Class SslContextFactory
- All Implemented Interfaces:
Container
,Destroyable
,Dumpable
,Dumpable.DumpableContainer
,LifeCycle
- Direct Known Subclasses:
SslContextFactory.Client
,SslContextFactory.Server
SslContextFactory is used to configure SSL parameters to be used by server and client connectors.
Use SslContextFactory.Server
to configure server-side connectors,
and SslContextFactory.Client
to configure HTTP or WebSocket clients.
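The following is an added example, not code from the Jetty javadoc or the Jetty project, showing the server/client split described above: a SslContextFactory.Server wired into a ServerConnector and a SslContextFactory.Client wired into an HttpClient. It assumes the Jetty 12 package layout, PKCS12 stores at the paths shown, the alias "server" and passwords supplied through environment variables; all of those are placeholders.

```java
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.transport.HttpClientTransportDynamic;
import org.eclipse.jetty.io.ClientConnector;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class SslContextFactoryWiring
{
    // Server side: key store holding the server certificate and private key.
    public static SslContextFactory.Server serverFactory()
    {
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath("/etc/myapp/tls/server.p12");   // assumed path
        ssl.setKeyStoreType("PKCS12");
        // A null password makes the factory fall back to the
        // org.eclipse.jetty.ssl.password system property.
        ssl.setKeyStorePassword(System.getenv("KEYSTORE_PASSWORD"));
        ssl.setCertAlias("server");                           // assumed alias
        // add* keeps Jetty's built-in exclusions; set* would replace them.
        ssl.addExcludeProtocols("TLSv1", "TLSv1.1");
        ssl.addExcludeCipherSuites("^.*_(RC4|DES|3DES_EDE|NULL|anon|EXPORT)_.*$");
        ssl.setUseCipherSuitesOrder(true);   // the server's order wins
        ssl.setRenegotiationAllowed(false);
        return ssl;
    }

    // Client side: trust store of accepted CAs, host-name verification on.
    public static SslContextFactory.Client clientFactory()
    {
        SslContextFactory.Client ssl = new SslContextFactory.Client();
        ssl.setTrustStorePath("/etc/myapp/tls/truststore.p12"); // assumed path
        ssl.setTrustStorePassword(System.getenv("TRUSTSTORE_PASSWORD"));
        ssl.setEndpointIdentificationAlgorithm("HTTPS");
        ssl.addExcludeProtocols("TLSv1", "TLSv1.1");
        return ssl;
    }

    public static void main(String[] args) throws Exception
    {
        Server server = new Server();
        SslContextFactory.Server serverSsl = serverFactory();
        ServerConnector https = new ServerConnector(server, serverSsl);
        https.setPort(8443);
        server.addConnector(https);
        server.start();
        // Once started, the factory has resolved its lists against the JVM.
        System.out.println("protocols: " + String.join(",", serverSsl.getSelectedProtocols()));
        System.out.println("ciphers:   " + String.join(",", serverSsl.getSelectedCipherSuites()));

        ClientConnector connector = new ClientConnector();
        connector.setSslContextFactory(clientFactory());
        HttpClient client = new HttpClient(new HttpClientTransportDynamic(connector));
        client.start();
        // client.GET("https://localhost:8443/") would now negotiate TLS with the
        // server above, subject to the trust store and the host-name check.
        client.stop();
        server.stop();
    }
}
```

The two factories are deliberately different objects: the server one needs a key store (its own identity) while the client one needs a trust store (whose identities it accepts) plus an endpoint identification algorithm; mixing them up is the usual way to end up with a client that trusts nothing or a server that checks nothing.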
-
Nested Class Summary
static class SslContextFactory.Client
static class SslContextFactory.Server
static class SslContextFactory.X509ExtendedKeyManagerWrapper: a wrapper that delegates to another (if not null) X509ExtendedKeyManager.
static class SslContextFactory.X509ExtendedTrustManagerWrapper: a wrapper that delegates to another (if not null) X509ExtendedTrustManager.
Nested classes/interfaces inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle
AbstractLifeCycle.AbstractLifeCycleListener, AbstractLifeCycle.StopException
Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.Container
Container.InheritedListener, Container.Listener
Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.Dumpable
Dumpable.DumpableContainer
Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.LifeCycle
LifeCycle.Listener
-
Field Summary
static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM
static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM
static final String KEYPASSWORD_PROPERTY: name of the key password system property.
static final String PASSWORD_PROPERTY: name of the keystore password system property.
static final TrustManager[] TRUST_ALL_CERTS
-
Constructor Summary
protected SslContextFactory(): construct an instance of SslContextFactory with the default configuration.
public SslContextFactory(boolean trustAll): construct an instance of SslContextFactory that trusts all certificates.
-
Method Summary
void addExcludeCipherSuites(String... cipher): add exact cipher suite names or regular expressions to the exclusion list.
void addExcludeProtocols(String... protocol): add exact protocol names or regular expressions to the exclusion list.
protected void checkCiphers(SSLParameters supported)
protected void checkConfiguration()
protected void checkEndPointIdentificationAlgorithm()
protected void checkProtocols(SSLParameters supported)
protected void checkTrustAll()
void customize(SSLEngine sslEngine): customize an SSLEngine instance with the configuration of this factory, by calling customize(SSLParameters).
SSLParameters customize(SSLParameters sslParams): customize an SSLParameters instance with the configuration of this factory.
static int deduceKeyLength(String cipherSuite): given the name of a TLS/SSL cipher suite, return an int representing its effective cipher key strength.
protected void doStart(): creates the SSLContext object and starts the lifecycle.
protected void doStop(): stops the managed lifecycle beans in the reverse order they were added.
String dump()
void dump(Appendable out, String indent): dump this object (and children) into an Appendable using the provided indent after any new lines.
static X509Certificate[] getCertChain(SSLSession sslSession): obtain the X509 certificate chain from the provided SSLSession using this SslContextFactory's optional provider-specific CertificateFactory.
protected CertificateFactory getCertificateFactoryInstance()
protected CertStore getCertStoreInstance(Collection<? extends CRL> crls)
protected Credential getCredential(String realm): returns the credential object for the given realm.
String[] getExcludeCipherSuites()
String[] getExcludeProtocols()
HostnameVerifier getHostnameVerifier(): get the HostnameVerifier used by a client to verify host names in the server certificate.
String[] getIncludeCipherSuites()
String[] getIncludeProtocols()
protected KeyManagerFactory getKeyManagerFactoryInstance()
protected KeyManager[] getKeyManagers(KeyStore keyStore)
int getMaxCertPathLength()
protected Password getPassword(String realm): deprecated, for removal; use getCredential(String) instead.
String getProvider(): get the optional Security Provider name.
int getRenegotiationLimit()
protected SecureRandom getSecureRandomInstance()
String[] getSelectedCipherSuites()
String[] getSelectedProtocols()
protected SSLContext getSSLContextInstance()
int getSslSessionCacheSize(): get the SSL session cache size.
int getSslSessionTimeout(): get the SSL session timeout.
protected TrustManagerFactory getTrustManagerFactoryInstance()
protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls)
X509Certificate[] getX509CertChain(SSLSession sslSession): obtain the X509 certificate chain from the provided SSLSession using this SslContextFactory's optional provider-specific CertificateFactory.
boolean isEnableCRLDP()
boolean isEnableOCSP()
boolean isRenegotiationAllowed()
boolean isSessionCachingEnabled()
boolean isTrustAll()
boolean isUseCipherSuitesOrder()
boolean isValidateCerts()
boolean isValidatePeerCerts()
protected Collection<? extends CRL> loadCRL(String crlPath): loads a certificate revocation list (CRL) from a file.
protected KeyStore loadKeyStore(Resource resource): override this method to provide an alternate way to load a keystore.
protected KeyStore loadTrustStore(Resource resource): override this method to provide an alternate way to load a truststore.
Credential newCredential(String password): creates a new Credential object.
Password newPassword(String password): deprecated, for removal; use newCredential(String) instead.
protected PKIXBuilderParameters newPKIXBuilderParameters(KeyStore trustStore, Collection<? extends CRL> crls)
SSLEngine newSSLEngine(): factory method for "scratch" SSLEngines, usually only used for retrieving configuration information such as the application buffer size or the list of protocols/ciphers.
SSLEngine newSSLEngine(String host, int port): general purpose factory method for creating SSLEngines, although creation of SSLEngines on the server side should prefer newSSLEngine(InetSocketAddress).
SSLEngine newSSLEngine(InetSocketAddress address): server-side only factory method for creating SSLEngines.
SSLServerSocket newSslServerSocket(String host, int port, int backlog)
SSLSocket newSslSocket()
protected void processIncludeCipherSuites(String[] supportedCipherSuites, List<String> selectedCiphers): deprecated, no replacement.
void reload(Consumer<SslContextFactory> consumer)
protected void removeExcludedCipherSuites(List<String> selectedCiphers): deprecated, no replacement.
protected void selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites): select cipher suites to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported cipher suite lists.
void selectProtocols(String[] enabledProtocols, String[] supportedProtocols): select protocols to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported protocols.
void setCertAlias(String certAlias): set the default certificate alias.
void setCipherComparator(Comparator<String> cipherComparator)
void setCrlPath(String crlPath)
void setEnableCRLDP(boolean enableCRLDP): enables CRL Distribution Points support.
void setEnableOCSP(boolean enableOCSP): enables Online Certificate Status Protocol support.
void setEndpointIdentificationAlgorithm(String endpointIdentificationAlgorithm): when set to "HTTPS", hostname verification is enabled.
void setExcludeCipherSuites(String... cipherSuites): set the exclusion list to exact cipher suite names or regular expressions.
void setExcludeProtocols(String... protocols): set the exclusion list to exact protocol names or regular expressions.
void setHostnameVerifier(HostnameVerifier hostnameVerifier): sets a HostnameVerifier used by a client to verify host names in the server certificate.
void setIncludeCipherSuites(String... cipherSuites): set the inclusion list to exact cipher suite names or regular expressions.
void setIncludeProtocols(String... protocols): set the inclusion list to exact protocol names or regular expressions.
void setKeyManagerFactoryAlgorithm(String algorithm)
void setKeyManagerPassword(String password)
void setKeyStore(KeyStore keyStore): set the key store.
void setKeyStorePassword(String password)
void setKeyStorePath(String keyStorePath)
void setKeyStoreProvider(String keyStoreProvider)
void setKeyStoreResource(Resource resource): set the key store resource.
void setKeyStoreType(String keyStoreType)
void setMaxCertPathLength(int maxCertPathLength)
void setOcspResponderURL(String ocspResponderURL): set the location of the OCSP responder.
void setPkixCertPathChecker(PKIXCertPathChecker pkixCertPathChecker)
void setProtocol(String protocol)
void setProvider(String provider): set the optional Security Provider name.
void setRenegotiationAllowed(boolean renegotiationAllowed): set whether TLS renegotiation is allowed.
void setRenegotiationLimit(int renegotiationLimit)
void setSecureRandomAlgorithm(String algorithm)
void setSessionCachingEnabled(boolean enableSessionCaching): set the flag to enable SSL session caching.
void setSslContext(SSLContext sslContext)
void setSslSessionCacheSize(int sslSessionCacheSize): set the SSL session cache size.
void setSslSessionTimeout(int sslSessionTimeout): set the SSL session timeout.
void setTrustAll(boolean trustAll)
void setTrustManagerFactoryAlgorithm(String algorithm)
void setTrustStore(KeyStore trustStore): set the trust store.
void setTrustStorePassword(String password)
void setTrustStorePath(String trustStorePath)
void setTrustStoreProvider(String trustStoreProvider)
void setTrustStoreResource(Resource resource): set the trust store resource.
void setTrustStoreType(String trustStoreType)
void setUseCipherSuitesOrder(boolean useCipherSuitesOrder)
void setValidateCerts(boolean validateCerts): set true if SSL certificates have to be validated.
void setValidatePeerCerts(boolean validatePeerCerts): set true if SSL certificates of the peer have to be validated.
String toString()
void validateCerts(X509Certificate[] certs)
Methods inherited from class org.eclipse.jetty.util.component.ContainerLifeCycle
addBean, addBean, addEventListener, addManaged, contains, destroy, dump, dumpObjects, dumpStdErr, getBean, getBeans, getBeans, getContainedBeans, getContainedBeans, installBean, installBean, isAuto, isManaged, isUnmanaged, manage, removeBean, removeBeans, removeEventListener, setBeans, start, stop, unmanage, updateBean, updateBean, updateBeans, updateBeans
Methods inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle
getEventListeners, getState, getState, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, setEventListeners, start, stop
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
Methods inherited from interface org.eclipse.jetty.util.component.Container
getCachedBeans, getEventListeners
Methods inherited from interface org.eclipse.jetty.util.component.Dumpable.DumpableContainer
isDumpable
-
Field Details
-
TRUST_ALL_CERTS
public static final TrustManager[] TRUST_ALL_CERTS
Trust managers that accept every certificate; installed when the factory is configured to trust all (see setTrustAll(boolean) and the "TrustAll" trust manager factory algorithm). Not for use outside tests.
-
DEFAULT_KEYMANAGERFACTORY_ALGORITHM
public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM
-
DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM
public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM
-
KEYPASSWORD_PROPERTY
public static final String KEYPASSWORD_PROPERTY
Name of the key password system property, "org.eclipse.jetty.ssl.keypassword" (see setKeyManagerPassword(String)).
-
PASSWORD_PROPERTY
public static final String PASSWORD_PROPERTY
Name of the keystore password system property, "org.eclipse.jetty.ssl.password" (see setKeyStorePassword(String)).
-
-
Constructor Details
-
SslContextFactory
protected SslContextFactory()
Construct an instance of SslContextFactory with the default configuration.
-
SslContextFactory
public SslContextFactory(boolean trustAll)
Construct an instance of SslContextFactory that trusts all certificates.
- Parameters:
trustAll - whether to blindly trust all certificates (see setTrustAll(boolean))
-
-
Method Details
-
doStart
protected void doStart() throws Exception
Creates the SSLContext object and starts the lifecycle.
- Overrides:
doStart in class ContainerLifeCycle
- Throws:
AbstractLifeCycle.StopException - If thrown, the lifecycle will immediately be stopped.
Exception - If there was a problem starting. Will cause a transition to FAILED state.
-
checkConfiguration
protected void checkConfiguration()
-
checkTrustAll
protected void checkTrustAll()
-
checkEndPointIdentificationAlgorithm
protected void checkEndPointIdentificationAlgorithm()
checkProtocols
-
checkCiphers
-
dump
- Specified by:
dump
in interfaceDumpable
- Overrides:
dump
in classContainerLifeCycle
-
dump
Description copied from interface: Dumpable
Dump this object (and children) into an Appendable using the provided indent after any new lines. The indent should not be applied to the first object dumped.
- Specified by:
dump in interface Dumpable
- Overrides:
dump in class ContainerLifeCycle
- Parameters:
out - The appendable to dump to
indent - The indent to apply after any new lines.
- Throws:
IOException - if unable to write to Appendable
-
doStop
Description copied from class: ContainerLifeCycle
Stops the managed lifecycle beans in the reverse order they were added.
- Overrides:
doStop in class ContainerLifeCycle
- Throws:
Exception - If there was a problem stopping. Will cause a transition to FAILED state.
-
getSelectedProtocols
@ManagedAttribute(value="The selected TLS protocol versions", readonly=true) public String[] getSelectedProtocols() -
getSelectedCipherSuites
@ManagedAttribute(value="The selected cipher suites", readonly=true) public String[] getSelectedCipherSuites() -
getCipherComparator
-
setCipherComparator
-
getAliases
-
getX509
-
getExcludeProtocols
- Returns:
- The array of protocol names to exclude from SSLEngine.setEnabledProtocols(String[])
-
setExcludeProtocols
You can either use the exact protocol name or a regular expression. This replaces the current exclusion list, including the factory's built-in defaults; use addExcludeProtocols(String...) to keep the defaults and add to them.
- Parameters:
protocols - The array of protocol names to exclude from SSLEngine.setEnabledProtocols(String[])
-
addExcludeProtocols
You can either use the exact protocol name or a regular expression.
- Parameters:
protocol - Protocol name patterns to add to the exclusion list applied to SSLEngine.setEnabledProtocols(String[])
-
getIncludeProtocols
- Returns:
- The array of protocol name patterns to include in SSLEngine.setEnabledProtocols(String[])
-
setIncludeProtocols
You can either use the exact protocol name or a regular expression.
- Parameters:
protocols - The array of protocol name patterns to include in SSLEngine.setEnabledProtocols(String[])
-
getExcludeCipherSuites
- Returns:
- The array of cipher suite name patterns to exclude from SSLEngine.setEnabledCipherSuites(String[])
-
setExcludeCipherSuites
You can either use the exact cipher suite name or a regular expression. This replaces the current exclusion list, including the factory's built-in defaults; use addExcludeCipherSuites(String...) to keep the defaults and add to them.
- Parameters:
cipherSuites - The array of cipher suite names to exclude from SSLEngine.setEnabledCipherSuites(String[])
-
addExcludeCipherSuites
You can either use the exact cipher suite name or a regular expression.
- Parameters:
cipher - Cipher suite name patterns to add to the exclusion list applied to SSLEngine.setEnabledCipherSuites(String[])
-
getIncludeCipherSuites
- Returns:
- The array of cipher suite names to include in SSLEngine.setEnabledCipherSuites(String[])
-
setIncludeCipherSuites
You can either use the exact cipher suite name or a regular expression. When the include list is non-empty, it is matched against the suites the SSLContext supports (not only those enabled by default), in the order of the patterns, and the exclusion list is applied afterwards.
- Parameters:
cipherSuites - The array of cipher suite names to include in SSLEngine.setEnabledCipherSuites(String[])
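The include/exclude behaviour above is easiest to trust when it is checked rather than assumed. The following is an added example, not code from the Jetty javadoc or project: it configures a policy with regular-expression patterns, starts the factory on the JVM's default SSLContext (via setSslContext(SSLContext), so no key store is needed for the inspection), and then verifies on a "scratch" SSLEngine from newSSLEngine() and customize(SSLEngine) that no legacy protocol or non-AEAD suite survives. The patterns and the policy are this example's choices, not Jetty defaults.

```java
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class CipherPolicyCheck
{
    // The JVM default SSLContext is plugged in with setSslContext() so the factory
    // can start without a key store; protocol and cipher selection still runs
    // against that context's supported lists.
    public static SslContextFactory.Server startWithPolicy() throws Exception
    {
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setSslContext(SSLContext.getDefault());
        // add* appends to Jetty's built-in exclusions; set* would replace them.
        ssl.addExcludeProtocols("TLSv1", "TLSv1.1");
        ssl.addExcludeCipherSuites(
            "^.*_(NULL|anon|EXPORT|RC4|DES|3DES_EDE)_.*$",   // weak primitives
            "^TLS_RSA_.*$");                                  // static RSA: no forward secrecy
        // A non-empty include list is matched against the *supported* suites in
        // pattern order; exclusions are applied afterwards.
        ssl.setIncludeCipherSuites(
            "^TLS_(AES|CHACHA20)_.*$",                        // TLS 1.3 suites
            "^TLS_ECDHE_.*_CHACHA20_POLY1305_SHA256$",
            "^TLS_(ECDHE|DHE)_.*_GCM_SHA(256|384)$");
        ssl.setUseCipherSuitesOrder(true);
        ssl.start();
        return ssl;
    }

    // Enforce the policy on a "scratch" engine: customize() applies the selected
    // lists, so this is what a real connection would negotiate from.
    public static void assertPolicy(SslContextFactory ssl)
    {
        SSLEngine engine = ssl.newSSLEngine();
        ssl.customize(engine);
        for (String p : engine.getEnabledProtocols())
        {
            if (p.startsWith("SSL") || p.equals("TLSv1") || p.equals("TLSv1.1"))
                throw new IllegalStateException("legacy protocol still enabled: " + p);
        }
        for (String c : engine.getEnabledCipherSuites())
        {
            boolean aead = c.contains("_GCM_") || c.contains("CHACHA20_POLY1305");
            if (!aead || c.startsWith("TLS_RSA_"))
                throw new IllegalStateException("suite violates policy: " + c);
        }
    }

    public static void main(String[] args) throws Exception
    {
        SslContextFactory.Server ssl = startWithPolicy();
        try
        {
            List<String> protocols = Arrays.asList(ssl.getSelectedProtocols());
            List<String> ciphers = Arrays.asList(ssl.getSelectedCipherSuites());
            System.out.println("selected protocols: " + protocols);
            System.out.println("selected ciphers:   " + ciphers);
            assertPolicy(ssl);
        }
        finally
        {
            ssl.stop();
        }
    }
}
```

Running this on a JVM whose provider supports a different suite set than expected is exactly the case the check exists for: getSelectedCipherSuites() reflects what this JVM will actually offer, which can differ between JDK releases and third-party providers.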
-
isUseCipherSuitesOrder
@ManagedAttribute("Whether to respect the cipher suites order") public boolean isUseCipherSuitesOrder() -
setUseCipherSuitesOrder
public void setUseCipherSuitesOrder(boolean useCipherSuitesOrder) -
getKeyStorePath
- Returns:
- The file or URL of the SSL Key store.
-
setKeyStorePath
- Parameters:
keyStorePath
- The file or URL of the SSL Key store.
-
getKeyStoreProvider
- Returns:
- The provider of the key store
-
setKeyStoreProvider
- Parameters:
keyStoreProvider
- The provider of the key store
-
getKeyStoreType
- Returns:
- The type of the key store (default "PKCS12")
-
setKeyStoreType
- Parameters:
keyStoreType
- The type of the key store
-
getCertAlias
- Returns:
- Alias of SSL certificate for the connector
-
setCertAlias
Set the default certificate alias. This can be used if there are multiple non-SNI certificates to specify the certificate that should be used, or with SNI certificates to set a certificate to try if no others match.
- Parameters:
certAlias - Alias of SSL certificate for the connector
-
getTrustStorePath
-
setTrustStorePath
- Parameters:
trustStorePath
- The file name or URL of the trust store location
-
getTrustStoreProvider
- Returns:
- The provider of the trust store
-
setTrustStoreProvider
- Parameters:
trustStoreProvider
- The provider of the trust store
-
getTrustStoreType
- Returns:
- The type of the trust store
-
setTrustStoreType
- Parameters:
trustStoreType
- The type of the trust store
-
isValidateCerts
- Returns:
- true if SSL certificates have to be validated
-
setValidateCerts
public void setValidateCerts(boolean validateCerts)
Set true if SSL certificates have to be validated.
- Parameters:
validateCerts - true if SSL certificates have to be validated
-
isValidatePeerCerts
- Returns:
- true if SSL certificates of the peer have to be validated
-
setValidatePeerCerts
public void setValidatePeerCerts(boolean validatePeerCerts)
Set true if SSL certificates of the peer have to be validated.
- Parameters:
validatePeerCerts - true if SSL certificates of the peer have to be validated
-
getKeyStorePassword
-
setKeyStorePassword
- Parameters:
password - The password for the key store. If null is passed then getCredential(String) is used to obtain a password from the "org.eclipse.jetty.ssl.password" system property.
-
getKeyManagerPassword
-
setKeyManagerPassword
- Parameters:
password - The password (if any) for the specific key within the key store. If null is passed then getCredential(String) is used to obtain a password from the "org.eclipse.jetty.ssl.keypassword" system property.
-
setTrustStorePassword
- Parameters:
password - The password for the truststore. If null is passed then getCredential(String) is used to obtain a password from the "org.eclipse.jetty.ssl.password" system property.
-
getProvider
Get the optional Security Provider name.
When set, the provider name is passed to the getInstance(String, String) calls that create this factory's SSLContext, SecureRandom, KeyManagerFactory, TrustManagerFactory, CertificateFactory and CertStore (see the protected getXxxInstance() methods).
- Returns:
- The optional Security Provider name.
-
setProvider
Set the optional Security Provider name.
When set, the provider name is passed to the getInstance(String, String) calls that create this factory's SSLContext, SecureRandom, KeyManagerFactory, TrustManagerFactory, CertificateFactory and CertStore (see the protected getXxxInstance() methods).
- Parameters:
provider - The optional Security Provider name.
-
getProtocol
- Returns:
- The SSL protocol (default "TLS") passed to SSLContext.getInstance(String, String)
-
setProtocol
- Parameters:
protocol - The SSL protocol (default "TLS") passed to SSLContext.getInstance(String, String). This only selects the SSLContext implementation; the protocol versions actually enabled are governed by the include/exclude protocol lists.
-
getSecureRandomAlgorithm
- Returns:
- The algorithm name, which if set is passed to SecureRandom.getInstance(String) to obtain the SecureRandom instance passed to SSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)
-
setSecureRandomAlgorithm
- Parameters:
algorithm - The algorithm name, which if set is passed to SecureRandom.getInstance(String) to obtain the SecureRandom instance passed to SSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)
-
getKeyManagerFactoryAlgorithm
- Returns:
- The algorithm name (default "SunX509") used by the KeyManagerFactory
-
setKeyManagerFactoryAlgorithm
- Parameters:
algorithm - The algorithm name (default "SunX509") used by the KeyManagerFactory
-
getTrustManagerFactoryAlgorithm
@ManagedAttribute("The TrustManagerFactory algorithm") public String getTrustManagerFactoryAlgorithm()
- Returns:
- The algorithm name (default "SunX509") used by the TrustManagerFactory
-
isTrustAll
@ManagedAttribute("Whether certificates should be trusted even if they are invalid") public boolean isTrustAll()
- Returns:
- True if all certificates should be trusted if there is no KeyStore or TrustStore
-
setTrustAll
public void setTrustAll(boolean trustAll)
Trusting all certificates disables authentication of the peer: a client configured this way accepts any certificate, including one presented by an on-path attacker, regardless of the endpoint identification algorithm or hostname verifier. Use it only in tests.
- Parameters:
trustAll - True if all certificates should be trusted if there is no KeyStore or TrustStore
-
setTrustManagerFactoryAlgorithm
- Parameters:
algorithm - The algorithm name (default "SunX509") used by the TrustManagerFactory. Use the string "TrustAll" to install a trust manager that trusts all certificates, with the same caveat as setTrustAll(boolean).
-
isRenegotiationAllowed
- Returns:
- whether TLS renegotiation is allowed (false by default)
-
setRenegotiationAllowed
public void setRenegotiationAllowed(boolean renegotiationAllowed)
Set whether TLS renegotiation is allowed. Renegotiation exists only in TLS 1.2 and earlier; TLS 1.3 removed it. Leaving it disabled removes a client-driven CPU amplification vector, and a connection that attempts renegotiation when it is not allowed is closed.
- Parameters:
renegotiationAllowed - whether TLS renegotiation is allowed
-
getRenegotiationLimit
- Returns:
- The number of renegotiations allowed for this connection. When the limit is 0 renegotiation will be denied. If the limit is less than 0 then no limit is applied.
-
setRenegotiationLimit
public void setRenegotiationLimit(int renegotiationLimit)
- Parameters:
renegotiationLimit - The number of renegotiations allowed for this connection. When the limit is 0 renegotiation will be denied. If the limit is less than 0 then no limit is applied. Default 5.
-
getCrlPath
- Returns:
- Path to file that contains the Certificate Revocation List
-
setCrlPath
- Parameters:
crlPath - Path to file that contains the Certificate Revocation List
-
getMaxCertPathLength
@ManagedAttribute("The maximum number of intermediate certificates") public int getMaxCertPathLength()
- Returns:
- Maximum number of intermediate certificates in the certification path (-1 for unlimited)
-
setMaxCertPathLength
public void setMaxCertPathLength(int maxCertPathLength)
- Parameters:
maxCertPathLength - maximum number of intermediate certificates in the certification path (-1 for unlimited)
-
getSslContext
- Returns:
- The SSLContext
-
setSslContext
- Parameters:
sslContext - Set a preconfigured SSLContext. When set, the key store, trust store and related settings of this factory are not used to build the context; the protocol and cipher suite selection is still applied.
-
getEndpointIdentificationAlgorithm
@ManagedAttribute("The endpoint identification algorithm") public String getEndpointIdentificationAlgorithm()
- Returns:
- the endpoint identification algorithm
-
setEndpointIdentificationAlgorithm
When set to "HTTPS", hostname verification will be enabled: the JDK checks that the host name the client connected to matches the names in the server certificate. Client deployments are vulnerable to a man-in-the-middle attack if no endpoint identification algorithm is set, because a certificate issued for any name by a trusted CA would then be accepted.
- Parameters:
endpointIdentificationAlgorithm - Set the endpointIdentificationAlgorithm (see setHostnameVerifier(HostnameVerifier))
-
getPkixCertPathChecker
-
setPkixCertPathChecker
-
loadKeyStore
Override this method to provide an alternate way to load a keystore.
- Parameters:
resource - the resource to load the keystore from
- Returns:
- the key store instance
- Throws:
Exception - if the keystore cannot be loaded
-
loadTrustStore
Override this method to provide an alternate way to load a truststore.
- Parameters:
resource - the resource to load the truststore from
- Returns:
- the trust store instance
- Throws:
Exception - if the truststore cannot be loaded
-
loadCRL
Loads a certificate revocation list (CRL) from a file. Required for integrations to be able to override the mechanism used to load CRLs in order to provide their own implementation.
- Parameters:
crlPath - path of the certificate revocation list file
- Returns:
- Collection of CRLs
- Throws:
Exception - if the certificate revocation list cannot be loaded
-
getKeyManagers
- Throws:
Exception
-
getTrustManagers
protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception - Throws:
Exception
-
newPKIXBuilderParameters
protected PKIXBuilderParameters newPKIXBuilderParameters(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception - Throws:
Exception
-
selectProtocols
Select protocols to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported protocols.
- Parameters:
enabledProtocols - Array of enabled protocols
supportedProtocols - Array of supported protocols
-
selectCipherSuites
Select cipher suites to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported cipher suite lists.
- Parameters:
enabledCipherSuites - Array of enabled cipher suites
supportedCipherSuites - Array of supported cipher suites
-
processIncludeCipherSuites
@Deprecated protected void processIncludeCipherSuites(String[] supportedCipherSuites, List<String> selectedCiphers) Deprecated.no replacement -
removeExcludedCipherSuites
Deprecated.no replacement -
isEnableCRLDP
@ManagedAttribute("Whether certificate revocation list distribution points is enabled") public boolean isEnableCRLDP()
- Returns:
- true if CRL Distribution Points support is enabled
-
setEnableCRLDP
public void setEnableCRLDP(boolean enableCRLDP)
Enables CRL Distribution Points support.
- Parameters:
enableCRLDP - true turns it on, false turns it off
-
isEnableOCSP
@ManagedAttribute("Whether online certificate status protocol support is enabled") public boolean isEnableOCSP()
- Returns:
- true if Online Certificate Status Protocol support is enabled
-
setEnableOCSP
public void setEnableOCSP(boolean enableOCSP)
Enables Online Certificate Status Protocol support.
- Parameters:
enableOCSP - true turns it on, false turns it off
-
getOcspResponderURL
- Returns:
- Location of the OCSP Responder
-
setOcspResponderURL
Set the location of the OCSP Responder.
- Parameters:
ocspResponderURL - location of the OCSP Responder
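The following is an added example, not code from the Jetty javadoc or project, that puts the revocation settings above together for a server that authenticates client certificates: a local CRL file, CRL Distribution Points, OCSP with an explicit responder, a path-length cap, and a custom PKIXCertPathChecker that additionally requires the id-kp-clientAuth extended key usage on end-entity certificates. The store paths, passwords and responder URL are placeholders; setNeedClientAuth(boolean) is a SslContextFactory.Server setter that this page does not list.

```java
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class RevocationAwareServer
{
    // OID of the id-kp-clientAuth extended key usage (RFC 5280).
    static final String ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";

    public static SslContextFactory.Server mutualTlsWithRevocation()
    {
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath("/etc/myapp/tls/server.p12");            // assumed path
        ssl.setKeyStorePassword(System.getenv("KEYSTORE_PASSWORD"));
        ssl.setTrustStorePath("/etc/myapp/tls/client-ca.p12");       // assumed path
        ssl.setTrustStorePassword(System.getenv("TRUSTSTORE_PASSWORD"));
        ssl.setNeedClientAuth(true);       // Server-only setter, not on this page
        ssl.setValidateCerts(true);        // validate the server's own chain at start
        ssl.setValidatePeerCerts(true);    // PKIX validation of client chains at handshake
        ssl.setMaxCertPathLength(2);       // at most two intermediates
        ssl.setCrlPath("/etc/myapp/tls/client-ca.crl");              // assumed path
        ssl.setEnableCRLDP(true);          // also follow CRL Distribution Points
        ssl.setEnableOCSP(true);
        ssl.setOcspResponderURL("http://ocsp.example.internal/");    // assumed URL
        ssl.setPkixCertPathChecker(new PKIXCertPathChecker()
        {
            @Override public void init(boolean forward) {}
            @Override public boolean isForwardCheckingSupported() { return false; }
            @Override public Set<String> getSupportedExtensions() { return null; }

            // Called for every certificate in the path; CA certificates are skipped
            // via basicConstraints, end-entity certificates must carry clientAuth.
            @Override public void check(Certificate cert, Collection<String> unresolvedCritExts)
                throws CertPathValidatorException
            {
                X509Certificate x509 = (X509Certificate)cert;
                if (x509.getBasicConstraints() != -1)
                    return; // a CA certificate
                try
                {
                    List<String> eku = x509.getExtendedKeyUsage();
                    if (eku == null || !eku.contains(ID_KP_CLIENT_AUTH))
                        throw new CertPathValidatorException(
                            "end-entity certificate lacks id-kp-clientAuth: " + x509.getSubjectX500Principal());
                }
                catch (CertificateParsingException e)
                {
                    throw new CertPathValidatorException(e);
                }
            }
        });
        return ssl;
    }
}
```

Two things to keep in mind: the CRL, OCSP, path-length and PKIXCertPathChecker settings are applied to peer certificates through the PKIX trust manager only when validatePeerCerts is true, and Jetty enables OCSP and CRLDP by setting JVM-wide security and system properties, so turning them on here affects every PKIX validation in the process, not only this connector.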
-
setKeyStore
Set the key store.
- Parameters:
keyStore - the key store to set
-
getKeyStore
-
setTrustStore
Set the trust store.
- Parameters:
trustStore - the trust store to set
-
getTrustStore
-
setKeyStoreResource
Set the key store resource.
- Parameters:
resource - the key store resource to set
-
getKeyStoreResource
-
setTrustStoreResource
Set the trust store resource.
- Parameters:
resource - the trust store resource to set
-
getTrustStoreResource
-
isSessionCachingEnabled
@ManagedAttribute("Whether TLS session caching is enabled") public boolean isSessionCachingEnabled()
- Returns:
- true if SSL session caching is enabled
-
setSessionCachingEnabled
public void setSessionCachingEnabled(boolean enableSessionCaching)
Set the flag to enable SSL session caching. If set to true, then the SSLContext.createSSLEngine(String, int) method is used to pass host and port information as a hint for session reuse. Note that this is only a hint and the session may not be reused. Moreover, the hint is typically only used on client-side implementations, and setting this to false does not stop a server from accepting an offered session ID to reuse.
- Parameters:
enableSessionCaching - the value of the flag
-
getSslSessionCacheSize
Get the SSL session cache size. Passed directly to SSLSessionContext.setSessionCacheSize(int).
- Returns:
- SSL session cache size
-
setSslSessionCacheSize
public void setSslSessionCacheSize(int sslSessionCacheSize)
Set the SSL session cache size, i.e. the maximum cache size to be set on SSLSessionContext.setSessionCacheSize(int) when this factory is started.
- Parameters:
sslSessionCacheSize - SSL session cache size to set. A value of -1 (default) uses the JVM default, 0 means unlimited and a positive number is a maximum size.
-
getSslSessionTimeout
Get the SSL session timeout.
- Returns:
- SSL session timeout
-
setSslSessionTimeout
public void setSslSessionTimeout(int sslSessionTimeout)
Set the SSL session timeout, i.e. the timeout in seconds to be set on SSLSessionContext.setSessionTimeout(int) when this factory is started.
- Parameters:
sslSessionTimeout - SSL session timeout to set in seconds. A value of -1 (default) uses the JVM default, 0 means unlimited and a positive number is a timeout in seconds.
-
getHostnameVerifier
Get the HostnameVerifier used by a client to verify host names in the server certificate.
- Returns:
- the HostnameVerifier used by a client to verify host names in the server certificate
-
setHostnameVerifier
Sets a HostnameVerifier used by a client to verify host names in the server certificate.
The HostnameVerifier works in conjunction with setEndpointIdentificationAlgorithm(String). When endpointIdentificationAlgorithm == "HTTPS" (the default) the JDK TLS implementation checks that the host name indication set by the client matches the host names in the server certificate. If this check passes successfully, the HostnameVerifier is invoked and the application can perform additional checks and allow/deny the connection to the server. When endpointIdentificationAlgorithm == null the JDK TLS implementation will not check the host names, and any check is therefore performed only by the HostnameVerifier. A verifier that returns true unconditionally in that configuration removes hostname checking entirely; prefer keeping "HTTPS" and using the verifier for additional restrictions rather than as a replacement.
- Parameters:
hostnameVerifier - the HostnameVerifier used by a client to verify host names in the server certificate
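The following is an added example, not code from the Jetty javadoc or project, showing the two client configurations the paragraphs on setEndpointIdentificationAlgorithm(String) and setHostnameVerifier(HostnameVerifier) describe: the weak one (trust all, no endpoint identification) beside a hardened one that keeps the JDK "HTTPS" check and adds an allow-list of peer hosts in the HostnameVerifier. The trust store path, password and allow-list contents are placeholders.

```java
import java.util.Locale;
import java.util.Set;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class ClientHostnamePolicy
{
    // Weak: every certificate is trusted and no host name is checked, so any
    // on-path attacker with a self-signed certificate can impersonate the server.
    // Shown only as the configuration to avoid.
    public static SslContextFactory.Client insecure()
    {
        SslContextFactory.Client ssl = new SslContextFactory.Client(true); // trustAll
        ssl.setEndpointIdentificationAlgorithm(null);
        return ssl;
    }

    // Hardened: explicit trust store, JDK host-name check via "HTTPS", and an
    // additional allow-list check that only runs after the JDK check has passed.
    public static SslContextFactory.Client hardened(Set<String> allowedHosts)
    {
        SslContextFactory.Client ssl = new SslContextFactory.Client();
        ssl.setTrustStorePath("/etc/myapp/tls/truststore.p12");   // assumed path
        ssl.setTrustStorePassword(System.getenv("TRUSTSTORE_PASSWORD"));
        ssl.setEndpointIdentificationAlgorithm("HTTPS");
        ssl.setHostnameVerifier((hostname, session) ->
        {
            // The certificate already matches `hostname` at this point; this check
            // restricts which validly certified peers the client may talk to at all,
            // for example so a redirect cannot send credentials to an unexpected host.
            boolean allowed = allowedHosts.contains(hostname.toLowerCase(Locale.ROOT));
            if (!allowed)
                System.err.println("refusing TLS peer " + hostname
                    + " (protocol " + session.getProtocol() + ")");
            return allowed;
        });
        return ssl;
    }

    public static void main(String[] args)
    {
        SslContextFactory.Client ssl = hardened(Set.of("api.example.com", "backup.example.com"));
        System.out.println("endpoint identification: " + ssl.getEndpointIdentificationAlgorithm());
        System.out.println("hostname verifier set:   " + (ssl.getHostnameVerifier() != null));
    }
}
```

Because the verifier in the hardened variant is invoked only after the JDK has matched the certificate to the host name, returning true from it never widens what the JDK would accept; it can only narrow it. In the insecure variant the verifier would be the sole check, and its default (none) accepts everything.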
-
getPassword
Deprecated, for removal: This API element is subject to removal in a future version. Use getCredential(String) instead.
Returns the Password object for the given realm.
- Parameters:
realm - the realm
- Returns:
- the Password object
-
newPassword
Deprecated, for removal: This API element is subject to removal in a future version. Use newCredential(String) instead.
Creates a new Password object.
- Parameters:
password - the password string
- Returns:
- the new Password object
-
getCredential
Returns the credential object for the given realm.
- Parameters:
realm - the realm
- Returns:
- the Credential object
-
newCredential
Creates a new Credential object.
- Parameters:
password - the password string
- Returns:
- the new Credential object
-
newSslServerSocket
- Throws:
IOException
-
newSslSocket
- Throws:
IOException
-
getCertificateFactoryInstance
- Throws:
CertificateException
-
getCertStoreInstance
protected CertStore getCertStoreInstance(Collection<? extends CRL> crls) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException -
getKeyManagerFactoryInstance
- Throws:
NoSuchAlgorithmException
-
getSecureRandomInstance
- Throws:
NoSuchAlgorithmException
-
getSSLContextInstance
- Throws:
NoSuchAlgorithmException
-
getTrustManagerFactoryInstance
- Throws:
NoSuchAlgorithmException
-
newSSLEngine
Factory method for "scratch" SSLEngines, usually only used for retrieving configuration information such as the application buffer size or the list of protocols/ciphers. This method should not be used for creating SSLEngines that are used in actual socket communication.
- Returns:
- a new, "scratch" SSLEngine
-
newSSLEngine
General purpose factory method for creating SSLEngines, although creation of SSLEngines on the server side should prefer newSSLEngine(InetSocketAddress).
- Parameters:
host - the remote host
port - the remote port
- Returns:
- a new SSLEngine
-
newSSLEngine
Server-side only factory method for creating SSLEngines. If the given address is null, it is equivalent to newSSLEngine(), otherwise newSSLEngine(String, int) is called. Clients that wish to create SSLEngine instances must use newSSLEngine(String, int).
- Parameters:
address - the remote peer address
- Returns:
- a new SSLEngine
-
customize
Customize an SSLEngine instance with the configuration of this factory, by calling customize(SSLParameters).
- Parameters:
sslEngine - the SSLEngine to customize
-
customize
Customize an SSLParameters instance with the configuration of this factory.
- Parameters:
sslParams - The parameters to customize
- Returns:
- The passed instance of sslParams (returned as a convenience)
-
reload
- Throws:
Exception
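reload(Consumer<SslContextFactory>) is the hook for rotating certificates without restarting the server: the consumer may adjust settings, after which the factory re-reads its stores and builds a fresh SSLContext used by new connections. The following is an added example, not code from the Jetty javadoc or project, that polls the key store file's modification time and reloads the factory when it changes; the polling interval and the assumption that the rotated store keeps the same path and password are this example's.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class KeyStoreReloader
{
    private final SslContextFactory.Server ssl;
    private final Path keyStore;
    private FileTime lastSeen;

    public KeyStoreReloader(SslContextFactory.Server ssl, Path keyStore) throws Exception
    {
        this.ssl = ssl;
        this.keyStore = keyStore;
        this.lastSeen = Files.getLastModifiedTime(keyStore);
    }

    // Reloads only when the file on disk changed. Connections established before
    // the reload keep the SSLEngine (and so the certificate) they were created with.
    public synchronized boolean reloadIfChanged() throws Exception
    {
        FileTime now = Files.getLastModifiedTime(keyStore);
        if (now.equals(lastSeen))
            return false;
        ssl.reload(factory ->
        {
            // Settings could be changed here before the stores are re-read, e.g.
            // factory.setKeyStorePath(...) for a new file name. In this example the
            // path is unchanged and only the file content was rotated.
        });
        lastSeen = now;
        return true;
    }

    // Runs the check periodically on a single background thread.
    public ScheduledExecutorService scheduleEvery(long seconds)
    {
        ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor();
        scheduler.scheduleWithFixedDelay(() ->
        {
            try
            {
                if (reloadIfChanged())
                    System.out.println("reloaded TLS configuration from " + keyStore);
            }
            catch (Exception e)
            {
                // A failed reload must be visible: a server left with a stale or
                // unloadable store will start failing handshakes.
                System.err.println("TLS reload failed: " + e);
            }
        }, seconds, seconds, TimeUnit.SECONDS);
        return scheduler;
    }
}
```

Writing the rotated store atomically (write to a temporary file, then rename) matters here: a poller that observes a half-written PKCS12 file will fail the reload, and the factory is left unloaded until the next successful attempt.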
-
getX509CertChain
Obtain the X509 certificate chain from the provided SSLSession using this SslContextFactory's optional provider-specific CertificateFactory.
- Parameters:
sslSession - the session to use for active peer certificates
- Returns:
- the certificate chain
-
getCertChain
Obtain the X509 certificate chain from the provided SSLSession using this SslContextFactory's optional provider-specific CertificateFactory.
- Parameters:
sslSession - the session to use for active peer certificates
- Returns:
- the certificate chain
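The following is an added example, not code from the Jetty javadoc or project, of using getX509CertChain(SSLSession) together with validateCerts(X509Certificate[]) to turn a handshake's peer chain into an application identity: the chain is validated with the factory's configured trust store, CRLs and path-length limit, and only then are the DNS subject alternative names of the leaf returned. It assumes the caller already holds the SSLSession of an established connection and that the factory has a trust store configured (validateCerts requires one); how the session is obtained is outside this snippet.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLSession;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class PeerIdentity
{
    // GeneralName tag for dNSName in a SubjectAlternativeName entry (RFC 5280).
    static final int DNS_NAME = 2;

    // Returns the DNS SANs of the peer's leaf certificate after the whole chain has
    // been validated against this factory's trust store and revocation settings.
    public static List<String> verifiedDnsNames(SslContextFactory ssl, SSLSession session) throws Exception
    {
        X509Certificate[] chain = ssl.getX509CertChain(session);
        if (chain == null || chain.length == 0)
            throw new SecurityException("peer presented no certificate");

        // Runs the factory's certificate validator (trust store, CRLs, max path length).
        // Throws if the chain does not validate; never fall back to the raw chain.
        ssl.validateCerts(chain);

        X509Certificate leaf = chain[0]; // chain[0] is the peer's own certificate
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans != null)
        {
            for (List<?> san : sans)
            {
                if (Integer.valueOf(DNS_NAME).equals(san.get(0)))
                    names.add((String)san.get(1));
            }
        }
        if (names.isEmpty())
            throw new SecurityException("peer certificate carries no dNSName SAN: "
                + leaf.getSubjectX500Principal());
        return names;
    }
}
```

Deriving authorization from the SAN list rather than from the subject CN is deliberate: CN matching is deprecated and a CN can contain almost anything, while a dNSName SAN is what the issuing CA actually vouched for.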
-
deduceKeyLength
public static int deduceKeyLength(String cipherSuite)
Given the name of a TLS/SSL cipher suite, return an int representing its effective stream cipher key strength, i.e. how much entropy is in the key material being fed into the encryption routines. This is based on the information on effective key lengths in RFC 2246 - The TLS Protocol Version 1.0, Appendix C, CipherSuite definitions (* marks exportable ciphers):

Cipher         Type    Effective Key Bits
NULL *         Stream    0
IDEA_CBC       Block   128
RC2_CBC_40 *   Block    40
RC4_40 *       Stream   40
RC4_128        Stream  128
DES40_CBC *    Block    40
DES_CBC        Block    56
3DES_EDE_CBC   Block   168

For unknown ciphers, any substring of digits bounded by '_' is taken as the key length. The value is the nominal key size from the RFC table, not a security margin: 3DES_EDE is reported as 168 although its effective strength is 112 bits, and no value is reported for the mode of operation or the hash.
- Parameters:
cipherSuite - String name of the TLS cipher suite.
- Returns:
- int indicating the effective key entropy bit-length.
-
validateCerts
- Throws:
Exception
-
toString
- Overrides:
toString
in classAbstractLifeCycle
-