Package org.eclipse.jetty.util.ssl

Class SslContextFactory

java.lang.Object

org.eclipse.jetty.util.component.AbstractLifeCycle

org.eclipse.jetty.util.ssl.SslContextFactory

All Implemented Interfaces:

Dumpable, LifeCycle

Direct Known Subclasses:

SslContextFactory.Client, SslContextFactory.Server

@ManagedObject
public abstract class SslContextFactory
extends AbstractLifeCycle
implements Dumpable

SslContextFactory is used to configure SSL parameters to be used by server and client connectors.

Use SslContextFactory.Server to configure server-side connectors, and SslContextFactory.Client to configure HTTP or WebSocket clients.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	SslContextFactory.Client
static class	SslContextFactory.Server
static class	SslContextFactory.X509ExtendedKeyManagerWrapper	A wrapper that delegates to another (if not null) X509ExtendedKeyManager.
static class	SslContextFactory.X509ExtendedTrustManagerWrapper	A wrapper that delegates to another (if not null) X509ExtendedTrustManager.

Nested classes/interfaces inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

AbstractLifeCycle.AbstractLifeCycleListener, AbstractLifeCycle.StopException

Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.Dumpable

Dumpable.DumpableContainer

Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.LifeCycle

LifeCycle.Listener

Field Summary

Fields

Modifier and Type	Field	Description
static final String	DEFAULT_KEYMANAGERFACTORY_ALGORITHM
static final String	DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM
static final String	KEYPASSWORD_PROPERTY	String name of key password property.
static final String	PASSWORD_PROPERTY	String name of keystore password property.
static final TrustManager[]	TRUST_ALL_CERTS

Fields inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

FAILED, STARTED, STARTING, STOPPED, STOPPING

Fields inherited from interface org.eclipse.jetty.util.component.Dumpable

KEY

Constructor Summary

Constructors

Modifier	Constructor	Description
protected	SslContextFactory()	Construct an instance of SslContextFactory with the default configuration.
	SslContextFactory(boolean trustAll)	Construct an instance of SslContextFactory that trusts all certificates

Method Summary

Modifier and Type	Method	Description
void	addExcludeCipherSuites(String... cipher)	You can either use the exact Cipher suite name or a a regular expression.
void	addExcludeProtocols(String... protocol)	You can either use the exact Protocol name or a a regular expression.
protected void	checkCiphers(SSLParameters supported)
protected void	checkConfiguration()
protected void	checkEndPointIdentificationAlgorithm()
protected void	checkProtocols(SSLParameters supported)
protected void	checkTrustAll()
void	customize(SSLEngine sslEngine)	Customize an SslEngine instance with the configuration of this factory, by calling customize(SSLParameters)
SSLParameters	customize(SSLParameters sslParams)	Customize an SslParameters instance with the configuration of this factory.
static int	deduceKeyLength(String cipherSuite)	Given the name of a TLS/SSL cipher suite, return an int representing it effective stream cipher key strength.
protected void	doStart()	Creates the SSLContext object and starts the lifecycle
protected void	doStop()	Method to override to stop the lifecycle
String	dump()
void	dump(Appendable out, String indent)	Dump this object (and children) into an Appendable using the provided indent after any new lines.
Set<String>	getAliases()
String	getCertAlias()
static X509Certificate[]	getCertChain(SSLSession sslSession)	Obtain the X509 Certificate Chain from the provided SSLSession using the default CertificateFactory behaviors
protected CertificateFactory	getCertificateFactoryInstance(String type)
protected CertStore	getCertStoreInstance(Collection<? extends CRL> crls)
Comparator<String>	getCipherComparator()
String	getCrlPath()
String	getEndpointIdentificationAlgorithm()
String[]	getExcludeCipherSuites()
String[]	getExcludeProtocols()
HostnameVerifier	getHostnameVerifier()
String[]	getIncludeCipherSuites()
String[]	getIncludeProtocols()
String	getKeyManagerFactoryAlgorithm()
protected KeyManagerFactory	getKeyManagerFactoryInstance()
String	getKeyManagerPassword()
protected KeyManager[]	getKeyManagers(KeyStore keyStore)
KeyStore	getKeyStore()
String	getKeyStorePassword()
String	getKeyStorePath()
String	getKeyStoreProvider()
Resource	getKeyStoreResource()
String	getKeyStoreType()
int	getMaxCertPathLength()
String	getOcspResponderURL()
protected Password	getPassword(String realm)	Returns the password object for the given realm.
PKIXCertPathChecker	getPkixCertPathChecker()
String	getProtocol()
String	getProvider()	Get the optional Security Provider name.
int	getRenegotiationLimit()
String	getSecureRandomAlgorithm()
protected SecureRandom	getSecureRandomInstance()
String[]	getSelectedCipherSuites()
String[]	getSelectedProtocols()
SSLContext	getSslContext()
protected SSLContext	getSSLContextInstance()
int	getSslSessionCacheSize()	Get SSL session cache size.
int	getSslSessionTimeout()	Get SSL session timeout.
String	getTrustManagerFactoryAlgorithm()
protected TrustManagerFactory	getTrustManagerFactoryInstance()
protected TrustManager[]	getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls)
KeyStore	getTrustStore()
String	getTrustStorePath()
String	getTrustStoreProvider()
Resource	getTrustStoreResource()
String	getTrustStoreType()
X509	getX509(String alias)
X509Certificate[]	getX509CertChain(SSLSession sslSession)	Obtain the X509 Certificate Chain from the provided SSLSession using this SslContextFactory's optional Provider specific CertificateFactory.
boolean	isEnableCRLDP()
boolean	isEnableOCSP()
boolean	isRenegotiationAllowed()
boolean	isSessionCachingEnabled()
boolean	isTrustAll()
boolean	isUseCipherSuitesOrder()
boolean	isValidateCerts()
boolean	isValidatePeerCerts()
protected Collection<? extends CRL>	loadCRL(String crlPath)	Loads certificate revocation list (CRL) from a file.
protected KeyStore	loadKeyStore(Resource resource)	Override this method to provide alternate way to load a keystore.
protected KeyStore	loadTrustStore(Resource resource)	Override this method to provide alternate way to load a truststore.
Password	newPassword(String password)	Creates a new Password object.
protected PKIXBuilderParameters	newPKIXBuilderParameters(KeyStore trustStore, Collection<? extends CRL> crls)
SSLEngine	newSSLEngine()	Factory method for "scratch" SSLEngines, usually only used for retrieving configuration information such as the application buffer size or the list of protocols/ciphers.
SSLEngine	newSSLEngine(String host, int port)	General purpose factory method for creating SSLEngines, although creation of SSLEngines on the server-side should prefer newSSLEngine(InetSocketAddress).
SSLEngine	newSSLEngine(InetSocketAddress address)	Server-side only factory method for creating SSLEngines.
SSLServerSocket	newSslServerSocket(String host, int port, int backlog)
SSLSocket	newSslSocket()
protected void	processIncludeCipherSuites(String[] supportedCipherSuites, List<String> selectedCiphers)	Deprecated. no replacement
void	reload(Consumer<SslContextFactory> consumer)
protected void	removeExcludedCipherSuites(List<String> selectedCiphers)	Deprecated. no replacement
protected void	selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)	Select cipher suites to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported cipher suite lists.
void	selectProtocols(String[] enabledProtocols, String[] supportedProtocols)	Select protocols to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported protocols.
void	setCertAlias(String certAlias)	Set the default certificate Alias.
void	setCipherComparator(Comparator<String> cipherComparator)
void	setCrlPath(String crlPath)
void	setEnableCRLDP(boolean enableCRLDP)	Enables CRL Distribution Points Support
void	setEnableOCSP(boolean enableOCSP)	Enables On-Line Certificate Status Protocol support
void	setEndpointIdentificationAlgorithm(String endpointIdentificationAlgorithm)	When set to "HTTPS" hostname verification will be enabled.
void	setExcludeCipherSuites(String... cipherSuites)	You can either use the exact Cipher suite name or a a regular expression.
void	setExcludeProtocols(String... protocols)	You can either use the exact Protocol name or a a regular expression.
void	setHostnameVerifier(HostnameVerifier hostnameVerifier)	Sets a HostnameVerifier used by a client to verify host names in the server certificate.
void	setIncludeCipherSuites(String... cipherSuites)	You can either use the exact Cipher suite name or a a regular expression.
void	setIncludeProtocols(String... protocols)	You can either use the exact Protocol name or a a regular expression.
void	setKeyManagerFactoryAlgorithm(String algorithm)
void	setKeyManagerPassword(String password)
void	setKeyStore(KeyStore keyStore)	Set the key store.
void	setKeyStorePassword(String password)
void	setKeyStorePath(String keyStorePath)
void	setKeyStoreProvider(String keyStoreProvider)
void	setKeyStoreResource(Resource resource)	Set the key store resource.
void	setKeyStoreType(String keyStoreType)
void	setMaxCertPathLength(int maxCertPathLength)
void	setOcspResponderURL(String ocspResponderURL)	Set the location of the OCSP Responder.
void	setPkixCertPathChecker(PKIXCertPathChecker pkixCertPatchChecker)
void	setProtocol(String protocol)
void	setProvider(String provider)	Set the optional Security Provider name.
void	setRenegotiationAllowed(boolean renegotiationAllowed)
void	setRenegotiationLimit(int renegotiationLimit)
void	setSecureRandomAlgorithm(String algorithm)
void	setSessionCachingEnabled(boolean enableSessionCaching)	Set the flag to enable SSL Session caching.
void	setSslContext(SSLContext sslContext)
void	setSslSessionCacheSize(int sslSessionCacheSize)	Set SSL session cache size.
void	setSslSessionTimeout(int sslSessionTimeout)	Set SSL session timeout.
void	setTrustAll(boolean trustAll)
void	setTrustManagerFactoryAlgorithm(String algorithm)
void	setTrustStore(KeyStore trustStore)	Set the trust store.
void	setTrustStorePassword(String password)
void	setTrustStorePath(String trustStorePath)
void	setTrustStoreProvider(String trustStoreProvider)
void	setTrustStoreResource(Resource resource)	Set the trust store resource.
void	setTrustStoreType(String trustStoreType)
void	setUseCipherSuitesOrder(boolean useCipherSuitesOrder)
void	setValidateCerts(boolean validateCerts)
void	setValidatePeerCerts(boolean validatePeerCerts)
String	toString()
void	validateCerts(X509Certificate[] certs)

Methods inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

addEventListener, getEventListeners, getState, getState, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeEventListener, setEventListeners, start, stop

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface org.eclipse.jetty.util.component.Dumpable

dumpSelf

Field Details

TRUST_ALL_CERTS

public static final TrustManager[] TRUST_ALL_CERTS

DEFAULT_KEYMANAGERFACTORY_ALGORITHM

public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM

DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM

public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM

KEYPASSWORD_PROPERTY

public static final String KEYPASSWORD_PROPERTY

String name of key password property.

See Also:

• Constant Field Values

PASSWORD_PROPERTY

public static final String PASSWORD_PROPERTY

String name of keystore password property.

See Also:

• Constant Field Values

Constructor Details

SslContextFactory

protected SslContextFactory()

Construct an instance of SslContextFactory with the default configuration.

SslContextFactory

public SslContextFactory(boolean trustAll)

Construct an instance of SslContextFactory that trusts all certificates

Parameters:

trustAll - whether to blindly trust all certificates

See Also:

• setTrustAll(boolean)

Method Details

doStart

protected void doStart()
                throws Exception

Creates the SSLContext object and starts the lifecycle

Overrides:

doStart in class AbstractLifeCycle

Throws:

Exception - If there was a problem starting. Will cause a transition to FAILED state

checkConfiguration

protected void checkConfiguration()

checkTrustAll

protected void checkTrustAll()

checkEndPointIdentificationAlgorithm

protected void checkEndPointIdentificationAlgorithm()

checkProtocols

protected void checkProtocols(SSLParameters supported)

checkCiphers

protected void checkCiphers(SSLParameters supported)

dump

public String dump()

Specified by:

dump in interface Dumpable

dump

public void dump(Appendable out,
 String indent)
          throws IOException

Description copied from interface: Dumpable

Dump this object (and children) into an Appendable using the provided indent after any new lines. The indent should not be applied to the first object dumped.

Specified by:

dump in interface Dumpable

Parameters:

out - The appendable to dump to

indent - The indent to apply after any new lines.

Throws:

IOException - if unable to write to Appendable

doStop

protected void doStop()
               throws Exception

Description copied from class: AbstractLifeCycle

Method to override to stop the lifecycle

Overrides:

doStop in class AbstractLifeCycle

Throws:

Exception - If there was a problem stopping. Will cause a transition to FAILED state

getSelectedProtocols

@ManagedAttribute(value="The selected TLS protocol versions",
                  readonly=true)
public String[] getSelectedProtocols()

getSelectedCipherSuites

@ManagedAttribute(value="The selected cipher suites",
                  readonly=true)
public String[] getSelectedCipherSuites()

getCipherComparator

public Comparator<String> getCipherComparator()

setCipherComparator

public void setCipherComparator(Comparator<String> cipherComparator)

getAliases

public Set<String> getAliases()

getX509

public X509 getX509(String alias)

getExcludeProtocols

@ManagedAttribute("The excluded TLS protocols")
public String[] getExcludeProtocols()

Returns:

The array of protocol names to exclude from SSLEngine.setEnabledProtocols(String[])

setExcludeProtocols

public void setExcludeProtocols(String... protocols)

You can either use the exact Protocol name or a a regular expression.

Parameters:

protocols - The array of protocol names to exclude from SSLEngine.setEnabledProtocols(String[])

addExcludeProtocols

public void addExcludeProtocols(String... protocol)

You can either use the exact Protocol name or a a regular expression.

Parameters:

protocol - Protocol name patterns to add to SSLEngine.setEnabledProtocols(String[])

getIncludeProtocols

@ManagedAttribute("The included TLS protocols")
public String[] getIncludeProtocols()

Returns:

The array of protocol name patterns to include in SSLEngine.setEnabledProtocols(String[])

setIncludeProtocols

public void setIncludeProtocols(String... protocols)

You can either use the exact Protocol name or a a regular expression.

Parameters:

protocols - The array of protocol name patterns to include in SSLEngine.setEnabledProtocols(String[])

getExcludeCipherSuites

@ManagedAttribute("The excluded cipher suites")
public String[] getExcludeCipherSuites()

Returns:

The array of cipher suite name patterns to exclude from SSLEngine.setEnabledCipherSuites(String[])

setExcludeCipherSuites

public void setExcludeCipherSuites(String... cipherSuites)

You can either use the exact Cipher suite name or a a regular expression.

Parameters:

cipherSuites - The array of cipher suite names to exclude from SSLEngine.setEnabledCipherSuites(String[])

addExcludeCipherSuites

public void addExcludeCipherSuites(String... cipher)

You can either use the exact Cipher suite name or a a regular expression.

Parameters:

cipher - Cipher names to add to SSLEngine.setEnabledCipherSuites(String[])

getIncludeCipherSuites

@ManagedAttribute("The included cipher suites")
public String[] getIncludeCipherSuites()

Returns:

The array of Cipher suite names to include in SSLEngine.setEnabledCipherSuites(String[])

setIncludeCipherSuites

public void setIncludeCipherSuites(String... cipherSuites)

You can either use the exact Cipher suite name or a a regular expression.

Parameters:

cipherSuites - The array of cipher suite names to include in SSLEngine.setEnabledCipherSuites(String[])

isUseCipherSuitesOrder

@ManagedAttribute("Whether to respect the cipher suites order")
public boolean isUseCipherSuitesOrder()

setUseCipherSuitesOrder

public void setUseCipherSuitesOrder(boolean useCipherSuitesOrder)

getKeyStorePath

@ManagedAttribute("The keyStore path")
public String getKeyStorePath()

Returns:

The file or URL of the SSL Key store.

setKeyStorePath

public void setKeyStorePath(String keyStorePath)

Parameters:

keyStorePath - The file or URL of the SSL Key store.

getKeyStoreProvider

@ManagedAttribute("The keyStore provider name")
public String getKeyStoreProvider()

Returns:

The provider of the key store

setKeyStoreProvider

public void setKeyStoreProvider(String keyStoreProvider)

Parameters:

keyStoreProvider - The provider of the key store

getKeyStoreType

@ManagedAttribute("The keyStore type")
public String getKeyStoreType()

Returns:

The type of the key store (default "PKCS12")

setKeyStoreType

public void setKeyStoreType(String keyStoreType)

Parameters:

keyStoreType - The type of the key store

getCertAlias

@ManagedAttribute("The certificate alias")
public String getCertAlias()

Returns:

Alias of SSL certificate for the connector

setCertAlias

public void setCertAlias(String certAlias)

Set the default certificate Alias.

This can be used if there are multiple non-SNI certificates to specify the certificate that should be used, or with SNI certificates to set a certificate to try if no others match

Parameters:

certAlias - Alias of SSL certificate for the connector

getTrustStorePath

@ManagedAttribute("The trustStore path")
public String getTrustStorePath()

setTrustStorePath

public void setTrustStorePath(String trustStorePath)

Parameters:

trustStorePath - The file name or URL of the trust store location

getTrustStoreProvider

@ManagedAttribute("The trustStore provider name")
public String getTrustStoreProvider()

Returns:

The provider of the trust store

setTrustStoreProvider

public void setTrustStoreProvider(String trustStoreProvider)

Parameters:

trustStoreProvider - The provider of the trust store

getTrustStoreType

@ManagedAttribute("The trustStore type")
public String getTrustStoreType()

Returns:

The type of the trust store

setTrustStoreType

public void setTrustStoreType(String trustStoreType)

Parameters:

trustStoreType - The type of the trust store

isValidateCerts

@ManagedAttribute("Whether certificates are validated")
public boolean isValidateCerts()

Returns:

true if SSL certificate has to be validated

setValidateCerts

public void setValidateCerts(boolean validateCerts)

Parameters:

validateCerts - true if SSL certificates have to be validated

isValidatePeerCerts

@ManagedAttribute("Whether peer certificates are validated")
public boolean isValidatePeerCerts()

Returns:

true if SSL certificates of the peer have to be validated

setValidatePeerCerts

public void setValidatePeerCerts(boolean validatePeerCerts)

Parameters:

validatePeerCerts - true if SSL certificates of the peer have to be validated

getKeyStorePassword

public String getKeyStorePassword()

setKeyStorePassword

public void setKeyStorePassword(String password)

Parameters:

password - The password for the key store. If null is passed and a keystore is set, then the getPassword(String) is used to obtain a password either from the "org.eclipse.jetty.ssl.password" system property.

getKeyManagerPassword

public String getKeyManagerPassword()

setKeyManagerPassword

public void setKeyManagerPassword(String password)

Parameters:

password - The password (if any) for the specific key within the key store. If null is passed and the "org.eclipse.jetty.ssl.keypassword" system property is set, then the getPassword(String) is used to obtain a password from the "org.eclipse.jetty.ssl.keypassword" system property.

setTrustStorePassword

public void setTrustStorePassword(String password)

Parameters:

password - The password for the truststore. If null is passed then the getPassword(String) is used to obtain a password from the "org.eclipse.jetty.ssl.password" system property.

getProvider

@ManagedAttribute("The provider name")
public String getProvider()

Get the optional Security Provider name.

Security Provider name used with:

• SecureRandom.getInstance(String, String)
• SSLContext.getInstance(String, String)
• TrustManagerFactory.getInstance(String, String)
• KeyManagerFactory.getInstance(String, String)
• CertStore.getInstance(String, CertStoreParameters, String)
• CertificateFactory.getInstance(String, String)

Returns:

The optional Security Provider name.

setProvider

public void setProvider(String provider)

Set the optional Security Provider name.

Security Provider name used with:

• SecureRandom.getInstance(String, String)
• SSLContext.getInstance(String, String)
• TrustManagerFactory.getInstance(String, String)
• KeyManagerFactory.getInstance(String, String)
• CertStore.getInstance(String, CertStoreParameters, String)
• CertificateFactory.getInstance(String, String)

Parameters:

provider - The optional Security Provider name.

getProtocol

@ManagedAttribute("The TLS protocol")
public String getProtocol()

Returns:

The SSL protocol (default "TLS") passed to SSLContext.getInstance(String, String)

setProtocol

public void setProtocol(String protocol)

Parameters:

protocol - The SSL protocol (default "TLS") passed to SSLContext.getInstance(String, String)

getSecureRandomAlgorithm

@ManagedAttribute("The SecureRandom algorithm")
public String getSecureRandomAlgorithm()

Returns:

The algorithm name, which if set is passed to SecureRandom.getInstance(String) to obtain the SecureRandom instance passed to SSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)

setSecureRandomAlgorithm

public void setSecureRandomAlgorithm(String algorithm)

Parameters:

algorithm - The algorithm name, which if set is passed to SecureRandom.getInstance(String) to obtain the SecureRandom instance passed to SSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)

getKeyManagerFactoryAlgorithm

@ManagedAttribute("The KeyManagerFactory algorithm")
public String getKeyManagerFactoryAlgorithm()

Returns:

The algorithm name (default "SunX509") used by the KeyManagerFactory

setKeyManagerFactoryAlgorithm

public void setKeyManagerFactoryAlgorithm(String algorithm)

Parameters:

algorithm - The algorithm name (default "SunX509") used by the KeyManagerFactory

getTrustManagerFactoryAlgorithm

@ManagedAttribute("The TrustManagerFactory algorithm")
public String getTrustManagerFactoryAlgorithm()

Returns:

The algorithm name (default "SunX509") used by the TrustManagerFactory

isTrustAll

@ManagedAttribute("Whether certificates should be trusted even if they are invalid")
public boolean isTrustAll()

Returns:

True if all certificates should be trusted if there is no KeyStore or TrustStore

setTrustAll

public void setTrustAll(boolean trustAll)

Parameters:

trustAll - True if all certificates should be trusted if there is no KeyStore or TrustStore

setTrustManagerFactoryAlgorithm

public void setTrustManagerFactoryAlgorithm(String algorithm)

Parameters:

algorithm - The algorithm name (default "SunX509") used by the TrustManagerFactory Use the string "TrustAll" to install a trust manager that trusts all.

isRenegotiationAllowed

@ManagedAttribute("Whether renegotiation is allowed")
public boolean isRenegotiationAllowed()

Returns:

whether TLS renegotiation is allowed (true by default)

setRenegotiationAllowed

public void setRenegotiationAllowed(boolean renegotiationAllowed)

Parameters:

renegotiationAllowed - whether TLS renegotiation is allowed

getRenegotiationLimit

@ManagedAttribute("The max number of renegotiations allowed")
public int getRenegotiationLimit()

Returns:

The number of renegotiations allowed for this connection. When the limit is 0 renegotiation will be denied. If the limit is less than 0 then no limit is applied.

setRenegotiationLimit

public void setRenegotiationLimit(int renegotiationLimit)

Parameters:

renegotiationLimit - The number of renegotions allowed for this connection. When the limit is 0 renegotiation will be denied. If the limit is less than 0 then no limit is applied. Default 5.

getCrlPath

@ManagedAttribute("The path to the certificate revocation list file")
public String getCrlPath()

Returns:

Path to file that contains Certificate Revocation List

setCrlPath

public void setCrlPath(String crlPath)

Parameters:

crlPath - Path to file that contains Certificate Revocation List

getMaxCertPathLength

@ManagedAttribute("The maximum number of intermediate certificates")
public int getMaxCertPathLength()

Returns:

Maximum number of intermediate certificates in the certification path (-1 for unlimited)

setMaxCertPathLength

public void setMaxCertPathLength(int maxCertPathLength)

Parameters:

maxCertPathLength - maximum number of intermediate certificates in the certification path (-1 for unlimited)

getSslContext

public SSLContext getSslContext()

Returns:

The SSLContext

setSslContext

public void setSslContext(SSLContext sslContext)

Parameters:

sslContext - Set a preconfigured SSLContext

getEndpointIdentificationAlgorithm

@ManagedAttribute("The endpoint identification algorithm")
public String getEndpointIdentificationAlgorithm()

Returns:

the endpoint identification algorithm

setEndpointIdentificationAlgorithm

public void setEndpointIdentificationAlgorithm(String endpointIdentificationAlgorithm)

When set to "HTTPS" hostname verification will be enabled. Deployments can be vulnerable to a man-in-the-middle attack if a EndpointIdentificationAlgorithm is not set.

Parameters:

endpointIdentificationAlgorithm - Set the endpointIdentificationAlgorithm

See Also:

• setHostnameVerifier(HostnameVerifier)

getPkixCertPathChecker

public PKIXCertPathChecker getPkixCertPathChecker()

setPkixCertPathChecker

public void setPkixCertPathChecker(PKIXCertPathChecker pkixCertPatchChecker)

loadKeyStore

protected KeyStore loadKeyStore(Resource resource)
                         throws Exception

Override this method to provide alternate way to load a keystore.

Parameters:

resource - the resource to load the keystore from

Returns:

the key store instance

Throws:

Exception - if the keystore cannot be loaded

loadTrustStore

protected KeyStore loadTrustStore(Resource resource)
                           throws Exception

Override this method to provide alternate way to load a truststore.

Parameters:

resource - the resource to load the truststore from

Returns:

the key store instance

Throws:

Exception - if the truststore cannot be loaded

loadCRL

protected Collection<? extends CRL> loadCRL(String crlPath)
                                     throws Exception

Loads certificate revocation list (CRL) from a file.

Required for integrations to be able to override the mechanism used to load CRL in order to provide their own implementation.

Parameters:

crlPath - path of certificate revocation list file

Returns:

Collection of CRL's

Throws:

Exception - if the certificate revocation list cannot be loaded

getKeyManagers

protected KeyManager[] getKeyManagers(KeyStore keyStore)
                               throws Exception

Throws:

Exception

getTrustManagers

protected TrustManager[] getTrustManagers(KeyStore trustStore,
 Collection<? extends CRL> crls)
                                   throws Exception

Throws:

Exception

newPKIXBuilderParameters

protected PKIXBuilderParameters newPKIXBuilderParameters(KeyStore trustStore,
 Collection<? extends CRL> crls)
                                                  throws Exception

Throws:

Exception

selectProtocols

public void selectProtocols(String[] enabledProtocols,
 String[] supportedProtocols)

Select protocols to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported protocols.

Parameters:

enabledProtocols - Array of enabled protocols

supportedProtocols - Array of supported protocols

selectCipherSuites

protected void selectCipherSuites(String[] enabledCipherSuites,
 String[] supportedCipherSuites)

Select cipher suites to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported cipher suite lists.

Parameters:

enabledCipherSuites - Array of enabled cipher suites

supportedCipherSuites - Array of supported cipher suites

processIncludeCipherSuites

@Deprecated
protected void processIncludeCipherSuites(String[] supportedCipherSuites,
 List<String> selectedCiphers)

Deprecated.

no replacement

removeExcludedCipherSuites

@Deprecated
protected void removeExcludedCipherSuites(List<String> selectedCiphers)

Deprecated.

no replacement

isEnableCRLDP

@ManagedAttribute("Whether certificate revocation list distribution points is enabled")
public boolean isEnableCRLDP()

Returns:

true if CRL Distribution Points support is enabled

setEnableCRLDP

public void setEnableCRLDP(boolean enableCRLDP)

Enables CRL Distribution Points Support

Parameters:

enableCRLDP - true - turn on, false - turns off

isEnableOCSP

@ManagedAttribute("Whether online certificate status protocol support is enabled")
public boolean isEnableOCSP()

Returns:

true if On-Line Certificate Status Protocol support is enabled

setEnableOCSP

public void setEnableOCSP(boolean enableOCSP)

Enables On-Line Certificate Status Protocol support

Parameters:

enableOCSP - true - turn on, false - turn off

getOcspResponderURL

@ManagedAttribute("The online certificate status protocol URL")
public String getOcspResponderURL()

Returns:

Location of the OCSP Responder

setOcspResponderURL

public void setOcspResponderURL(String ocspResponderURL)

Set the location of the OCSP Responder.

Parameters:

ocspResponderURL - location of the OCSP Responder

setKeyStore

public void setKeyStore(KeyStore keyStore)

Set the key store.

Parameters:

keyStore - the key store to set

getKeyStore

public KeyStore getKeyStore()

setTrustStore

public void setTrustStore(KeyStore trustStore)

Set the trust store.

Parameters:

trustStore - the trust store to set

getTrustStore

public KeyStore getTrustStore()

setKeyStoreResource

public void setKeyStoreResource(Resource resource)

Set the key store resource.

Parameters:

resource - the key store resource to set

getKeyStoreResource

public Resource getKeyStoreResource()

setTrustStoreResource

public void setTrustStoreResource(Resource resource)

Set the trust store resource.

Parameters:

resource - the trust store resource to set

getTrustStoreResource

public Resource getTrustStoreResource()

isSessionCachingEnabled

@ManagedAttribute("Whether TLS session caching is enabled")
public boolean isSessionCachingEnabled()

Returns:

true if SSL Session caching is enabled

setSessionCachingEnabled

public void setSessionCachingEnabled(boolean enableSessionCaching)

Set the flag to enable SSL Session caching. If set to true, then the SSLContext.createSSLEngine(String, int) method is used to pass host and port information as a hint for session reuse. Note that this is only a hint and session may not be reused. Moreover, the hint is typically only used on client side implementations and setting this to false does not stop a server from accepting an offered session ID to reuse.

Parameters:

enableSessionCaching - the value of the flag

getSslSessionCacheSize

@ManagedAttribute("The maximum TLS session cache size")
public int getSslSessionCacheSize()

Get SSL session cache size. Passed directly to SSLSessionContext.setSessionCacheSize(int)

Returns:

SSL session cache size

setSslSessionCacheSize

public void setSslSessionCacheSize(int sslSessionCacheSize)

Set SSL session cache size.

Set the max cache size to be set on SSLSessionContext.setSessionCacheSize(int) when this factory is started.

Parameters:

sslSessionCacheSize - SSL session cache size to set. A value of -1 (default) uses the JVM default, 0 means unlimited and positive number is a max size.

getSslSessionTimeout

@ManagedAttribute("The TLS session cache timeout, in seconds")
public int getSslSessionTimeout()

Get SSL session timeout.

Returns:

SSL session timeout

setSslSessionTimeout

public void setSslSessionTimeout(int sslSessionTimeout)

Set SSL session timeout.

Set the timeout in seconds to be set on SSLSessionContext.setSessionTimeout(int) when this factory is started.

Parameters:

sslSessionTimeout - SSL session timeout to set in seconds. A value of -1 (default) uses the JVM default, 0 means unlimited and positive number is a timeout in seconds.

getHostnameVerifier

public HostnameVerifier getHostnameVerifier()

Returns:

the HostnameVerifier used by a client to verify host names in the server certificate

setHostnameVerifier

public void setHostnameVerifier(HostnameVerifier hostnameVerifier)

Sets a HostnameVerifier used by a client to verify host names in the server certificate.

The HostnameVerifier works in conjunction with setEndpointIdentificationAlgorithm(String).

When endpointIdentificationAlgorithm=="HTTPS" (the default) the JDK TLS implementation checks that the host name indication set by the client matches the host names in the server certificate. If this check passes successfully, the HostnameVerifier is invoked and the application can perform additional checks and allow/deny the connection to the server.

When endpointIdentificationAlgorithm==null the JDK TLS implementation will not check the host names, and any check is therefore performed only by the HostnameVerifier.

Parameters:

hostnameVerifier - the HostnameVerifier used by a client to verify host names in the server certificate

getPassword

protected Password getPassword(String realm)

Returns the password object for the given realm.

Parameters:

realm - the realm

Returns:

the Password object

newPassword

public Password newPassword(String password)

Creates a new Password object.

Parameters:

password - the password string

Returns:

the new Password object

newSslServerSocket

public SSLServerSocket newSslServerSocket(String host,
 int port,
 int backlog)
                                   throws IOException

Throws:

IOException

newSslSocket

public SSLSocket newSslSocket()
                       throws IOException

Throws:

IOException

getCertificateFactoryInstance

protected CertificateFactory getCertificateFactoryInstance(String type)
                                                    throws CertificateException

Throws:

CertificateException

getCertStoreInstance

protected CertStore getCertStoreInstance(Collection<? extends CRL> crls)
                                  throws InvalidAlgorithmParameterException,
NoSuchAlgorithmException

Throws:

InvalidAlgorithmParameterException

NoSuchAlgorithmException

getKeyManagerFactoryInstance

protected KeyManagerFactory getKeyManagerFactoryInstance()
                                                  throws NoSuchAlgorithmException

Throws:

NoSuchAlgorithmException

getSecureRandomInstance

protected SecureRandom getSecureRandomInstance()
                                        throws NoSuchAlgorithmException

Throws:

NoSuchAlgorithmException

getSSLContextInstance

protected SSLContext getSSLContextInstance()
                                    throws NoSuchAlgorithmException

Throws:

NoSuchAlgorithmException

getTrustManagerFactoryInstance

protected TrustManagerFactory getTrustManagerFactoryInstance()
                                                      throws NoSuchAlgorithmException

Throws:

NoSuchAlgorithmException

newSSLEngine

public SSLEngine newSSLEngine()

Factory method for "scratch" SSLEngines, usually only used for retrieving configuration information such as the application buffer size or the list of protocols/ciphers.

This method should not be used for creating SSLEngines that are used in actual socket communication.

Returns:

a new, "scratch" SSLEngine

newSSLEngine

public SSLEngine newSSLEngine(String host,
 int port)

General purpose factory method for creating SSLEngines, although creation of SSLEngines on the server-side should prefer newSSLEngine(InetSocketAddress).

Parameters:

host - the remote host

port - the remote port

Returns:

a new SSLEngine

newSSLEngine

public SSLEngine newSSLEngine(InetSocketAddress address)

Server-side only factory method for creating SSLEngines.

If the given address is null, it is equivalent to newSSLEngine(), otherwise newSSLEngine(String, int) is called.

Clients that wish to create SSLEngine instances must use newSSLEngine(String, int).

Parameters:

address - the remote peer address

Returns:

a new SSLEngine

customize

public void customize(SSLEngine sslEngine)

Customize an SslEngine instance with the configuration of this factory, by calling customize(SSLParameters)

Parameters:

sslEngine - the SSLEngine to customize

customize

public SSLParameters customize(SSLParameters sslParams)

Customize an SslParameters instance with the configuration of this factory.

Parameters:

sslParams - The parameters to customize

Returns:

The passed instance of sslParams (returned as a convenience)

reload

public void reload(Consumer<SslContextFactory> consumer)
            throws Exception

Throws:

Exception

getCertChain

public static X509Certificate[] getCertChain(SSLSession sslSession)

Obtain the X509 Certificate Chain from the provided SSLSession using the default CertificateFactory behaviors

Parameters:

sslSession - the session to use for active peer certificates

Returns:

the certificate chain

getX509CertChain

public X509Certificate[] getX509CertChain(SSLSession sslSession)

Obtain the X509 Certificate Chain from the provided SSLSession using this SslContextFactory's optional Provider specific CertificateFactory.

Parameters:

sslSession - the session to use for active peer certificates

Returns:

the certificate chain

deduceKeyLength

public static int deduceKeyLength(String cipherSuite)

Given the name of a TLS/SSL cipher suite, return an int representing it effective stream cipher key strength. i.e. How much entropy material is in the key material being fed into the encryption routines.

This is based on the information on effective key lengths in RFC 2246 - The TLS Protocol Version 1.0, Appendix C. CipherSuite definitions:

                         Effective
     Cipher       Type    Key Bits

     NULL       * Stream     0
     IDEA_CBC     Block    128
     RC2_CBC_40 * Block     40
     RC4_40     * Stream    40
     RC4_128      Stream   128
     DES40_CBC  * Block     40
     DES_CBC      Block     56
     3DES_EDE_CBC Block    168
 

Parameters:

cipherSuite - String name of the TLS cipher suite.

Returns:

int indicating the effective key entropy bit-length.

validateCerts

public void validateCerts(X509Certificate[] certs)
                   throws Exception

Throws:

Exception

toString

public String toString()

Overrides:

toString in class AbstractLifeCycle