/**
* Create a new SSL context, configured from an option map and the given parameters.
*
* @param keyManagers the key managers to use, or {@code null} to configure from the option map
* @param trustManagers the trust managers to use, or {@code null} to configure from the option
* map
* @param secureRandom the secure RNG to use, or {@code null} to choose a system default
* @param optionMap the SSL context options
* @return a new context
* @throws NoSuchProviderException if there is no matching provider
* @throws NoSuchAlgorithmException if there is no matching algorithm
* @throws KeyManagementException if the context initialization fails
*/
public static SSLContext createSSLContext(
KeyManager[] keyManagers,
TrustManager[] trustManagers,
SecureRandom secureRandom,
OptionMap optionMap)
throws NoSuchAlgorithmException, NoSuchProviderException, KeyManagementException {
final String provider = optionMap.get(Options.SSL_PROVIDER);
final String protocol = optionMap.get(Options.SSL_PROTOCOL);
final SSLContext sslContext;
if (protocol == null) {
// Default context is initialized automatically
return SSLContext.getDefault();
} else if (provider == null) {
sslContext = SSLContext.getInstance(protocol);
} else {
sslContext = SSLContext.getInstance(protocol, provider);
}
if (keyManagers == null) {
final Sequence<Class<? extends KeyManager>> keyManagerClasses =
optionMap.get(Options.SSL_JSSE_KEY_MANAGER_CLASSES);
if (keyManagerClasses != null) {
final int size = keyManagerClasses.size();
keyManagers = new KeyManager[size];
for (int i = 0; i < size; i++) {
keyManagers[i] = instantiate(keyManagerClasses.get(i));
}
}
}
if (trustManagers == null) {
final Sequence<Class<? extends TrustManager>> trustManagerClasses =
optionMap.get(Options.SSL_JSSE_TRUST_MANAGER_CLASSES);
if (trustManagerClasses != null) {
final int size = trustManagerClasses.size();
trustManagers = new TrustManager[size];
for (int i = 0; i < size; i++) {
trustManagers[i] = instantiate(trustManagerClasses.get(i));
}
}
}
sslContext.init(keyManagers, trustManagers, secureRandom);
sslContext
.getClientSessionContext()
.setSessionCacheSize(optionMap.get(Options.SSL_CLIENT_SESSION_CACHE_SIZE, 0));
sslContext
.getClientSessionContext()
.setSessionTimeout(optionMap.get(Options.SSL_CLIENT_SESSION_TIMEOUT, 0));
sslContext
.getServerSessionContext()
.setSessionCacheSize(optionMap.get(Options.SSL_SERVER_SESSION_CACHE_SIZE, 0));
sslContext
.getServerSessionContext()
.setSessionTimeout(optionMap.get(Options.SSL_SERVER_SESSION_TIMEOUT, 0));
return sslContext;
}
public void testSessionTimeout() throws Exception {
SSLContextParameters scp = new SSLContextParameters();
scp.setSessionTimeout("60");
SSLContext context = scp.createSSLContext();
assertEquals(60, context.getClientSessionContext().getSessionTimeout());
assertEquals(60, context.getServerSessionContext().getSessionTimeout());
scp.setSessionTimeout("0");
context = scp.createSSLContext();
assertEquals(0, context.getClientSessionContext().getSessionTimeout());
assertEquals(0, context.getServerSessionContext().getSessionTimeout());
}
@Override
protected void configureSSLContext(SSLContext context) throws GeneralSecurityException {
LOG.debug("Configuring server-side SSLContext parameters...");
if (this.getSessionTimeout() != null) {
LOG.debug("Configuring server-side SSLContext session timeout: " + this.getSessionTimeout());
this.configureSessionContext(context.getServerSessionContext(), this.getSessionTimeout());
}
LOG.debug("Configured server-side SSLContext parameters.");
}
private static void trustAllHttpsCertificates() throws Exception {
javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
javax.net.ssl.TrustManager tm = new TrustAllTrustManager();
trustAllCerts[0] = tm;
javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("SSL");
javax.net.ssl.SSLSessionContext sslsc = sc.getServerSessionContext();
sslsc.setSessionTimeout(0);
sc.init(null, trustAllCerts, null);
javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
}
/**
* Trust all certificates - must modify for production mode
*
* @throws Exception
*/
public static void trustAllHttpsCertificates() throws Exception {
// Create the TrustManager
javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
javax.net.ssl.TrustManager tm = new TrustAllManager();
trustAllCerts[0] = tm;
// Create the SSL context
javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("SSL");
// create the session context
javax.net.ssl.SSLSessionContext sslsc = sc.getServerSessionContext();
// Initialize the contexts; the session context takes the trust nanager
sslsc.setSessionTimeout(0);
sc.init(null, trustAllCerts, null);
// use the default socket factory to create teh socket for teh secure connection
javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
// set the default host name verifier to enable the connection
}
/** Reads the keystore and initializes the SSL socket factory. */
void init() throws IOException {
try {
String clientAuthStr = endpoint.getClientAuth();
if ("true".equalsIgnoreCase(clientAuthStr) || "yes".equalsIgnoreCase(clientAuthStr)) {
requireClientAuth = true;
} else if ("want".equalsIgnoreCase(clientAuthStr)) {
wantClientAuth = true;
}
SSLContext context = createSSLContext();
context.init(getKeyManagers(), getTrustManagers(), null);
// Configure SSL session cache
SSLSessionContext sessionContext = context.getServerSessionContext();
if (sessionContext != null) {
configureSessionContext(sessionContext);
}
// create proxy
sslProxy = context.getServerSocketFactory();
// Determine which cipher suites to enable
enabledCiphers = getEnableableCiphers(context);
enabledProtocols = getEnableableProtocols(context);
allowUnsafeLegacyRenegotiation = "true".equals(endpoint.getAllowUnsafeLegacyRenegotiation());
// Check the SSL config is OK
checkConfig();
} catch (Exception e) {
if (e instanceof IOException) throw (IOException) e;
throw new IOException(e.getMessage(), e);
}
}
public SSLContext newInstance() throws Exception {
KeyManagerFactory kmf = this.keyManagerFactory;
TrustManagerFactory tmf = this.trustManagerFactory;
if (kmf == null) {
String algorithm = keyManagerFactoryAlgorithm;
if (algorithm == null && keyManagerFactoryAlgorithmUseDefault) {
algorithm = KeyManagerFactory.getDefaultAlgorithm();
}
if (algorithm != null) {
if (keyManagerFactoryProvider == null) {
kmf = KeyManagerFactory.getInstance(algorithm);
} else {
kmf = KeyManagerFactory.getInstance(algorithm, keyManagerFactoryProvider);
}
}
}
if (tmf == null) {
String algorithm = trustManagerFactoryAlgorithm;
if (algorithm == null && trustManagerFactoryAlgorithmUseDefault) {
algorithm = TrustManagerFactory.getDefaultAlgorithm();
}
if (algorithm != null) {
if (trustManagerFactoryProvider == null) {
tmf = TrustManagerFactory.getInstance(algorithm);
} else {
tmf = TrustManagerFactory.getInstance(algorithm, trustManagerFactoryProvider);
}
}
}
KeyManager[] keyManagers = null;
if (kmf != null) {
kmf.init(keyManagerFactoryKeyStore, keyManagerFactoryKeyStorePassword);
keyManagers = kmf.getKeyManagers();
}
TrustManager[] trustManagers = null;
if (tmf != null) {
if (trustManagerFactoryParameters != null) {
tmf.init(trustManagerFactoryParameters);
} else {
tmf.init(trustManagerFactoryKeyStore);
}
trustManagers = tmf.getTrustManagers();
}
SSLContext context = null;
if (provider == null) {
context = SSLContext.getInstance(protocol);
} else {
context = SSLContext.getInstance(protocol, provider);
}
context.init(keyManagers, trustManagers, secureRandom);
if (clientSessionCacheSize >= 0) {
context.getClientSessionContext().setSessionCacheSize(clientSessionCacheSize);
}
if (clientSessionTimeout >= 0) {
context.getClientSessionContext().setSessionTimeout(clientSessionTimeout);
}
if (serverSessionCacheSize >= 0) {
context.getServerSessionContext().setSessionCacheSize(serverSessionCacheSize);
}
if (serverSessionTimeout >= 0) {
context.getServerSessionContext().setSessionTimeout(serverSessionTimeout);
}
return context;
}
public void testClientParameters() throws Exception {
SSLContext controlContext = SSLContext.getInstance("TLS");
controlContext.init(null, null, null);
SSLEngine controlEngine = controlContext.createSSLEngine();
SSLSocket controlSocket = (SSLSocket) controlContext.getSocketFactory().createSocket();
SSLServerSocket controlServerSocket =
(SSLServerSocket) controlContext.getServerSocketFactory().createServerSocket();
SSLContextParameters scp = new SSLContextParameters();
SSLContextClientParameters sccp = new SSLContextClientParameters();
scp.setClientParameters(sccp);
SSLContext context = scp.createSSLContext();
SSLEngine engine = context.createSSLEngine();
SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket();
SSLServerSocket serverSocket =
(SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertTrue(
Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
assertTrue(
Arrays.equals(controlSocket.getEnabledCipherSuites(), socket.getEnabledCipherSuites()));
assertTrue(
Arrays.equals(
this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
serverSocket.getEnabledCipherSuites()));
// No csp or filter on client params passes through shared config
scp.setCipherSuites(new CipherSuitesParameters());
context = scp.createSSLContext();
engine = context.createSSLEngine();
socket = (SSLSocket) context.getSocketFactory().createSocket();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertEquals(0, socket.getEnabledCipherSuites().length);
// Csp on client params
scp.setCipherSuites(null);
CipherSuitesParameters csp = new CipherSuitesParameters();
sccp.setCipherSuites(csp);
context = scp.createSSLContext();
engine = context.createSSLEngine();
socket = (SSLSocket) context.getSocketFactory().createSocket();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertTrue(
Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
assertEquals(0, socket.getEnabledCipherSuites().length);
assertTrue(
Arrays.equals(
this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
serverSocket.getEnabledCipherSuites()));
// Cipher suites filter on client params
FilterParameters filter = new FilterParameters();
filter.getExclude().add(".*");
sccp.setCipherSuites(null);
sccp.setCipherSuitesFilter(filter);
context = scp.createSSLContext();
engine = context.createSSLEngine();
socket = (SSLSocket) context.getSocketFactory().createSocket();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertTrue(
Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
assertEquals(0, socket.getEnabledCipherSuites().length);
assertTrue(
Arrays.equals(
this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
serverSocket.getEnabledCipherSuites()));
// Csp on client overrides cipher suites filter on client
filter.getInclude().add(".*");
filter.getExclude().clear();
sccp.setCipherSuites(csp);
context = scp.createSSLContext();
engine = context.createSSLEngine();
socket = (SSLSocket) context.getSocketFactory().createSocket();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertTrue(
Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
assertEquals(0, socket.getEnabledCipherSuites().length);
assertTrue(
Arrays.equals(
this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
serverSocket.getEnabledCipherSuites()));
// Sspp on client params
SecureSocketProtocolsParameters sspp = new SecureSocketProtocolsParameters();
sccp.setSecureSocketProtocols(sspp);
context = scp.createSSLContext();
engine = context.createSSLEngine();
socket = (SSLSocket) context.getSocketFactory().createSocket();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
assertEquals(0, socket.getEnabledProtocols().length);
checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());
// Secure socket protocols filter on client params
filter = new FilterParameters();
filter.getExclude().add(".*");
sccp.setSecureSocketProtocols(null);
sccp.setSecureSocketProtocolsFilter(filter);
engine = context.createSSLEngine();
socket = (SSLSocket) context.getSocketFactory().createSocket();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
assertEquals(0, socket.getEnabledProtocols().length);
checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());
// Sspp on client params overrides secure socket protocols filter on client
filter.getInclude().add(".*");
filter.getExclude().clear();
sccp.setSecureSocketProtocols(sspp);
context = scp.createSSLContext();
engine = context.createSSLEngine();
socket = (SSLSocket) context.getSocketFactory().createSocket();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
assertEquals(0, socket.getEnabledProtocols().length);
checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());
// Client session timeout only affects client session configuration
sccp.setSessionTimeout("12345");
context = scp.createSSLContext();
engine = context.createSSLEngine();
socket = (SSLSocket) context.getSocketFactory().createSocket();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertEquals(
controlContext.getServerSessionContext().getSessionTimeout(),
context.getServerSessionContext().getSessionTimeout());
assertEquals(12345, context.getClientSessionContext().getSessionTimeout());
}
