type.DIRECT:Type.INDIRECT,sslSession.getApplicationBufferSize(),
622                 getUseDirectBuffers()?Type.DIRECT:Type.INDIRECT,sslSession.getApplicationBufferSize(),
623                 getUseDirectBuffers()?Type.DIRECT:Type.INDIRECT,getMaxBuffers()
624         );
625 
626         if (getRequestHeaderSize()<sslSession.getApplicationBufferSize())
627             setRequestHeaderSize(sslSession.getApplicationBufferSize());
628         if (getRequestBufferSize()<sslSession.getApplicationBufferSize())
629             setRequestBufferSize(sslSession.getApplicationBufferSize());
630 
631         super.doStart();
632     }
633 
634     /* ------------------------------------------------------------ */
635     /**
636      * @see org.eclipse.jetty.server.nio.SelectChannelConnector#doStop()
637      */
638     @Override
639     protected void doStop() throws Exception
640     {
641         _sslBuffers=null;
642         super.doStop();
643     }
644 
645     /* ------------------------------------------------------------ */
646     /**
647      * @return SSL buffers
648      */
649     public Buffers getSslBuffers()
650     {
651         return _sslBuffers;
652     }
653 }