public class SslContextFactory extends AbstractLifeCycle
AbstractLifeCycle.AbstractLifeCycleListener
LifeCycle.Listener
Modifier and Type | Field and Description |
---|---|
static String |
DEFAULT_KEYMANAGERFACTORY_ALGORITHM |
static String |
DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM |
static String |
KEYPASSWORD_PROPERTY
String name of the key password property (the property consulted for the key-manager password when it is not set explicitly — confirm the lookup against the implementation).
|
static String |
PASSWORD_PROPERTY
String name of the keystore password property (the property consulted for the key store password when it is not set explicitly — confirm the lookup against the implementation).
|
static TrustManager[] |
TRUST_ALL_CERTS
A trust manager array that accepts every certificate chain without validation. Installing it disables peer authentication entirely, so it is suitable for local testing only, never for production. |
Constructor and Description |
---|
SslContextFactory()
Construct an instance of SslContextFactory
Default constructor for use in XmlConfiguration files
|
SslContextFactory(boolean trustAll)
Construct an instance of SslContextFactory that, when trustAll is true, blindly trusts all certificates (see setTrustAll(boolean)); the trust-all mode is intended for testing only.
|
SslContextFactory(String keyStorePath)
Construct an instance of SslContextFactory
|
Modifier and Type | Method and Description |
---|---|
void |
addExcludeCipherSuites(String... cipher) |
void |
addExcludeProtocols(String... protocol) |
void |
checkKeyStore()
Check KeyStore Configuration.
|
protected void |
checkNotStarted()
Check if the lifecycle has been started and throw runtime exception
|
void |
customize(SSLEngine sslEngine) |
static int |
deduceKeyLength(String cipherSuite)
Given the name of a TLS/SSL cipher suite, return an int representing its effective stream
cipher key strength.
|
protected void |
doStart()
Create the SSLContext object and start the lifecycle
|
protected void |
doStop() |
String |
getCertAlias() |
static X509Certificate[] |
getCertChain(SSLSession sslSession) |
String |
getCrlPath() |
String[] |
getExcludeCipherSuites() |
String[] |
getExcludeProtocols() |
String[] |
getIncludeCipherSuites() |
String[] |
getIncludeProtocols() |
protected KeyManager[] |
getKeyManagers(KeyStore keyStore) |
String |
getKeyStorePath() |
String |
getKeyStoreProvider() |
String |
getKeyStoreType() |
int |
getMaxCertPathLength() |
boolean |
getNeedClientAuth() |
String |
getOcspResponderURL() |
String |
getProtocol() |
String |
getProvider() |
String |
getSecureRandomAlgorithm() |
SSLContext |
getSslContext() |
String |
getSslKeyManagerFactoryAlgorithm() |
int |
getSslSessionCacheSize()
Get SSL session cache size.
|
int |
getSslSessionTimeout()
Get SSL session timeout.
|
String |
getTrustManagerFactoryAlgorithm() |
protected TrustManager[] |
getTrustManagers(KeyStore trustStore,
Collection<? extends CRL> crls) |
String |
getTrustStore() |
String |
getTrustStoreProvider() |
String |
getTrustStoreType() |
boolean |
getWantClientAuth() |
boolean |
isEnableCRLDP() |
boolean |
isEnableOCSP() |
boolean |
isRenegotiationAllowed() |
boolean |
isSessionCachingEnabled() |
boolean |
isTrustAll() |
boolean |
isValidateCerts() |
boolean |
isValidatePeerCerts() |
protected Collection<? extends CRL> |
loadCRL(String crlPath)
Loads certificate revocation list (CRL) from a file.
|
protected KeyStore |
loadKeyStore()
Override this method to provide alternate way to load a keystore.
|
protected KeyStore |
loadTrustStore()
Override this method to provide alternate way to load a truststore.
|
SSLEngine |
newSSLEngine()
Factory method for "scratch"
SSLEngine s, usually only used for retrieving configuration
information such as the application buffer size or the list of protocols/ciphers. |
SSLEngine |
newSSLEngine(InetSocketAddress address)
Server-side only factory method for creating
SSLEngine s. |
SSLEngine |
newSSLEngine(String host,
int port)
General purpose factory method for creating
SSLEngine s, although creation of
SSLEngine s on the server-side should prefer newSSLEngine(InetSocketAddress) . |
SSLServerSocket |
newSslServerSocket(String host,
int port,
int backlog) |
SSLSocket |
newSslSocket() |
String[] |
selectCipherSuites(String[] enabledCipherSuites,
String[] supportedCipherSuites)
Select cipher suites to be used by the connector
based on configured inclusion and exclusion lists
as well as enabled and supported cipher suite lists.
|
String[] |
selectProtocols(String[] enabledProtocols,
String[] supportedProtocols)
Select protocols to be used by the connector
based on configured inclusion and exclusion lists
as well as enabled and supported protocols.
|
void |
setCertAlias(String certAlias) |
void |
setCrlPath(String crlPath) |
void |
setEnableCRLDP(boolean enableCRLDP)
Enables CRL Distribution Points Support
|
void |
setEnableOCSP(boolean enableOCSP)
Enables On-Line Certificate Status Protocol support
|
void |
setEndpointIdentificationAlgorithm(String endpointIdentificationAlgorithm)
When set to "HTTPS" hostname verification will be enabled; when left unset the peer's certificate is not matched against the host being connected to, so a client accepting any certificate its trust store trusts is open to impersonation.
|
void |
setExcludeCipherSuites(String... cipherSuites)
You can either use the exact cipher suite name or a regular expression.
|
void |
setExcludeProtocols(String... protocols) |
void |
setIncludeCipherSuites(String... cipherSuites)
You can either use the exact cipher suite name or a regular expression.
|
void |
setIncludeProtocols(String... protocols) |
void |
setKeyManagerPassword(String password) |
void |
setKeyStore(KeyStore keyStore)
Set the key store.
|
void |
setKeyStorePassword(String password) |
void |
setKeyStorePath(String keyStorePath) |
void |
setKeyStoreProvider(String keyStoreProvider) |
void |
setKeyStoreResource(Resource resource)
Set the key store resource.
|
void |
setKeyStoreType(String keyStoreType) |
void |
setMaxCertPathLength(int maxCertPathLength) |
void |
setNeedClientAuth(boolean needClientAuth) |
void |
setOcspResponderURL(String ocspResponderURL)
Set the location of the OCSP Responder.
|
void |
setProtocol(String protocol) |
void |
setProvider(String provider) |
void |
setRenegotiationAllowed(boolean renegotiationAllowed) |
void |
setSecureRandomAlgorithm(String algorithm) |
void |
setSessionCachingEnabled(boolean enableSessionCaching)
Set the flag to enable SSL Session caching.
|
void |
setSslContext(SSLContext sslContext) |
void |
setSslKeyManagerFactoryAlgorithm(String algorithm) |
void |
setSslSessionCacheSize(int sslSessionCacheSize)
Set SSL session cache size.
|
void |
setSslSessionTimeout(int sslSessionTimeout)
Set SSL session timeout.
|
void |
setTrustAll(boolean trustAll) |
void |
setTrustManagerFactoryAlgorithm(String algorithm) |
void |
setTrustStore(KeyStore trustStore)
Set the trust store.
|
void |
setTrustStorePassword(String password) |
void |
setTrustStorePath(String trustStorePath) |
void |
setTrustStoreProvider(String trustStoreProvider) |
void |
setTrustStoreResource(Resource resource)
Set the trust store resource.
|
void |
setTrustStoreType(String trustStoreType) |
void |
setValidateCerts(boolean validateCerts) |
void |
setValidatePeerCerts(boolean validatePeerCerts) |
void |
setWantClientAuth(boolean wantClientAuth) |
String |
toString() |
Methods inherited from class AbstractLifeCycle: addLifeCycleListener, getState, getState, getStopTimeout, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, setStopTimeout, start, stop
public static final TrustManager[] TRUST_ALL_CERTS
public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM
public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM
public static final String KEYPASSWORD_PROPERTY
public static final String PASSWORD_PROPERTY
public SslContextFactory()
public SslContextFactory(boolean trustAll)
trustAll
- whether to blindly trust all certificates (the peer's chain is then accepted without validation, so peers cannot be authenticated; intended for testing only). See setTrustAll(boolean).
public SslContextFactory(String keyStorePath)
keyStorePath
- default keystore location
protected void doStart() throws Exception
doStart
in class AbstractLifeCycle
Exception
AbstractLifeCycle.doStart()
protected void doStop() throws Exception
doStop
in class AbstractLifeCycle
Exception
public String[] getExcludeProtocols()
SSLEngine.setEnabledProtocols(String[])
public void setExcludeProtocols(String... protocols)
protocols
- The array of protocol names to exclude from
SSLEngine.setEnabledProtocols(String[])
public void addExcludeProtocols(String... protocol)
protocol
- Protocol names to add to SSLEngine.setEnabledProtocols(String[])
public String[] getIncludeProtocols()
SSLEngine.setEnabledProtocols(String[])
public void setIncludeProtocols(String... protocols)
protocols
- The array of protocol names to include in
SSLEngine.setEnabledProtocols(String[])
public String[] getExcludeCipherSuites()
SSLEngine.setEnabledCipherSuites(String[])
public void setExcludeCipherSuites(String... cipherSuites)
cipherSuites
- The array of cipher suite names to exclude from
SSLEngine.setEnabledCipherSuites(String[])
public void addExcludeCipherSuites(String... cipher)
cipher
- Cipher names to add to SSLEngine.setEnabledCipherSuites(String[])
public String[] getIncludeCipherSuites()
SSLEngine.setEnabledCipherSuites(String[])
public void setIncludeCipherSuites(String... cipherSuites)
cipherSuites
- The array of cipher suite names to include in
SSLEngine.setEnabledCipherSuites(String[])
public String getKeyStorePath()
public void setKeyStorePath(String keyStorePath)
keyStorePath
- The file or URL of the SSL key store.
public String getKeyStoreProvider()
public void setKeyStoreProvider(String keyStoreProvider)
keyStoreProvider
- The provider of the key store.
public String getKeyStoreType()
public void setKeyStoreType(String keyStoreType)
keyStoreType
- The type of the key store (default "JKS").
public String getCertAlias()
public void setCertAlias(String certAlias)
certAlias
- Alias of the SSL certificate for the connector. When the key store holds more than one key entry, set this explicitly; otherwise which entry is presented is implementation-dependent.
public String getTrustStore()
public void setTrustStorePath(String trustStorePath)
trustStorePath
- The file name or URL of the trust store location.
public String getTrustStoreProvider()
public void setTrustStoreProvider(String trustStoreProvider)
trustStoreProvider
- The provider of the trust store.
public String getTrustStoreType()
public void setTrustStoreType(String trustStoreType)
trustStoreType
- The type of the trust store (default "JKS").
public boolean getNeedClientAuth()
See SSLEngine.getNeedClientAuth()
public void setNeedClientAuth(boolean needClientAuth)
needClientAuth
- True if SSL needs client authentication: a client certificate is required and the handshake fails without one (the semantics of SSLEngine.setNeedClientAuth). See SSLEngine.getNeedClientAuth().
public boolean getWantClientAuth()
See SSLEngine.getWantClientAuth()
public void setWantClientAuth(boolean wantClientAuth)
wantClientAuth
- True if SSL wants client authentication: a client certificate is requested, but the handshake still completes if the client presents none, so an application that relies on the client identity must check for the peer certificate itself (the semantics of SSLEngine.setWantClientAuth). See SSLEngine.getWantClientAuth().
public boolean isValidateCerts()
public void setValidateCerts(boolean validateCerts)
validateCerts
- true if the SSL certificates loaded from the key store have to be validated (for the peer's certificates see setValidatePeerCerts).
public boolean isValidatePeerCerts()
public void setValidatePeerCerts(boolean validatePeerCerts)
validatePeerCerts
- true if the SSL certificates of the peer have to be validated (presumably against the trust store plus the configured CRL/OCSP revocation checks — confirm the exact checks against the implementation).
public void setKeyStorePassword(String password)
password
- The password for the key store. Avoid hard-coding it in source; supply it through configuration or the PASSWORD_PROPERTY property.
public void setKeyManagerPassword(String password)
password
- The password (if any) for the specific key within the key store. See KEYPASSWORD_PROPERTY.
public void setTrustStorePassword(String password)
password
- The password for the trust store.
public String getProvider()
SSLContext.getInstance(String, String)
public void setProvider(String provider)
provider
- The SSL provider name, which if set is passed to
SSLContext.getInstance(String, String)
public String getProtocol()
SSLContext.getInstance(String, String)
public void setProtocol(String protocol)
protocol
- The SSL protocol (default "TLS") passed to
SSLContext.getInstance(String, String)
public String getSecureRandomAlgorithm()
SecureRandom.getInstance(String)
to obtain the SecureRandom
instance passed to
SSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)
public void setSecureRandomAlgorithm(String algorithm)
algorithm
- The algorithm name, which if set is passed to
SecureRandom.getInstance(String)
to obtain the SecureRandom
instance passed to
SSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)
public String getSslKeyManagerFactoryAlgorithm()
KeyManagerFactory
public void setSslKeyManagerFactoryAlgorithm(String algorithm)
algorithm
- The algorithm name (default "SunX509") used by the KeyManagerFactory
public String getTrustManagerFactoryAlgorithm()
TrustManagerFactory
public boolean isTrustAll()
public void setTrustAll(boolean trustAll)
trustAll
- True if all certificates should be trusted when there is no KeyStore or TrustStore. In this mode (presumably via TRUST_ALL_CERTS) the peer's certificate chain is accepted without any validation, so an active attacker can impersonate any peer; use it only for local testing, never in production.
public void setTrustManagerFactoryAlgorithm(String algorithm)
algorithm
- The algorithm name (default "SunX509") used by the TrustManagerFactory.
Use the string "TrustAll" to install a trust manager that trusts all certificates; the same caveat as for setTrustAll(boolean) applies.
public boolean isRenegotiationAllowed()
public void setRenegotiationAllowed(boolean renegotiationAllowed)
renegotiationAllowed
- whether TLS renegotiation is allowed. Client-initiated renegotiation is comparatively expensive for the server and has historically been abused for resource exhaustion, so leave it disabled unless a client genuinely requires it.
public String getCrlPath()
public void setCrlPath(String crlPath)
crlPath
- Path to a file that contains a Certificate Revocation List.
public int getMaxCertPathLength()
public void setMaxCertPathLength(int maxCertPathLength)
maxCertPathLength
- maximum number of intermediate certificates in the certification path (-1 for unlimited). A finite bound limits the validation work a peer can force through a long chain; -1 removes that bound.
public SSLContext getSslContext()
public void setSslContext(SSLContext sslContext)
sslContext
- Set a preconfigured SSLContext. The factory then uses it as supplied, so the key store, trust store and validation settings on this factory presumably do not apply to it — confirm against the implementation.
public void setEndpointIdentificationAlgorithm(String endpointIdentificationAlgorithm)
endpointIdentificationAlgorithm
- Set the endpoint identification algorithm; "HTTPS" enables hostname verification of the peer certificate, leaving it unset does not.
protected KeyStore loadKeyStore() throws Exception
Exception
- if the keystore cannot be loaded
protected KeyStore loadTrustStore() throws Exception
Exception
- if the truststore cannot be loaded
protected Collection<? extends CRL> loadCRL(String crlPath) throws Exception
crlPath
- path of the certificate revocation list file
Exception
- if the certificate revocation list cannot be loaded
protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
Exception
protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
Exception
public void checkKeyStore()
IllegalStateException
- if the SslContextFactory configuration can't be used.
public String[] selectProtocols(String[] enabledProtocols, String[] supportedProtocols)
enabledProtocols
- Array of enabled protocols
supportedProtocols
- Array of supported protocols
public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
enabledCipherSuites
- Array of enabled cipher suites
supportedCipherSuites
- Array of supported cipher suites
protected void checkNotStarted()
public boolean isEnableCRLDP()
public void setEnableCRLDP(boolean enableCRLDP)
enableCRLDP
- true turns on CRL Distribution Point support, false turns it off. Fetching CRLs from the distribution points named in certificates is a network operation performed during certificate validation — confirm how fetch failures are handled (hard-fail vs. soft-fail) before relying on it.
public boolean isEnableOCSP()
public void setEnableOCSP(boolean enableOCSP)
enableOCSP
- true turns on On-Line Certificate Status Protocol support, false turns it off.
public String getOcspResponderURL()
public void setOcspResponderURL(String ocspResponderURL)
ocspResponderURL
- location of the OCSP Responder
public void setKeyStore(KeyStore keyStore)
keyStore
- the key store to set
public void setTrustStore(KeyStore trustStore)
trustStore
- the trust store to set
public void setKeyStoreResource(Resource resource)
resource
- the key store resource to set
public void setTrustStoreResource(Resource resource)
resource
- the trust store resource to set
public boolean isSessionCachingEnabled()
public void setSessionCachingEnabled(boolean enableSessionCaching)
enableSessionCaching
- the value of the flag
public int getSslSessionCacheSize()
public void setSslSessionCacheSize(int sslSessionCacheSize)
sslSessionCacheSize
- SSL session cache size to set
public int getSslSessionTimeout()
public void setSslSessionTimeout(int sslSessionTimeout)
sslSessionTimeout
- SSL session timeout to set
public SSLServerSocket newSslServerSocket(String host, int port, int backlog) throws IOException
IOException
public SSLSocket newSslSocket() throws IOException
IOException
public SSLEngine newSSLEngine()
Factory method for "scratch" SSLEngines, usually only used for retrieving configuration information such as the application buffer size or the list of protocols/ciphers.
This method should not be used for creating SSLEngines that are used in actual socket communication.
Returns: SSLEngine
public SSLEngine newSSLEngine(String host, int port)
General purpose factory method for creating SSLEngines, although creation of SSLEngines on the server-side should prefer newSSLEngine(InetSocketAddress).
host
- the remote host
port
- the remote port
Returns: SSLEngine
public SSLEngine newSSLEngine(InetSocketAddress address)
Server-side only factory method for creating SSLEngines.
If the given address is null, it is equivalent to newSSLEngine(); otherwise newSSLEngine(String, int) is called.
If getNeedClientAuth() is true, then the host name is passed to newSSLEngine(String, int), possibly incurring a reverse DNS lookup, which takes time and may hang the selector (since this method is usually called by the selector thread). Because that lookup runs on the selector thread, a slow or unresponsive resolver can stall every connection served by that selector. Otherwise, the host address is passed to newSSLEngine(String, int) without DNS lookup penalties.
Clients that wish to create SSLEngine instances must use newSSLEngine(String, int).
address
- the remote peer address
Returns: SSLEngine
public void customize(SSLEngine sslEngine)
public static X509Certificate[] getCertChain(SSLSession sslSession)
public static int deduceKeyLength(String cipherSuite)
Given the name of a TLS/SSL cipher suite, return an int representing its effective stream cipher key strength. This is based on the information on effective key lengths in RFC 2246 - The TLS Protocol Version 1.0, Appendix C. CipherSuite definitions (* marks suites RFC 2246 lists as exportable):

| Cipher | Type | Effective Key Bits |
|---|---|---|
| NULL * | Stream | 0 |
| IDEA_CBC | Block | 128 |
| RC2_CBC_40 * | Block | 40 |
| RC4_40 * | Stream | 40 |
| RC4_128 | Stream | 128 |
| DES40_CBC * | Block | 40 |
| DES_CBC | Block | 56 |
| 3DES_EDE_CBC | Block | 168 |

Note that this table comes from TLS 1.0 and lists only the legacy ciphers above; the 168 for 3DES is its nominal key size rather than its effective strength, and how suites not in the table (for example the AES suites) are mapped is not documented here — confirm against the implementation before using the result to enforce a minimum key strength.
cipherSuite
- String name of the TLS cipher suite.