Class SslContextFactory

All Implemented Interfaces:
Container, Destroyable, Dumpable, Dumpable.DumpableContainer, LifeCycle
Direct Known Subclasses:
SslContextFactory.Client, SslContextFactory.Server

@ManagedObject public abstract class SslContextFactory extends ContainerLifeCycle implements Dumpable

SslContextFactory is used to configure SSL parameters to be used by server and client connectors.

Use SslContextFactory.Server to configure server-side connectors, and SslContextFactory.Client to configure HTTP or WebSocket clients.

  • Field Details

    • TRUST_ALL_CERTS

      public static final TrustManager[] TRUST_ALL_CERTS
    • DEFAULT_KEYMANAGERFACTORY_ALGORITHM

      public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM
    • DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM

      public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM
    • KEYPASSWORD_PROPERTY

      public static final String KEYPASSWORD_PROPERTY
      String name of key password property.
      See Also:
    • PASSWORD_PROPERTY

      public static final String PASSWORD_PROPERTY
      String name of keystore password property.
      See Also:
  • Constructor Details

    • SslContextFactory

      protected SslContextFactory()
      Construct an instance of SslContextFactory with the default configuration.
    • SslContextFactory

      public SslContextFactory(boolean trustAll)
      Construct an instance of SslContextFactory that trusts all certificates
      Parameters:
      trustAll - whether to blindly trust all certificates
      See Also:
  • Method Details

    • doStart

      protected void doStart() throws Exception
      Creates the SSLContext object and starts the lifecycle
      Overrides:
      doStart in class ContainerLifeCycle
      Throws:
      AbstractLifeCycle.StopException - If thrown, the lifecycle will immediately be stopped.
      Exception - If there was a problem starting. Will cause a transition to FAILED state
    • checkConfiguration

      protected void checkConfiguration()
    • checkTrustAll

      protected void checkTrustAll()
    • checkEndPointIdentificationAlgorithm

      protected void checkEndPointIdentificationAlgorithm()
    • checkProtocols

      protected void checkProtocols(SSLParameters supported)
    • checkCiphers

      protected void checkCiphers(SSLParameters supported)
    • dump

      public String dump()
      Specified by:
      dump in interface Dumpable
      Overrides:
      dump in class ContainerLifeCycle
    • dump

      public void dump(Appendable out, String indent) throws IOException
      Description copied from interface: Dumpable
      Dump this object (and children) into an Appendable using the provided indent after any new lines. The indent should not be applied to the first object dumped.
      Specified by:
      dump in interface Dumpable
      Overrides:
      dump in class ContainerLifeCycle
      Parameters:
      out - The appendable to dump to
      indent - The indent to apply after any new lines.
      Throws:
      IOException - if unable to write to Appendable
    • doStop

      protected void doStop() throws Exception
      Description copied from class: ContainerLifeCycle
      Stops the managed lifecycle beans in the reverse order they were added.
      Overrides:
      doStop in class ContainerLifeCycle
      Throws:
      Exception - If there was a problem stopping. Will cause a transition to FAILED state
    • getSelectedProtocols

      @ManagedAttribute(value="The selected TLS protocol versions", readonly=true) public String[] getSelectedProtocols()
    • getSelectedCipherSuites

      @ManagedAttribute(value="The selected cipher suites", readonly=true) public String[] getSelectedCipherSuites()
    • getCipherComparator

      public Comparator<String> getCipherComparator()
    • setCipherComparator

      public void setCipherComparator(Comparator<String> cipherComparator)
    • getAliases

      public Set<String> getAliases()
    • getX509

      public X509 getX509(String alias)
    • getExcludeProtocols

      @ManagedAttribute("The excluded TLS protocols") public String[] getExcludeProtocols()
      Returns:
      The array of protocol names to exclude from SSLEngine.setEnabledProtocols(String[])
    • setExcludeProtocols

      public void setExcludeProtocols(String... protocols)
      You can either use the exact Protocol name or a a regular expression.
      Parameters:
      protocols - The array of protocol names to exclude from SSLEngine.setEnabledProtocols(String[])
    • addExcludeProtocols

      public void addExcludeProtocols(String... protocol)
      You can either use the exact Protocol name or a a regular expression.
      Parameters:
      protocol - Protocol name patterns to add to SSLEngine.setEnabledProtocols(String[])
    • getIncludeProtocols

      @ManagedAttribute("The included TLS protocols") public String[] getIncludeProtocols()
      Returns:
      The array of protocol name patterns to include in SSLEngine.setEnabledProtocols(String[])
    • setIncludeProtocols

      public void setIncludeProtocols(String... protocols)
      You can either use the exact Protocol name or a a regular expression.
      Parameters:
      protocols - The array of protocol name patterns to include in SSLEngine.setEnabledProtocols(String[])
    • getExcludeCipherSuites

      @ManagedAttribute("The excluded cipher suites") public String[] getExcludeCipherSuites()
      Returns:
      The array of cipher suite name patterns to exclude from SSLEngine.setEnabledCipherSuites(String[])
    • setExcludeCipherSuites

      public void setExcludeCipherSuites(String... cipherSuites)
      You can either use the exact Cipher suite name or a a regular expression.
      Parameters:
      cipherSuites - The array of cipher suite names to exclude from SSLEngine.setEnabledCipherSuites(String[])
    • addExcludeCipherSuites

      public void addExcludeCipherSuites(String... cipher)
      You can either use the exact Cipher suite name or a a regular expression.
      Parameters:
      cipher - Cipher names to add to SSLEngine.setEnabledCipherSuites(String[])
    • getIncludeCipherSuites

      @ManagedAttribute("The included cipher suites") public String[] getIncludeCipherSuites()
      Returns:
      The array of Cipher suite names to include in SSLEngine.setEnabledCipherSuites(String[])
    • setIncludeCipherSuites

      public void setIncludeCipherSuites(String... cipherSuites)
      You can either use the exact Cipher suite name or a a regular expression.
      Parameters:
      cipherSuites - The array of cipher suite names to include in SSLEngine.setEnabledCipherSuites(String[])
    • isUseCipherSuitesOrder

      @ManagedAttribute("Whether to respect the cipher suites order") public boolean isUseCipherSuitesOrder()
    • setUseCipherSuitesOrder

      public void setUseCipherSuitesOrder(boolean useCipherSuitesOrder)
    • getKeyStorePath

      @ManagedAttribute("The keyStore path") public String getKeyStorePath()
      Returns:
      The file or URL of the SSL Key store.
    • setKeyStorePath

      public void setKeyStorePath(String keyStorePath)
      Parameters:
      keyStorePath - The file or URL of the SSL Key store.
    • getKeyStoreProvider

      @ManagedAttribute("The keyStore provider name") public String getKeyStoreProvider()
      Returns:
      The provider of the key store
    • setKeyStoreProvider

      public void setKeyStoreProvider(String keyStoreProvider)
      Parameters:
      keyStoreProvider - The provider of the key store
    • getKeyStoreType

      @ManagedAttribute("The keyStore type") public String getKeyStoreType()
      Returns:
      The type of the key store (default "PKCS12")
    • setKeyStoreType

      public void setKeyStoreType(String keyStoreType)
      Parameters:
      keyStoreType - The type of the key store
    • getCertAlias

      @ManagedAttribute("The certificate alias") public String getCertAlias()
      Returns:
      Alias of SSL certificate for the connector
    • setCertAlias

      public void setCertAlias(String certAlias)
      Set the default certificate Alias.

      This can be used if there are multiple non-SNI certificates to specify the certificate that should be used, or with SNI certificates to set a certificate to try if no others match

      Parameters:
      certAlias - Alias of SSL certificate for the connector
    • getTrustStorePath

      @ManagedAttribute("The trustStore path") public String getTrustStorePath()
    • setTrustStorePath

      public void setTrustStorePath(String trustStorePath)
      Parameters:
      trustStorePath - The file name or URL of the trust store location
    • getTrustStoreProvider

      @ManagedAttribute("The trustStore provider name") public String getTrustStoreProvider()
      Returns:
      The provider of the trust store
    • setTrustStoreProvider

      public void setTrustStoreProvider(String trustStoreProvider)
      Parameters:
      trustStoreProvider - The provider of the trust store
    • getTrustStoreType

      @ManagedAttribute("The trustStore type") public String getTrustStoreType()
      Returns:
      The type of the trust store
    • setTrustStoreType

      public void setTrustStoreType(String trustStoreType)
      Parameters:
      trustStoreType - The type of the trust store
    • isValidateCerts

      @ManagedAttribute("Whether certificates are validated") public boolean isValidateCerts()
      Returns:
      true if SSL certificate has to be validated
    • setValidateCerts

      public void setValidateCerts(boolean validateCerts)
      Set true if SSL certificates have to be validated.
      Parameters:
      validateCerts - true if SSL certificates have to be validated
    • isValidatePeerCerts

      @ManagedAttribute("Whether peer certificates are validated") public boolean isValidatePeerCerts()
      Returns:
      true if SSL certificates of the peer have to be validated
    • setValidatePeerCerts

      public void setValidatePeerCerts(boolean validatePeerCerts)
      Set true if SSL certificates of the peer have to be validated.
      Parameters:
      validatePeerCerts - true if SSL certificates of the peer have to be validated
    • getKeyStorePassword

      public String getKeyStorePassword()
    • setKeyStorePassword

      public void setKeyStorePassword(String password)
      Parameters:
      password - The password for the key store. If null is passed then getCredential(String) is used to obtain a password from the "org.eclipse.jetty.ssl.password" system property.
    • getKeyManagerPassword

      public String getKeyManagerPassword()
    • setKeyManagerPassword

      public void setKeyManagerPassword(String password)
      Parameters:
      password - The password (if any) for the specific key within the key store. If null is passed then getCredential(String) is used to obtain a password from the "org.eclipse.jetty.ssl.keypassword" system property.
    • setTrustStorePassword

      public void setTrustStorePassword(String password)
      Parameters:
      password - The password for the truststore. If null is passed then getCredential(String) is used to obtain a password from the "org.eclipse.jetty.ssl.password" system property.
    • getProvider

      @ManagedAttribute("The provider name") public String getProvider()
      Returns:
      The optional Security Provider name.
    • setProvider

      public void setProvider(String provider)
      Parameters:
      provider - The optional Security Provider name.
    • getProtocol

      @ManagedAttribute("The TLS protocol") public String getProtocol()
      Returns:
      The SSL protocol (default "TLS") passed to SSLContext.getInstance(String, String)
    • setProtocol

      public void setProtocol(String protocol)
      Parameters:
      protocol - The SSL protocol (default "TLS") passed to SSLContext.getInstance(String, String)
    • getSecureRandomAlgorithm

      @ManagedAttribute("The SecureRandom algorithm") public String getSecureRandomAlgorithm()
      Returns:
      The algorithm name, which if set is passed to SecureRandom.getInstance(String) to obtain the SecureRandom instance passed to SSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)
    • setSecureRandomAlgorithm

      public void setSecureRandomAlgorithm(String algorithm)
      Parameters:
      algorithm - The algorithm name, which if set is passed to SecureRandom.getInstance(String) to obtain the SecureRandom instance passed to SSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)
    • getKeyManagerFactoryAlgorithm

      @ManagedAttribute("The KeyManagerFactory algorithm") public String getKeyManagerFactoryAlgorithm()
      Returns:
      The algorithm name (default "SunX509") used by the KeyManagerFactory
    • setKeyManagerFactoryAlgorithm

      public void setKeyManagerFactoryAlgorithm(String algorithm)
      Parameters:
      algorithm - The algorithm name (default "SunX509") used by the KeyManagerFactory
    • getTrustManagerFactoryAlgorithm

      @ManagedAttribute("The TrustManagerFactory algorithm") public String getTrustManagerFactoryAlgorithm()
      Returns:
      The algorithm name (default "SunX509") used by the TrustManagerFactory
    • isTrustAll

      @ManagedAttribute("Whether certificates should be trusted even if they are invalid") public boolean isTrustAll()
      Returns:
      True if all certificates should be trusted if there is no KeyStore or TrustStore
    • setTrustAll

      public void setTrustAll(boolean trustAll)
      Parameters:
      trustAll - True if all certificates should be trusted if there is no KeyStore or TrustStore
    • setTrustManagerFactoryAlgorithm

      public void setTrustManagerFactoryAlgorithm(String algorithm)
      Parameters:
      algorithm - The algorithm name (default "SunX509") used by the TrustManagerFactory Use the string "TrustAll" to install a trust manager that trusts all.
    • isRenegotiationAllowed

      @ManagedAttribute("Whether renegotiation is allowed") public boolean isRenegotiationAllowed()
      Returns:
      whether TLS renegotiation is allowed (false by default)
    • setRenegotiationAllowed

      public void setRenegotiationAllowed(boolean renegotiationAllowed)
      Set whether TLS renegotiation is allowed.
      Parameters:
      renegotiationAllowed - whether TLS renegotiation is allowed
    • getRenegotiationLimit

      @ManagedAttribute("The max number of renegotiations allowed") public int getRenegotiationLimit()
      Returns:
      The number of renegotiations allowed for this connection. When the limit is 0 renegotiation will be denied. If the limit is less than 0 then no limit is applied.
    • setRenegotiationLimit

      public void setRenegotiationLimit(int renegotiationLimit)
      Parameters:
      renegotiationLimit - The number of renegotions allowed for this connection. When the limit is 0 renegotiation will be denied. If the limit is less than 0 then no limit is applied. Default 5.
    • getCrlPath

      @ManagedAttribute("The path to the certificate revocation list file") public String getCrlPath()
      Returns:
      Path to file that contains Certificate Revocation List
    • setCrlPath

      public void setCrlPath(String crlPath)
      Parameters:
      crlPath - Path to file that contains Certificate Revocation List
    • getMaxCertPathLength

      @ManagedAttribute("The maximum number of intermediate certificates") public int getMaxCertPathLength()
      Returns:
      Maximum number of intermediate certificates in the certification path (-1 for unlimited)
    • setMaxCertPathLength

      public void setMaxCertPathLength(int maxCertPathLength)
      Parameters:
      maxCertPathLength - maximum number of intermediate certificates in the certification path (-1 for unlimited)
    • getSslContext

      public SSLContext getSslContext()
      Returns:
      The SSLContext
    • setSslContext

      public void setSslContext(SSLContext sslContext)
      Parameters:
      sslContext - Set a preconfigured SSLContext
    • getEndpointIdentificationAlgorithm

      @ManagedAttribute("The endpoint identification algorithm") public String getEndpointIdentificationAlgorithm()
      Returns:
      the endpoint identification algorithm
    • setEndpointIdentificationAlgorithm

      public void setEndpointIdentificationAlgorithm(String endpointIdentificationAlgorithm)
      When set to "HTTPS" hostname verification will be enabled. Deployments can be vulnerable to a man-in-the-middle attack if a EndpointIdentificationAlgorithm is not set.
      Parameters:
      endpointIdentificationAlgorithm - Set the endpointIdentificationAlgorithm
      See Also:
    • getPkixCertPathChecker

      public PKIXCertPathChecker getPkixCertPathChecker()
    • setPkixCertPathChecker

      public void setPkixCertPathChecker(PKIXCertPathChecker pkixCertPatchChecker)
    • loadKeyStore

      protected KeyStore loadKeyStore(Resource resource) throws Exception
      Override this method to provide alternate way to load a keystore.
      Parameters:
      resource - the resource to load the keystore from
      Returns:
      the key store instance
      Throws:
      Exception - if the keystore cannot be loaded
    • loadTrustStore

      protected KeyStore loadTrustStore(Resource resource) throws Exception
      Override this method to provide alternate way to load a truststore.
      Parameters:
      resource - the resource to load the truststore from
      Returns:
      the key store instance
      Throws:
      Exception - if the truststore cannot be loaded
    • loadCRL

      protected Collection<? extends CRL> loadCRL(String crlPath) throws Exception
      Loads certificate revocation list (CRL) from a file.

      Required for integrations to be able to override the mechanism used to load CRL in order to provide their own implementation.

      Parameters:
      crlPath - path of certificate revocation list file
      Returns:
      Collection of CRL's
      Throws:
      Exception - if the certificate revocation list cannot be loaded
    • getKeyManagers

      protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
      Throws:
      Exception
    • getTrustManagers

      protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
      Throws:
      Exception
    • newPKIXBuilderParameters

      protected PKIXBuilderParameters newPKIXBuilderParameters(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
      Throws:
      Exception
    • selectProtocols

      public void selectProtocols(String[] enabledProtocols, String[] supportedProtocols)
      Select protocols to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported protocols.
      Parameters:
      enabledProtocols - Array of enabled protocols
      supportedProtocols - Array of supported protocols
    • selectCipherSuites

      protected void selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
      Select cipher suites to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported cipher suite lists.
      Parameters:
      enabledCipherSuites - Array of enabled cipher suites
      supportedCipherSuites - Array of supported cipher suites
    • processIncludeCipherSuites

      @Deprecated protected void processIncludeCipherSuites(String[] supportedCipherSuites, List<String> selectedCiphers)
      Deprecated.
      no replacement
    • removeExcludedCipherSuites

      @Deprecated protected void removeExcludedCipherSuites(List<String> selectedCiphers)
      Deprecated.
      no replacement
    • isEnableCRLDP

      @ManagedAttribute("Whether certificate revocation list distribution points is enabled") public boolean isEnableCRLDP()
      Returns:
      true if CRL Distribution Points support is enabled
    • setEnableCRLDP

      public void setEnableCRLDP(boolean enableCRLDP)
      Enables CRL Distribution Points Support
      Parameters:
      enableCRLDP - true - turn on, false - turns off
    • isEnableOCSP

      @ManagedAttribute("Whether online certificate status protocol support is enabled") public boolean isEnableOCSP()
      Returns:
      true if On-Line Certificate Status Protocol support is enabled
    • setEnableOCSP

      public void setEnableOCSP(boolean enableOCSP)
      Enables On-Line Certificate Status Protocol support
      Parameters:
      enableOCSP - true - turn on, false - turn off
    • getOcspResponderURL

      @ManagedAttribute("The online certificate status protocol URL") public String getOcspResponderURL()
      Returns:
      Location of the OCSP Responder
    • setOcspResponderURL

      public void setOcspResponderURL(String ocspResponderURL)
      Set the location of the OCSP Responder.
      Parameters:
      ocspResponderURL - location of the OCSP Responder
    • setKeyStore

      public void setKeyStore(KeyStore keyStore)
      Set the key store.
      Parameters:
      keyStore - the key store to set
    • getKeyStore

      public KeyStore getKeyStore()
    • setTrustStore

      public void setTrustStore(KeyStore trustStore)
      Set the trust store.
      Parameters:
      trustStore - the trust store to set
    • getTrustStore

      public KeyStore getTrustStore()
    • setKeyStoreResource

      public void setKeyStoreResource(Resource resource)
      Set the key store resource.
      Parameters:
      resource - the key store resource to set
    • getKeyStoreResource

      public Resource getKeyStoreResource()
    • setTrustStoreResource

      public void setTrustStoreResource(Resource resource)
      Set the trust store resource.
      Parameters:
      resource - the trust store resource to set
    • getTrustStoreResource

      public Resource getTrustStoreResource()
    • isSessionCachingEnabled

      @ManagedAttribute("Whether TLS session caching is enabled") public boolean isSessionCachingEnabled()
      Returns:
      true if SSL Session caching is enabled
    • setSessionCachingEnabled

      public void setSessionCachingEnabled(boolean enableSessionCaching)
      Set the flag to enable SSL Session caching. If set to true, then the SSLContext.createSSLEngine(String, int) method is used to pass host and port information as a hint for session reuse. Note that this is only a hint and session may not be reused. Moreover, the hint is typically only used on client side implementations and setting this to false does not stop a server from accepting an offered session ID to reuse.
      Parameters:
      enableSessionCaching - the value of the flag
    • getSslSessionCacheSize

      @ManagedAttribute("The maximum TLS session cache size") public int getSslSessionCacheSize()
      Get SSL session cache size. Passed directly to SSLSessionContext.setSessionCacheSize(int)
      Returns:
      SSL session cache size
    • setSslSessionCacheSize

      public void setSslSessionCacheSize(int sslSessionCacheSize)
      Set SSL session cache size.

      Set the max cache size to be set on SSLSessionContext.setSessionCacheSize(int) when this factory is started.

      Parameters:
      sslSessionCacheSize - SSL session cache size to set. A value of -1 (default) uses the JVM default, 0 means unlimited and positive number is a max size.
    • getSslSessionTimeout

      @ManagedAttribute("The TLS session cache timeout, in seconds") public int getSslSessionTimeout()
      Get SSL session timeout.
      Returns:
      SSL session timeout
    • setSslSessionTimeout

      public void setSslSessionTimeout(int sslSessionTimeout)
      Set SSL session timeout.

      Set the timeout in seconds to be set on SSLSessionContext.setSessionTimeout(int) when this factory is started.

      Parameters:
      sslSessionTimeout - SSL session timeout to set in seconds. A value of -1 (default) uses the JVM default, 0 means unlimited and positive number is a timeout in seconds.
    • getHostnameVerifier

      public HostnameVerifier getHostnameVerifier()
      Get the HostnameVerifier used by a client to verify host names in the server certificate.
      Returns:
      the HostnameVerifier used by a client to verify host names in the server certificate
    • setHostnameVerifier

      public void setHostnameVerifier(HostnameVerifier hostnameVerifier)

      Sets a HostnameVerifier used by a client to verify host names in the server certificate.

      The HostnameVerifier works in conjunction with setEndpointIdentificationAlgorithm(String).

      When endpointIdentificationAlgorithm=="HTTPS" (the default) the JDK TLS implementation checks that the host name indication set by the client matches the host names in the server certificate. If this check passes successfully, the HostnameVerifier is invoked and the application can perform additional checks and allow/deny the connection to the server.

      When endpointIdentificationAlgorithm==null the JDK TLS implementation will not check the host names, and any check is therefore performed only by the HostnameVerifier.

      Parameters:
      hostnameVerifier - the HostnameVerifier used by a client to verify host names in the server certificate
    • getPassword

      @Deprecated(since="12.0.13", forRemoval=true) protected Password getPassword(String realm)
      Deprecated, for removal: This API element is subject to removal in a future version.
      use {#link getCredential} instead.
      Returns the password object for the given realm.
      Parameters:
      realm - the realm
      Returns:
      the Password object
    • newPassword

      @Deprecated(since="12.0.13", forRemoval=true) public Password newPassword(String password)
      Deprecated, for removal: This API element is subject to removal in a future version.
      use {#link newCredential} instead.
      Creates a new Password object.
      Parameters:
      password - the password string
      Returns:
      the new Password object
    • getCredential

      protected Credential getCredential(String realm)
      Returns the credential object for the given realm.
      Parameters:
      realm - the realm
      Returns:
      the Credential object
    • newCredential

      public Credential newCredential(String password)
      Creates a new Credential object.
      Parameters:
      password - the password string
      Returns:
      the new Credential object
    • newSslServerSocket

      public SSLServerSocket newSslServerSocket(String host, int port, int backlog) throws IOException
      Throws:
      IOException
    • newSslSocket

      public SSLSocket newSslSocket() throws IOException
      Throws:
      IOException
    • getCertificateFactoryInstance

      protected CertificateFactory getCertificateFactoryInstance(String type) throws CertificateException
      Throws:
      CertificateException
    • getCertStoreInstance

      protected CertStore getCertStoreInstance(Collection<? extends CRL> crls) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException
      Throws:
      InvalidAlgorithmParameterException
      NoSuchAlgorithmException
    • getKeyManagerFactoryInstance

      protected KeyManagerFactory getKeyManagerFactoryInstance() throws NoSuchAlgorithmException
      Throws:
      NoSuchAlgorithmException
    • getSecureRandomInstance

      protected SecureRandom getSecureRandomInstance() throws NoSuchAlgorithmException
      Throws:
      NoSuchAlgorithmException
    • getSSLContextInstance

      protected SSLContext getSSLContextInstance() throws NoSuchAlgorithmException
      Throws:
      NoSuchAlgorithmException
    • getTrustManagerFactoryInstance

      protected TrustManagerFactory getTrustManagerFactoryInstance() throws NoSuchAlgorithmException
      Throws:
      NoSuchAlgorithmException
    • newSSLEngine

      public SSLEngine newSSLEngine()
      Factory method for "scratch" SSLEngines, usually only used for retrieving configuration information such as the application buffer size or the list of protocols/ciphers.

      This method should not be used for creating SSLEngines that are used in actual socket communication.

      Returns:
      a new, "scratch" SSLEngine
    • newSSLEngine

      public SSLEngine newSSLEngine(String host, int port)
      General purpose factory method for creating SSLEngines, although creation of SSLEngines on the server-side should prefer newSSLEngine(InetSocketAddress).
      Parameters:
      host - the remote host
      port - the remote port
      Returns:
      a new SSLEngine
    • newSSLEngine

      public SSLEngine newSSLEngine(InetSocketAddress address)
      Server-side only factory method for creating SSLEngines.

      If the given address is null, it is equivalent to newSSLEngine(), otherwise newSSLEngine(String, int) is called.

      Clients that wish to create SSLEngine instances must use newSSLEngine(String, int).

      Parameters:
      address - the remote peer address
      Returns:
      a new SSLEngine
    • customize

      public void customize(SSLEngine sslEngine)
      Customize an SslEngine instance with the configuration of this factory, by calling customize(SSLParameters)
      Parameters:
      sslEngine - the SSLEngine to customize
    • customize

      public SSLParameters customize(SSLParameters sslParams)
      Customize an SslParameters instance with the configuration of this factory.
      Parameters:
      sslParams - The parameters to customize
      Returns:
      The passed instance of sslParams (returned as a convenience)
    • reload

      public void reload(Consumer<SslContextFactory> consumer) throws Exception
      Throws:
      Exception
    • getX509CertChain

      public X509Certificate[] getX509CertChain(SSLSession sslSession)
      Obtain the X509 Certificate Chain from the provided SSLSession using this SslContextFactory's optional Provider specific CertificateFactory.
      Parameters:
      sslSession - the session to use for active peer certificates
      Returns:
      the certificate chain
    • getCertChain

      public static X509Certificate[] getCertChain(SSLSession sslSession)
      Obtain the X509 Certificate Chain from the provided SSLSession using this SslContextFactory's optional Provider specific CertificateFactory.
      Parameters:
      sslSession - the session to use for active peer certificates
      Returns:
      the certificate chain
    • deduceKeyLength

      public static int deduceKeyLength(String cipherSuite)
      Given the name of a TLS/SSL cipher suite, return an int representing it effective stream cipher key strength. i.e. How much entropy material is in the key material being fed into the encryption routines.

      This is based on the information on effective key lengths in RFC 2246 - The TLS Protocol Version 1.0, Appendix C. CipherSuite definitions:

                               Effective
           Cipher       Type    Key Bits
      
           NULL       * Stream     0
           IDEA_CBC     Block    128
           RC2_CBC_40 * Block     40
           RC4_40     * Stream    40
           RC4_128      Stream   128
           DES40_CBC  * Block     40
           DES_CBC      Block     56
           3DES_EDE_CBC Block    168
       

      For unknown ciphers, any substring of digits bounded by '_' is taken as the key length.

      Parameters:
      cipherSuite - String name of the TLS cipher suite.
      Returns:
      int indicating the effective key entropy bit-length.
    • validateCerts

      public void validateCerts(X509Certificate[] certs) throws Exception
      Throws:
      Exception
    • toString

      public String toString()
      Overrides:
      toString in class AbstractLifeCycle