Class SslContextFactory

    • Field Detail

      • TRUST_ALL_CERTS

        public static final javax.net.ssl.TrustManager[] TRUST_ALL_CERTS
      • DEFAULT_KEYMANAGERFACTORY_ALGORITHM

        public static final java.lang.String DEFAULT_KEYMANAGERFACTORY_ALGORITHM
      • DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM

        public static final java.lang.String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM
      • KEYPASSWORD_PROPERTY

        public static final java.lang.String KEYPASSWORD_PROPERTY
        String name of key password property.
        See Also:
        Constant Field Values
      • PASSWORD_PROPERTY

        public static final java.lang.String PASSWORD_PROPERTY
        String name of keystore password property.
        See Also:
        Constant Field Values
    • Constructor Detail

      • SslContextFactory

        @Deprecated
        public SslContextFactory()
        Deprecated.
        use Client() or Server() instead
        Construct an instance of SslContextFactory with the default configuration.
      • SslContextFactory

        @Deprecated
        public SslContextFactory​(boolean trustAll)
        Deprecated.
        use Client(boolean) instead
        Construct an instance of SslContextFactory Default constructor for use in XmlConfiguration files
        Parameters:
        trustAll - whether to blindly trust all certificates
        See Also:
        setTrustAll(boolean)
      • SslContextFactory

        @Deprecated
        public SslContextFactory​(java.lang.String keyStorePath)
        Deprecated.
        Construct an instance of SslContextFactory
        Parameters:
        keyStorePath - default keystore location
    • Method Detail

      • doStart

        protected void doStart()
                        throws java.lang.Exception
        Creates the SSLContext object and starts the lifecycle
        Overrides:
        doStart in class AbstractLifeCycle
        Throws:
        java.lang.Exception
      • checkConfiguration

        protected void checkConfiguration()
      • checkTrustAll

        protected void checkTrustAll()
      • checkEndPointIdentificationAlgorithm

        protected void checkEndPointIdentificationAlgorithm()
      • checkProtocols

        protected void checkProtocols​(javax.net.ssl.SSLParameters supported)
      • checkCiphers

        protected void checkCiphers​(javax.net.ssl.SSLParameters supported)
      • dump

        public java.lang.String dump()
        Specified by:
        dump in interface Dumpable
      • dump

        public void dump​(java.lang.Appendable out,
                         java.lang.String indent)
                  throws java.io.IOException
        Description copied from interface: Dumpable
        Dump this object (and children) into an Appendable using the provided indent after any new lines. The indent should not be applied to the first object dumped.
        Specified by:
        dump in interface Dumpable
        Parameters:
        out - The appendable to dump to
        indent - The indent to apply after any new lines.
        Throws:
        java.io.IOException - if unable to write to Appendable
      • doStop

        protected void doStop()
                       throws java.lang.Exception
        Overrides:
        doStop in class AbstractLifeCycle
        Throws:
        java.lang.Exception
      • getSelectedProtocols

        @ManagedAttribute(value="The selected TLS protocol versions",
                          readonly=true)
        public java.lang.String[] getSelectedProtocols()
      • getCipherComparator

        public java.util.Comparator<java.lang.String> getCipherComparator()
      • setCipherComparator

        public void setCipherComparator​(java.util.Comparator<java.lang.String> cipherComparator)
      • getAliases

        public java.util.Set<java.lang.String> getAliases()
      • getX509

        public X509 getX509​(java.lang.String alias)
      • getExcludeProtocols

        @ManagedAttribute("The excluded TLS protocols")
        public java.lang.String[] getExcludeProtocols()
        Returns:
        The array of protocol names to exclude from SSLEngine.setEnabledProtocols(String[])
      • setExcludeProtocols

        public void setExcludeProtocols​(java.lang.String... protocols)
        You can either use the exact Protocol name or a a regular expression.
        Parameters:
        protocols - The array of protocol names to exclude from SSLEngine.setEnabledProtocols(String[])
      • addExcludeProtocols

        public void addExcludeProtocols​(java.lang.String... protocol)
        You can either use the exact Protocol name or a a regular expression.
        Parameters:
        protocol - Protocol name patterns to add to SSLEngine.setEnabledProtocols(String[])
      • getIncludeProtocols

        @ManagedAttribute("The included TLS protocols")
        public java.lang.String[] getIncludeProtocols()
        Returns:
        The array of protocol name patterns to include in SSLEngine.setEnabledProtocols(String[])
      • setIncludeProtocols

        public void setIncludeProtocols​(java.lang.String... protocols)
        You can either use the exact Protocol name or a a regular expression.
        Parameters:
        protocols - The array of protocol name patterns to include in SSLEngine.setEnabledProtocols(String[])
      • getExcludeCipherSuites

        @ManagedAttribute("The excluded cipher suites")
        public java.lang.String[] getExcludeCipherSuites()
        Returns:
        The array of cipher suite name patterns to exclude from SSLEngine.setEnabledCipherSuites(String[])
      • setExcludeCipherSuites

        public void setExcludeCipherSuites​(java.lang.String... cipherSuites)
        You can either use the exact Cipher suite name or a a regular expression.
        Parameters:
        cipherSuites - The array of cipher suite names to exclude from SSLEngine.setEnabledCipherSuites(String[])
      • addExcludeCipherSuites

        public void addExcludeCipherSuites​(java.lang.String... cipher)
        You can either use the exact Cipher suite name or a a regular expression.
        Parameters:
        cipher - Cipher names to add to SSLEngine.setEnabledCipherSuites(String[])
      • getIncludeCipherSuites

        @ManagedAttribute("The included cipher suites")
        public java.lang.String[] getIncludeCipherSuites()
        Returns:
        The array of Cipher suite names to include in SSLEngine.setEnabledCipherSuites(String[])
      • setIncludeCipherSuites

        public void setIncludeCipherSuites​(java.lang.String... cipherSuites)
        You can either use the exact Cipher suite name or a a regular expression.
        Parameters:
        cipherSuites - The array of cipher suite names to include in SSLEngine.setEnabledCipherSuites(String[])
      • isUseCipherSuitesOrder

        @ManagedAttribute("Whether to respect the cipher suites order")
        public boolean isUseCipherSuitesOrder()
      • setUseCipherSuitesOrder

        public void setUseCipherSuitesOrder​(boolean useCipherSuitesOrder)
      • getKeyStorePath

        @ManagedAttribute("The keyStore path")
        public java.lang.String getKeyStorePath()
        Returns:
        The file or URL of the SSL Key store.
      • setKeyStorePath

        public void setKeyStorePath​(java.lang.String keyStorePath)
        Parameters:
        keyStorePath - The file or URL of the SSL Key store.
      • getKeyStoreProvider

        @ManagedAttribute("The keyStore provider name")
        public java.lang.String getKeyStoreProvider()
        Returns:
        The provider of the key store
      • setKeyStoreProvider

        public void setKeyStoreProvider​(java.lang.String keyStoreProvider)
        Parameters:
        keyStoreProvider - The provider of the key store
      • getKeyStoreType

        @ManagedAttribute("The keyStore type")
        public java.lang.String getKeyStoreType()
        Returns:
        The type of the key store (default "JKS")
      • setKeyStoreType

        public void setKeyStoreType​(java.lang.String keyStoreType)
        Parameters:
        keyStoreType - The type of the key store (default "JKS")
      • getCertAlias

        @ManagedAttribute("The certificate alias")
        public java.lang.String getCertAlias()
        Returns:
        Alias of SSL certificate for the connector
      • setCertAlias

        public void setCertAlias​(java.lang.String certAlias)
        Set the default certificate Alias.

        This can be used if there are multiple non-SNI certificates to specify the certificate that should be used, or with SNI certificates to set a certificate to try if no others match

        Parameters:
        certAlias - Alias of SSL certificate for the connector
      • getTrustStorePath

        @ManagedAttribute("The trustStore path")
        public java.lang.String getTrustStorePath()
      • setTrustStorePath

        public void setTrustStorePath​(java.lang.String trustStorePath)
        Parameters:
        trustStorePath - The file name or URL of the trust store location
      • getTrustStoreProvider

        @ManagedAttribute("The trustStore provider name")
        public java.lang.String getTrustStoreProvider()
        Returns:
        The provider of the trust store
      • setTrustStoreProvider

        public void setTrustStoreProvider​(java.lang.String trustStoreProvider)
        Parameters:
        trustStoreProvider - The provider of the trust store
      • getTrustStoreType

        @ManagedAttribute("The trustStore type")
        public java.lang.String getTrustStoreType()
        Returns:
        The type of the trust store
      • setTrustStoreType

        public void setTrustStoreType​(java.lang.String trustStoreType)
        Parameters:
        trustStoreType - The type of the trust store
      • setNeedClientAuth

        @Deprecated
        public void setNeedClientAuth​(boolean needClientAuth)
        Parameters:
        needClientAuth - True if SSL needs client authentication.
        See Also:
        SSLEngine.getNeedClientAuth()
      • setWantClientAuth

        @Deprecated
        public void setWantClientAuth​(boolean wantClientAuth)
        Parameters:
        wantClientAuth - True if SSL wants client authentication.
        See Also:
        SSLEngine.getWantClientAuth()
      • isValidateCerts

        @ManagedAttribute("Whether certificates are validated")
        public boolean isValidateCerts()
        Returns:
        true if SSL certificate has to be validated
      • setValidateCerts

        public void setValidateCerts​(boolean validateCerts)
        Parameters:
        validateCerts - true if SSL certificates have to be validated
      • isValidatePeerCerts

        @ManagedAttribute("Whether peer certificates are validated")
        public boolean isValidatePeerCerts()
        Returns:
        true if SSL certificates of the peer have to be validated
      • setValidatePeerCerts

        public void setValidatePeerCerts​(boolean validatePeerCerts)
        Parameters:
        validatePeerCerts - true if SSL certificates of the peer have to be validated
      • setKeyStorePassword

        public void setKeyStorePassword​(java.lang.String password)
        Parameters:
        password - The password for the key store. If null is passed and a keystore is set, then the getPassword(String) is used to obtain a password either from the "org.eclipse.jetty.ssl.password" system property or by prompting for manual entry.
      • setTrustStorePassword

        public void setTrustStorePassword​(java.lang.String password)
        Parameters:
        password - The password for the truststore. If null is passed and a truststore is set that is different from the keystore, then the getPassword(String) is used to obtain a password either from the "org.eclipse.jetty.ssl.password" system property or by prompting for manual entry.
      • getProvider

        @ManagedAttribute("The provider name")
        public java.lang.String getProvider()

        Get the optional Security Provider name.

        Security Provider name used with:

        • SecureRandom.getInstance(String, String)
        • SSLContext.getInstance(String, String)
        • TrustManagerFactory.getInstance(String, String)
        • KeyManagerFactory.getInstance(String, String)
        • CertStore.getInstance(String, CertStoreParameters, String)
        • CertificateFactory.getInstance(String, String)
        Returns:
        The optional Security Provider name.
      • setProvider

        public void setProvider​(java.lang.String provider)

        Set the optional Security Provider name.

        Security Provider name used with:

        • SecureRandom.getInstance(String, String)
        • SSLContext.getInstance(String, String)
        • TrustManagerFactory.getInstance(String, String)
        • KeyManagerFactory.getInstance(String, String)
        • CertStore.getInstance(String, CertStoreParameters, String)
        • CertificateFactory.getInstance(String, String)
        Parameters:
        provider - The optional Security Provider name.
      • getProtocol

        @ManagedAttribute("The TLS protocol")
        public java.lang.String getProtocol()
        Returns:
        The SSL protocol (default "TLS") passed to SSLContext.getInstance(String, String)
      • setProtocol

        public void setProtocol​(java.lang.String protocol)
        Parameters:
        protocol - The SSL protocol (default "TLS") passed to SSLContext.getInstance(String, String)
      • getSecureRandomAlgorithm

        @ManagedAttribute("The SecureRandom algorithm")
        public java.lang.String getSecureRandomAlgorithm()
        Returns:
        The algorithm name, which if set is passed to SecureRandom.getInstance(String) to obtain the SecureRandom instance passed to SSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)
      • setSecureRandomAlgorithm

        public void setSecureRandomAlgorithm​(java.lang.String algorithm)
        Parameters:
        algorithm - The algorithm name, which if set is passed to SecureRandom.getInstance(String) to obtain the SecureRandom instance passed to SSLContext.init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)
      • getKeyManagerFactoryAlgorithm

        @ManagedAttribute("The KeyManagerFactory algorithm")
        public java.lang.String getKeyManagerFactoryAlgorithm()
        Returns:
        The algorithm name (default "SunX509") used by the KeyManagerFactory
      • setKeyManagerFactoryAlgorithm

        public void setKeyManagerFactoryAlgorithm​(java.lang.String algorithm)
        Parameters:
        algorithm - The algorithm name (default "SunX509") used by the KeyManagerFactory
      • getTrustManagerFactoryAlgorithm

        @ManagedAttribute("The TrustManagerFactory algorithm")
        public java.lang.String getTrustManagerFactoryAlgorithm()
        Returns:
        The algorithm name (default "SunX509") used by the TrustManagerFactory
      • isTrustAll

        @ManagedAttribute("Whether certificates should be trusted even if they are invalid")
        public boolean isTrustAll()
        Returns:
        True if all certificates should be trusted if there is no KeyStore or TrustStore
      • setTrustAll

        public void setTrustAll​(boolean trustAll)
        Parameters:
        trustAll - True if all certificates should be trusted if there is no KeyStore or TrustStore
      • setTrustManagerFactoryAlgorithm

        public void setTrustManagerFactoryAlgorithm​(java.lang.String algorithm)
        Parameters:
        algorithm - The algorithm name (default "SunX509") used by the TrustManagerFactory Use the string "TrustAll" to install a trust manager that trusts all.
      • isRenegotiationAllowed

        @ManagedAttribute("Whether renegotiation is allowed")
        public boolean isRenegotiationAllowed()
        Returns:
        whether TLS renegotiation is allowed (true by default)
      • setRenegotiationAllowed

        public void setRenegotiationAllowed​(boolean renegotiationAllowed)
        Parameters:
        renegotiationAllowed - whether TLS renegotiation is allowed
      • getRenegotiationLimit

        @ManagedAttribute("The max number of renegotiations allowed")
        public int getRenegotiationLimit()
        Returns:
        The number of renegotiations allowed for this connection. When the limit is 0 renegotiation will be denied. If the limit is less than 0 then no limit is applied.
      • setRenegotiationLimit

        public void setRenegotiationLimit​(int renegotiationLimit)
        Parameters:
        renegotiationLimit - The number of renegotions allowed for this connection. When the limit is 0 renegotiation will be denied. If the limit is less than 0 then no limit is applied. Default 5.
      • getCrlPath

        @ManagedAttribute("The path to the certificate revocation list file")
        public java.lang.String getCrlPath()
        Returns:
        Path to file that contains Certificate Revocation List
      • setCrlPath

        public void setCrlPath​(java.lang.String crlPath)
        Parameters:
        crlPath - Path to file that contains Certificate Revocation List
      • getMaxCertPathLength

        @ManagedAttribute("The maximum number of intermediate certificates")
        public int getMaxCertPathLength()
        Returns:
        Maximum number of intermediate certificates in the certification path (-1 for unlimited)
      • setMaxCertPathLength

        public void setMaxCertPathLength​(int maxCertPathLength)
        Parameters:
        maxCertPathLength - maximum number of intermediate certificates in the certification path (-1 for unlimited)
      • getSslContext

        public javax.net.ssl.SSLContext getSslContext()
        Returns:
        The SSLContext
      • setSslContext

        public void setSslContext​(javax.net.ssl.SSLContext sslContext)
        Parameters:
        sslContext - Set a preconfigured SSLContext
      • getEndpointIdentificationAlgorithm

        @ManagedAttribute("The endpoint identification algorithm")
        public java.lang.String getEndpointIdentificationAlgorithm()
        Returns:
        the endpoint identification algorithm
      • setEndpointIdentificationAlgorithm

        public void setEndpointIdentificationAlgorithm​(java.lang.String endpointIdentificationAlgorithm)
        When set to "HTTPS" hostname verification will be enabled. Deployments can be vulnerable to a man-in-the-middle attack if a EndpointIndentificationAlgorithm is not set.
        Parameters:
        endpointIdentificationAlgorithm - Set the endpointIdentificationAlgorithm
        See Also:
        setHostnameVerifier(HostnameVerifier)
      • getPkixCertPathChecker

        public java.security.cert.PKIXCertPathChecker getPkixCertPathChecker()
      • setPkixCertPathChecker

        public void setPkixCertPathChecker​(java.security.cert.PKIXCertPathChecker pkixCertPatchChecker)
      • loadKeyStore

        protected java.security.KeyStore loadKeyStore​(Resource resource)
                                               throws java.lang.Exception
        Override this method to provide alternate way to load a keystore.
        Parameters:
        resource - the resource to load the keystore from
        Returns:
        the key store instance
        Throws:
        java.lang.Exception - if the keystore cannot be loaded
      • loadTrustStore

        protected java.security.KeyStore loadTrustStore​(Resource resource)
                                                 throws java.lang.Exception
        Override this method to provide alternate way to load a truststore.
        Parameters:
        resource - the resource to load the truststore from
        Returns:
        the key store instance
        Throws:
        java.lang.Exception - if the truststore cannot be loaded
      • loadCRL

        protected java.util.Collection<? extends java.security.cert.CRL> loadCRL​(java.lang.String crlPath)
                                                                          throws java.lang.Exception
        Loads certificate revocation list (CRL) from a file.

        Required for integrations to be able to override the mechanism used to load CRL in order to provide their own implementation.

        Parameters:
        crlPath - path of certificate revocation list file
        Returns:
        Collection of CRL's
        Throws:
        java.lang.Exception - if the certificate revocation list cannot be loaded
      • getKeyManagers

        protected javax.net.ssl.KeyManager[] getKeyManagers​(java.security.KeyStore keyStore)
                                                     throws java.lang.Exception
        Throws:
        java.lang.Exception
      • getTrustManagers

        protected javax.net.ssl.TrustManager[] getTrustManagers​(java.security.KeyStore trustStore,
                                                                java.util.Collection<? extends java.security.cert.CRL> crls)
                                                         throws java.lang.Exception
        Throws:
        java.lang.Exception
      • newPKIXBuilderParameters

        protected java.security.cert.PKIXBuilderParameters newPKIXBuilderParameters​(java.security.KeyStore trustStore,
                                                                                    java.util.Collection<? extends java.security.cert.CRL> crls)
                                                                             throws java.lang.Exception
        Throws:
        java.lang.Exception
      • selectProtocols

        public void selectProtocols​(java.lang.String[] enabledProtocols,
                                    java.lang.String[] supportedProtocols)
        Select protocols to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported protocols.
        Parameters:
        enabledProtocols - Array of enabled protocols
        supportedProtocols - Array of supported protocols
      • selectCipherSuites

        protected void selectCipherSuites​(java.lang.String[] enabledCipherSuites,
                                          java.lang.String[] supportedCipherSuites)
        Select cipher suites to be used by the connector based on configured inclusion and exclusion lists as well as enabled and supported cipher suite lists.
        Parameters:
        enabledCipherSuites - Array of enabled cipher suites
        supportedCipherSuites - Array of supported cipher suites
      • processIncludeCipherSuites

        @Deprecated
        protected void processIncludeCipherSuites​(java.lang.String[] supportedCipherSuites,
                                                  java.util.List<java.lang.String> selectedCiphers)
        Deprecated.
        no replacement
      • removeExcludedCipherSuites

        @Deprecated
        protected void removeExcludedCipherSuites​(java.util.List<java.lang.String> selectedCiphers)
        Deprecated.
        no replacement
      • isEnableCRLDP

        @ManagedAttribute("Whether certificate revocation list distribution points is enabled")
        public boolean isEnableCRLDP()
        Returns:
        true if CRL Distribution Points support is enabled
      • setEnableCRLDP

        public void setEnableCRLDP​(boolean enableCRLDP)
        Enables CRL Distribution Points Support
        Parameters:
        enableCRLDP - true - turn on, false - turns off
      • isEnableOCSP

        @ManagedAttribute("Whether online certificate status protocol support is enabled")
        public boolean isEnableOCSP()
        Returns:
        true if On-Line Certificate Status Protocol support is enabled
      • setEnableOCSP

        public void setEnableOCSP​(boolean enableOCSP)
        Enables On-Line Certificate Status Protocol support
        Parameters:
        enableOCSP - true - turn on, false - turn off
      • getOcspResponderURL

        @ManagedAttribute("The online certificate status protocol URL")
        public java.lang.String getOcspResponderURL()
        Returns:
        Location of the OCSP Responder
      • setOcspResponderURL

        public void setOcspResponderURL​(java.lang.String ocspResponderURL)
        Set the location of the OCSP Responder.
        Parameters:
        ocspResponderURL - location of the OCSP Responder
      • setKeyStore

        public void setKeyStore​(java.security.KeyStore keyStore)
        Set the key store.
        Parameters:
        keyStore - the key store to set
      • getKeyStore

        public java.security.KeyStore getKeyStore()
      • setTrustStore

        public void setTrustStore​(java.security.KeyStore trustStore)
        Set the trust store.
        Parameters:
        trustStore - the trust store to set
      • getTrustStore

        public java.security.KeyStore getTrustStore()
      • setKeyStoreResource

        public void setKeyStoreResource​(Resource resource)
        Set the key store resource.
        Parameters:
        resource - the key store resource to set
      • getKeyStoreResource

        public Resource getKeyStoreResource()
      • setTrustStoreResource

        public void setTrustStoreResource​(Resource resource)
        Set the trust store resource.
        Parameters:
        resource - the trust store resource to set
      • getTrustStoreResource

        public Resource getTrustStoreResource()
      • isSessionCachingEnabled

        @ManagedAttribute("Whether TLS session caching is enabled")
        public boolean isSessionCachingEnabled()
        Returns:
        true if SSL Session caching is enabled
      • setSessionCachingEnabled

        public void setSessionCachingEnabled​(boolean enableSessionCaching)
        Set the flag to enable SSL Session caching. If set to true, then the SSLContext.createSSLEngine(String, int) method is used to pass host and port information as a hint for session reuse. Note that this is only a hint and session may not be reused. Moreover, the hint is typically only used on client side implementations and setting this to false does not stop a server from accepting an offered session ID to reuse.
        Parameters:
        enableSessionCaching - the value of the flag
      • getSslSessionCacheSize

        @ManagedAttribute("The maximum TLS session cache size")
        public int getSslSessionCacheSize()
        Get SSL session cache size. Passed directly to SSLSessionContext.setSessionCacheSize(int)
        Returns:
        SSL session cache size
      • setSslSessionCacheSize

        public void setSslSessionCacheSize​(int sslSessionCacheSize)
        Set SSL session cache size.

        Set the max cache size to be set on SSLSessionContext.setSessionCacheSize(int) when this factory is started.

        Parameters:
        sslSessionCacheSize - SSL session cache size to set. A value of -1 (default) uses the JVM default, 0 means unlimited and positive number is a max size.
      • getSslSessionTimeout

        @ManagedAttribute("The TLS session cache timeout, in seconds")
        public int getSslSessionTimeout()
        Get SSL session timeout.
        Returns:
        SSL session timeout
      • setSslSessionTimeout

        public void setSslSessionTimeout​(int sslSessionTimeout)
        Set SSL session timeout.

        Set the timeout in seconds to be set on SSLSessionContext.setSessionTimeout(int) when this factory is started.

        Parameters:
        sslSessionTimeout - SSL session timeout to set in seconds. A value of -1 (default) uses the JVM default, 0 means unlimited and positive number is a timeout in seconds.
      • getHostnameVerifier

        public javax.net.ssl.HostnameVerifier getHostnameVerifier()
        Returns:
        the HostnameVerifier used by a client to verify host names in the server certificate
      • setHostnameVerifier

        public void setHostnameVerifier​(javax.net.ssl.HostnameVerifier hostnameVerifier)

        Sets a HostnameVerifier used by a client to verify host names in the server certificate.

        The HostnameVerifier works in conjunction with setEndpointIdentificationAlgorithm(String).

        When endpointIdentificationAlgorithm=="HTTPS" (the default) the JDK TLS implementation checks that the host name indication set by the client matches the host names in the server certificate. If this check passes successfully, the HostnameVerifier is invoked and the application can perform additional checks and allow/deny the connection to the server.

        When endpointIdentificationAlgorithm==null the JDK TLS implementation will not check the host names, and any check is therefore performed only by the HostnameVerifier.

        Parameters:
        hostnameVerifier - the HostnameVerifier used by a client to verify host names in the server certificate
      • getPassword

        protected Password getPassword​(java.lang.String realm)
        Returns the password object for the given realm.
        Parameters:
        realm - the realm
        Returns:
        the Password object
      • newPassword

        public Password newPassword​(java.lang.String password)
        Creates a new Password object.
        Parameters:
        password - the password string
        Returns:
        the new Password object
      • newSslServerSocket

        public javax.net.ssl.SSLServerSocket newSslServerSocket​(java.lang.String host,
                                                                int port,
                                                                int backlog)
                                                         throws java.io.IOException
        Throws:
        java.io.IOException
      • newSslSocket

        public javax.net.ssl.SSLSocket newSslSocket()
                                             throws java.io.IOException
        Throws:
        java.io.IOException
      • getCertificateFactoryInstance

        protected java.security.cert.CertificateFactory getCertificateFactoryInstance​(java.lang.String type)
                                                                               throws java.security.cert.CertificateException
        Throws:
        java.security.cert.CertificateException
      • getCertStoreInstance

        protected java.security.cert.CertStore getCertStoreInstance​(java.util.Collection<? extends java.security.cert.CRL> crls)
                                                             throws java.security.InvalidAlgorithmParameterException,
                                                                    java.security.NoSuchAlgorithmException
        Throws:
        java.security.InvalidAlgorithmParameterException
        java.security.NoSuchAlgorithmException
      • getKeyManagerFactoryInstance

        protected javax.net.ssl.KeyManagerFactory getKeyManagerFactoryInstance()
                                                                        throws java.security.NoSuchAlgorithmException
        Throws:
        java.security.NoSuchAlgorithmException
      • getSecureRandomInstance

        protected java.security.SecureRandom getSecureRandomInstance()
                                                              throws java.security.NoSuchAlgorithmException
        Throws:
        java.security.NoSuchAlgorithmException
      • getSSLContextInstance

        protected javax.net.ssl.SSLContext getSSLContextInstance()
                                                          throws java.security.NoSuchAlgorithmException
        Throws:
        java.security.NoSuchAlgorithmException
      • getTrustManagerFactoryInstance

        protected javax.net.ssl.TrustManagerFactory getTrustManagerFactoryInstance()
                                                                            throws java.security.NoSuchAlgorithmException
        Throws:
        java.security.NoSuchAlgorithmException
      • newSSLEngine

        public javax.net.ssl.SSLEngine newSSLEngine()
        Factory method for "scratch" SSLEngines, usually only used for retrieving configuration information such as the application buffer size or the list of protocols/ciphers.

        This method should not be used for creating SSLEngines that are used in actual socket communication.

        Returns:
        a new, "scratch" SSLEngine
      • newSSLEngine

        public javax.net.ssl.SSLEngine newSSLEngine​(java.lang.String host,
                                                    int port)
        General purpose factory method for creating SSLEngines, although creation of SSLEngines on the server-side should prefer newSSLEngine(InetSocketAddress).
        Parameters:
        host - the remote host
        port - the remote port
        Returns:
        a new SSLEngine
      • newSSLEngine

        public javax.net.ssl.SSLEngine newSSLEngine​(java.net.InetSocketAddress address)
        Server-side only factory method for creating SSLEngines.

        If the given address is null, it is equivalent to newSSLEngine(), otherwise newSSLEngine(String, int) is called.

        Clients that wish to create SSLEngine instances must use newSSLEngine(String, int).

        Parameters:
        address - the remote peer address
        Returns:
        a new SSLEngine
      • customize

        public void customize​(javax.net.ssl.SSLEngine sslEngine)
        Customize an SslEngine instance with the configuration of this factory, by calling customize(SSLParameters)
        Parameters:
        sslEngine - the SSLEngine to customize
      • customize

        public javax.net.ssl.SSLParameters customize​(javax.net.ssl.SSLParameters sslParams)
        Customize an SslParameters instance with the configuration of this factory.
        Parameters:
        sslParams - The parameters to customize
        Returns:
        The passed instance of sslParams (returned as a convenience)
      • reload

        public void reload​(java.util.function.Consumer<SslContextFactory> consumer)
                    throws java.lang.Exception
        Throws:
        java.lang.Exception
      • getX509CertChain

        public java.security.cert.X509Certificate[] getX509CertChain​(javax.net.ssl.SSLSession sslSession)
        Obtain the X509 Certificate Chain from the provided SSLSession using this SslContextFactory's optional Provider specific CertificateFactory.
        Parameters:
        sslSession - the session to use for active peer certificates
        Returns:
        the certificate chain
      • getCertChain

        public static java.security.cert.X509Certificate[] getCertChain​(javax.net.ssl.SSLSession sslSession)
        Obtain the X509 Certificate Chain from the provided SSLSession using the default CertificateFactory behaviors
        Parameters:
        sslSession - the session to use for active peer certificates
        Returns:
        the certificate chain
      • deduceKeyLength

        public static int deduceKeyLength​(java.lang.String cipherSuite)
        Given the name of a TLS/SSL cipher suite, return an int representing it effective stream cipher key strength. i.e. How much entropy material is in the key material being fed into the encryption routines.

        This is based on the information on effective key lengths in RFC 2246 - The TLS Protocol Version 1.0, Appendix C. CipherSuite definitions:

                                 Effective
             Cipher       Type    Key Bits
        
             NULL       * Stream     0
             IDEA_CBC     Block    128
             RC2_CBC_40 * Block     40
             RC4_40     * Stream    40
             RC4_128      Stream   128
             DES40_CBC  * Block     40
             DES_CBC      Block     56
             3DES_EDE_CBC Block    168
         
        Parameters:
        cipherSuite - String name of the TLS cipher suite.
        Returns:
        int indicating the effective key entropy bit-length.