Class SslContextFactory

  • All Implemented Interfaces:
    Dumpable, LifeCycle

    public class SslContextFactory
    extends AbstractLifeCycle
    implements Dumpable
    SslContextFactory is used to configure SSL connectors as well as HttpClient. It holds all SSL parameters and creates an SSLContext based on those parameters for use by the SSL connectors.
    • Field Detail

      • TRUST_ALL_CERTS

        public static final TrustManager[] TRUST_ALL_CERTS
      • DEFAULT_KEYMANAGERFACTORY_ALGORITHM

        public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM
      • DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM

        public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM
      • KEYPASSWORD_PROPERTY

        public static final String KEYPASSWORD_PROPERTY
        String name of key password property.
        See Also:
        Constant Field Values
      • PASSWORD_PROPERTY

        public static final String PASSWORD_PROPERTY
        String name of keystore password property.
        See Also:
        Constant Field Values
    • Constructor Detail

      • SslContextFactory

        public SslContextFactory()
        Construct an instance of SslContextFactory. Default constructor for use in XmlConfiguration files.
      • SslContextFactory

        public SslContextFactory​(boolean trustAll)
        Construct an instance of SslContextFactory. Default constructor for use in XmlConfiguration files.
        Parameters:
        trustAll - whether to blindly trust all certificates
        See Also:
        setTrustAll(boolean)
      • SslContextFactory

        public SslContextFactory​(String keyStorePath)
        Construct an instance of SslContextFactory
        Parameters:
        keyStorePath - default keystore location
    • Method Detail

      • getSelectedProtocols

        public String[] getSelectedProtocols()
      • getSelectedCipherSuites

        public String[] getSelectedCipherSuites()
      • setCipherComparator

        public void setCipherComparator​(Comparator<String> cipherComparator)
      • getAliases

        public Set<String> getAliases()
      • setExcludeCipherSuites

        public void setExcludeCipherSuites​(String... cipherSuites)
        You can either use the exact cipher suite name or a regular expression.
        Parameters:
        cipherSuites - The array of cipher suite names to exclude from SSLEngine.setEnabledCipherSuites(String[])
      • setIncludeCipherSuites

        public void setIncludeCipherSuites​(String... cipherSuites)
        You can either use the exact cipher suite name or a regular expression.
        Parameters:
        cipherSuites - The array of cipher suite names to include in SSLEngine.setEnabledCipherSuites(String[])
      • isUseCipherSuitesOrder

        public boolean isUseCipherSuitesOrder()
      • setUseCipherSuitesOrder

        public void setUseCipherSuitesOrder​(boolean useCipherSuitesOrder)
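        The following is an added example (not Jetty's own code) of expressing a server-side cipher suite policy through the include/exclude patterns described above, then starting the factory to see what Jetty actually selected. It assumes Jetty 9.4 with the base SslContextFactory shown on this page; setKeyStorePassword and setIncludeProtocols are Jetty API not listed on this page, and the keystore path and password are placeholders.

```java
import java.util.Arrays;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class CipherSuiteSelection {

    // Builds a server-side factory whose cipher suite policy is expressed as
    // include/exclude patterns. Keystore path and password are placeholders.
    public static SslContextFactory hardenedServerFactory() {
        SslContextFactory factory = new SslContextFactory();
        factory.setKeyStorePath("/path/to/keystore.p12");   // placeholder
        factory.setKeyStoreType("PKCS12");
        factory.setKeyStorePassword("changeit");            // placeholder: load from a secret store

        // setIncludeProtocols is Jetty API not shown on this page.
        factory.setIncludeProtocols("TLSv1.2", "TLSv1.3");

        // Include patterns are matched as whole names against the JVM's *supported*
        // suites, in the order given here; only forward-secret AEAD suites get in.
        factory.setIncludeCipherSuites(
            "^TLS_AES_(128|256)_GCM_SHA(256|384)$",                        // TLS 1.3
            "^TLS_ECDHE_(ECDSA|RSA)_WITH_AES_(128|256)_GCM_SHA(256|384)$",
            "^TLS_ECDHE_(ECDSA|RSA)_WITH_CHACHA20_POLY1305_SHA256$");

        // Exclude patterns are applied after inclusion and always win, so a typo
        // in an include pattern cannot re-admit these classes of suite.
        factory.setExcludeCipherSuites(
            "^.*_(NULL|anon|EXPORT|RC4|3DES|DES40)_.*$",
            "^.*_(MD5|SHA)$",    // legacy MD5 / HMAC-SHA1 suites
            "^TLS_RSA_.*$",      // static RSA key exchange, no forward secrecy
            "^SSL_.*$");

        // Honour the server's order (the include list above) over the client's.
        factory.setUseCipherSuitesOrder(true);
        return factory;
    }

    public static void main(String[] args) throws Exception {
        SslContextFactory factory = hardenedServerFactory();
        factory.start();   // loads the keystore, builds the SSLContext, runs selection
        try {
            System.out.println("Protocols:     " + Arrays.toString(factory.getSelectedProtocols()));
            System.out.println("Cipher suites: " + Arrays.toString(factory.getSelectedCipherSuites()));
        } finally {
            factory.stop();
        }
    }
}
```

If the selected list comes back empty, Jetty logs a warning at start; check the include patterns against the JVM's supported suite names before deploying.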
      • getKeyStorePath

        public String getKeyStorePath()
        Returns:
        The file or URL of the SSL Key store.
      • setKeyStorePath

        public void setKeyStorePath​(String keyStorePath)
        Parameters:
        keyStorePath - The file or URL of the SSL Key store.
      • getKeyStoreProvider

        public String getKeyStoreProvider()
        Returns:
        The provider of the key store
      • setKeyStoreProvider

        public void setKeyStoreProvider​(String keyStoreProvider)
        Parameters:
        keyStoreProvider - The provider of the key store
      • getKeyStoreType

        public String getKeyStoreType()
        Returns:
        The type of the key store (default "JKS")
      • setKeyStoreType

        public void setKeyStoreType​(String keyStoreType)
        Parameters:
        keyStoreType - The type of the key store (default "JKS")
      • getCertAlias

        public String getCertAlias()
        Returns:
        Alias of SSL certificate for the connector
      • setCertAlias

        public void setCertAlias​(String certAlias)
        Set the default certificate Alias.

        This can be used if there are multiple non-SNI certificates, to specify the certificate that should be used, or with SNI certificates, to set a certificate to try if no others match.

        Parameters:
        certAlias - Alias of SSL certificate for the connector
      • setTrustStorePath

        public void setTrustStorePath​(String trustStorePath)
        Parameters:
        trustStorePath - The file name or URL of the trust store location
      • getTrustStoreProvider

        public String getTrustStoreProvider()
        Returns:
        The provider of the trust store
      • setTrustStoreProvider

        public void setTrustStoreProvider​(String trustStoreProvider)
        Parameters:
        trustStoreProvider - The provider of the trust store
      • getTrustStoreType

        public String getTrustStoreType()
        Returns:
        The type of the trust store (default "JKS")
      • setTrustStoreType

        public void setTrustStoreType​(String trustStoreType)
        Parameters:
        trustStoreType - The type of the trust store (default "JKS")
      • getNeedClientAuth

        public boolean getNeedClientAuth()
        Returns:
        True if SSL needs client authentication.
        See Also:
        SSLEngine.getNeedClientAuth()
      • setNeedClientAuth

        public void setNeedClientAuth​(boolean needClientAuth)
        Parameters:
        needClientAuth - True if SSL needs client authentication.
        See Also:
        SSLEngine.getNeedClientAuth()
      • getWantClientAuth

        public boolean getWantClientAuth()
        Returns:
        True if SSL wants client authentication.
        See Also:
        SSLEngine.getWantClientAuth()
      • setWantClientAuth

        public void setWantClientAuth​(boolean wantClientAuth)
        Parameters:
        wantClientAuth - True if SSL wants client authentication.
        See Also:
        SSLEngine.getWantClientAuth()
      • isValidateCerts

        public boolean isValidateCerts()
        Returns:
        true if SSL certificate has to be validated
      • setValidateCerts

        public void setValidateCerts​(boolean validateCerts)
        Parameters:
        validateCerts - true if SSL certificates have to be validated
      • isValidatePeerCerts

        public boolean isValidatePeerCerts()
        Returns:
        true if SSL certificates of the peer have to be validated
      • setValidatePeerCerts

        public void setValidatePeerCerts​(boolean validatePeerCerts)
        Parameters:
        validatePeerCerts - true if SSL certificates of the peer have to be validated
      • getKeyManagerFactoryAlgorithm

        public String getKeyManagerFactoryAlgorithm()
        Returns:
        The algorithm name (default "SunX509") used by the KeyManagerFactory
      • setKeyManagerFactoryAlgorithm

        public void setKeyManagerFactoryAlgorithm​(String algorithm)
        Parameters:
        algorithm - The algorithm name (default "SunX509") used by the KeyManagerFactory
      • getTrustManagerFactoryAlgorithm

        public String getTrustManagerFactoryAlgorithm()
        Returns:
        The algorithm name (default "SunX509") used by the TrustManagerFactory
      • isTrustAll

        public boolean isTrustAll()
        Returns:
        True if all certificates should be trusted if there is no KeyStore or TrustStore
      • setTrustAll

        public void setTrustAll​(boolean trustAll)
        Parameters:
        trustAll - True if all certificates should be trusted if there is no KeyStore or TrustStore
      • setTrustManagerFactoryAlgorithm

        public void setTrustManagerFactoryAlgorithm​(String algorithm)
        Parameters:
        algorithm - The algorithm name (default "SunX509") used by the TrustManagerFactory. Use the string "TrustAll" to install a trust manager that trusts all certificates.
      • isRenegotiationAllowed

        public boolean isRenegotiationAllowed()
        Returns:
        whether TLS renegotiation is allowed (true by default)
      • setRenegotiationAllowed

        public void setRenegotiationAllowed​(boolean renegotiationAllowed)
        Parameters:
        renegotiationAllowed - whether TLS renegotiation is allowed
      • getRenegotiationLimit

        public int getRenegotiationLimit()
        Returns:
        The number of renegotiations allowed for this connection. When the limit is 0 renegotiation will be denied. If the limit is less than 0 then no limit is applied.
      • setRenegotiationLimit

        public void setRenegotiationLimit​(int renegotiationLimit)
        Parameters:
        renegotiationLimit - The number of renegotiations allowed for this connection. When the limit is 0 renegotiation will be denied. If the limit is less than 0 then no limit is applied. Default 5.
      • getCrlPath

        public String getCrlPath()
        Returns:
        Path to file that contains Certificate Revocation List
      • setCrlPath

        public void setCrlPath​(String crlPath)
        Parameters:
        crlPath - Path to file that contains Certificate Revocation List
      • getMaxCertPathLength

        public int getMaxCertPathLength()
        Returns:
        Maximum number of intermediate certificates in the certification path (-1 for unlimited)
      • setMaxCertPathLength

        public void setMaxCertPathLength​(int maxCertPathLength)
        Parameters:
        maxCertPathLength - maximum number of intermediate certificates in the certification path (-1 for unlimited)
      • getSslContext

        public SSLContext getSslContext()
        Returns:
        The SSLContext
      • setSslContext

        public void setSslContext​(SSLContext sslContext)
        Parameters:
        sslContext - Set a preconfigured SSLContext
      • getEndpointIdentificationAlgorithm

        public String getEndpointIdentificationAlgorithm()
        Returns:
        the endpoint identification algorithm
      • setEndpointIdentificationAlgorithm

        public void setEndpointIdentificationAlgorithm​(String endpointIdentificationAlgorithm)
        When set to "HTTPS", hostname verification will be enabled.
        Parameters:
        endpointIdentificationAlgorithm - The endpoint identification algorithm to set
      • loadKeyStore

        protected KeyStore loadKeyStore​(Resource resource)
                                 throws Exception
        Override this method to provide an alternate way to load a keystore.
        Parameters:
        resource - the resource to load the keystore from
        Returns:
        the key store instance
        Throws:
        Exception - if the keystore cannot be loaded
      • loadTrustStore

        protected KeyStore loadTrustStore​(Resource resource)
                                   throws Exception
        Override this method to provide an alternate way to load a truststore.
        Parameters:
        resource - the resource to load the truststore from
        Returns:
        the key store instance
        Throws:
        Exception - if the truststore cannot be loaded
      • loadCRL

        protected Collection<? extends CRL> loadCRL​(String crlPath)
                                             throws Exception
        Loads certificate revocation list (CRL) from a file.

        Required for integrations to be able to override the mechanism used to load CRL in order to provide their own implementation.

        Parameters:
        crlPath - path of certificate revocation list file
        Returns:
        Collection of CRLs
        Throws:
        Exception - if the certificate revocation list cannot be loaded
      • selectProtocols

        public void selectProtocols​(String[] enabledProtocols,
                                    String[] supportedProtocols)
        Select protocols to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported protocols.
        Parameters:
        enabledProtocols - Array of enabled protocols
        supportedProtocols - Array of supported protocols
      • selectCipherSuites

        protected void selectCipherSuites​(String[] enabledCipherSuites,
                                          String[] supportedCipherSuites)
        Select cipher suites to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported cipher suite lists.
        Parameters:
        enabledCipherSuites - Array of enabled cipher suites
        supportedCipherSuites - Array of supported cipher suites
      • processIncludeCipherSuites

        protected void processIncludeCipherSuites​(String[] supportedCipherSuites,
                                                  List<String> selected_ciphers)
      • removeExcludedCipherSuites

        protected void removeExcludedCipherSuites​(List<String> selected_ciphers)
      • isEnableCRLDP

        public boolean isEnableCRLDP()
        Returns:
        true if CRL Distribution Points support is enabled
      • setEnableCRLDP

        public void setEnableCRLDP​(boolean enableCRLDP)
        Enables CRL Distribution Points Support
        Parameters:
        enableCRLDP - true to turn on, false to turn off
      • isEnableOCSP

        public boolean isEnableOCSP()
        Returns:
        true if Online Certificate Status Protocol (OCSP) support is enabled
      • setEnableOCSP

        public void setEnableOCSP​(boolean enableOCSP)
        Enables Online Certificate Status Protocol (OCSP) support
        Parameters:
        enableOCSP - true to turn on, false to turn off
      • getOcspResponderURL

        public String getOcspResponderURL()
        Returns:
        Location of the OCSP Responder
      • setOcspResponderURL

        public void setOcspResponderURL​(String ocspResponderURL)
        Set the location of the OCSP Responder.
        Parameters:
        ocspResponderURL - location of the OCSP Responder
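        The following is an added example (not Jetty's own code) contrasting the trust-all client configuration from setTrustAll / the "TrustAll" algorithm with a client factory that uses an explicit trust store, peer validation, "HTTPS" endpoint identification and the CRLDP/OCSP revocation settings described above. It assumes Jetty 9.4 and jetty-client's HttpClient; setTrustStorePassword is Jetty API not listed on this page, and the trust store path, password and URL are placeholders.

```java
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class ClientTrustConfiguration {

    // Permissive configuration: every server certificate is accepted and the
    // hostname is never checked. Kept only as the contrast to the hardened form.
    public static SslContextFactory trustEverything() {
        SslContextFactory factory = new SslContextFactory(true); // trustAll == true
        // Equivalent: factory.setTrustManagerFactoryAlgorithm("TrustAll");
        return factory;
    }

    // Hardened configuration: explicit trust anchors, chain validation,
    // hostname verification and revocation checking.
    public static SslContextFactory pinnedTrust() {
        SslContextFactory factory = new SslContextFactory();
        factory.setTrustAll(false);
        factory.setTrustStorePath("/path/to/truststore.p12");  // placeholder: holds only your CA(s)
        factory.setTrustStoreType("PKCS12");
        factory.setTrustStorePassword("changeit");              // placeholder
        // validatePeerCerts covers the remote side; validateCerts covers this
        // factory's own keystore certificates and is not what a client needs here.
        factory.setValidatePeerCerts(true);
        factory.setMaxCertPathLength(2);                        // bound chain depth; -1 is unlimited
        factory.setEndpointIdentificationAlgorithm("HTTPS");    // hostname verification
        factory.setEnableOCSP(true);                            // revocation via OCSP ...
        factory.setEnableCRLDP(true);                           // ... and CRL distribution points
        return factory;
    }

    public static void main(String[] args) throws Exception {
        HttpClient client = new HttpClient(pinnedTrust());
        client.start();
        try {
            // placeholder URL; a name mismatch or untrusted chain fails the handshake
            int status = client.GET("https://example.internal/health").getStatus();
            System.out.println("HTTP " + status);
        } finally {
            client.stop();
        }
    }
}
```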
      • setKeyStore

        public void setKeyStore​(KeyStore keyStore)
        Set the key store.
        Parameters:
        keyStore - the key store to set
      • getKeyStore

        public KeyStore getKeyStore()
      • setTrustStore

        public void setTrustStore​(KeyStore trustStore)
        Set the trust store.
        Parameters:
        trustStore - the trust store to set
      • getTrustStore

        public KeyStore getTrustStore()
      • setKeyStoreResource

        public void setKeyStoreResource​(Resource resource)
        Set the key store resource.
        Parameters:
        resource - the key store resource to set
      • getKeyStoreResource

        public Resource getKeyStoreResource()
      • setTrustStoreResource

        public void setTrustStoreResource​(Resource resource)
        Set the trust store resource.
        Parameters:
        resource - the trust store resource to set
      • getTrustStoreResource

        public Resource getTrustStoreResource()
      • isSessionCachingEnabled

        public boolean isSessionCachingEnabled()
        Returns:
        true if SSL Session caching is enabled
      • setSessionCachingEnabled

        public void setSessionCachingEnabled​(boolean enableSessionCaching)
        Set the flag to enable SSL Session caching. If set to true, then the SSLContext.createSSLEngine(String, int) method is used to pass host and port information as a hint for session reuse. Note that this is only a hint and the session may not be reused. Moreover, the hint is typically only used by client side implementations, and setting this to false does not stop a server from accepting an offered session ID for reuse.
        Parameters:
        enableSessionCaching - the value of the flag
      • setSslSessionCacheSize

        public void setSslSessionCacheSize​(int sslSessionCacheSize)
        Set SSL session cache size.

        Set the max cache size to be set on SSLSessionContext.setSessionCacheSize(int) when this factory is started.

        Parameters:
        sslSessionCacheSize - SSL session cache size to set. A value of -1 (default) uses the JVM default, 0 means unlimited, and a positive number is the maximum size.
      • getSslSessionTimeout

        public int getSslSessionTimeout()
        Get SSL session timeout.
        Returns:
        SSL session timeout
      • setSslSessionTimeout

        public void setSslSessionTimeout​(int sslSessionTimeout)
        Set SSL session timeout.

        Set the timeout in seconds to be set on SSLSessionContext.setSessionTimeout(int) when this factory is started.

        Parameters:
        sslSessionTimeout - SSL session timeout to set in seconds. A value of -1 (default) uses the JVM default, 0 means unlimited, and a positive number is the timeout in seconds.
      • newSSLEngine

        public SSLEngine newSSLEngine()
        Factory method for "scratch" SSLEngines, usually only used for retrieving configuration information such as the application buffer size or the list of protocols/ciphers.

        This method should not be used for creating SSLEngines that are used in actual socket communication.

        Returns:
        a new, "scratch" SSLEngine
      • customize

        public void customize​(SSLEngine sslEngine)
        Customize an SSLEngine instance with the configuration of this factory, by calling customize(SSLParameters).
        Parameters:
        sslEngine - the SSLEngine to customize
      • customize

        public SSLParameters customize​(SSLParameters sslParams)
        Customize an SSLParameters instance with the configuration of this factory.
        Parameters:
        sslParams - The parameters to customize
        Returns:
        The passed instance of sslParams (returned as a convenience)
      • deduceKeyLength

        public static int deduceKeyLength​(String cipherSuite)
        Given the name of a TLS/SSL cipher suite, return an int representing its effective stream cipher key strength, i.e. how much entropy is in the key material being fed into the encryption routines.

        This is based on the information on effective key lengths in RFC 2246 - The TLS Protocol Version 1.0, Appendix C. CipherSuite definitions:

                                          Effective
             Cipher           Type       Key Bits
             ------------     ------     ---------
             NULL           * Stream         0
             IDEA_CBC         Block        128
             RC2_CBC_40     * Block         40
             RC4_40         * Stream        40
             RC4_128          Stream       128
             DES40_CBC      * Block         40
             DES_CBC          Block         56
             3DES_EDE_CBC     Block        168

         (* marks the ciphers that RFC 2246 flags as exportable.)

        Parameters:
        cipherSuite - String name of the TLS cipher suite.
        Returns:
        int indicating the effective key entropy bit-length.
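        The following is an added example (not Jetty's own code) that feeds deduceKeyLength into a Comparator installed with setCipherComparator, as described under setCipherComparator and setUseCipherSuitesOrder above. It runs on a constructed list of suite names without starting a factory, and shows why the deduced key length alone is a poor ordering (the table above rates 3DES at 168 bits, above AES-128) and how to use it only as a tie-breaker. It assumes Jetty 9.4; the sample names are constructed, not JVM output.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.List;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class StrengthOrdering {

    // Constructed sample of suite names, not real JVM output.
    static final List<String> SAMPLE = Arrays.asList(
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_NULL_SHA256");

    // Naive ordering: largest deduced key length first. Per the table above this
    // puts 3DES (168 bits) ahead of AES-128 (128 bits), which is not what you want.
    static final Comparator<String> BY_KEY_LENGTH =
        Comparator.<String>comparingInt(SslContextFactory::deduceKeyLength).reversed();

    // Policy ordering: forward secrecy and AEAD first; key length only breaks ties.
    static int policyScore(String suite) {
        int score = 0;
        if (suite.startsWith("TLS_AES_") || suite.startsWith("TLS_CHACHA20_"))
            score += 2000;                                                     // TLS 1.3: always PFS + AEAD
        if (suite.contains("_ECDHE_") || suite.contains("_DHE_")) score += 1000;  // forward secrecy
        if (suite.contains("_GCM_") || suite.contains("_CHACHA20_")) score += 100; // AEAD
        if (suite.contains("_3DES_") || suite.contains("_NULL_")) score -= 10000;  // never prefer
        return score;
    }

    static final Comparator<String> BY_POLICY =
        Comparator.<String>comparingInt(StrengthOrdering::policyScore)
                  .thenComparingInt(SslContextFactory::deduceKeyLength)
                  .reversed();

    static List<String> order(Comparator<String> comparator) {
        List<String> copy = new ArrayList<>(SAMPLE);
        copy.sort(comparator);
        return copy;
    }

    public static void main(String[] args) {
        System.out.println("by key length: " + order(BY_KEY_LENGTH));
        System.out.println("by policy:     " + order(BY_POLICY));

        // Installed on a factory, the comparator is applied in selectCipherSuites()
        // when the factory starts; useCipherSuitesOrder makes the server enforce it.
        SslContextFactory factory = new SslContextFactory();
        factory.setCipherComparator(BY_POLICY);
        factory.setUseCipherSuitesOrder(true);
    }
}
```

A comparator only reorders what survived the include/exclude step; it never admits a suite the exclude patterns removed.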