Package org.eclipse.jetty.util.ssl

Class SslContextFactory.Server

java.lang.Object
org.eclipse.jetty.util.component.AbstractLifeCycle
org.eclipse.jetty.util.ssl.SslContextFactory
org.eclipse.jetty.util.ssl.SslContextFactory.Server
All Implemented Interfaces:
Dumpable, LifeCycle, SniX509ExtendedKeyManager.SniSelector
Enclosing class:
SslContextFactory
@ManagedObject public static class SslContextFactory.Server extends SslContextFactory implements SniX509ExtendedKeyManager.SniSelector

  • Field Details

  • Constructor Details

    • Server

      public Server()

  • Method Details

    • getNeedClientAuth

      @ManagedAttribute("Whether client authentication is needed") public boolean getNeedClientAuth()
      Returns:
      True if SSL needs client authentication.
      See Also:

    • setNeedClientAuth

      public void setNeedClientAuth(boolean needClientAuth)
      Parameters:
      needClientAuth - True if SSL needs client authentication.
      See Also:

    • getWantClientAuth

      @ManagedAttribute("Whether client authentication is wanted") public boolean getWantClientAuth()
      Returns:
      True if SSL wants client authentication.
      See Also:

    • setWantClientAuth

      public void setWantClientAuth(boolean wantClientAuth)
      Parameters:
      wantClientAuth - True if SSL wants client authentication.
      See Also:

    • isSniRequired

      @ManagedAttribute("Whether the TLS handshake is rejected if there is no SNI host match") public boolean isSniRequired()

      Returns whether an SNI match is required when choosing the alias that identifies the certificate to send to the client.

      The exact logic to choose an alias given the SNI is configurable via setSNISelector(SniX509ExtendedKeyManager.SniSelector).

      The default implementation is sniSelect(String, Principal[], SSLSession, String, Collection) and if SNI is not required it will delegate the TLS implementation to choose an alias (typically the first alias in the KeyStore).

      Note that if a non SNI handshake is accepted, requests may still be rejected at the HTTP level for incorrect SNI (see SecureRequestCustomizer).

      Returns:
      whether an SNI match is required when choosing the alias that identifies the certificate

    • setSniRequired

      public void setSniRequired(boolean sniRequired)

      Sets whether an SNI match is required when choosing the alias that identifies the certificate to send to the client.

      This setting may have no effect if sniSelect(String, Principal[], SSLSession, String, Collection) is overridden or a custom function is passed to setSNISelector(SniX509ExtendedKeyManager.SniSelector).

      Parameters:
      sniRequired - whether an SNI match is required when choosing the alias that identifies the certificate

    • getKeyManagers

      protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
      Overrides:
      getKeyManagers in class SslContextFactory
      Throws:
      Exception

    • getSNISelector

      public SniX509ExtendedKeyManager.SniSelector getSNISelector()
      Returns:
      the custom function to select certificates based on SNI information

    • setSNISelector

      public void setSNISelector(SniX509ExtendedKeyManager.SniSelector sniSelector)

      Sets a custom function to select certificates based on SNI information.

      Parameters:
      sniSelector - the selection function

    • sniSelect

      public String sniSelect(String keyType, Principal[] issuers, SSLSession session, String sniHost, Collection<X509> certificates)
      Description copied from interface: SniX509ExtendedKeyManager.SniSelector

      Selects a certificate based on SNI information.

      This method may be invoked multiple times during the TLS handshake, with different parameters. For example, the keyType could be different, and subsequently the collection of certificates (because they need to match the keyType).

      Specified by:
      sniSelect in interface SniX509ExtendedKeyManager.SniSelector
      Parameters:
      keyType - the key algorithm type name
      issuers - the list of acceptable CA issuer subject names or null if it does not matter which issuers are used
      session - the TLS handshake session or null if not known.
      sniHost - the server name indication sent by the client, or null if the client did not send the server name indication
      certificates - the list of certificates matching keyType and issuers known to this SslContextFactory
      Returns:
      the alias of the certificate to return to the client, from the certificates list, or SniX509ExtendedKeyManager.SniSelector.DELEGATE if the certificate choice should be delegated to the nested key manager or null for no match.

    • newSniX509ExtendedKeyManager

      protected X509ExtendedKeyManager newSniX509ExtendedKeyManager(X509ExtendedKeyManager keyManager)