@ThreadSafe public class SSLConnectionSocketFactory extends Object implements LayeredConnectionSocketFactory
SSLSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates and to authenticate to the HTTPS server using a private key.
SSLSocketFactory will enable server authentication when supplied with
a trust-store
file containing one or several trusted certificates. The client
secure socket will reject the connection during the SSL session handshake if the target HTTPS
server attempts to authenticate itself with a non-trusted certificate.
Use JDK keytool utility to import a trusted certificate and generate a trust-store file:
keytool -import -alias "my server cert" -file server.crt -keystore my.truststore
In special cases the standard trust verification process can be bypassed by using a custom
TrustStrategy
. This interface is primarily intended for allowing self-signed
certificates to be accepted as trusted without having to add them to the trust-store file.
SSLSocketFactory will enable client authentication when supplied with
a key-store
file containing a private key/public certificate
pair. The client secure socket will use the private key to authenticate
itself to the target HTTPS server during the SSL session handshake if
requested to do so by the server.
The target HTTPS server will in its turn verify the certificate presented
by the client in order to establish client's authenticity.
Use the following sequence of actions to generate a key-store file
Use JDK keytool utility to generate a new key
keytool -genkey -v -alias "my client key" -validity 365 -keystore my.keystoreFor simplicity use the same password for the key as that of the key-store
Issue a certificate signing request (CSR)
keytool -certreq -alias "my client key" -file mycertreq.csr -keystore my.keystore
Send the certificate request to the trusted Certificate Authority for signature. One may choose to act as her own CA and sign the certificate request using a PKI tool, such as OpenSSL.
Import the trusted CA root certificate
keytool -import -alias "my trusted ca" -file caroot.crt -keystore my.keystore
Import the PKCS#7 file containg the complete certificate chain
keytool -import -alias "my client key" -file mycert.p7 -keystore my.keystore
Verify the content the resultant keystore file
keytool -list -v -keystore my.keystore
Modifier and Type | Field and Description |
---|---|
static X509HostnameVerifier |
ALLOW_ALL_HOSTNAME_VERIFIER |
static X509HostnameVerifier |
BROWSER_COMPATIBLE_HOSTNAME_VERIFIER |
static String |
SSL |
static String |
SSLV2 |
static X509HostnameVerifier |
STRICT_HOSTNAME_VERIFIER |
static String |
TLS |
Constructor and Description |
---|
SSLConnectionSocketFactory(SSLContext sslContext) |
SSLConnectionSocketFactory(SSLContext sslContext,
String[] supportedProtocols,
String[] supportedCipherSuites,
X509HostnameVerifier hostnameVerifier) |
SSLConnectionSocketFactory(SSLContext sslContext,
X509HostnameVerifier hostnameVerifier) |
SSLConnectionSocketFactory(SSLSocketFactory socketfactory,
String[] supportedProtocols,
String[] supportedCipherSuites,
X509HostnameVerifier hostnameVerifier) |
SSLConnectionSocketFactory(SSLSocketFactory socketfactory,
X509HostnameVerifier hostnameVerifier) |
Modifier and Type | Method and Description |
---|---|
Socket |
connectSocket(int connectTimeout,
Socket socket,
HttpHost host,
InetSocketAddress remoteAddress,
InetSocketAddress localAddress,
HttpContext context)
Connects the socket to the target host with the given resolved remote address.
|
Socket |
createLayeredSocket(Socket socket,
String target,
int port,
HttpContext context)
Returns a socket connected to the given host that is layered over an
existing socket.
|
Socket |
createSocket(HttpContext context)
Creates new, unconnected socket.
|
static SSLConnectionSocketFactory |
getSocketFactory()
Obtains default SSL socket factory with an SSL context based on the standard JSSE
trust material (
cacerts file in the security properties directory). |
static SSLConnectionSocketFactory |
getSystemSocketFactory()
Obtains default SSL socket factory with an SSL context based on system properties
as described in
"JavaTM Secure Socket Extension (JSSE) Reference Guide for the JavaTM 2 Platform
Standard Edition 5
|
protected void |
prepareSocket(SSLSocket socket)
Performs any custom initialization for a newly created SSLSocket
(before the SSL handshake happens).
|
public static final String TLS
public static final String SSL
public static final String SSLV2
public static final X509HostnameVerifier ALLOW_ALL_HOSTNAME_VERIFIER
public static final X509HostnameVerifier BROWSER_COMPATIBLE_HOSTNAME_VERIFIER
public static final X509HostnameVerifier STRICT_HOSTNAME_VERIFIER
public SSLConnectionSocketFactory(SSLContext sslContext)
public SSLConnectionSocketFactory(SSLContext sslContext, X509HostnameVerifier hostnameVerifier)
public SSLConnectionSocketFactory(SSLContext sslContext, String[] supportedProtocols, String[] supportedCipherSuites, X509HostnameVerifier hostnameVerifier)
public SSLConnectionSocketFactory(SSLSocketFactory socketfactory, X509HostnameVerifier hostnameVerifier)
public SSLConnectionSocketFactory(SSLSocketFactory socketfactory, String[] supportedProtocols, String[] supportedCipherSuites, X509HostnameVerifier hostnameVerifier)
public static SSLConnectionSocketFactory getSocketFactory() throws SSLInitializationException
cacerts
file in the security properties directory).
System properties are not taken into consideration.SSLInitializationException
public static SSLConnectionSocketFactory getSystemSocketFactory() throws SSLInitializationException
SSLInitializationException
protected void prepareSocket(SSLSocket socket) throws IOException
SSLSocket.setEnabledCipherSuites(String[])
.IOException
public Socket createSocket(HttpContext context) throws IOException
ConnectionSocketFactory
connectSocket
method.createSocket
in interface ConnectionSocketFactory
IOException
- if an I/O error occurs while creating the socketpublic Socket connectSocket(int connectTimeout, Socket socket, HttpHost host, InetSocketAddress remoteAddress, InetSocketAddress localAddress, HttpContext context) throws IOException
ConnectionSocketFactory
connectSocket
in interface ConnectionSocketFactory
connectTimeout
- connect timeout.socket
- the socket to connect, as obtained from ConnectionSocketFactory.createSocket(HttpContext)
.
null
indicates that a new socket should be created and connected.host
- target host as specified by the caller (end user).remoteAddress
- the resolved remote address to connect to.localAddress
- the local address to bind the socket to, or null
for any.context
- the actual HTTP context.sock
argument if this factory supports
a layered protocol.IOException
- if an I/O error occurspublic Socket createLayeredSocket(Socket socket, String target, int port, HttpContext context) throws IOException
LayeredConnectionSocketFactory
createLayeredSocket
in interface LayeredConnectionSocketFactory
socket
- the existing sockettarget
- the name of the target host.port
- the port to connect to on the target host.context
- the actual HTTP context.IOException
- if an I/O error occurs while creating the socketCopyright © 1999–2013 The Apache Software Foundation. All rights reserved.