Class SslContextFactory.Server
- All Implemented Interfaces:
Container
,Destroyable
,Dumpable
,Dumpable.DumpableContainer
,LifeCycle
,SniX509ExtendedKeyManager.SniSelector
- Enclosing class:
- SslContextFactory
-
Nested Class Summary
Nested classes/interfaces inherited from class org.eclipse.jetty.util.ssl.SslContextFactory
SslContextFactory.Client, SslContextFactory.Server, SslContextFactory.X509ExtendedKeyManagerWrapper, SslContextFactory.X509ExtendedTrustManagerWrapper
Nested classes/interfaces inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle
AbstractLifeCycle.AbstractLifeCycleListener, AbstractLifeCycle.StopException
Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.Container
Container.InheritedListener, Container.Listener
Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.Dumpable
Dumpable.DumpableContainer
Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.LifeCycle
LifeCycle.Listener
-
Field Summary
Fields inherited from class org.eclipse.jetty.util.ssl.SslContextFactory
DEFAULT_KEYMANAGERFACTORY_ALGORITHM, DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM, KEYPASSWORD_PROPERTY, PASSWORD_PROPERTY, TRUST_ALL_CERTS
Fields inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle
FAILED, STARTED, STARTING, STOPPED, STOPPING
Fields inherited from interface org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager.SniSelector
DELEGATE
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionprotected KeyManager[]
getKeyManagers
(KeyStore keyStore) boolean
boolean
boolean
Returns whether an SNI match is required when choosing the alias that identifies the certificate to send to the client.protected X509ExtendedKeyManager
newSniX509ExtendedKeyManager
(X509ExtendedKeyManager keyManager) void
setNeedClientAuth
(boolean needClientAuth) void
setSniRequired
(boolean sniRequired) Sets whether an SNI match is required when choosing the alias that identifies the certificate to send to the client.void
setSNISelector
(SniX509ExtendedKeyManager.SniSelector sniSelector) Sets a custom function to select certificates based on SNI information.void
setWantClientAuth
(boolean wantClientAuth) sniSelect
(String keyType, Principal[] issuers, SSLSession session, String sniHost, Collection<X509> certificates) Selects a certificate based on SNI information.Methods inherited from class org.eclipse.jetty.util.ssl.SslContextFactory
addExcludeCipherSuites, addExcludeProtocols, checkCiphers, checkConfiguration, checkEndPointIdentificationAlgorithm, checkProtocols, checkTrustAll, customize, customize, deduceKeyLength, doStart, doStop, dump, dump, getAliases, getCertAlias, getCertChain, getCertificateFactoryInstance, getCertStoreInstance, getCipherComparator, getCredential, getCrlPath, getEndpointIdentificationAlgorithm, getExcludeCipherSuites, getExcludeProtocols, getHostnameVerifier, getIncludeCipherSuites, getIncludeProtocols, getKeyManagerFactoryAlgorithm, getKeyManagerFactoryInstance, getKeyManagerPassword, getKeyStore, getKeyStorePassword, getKeyStorePath, getKeyStoreProvider, getKeyStoreResource, getKeyStoreType, getMaxCertPathLength, getOcspResponderURL, getPassword, getPkixCertPathChecker, getProtocol, getProvider, getRenegotiationLimit, getSecureRandomAlgorithm, getSecureRandomInstance, getSelectedCipherSuites, getSelectedProtocols, getSslContext, getSSLContextInstance, getSslSessionCacheSize, getSslSessionTimeout, getTrustManagerFactoryAlgorithm, getTrustManagerFactoryInstance, getTrustManagers, getTrustStore, getTrustStorePath, getTrustStoreProvider, getTrustStoreResource, getTrustStoreType, getX509, getX509CertChain, isEnableCRLDP, isEnableOCSP, isRenegotiationAllowed, isSessionCachingEnabled, isTrustAll, isUseCipherSuitesOrder, isValidateCerts, isValidatePeerCerts, loadCRL, loadKeyStore, loadTrustStore, newCredential, newPassword, newPKIXBuilderParameters, newSSLEngine, newSSLEngine, newSSLEngine, newSslServerSocket, newSslSocket, processIncludeCipherSuites, reload, removeExcludedCipherSuites, selectCipherSuites, selectProtocols, setCertAlias, setCipherComparator, setCrlPath, setEnableCRLDP, setEnableOCSP, setEndpointIdentificationAlgorithm, setExcludeCipherSuites, setExcludeProtocols, setHostnameVerifier, setIncludeCipherSuites, setIncludeProtocols, setKeyManagerFactoryAlgorithm, setKeyManagerPassword, setKeyStore, setKeyStorePassword, setKeyStorePath, setKeyStoreProvider, setKeyStoreResource, setKeyStoreType, setMaxCertPathLength, setOcspResponderURL, setPkixCertPathChecker, setProtocol, setProvider, setRenegotiationAllowed, setRenegotiationLimit, setSecureRandomAlgorithm, setSessionCachingEnabled, setSslContext, setSslSessionCacheSize, setSslSessionTimeout, setTrustAll, setTrustManagerFactoryAlgorithm, setTrustStore, setTrustStorePassword, setTrustStorePath, setTrustStoreProvider, setTrustStoreResource, setTrustStoreType, setUseCipherSuitesOrder, setValidateCerts, setValidatePeerCerts, toString, validateCerts
Methods inherited from class org.eclipse.jetty.util.component.ContainerLifeCycle
addBean, addBean, addEventListener, addManaged, contains, destroy, dump, dumpObjects, dumpStdErr, getBean, getBeans, getBeans, getContainedBeans, getContainedBeans, installBean, installBean, isAuto, isManaged, isUnmanaged, manage, removeBean, removeBeans, removeEventListener, setBeans, start, stop, unmanage, updateBean, updateBean, updateBeans, updateBeans
Methods inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle
getEventListeners, getState, getState, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, setEventListeners, start, stop
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
Methods inherited from interface org.eclipse.jetty.util.component.Container
getCachedBeans, getEventListeners
Methods inherited from interface org.eclipse.jetty.util.component.Dumpable.DumpableContainer
isDumpable
-
Field Details
-
SNI_HOST
- See Also:
-
-
Constructor Details
-
Server
public Server()
-
-
Method Details
-
getNeedClientAuth
- Returns:
- True if SSL needs client authentication.
- See Also:
-
setNeedClientAuth
public void setNeedClientAuth(boolean needClientAuth) - Parameters:
needClientAuth
- True if SSL needs client authentication.- See Also:
-
getWantClientAuth
- Returns:
- True if SSL wants client authentication.
- See Also:
-
setWantClientAuth
public void setWantClientAuth(boolean wantClientAuth) - Parameters:
wantClientAuth
- True if SSL wants client authentication.- See Also:
-
isSniRequired
@ManagedAttribute("Whether the TLS handshake is rejected if there is no SNI host match") public boolean isSniRequired()Returns whether an SNI match is required when choosing the alias that identifies the certificate to send to the client.
The exact logic to choose an alias given the SNI is configurable via
setSNISelector(SniX509ExtendedKeyManager.SniSelector)
.The default implementation is
sniSelect(String, Principal[], SSLSession, String, Collection)
and if SNI is not required it will delegate the TLS implementation to choose an alias (typically the first alias in the KeyStore).Note that if a non SNI handshake is accepted, requests may still be rejected at the HTTP level for incorrect SNI (see SecureRequestCustomizer).
- Returns:
- whether an SNI match is required when choosing the alias that identifies the certificate
-
setSniRequired
public void setSniRequired(boolean sniRequired) Sets whether an SNI match is required when choosing the alias that identifies the certificate to send to the client.
This setting may have no effect if
sniSelect(String, Principal[], SSLSession, String, Collection)
is overridden or a custom function is passed tosetSNISelector(SniX509ExtendedKeyManager.SniSelector)
.- Parameters:
sniRequired
- whether an SNI match is required when choosing the alias that identifies the certificate
-
getKeyManagers
- Overrides:
getKeyManagers
in classSslContextFactory
- Throws:
Exception
-
getSNISelector
- Returns:
- the custom function to select certificates based on SNI information
-
setSNISelector
Sets a custom function to select certificates based on SNI information.
- Parameters:
sniSelector
- the selection function
-
sniSelect
public String sniSelect(String keyType, Principal[] issuers, SSLSession session, String sniHost, Collection<X509> certificates) Description copied from interface:SniX509ExtendedKeyManager.SniSelector
Selects a certificate based on SNI information.
This method may be invoked multiple times during the TLS handshake, with different parameters. For example, the
keyType
could be different, and subsequently the collection of certificates (because they need to match thekeyType
).- Specified by:
sniSelect
in interfaceSniX509ExtendedKeyManager.SniSelector
- Parameters:
keyType
- the key algorithm type nameissuers
- the list of acceptable CA issuer subject names or null if it does not matter which issuers are usedsession
- the TLS handshake session or null if not known.sniHost
- the server name indication sent by the client, or null if the client did not send the server name indicationcertificates
- the list of certificates matchingkeyType
andissuers
known to this SslContextFactory- Returns:
- the alias of the certificate to return to the client, from the
certificates
list, orSniX509ExtendedKeyManager.SniSelector.DELEGATE
if the certificate choice should be delegated to the nested key manager or null for no match.
-
newSniX509ExtendedKeyManager
-