/**
   * Creates a new <code>TLSWrapper</code> instance.
   *
   * @param sslc
   * @param eventHandler
   * @param clientMode
   */
  public TLSWrapper(
      SSLContext sslc, TLSEventHandler eventHandler, String[] sslProtocols, boolean clientMode) {
    tlsEngine = sslc.createSSLEngine();
    tlsEngine.setUseClientMode(clientMode);

    if (tls_jdk_nss_workaround) {
      // Workaround for TLS/SSL bug in new JDK used with new version of
      // nss library see also:
      // http://stackoverflow.com/q/10687200/427545
      // http://bugs.sun.com/bugdatabase/view_bug.do;jsessionid=b509d9cb5d8164d90e6731f5fc44?bug_id=6928796
      tlsEngine.setEnabledCipherSuites(tls_workaround_ciphers);
    }

    if (sslProtocols != null) {
      tlsEngine.setEnabledProtocols(sslProtocols);
    }

    netBuffSize = tlsEngine.getSession().getPacketBufferSize();
    appBuffSize = tlsEngine.getSession().getApplicationBufferSize();
    this.eventHandler = eventHandler;

    if (!clientMode) {
      tlsEngine.setWantClientAuth(true);
    }
  }
Example #2
0
  protected SSLEngine createSSLEngine(String sniHostName, List<Cipher> clientRequestedCiphers) {
    SSLHostConfig sslHostConfig = getSSLHostConfig(sniHostName);

    SSLHostConfigCertificate certificate = selectCertificate(sslHostConfig, clientRequestedCiphers);

    SSLContextWrapper sslContextWrapper = certificate.getSslContextWrapper();
    if (sslContextWrapper == null) {
      throw new IllegalStateException(sm.getString("endpoint.jsse.noSslContext", sniHostName));
    }

    SSLEngine engine = sslContextWrapper.getSSLContext().createSSLEngine();
    switch (sslHostConfig.getCertificateVerification()) {
      case NONE:
        engine.setNeedClientAuth(false);
        engine.setWantClientAuth(false);
        break;
      case OPTIONAL:
      case OPTIONAL_NO_CA:
        engine.setWantClientAuth(true);
        break;
      case REQUIRED:
        engine.setNeedClientAuth(true);
        break;
    }
    engine.setUseClientMode(false);
    engine.setEnabledCipherSuites(sslContextWrapper.getEnabledCiphers());
    engine.setEnabledProtocols(sslContextWrapper.getEnabledProtocols());

    SSLParameters sslParameters = engine.getSSLParameters();
    sslParameters.setUseCipherSuitesOrder(sslHostConfig.getHonorCipherOrder());
    // In case the getter returns a defensive copy
    engine.setSSLParameters(sslParameters);

    return engine;
  }
Example #3
0
  /** Notify all the handshake futures about the failure during the handshake. */
  private void setHandshakeFailure(Throwable cause) {
    // Release all resources such as internal buffers that SSLEngine
    // is managing.
    engine.closeOutbound();

    try {
      engine.closeInbound();
    } catch (SSLException e) {
      // only log in debug mode as it most likely harmless and latest chrome still trigger
      // this all the time.
      //
      // See https://github.com/netty/netty/issues/1340
      String msg = e.getMessage();
      if (msg == null || !msg.contains("possible truncation attack")) {
        logger.debug("SSLEngine.closeInbound() raised an exception.", e);
      }
    }
    notifyHandshakeFailure(cause);
    for (; ; ) {
      PendingWrite write = pendingUnencryptedWrites.poll();
      if (write == null) {
        break;
      }
      write.failAndRecycle(cause);
    }
  }
 private void wrap(ByteBuffer data) throws IOException {
   SSLEngineResult result;
   do {
     result = engine.wrap(data, outToken);
     switch (result.getStatus()) {
       case BUFFER_UNDERFLOW:
         throw new RuntimeException();
       case BUFFER_OVERFLOW:
         ByteBuffer buffer =
             ByteBuffer.allocate(outToken.capacity() + engine.getSession().getPacketBufferSize());
         outToken.flip();
         buffer.put(outToken);
         outToken = buffer;
         break;
       case OK:
         if (result.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.FINISHED) {
           subject = createSubject();
         }
         break;
       case CLOSED:
         throw new EOFException();
     }
   } while (result.getStatus() != SSLEngineResult.Status.OK);
   if (data.hasRemaining()) {
     throw new RuntimeException("SSLEngine did not wrap all data.");
   }
 }
  public ChannelPipeline getPipeline() throws Exception {
    ChannelPipeline pipeline = pipeline();

    // Add SSL handler first to encrypt and decrypt everything.
    // In this example, we use a bogus certificate in the server side
    // and accept any invalid certificates in the client side.
    // You will need something more complicated to identify both
    // and server in the real world.
    //
    // Read SecureChatSslContextFactory
    // if you need client certificate authentication.

    SSLEngine engine = SecureChatSslContextFactory.getServerContext().createSSLEngine();
    engine.setUseClientMode(false);

    pipeline.addLast("ssl", new SslHandler(engine));

    // On top of the SSL handler, add the text line codec.
    pipeline.addLast("framer", new DelimiterBasedFrameDecoder(8192, Delimiters.lineDelimiter()));
    pipeline.addLast("decoder", new StringDecoder());
    pipeline.addLast("encoder", new StringEncoder());

    // and then business logic.
    pipeline.addLast("handler", new SecureChatServerHandler());

    return pipeline;
  }
  /**
   * Method description
   *
   * @param app
   * @param net
   * @throws SSLException
   */
  public void wrap(ByteBuffer app, ByteBuffer net) throws SSLException {
    tlsEngineResult = tlsEngine.wrap(app, net);

    if (log.isLoggable(Level.FINEST)) {
      log.log(
          Level.FINEST,
          "{0}, tlsEngineRsult.getStatus() = {1}, tlsEngineRsult.getHandshakeStatus() = {2}",
          new Object[] {
            debugId, tlsEngineResult.getStatus(), tlsEngineResult.getHandshakeStatus()
          });
    }

    if (tlsEngineResult.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.FINISHED) {
      if (eventHandler != null) {
        eventHandler.handshakeCompleted(this);
      }
    }

    if (tlsEngineResult.getHandshakeStatus() == HandshakeStatus.NEED_TASK) {
      doTasks();

      if (log.isLoggable(Level.FINEST)) {
        log.log(
            Level.FINEST,
            "doTasks(): {0}, {1}",
            new Object[] {tlsEngine.getHandshakeStatus(), debugId});
      }
    }
  }
Example #7
0
 public SSLSession getSSLSession() {
   SSLEngine e = connection.getSSLEngine();
   if (e == null) {
     return null;
   }
   return e.getSession();
 }
Example #8
0
  /*
   * Begin the shutdown process.
   * <P>
   * Close out the SSLEngine if not already done so, then
   * wrap our outgoing close_notify message and try to send it on.
   * <P>
   * Return true when we're done passing the shutdown messsages.
   */
  boolean shutdown() throws IOException {

    if (!shutdown) {
      sslEngine.closeOutbound();
      shutdown = true;
    }

    if (outNetBB.hasRemaining() && tryFlush(outNetBB)) {
      return false;
    }

    /*
     * By RFC 2616, we can "fire and forget" our close_notify
     * message, so that's what we'll do here.
     */
    outNetBB.clear();
    SSLEngineResult result = sslEngine.wrap(hsBB, outNetBB);
    if (result.getStatus() != Status.CLOSED) {
      throw new SSLException("Improper close state");
    }
    outNetBB.flip();

    /*
     * We won't wait for a select here, but if this doesn't work,
     * we'll cycle back through on the next select.
     */
    if (outNetBB.hasRemaining()) {
      tryFlush(outNetBB);
    }

    return (!outNetBB.hasRemaining() && (result.getHandshakeStatus() != HandshakeStatus.NEED_WRAP));
  }
Example #9
0
  /** Notify all the handshake futures about the failure during the handshake. */
  private void setHandshakeFailure(Throwable cause) {
    // Release all resources such as internal buffers that SSLEngine
    // is managing.
    engine.closeOutbound();
    try {
      engine.closeInbound();
    } catch (SSLException e) {
      if (logger.isDebugEnabled()) {
        logger.debug(
            "SSLEngine.closeInbound() raised an exception after " + "a handshake failure.", e);
      }
    }

    if (cause == null) {
      cause = new ClosedChannelException();
    }

    for (; ; ) {
      ChannelFuture f = handshakeFutures.poll();
      if (f == null) {
        break;
      }
      f.setFailure(cause);
    }

    flush0(ctx, 0, cause);
  }
Example #10
0
 /**
  * Wraps data with the specified engine.
  *
  * @param engine - SSLEngine that wraps data.
  * @param wrapper - Set wrapper id, e.g. "server" of "client". Used for logging only.
  * @param maxPacketSize - Max packet size to check that MFLN extension works or zero for no check.
  * @param app - Buffer with data to wrap.
  * @param wantedStatus - Specifies expected result status of wrapping.
  * @param result - Array which first element will be used to output wrap result object.
  * @return - Buffer with wrapped data.
  * @throws SSLException - thrown on engine errors.
  */
 public static ByteBuffer doWrap(
     SSLEngine engine,
     String wrapper,
     int maxPacketSize,
     ByteBuffer app,
     SSLEngineResult.Status wantedStatus,
     SSLEngineResult[] result)
     throws SSLException {
   ByteBuffer net = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
   SSLEngineResult r = engine.wrap(app, net);
   net.flip();
   int length = net.remaining();
   System.out.println(wrapper + " wrapped " + length + " bytes.");
   System.out.println(wrapper + " handshake status is " + engine.getHandshakeStatus());
   if (maxPacketSize < length && maxPacketSize != 0) {
     throw new AssertionError(
         "Handshake wrapped net buffer length "
             + length
             + " exceeds maximum packet size "
             + maxPacketSize);
   }
   checkResult(r, wantedStatus);
   if (result != null && result.length > 0) {
     result[0] = r;
   }
   return net;
 }
  public ChannelPipeline getPipeline() throws Exception {
    log.debug("Creating client channel pipeline");

    ChannelPipeline pipeline = Channels.pipeline();

    SSLEngine engine = sslContext.createSSLEngine();
    engine.setUseClientMode(true);

    SslHandler sslHandler = new SslHandler(engine);
    sslHandler.setCloseOnSSLException(true);
    pipeline.addLast("ssl", sslHandler);

    pipeline.addLast("chunker", new ChunkedWriteHandler());

    pipeline.addLast(
        "framer",
        new DelimiterBasedFrameDecoder(protocol.maxHeaderLength(), protocol.headerDelimiter()));
    pipeline.addLast("stringDecoder", new StringDecoder(protocol.headerCharset()));
    pipeline.addLast("stringEncoder", new StringEncoder(protocol.headerCharset()));

    HeaderCodec headerCodec = new HeaderCodec(protocol);
    pipeline.addLast("headerDecoder", headerCodec.decoder());
    pipeline.addLast("headerEncoder", headerCodec.encoder());

    pipeline.addLast("client", new ClientHandler(store));

    return pipeline;
  }
Example #12
0
  @Override
  public void channelDisconnected(ChannelHandlerContext ctx, ChannelStateEvent e) throws Exception {

    // Make sure the handshake future is notified when a connection has
    // been closed during handshake.
    synchronized (handshakeLock) {
      if (handshaking) {
        handshakeFuture.setFailure(new ClosedChannelException());
      }
    }

    try {
      super.channelDisconnected(ctx, e);
    } finally {
      unwrap(ctx, e.getChannel(), ChannelBuffers.EMPTY_BUFFER, 0, 0);
      engine.closeOutbound();
      if (!sentCloseNotify.get() && handshaken) {
        try {
          engine.closeInbound();
        } catch (SSLException ex) {
          logger.debug("Failed to clean up SSLEngine.", ex);
        }
      }
    }
  }
Example #13
0
  protected boolean handleSSLHandshake2() throws IOException {
    // We need to make sure the handshake process finished as a whole
    //		boolean proceed = false;
    SSLEngineResult engineResult = null;
    isHanshakeDone = false;
    while (true) {
      switch (engine.getHandshakeStatus()) {
        case NOT_HANDSHAKING:
        case FINISHED:
          isHanshakeDone = true;
          return true;
        case NEED_TASK:
          Executor exec = Executors.newSingleThreadExecutor();
          Runnable task;
          while ((task = engine.getDelegatedTask()) != null) {
            exec.execute(task);
          }
          continue;
        case NEED_WRAP:
          // We need to call a wrap on the engine
          appSendBuffer.flip();
          engineResult = engine.wrap(appSendBuffer, netSendBuffer);
          appSendBuffer.compact();
          if (engineResult.getStatus() == Status.BUFFER_OVERFLOW
              || engineResult.getStatus()
                  == Status
                      .OK) { // The enigne sys we need to flush the current buffer into the network
            // So just set the selector to the write mode
            channel.register(selector, SelectionKey.OP_WRITE);
            selector.wakeup();
            // System.out.println("Handshake wants to do a write ");
            return false;
          } else if (engineResult.getStatus() == Status.CLOSED) {
            throw new IOException("Connection closed");
          } else {
            continue;
          }

        case NEED_UNWRAP:
          // We need to call unwarap method of the engine
          netRecvBuffer.flip();
          engineResult = engine.unwrap(netRecvBuffer, appRecvBuffer);
          netRecvBuffer.compact();
          // System.out.println(engine.isInboundDone());
          if (engineResult.getStatus() == Status.BUFFER_UNDERFLOW) {
            if (!engine.isInboundDone()) {
              channel.register(selector, SelectionKey.OP_READ);
              selector.wakeup();
              // System.out.println("Handshake wants to do a read ");
              return false;
            } else continue;
          } else if (engineResult.getStatus() == Status.CLOSED) {
            throw new IOException("Connection closed");
          } else {
            continue;
          }
      }
    }
  }
Example #14
0
 /** {@inheritDoc} */
 @Override
 public Collection<String> getEnabledSSLProtocols() {
   final SSLEngine engine = sslEngine;
   if (engine != null) {
     return Arrays.asList(engine.getEnabledProtocols());
   }
   return super.getEnabledSSLProtocols();
 }
Example #15
0
  public Channel createChannel(SocketChannel sc, SelectorThread st, ChannelListener l)
      throws IOException, SSLException {
    log.info("Creating SecureChannel. Client mode: " + clientMode);
    SSLEngine engine = sslContext.createSSLEngine();
    engine.setUseClientMode(clientMode);
    engine.setNeedClientAuth(true);

    return new SSLChannel(st, sc, l, engine);
  }
Example #16
0
  /**
   * Perform tasks, if any, during the handshake phase
   *
   * @return The handshake status ( {@link javax.net.ssl.SSLEngineResult.HandshakeStatus})
   */
  private SSLEngineResult.HandshakeStatus tasks() {
    Runnable task = null;
    while ((task = sslEngine.getDelegatedTask()) != null) {
      // Run the task in blocking mode
      task.run();
    }

    return sslEngine.getHandshakeStatus();
  }
Example #17
0
 void close(boolean properly) {
   _engine.closeOutbound();
   try {
     if (properly) {
       wrap(null); // sends a TLS close_notify alert
     }
     _engine.closeInbound();
   } catch (SSLException ignore) {
   }
 }
Example #18
0
 public SSLHandler(SSLEngine engine, SocketChannel channle, Selector selector)
     throws SSLException {
   this.engine = engine;
   this.channel = channle;
   this.selector = selector;
   this.appSendBuffer = ByteBuffer.allocate(engine.getSession().getApplicationBufferSize());
   this.netSendBuffer = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
   this.appRecvBuffer = ByteBuffer.allocate(engine.getSession().getApplicationBufferSize());
   this.netRecvBuffer = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
   engine.beginHandshake();
 }
Example #19
0
 private static void runDelegatedTasks(SSLEngine engine) {
   Runnable runnable;
   System.out.println("Running delegated tasks...");
   while ((runnable = engine.getDelegatedTask()) != null) {
     runnable.run();
   }
   HandshakeStatus hs = engine.getHandshakeStatus();
   if (hs == HandshakeStatus.NEED_TASK) {
     throw new Error("Handshake shouldn't need additional tasks.");
   }
 }
 @Override
 protected Connection newConnection(SelectableChannel channel, EndPoint endpoint) {
   SSLEngine engine = __sslCtxFactory.newSSLEngine();
   engine.setUseClientMode(false);
   SslConnection sslConnection =
       new SslConnection(__byteBufferPool, _threadPool, endpoint, engine);
   sslConnection.setRenegotiationAllowed(__sslCtxFactory.isRenegotiationAllowed());
   Connection appConnection = super.newConnection(channel, sslConnection.getDecryptedEndPoint());
   sslConnection.getDecryptedEndPoint().setConnection(appConnection);
   return sslConnection;
 }
Example #21
0
 @Override
 public void initChannel(SocketChannel ch) throws Exception {
   ChannelPipeline pipeline = ch.pipeline();
   SSLContext sslContext = Utils.createSSLContext();
   SSLEngine engine = sslContext.createSSLEngine();
   engine.setUseClientMode(true);
   pipeline.addLast("ssl", new SslHandler(engine));
   pipeline.addLast("framer", new LineBasedFrameDecoder(1000 * 1000 * 10, true, false));
   pipeline.addLast("decoder", new StringDecoder(CharsetUtil.UTF_8));
   pipeline.addLast("encoder", new StringEncoder(CharsetUtil.UTF_8));
   pipeline.addLast("handler", connection);
 }
 protected void decode(ChannelHandlerContext context, ByteBuf buffer) throws Exception {
   ChannelPipeline pipeline = context.pipeline();
   if (detectSsl && SslHandler.isEncrypted(buffer)) {
     SSLEngine engine = SSL_SERVER_CONTEXT.getValue().createSSLEngine();
     engine.setUseClientMode(false);
     pipeline.addLast(
         new SslHandler(engine),
         new ChunkedWriteHandler(),
         new PortUnificationServerHandler(delegatingHttpRequestHandler, false, detectGzip));
   } else {
     int magic1 = buffer.getUnsignedByte(buffer.readerIndex());
     int magic2 = buffer.getUnsignedByte(buffer.readerIndex() + 1);
     if (detectGzip && magic1 == 31 && magic2 == 139) {
       pipeline.addLast(
           new JZlibEncoder(ZlibWrapper.GZIP),
           new JdkZlibDecoder(ZlibWrapper.GZIP),
           new PortUnificationServerHandler(delegatingHttpRequestHandler, detectSsl, false));
     } else if (isHttp(magic1, magic2)) {
       NettyUtil.initHttpHandlers(pipeline);
       pipeline.addLast(delegatingHttpRequestHandler);
       if (BuiltInServer.LOG.isDebugEnabled()) {
         pipeline.addLast(
             new ChannelOutboundHandlerAdapter() {
               @Override
               public void write(
                   ChannelHandlerContext context, Object message, ChannelPromise promise)
                   throws Exception {
                 if (message instanceof HttpResponse) {
                   //                BuiltInServer.LOG.debug("OUT HTTP:\n" + message);
                   HttpResponse response = (HttpResponse) message;
                   BuiltInServer.LOG.debug(
                       "OUT HTTP: "
                           + response.getStatus().code()
                           + " "
                           + response.headers().get("Content-type"));
                 }
                 super.write(context, message, promise);
               }
             });
       }
     } else if (magic1 == 'C' && magic2 == 'H') {
       buffer.skipBytes(2);
       pipeline.addLast(new CustomHandlerDelegator());
     } else {
       BuiltInServer.LOG.warn("unknown request, first two bytes " + magic1 + " " + magic2);
       context.close();
     }
   }
   // must be after new channels handlers addition (netty bug?)
   ensureThatExceptionHandlerIsLast(pipeline);
   pipeline.remove(this);
   context.fireChannelRead(buffer);
 }
Example #23
0
  /*
   * Read the channel for more information, then unwrap the
   * (hopefully application) data we get.
   * <P>
   * If we run out of data, we'll return to our caller (possibly using
   * a Selector) to get notification that more is available.
   * <P>
   * Each call to this method will perform at most one underlying read().
   */
  int read() throws IOException {
    SSLEngineResult result;

    if (!initialHSComplete) {
      throw new IllegalStateException();
    }

    int pos = requestBB.position();

    if (sc.read(inNetBB) == -1) {
      sslEngine.closeInbound(); // probably throws exception
      return -1;
    }

    do {
      resizeRequestBB(); // expected room for unwrap
      inNetBB.flip();
      result = sslEngine.unwrap(inNetBB, requestBB);
      inNetBB.compact();

      /*
       * Could check here for a renegotation, but we're only
       * doing a simple read/write, and won't have enough state
       * transitions to do a complete handshake, so ignore that
       * possibility.
       */
      switch (result.getStatus()) {
        case BUFFER_OVERFLOW:
          // Reset the application buffer size.
          appBBSize = sslEngine.getSession().getApplicationBufferSize();
          break;

        case BUFFER_UNDERFLOW:
          // Resize buffer if needed.
          netBBSize = sslEngine.getSession().getPacketBufferSize();
          if (netBBSize > inNetBB.capacity()) {
            resizeResponseBB();

            break; // break, next read will support larger buffer.
          }
        case OK:
          if (result.getHandshakeStatus() == HandshakeStatus.NEED_TASK) {
            doTasks();
          }
          break;

        default:
          throw new IOException("sslEngine error during data read: " + result.getStatus());
      }
    } while ((inNetBB.position() != 0) && result.getStatus() != Status.BUFFER_UNDERFLOW);

    return (requestBB.position() - pos);
  }
 /** {@inheritDoc} */
 @Override
 public <T> T getOption(final Option<T> option) throws IOException {
   if (option == Options.SSL_CLIENT_AUTH_MODE) {
     return option.cast(
         engine.getNeedClientAuth()
             ? SslClientAuthMode.REQUIRED
             : engine.getWantClientAuth()
                 ? SslClientAuthMode.REQUESTED
                 : SslClientAuthMode.NOT_REQUESTED);
   } else {
     return option == Options.SECURE ? (T) Boolean.TRUE : delegate.getOption(option);
   }
 }
Example #25
0
 private SSLEngine makeSSLEngine(TLSParams p, SSLContext ctx) {
   SSLEngine eng = ctx.createSSLEngine();
   if (p.getCiphers() != null) {
     eng.setEnabledCipherSuites(p.getCiphers().toArray(new String[p.getCiphers().size()]));
   }
   if (p.isClientAuthRequired()) {
     eng.setNeedClientAuth(true);
   } else if (p.isClientAuthRequested()) {
     eng.setWantClientAuth(true);
   }
   eng.setUseClientMode(false);
   return eng;
 }
 public SSLSocketChannelWrapper(SSLContext sslContext, SocketChannel sc, boolean client)
     throws Exception {
   super(sc);
   sslEngine = sslContext.createSSLEngine();
   sslEngine.setUseClientMode(client);
   sslEngine.setEnableSessionCreation(true);
   SSLSession session = sslEngine.getSession();
   in = ByteBuffer.allocate(64 * 1024);
   emptyBuffer = ByteBuffer.allocate(0);
   int netBufferMax = session.getPacketBufferSize();
   netOutBuffer = ByteBuffer.allocate(netBufferMax);
   netInBuffer = ByteBuffer.allocate(netBufferMax);
 }
Example #27
0
  /*
   * Do all the outstanding handshake tasks in the current Thread.
   */
  private SSLEngineResult.HandshakeStatus doTasks() {

    Runnable runnable;

    /*
     * We could run this in a separate thread, but
     * do in the current for now.
     */
    while ((runnable = sslEngine.getDelegatedTask()) != null) {
      runnable.run();
    }
    return sslEngine.getHandshakeStatus();
  }
Example #28
0
  private SSLEngineConfigurator createSSLEngineConfigurator(HTTPConnectionHandlerCfg config)
      throws DirectoryException {
    if (!config.isUseSSL()) {
      return null;
    }

    try {
      SSLContext sslContext = createSSLContext(config);
      SSLEngineConfigurator configurator = new SSLEngineConfigurator(sslContext);
      configurator.setClientMode(false);

      // configure with defaults from the JVM
      final SSLEngine defaults = sslContext.createSSLEngine();
      configurator.setEnabledProtocols(defaults.getEnabledProtocols());
      configurator.setEnabledCipherSuites(defaults.getEnabledCipherSuites());

      final Set<String> protocols = config.getSSLProtocol();
      if (!protocols.isEmpty()) {
        configurator.setEnabledProtocols(protocols.toArray(new String[protocols.size()]));
      }

      final Set<String> ciphers = config.getSSLCipherSuite();
      if (!ciphers.isEmpty()) {
        configurator.setEnabledCipherSuites(ciphers.toArray(new String[ciphers.size()]));
      }

      switch (config.getSSLClientAuthPolicy()) {
        case DISABLED:
          configurator.setNeedClientAuth(false);
          configurator.setWantClientAuth(false);
          break;
        case REQUIRED:
          configurator.setNeedClientAuth(true);
          configurator.setWantClientAuth(true);
          break;
        case OPTIONAL:
        default:
          configurator.setNeedClientAuth(false);
          configurator.setWantClientAuth(true);
          break;
      }

      return configurator;
    } catch (Exception e) {
      logger.traceException(e);
      ResultCode resCode = DirectoryServer.getServerErrorResultCode();
      throw new DirectoryException(
          resCode, ERR_CONNHANDLER_SSL_CANNOT_INITIALIZE.get(getExceptionMessage(e)), e);
    }
  }
Example #29
0
  /**
   * Returns client ssl engine.
   *
   * @param context - SSLContext to get SSLEngine from.
   * @param useSNI - flag used to enable or disable using SNI extension. Needed for Kerberos.
   */
  public static SSLEngine getClientSSLEngine(SSLContext context, boolean useSNI) {

    SSLEngine clientEngine = context.createSSLEngine(HOST, 80);
    clientEngine.setUseClientMode(true);
    if (useSNI) {
      SNIHostName serverName = new SNIHostName(SERVER_NAME);
      List<SNIServerName> serverNames = new ArrayList<>();
      serverNames.add(serverName);
      SSLParameters params = clientEngine.getSSLParameters();
      params.setServerNames(serverNames);
      clientEngine.setSSLParameters(params);
    }
    return clientEngine;
  }
Example #30
0
  /**
   * Returns server ssl engine.
   *
   * @param context - SSLContext to get SSLEngine from.
   * @param useSNI - flag used to enable or disable using SNI extension. Needed for Kerberos.
   */
  public static SSLEngine getServerSSLEngine(SSLContext context, boolean useSNI) {

    SSLEngine serverEngine = context.createSSLEngine();
    serverEngine.setUseClientMode(false);
    if (useSNI) {
      SNIMatcher matcher = SNIHostName.createSNIMatcher(SNI_PATTERN);
      List<SNIMatcher> matchers = new ArrayList<>();
      matchers.add(matcher);
      SSLParameters params = serverEngine.getSSLParameters();
      params.setSNIMatchers(matchers);
      serverEngine.setSSLParameters(params);
    }
    return serverEngine;
  }