@ManagedObject public static class SslContextFactory.Server extends SslContextFactory implements SniX509ExtendedKeyManager.SniSelector
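Nested classes/interfaces inherited from class SslContextFactory: SslContextFactory.Client, SslContextFactory.Server, SslContextFactory.X509ExtendedKeyManagerWrapper, SslContextFactory.X509ExtendedTrustManagerWrapper
Nested classes/interfaces inherited from class AbstractLifeCycle: AbstractLifeCycle.AbstractLifeCycleListener
Nested classes/interfaces inherited from interface LifeCycle: LifeCycle.Listener
Fields inherited from class SslContextFactory: DEFAULT_KEYMANAGERFACTORY_ALGORITHM, DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM, KEYPASSWORD_PROPERTY, PASSWORD_PROPERTY, TRUST_ALL_CERTS
Fields inherited from class AbstractLifeCycle: FAILED, RUNNING, STARTED, STARTING, STOPPED, STOPPING
Fields inherited from interface SniX509ExtendedKeyManager.SniSelector: DELEGATE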
Constructor and Description |
---|
Server() |
Modifier and Type | Method and Description |
---|---|
boolean | getNeedClientAuth() |
SniX509ExtendedKeyManager.SniSelector | getSNISelector() |
boolean | getWantClientAuth() |
boolean | isSniRequired(): Does the default sniSelect(String, Principal[], SSLSession, String, Collection) implementation require an SNI match? Note that if a non-SNI handshake is accepted, requests may still be rejected at the HTTP level for incorrect SNI (see SecureRequestCustomizer). |
void | setNeedClientAuth(boolean needClientAuth) |
void | setSniRequired(boolean sniRequired): Sets whether the default sniSelect(String, Principal[], SSLSession, String, Collection) implementation requires an SNI match. Note that if a non-SNI handshake is accepted, requests may still be rejected at the HTTP level for incorrect SNI (see SecureRequestCustomizer). |
void | setSNISelector(SniX509ExtendedKeyManager.SniSelector sniSelector): Sets a custom function to select certificates based on SNI information. |
void | setWantClientAuth(boolean wantClientAuth) |
String | sniSelect(String keyType, Principal[] issuers, SSLSession session, String sniHost, Collection<X509> certificates): Selects a certificate based on SNI information. |
Methods inherited from class SslContextFactory: addExcludeCipherSuites, addExcludeProtocols, customize, customize, deduceKeyLength, dump, dump, getAliases, getCertAlias, getCertChain, getCipherComparator, getCrlPath, getEndpointIdentificationAlgorithm, getExcludeCipherSuites, getExcludeProtocols, getHostnameVerifier, getIncludeCipherSuites, getIncludeProtocols, getKeyManagerFactoryAlgorithm, getKeyStore, getKeyStorePath, getKeyStoreProvider, getKeyStoreResource, getKeyStoreType, getMaxCertPathLength, getOcspResponderURL, getPkixCertPathChecker, getProtocol, getProvider, getRenegotiationLimit, getSecureRandomAlgorithm, getSelectedCipherSuites, getSelectedProtocols, getSslContext, getSslSessionCacheSize, getSslSessionTimeout, getTrustManagerFactoryAlgorithm, getTrustStore, getTrustStorePath, getTrustStoreProvider, getTrustStoreResource, getTrustStoreType, getX509, getX509CertChain, isEnableCRLDP, isEnableOCSP, isRenegotiationAllowed, isSessionCachingEnabled, isTrustAll, isUseCipherSuitesOrder, isValidateCerts, isValidatePeerCerts, newPassword, newSSLEngine, newSSLEngine, newSSLEngine, newSslServerSocket, newSslSocket, reload, selectProtocols, setCertAlias, setCipherComparator, setCrlPath, setEnableCRLDP, setEnableOCSP, setEndpointIdentificationAlgorithm, setExcludeCipherSuites, setExcludeProtocols, setHostnameVerifier, setIncludeCipherSuites, setIncludeProtocols, setKeyManagerFactoryAlgorithm, setKeyManagerPassword, setKeyStore, setKeyStorePassword, setKeyStorePath, setKeyStoreProvider, setKeyStoreResource, setKeyStoreType, setMaxCertPathLength, setOcspResponderURL, setPkixCertPathChecker, setProtocol, setProvider, setRenegotiationAllowed, setRenegotiationLimit, setSecureRandomAlgorithm, setSessionCachingEnabled, setSslContext, setSslSessionCacheSize, setSslSessionTimeout, setTrustAll, setTrustManagerFactoryAlgorithm, setTrustStore, setTrustStorePassword, setTrustStorePath, setTrustStoreProvider, setTrustStoreResource, setTrustStoreType, setUseCipherSuitesOrder, setValidateCerts, setValidatePeerCerts, toString
Methods inherited from class AbstractLifeCycle: addLifeCycleListener, getState, getState, getStopTimeout, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, setStopTimeout, start, stop
Methods inherited from class Object: equals, getClass, hashCode, notify, notifyAll, wait, wait, wait
Methods inherited from interface Dumpable: dump, dumpContainer, dumpIterable, dumpMapEntries, dumpObject, dumpObjects, dumpSelf, named
public boolean getWantClientAuth()
Overrides: getWantClientAuth in class SslContextFactory
See Also: SSLEngine.getWantClientAuth()

public void setWantClientAuth(boolean wantClientAuth)
Overrides: setWantClientAuth in class SslContextFactory
Parameters: wantClientAuth - True if SSL wants client authentication.
See Also: SSLEngine.getWantClientAuth()

public boolean getNeedClientAuth()
Overrides: getNeedClientAuth in class SslContextFactory
See Also: SSLEngine.getNeedClientAuth()

public void setNeedClientAuth(boolean needClientAuth)
Overrides: setNeedClientAuth in class SslContextFactory
Parameters: needClientAuth - True if SSL needs client authentication.
See Also: SSLEngine.getNeedClientAuth()

@ManagedAttribute(value="Whether the TLS handshake is rejected if there is no SNI host match") public boolean isSniRequired()
Does the default sniSelect(String, Principal[], SSLSession, String, Collection) implementation require an SNI match? Note that if a non-SNI handshake is accepted, requests may still be rejected at the HTTP level for incorrect SNI (see SecureRequestCustomizer).

public void setSniRequired(boolean sniRequired)
Sets whether the default sniSelect(String, Principal[], SSLSession, String, Collection) implementation requires an SNI match. Note that if a non-SNI handshake is accepted, requests may still be rejected at the HTTP level for incorrect SNI (see SecureRequestCustomizer).
This setting may have no effect if sniSelect(String, Principal[], SSLSession, String, Collection) is overridden or a non-null function is passed to setSNISelector(SniX509ExtendedKeyManager.SniSelector).
Parameters: sniRequired - true if no SNI match is handled as no certificate match, false if no SNI match is handled by delegation to the non-SNI matching methods.

public SniX509ExtendedKeyManager.SniSelector getSNISelector()

public void setSNISelector(SniX509ExtendedKeyManager.SniSelector sniSelector)
Sets a custom function to select certificates based on SNI information.
Parameters: sniSelector - the selection function

public String sniSelect(String keyType, Principal[] issuers, SSLSession session, String sniHost, Collection<X509> certificates) throws SSLHandshakeException
Description copied from interface: SniX509ExtendedKeyManager.SniSelector
Selects a certificate based on SNI information.
This method may be invoked multiple times during the TLS handshake, with different parameters. For example, the keyType could be different, and subsequently the collection of certificates (because they need to match the keyType).
Specified by: sniSelect in interface SniX509ExtendedKeyManager.SniSelector
Parameters:
keyType - the key algorithm type name
issuers - the list of acceptable CA issuer subject names or null if it does not matter which issuers are used
session - the TLS handshake session or null if not known.
sniHost - the server name indication sent by the client, or null if the client did not send the server name indication
certificates - the list of certificates matching keyType and issuers known to this SslContextFactory
Returns: certificates list, or SniX509ExtendedKeyManager.SniSelector.DELEGATE if the certificate choice should be delegated to the nested key manager or null for no match.
Throws: SSLHandshakeException - if the TLS handshake should be aborted
Copyright © 2010 - 2020 Adobe. All Rights Reserved
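
Added example (not part of the original Javadoc or of the project's own code): a fail-closed SNI selector installed through setSNISelector. It decides the missing-SNI and no-match cases itself, because setSniRequired may have no effect once a custom selector is set. It assumes the classes live in the org.eclipse.jetty.util.ssl package and that X509 exposes matches(String) and getAlias(); StrictSniExample, strictSelect, newStrictFactory and the keystore arguments are hypothetical names.

```java
import java.security.Principal;
import java.util.Collection;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSession;

// Assumed package for the classes documented on this page.
import org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.util.ssl.X509;

public class StrictSniExample {

    // Fail-closed selector. Once a selector is installed, setSniRequired may
    // have no effect, so the no-SNI and no-match cases are decided here.
    static String strictSelect(String keyType, Principal[] issuers, SSLSession session,
                               String sniHost, Collection<X509> certificates)
            throws SSLHandshakeException {
        if (sniHost == null) {
            // Client sent no server name indication: abort the handshake.
            throw new SSLHandshakeException("SNI required");
        }
        // certificates is already filtered by keyType and issuers; this method
        // may be called several times per handshake with different key types.
        for (X509 x509 : certificates) {
            if (x509.matches(sniHost)) {
                return x509.getAlias();
            }
        }
        // No certificate covers the requested host: report "no match".
        // Returning SniSelector.DELEGATE instead would hand the choice to the
        // nested key manager, which may present a certificate for another host.
        return null;
    }

    // keyStorePath and password are supplied by the caller (hypothetical parameters).
    static SslContextFactory.Server newStrictFactory(String keyStorePath, String password) {
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath(keyStorePath);
        ssl.setKeyStorePassword(password);
        ssl.setSniRequired(true); // governs the default sniSelect implementation
        SniX509ExtendedKeyManager.SniSelector selector = StrictSniExample::strictSelect;
        ssl.setSNISelector(selector); // from here on, strictSelect makes the decision
        return ssl;
    }
}
```

Even with a strict handshake-level selector, the HTTP-level SNI check mentioned above (SecureRequestCustomizer) remains a separate control and is configured on its own.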