Class SslContextFactory
- java.lang.Object
-
- org.eclipse.jetty.util.component.AbstractLifeCycle
-
- org.eclipse.jetty.util.ssl.SslContextFactory
-
- Direct Known Subclasses:
SslContextFactory.Client
,SslContextFactory.Server
@ManagedObject public class SslContextFactory extends AbstractLifeCycle implements Dumpable
SslContextFactory is used to configure SSL parameters to be used by server and client connectors.
Use
SslContextFactory.Server
to configure server-side connectors, andSslContextFactory.Client
to configure HTTP or WebSocket clients.
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static class
SslContextFactory.Client
static class
SslContextFactory.Server
static class
SslContextFactory.X509ExtendedKeyManagerWrapper
A wrapper that delegates to another (if notnull
) X509ExtendedKeyManager.static class
SslContextFactory.X509ExtendedTrustManagerWrapper
A wrapper that delegates to another (if notnull
) X509ExtendedTrustManager.-
Nested classes/interfaces inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle
AbstractLifeCycle.AbstractLifeCycleListener
-
Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.Dumpable
Dumpable.DumpableContainer
-
Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.LifeCycle
LifeCycle.Listener
-
-
Field Summary
Fields Modifier and Type Field Description static java.lang.String
DEFAULT_KEYMANAGERFACTORY_ALGORITHM
static java.lang.String
DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM
static java.lang.String
KEYPASSWORD_PROPERTY
String name of key password property.static java.lang.String
PASSWORD_PROPERTY
String name of keystore password property.static javax.net.ssl.TrustManager[]
TRUST_ALL_CERTS
-
Constructor Summary
Constructors Constructor Description SslContextFactory()
SslContextFactory(boolean trustAll)
Deprecated.useClient(boolean)
insteadSslContextFactory(java.lang.String keyStorePath)
Deprecated.usesetKeyStorePath(String)
instead
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Deprecated Methods Modifier and Type Method Description void
addExcludeCipherSuites(java.lang.String... cipher)
You can either use the exact Cipher suite name or a a regular expression.void
addExcludeProtocols(java.lang.String... protocol)
You can either use the exact Protocol name or a a regular expression.protected void
checkCiphers(javax.net.ssl.SSLParameters supported)
protected void
checkConfiguration()
protected void
checkEndPointIdentificationAlgorithm()
protected void
checkProtocols(javax.net.ssl.SSLParameters supported)
protected void
checkTrustAll()
void
customize(javax.net.ssl.SSLEngine sslEngine)
Customize an SslEngine instance with the configuration of this factory, by callingcustomize(SSLParameters)
javax.net.ssl.SSLParameters
customize(javax.net.ssl.SSLParameters sslParams)
Customize an SslParameters instance with the configuration of this factory.static int
deduceKeyLength(java.lang.String cipherSuite)
Given the name of a TLS/SSL cipher suite, return an int representing it effective stream cipher key strength.protected void
doStart()
Creates the SSLContext object and starts the lifecycleprotected void
doStop()
java.lang.String
dump()
void
dump(java.lang.Appendable out, java.lang.String indent)
Dump this object (and children) into an Appendable using the provided indent after any new lines.java.util.Set<java.lang.String>
getAliases()
java.lang.String
getCertAlias()
static java.security.cert.X509Certificate[]
getCertChain(javax.net.ssl.SSLSession sslSession)
Obtain the X509 Certificate Chain from the provided SSLSession using the defaultCertificateFactory
behaviorsprotected java.security.cert.CertificateFactory
getCertificateFactoryInstance(java.lang.String type)
protected java.security.cert.CertStore
getCertStoreInstance(java.util.Collection<? extends java.security.cert.CRL> crls)
java.util.Comparator<java.lang.String>
getCipherComparator()
java.lang.String
getCrlPath()
java.lang.String
getEndpointIdentificationAlgorithm()
java.lang.String[]
getExcludeCipherSuites()
java.lang.String[]
getExcludeProtocols()
javax.net.ssl.HostnameVerifier
getHostnameVerifier()
java.lang.String[]
getIncludeCipherSuites()
java.lang.String[]
getIncludeProtocols()
java.lang.String
getKeyManagerFactoryAlgorithm()
protected javax.net.ssl.KeyManagerFactory
getKeyManagerFactoryInstance()
protected javax.net.ssl.KeyManager[]
getKeyManagers(java.security.KeyStore keyStore)
java.security.KeyStore
getKeyStore()
java.lang.String
getKeyStorePath()
java.lang.String
getKeyStoreProvider()
Resource
getKeyStoreResource()
java.lang.String
getKeyStoreType()
int
getMaxCertPathLength()
boolean
getNeedClientAuth()
Deprecated.useSslContextFactory.Server.getNeedClientAuth()
insteadjava.lang.String
getOcspResponderURL()
protected Password
getPassword(java.lang.String realm)
Returns the password object for the given realm.java.security.cert.PKIXCertPathChecker
getPkixCertPathChecker()
java.lang.String
getProtocol()
java.lang.String
getProvider()
Get the optional Security Provider name.int
getRenegotiationLimit()
java.lang.String
getSecureRandomAlgorithm()
protected java.security.SecureRandom
getSecureRandomInstance()
java.lang.String[]
getSelectedCipherSuites()
java.lang.String[]
getSelectedProtocols()
javax.net.ssl.SSLContext
getSslContext()
protected javax.net.ssl.SSLContext
getSSLContextInstance()
int
getSslSessionCacheSize()
Get SSL session cache size.int
getSslSessionTimeout()
Get SSL session timeout.java.lang.String
getTrustManagerFactoryAlgorithm()
protected javax.net.ssl.TrustManagerFactory
getTrustManagerFactoryInstance()
protected javax.net.ssl.TrustManager[]
getTrustManagers(java.security.KeyStore trustStore, java.util.Collection<? extends java.security.cert.CRL> crls)
java.security.KeyStore
getTrustStore()
java.lang.String
getTrustStorePath()
java.lang.String
getTrustStoreProvider()
Resource
getTrustStoreResource()
java.lang.String
getTrustStoreType()
boolean
getWantClientAuth()
Deprecated.useSslContextFactory.Server.getWantClientAuth()
insteadX509
getX509(java.lang.String alias)
java.security.cert.X509Certificate[]
getX509CertChain(javax.net.ssl.SSLSession sslSession)
Obtain the X509 Certificate Chain from the provided SSLSession using this SslContextFactory's optional Provider specificCertificateFactory
.boolean
isEnableCRLDP()
boolean
isEnableOCSP()
boolean
isRenegotiationAllowed()
boolean
isSessionCachingEnabled()
boolean
isTrustAll()
boolean
isUseCipherSuitesOrder()
boolean
isValidateCerts()
boolean
isValidatePeerCerts()
protected java.util.Collection<? extends java.security.cert.CRL>
loadCRL(java.lang.String crlPath)
Loads certificate revocation list (CRL) from a file.protected java.security.KeyStore
loadKeyStore(Resource resource)
Override this method to provide alternate way to load a keystore.protected java.security.KeyStore
loadTrustStore(Resource resource)
Override this method to provide alternate way to load a truststore.Password
newPassword(java.lang.String password)
Creates a new Password object.protected java.security.cert.PKIXBuilderParameters
newPKIXBuilderParameters(java.security.KeyStore trustStore, java.util.Collection<? extends java.security.cert.CRL> crls)
protected javax.net.ssl.X509ExtendedKeyManager
newSniX509ExtendedKeyManager(javax.net.ssl.X509ExtendedKeyManager keyManager)
Deprecated.javax.net.ssl.SSLEngine
newSSLEngine()
Factory method for "scratch"SSLEngine
s, usually only used for retrieving configuration information such as the application buffer size or the list of protocols/ciphers.javax.net.ssl.SSLEngine
newSSLEngine(java.lang.String host, int port)
General purpose factory method for creatingSSLEngine
s, although creation ofSSLEngine
s on the server-side should prefernewSSLEngine(InetSocketAddress)
.javax.net.ssl.SSLEngine
newSSLEngine(java.net.InetSocketAddress address)
Server-side only factory method for creatingSSLEngine
s.javax.net.ssl.SSLServerSocket
newSslServerSocket(java.lang.String host, int port, int backlog)
javax.net.ssl.SSLSocket
newSslSocket()
protected void
processIncludeCipherSuites(java.lang.String[] supportedCipherSuites, java.util.List<java.lang.String> selectedCiphers)
Deprecated.no replacementvoid
reload(java.util.function.Consumer<SslContextFactory> consumer)
protected void
removeExcludedCipherSuites(java.util.List<java.lang.String> selectedCiphers)
Deprecated.no replacementprotected void
selectCipherSuites(java.lang.String[] enabledCipherSuites, java.lang.String[] supportedCipherSuites)
Select cipher suites to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported cipher suite lists.void
selectProtocols(java.lang.String[] enabledProtocols, java.lang.String[] supportedProtocols)
Select protocols to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported protocols.void
setCertAlias(java.lang.String certAlias)
Set the default certificate Alias.void
setCipherComparator(java.util.Comparator<java.lang.String> cipherComparator)
void
setCrlPath(java.lang.String crlPath)
void
setEnableCRLDP(boolean enableCRLDP)
Enables CRL Distribution Points Supportvoid
setEnableOCSP(boolean enableOCSP)
Enables On-Line Certificate Status Protocol supportvoid
setEndpointIdentificationAlgorithm(java.lang.String endpointIdentificationAlgorithm)
When set to "HTTPS" hostname verification will be enabled.void
setExcludeCipherSuites(java.lang.String... cipherSuites)
You can either use the exact Cipher suite name or a a regular expression.void
setExcludeProtocols(java.lang.String... protocols)
You can either use the exact Protocol name or a a regular expression.void
setHostnameVerifier(javax.net.ssl.HostnameVerifier hostnameVerifier)
Sets aHostnameVerifier
used by a client to verify host names in the server certificate.void
setIncludeCipherSuites(java.lang.String... cipherSuites)
You can either use the exact Cipher suite name or a a regular expression.void
setIncludeProtocols(java.lang.String... protocols)
You can either use the exact Protocol name or a a regular expression.void
setKeyManagerFactoryAlgorithm(java.lang.String algorithm)
void
setKeyManagerPassword(java.lang.String password)
void
setKeyStore(java.security.KeyStore keyStore)
Set the key store.void
setKeyStorePassword(java.lang.String password)
void
setKeyStorePath(java.lang.String keyStorePath)
void
setKeyStoreProvider(java.lang.String keyStoreProvider)
void
setKeyStoreResource(Resource resource)
Set the key store resource.void
setKeyStoreType(java.lang.String keyStoreType)
void
setMaxCertPathLength(int maxCertPathLength)
void
setNeedClientAuth(boolean needClientAuth)
Deprecated.void
setOcspResponderURL(java.lang.String ocspResponderURL)
Set the location of the OCSP Responder.void
setPkixCertPathChecker(java.security.cert.PKIXCertPathChecker pkixCertPatchChecker)
void
setProtocol(java.lang.String protocol)
void
setProvider(java.lang.String provider)
Set the optional Security Provider name.void
setRenegotiationAllowed(boolean renegotiationAllowed)
void
setRenegotiationLimit(int renegotiationLimit)
void
setSecureRandomAlgorithm(java.lang.String algorithm)
void
setSessionCachingEnabled(boolean enableSessionCaching)
Set the flag to enable SSL Session caching.void
setSslContext(javax.net.ssl.SSLContext sslContext)
void
setSslSessionCacheSize(int sslSessionCacheSize)
Set SSL session cache size.void
setSslSessionTimeout(int sslSessionTimeout)
Set SSL session timeout.void
setTrustAll(boolean trustAll)
void
setTrustManagerFactoryAlgorithm(java.lang.String algorithm)
void
setTrustStore(java.security.KeyStore trustStore)
Set the trust store.void
setTrustStorePassword(java.lang.String password)
void
setTrustStorePath(java.lang.String trustStorePath)
void
setTrustStoreProvider(java.lang.String trustStoreProvider)
void
setTrustStoreResource(Resource resource)
Set the trust store resource.void
setTrustStoreType(java.lang.String trustStoreType)
void
setUseCipherSuitesOrder(boolean useCipherSuitesOrder)
void
setValidateCerts(boolean validateCerts)
void
setValidatePeerCerts(boolean validatePeerCerts)
void
setWantClientAuth(boolean wantClientAuth)
Deprecated.java.lang.String
toString()
-
Methods inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle
addLifeCycleListener, getState, getState, getStopTimeout, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, setStopTimeout, start, stop
-
-
-
-
Field Detail
-
TRUST_ALL_CERTS
public static final javax.net.ssl.TrustManager[] TRUST_ALL_CERTS
-
DEFAULT_KEYMANAGERFACTORY_ALGORITHM
public static final java.lang.String DEFAULT_KEYMANAGERFACTORY_ALGORITHM
-
DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM
public static final java.lang.String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM
-
KEYPASSWORD_PROPERTY
public static final java.lang.String KEYPASSWORD_PROPERTY
String name of key password property.- See Also:
- Constant Field Values
-
PASSWORD_PROPERTY
public static final java.lang.String PASSWORD_PROPERTY
String name of keystore password property.- See Also:
- Constant Field Values
-
-
Constructor Detail
-
SslContextFactory
@Deprecated public SslContextFactory()
Construct an instance of SslContextFactory with the default configuration.
-
SslContextFactory
@Deprecated public SslContextFactory(boolean trustAll)
Deprecated.useClient(boolean)
insteadConstruct an instance of SslContextFactory Default constructor for use in XmlConfiguration files- Parameters:
trustAll
- whether to blindly trust all certificates- See Also:
setTrustAll(boolean)
-
SslContextFactory
@Deprecated public SslContextFactory(java.lang.String keyStorePath)
Deprecated.usesetKeyStorePath(String)
insteadConstruct an instance of SslContextFactory- Parameters:
keyStorePath
- default keystore location
-
-
Method Detail
-
doStart
protected void doStart() throws java.lang.Exception
Creates the SSLContext object and starts the lifecycle- Overrides:
doStart
in classAbstractLifeCycle
- Throws:
java.lang.Exception
-
checkConfiguration
protected void checkConfiguration()
-
checkTrustAll
protected void checkTrustAll()
-
checkEndPointIdentificationAlgorithm
protected void checkEndPointIdentificationAlgorithm()
-
checkProtocols
protected void checkProtocols(javax.net.ssl.SSLParameters supported)
-
checkCiphers
protected void checkCiphers(javax.net.ssl.SSLParameters supported)
-
dump
public void dump(java.lang.Appendable out, java.lang.String indent) throws java.io.IOException
Description copied from interface:Dumpable
Dump this object (and children) into an Appendable using the provided indent after any new lines. The indent should not be applied to the first object dumped.
-
doStop
protected void doStop() throws java.lang.Exception
- Overrides:
doStop
in classAbstractLifeCycle
- Throws:
java.lang.Exception
-
getSelectedProtocols
@ManagedAttribute(value="The selected TLS protocol versions", readonly=true) public java.lang.String[] getSelectedProtocols()
-
getSelectedCipherSuites
@ManagedAttribute(value="The selected cipher suites", readonly=true) public java.lang.String[] getSelectedCipherSuites()
-
getCipherComparator
public java.util.Comparator<java.lang.String> getCipherComparator()
-
setCipherComparator
public void setCipherComparator(java.util.Comparator<java.lang.String> cipherComparator)
-
getAliases
public java.util.Set<java.lang.String> getAliases()
-
getX509
public X509 getX509(java.lang.String alias)
-
getExcludeProtocols
@ManagedAttribute("The excluded TLS protocols") public java.lang.String[] getExcludeProtocols()
- Returns:
- The array of protocol names to exclude from
SSLEngine.setEnabledProtocols(String[])
-
setExcludeProtocols
public void setExcludeProtocols(java.lang.String... protocols)
You can either use the exact Protocol name or a a regular expression.- Parameters:
protocols
- The array of protocol names to exclude fromSSLEngine.setEnabledProtocols(String[])
-
addExcludeProtocols
public void addExcludeProtocols(java.lang.String... protocol)
You can either use the exact Protocol name or a a regular expression.- Parameters:
protocol
- Protocol name patterns to add toSSLEngine.setEnabledProtocols(String[])
-
getIncludeProtocols
@ManagedAttribute("The included TLS protocols") public java.lang.String[] getIncludeProtocols()
- Returns:
- The array of protocol name patterns to include in
SSLEngine.setEnabledProtocols(String[])
-
setIncludeProtocols
public void setIncludeProtocols(java.lang.String... protocols)
You can either use the exact Protocol name or a a regular expression.- Parameters:
protocols
- The array of protocol name patterns to include inSSLEngine.setEnabledProtocols(String[])
-
getExcludeCipherSuites
@ManagedAttribute("The excluded cipher suites") public java.lang.String[] getExcludeCipherSuites()
- Returns:
- The array of cipher suite name patterns to exclude from
SSLEngine.setEnabledCipherSuites(String[])
-
setExcludeCipherSuites
public void setExcludeCipherSuites(java.lang.String... cipherSuites)
You can either use the exact Cipher suite name or a a regular expression.- Parameters:
cipherSuites
- The array of cipher suite names to exclude fromSSLEngine.setEnabledCipherSuites(String[])
-
addExcludeCipherSuites
public void addExcludeCipherSuites(java.lang.String... cipher)
You can either use the exact Cipher suite name or a a regular expression.- Parameters:
cipher
- Cipher names to add toSSLEngine.setEnabledCipherSuites(String[])
-
getIncludeCipherSuites
@ManagedAttribute("The included cipher suites") public java.lang.String[] getIncludeCipherSuites()
- Returns:
- The array of Cipher suite names to include in
SSLEngine.setEnabledCipherSuites(String[])
-
setIncludeCipherSuites
public void setIncludeCipherSuites(java.lang.String... cipherSuites)
You can either use the exact Cipher suite name or a a regular expression.- Parameters:
cipherSuites
- The array of cipher suite names to include inSSLEngine.setEnabledCipherSuites(String[])
-
isUseCipherSuitesOrder
@ManagedAttribute("Whether to respect the cipher suites order") public boolean isUseCipherSuitesOrder()
-
setUseCipherSuitesOrder
public void setUseCipherSuitesOrder(boolean useCipherSuitesOrder)
-
getKeyStorePath
@ManagedAttribute("The keyStore path") public java.lang.String getKeyStorePath()
- Returns:
- The file or URL of the SSL Key store.
-
setKeyStorePath
public void setKeyStorePath(java.lang.String keyStorePath)
- Parameters:
keyStorePath
- The file or URL of the SSL Key store.
-
getKeyStoreProvider
@ManagedAttribute("The keyStore provider name") public java.lang.String getKeyStoreProvider()
- Returns:
- The provider of the key store
-
setKeyStoreProvider
public void setKeyStoreProvider(java.lang.String keyStoreProvider)
- Parameters:
keyStoreProvider
- The provider of the key store
-
getKeyStoreType
@ManagedAttribute("The keyStore type") public java.lang.String getKeyStoreType()
- Returns:
- The type of the key store (default "JKS")
-
setKeyStoreType
public void setKeyStoreType(java.lang.String keyStoreType)
- Parameters:
keyStoreType
- The type of the key store (default "JKS")
-
getCertAlias
@ManagedAttribute("The certificate alias") public java.lang.String getCertAlias()
- Returns:
- Alias of SSL certificate for the connector
-
setCertAlias
public void setCertAlias(java.lang.String certAlias)
Set the default certificate Alias.This can be used if there are multiple non-SNI certificates to specify the certificate that should be used, or with SNI certificates to set a certificate to try if no others match
- Parameters:
certAlias
- Alias of SSL certificate for the connector
-
getTrustStorePath
@ManagedAttribute("The trustStore path") public java.lang.String getTrustStorePath()
-
setTrustStorePath
public void setTrustStorePath(java.lang.String trustStorePath)
- Parameters:
trustStorePath
- The file name or URL of the trust store location
-
getTrustStoreProvider
@ManagedAttribute("The trustStore provider name") public java.lang.String getTrustStoreProvider()
- Returns:
- The provider of the trust store
-
setTrustStoreProvider
public void setTrustStoreProvider(java.lang.String trustStoreProvider)
- Parameters:
trustStoreProvider
- The provider of the trust store
-
getTrustStoreType
@ManagedAttribute("The trustStore type") public java.lang.String getTrustStoreType()
- Returns:
- The type of the trust store
-
setTrustStoreType
public void setTrustStoreType(java.lang.String trustStoreType)
- Parameters:
trustStoreType
- The type of the trust store
-
getNeedClientAuth
@ManagedAttribute("Whether client authentication is needed") @Deprecated public boolean getNeedClientAuth()
Deprecated.useSslContextFactory.Server.getNeedClientAuth()
instead- Returns:
- True if SSL needs client authentication.
- See Also:
SSLEngine.getNeedClientAuth()
-
setNeedClientAuth
@Deprecated public void setNeedClientAuth(boolean needClientAuth)
Deprecated.- Parameters:
needClientAuth
- True if SSL needs client authentication.- See Also:
SSLEngine.getNeedClientAuth()
-
getWantClientAuth
@ManagedAttribute("Whether client authentication is wanted") @Deprecated public boolean getWantClientAuth()
Deprecated.useSslContextFactory.Server.getWantClientAuth()
instead- Returns:
- True if SSL wants client authentication.
- See Also:
SSLEngine.getWantClientAuth()
-
setWantClientAuth
@Deprecated public void setWantClientAuth(boolean wantClientAuth)
Deprecated.- Parameters:
wantClientAuth
- True if SSL wants client authentication.- See Also:
SSLEngine.getWantClientAuth()
-
isValidateCerts
@ManagedAttribute("Whether certificates are validated") public boolean isValidateCerts()
- Returns:
- true if SSL certificate has to be validated
-
setValidateCerts
public void setValidateCerts(boolean validateCerts)
- Parameters:
validateCerts
- true if SSL certificates have to be validated
-
isValidatePeerCerts
@ManagedAttribute("Whether peer certificates are validated") public boolean isValidatePeerCerts()
- Returns:
- true if SSL certificates of the peer have to be validated
-
setValidatePeerCerts
public void setValidatePeerCerts(boolean validatePeerCerts)
- Parameters:
validatePeerCerts
- true if SSL certificates of the peer have to be validated
-
setKeyStorePassword
public void setKeyStorePassword(java.lang.String password)
- Parameters:
password
- The password for the key store. If null is passed and a keystore is set, then thegetPassword(String)
is used to obtain a password either from the "org.eclipse.jetty.ssl.password" system property or by prompting for manual entry.
-
setKeyManagerPassword
public void setKeyManagerPassword(java.lang.String password)
- Parameters:
password
- The password (if any) for the specific key within the key store. If null is passed and the "org.eclipse.jetty.ssl.keypassword" system property is set, then thegetPassword(String)
is used to obtain a password from the "org.eclipse.jetty.ssl.keypassword" system property.
-
setTrustStorePassword
public void setTrustStorePassword(java.lang.String password)
- Parameters:
password
- The password for the truststore. If null is passed and a truststore is set that is different from the keystore, then thegetPassword(String)
is used to obtain a password either from the "org.eclipse.jetty.ssl.password" system property or by prompting for manual entry.
-
getProvider
@ManagedAttribute("The provider name") public java.lang.String getProvider()
Get the optional Security Provider name.
Security Provider name used with:
SecureRandom.getInstance(String, String)
SSLContext.getInstance(String, String)
TrustManagerFactory.getInstance(String, String)
KeyManagerFactory.getInstance(String, String)
CertStore.getInstance(String, CertStoreParameters, String)
CertificateFactory.getInstance(String, String)
- Returns:
- The optional Security Provider name.
-
setProvider
public void setProvider(java.lang.String provider)
Set the optional Security Provider name.
Security Provider name used with:
SecureRandom.getInstance(String, String)
SSLContext.getInstance(String, String)
TrustManagerFactory.getInstance(String, String)
KeyManagerFactory.getInstance(String, String)
CertStore.getInstance(String, CertStoreParameters, String)
CertificateFactory.getInstance(String, String)
- Parameters:
provider
- The optional Security Provider name.
-
getProtocol
@ManagedAttribute("The TLS protocol") public java.lang.String getProtocol()
- Returns:
- The SSL protocol (default "TLS") passed to
SSLContext.getInstance(String, String)
-
setProtocol
public void setProtocol(java.lang.String protocol)
- Parameters:
protocol
- The SSL protocol (default "TLS") passed toSSLContext.getInstance(String, String)
-
getSecureRandomAlgorithm
@ManagedAttribute("The SecureRandom algorithm") public java.lang.String getSecureRandomAlgorithm()
- Returns:
- The algorithm name, which if set is passed to
SecureRandom.getInstance(String)
to obtain theSecureRandom
instance passed toSSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)
-
setSecureRandomAlgorithm
public void setSecureRandomAlgorithm(java.lang.String algorithm)
- Parameters:
algorithm
- The algorithm name, which if set is passed toSecureRandom.getInstance(String)
to obtain theSecureRandom
instance passed toSSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)
-
getKeyManagerFactoryAlgorithm
@ManagedAttribute("The KeyManagerFactory algorithm") public java.lang.String getKeyManagerFactoryAlgorithm()
- Returns:
- The algorithm name (default "SunX509") used by the
KeyManagerFactory
-
setKeyManagerFactoryAlgorithm
public void setKeyManagerFactoryAlgorithm(java.lang.String algorithm)
- Parameters:
algorithm
- The algorithm name (default "SunX509") used by theKeyManagerFactory
-
getTrustManagerFactoryAlgorithm
@ManagedAttribute("The TrustManagerFactory algorithm") public java.lang.String getTrustManagerFactoryAlgorithm()
- Returns:
- The algorithm name (default "SunX509") used by the
TrustManagerFactory
-
isTrustAll
@ManagedAttribute("Whether certificates should be trusted even if they are invalid") public boolean isTrustAll()
- Returns:
- True if all certificates should be trusted if there is no KeyStore or TrustStore
-
setTrustAll
public void setTrustAll(boolean trustAll)
- Parameters:
trustAll
- True if all certificates should be trusted if there is no KeyStore or TrustStore
-
setTrustManagerFactoryAlgorithm
public void setTrustManagerFactoryAlgorithm(java.lang.String algorithm)
- Parameters:
algorithm
- The algorithm name (default "SunX509") used by theTrustManagerFactory
Use the string "TrustAll" to install a trust manager that trusts all.
-
isRenegotiationAllowed
@ManagedAttribute("Whether renegotiation is allowed") public boolean isRenegotiationAllowed()
- Returns:
- whether TLS renegotiation is allowed (true by default)
-
setRenegotiationAllowed
public void setRenegotiationAllowed(boolean renegotiationAllowed)
- Parameters:
renegotiationAllowed
- whether TLS renegotiation is allowed
-
getRenegotiationLimit
@ManagedAttribute("The max number of renegotiations allowed") public int getRenegotiationLimit()
- Returns:
- The number of renegotiations allowed for this connection. When the limit is 0 renegotiation will be denied. If the limit is less than 0 then no limit is applied.
-
setRenegotiationLimit
public void setRenegotiationLimit(int renegotiationLimit)
- Parameters:
renegotiationLimit
- The number of renegotions allowed for this connection. When the limit is 0 renegotiation will be denied. If the limit is less than 0 then no limit is applied. Default 5.
-
getCrlPath
@ManagedAttribute("The path to the certificate revocation list file") public java.lang.String getCrlPath()
- Returns:
- Path to file that contains Certificate Revocation List
-
setCrlPath
public void setCrlPath(java.lang.String crlPath)
- Parameters:
crlPath
- Path to file that contains Certificate Revocation List
-
getMaxCertPathLength
@ManagedAttribute("The maximum number of intermediate certificates") public int getMaxCertPathLength()
- Returns:
- Maximum number of intermediate certificates in the certification path (-1 for unlimited)
-
setMaxCertPathLength
public void setMaxCertPathLength(int maxCertPathLength)
- Parameters:
maxCertPathLength
- maximum number of intermediate certificates in the certification path (-1 for unlimited)
-
getSslContext
public javax.net.ssl.SSLContext getSslContext()
- Returns:
- The SSLContext
-
setSslContext
public void setSslContext(javax.net.ssl.SSLContext sslContext)
- Parameters:
sslContext
- Set a preconfigured SSLContext
-
getEndpointIdentificationAlgorithm
@ManagedAttribute("The endpoint identification algorithm") public java.lang.String getEndpointIdentificationAlgorithm()
- Returns:
- the endpoint identification algorithm
-
setEndpointIdentificationAlgorithm
public void setEndpointIdentificationAlgorithm(java.lang.String endpointIdentificationAlgorithm)
When set to "HTTPS" hostname verification will be enabled. Deployments can be vulnerable to a man-in-the-middle attack if a EndpointIndentificationAlgorithm is not set.- Parameters:
endpointIdentificationAlgorithm
- Set the endpointIdentificationAlgorithm- See Also:
setHostnameVerifier(HostnameVerifier)
-
getPkixCertPathChecker
public java.security.cert.PKIXCertPathChecker getPkixCertPathChecker()
-
setPkixCertPathChecker
public void setPkixCertPathChecker(java.security.cert.PKIXCertPathChecker pkixCertPatchChecker)
-
loadKeyStore
protected java.security.KeyStore loadKeyStore(Resource resource) throws java.lang.Exception
Override this method to provide alternate way to load a keystore.- Parameters:
resource
- the resource to load the keystore from- Returns:
- the key store instance
- Throws:
java.lang.Exception
- if the keystore cannot be loaded
-
loadTrustStore
protected java.security.KeyStore loadTrustStore(Resource resource) throws java.lang.Exception
Override this method to provide alternate way to load a truststore.- Parameters:
resource
- the resource to load the truststore from- Returns:
- the key store instance
- Throws:
java.lang.Exception
- if the truststore cannot be loaded
-
loadCRL
protected java.util.Collection<? extends java.security.cert.CRL> loadCRL(java.lang.String crlPath) throws java.lang.Exception
Loads certificate revocation list (CRL) from a file.Required for integrations to be able to override the mechanism used to load CRL in order to provide their own implementation.
- Parameters:
crlPath
- path of certificate revocation list file- Returns:
- Collection of CRL's
- Throws:
java.lang.Exception
- if the certificate revocation list cannot be loaded
-
getKeyManagers
protected javax.net.ssl.KeyManager[] getKeyManagers(java.security.KeyStore keyStore) throws java.lang.Exception
- Throws:
java.lang.Exception
-
newSniX509ExtendedKeyManager
@Deprecated protected javax.net.ssl.X509ExtendedKeyManager newSniX509ExtendedKeyManager(javax.net.ssl.X509ExtendedKeyManager keyManager)
Deprecated.
-
getTrustManagers
protected javax.net.ssl.TrustManager[] getTrustManagers(java.security.KeyStore trustStore, java.util.Collection<? extends java.security.cert.CRL> crls) throws java.lang.Exception
- Throws:
java.lang.Exception
-
newPKIXBuilderParameters
protected java.security.cert.PKIXBuilderParameters newPKIXBuilderParameters(java.security.KeyStore trustStore, java.util.Collection<? extends java.security.cert.CRL> crls) throws java.lang.Exception
- Throws:
java.lang.Exception
-
selectProtocols
public void selectProtocols(java.lang.String[] enabledProtocols, java.lang.String[] supportedProtocols)
Select protocols to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported protocols.- Parameters:
enabledProtocols
- Array of enabled protocolssupportedProtocols
- Array of supported protocols
-
selectCipherSuites
protected void selectCipherSuites(java.lang.String[] enabledCipherSuites, java.lang.String[] supportedCipherSuites)
Select cipher suites to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported cipher suite lists.- Parameters:
enabledCipherSuites
- Array of enabled cipher suitessupportedCipherSuites
- Array of supported cipher suites
-
processIncludeCipherSuites
@Deprecated protected void processIncludeCipherSuites(java.lang.String[] supportedCipherSuites, java.util.List<java.lang.String> selectedCiphers)
Deprecated.no replacement
-
removeExcludedCipherSuites
@Deprecated protected void removeExcludedCipherSuites(java.util.List<java.lang.String> selectedCiphers)
Deprecated.no replacement
-
isEnableCRLDP
@ManagedAttribute("Whether certificate revocation list distribution points is enabled") public boolean isEnableCRLDP()
- Returns:
- true if CRL Distribution Points support is enabled
-
setEnableCRLDP
public void setEnableCRLDP(boolean enableCRLDP)
Enables CRL Distribution Points Support- Parameters:
enableCRLDP
- true - turn on, false - turns off
-
isEnableOCSP
@ManagedAttribute("Whether online certificate status protocol support is enabled") public boolean isEnableOCSP()
- Returns:
- true if On-Line Certificate Status Protocol support is enabled
-
setEnableOCSP
public void setEnableOCSP(boolean enableOCSP)
Enables On-Line Certificate Status Protocol support- Parameters:
enableOCSP
- true - turn on, false - turn off
-
getOcspResponderURL
@ManagedAttribute("The online certificate status protocol URL") public java.lang.String getOcspResponderURL()
- Returns:
- Location of the OCSP Responder
-
setOcspResponderURL
public void setOcspResponderURL(java.lang.String ocspResponderURL)
Set the location of the OCSP Responder.- Parameters:
ocspResponderURL
- location of the OCSP Responder
-
setKeyStore
public void setKeyStore(java.security.KeyStore keyStore)
Set the key store.- Parameters:
keyStore
- the key store to set
-
getKeyStore
public java.security.KeyStore getKeyStore()
-
setTrustStore
public void setTrustStore(java.security.KeyStore trustStore)
Set the trust store.- Parameters:
trustStore
- the trust store to set
-
getTrustStore
public java.security.KeyStore getTrustStore()
-
setKeyStoreResource
public void setKeyStoreResource(Resource resource)
Set the key store resource.- Parameters:
resource
- the key store resource to set
-
getKeyStoreResource
public Resource getKeyStoreResource()
-
setTrustStoreResource
public void setTrustStoreResource(Resource resource)
Set the trust store resource.- Parameters:
resource
- the trust store resource to set
-
getTrustStoreResource
public Resource getTrustStoreResource()
-
isSessionCachingEnabled
@ManagedAttribute("Whether TLS session caching is enabled") public boolean isSessionCachingEnabled()
- Returns:
- true if SSL Session caching is enabled
-
setSessionCachingEnabled
public void setSessionCachingEnabled(boolean enableSessionCaching)
Set the flag to enable SSL Session caching. If set to true, then theSSLContext.createSSLEngine(String, int)
method is used to pass host and port information as a hint for session reuse. Note that this is only a hint and session may not be reused. Moreover, the hint is typically only used on client side implementations and setting this to false does not stop a server from accepting an offered session ID to reuse.- Parameters:
enableSessionCaching
- the value of the flag
-
getSslSessionCacheSize
@ManagedAttribute("The maximum TLS session cache size") public int getSslSessionCacheSize()
Get SSL session cache size. Passed directly toSSLSessionContext.setSessionCacheSize(int)
- Returns:
- SSL session cache size
-
setSslSessionCacheSize
public void setSslSessionCacheSize(int sslSessionCacheSize)
Set SSL session cache size.Set the max cache size to be set on
SSLSessionContext.setSessionCacheSize(int)
when this factory is started.- Parameters:
sslSessionCacheSize
- SSL session cache size to set. A value of -1 (default) uses the JVM default, 0 means unlimited and positive number is a max size.
-
getSslSessionTimeout
@ManagedAttribute("The TLS session cache timeout, in seconds") public int getSslSessionTimeout()
Get SSL session timeout.- Returns:
- SSL session timeout
-
setSslSessionTimeout
public void setSslSessionTimeout(int sslSessionTimeout)
Set SSL session timeout.Set the timeout in seconds to be set on
SSLSessionContext.setSessionTimeout(int)
when this factory is started.- Parameters:
sslSessionTimeout
- SSL session timeout to set in seconds. A value of -1 (default) uses the JVM default, 0 means unlimited and positive number is a timeout in seconds.
-
getHostnameVerifier
public javax.net.ssl.HostnameVerifier getHostnameVerifier()
- Returns:
- the HostnameVerifier used by a client to verify host names in the server certificate
-
setHostnameVerifier
public void setHostnameVerifier(javax.net.ssl.HostnameVerifier hostnameVerifier)
Sets a
HostnameVerifier
used by a client to verify host names in the server certificate.The
HostnameVerifier
works in conjunction withsetEndpointIdentificationAlgorithm(String)
.When
endpointIdentificationAlgorithm=="HTTPS"
(the default) the JDK TLS implementation checks that the host name indication set by the client matches the host names in the server certificate. If this check passes successfully, theHostnameVerifier
is invoked and the application can perform additional checks and allow/deny the connection to the server.When
endpointIdentificationAlgorithm==null
the JDK TLS implementation will not check the host names, and any check is therefore performed only by theHostnameVerifier.
- Parameters:
hostnameVerifier
- the HostnameVerifier used by a client to verify host names in the server certificate
-
getPassword
protected Password getPassword(java.lang.String realm)
Returns the password object for the given realm.- Parameters:
realm
- the realm- Returns:
- the Password object
-
newPassword
public Password newPassword(java.lang.String password)
Creates a new Password object.- Parameters:
password
- the password string- Returns:
- the new Password object
-
newSslServerSocket
public javax.net.ssl.SSLServerSocket newSslServerSocket(java.lang.String host, int port, int backlog) throws java.io.IOException
- Throws:
java.io.IOException
-
newSslSocket
public javax.net.ssl.SSLSocket newSslSocket() throws java.io.IOException
- Throws:
java.io.IOException
-
getCertificateFactoryInstance
protected java.security.cert.CertificateFactory getCertificateFactoryInstance(java.lang.String type) throws java.security.cert.CertificateException
- Throws:
java.security.cert.CertificateException
-
getCertStoreInstance
protected java.security.cert.CertStore getCertStoreInstance(java.util.Collection<? extends java.security.cert.CRL> crls) throws java.security.InvalidAlgorithmParameterException, java.security.NoSuchAlgorithmException
- Throws:
java.security.InvalidAlgorithmParameterException
java.security.NoSuchAlgorithmException
-
getKeyManagerFactoryInstance
protected javax.net.ssl.KeyManagerFactory getKeyManagerFactoryInstance() throws java.security.NoSuchAlgorithmException
- Throws:
java.security.NoSuchAlgorithmException
-
getSecureRandomInstance
protected java.security.SecureRandom getSecureRandomInstance() throws java.security.NoSuchAlgorithmException
- Throws:
java.security.NoSuchAlgorithmException
-
getSSLContextInstance
protected javax.net.ssl.SSLContext getSSLContextInstance() throws java.security.NoSuchAlgorithmException
- Throws:
java.security.NoSuchAlgorithmException
-
getTrustManagerFactoryInstance
protected javax.net.ssl.TrustManagerFactory getTrustManagerFactoryInstance() throws java.security.NoSuchAlgorithmException
- Throws:
java.security.NoSuchAlgorithmException
-
newSSLEngine
public javax.net.ssl.SSLEngine newSSLEngine()
Factory method for "scratch"SSLEngine
s, usually only used for retrieving configuration information such as the application buffer size or the list of protocols/ciphers.This method should not be used for creating
SSLEngine
s that are used in actual socket communication.- Returns:
- a new, "scratch"
SSLEngine
-
newSSLEngine
public javax.net.ssl.SSLEngine newSSLEngine(java.lang.String host, int port)
General purpose factory method for creatingSSLEngine
s, although creation ofSSLEngine
s on the server-side should prefernewSSLEngine(InetSocketAddress)
.- Parameters:
host
- the remote hostport
- the remote port- Returns:
- a new
SSLEngine
-
newSSLEngine
public javax.net.ssl.SSLEngine newSSLEngine(java.net.InetSocketAddress address)
Server-side only factory method for creatingSSLEngine
s.If the given
address
is null, it is equivalent tonewSSLEngine()
, otherwisenewSSLEngine(String, int)
is called.Clients that wish to create
SSLEngine
instances must usenewSSLEngine(String, int)
.- Parameters:
address
- the remote peer address- Returns:
- a new
SSLEngine
-
customize
public void customize(javax.net.ssl.SSLEngine sslEngine)
Customize an SslEngine instance with the configuration of this factory, by callingcustomize(SSLParameters)
- Parameters:
sslEngine
- the SSLEngine to customize
-
customize
public javax.net.ssl.SSLParameters customize(javax.net.ssl.SSLParameters sslParams)
Customize an SslParameters instance with the configuration of this factory.- Parameters:
sslParams
- The parameters to customize- Returns:
- The passed instance of sslParams (returned as a convenience)
-
reload
public void reload(java.util.function.Consumer<SslContextFactory> consumer) throws java.lang.Exception
- Throws:
java.lang.Exception
-
getX509CertChain
public java.security.cert.X509Certificate[] getX509CertChain(javax.net.ssl.SSLSession sslSession)
Obtain the X509 Certificate Chain from the provided SSLSession using this SslContextFactory's optional Provider specificCertificateFactory
.- Parameters:
sslSession
- the session to use for active peer certificates- Returns:
- the certificate chain
-
getCertChain
public static java.security.cert.X509Certificate[] getCertChain(javax.net.ssl.SSLSession sslSession)
Obtain the X509 Certificate Chain from the provided SSLSession using the defaultCertificateFactory
behaviors- Parameters:
sslSession
- the session to use for active peer certificates- Returns:
- the certificate chain
-
deduceKeyLength
public static int deduceKeyLength(java.lang.String cipherSuite)
Given the name of a TLS/SSL cipher suite, return an int representing it effective stream cipher key strength. i.e. How much entropy material is in the key material being fed into the encryption routines.This is based on the information on effective key lengths in RFC 2246 - The TLS Protocol Version 1.0, Appendix C. CipherSuite definitions:
Effective Cipher Type Key Bits NULL * Stream 0 IDEA_CBC Block 128 RC2_CBC_40 * Block 40 RC4_40 * Stream 40 RC4_128 Stream 128 DES40_CBC * Block 40 DES_CBC Block 56 3DES_EDE_CBC Block 168
- Parameters:
cipherSuite
- String name of the TLS cipher suite.- Returns:
- int indicating the effective key entropy bit-length.
-
toString
public java.lang.String toString()
- Overrides:
toString
in classAbstractLifeCycle
-
-