Package org.eclipse.jetty.util.ssl
Class SslContextFactory.Server

java.lang.Object
  org.eclipse.jetty.util.component.AbstractLifeCycle
    org.eclipse.jetty.util.ssl.SslContextFactory
      org.eclipse.jetty.util.ssl.SslContextFactory.Server

- All Implemented Interfaces:
  Dumpable, LifeCycle, SniX509ExtendedKeyManager.SniSelector
- Enclosing class:
  SslContextFactory

@ManagedObject
public static class SslContextFactory.Server extends SslContextFactory implements SniX509ExtendedKeyManager.SniSelector
Nested Class Summary

Nested classes/interfaces inherited from class org.eclipse.jetty.util.ssl.SslContextFactory
  SslContextFactory.Client, SslContextFactory.Server, SslContextFactory.X509ExtendedKeyManagerWrapper, SslContextFactory.X509ExtendedTrustManagerWrapper

Nested classes/interfaces inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle
  AbstractLifeCycle.AbstractLifeCycleListener

Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.LifeCycle
  LifeCycle.Listener
Field Summary

Fields inherited from class org.eclipse.jetty.util.ssl.SslContextFactory
  DEFAULT_KEYMANAGERFACTORY_ALGORITHM, DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM, KEYPASSWORD_PROPERTY, PASSWORD_PROPERTY, TRUST_ALL_CERTS

Fields inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle
  FAILED, RUNNING, STARTED, STARTING, STOPPED, STOPPING

Fields inherited from interface org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager.SniSelector
  DELEGATE
Constructor Summary

Server()
Method Summary

boolean getNeedClientAuth()
SniX509ExtendedKeyManager.SniSelector getSNISelector()
boolean getWantClientAuth()
boolean isSniRequired()
  Does the default sniSelect(String, Principal[], SSLSession, String, Collection) implementation require an SNI match? Note that if a non-SNI handshake is accepted, requests may still be rejected at the HTTP level for incorrect SNI (see SecureRequestCustomizer).
void setNeedClientAuth(boolean needClientAuth)
void setSniRequired(boolean sniRequired)
  Sets whether the default sniSelect(String, Principal[], SSLSession, String, Collection) implementation requires an SNI match. Note that if a non-SNI handshake is accepted, requests may still be rejected at the HTTP level for incorrect SNI (see SecureRequestCustomizer).
void setSNISelector(SniX509ExtendedKeyManager.SniSelector sniSelector)
  Sets a custom function to select certificates based on SNI information.
void setWantClientAuth(boolean wantClientAuth)
java.lang.String sniSelect(java.lang.String keyType, java.security.Principal[] issuers, javax.net.ssl.SSLSession session, java.lang.String sniHost, java.util.Collection<X509> certificates)
  Selects a certificate based on SNI information.
Methods inherited from class org.eclipse.jetty.util.ssl.SslContextFactory
  addExcludeCipherSuites, addExcludeProtocols, customize, customize, deduceKeyLength, dump, dump, getAliases, getCertAlias, getCertChain, getCipherComparator, getCrlPath, getEndpointIdentificationAlgorithm, getExcludeCipherSuites, getExcludeProtocols, getHostnameVerifier, getIncludeCipherSuites, getIncludeProtocols, getKeyManagerFactoryAlgorithm, getKeyStore, getKeyStorePath, getKeyStoreProvider, getKeyStoreResource, getKeyStoreType, getMaxCertPathLength, getOcspResponderURL, getPkixCertPathChecker, getProtocol, getProvider, getRenegotiationLimit, getSecureRandomAlgorithm, getSelectedCipherSuites, getSelectedProtocols, getSslContext, getSslSessionCacheSize, getSslSessionTimeout, getTrustManagerFactoryAlgorithm, getTrustStore, getTrustStorePath, getTrustStoreProvider, getTrustStoreResource, getTrustStoreType, getX509, getX509CertChain, isEnableCRLDP, isEnableOCSP, isRenegotiationAllowed, isSessionCachingEnabled, isTrustAll, isUseCipherSuitesOrder, isValidateCerts, isValidatePeerCerts, newPassword, newSSLEngine, newSSLEngine, newSSLEngine, newSslServerSocket, newSslSocket, reload, selectProtocols, setCertAlias, setCipherComparator, setCrlPath, setEnableCRLDP, setEnableOCSP, setEndpointIdentificationAlgorithm, setExcludeCipherSuites, setExcludeProtocols, setHostnameVerifier, setIncludeCipherSuites, setIncludeProtocols, setKeyManagerFactoryAlgorithm, setKeyManagerPassword, setKeyStore, setKeyStorePassword, setKeyStorePath, setKeyStoreProvider, setKeyStoreResource, setKeyStoreType, setMaxCertPathLength, setOcspResponderURL, setPkixCertPathChecker, setProtocol, setProvider, setRenegotiationAllowed, setRenegotiationLimit, setSecureRandomAlgorithm, setSessionCachingEnabled, setSslContext, setSslSessionCacheSize, setSslSessionTimeout, setTrustAll, setTrustManagerFactoryAlgorithm, setTrustStore, setTrustStorePassword, setTrustStorePath, setTrustStoreProvider, setTrustStoreResource, setTrustStoreType, setUseCipherSuitesOrder, setValidateCerts, setValidatePeerCerts, toString

Methods inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle
  addLifeCycleListener, getState, getState, getStopTimeout, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, setStopTimeout, start, stop
Method Detail

getWantClientAuth
public boolean getWantClientAuth()
- Overrides:
  getWantClientAuth in class SslContextFactory
- Returns:
  True if SSL wants client authentication: the server requests a client certificate during the handshake but continues the handshake if the client does not present one.
- See Also:
  SSLEngine.getWantClientAuth()

setWantClientAuth
public void setWantClientAuth(boolean wantClientAuth)
- Overrides:
  setWantClientAuth in class SslContextFactory
- Parameters:
  wantClientAuth - True if SSL wants client authentication (a client certificate is requested, not required).
- See Also:
  SSLEngine.getWantClientAuth()

getNeedClientAuth
public boolean getNeedClientAuth()
- Overrides:
  getNeedClientAuth in class SslContextFactory
- Returns:
  True if SSL needs client authentication: the handshake fails unless the client presents a certificate that the configured trust manager accepts.
- See Also:
  SSLEngine.getNeedClientAuth()

setNeedClientAuth
public void setNeedClientAuth(boolean needClientAuth)
- Overrides:
  setNeedClientAuth in class SslContextFactory
- Parameters:
  needClientAuth - True if SSL needs client authentication (a client certificate is required, not merely requested).
- See Also:
  SSLEngine.getNeedClientAuth()
isSniRequired
@ManagedAttribute("Whether the TLS handshake is rejected if there is no SNI host match")
public boolean isSniRequired()
Does the default sniSelect(String, Principal[], SSLSession, String, Collection) implementation require an SNI match? Note that if a non-SNI handshake is accepted, requests may still be rejected at the HTTP level for incorrect SNI (see SecureRequestCustomizer).
- Returns:
  true if no SNI match is handled as no certificate match (so the handshake is rejected), false if no SNI match is handled by delegation to the non-SNI matching methods of the nested key manager.

setSniRequired
public void setSniRequired(boolean sniRequired)
Sets whether the default sniSelect(String, Principal[], SSLSession, String, Collection) implementation requires an SNI match. Note that if a non-SNI handshake is accepted, requests may still be rejected at the HTTP level for incorrect SNI (see SecureRequestCustomizer). This setting may have no effect if sniSelect(String, Principal[], SSLSession, String, Collection) is overridden or a non-null function is passed to setSNISelector(SniX509ExtendedKeyManager.SniSelector).
- Parameters:
  sniRequired - true if no SNI match is handled as no certificate match, false if no SNI match is handled by delegation to the non-SNI matching methods.
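The following is an added example, not code from Jetty's documentation or source, showing how the settings above combine: an SslContextFactory.Server that requires an SNI match at the TLS layer, requests (but does not require) a client certificate, and an HTTPS connector whose SecureRequestCustomizer performs the HTTP-level Host/SNI check the description refers to. The keystore path and password are placeholders, and the keystore is assumed to contain server certificates whose subject alternative names cover the virtual hosts being served.

```java
// Added example (not Jetty's own code). Assumptions: keyStorePath/keyStorePassword
// are placeholders supplied by the caller; the keystore holds one or more server
// certificates whose SAN/CN names match the hosts clients will send in SNI.
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class SniRequiredHttpsServer
{
    /** TLS settings: SNI match required, client certificate requested but optional. */
    public static SslContextFactory.Server newSslContextFactory(String keyStorePath, String keyStorePassword)
    {
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath(keyStorePath);
        ssl.setKeyStorePassword(keyStorePassword);

        // A ClientHello with no SNI name, or with a name matching no certificate in
        // the keystore, now yields "no certificate" and the handshake is rejected,
        // instead of falling back to the nested key manager's non-SNI selection.
        // Only effective while the default sniSelect() is in use (no custom selector).
        ssl.setSniRequired(true);

        // wantClientAuth: ask for a client certificate but proceed without one.
        // Use setNeedClientAuth(true) instead to make the certificate mandatory (mTLS).
        ssl.setWantClientAuth(true);
        ssl.setNeedClientAuth(false);

        // Exclude legacy protocol versions in addition to Jetty's default exclusions.
        ssl.addExcludeProtocols("TLSv1", "TLSv1.1");
        return ssl;
    }

    /** HTTPS connector; SecureRequestCustomizer rejects requests whose Host header does not match the SNI name. */
    public static Server newServer(int port, SslContextFactory.Server ssl)
    {
        Server server = new Server();

        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.setSecurePort(port);

        // HTTP-level check: a request whose Host header names a different host than
        // the certificate selected by SNI is rejected with 400, even if the TLS
        // handshake itself succeeded.
        SecureRequestCustomizer customizer = new SecureRequestCustomizer();
        customizer.setSniHostCheck(true);
        httpsConfig.addCustomizer(customizer);

        ServerConnector https = new ServerConnector(server,
            new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
            new HttpConnectionFactory(httpsConfig));
        https.setPort(port);
        server.addConnector(https);
        return server;
    }

    public static void main(String[] args) throws Exception
    {
        // Placeholder keystore location and password: replace with real values.
        SslContextFactory.Server ssl = newSslContextFactory("etc/keystore.p12", "changeit");
        Server server = newServer(8443, ssl);
        server.start();
        server.join();
    }
}
```

A quick check of the TLS-layer effect is to connect once with a matching name (`openssl s_client -connect host:8443 -servername www.example.com`) and once with `-noservername`: with setSniRequired(true) the second handshake fails with no certificate returned, whereas with the default of false the server falls back to the nested key manager's choice and relies on SecureRequestCustomizer to reject a mismatched Host header.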
getSNISelector
public SniX509ExtendedKeyManager.SniSelector getSNISelector()
- Returns:
  the custom function to select certificates based on SNI information (null unless one has been set)

setSNISelector
public void setSNISelector(SniX509ExtendedKeyManager.SniSelector sniSelector)
Sets a custom function to select certificates based on SNI information. When a non-null selector is set it replaces the default sniSelect(String, Principal[], SSLSession, String, Collection) behaviour, and the sniRequired setting may have no effect.
- Parameters:
  sniSelector - the selection function
sniSelect
public java.lang.String sniSelect(java.lang.String keyType, java.security.Principal[] issuers, javax.net.ssl.SSLSession session, java.lang.String sniHost, java.util.Collection<X509> certificates) throws javax.net.ssl.SSLHandshakeException
Description copied from interface: SniX509ExtendedKeyManager.SniSelector
Selects a certificate based on SNI information.
This method may be invoked multiple times during the TLS handshake, with different parameters. For example, the keyType could be different, and consequently so could the collection of certificates (because they need to match the keyType).
- Specified by:
  sniSelect in interface SniX509ExtendedKeyManager.SniSelector
- Parameters:
  keyType - the key algorithm type name
  issuers - the list of acceptable CA issuer subject names, or null if it does not matter which issuers are used
  session - the TLS handshake session, or null if not known
  sniHost - the server name indication sent by the client, or null if the client did not send the server name indication
  certificates - the list of certificates matching keyType and issuers known to this SslContextFactory
- Returns:
  the alias of the certificate to return to the client, from the certificates list; or SniX509ExtendedKeyManager.SniSelector.DELEGATE if the certificate choice should be delegated to the nested key manager; or null for no match
- Throws:
  javax.net.ssl.SSLHandshakeException - if the TLS handshake should be aborted
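The following is an added example, not Jetty's own code, of a custom SniX509ExtendedKeyManager.SniSelector implementing the contract above. It refuses any handshake that carries no SNI name, prefers an exact host match over a wildcard match among the candidates, and returns null (rather than throwing) when nothing matches for the current keyType, because the method may be called again with another key type. The only Jetty API it relies on beyond the interface itself is the X509 helper passed in the certificates collection (getAlias(), getWilds(), matches(String)); the selector keeps no other state, and the configure() method is illustrative wiring.

```java
// Added example (not Jetty's own code). Assumptions: the X509 entries Jetty passes
// in expose getAlias(), getWilds() and matches(host); no other state is needed.
import java.security.Principal;
import java.util.Collection;
import java.util.Comparator;
import java.util.Optional;

import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSession;

import org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.util.ssl.X509;

public class StrictSniSelector implements SniX509ExtendedKeyManager.SniSelector
{
    @Override
    public String sniSelect(String keyType, Principal[] issuers, SSLSession session,
                            String sniHost, Collection<X509> certificates) throws SSLHandshakeException
    {
        // Policy 1: a missing SNI name is a property of the ClientHello and does not
        // depend on keyType, so aborting the whole handshake here cannot skip a
        // later keyType pass that would have succeeded. Returning DELEGATE instead
        // would fall back to the nested key manager's non-SNI choice.
        if (sniHost == null)
            throw new SSLHandshakeException("SNI host name required");

        // Policy 2: among the certificates valid for this keyType and these issuers,
        // pick the one matching sniHost with the fewest wildcard labels, so an exact
        // "www.example.com" entry beats "*.example.com".
        Optional<X509> best = certificates.stream()
            .filter(x509 -> x509.matches(sniHost))
            .min(Comparator.comparingInt(x509 -> x509.getWilds().size()));

        if (best.isPresent())
            return best.get().getAlias();

        // Policy 3: no certificate for this host among THIS keyType's candidates.
        // Do not throw: the TLS stack may call again with another keyType (for
        // example EC after RSA). null means "no certificate for this key type"; if
        // every pass returns null the handshake fails on its own.
        return null;
    }

    /** Illustrative wiring: once a selector is set, setSniRequired() no longer applies. */
    public static SslContextFactory.Server configure(SslContextFactory.Server ssl)
    {
        ssl.setSNISelector(new StrictSniSelector());
        return ssl;
    }
}
```

The split between throwing and returning null is the point to get right: SSLHandshakeException aborts the connection immediately, so it is only safe for conditions that are independent of the keyType argument, while a per-keyType miss must be reported as null so the JSSE can offer the next key type.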