@ManagedObject public class SslContextFactory extends AbstractLifeCycle implements Dumpable
SslContextFactory is used to configure SSL parameters to be used by server and client connectors.
Use SslContextFactory.Server
to configure server-side connectors,
and SslContextFactory.Client
to configure HTTP or WebSocket clients.
Modifier and Type | Class and Description |
---|---|
static class |
SslContextFactory.Client |
static class |
SslContextFactory.Server |
static class |
SslContextFactory.X509ExtendedKeyManagerWrapper
A wrapper that delegates to another (if not
null ) X509ExtendedKeyManager. |
static class |
SslContextFactory.X509ExtendedTrustManagerWrapper
A wrapper that delegates to another (if not
null ) X509ExtendedTrustManager. |
AbstractLifeCycle.AbstractLifeCycleListener
LifeCycle.Listener
Modifier and Type | Field and Description |
---|---|
static String |
DEFAULT_KEYMANAGERFACTORY_ALGORITHM |
static String |
DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM |
static String |
KEYPASSWORD_PROPERTY
String name of key password property.
|
static String |
PASSWORD_PROPERTY
String name of keystore password property.
|
static TrustManager[] |
TRUST_ALL_CERTS |
Constructor and Description |
---|
SslContextFactory()
Deprecated.
use
Client#Client() or Server#Server() instead |
SslContextFactory(boolean trustAll)
Deprecated.
use
Client#Client(boolean) instead |
SslContextFactory(String keyStorePath)
Deprecated.
use
setKeyStorePath(String) instead |
Modifier and Type | Method and Description |
---|---|
void |
addExcludeCipherSuites(String... cipher) |
void |
addExcludeProtocols(String... protocol) |
void |
customize(SSLEngine sslEngine)
Customize an SslEngine instance with the configuration of this factory,
by calling
customize(SSLParameters) |
SSLParameters |
customize(SSLParameters sslParams)
Customize an SslParameters instance with the configuration of this factory.
|
static int |
deduceKeyLength(String cipherSuite)
Given the name of a TLS/SSL cipher suite, return an int representing it effective stream
cipher key strength.
|
String |
dump() |
void |
dump(Appendable out,
String indent)
Dump this object (and children) into an Appendable using the provided indent after any new lines.
|
Set<String> |
getAliases() |
String |
getCertAlias() |
static X509Certificate[] |
getCertChain(SSLSession sslSession)
Obtain the X509 Certificate Chain from the provided SSLSession using the
default
CertificateFactory behaviors |
Comparator<String> |
getCipherComparator() |
String |
getCrlPath() |
String |
getEndpointIdentificationAlgorithm() |
String[] |
getExcludeCipherSuites() |
String[] |
getExcludeProtocols() |
HostnameVerifier |
getHostnameVerifier() |
String[] |
getIncludeCipherSuites() |
String[] |
getIncludeProtocols() |
String |
getKeyManagerFactoryAlgorithm() |
KeyStore |
getKeyStore() |
String |
getKeyStorePath() |
String |
getKeyStoreProvider() |
Resource |
getKeyStoreResource() |
String |
getKeyStoreType() |
int |
getMaxCertPathLength() |
boolean |
getNeedClientAuth()
Deprecated.
use
SslContextFactory.Server.getNeedClientAuth() instead |
String |
getOcspResponderURL() |
PKIXCertPathChecker |
getPkixCertPathChecker() |
String |
getProtocol() |
String |
getProvider()
Get the optional Security Provider name.
|
int |
getRenegotiationLimit() |
String |
getSecureRandomAlgorithm() |
String[] |
getSelectedCipherSuites() |
String[] |
getSelectedProtocols() |
SSLContext |
getSslContext() |
int |
getSslSessionCacheSize()
Get SSL session cache size.
|
int |
getSslSessionTimeout()
Get SSL session timeout.
|
String |
getTrustManagerFactoryAlgorithm() |
KeyStore |
getTrustStore() |
String |
getTrustStorePath() |
String |
getTrustStoreProvider() |
Resource |
getTrustStoreResource() |
String |
getTrustStoreType() |
boolean |
getWantClientAuth()
Deprecated.
use
SslContextFactory.Server.getWantClientAuth() instead |
X509 |
getX509(String alias) |
X509Certificate[] |
getX509CertChain(SSLSession sslSession)
Obtain the X509 Certificate Chain from the provided SSLSession using this
SslContextFactory's optional Provider specific
CertificateFactory . |
boolean |
isEnableCRLDP() |
boolean |
isEnableOCSP() |
boolean |
isRenegotiationAllowed() |
boolean |
isSessionCachingEnabled() |
boolean |
isTrustAll() |
boolean |
isUseCipherSuitesOrder() |
boolean |
isValidateCerts() |
boolean |
isValidatePeerCerts() |
Password |
newPassword(String password)
Creates a new Password object.
|
SSLEngine |
newSSLEngine()
Factory method for "scratch"
SSLEngine s, usually only used for retrieving configuration
information such as the application buffer size or the list of protocols/ciphers. |
SSLEngine |
newSSLEngine(InetSocketAddress address)
Server-side only factory method for creating
SSLEngine s. |
SSLEngine |
newSSLEngine(String host,
int port)
General purpose factory method for creating
SSLEngine s, although creation of
SSLEngine s on the server-side should prefer newSSLEngine(InetSocketAddress) . |
SSLServerSocket |
newSslServerSocket(String host,
int port,
int backlog) |
SSLSocket |
newSslSocket() |
void |
reload(Consumer<SslContextFactory> consumer) |
void |
selectProtocols(String[] enabledProtocols,
String[] supportedProtocols)
Select protocols to be used by the connector
based on configured inclusion and exclusion lists
as well as enabled and supported protocols.
|
void |
setCertAlias(String certAlias)
Set the default certificate Alias.
|
void |
setCipherComparator(Comparator<String> cipherComparator) |
void |
setCrlPath(String crlPath) |
void |
setEnableCRLDP(boolean enableCRLDP)
Enables CRL Distribution Points Support
|
void |
setEnableOCSP(boolean enableOCSP)
Enables On-Line Certificate Status Protocol support
|
void |
setEndpointIdentificationAlgorithm(String endpointIdentificationAlgorithm)
When set to "HTTPS" hostname verification will be enabled.
|
void |
setExcludeCipherSuites(String... cipherSuites)
You can either use the exact cipher suite name or a a regular expression.
|
void |
setExcludeProtocols(String... protocols) |
void |
setHostnameVerifier(HostnameVerifier hostnameVerifier)
Sets a
HostnameVerifier used by a client to verify host names in the server certificate. |
void |
setIncludeCipherSuites(String... cipherSuites)
You can either use the exact cipher suite name or a a regular expression.
|
void |
setIncludeProtocols(String... protocols) |
void |
setKeyManagerFactoryAlgorithm(String algorithm) |
void |
setKeyManagerPassword(String password) |
void |
setKeyStore(KeyStore keyStore)
Set the key store.
|
void |
setKeyStorePassword(String password) |
void |
setKeyStorePath(String keyStorePath) |
void |
setKeyStoreProvider(String keyStoreProvider) |
void |
setKeyStoreResource(Resource resource)
Set the key store resource.
|
void |
setKeyStoreType(String keyStoreType) |
void |
setMaxCertPathLength(int maxCertPathLength) |
void |
setNeedClientAuth(boolean needClientAuth)
Deprecated.
|
void |
setOcspResponderURL(String ocspResponderURL)
Set the location of the OCSP Responder.
|
void |
setPkixCertPathChecker(PKIXCertPathChecker pkixCertPatchChecker) |
void |
setProtocol(String protocol) |
void |
setProvider(String provider)
Set the optional Security Provider name.
|
void |
setRenegotiationAllowed(boolean renegotiationAllowed) |
void |
setRenegotiationLimit(int renegotiationLimit) |
void |
setSecureRandomAlgorithm(String algorithm) |
void |
setSessionCachingEnabled(boolean enableSessionCaching)
Set the flag to enable SSL Session caching.
|
void |
setSslContext(SSLContext sslContext) |
void |
setSslSessionCacheSize(int sslSessionCacheSize)
Set SSL session cache size.
|
void |
setSslSessionTimeout(int sslSessionTimeout)
Set SSL session timeout.
|
void |
setTrustAll(boolean trustAll) |
void |
setTrustManagerFactoryAlgorithm(String algorithm) |
void |
setTrustStore(KeyStore trustStore)
Set the trust store.
|
void |
setTrustStorePassword(String password) |
void |
setTrustStorePath(String trustStorePath) |
void |
setTrustStoreProvider(String trustStoreProvider) |
void |
setTrustStoreResource(Resource resource)
Set the trust store resource.
|
void |
setTrustStoreType(String trustStoreType) |
void |
setUseCipherSuitesOrder(boolean useCipherSuitesOrder) |
void |
setValidateCerts(boolean validateCerts) |
void |
setValidatePeerCerts(boolean validatePeerCerts) |
void |
setWantClientAuth(boolean wantClientAuth)
Deprecated.
|
String |
toString() |
addLifeCycleListener, getState, getState, getStopTimeout, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, setStopTimeout, start, stop
equals, getClass, hashCode, notify, notifyAll, wait, wait, wait
dump, dumpContainer, dumpIterable, dumpMapEntries, dumpObject, dumpObjects, dumpSelf, named
public static final TrustManager[] TRUST_ALL_CERTS
public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM
public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM
public static final String KEYPASSWORD_PROPERTY
public static final String PASSWORD_PROPERTY
@Deprecated public SslContextFactory()
Client#Client()
or Server#Server()
instead@Deprecated public SslContextFactory(boolean trustAll)
Client#Client(boolean)
insteadtrustAll
- whether to blindly trust all certificatessetTrustAll(boolean)
@Deprecated public SslContextFactory(String keyStorePath)
setKeyStorePath(String)
insteadkeyStorePath
- default keystore locationpublic void dump(Appendable out, String indent) throws IOException
Dumpable
dump
in interface Dumpable
out
- The appendable to dump toindent
- The indent to apply after any new lines.IOException
- if unable to write to Appendable@ManagedAttribute(value="The selected TLS protocol versions", readonly=true) public String[] getSelectedProtocols()
@ManagedAttribute(value="The selected cipher suites", readonly=true) public String[] getSelectedCipherSuites()
public Comparator<String> getCipherComparator()
public void setCipherComparator(Comparator<String> cipherComparator)
@ManagedAttribute(value="The excluded TLS protocols") public String[] getExcludeProtocols()
SSLEngine.setEnabledProtocols(String[])
public void setExcludeProtocols(String... protocols)
protocols
- The array of protocol names to exclude from
SSLEngine.setEnabledProtocols(String[])
public void addExcludeProtocols(String... protocol)
protocol
- Protocol names to add to SSLEngine.setEnabledProtocols(String[])
@ManagedAttribute(value="The included TLS protocols") public String[] getIncludeProtocols()
SSLEngine.setEnabledProtocols(String[])
public void setIncludeProtocols(String... protocols)
protocols
- The array of protocol names to include in
SSLEngine.setEnabledProtocols(String[])
@ManagedAttribute(value="The excluded cipher suites") public String[] getExcludeCipherSuites()
SSLEngine.setEnabledCipherSuites(String[])
public void setExcludeCipherSuites(String... cipherSuites)
cipherSuites
- The array of cipher suite names to exclude from
SSLEngine.setEnabledCipherSuites(String[])
public void addExcludeCipherSuites(String... cipher)
cipher
- Cipher names to add to SSLEngine.setEnabledCipherSuites(String[])
@ManagedAttribute(value="The included cipher suites") public String[] getIncludeCipherSuites()
SSLEngine.setEnabledCipherSuites(String[])
public void setIncludeCipherSuites(String... cipherSuites)
cipherSuites
- The array of cipher suite names to include in
SSLEngine.setEnabledCipherSuites(String[])
@ManagedAttribute(value="Whether to respect the cipher suites order") public boolean isUseCipherSuitesOrder()
public void setUseCipherSuitesOrder(boolean useCipherSuitesOrder)
@ManagedAttribute(value="The keyStore path") public String getKeyStorePath()
public void setKeyStorePath(String keyStorePath)
keyStorePath
- The file or URL of the SSL Key store.@ManagedAttribute(value="The keyStore provider name") public String getKeyStoreProvider()
public void setKeyStoreProvider(String keyStoreProvider)
keyStoreProvider
- The provider of the key store@ManagedAttribute(value="The keyStore type") public String getKeyStoreType()
public void setKeyStoreType(String keyStoreType)
keyStoreType
- The type of the key store (default "JKS")@ManagedAttribute(value="The certificate alias") public String getCertAlias()
public void setCertAlias(String certAlias)
This can be used if there are multiple non-SNI certificates to specify the certificate that should be used, or with SNI certificates to set a certificate to try if no others match
certAlias
- Alias of SSL certificate for the connector@ManagedAttribute(value="The trustStore path") public String getTrustStorePath()
public void setTrustStorePath(String trustStorePath)
trustStorePath
- The file name or URL of the trust store location@ManagedAttribute(value="The trustStore provider name") public String getTrustStoreProvider()
public void setTrustStoreProvider(String trustStoreProvider)
trustStoreProvider
- The provider of the trust store@ManagedAttribute(value="The trustStore type") public String getTrustStoreType()
public void setTrustStoreType(String trustStoreType)
trustStoreType
- The type of the trust store@ManagedAttribute(value="Whether client authentication is needed") @Deprecated public boolean getNeedClientAuth()
SslContextFactory.Server.getNeedClientAuth()
insteadSSLEngine.getNeedClientAuth()
@Deprecated public void setNeedClientAuth(boolean needClientAuth)
SslContextFactory.Server.setNeedClientAuth(boolean)
insteadneedClientAuth
- True if SSL needs client authentication.SSLEngine.getNeedClientAuth()
@ManagedAttribute(value="Whether client authentication is wanted") @Deprecated public boolean getWantClientAuth()
SslContextFactory.Server.getWantClientAuth()
insteadSSLEngine.getWantClientAuth()
@Deprecated public void setWantClientAuth(boolean wantClientAuth)
SslContextFactory.Server.setWantClientAuth(boolean)
insteadwantClientAuth
- True if SSL wants client authentication.SSLEngine.getWantClientAuth()
@ManagedAttribute(value="Whether certificates are validated") public boolean isValidateCerts()
public void setValidateCerts(boolean validateCerts)
validateCerts
- true if SSL certificates have to be validated@ManagedAttribute(value="Whether peer certificates are validated") public boolean isValidatePeerCerts()
public void setValidatePeerCerts(boolean validatePeerCerts)
validatePeerCerts
- true if SSL certificates of the peer have to be validatedpublic void setKeyStorePassword(String password)
password
- The password for the key store. If null is passed and
a keystore is set, then
the getPassword(String)
is used to
obtain a password either from the "org.eclipse.jetty.ssl.password"
system property or by prompting for manual entry.public void setKeyManagerPassword(String password)
password
- The password (if any) for the specific key within the key store.
If null is passed and the "org.eclipse.jetty.ssl.keypassword" system property is set,
then the getPassword(String)
is used to
obtain a password from the "org.eclipse.jetty.ssl.keypassword" system property.public void setTrustStorePassword(String password)
password
- The password for the truststore. If null is passed and a truststore is set
that is different from the keystore, then
the getPassword(String)
is used to
obtain a password either from the "org.eclipse.jetty.ssl.password"
system property or by prompting for manual entry.@ManagedAttribute(value="The provider name") public String getProvider()
Get the optional Security Provider name.
Security Provider name used with:
public void setProvider(String provider)
Set the optional Security Provider name.
Security Provider name used with:
provider
- The optional Security Provider name.@ManagedAttribute(value="The TLS protocol") public String getProtocol()
SSLContext.getInstance(String, String)
public void setProtocol(String protocol)
protocol
- The SSL protocol (default "TLS") passed to
SSLContext.getInstance(String, String)
@ManagedAttribute(value="The SecureRandom algorithm") public String getSecureRandomAlgorithm()
SecureRandom.getInstance(String)
to obtain the SecureRandom
instance passed to
SSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)
public void setSecureRandomAlgorithm(String algorithm)
algorithm
- The algorithm name, which if set is passed to
SecureRandom.getInstance(String)
to obtain the SecureRandom
instance passed to
SSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)
@ManagedAttribute(value="The KeyManagerFactory algorithm") public String getKeyManagerFactoryAlgorithm()
KeyManagerFactory
public void setKeyManagerFactoryAlgorithm(String algorithm)
algorithm
- The algorithm name (default "SunX509") used by the KeyManagerFactory
@ManagedAttribute(value="The TrustManagerFactory algorithm") public String getTrustManagerFactoryAlgorithm()
TrustManagerFactory
@ManagedAttribute(value="Whether certificates should be trusted even if they are invalid") public boolean isTrustAll()
public void setTrustAll(boolean trustAll)
trustAll
- True if all certificates should be trusted if there is no KeyStore or TrustStorepublic void setTrustManagerFactoryAlgorithm(String algorithm)
algorithm
- The algorithm name (default "SunX509") used by the TrustManagerFactory
Use the string "TrustAll" to install a trust manager that trusts all.@ManagedAttribute(value="Whether renegotiation is allowed") public boolean isRenegotiationAllowed()
public void setRenegotiationAllowed(boolean renegotiationAllowed)
renegotiationAllowed
- whether TLS renegotiation is allowed@ManagedAttribute(value="The max number of renegotiations allowed") public int getRenegotiationLimit()
public void setRenegotiationLimit(int renegotiationLimit)
renegotiationLimit
- The number of renegotions allowed for this connection.
When the limit is 0 renegotiation will be denied. If the limit is less than 0 then no limit is applied.
Default 5.@ManagedAttribute(value="The path to the certificate revocation list file") public String getCrlPath()
public void setCrlPath(String crlPath)
crlPath
- Path to file that contains Certificate Revocation List@ManagedAttribute(value="The maximum number of intermediate certificates") public int getMaxCertPathLength()
public void setMaxCertPathLength(int maxCertPathLength)
maxCertPathLength
- maximum number of intermediate certificates in
the certification path (-1 for unlimited)public SSLContext getSslContext()
public void setSslContext(SSLContext sslContext)
sslContext
- Set a preconfigured SSLContext@ManagedAttribute(value="The endpoint identification algorithm") public String getEndpointIdentificationAlgorithm()
public void setEndpointIdentificationAlgorithm(String endpointIdentificationAlgorithm)
endpointIdentificationAlgorithm
- Set the endpointIdentificationAlgorithmsetHostnameVerifier(HostnameVerifier)
public PKIXCertPathChecker getPkixCertPathChecker()
public void setPkixCertPathChecker(PKIXCertPathChecker pkixCertPatchChecker)
public void selectProtocols(String[] enabledProtocols, String[] supportedProtocols)
enabledProtocols
- Array of enabled protocolssupportedProtocols
- Array of supported protocols@ManagedAttribute(value="Whether certificate revocation list distribution points is enabled") public boolean isEnableCRLDP()
public void setEnableCRLDP(boolean enableCRLDP)
enableCRLDP
- true - turn on, false - turns off@ManagedAttribute(value="Whether online certificate status protocol support is enabled") public boolean isEnableOCSP()
public void setEnableOCSP(boolean enableOCSP)
enableOCSP
- true - turn on, false - turn off@ManagedAttribute(value="The online certificate status protocol URL") public String getOcspResponderURL()
public void setOcspResponderURL(String ocspResponderURL)
ocspResponderURL
- location of the OCSP Responderpublic void setKeyStore(KeyStore keyStore)
keyStore
- the key store to setpublic KeyStore getKeyStore()
public void setTrustStore(KeyStore trustStore)
trustStore
- the trust store to setpublic KeyStore getTrustStore()
public void setKeyStoreResource(Resource resource)
resource
- the key store resource to setpublic Resource getKeyStoreResource()
public void setTrustStoreResource(Resource resource)
resource
- the trust store resource to setpublic Resource getTrustStoreResource()
@ManagedAttribute(value="Whether TLS session caching is enabled") public boolean isSessionCachingEnabled()
public void setSessionCachingEnabled(boolean enableSessionCaching)
SSLContext.createSSLEngine(String, int)
method is
used to pass host and port information as a hint for session reuse. Note that
this is only a hint and session may not be reused. Moreover, the hint is typically
only used on client side implementations and setting this to false does not
stop a server from accepting an offered session ID to reuse.enableSessionCaching
- the value of the flag@ManagedAttribute(value="The maximum TLS session cache size") public int getSslSessionCacheSize()
SSLSessionContext.setSessionCacheSize(int)
public void setSslSessionCacheSize(int sslSessionCacheSize)
Set the max cache size to be set on SSLSessionContext.setSessionCacheSize(int)
when this factory is started.
sslSessionCacheSize
- SSL session cache size to set. A value of -1 (default) uses
the JVM default, 0 means unlimited and positive number is a max size.@ManagedAttribute(value="The TLS session cache timeout, in seconds") public int getSslSessionTimeout()
public void setSslSessionTimeout(int sslSessionTimeout)
Set the timeout in seconds to be set on SSLSessionContext.setSessionTimeout(int)
when this factory is started.
sslSessionTimeout
- SSL session timeout to set in seconds. A value of -1 (default) uses
the JVM default, 0 means unlimited and positive number is a timeout in seconds.public HostnameVerifier getHostnameVerifier()
public void setHostnameVerifier(HostnameVerifier hostnameVerifier)
Sets a HostnameVerifier
used by a client to verify host names in the server certificate.
The HostnameVerifier
works in conjunction with setEndpointIdentificationAlgorithm(String)
.
When endpointIdentificationAlgorithm=="HTTPS"
(the default) the JDK TLS implementation
checks that the host name indication set by the client matches the host names in the server certificate.
If this check passes successfully, the HostnameVerifier
is invoked and the application
can perform additional checks and allow/deny the connection to the server.
When endpointIdentificationAlgorithm==null
the JDK TLS implementation will not check
the host names, and any check is therefore performed only by the HostnameVerifier.
hostnameVerifier
- the HostnameVerifier used by a client to verify host names in the server certificatepublic Password newPassword(String password)
password
- the password stringpublic SSLServerSocket newSslServerSocket(String host, int port, int backlog) throws IOException
IOException
public SSLSocket newSslSocket() throws IOException
IOException
public SSLEngine newSSLEngine()
SSLEngine
s, usually only used for retrieving configuration
information such as the application buffer size or the list of protocols/ciphers.
This method should not be used for creating SSLEngine
s that are used in actual socket
communication.
SSLEngine
public SSLEngine newSSLEngine(String host, int port)
SSLEngine
s, although creation of
SSLEngine
s on the server-side should prefer newSSLEngine(InetSocketAddress)
.host
- the remote hostport
- the remote portSSLEngine
public SSLEngine newSSLEngine(InetSocketAddress address)
SSLEngine
s.
If the given address
is null, it is equivalent to newSSLEngine()
, otherwise
newSSLEngine(String, int)
is called.
Clients that wish to create SSLEngine
instances must use newSSLEngine(String, int)
.
address
- the remote peer addressSSLEngine
public void customize(SSLEngine sslEngine)
customize(SSLParameters)
sslEngine
- the SSLEngine to customizepublic SSLParameters customize(SSLParameters sslParams)
sslParams
- The parameters to customizepublic void reload(Consumer<SslContextFactory> consumer) throws Exception
Exception
public X509Certificate[] getX509CertChain(SSLSession sslSession)
CertificateFactory
.sslSession
- the session to use for active peer certificatespublic static X509Certificate[] getCertChain(SSLSession sslSession)
CertificateFactory
behaviorssslSession
- the session to use for active peer certificatespublic static int deduceKeyLength(String cipherSuite)
This is based on the information on effective key lengths in RFC 2246 - The TLS Protocol Version 1.0, Appendix C. CipherSuite definitions:
Effective Cipher Type Key Bits NULL * Stream 0 IDEA_CBC Block 128 RC2_CBC_40 * Block 40 RC4_40 * Stream 40 RC4_128 Stream 128 DES40_CBC * Block 40 DES_CBC Block 56 3DES_EDE_CBC Block 168
cipherSuite
- String name of the TLS cipher suite.public String toString()
toString
in class AbstractLifeCycle
Copyright © 2010 - 2020 Adobe. All Rights Reserved