Package org.eclipse.jetty.util.ssl

Class SslContextFactory

java.lang.Object

org.eclipse.jetty.util.component.AbstractLifeCycle

org.eclipse.jetty.util.ssl.SslContextFactory

All Implemented Interfaces:

Dumpable, LifeCycle

@ManagedObject
public class SslContextFactory
extends AbstractLifeCycle
implements Dumpable

SslContextFactory is used to configure SSL connectors as well as HttpClient. It holds all SSL parameters and creates SSL context based on these parameters to be used by the SSL connectors.

Nested Class Summary

Nested classes/interfaces inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

AbstractLifeCycle.AbstractLifeCycleListener

Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.LifeCycle

LifeCycle.Listener

Field Summary

Fields

Modifier and Type	Field	Description
static java.lang.String	DEFAULT_KEYMANAGERFACTORY_ALGORITHM
static java.lang.String	DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM
static java.lang.String	KEYPASSWORD_PROPERTY	String name of key password property.
static java.lang.String	PASSWORD_PROPERTY	String name of keystore password property.
static javax.net.ssl.TrustManager[]	TRUST_ALL_CERTS

Fields inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

FAILED, RUNNING, STARTED, STARTING, STOP_ON_FAILURE, STOPPED, STOPPING

Constructor Summary

Constructors

Constructor	Description
SslContextFactory()	Construct an instance of SslContextFactory Default constructor for use in XmlConfiguration files
SslContextFactory(boolean trustAll)	Construct an instance of SslContextFactory Default constructor for use in XmlConfiguration files
SslContextFactory(java.lang.String keyStorePath)	Construct an instance of SslContextFactory

Method Summary

Modifier and Type	Method	Description
void	addExcludeCipherSuites(java.lang.String... cipher)
void	addExcludeProtocols(java.lang.String... protocol)
void	customize(javax.net.ssl.SSLEngine sslEngine)	Customize an SslEngine instance with the configuration of this factory, by calling customize(SSLParameters)
javax.net.ssl.SSLParameters	customize(javax.net.ssl.SSLParameters sslParams)	Customize an SslParameters instance with the configuration of this factory.
static int	deduceKeyLength(java.lang.String cipherSuite)	Given the name of a TLS/SSL cipher suite, return an int representing it effective stream cipher key strength.
protected void	doStart()	Creates the SSLContext object and starts the lifecycle
protected void	doStop()
java.lang.String	dump()
void	dump(java.lang.Appendable out, java.lang.String indent)
java.util.Set<java.lang.String>	getAliases()
java.lang.String	getCertAlias()
static java.security.cert.X509Certificate[]	getCertChain(javax.net.ssl.SSLSession sslSession)
java.util.Comparator<java.lang.String>	getCipherComparator()
java.lang.String	getCrlPath()
java.lang.String	getEndpointIdentificationAlgorithm()
java.lang.String[]	getExcludeCipherSuites()
java.lang.String[]	getExcludeProtocols()
java.lang.String[]	getIncludeCipherSuites()
java.lang.String[]	getIncludeProtocols()
java.lang.String	getKeyManagerFactoryAlgorithm()
protected javax.net.ssl.KeyManager[]	getKeyManagers(java.security.KeyStore keyStore)
java.security.KeyStore	getKeyStore()
java.lang.String	getKeyStorePath()
java.lang.String	getKeyStoreProvider()
Resource	getKeyStoreResource()
java.lang.String	getKeyStoreType()
int	getMaxCertPathLength()
boolean	getNeedClientAuth()
java.lang.String	getOcspResponderURL()
protected Password	getPassword(java.lang.String realm)	Returns the password object for the given realm.
java.security.cert.PKIXCertPathChecker	getPkixCertPathChecker()
java.lang.String	getProtocol()
java.lang.String	getProvider()
int	getRenegotiationLimit()
java.lang.String	getSecureRandomAlgorithm()
java.lang.String[]	getSelectedCipherSuites()
java.lang.String[]	getSelectedProtocols()
javax.net.ssl.SSLContext	getSslContext()
int	getSslSessionCacheSize()	Get SSL session cache size.
int	getSslSessionTimeout()	Get SSL session timeout.
java.lang.String	getTrustManagerFactoryAlgorithm()
protected javax.net.ssl.TrustManager[]	getTrustManagers(java.security.KeyStore trustStore, java.util.Collection<? extends java.security.cert.CRL> crls)
java.security.KeyStore	getTrustStore()
java.lang.String	getTrustStorePath()
java.lang.String	getTrustStoreProvider()
Resource	getTrustStoreResource()
java.lang.String	getTrustStoreType()
boolean	getWantClientAuth()
X509	getX509(java.lang.String alias)
boolean	isEnableCRLDP()
boolean	isEnableOCSP()
boolean	isRenegotiationAllowed()
boolean	isSessionCachingEnabled()
boolean	isTrustAll()
boolean	isUseCipherSuitesOrder()
boolean	isValidateCerts()
boolean	isValidatePeerCerts()
protected java.util.Collection<? extends java.security.cert.CRL>	loadCRL(java.lang.String crlPath)	Loads certificate revocation list (CRL) from a file.
protected java.security.KeyStore	loadKeyStore(Resource resource)	Override this method to provide alternate way to load a keystore.
protected java.security.KeyStore	loadTrustStore(Resource resource)	Override this method to provide alternate way to load a truststore.
Password	newPassword(java.lang.String password)	Creates a new Password object.
protected java.security.cert.PKIXBuilderParameters	newPKIXBuilderParameters(java.security.KeyStore trustStore, java.util.Collection<? extends java.security.cert.CRL> crls)
javax.net.ssl.SSLEngine	newSSLEngine()	Factory method for "scratch" SSLEngines, usually only used for retrieving configuration information such as the application buffer size or the list of protocols/ciphers.
javax.net.ssl.SSLEngine	newSSLEngine(java.lang.String host, int port)	General purpose factory method for creating SSLEngines, although creation of SSLEngines on the server-side should prefer newSSLEngine(InetSocketAddress).
javax.net.ssl.SSLEngine	newSSLEngine(java.net.InetSocketAddress address)	Server-side only factory method for creating SSLEngines.
javax.net.ssl.SSLServerSocket	newSslServerSocket(java.lang.String host, int port, int backlog)
javax.net.ssl.SSLSocket	newSslSocket()
protected void	processIncludeCipherSuites(java.lang.String[] supportedCipherSuites, java.util.List<java.lang.String> selected_ciphers)
void	reload(java.util.function.Consumer<SslContextFactory> consumer)
protected void	removeExcludedCipherSuites(java.util.List<java.lang.String> selected_ciphers)
protected void	selectCipherSuites(java.lang.String[] enabledCipherSuites, java.lang.String[] supportedCipherSuites)	Select cipher suites to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported cipher suite lists.
void	selectProtocols(java.lang.String[] enabledProtocols, java.lang.String[] supportedProtocols)	Select protocols to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported protocols.
void	setCertAlias(java.lang.String certAlias)	Set the default certificate Alias.
void	setCipherComparator(java.util.Comparator<java.lang.String> cipherComparator)
void	setCrlPath(java.lang.String crlPath)
void	setEnableCRLDP(boolean enableCRLDP)	Enables CRL Distribution Points Support
void	setEnableOCSP(boolean enableOCSP)	Enables On-Line Certificate Status Protocol support
void	setEndpointIdentificationAlgorithm(java.lang.String endpointIdentificationAlgorithm)	When set to "HTTPS" hostname verification will be enabled
void	setExcludeCipherSuites(java.lang.String... cipherSuites)	You can either use the exact cipher suite name or a a regular expression.
void	setExcludeProtocols(java.lang.String... protocols)
void	setIncludeCipherSuites(java.lang.String... cipherSuites)	You can either use the exact cipher suite name or a a regular expression.
void	setIncludeProtocols(java.lang.String... protocols)
void	setKeyManagerFactoryAlgorithm(java.lang.String algorithm)
void	setKeyManagerPassword(java.lang.String password)
void	setKeyStore(java.security.KeyStore keyStore)	Set the key store.
void	setKeyStorePassword(java.lang.String password)
void	setKeyStorePath(java.lang.String keyStorePath)
void	setKeyStoreProvider(java.lang.String keyStoreProvider)
void	setKeyStoreResource(Resource resource)	Set the key store resource.
void	setKeyStoreType(java.lang.String keyStoreType)
void	setMaxCertPathLength(int maxCertPathLength)
void	setNeedClientAuth(boolean needClientAuth)
void	setOcspResponderURL(java.lang.String ocspResponderURL)	Set the location of the OCSP Responder.
void	setPkixCertPathChecker(java.security.cert.PKIXCertPathChecker pkixCertPatchChecker)
void	setProtocol(java.lang.String protocol)
void	setProvider(java.lang.String provider)
void	setRenegotiationAllowed(boolean renegotiationAllowed)
void	setRenegotiationLimit(int renegotiationLimit)
void	setSecureRandomAlgorithm(java.lang.String algorithm)
void	setSessionCachingEnabled(boolean enableSessionCaching)	Set the flag to enable SSL Session caching.
void	setSslContext(javax.net.ssl.SSLContext sslContext)
void	setSslSessionCacheSize(int sslSessionCacheSize)	Set SSL session cache size.
void	setSslSessionTimeout(int sslSessionTimeout)	Set SSL session timeout.
void	setTrustAll(boolean trustAll)
void	setTrustManagerFactoryAlgorithm(java.lang.String algorithm)
void	setTrustStore(java.security.KeyStore trustStore)	Set the trust store.
void	setTrustStorePassword(java.lang.String password)
void	setTrustStorePath(java.lang.String trustStorePath)
void	setTrustStoreProvider(java.lang.String trustStoreProvider)
void	setTrustStoreResource(Resource resource)	Set the trust store resource.
void	setTrustStoreType(java.lang.String trustStoreType)
void	setUseCipherSuitesOrder(boolean useCipherSuitesOrder)
void	setValidateCerts(boolean validateCerts)
void	setValidatePeerCerts(boolean validatePeerCerts)
void	setWantClientAuth(boolean wantClientAuth)
java.lang.String	toString()

Methods inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

addLifeCycleListener, getState, getState, getStopTimeout, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, setStopTimeout, start, stop

Methods inherited from interface org.eclipse.jetty.util.component.LifeCycle

start, stop

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

TRUST_ALL_CERTS

public static final javax.net.ssl.TrustManager[] TRUST_ALL_CERTS

DEFAULT_KEYMANAGERFACTORY_ALGORITHM

public static final java.lang.String DEFAULT_KEYMANAGERFACTORY_ALGORITHM

DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM

public static final java.lang.String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM

KEYPASSWORD_PROPERTY

public static final java.lang.String KEYPASSWORD_PROPERTY

String name of key password property.

See Also:

Constant Field Values

PASSWORD_PROPERTY

public static final java.lang.String PASSWORD_PROPERTY

String name of keystore password property.

See Also:

Constant Field Values

Constructor Detail

SslContextFactory

public SslContextFactory()

Construct an instance of SslContextFactory Default constructor for use in XmlConfiguration files

SslContextFactory

public SslContextFactory(boolean trustAll)

Construct an instance of SslContextFactory Default constructor for use in XmlConfiguration files

Parameters:

trustAll - whether to blindly trust all certificates

See Also:

setTrustAll(boolean)

SslContextFactory

public SslContextFactory(java.lang.String keyStorePath)

Construct an instance of SslContextFactory

Parameters:

keyStorePath - default keystore location

Method Detail

doStart

protected void doStart()
                throws java.lang.Exception

Creates the SSLContext object and starts the lifecycle

Overrides:

doStart in class AbstractLifeCycle

Throws:

java.lang.Exception

dump

public java.lang.String dump()

Specified by:

dump in interface Dumpable

dump

public void dump(java.lang.Appendable out,
                 java.lang.String indent)
          throws java.io.IOException

Specified by:

dump in interface Dumpable

Throws:

java.io.IOException

doStop

protected void doStop()
               throws java.lang.Exception

Overrides:

doStop in class AbstractLifeCycle

Throws:

java.lang.Exception

getSelectedProtocols

@ManagedAttribute(value="The selected TLS protocol versions",
                  readonly=true)
public java.lang.String[] getSelectedProtocols()

getSelectedCipherSuites

@ManagedAttribute(value="The selected cipher suites",
                  readonly=true)
public java.lang.String[] getSelectedCipherSuites()

getCipherComparator

public java.util.Comparator<java.lang.String> getCipherComparator()

setCipherComparator

public void setCipherComparator(java.util.Comparator<java.lang.String> cipherComparator)

getAliases

public java.util.Set<java.lang.String> getAliases()

getX509

public X509 getX509(java.lang.String alias)

getExcludeProtocols

@ManagedAttribute("The excluded TLS protocols")
public java.lang.String[] getExcludeProtocols()

Returns:

The array of protocol names to exclude from SSLEngine.setEnabledProtocols(String[])

setExcludeProtocols

public void setExcludeProtocols(java.lang.String... protocols)

Parameters:

protocols - The array of protocol names to exclude from SSLEngine.setEnabledProtocols(String[])

addExcludeProtocols

public void addExcludeProtocols(java.lang.String... protocol)

Parameters:

protocol - Protocol names to add to SSLEngine.setEnabledProtocols(String[])

getIncludeProtocols

@ManagedAttribute("The included TLS protocols")
public java.lang.String[] getIncludeProtocols()

Returns:

The array of protocol names to include in SSLEngine.setEnabledProtocols(String[])

setIncludeProtocols

public void setIncludeProtocols(java.lang.String... protocols)

Parameters:

protocols - The array of protocol names to include in SSLEngine.setEnabledProtocols(String[])

getExcludeCipherSuites

@ManagedAttribute("The excluded cipher suites")
public java.lang.String[] getExcludeCipherSuites()

Returns:

The array of cipher suite names to exclude from SSLEngine.setEnabledCipherSuites(String[])

setExcludeCipherSuites

public void setExcludeCipherSuites(java.lang.String... cipherSuites)

You can either use the exact cipher suite name or a a regular expression.

Parameters:

cipherSuites - The array of cipher suite names to exclude from SSLEngine.setEnabledCipherSuites(String[])

addExcludeCipherSuites

public void addExcludeCipherSuites(java.lang.String... cipher)

Parameters:

cipher - Cipher names to add to SSLEngine.setEnabledCipherSuites(String[])

getIncludeCipherSuites

@ManagedAttribute("The included cipher suites")
public java.lang.String[] getIncludeCipherSuites()

Returns:

The array of cipher suite names to include in SSLEngine.setEnabledCipherSuites(String[])

setIncludeCipherSuites

public void setIncludeCipherSuites(java.lang.String... cipherSuites)

You can either use the exact cipher suite name or a a regular expression.

Parameters:

cipherSuites - The array of cipher suite names to include in SSLEngine.setEnabledCipherSuites(String[])

isUseCipherSuitesOrder

@ManagedAttribute("Whether to respect the cipher suites order")
public boolean isUseCipherSuitesOrder()

setUseCipherSuitesOrder

public void setUseCipherSuitesOrder(boolean useCipherSuitesOrder)

getKeyStorePath

@ManagedAttribute("The keyStore path")
public java.lang.String getKeyStorePath()

Returns:

The file or URL of the SSL Key store.

setKeyStorePath

public void setKeyStorePath(java.lang.String keyStorePath)

Parameters:

keyStorePath - The file or URL of the SSL Key store.

getKeyStoreProvider

@ManagedAttribute("The keyStore provider name")
public java.lang.String getKeyStoreProvider()

Returns:

The provider of the key store

setKeyStoreProvider

public void setKeyStoreProvider(java.lang.String keyStoreProvider)

Parameters:

keyStoreProvider - The provider of the key store

getKeyStoreType

@ManagedAttribute("The keyStore type")
public java.lang.String getKeyStoreType()

Returns:

The type of the key store (default "JKS")

setKeyStoreType

public void setKeyStoreType(java.lang.String keyStoreType)

Parameters:

keyStoreType - The type of the key store (default "JKS")

getCertAlias

@ManagedAttribute("The certificate alias")
public java.lang.String getCertAlias()

Returns:

Alias of SSL certificate for the connector

setCertAlias

public void setCertAlias(java.lang.String certAlias)

Set the default certificate Alias.

This can be used if there are multiple non-SNI certificates to specify the certificate that should be used, or with SNI certificates to set a certificate to try if no others match

Parameters:

certAlias - Alias of SSL certificate for the connector

getTrustStorePath

@ManagedAttribute("The trustStore path")
public java.lang.String getTrustStorePath()

setTrustStorePath

public void setTrustStorePath(java.lang.String trustStorePath)

Parameters:

trustStorePath - The file name or URL of the trust store location

getTrustStoreProvider

@ManagedAttribute("The trustStore provider name")
public java.lang.String getTrustStoreProvider()

Returns:

The provider of the trust store

setTrustStoreProvider

public void setTrustStoreProvider(java.lang.String trustStoreProvider)

Parameters:

trustStoreProvider - The provider of the trust store

getTrustStoreType

@ManagedAttribute("The trustStore type")
public java.lang.String getTrustStoreType()

Returns:

The type of the trust store

setTrustStoreType

public void setTrustStoreType(java.lang.String trustStoreType)

Parameters:

trustStoreType - The type of the trust store

getNeedClientAuth

@ManagedAttribute("Whether client authentication is needed")
public boolean getNeedClientAuth()

Returns:

True if SSL needs client authentication.

See Also:

SSLEngine.getNeedClientAuth()

setNeedClientAuth

public void setNeedClientAuth(boolean needClientAuth)

Parameters:

needClientAuth - True if SSL needs client authentication.

See Also:

SSLEngine.getNeedClientAuth()

getWantClientAuth

@ManagedAttribute("Whether client authentication is wanted")
public boolean getWantClientAuth()

Returns:

True if SSL wants client authentication.

See Also:

SSLEngine.getWantClientAuth()

setWantClientAuth

public void setWantClientAuth(boolean wantClientAuth)

Parameters:

wantClientAuth - True if SSL wants client authentication.

See Also:

SSLEngine.getWantClientAuth()

isValidateCerts

@ManagedAttribute("Whether certificates are validated")
public boolean isValidateCerts()

Returns:

true if SSL certificate has to be validated

setValidateCerts

public void setValidateCerts(boolean validateCerts)

Parameters:

validateCerts - true if SSL certificates have to be validated

isValidatePeerCerts

@ManagedAttribute("Whether peer certificates are validated")
public boolean isValidatePeerCerts()

Returns:

true if SSL certificates of the peer have to be validated

setValidatePeerCerts

public void setValidatePeerCerts(boolean validatePeerCerts)

Parameters:

validatePeerCerts - true if SSL certificates of the peer have to be validated

setKeyStorePassword

public void setKeyStorePassword(java.lang.String password)

Parameters:

password - The password for the key store. If null is passed and a keystore is set, then the getPassword(String) is used to obtain a password either from the system property or by prompting for manual entry.

setKeyManagerPassword

public void setKeyManagerPassword(java.lang.String password)

Parameters:

password - The password (if any) for the specific key within the key store. If null is passed and the system property is set, then the getPassword(String) is used to obtain a password from the system property.

setTrustStorePassword

public void setTrustStorePassword(java.lang.String password)

Parameters:

password - The password for the truststore. If null is passed and a truststore is set that is different from the keystore, then the getPassword(String) is used to obtain a password either from the system property or by prompting for manual entry.

getProvider

@ManagedAttribute("The provider name")
public java.lang.String getProvider()

Returns:

The SSL provider name, which if set is passed to SSLContext.getInstance(String, String)

setProvider

public void setProvider(java.lang.String provider)

Parameters:

provider - The SSL provider name, which if set is passed to SSLContext.getInstance(String, String)

getProtocol

@ManagedAttribute("The TLS protocol")
public java.lang.String getProtocol()

Returns:

The SSL protocol (default "TLS") passed to SSLContext.getInstance(String, String)

setProtocol

public void setProtocol(java.lang.String protocol)

Parameters:

protocol - The SSL protocol (default "TLS") passed to SSLContext.getInstance(String, String)

getSecureRandomAlgorithm

@ManagedAttribute("The SecureRandom algorithm")
public java.lang.String getSecureRandomAlgorithm()

Returns:

The algorithm name, which if set is passed to SecureRandom.getInstance(String) to obtain the SecureRandom instance passed to SSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)

setSecureRandomAlgorithm

public void setSecureRandomAlgorithm(java.lang.String algorithm)

Parameters:

algorithm - The algorithm name, which if set is passed to SecureRandom.getInstance(String) to obtain the SecureRandom instance passed to SSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)

getKeyManagerFactoryAlgorithm

@ManagedAttribute("The KeyManagerFactory algorithm")
public java.lang.String getKeyManagerFactoryAlgorithm()

Returns:

The algorithm name (default "SunX509") used by the KeyManagerFactory

setKeyManagerFactoryAlgorithm

public void setKeyManagerFactoryAlgorithm(java.lang.String algorithm)

Parameters:

algorithm - The algorithm name (default "SunX509") used by the KeyManagerFactory

getTrustManagerFactoryAlgorithm

@ManagedAttribute("The TrustManagerFactory algorithm")
public java.lang.String getTrustManagerFactoryAlgorithm()

Returns:

The algorithm name (default "SunX509") used by the TrustManagerFactory

isTrustAll

@ManagedAttribute("Whether certificates should be trusted even if they are invalid")
public boolean isTrustAll()

Returns:

True if all certificates should be trusted if there is no KeyStore or TrustStore

setTrustAll

public void setTrustAll(boolean trustAll)

Parameters:

trustAll - True if all certificates should be trusted if there is no KeyStore or TrustStore

setTrustManagerFactoryAlgorithm

public void setTrustManagerFactoryAlgorithm(java.lang.String algorithm)

Parameters:

algorithm - The algorithm name (default "SunX509") used by the TrustManagerFactory Use the string "TrustAll" to install a trust manager that trusts all.

isRenegotiationAllowed

@ManagedAttribute("Whether renegotiation is allowed")
public boolean isRenegotiationAllowed()

Returns:

whether TLS renegotiation is allowed (true by default)

setRenegotiationAllowed

public void setRenegotiationAllowed(boolean renegotiationAllowed)

Parameters:

renegotiationAllowed - whether TLS renegotiation is allowed

getRenegotiationLimit

@ManagedAttribute("The max number of renegotiations allowed")
public int getRenegotiationLimit()

Returns:

The number of renegotiations allowed for this connection. When the limit is 0 renegotiation will be denied. If the limit is less than 0 then no limit is applied.

setRenegotiationLimit

public void setRenegotiationLimit(int renegotiationLimit)

Parameters:

renegotiationLimit - The number of renegotions allowed for this connection. When the limit is 0 renegotiation will be denied. If the limit is less than 0 then no limit is applied. Default 5.

getCrlPath

@ManagedAttribute("The path to the certificate revocation list file")
public java.lang.String getCrlPath()

Returns:

Path to file that contains Certificate Revocation List

setCrlPath

public void setCrlPath(java.lang.String crlPath)

Parameters:

crlPath - Path to file that contains Certificate Revocation List

getMaxCertPathLength

@ManagedAttribute("The maximum number of intermediate certificates")
public int getMaxCertPathLength()

Returns:

Maximum number of intermediate certificates in the certification path (-1 for unlimited)

setMaxCertPathLength

public void setMaxCertPathLength(int maxCertPathLength)

Parameters:

maxCertPathLength - maximum number of intermediate certificates in the certification path (-1 for unlimited)

getSslContext

public javax.net.ssl.SSLContext getSslContext()

Returns:

The SSLContext

setSslContext

public void setSslContext(javax.net.ssl.SSLContext sslContext)

Parameters:

sslContext - Set a preconfigured SSLContext

getEndpointIdentificationAlgorithm

@ManagedAttribute("The endpoint identification algorithm")
public java.lang.String getEndpointIdentificationAlgorithm()

Returns:

the endpoint identification algorithm

setEndpointIdentificationAlgorithm

public void setEndpointIdentificationAlgorithm(java.lang.String endpointIdentificationAlgorithm)

When set to "HTTPS" hostname verification will be enabled

Parameters:

endpointIdentificationAlgorithm - Set the endpointIdentificationAlgorithm

getPkixCertPathChecker

public java.security.cert.PKIXCertPathChecker getPkixCertPathChecker()

setPkixCertPathChecker

public void setPkixCertPathChecker(java.security.cert.PKIXCertPathChecker pkixCertPatchChecker)

loadKeyStore

protected java.security.KeyStore loadKeyStore(Resource resource)
                                       throws java.lang.Exception

Override this method to provide alternate way to load a keystore.

Parameters:

resource - the resource to load the keystore from

Returns:

the key store instance

Throws:

java.lang.Exception - if the keystore cannot be loaded

loadTrustStore

protected java.security.KeyStore loadTrustStore(Resource resource)
                                         throws java.lang.Exception

Override this method to provide alternate way to load a truststore.

Parameters:

resource - the resource to load the truststore from

Returns:

the key store instance

Throws:

java.lang.Exception - if the truststore cannot be loaded

loadCRL

protected java.util.Collection<? extends java.security.cert.CRL> loadCRL(java.lang.String crlPath)
                                                                  throws java.lang.Exception

Loads certificate revocation list (CRL) from a file.

Required for integrations to be able to override the mechanism used to load CRL in order to provide their own implementation.

Parameters:

crlPath - path of certificate revocation list file

Returns:

Collection of CRL's

Throws:

java.lang.Exception - if the certificate revocation list cannot be loaded

getKeyManagers

protected javax.net.ssl.KeyManager[] getKeyManagers(java.security.KeyStore keyStore)
                                             throws java.lang.Exception

Throws:

java.lang.Exception

getTrustManagers

protected javax.net.ssl.TrustManager[] getTrustManagers(java.security.KeyStore trustStore,
                                                        java.util.Collection<? extends java.security.cert.CRL> crls)
                                                 throws java.lang.Exception

Throws:

java.lang.Exception

newPKIXBuilderParameters

protected java.security.cert.PKIXBuilderParameters newPKIXBuilderParameters(java.security.KeyStore trustStore,
                                                                            java.util.Collection<? extends java.security.cert.CRL> crls)
                                                                     throws java.lang.Exception

Throws:

java.lang.Exception

selectProtocols

public void selectProtocols(java.lang.String[] enabledProtocols,
                            java.lang.String[] supportedProtocols)

Select protocols to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported protocols.

Parameters:

enabledProtocols - Array of enabled protocols

supportedProtocols - Array of supported protocols

selectCipherSuites

protected void selectCipherSuites(java.lang.String[] enabledCipherSuites,
                                  java.lang.String[] supportedCipherSuites)

Select cipher suites to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported cipher suite lists.

Parameters:

enabledCipherSuites - Array of enabled cipher suites

supportedCipherSuites - Array of supported cipher suites

processIncludeCipherSuites

protected void processIncludeCipherSuites(java.lang.String[] supportedCipherSuites,
                                          java.util.List<java.lang.String> selected_ciphers)

removeExcludedCipherSuites

protected void removeExcludedCipherSuites(java.util.List<java.lang.String> selected_ciphers)

isEnableCRLDP

@ManagedAttribute("Whether certificate revocation list distribution points is enabled")
public boolean isEnableCRLDP()

Returns:

true if CRL Distribution Points support is enabled

setEnableCRLDP

public void setEnableCRLDP(boolean enableCRLDP)

Enables CRL Distribution Points Support

Parameters:

enableCRLDP - true - turn on, false - turns off

isEnableOCSP

@ManagedAttribute("Whether online certificate status protocol support is enabled")
public boolean isEnableOCSP()

Returns:

true if On-Line Certificate Status Protocol support is enabled

setEnableOCSP

public void setEnableOCSP(boolean enableOCSP)

Enables On-Line Certificate Status Protocol support

Parameters:

enableOCSP - true - turn on, false - turn off

getOcspResponderURL

@ManagedAttribute("The online certificate status protocol URL")
public java.lang.String getOcspResponderURL()

Returns:

Location of the OCSP Responder

setOcspResponderURL

public void setOcspResponderURL(java.lang.String ocspResponderURL)

Set the location of the OCSP Responder.

Parameters:

ocspResponderURL - location of the OCSP Responder

setKeyStore

public void setKeyStore(java.security.KeyStore keyStore)

Set the key store.

Parameters:

keyStore - the key store to set

getKeyStore

public java.security.KeyStore getKeyStore()

setTrustStore

public void setTrustStore(java.security.KeyStore trustStore)

Set the trust store.

Parameters:

trustStore - the trust store to set

getTrustStore

public java.security.KeyStore getTrustStore()

setKeyStoreResource

public void setKeyStoreResource(Resource resource)

Set the key store resource.

Parameters:

resource - the key store resource to set

getKeyStoreResource

public Resource getKeyStoreResource()

setTrustStoreResource

public void setTrustStoreResource(Resource resource)

Set the trust store resource.

Parameters:

resource - the trust store resource to set

getTrustStoreResource

public Resource getTrustStoreResource()

isSessionCachingEnabled

@ManagedAttribute("Whether TLS session caching is enabled")
public boolean isSessionCachingEnabled()

Returns:

true if SSL Session caching is enabled

setSessionCachingEnabled

public void setSessionCachingEnabled(boolean enableSessionCaching)

Set the flag to enable SSL Session caching. If set to true, then the SSLContext.createSSLEngine(String, int) method is used to pass host and port information as a hint for session reuse. Note that this is only a hint and session may not be reused. Moreover, the hint is typically only used on client side implementations and setting this to false does not stop a server from accepting an offered session ID to reuse.

Parameters:

enableSessionCaching - the value of the flag

getSslSessionCacheSize

@ManagedAttribute("The maximum TLS session cache size")
public int getSslSessionCacheSize()

Get SSL session cache size. Passed directly to SSLSessionContext.setSessionCacheSize(int)

Returns:

SSL session cache size

setSslSessionCacheSize

public void setSslSessionCacheSize(int sslSessionCacheSize)

Set SSL session cache size.

Set the max cache size to be set on SSLSessionContext.setSessionCacheSize(int) when this factory is started.

Parameters:

sslSessionCacheSize - SSL session cache size to set. A value of -1 (default) uses the JVM default, 0 means unlimited and positive number is a max size.

getSslSessionTimeout

@ManagedAttribute("The TLS session cache timeout, in seconds")
public int getSslSessionTimeout()

Get SSL session timeout.

Returns:

SSL session timeout

setSslSessionTimeout

public void setSslSessionTimeout(int sslSessionTimeout)

Set SSL session timeout.

Set the timeout in seconds to be set on SSLSessionContext.setSessionTimeout(int) when this factory is started.

Parameters:

sslSessionTimeout - SSL session timeout to set in seconds. A value of -1 (default) uses the JVM default, 0 means unlimited and positive number is a timeout in seconds.

getPassword

protected Password getPassword(java.lang.String realm)

Returns the password object for the given realm.

Parameters:

realm - the realm

Returns:

the Password object

newPassword

public Password newPassword(java.lang.String password)

Creates a new Password object.

Parameters:

password - the password string

Returns:

the new Password object

newSslServerSocket

public javax.net.ssl.SSLServerSocket newSslServerSocket(java.lang.String host,
                                                        int port,
                                                        int backlog)
                                                 throws java.io.IOException

Throws:

java.io.IOException

newSslSocket

public javax.net.ssl.SSLSocket newSslSocket()
                                     throws java.io.IOException

Throws:

java.io.IOException

newSSLEngine

public javax.net.ssl.SSLEngine newSSLEngine()

Factory method for "scratch" SSLEngines, usually only used for retrieving configuration information such as the application buffer size or the list of protocols/ciphers.

This method should not be used for creating SSLEngines that are used in actual socket communication.

Returns:

a new, "scratch" SSLEngine

newSSLEngine

public javax.net.ssl.SSLEngine newSSLEngine(java.lang.String host,
                                            int port)

General purpose factory method for creating SSLEngines, although creation of SSLEngines on the server-side should prefer newSSLEngine(InetSocketAddress).

Parameters:

host - the remote host

port - the remote port

Returns:

a new SSLEngine

newSSLEngine

public javax.net.ssl.SSLEngine newSSLEngine(java.net.InetSocketAddress address)

Server-side only factory method for creating SSLEngines.

If the given address is null, it is equivalent to newSSLEngine(), otherwise newSSLEngine(String, int) is called.

Clients that wish to create SSLEngine instances must use newSSLEngine(String, int).

Parameters:

address - the remote peer address

Returns:

a new SSLEngine

customize

public void customize(javax.net.ssl.SSLEngine sslEngine)

Customize an SslEngine instance with the configuration of this factory, by calling customize(SSLParameters)

Parameters:

sslEngine - the SSLEngine to customize

customize

public javax.net.ssl.SSLParameters customize(javax.net.ssl.SSLParameters sslParams)

Customize an SslParameters instance with the configuration of this factory.

Parameters:

sslParams - The parameters to customize

Returns:

The passed instance of sslParams (returned as a convenience)

reload

public void reload(java.util.function.Consumer<SslContextFactory> consumer)
            throws java.lang.Exception

Throws:

java.lang.Exception

getCertChain

public static java.security.cert.X509Certificate[] getCertChain(javax.net.ssl.SSLSession sslSession)

deduceKeyLength

public static int deduceKeyLength(java.lang.String cipherSuite)

Given the name of a TLS/SSL cipher suite, return an int representing it effective stream cipher key strength. i.e. How much entropy material is in the key material being fed into the encryption routines.

This is based on the information on effective key lengths in RFC 2246 - The TLS Protocol Version 1.0, Appendix C. CipherSuite definitions:

                         Effective
     Cipher       Type    Key Bits

     NULL       * Stream     0
     IDEA_CBC     Block    128
     RC2_CBC_40 * Block     40
     RC4_40     * Stream    40
     RC4_128      Stream   128
     DES40_CBC  * Block     40
     DES_CBC      Block     56
     3DES_EDE_CBC Block    168
 

Parameters:

cipherSuite - String name of the TLS cipher suite.

Returns:

int indicating the effective key entropy bit-length.

toString

public java.lang.String toString()

Overrides:

toString in class java.lang.Object