/**
   * Creates a new <code>TLSWrapper</code> around a fresh {@code SSLEngine} obtained from
   * {@code sslc}.
   *
   * <p>The engine runs in client or server mode as requested. In server mode a client
   * certificate is requested but not required ({@code setWantClientAuth(true)} only; this
   * constructor never calls {@code setNeedClientAuth}). When {@code tls_jdk_nss_workaround}
   * is set, the engine's default cipher suite selection is replaced by the fixed
   * {@code tls_workaround_ciphers} list, so that list - not the JDK defaults - decides what
   * the peer may negotiate.
   *
   * @param sslc the context used to create the engine
   * @param eventHandler stored as this wrapper's event handler
   * @param sslProtocols protocol names to enable on the engine, or {@code null} to keep the
   *     engine's defaults
   * @param clientMode {@code true} to act as the TLS client, {@code false} to act as server
   */
  public TLSWrapper(
      SSLContext sslc, TLSEventHandler eventHandler, String[] sslProtocols, boolean clientMode) {
    this.eventHandler = eventHandler;

    tlsEngine = sslc.createSSLEngine();
    tlsEngine.setUseClientMode(clientMode);

    // Workaround for a TLS/SSL bug in newer JDKs combined with a newer nss library, see:
    // http://stackoverflow.com/q/10687200/427545
    // http://bugs.sun.com/bugdatabase/view_bug.do;jsessionid=b509d9cb5d8164d90e6731f5fc44?bug_id=6928796
    // NOTE(review): this pins the enabled suites to a static list; confirm that list still
    // reflects current cipher policy, since it bypasses the JDK's own defaults.
    if (tls_jdk_nss_workaround) {
      tlsEngine.setEnabledCipherSuites(tls_workaround_ciphers);
    }

    // A null protocol list means "leave the engine's default protocol set alone".
    if (sslProtocols != null) {
      tlsEngine.setEnabledProtocols(sslProtocols);
    }

    netBuffSize = tlsEngine.getSession().getPacketBufferSize();
    appBuffSize = tlsEngine.getSession().getApplicationBufferSize();

    // Server side: ask the peer for a certificate without making it mandatory.
    if (!clientMode) {
      tlsEngine.setWantClientAuth(true);
    }
  }
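 /**
  * Create a new client mode SSL engine, configured from an option map.
  *
  * <p>Cipher suites and protocols listed in the option map are intersected with what the
  * engine reports as supported, keeping the option map's order; unsupported names are dropped
  * silently. If an option is present but none of its entries are supported, the engine is
  * handed an empty list rather than falling back to its defaults, so the handshake is
  * expected to fail instead of negotiating something the configuration did not ask for.
  *
  * @param sslContext the SSL context
  * @param optionMap the SSL options
  * @param peerAddress the peer address of the connection
  * @return the configured SSL engine
  */
 public static SSLEngine createSSLEngine(
     SSLContext sslContext, OptionMap optionMap, InetSocketAddress peerAddress) {
   final SSLEngine engine =
       sslContext.createSSLEngine(
           optionMap.get(Options.SSL_PEER_HOST_NAME, getHostNameNoResolve(peerAddress)),
           optionMap.get(Options.SSL_PEER_PORT, peerAddress.getPort()));
   engine.setUseClientMode(true);
   engine.setEnableSessionCreation(optionMap.get(Options.SSL_ENABLE_SESSION_CREATION, true));
   final Sequence<String> cipherSuites = optionMap.get(Options.SSL_ENABLED_CIPHER_SUITES);
   if (cipherSuites != null) {
     engine.setEnabledCipherSuites(
         retainSupported(cipherSuites, engine.getSupportedCipherSuites()));
   }
   final Sequence<String> protocols = optionMap.get(Options.SSL_ENABLED_PROTOCOLS);
   if (protocols != null) {
     engine.setEnabledProtocols(retainSupported(protocols, engine.getSupportedProtocols()));
   }
   return engine;
 }

 /**
  * Returns the entries of {@code requested}, in iteration order, that also occur in
  * {@code supported}. Shared by the cipher suite and protocol filtering above.
  *
  * @param requested the names asked for in the option map
  * @param supported the names the engine reports as supported
  * @return the retained names, possibly empty
  */
 private static String[] retainSupported(Iterable<String> requested, String[] supported) {
   final Set<String> supportedSet = new HashSet<String>(Arrays.asList(supported));
   final List<String> retained = new ArrayList<String>();
   for (String name : requested) {
     if (supportedSet.contains(name)) {
       retained.add(name);
     }
   }
   return retained.toArray(new String[0]);
 }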
  /**
   * Builds a server-mode {@link SSLEngine} for the host configuration selected by
   * {@code sniHostName}.
   *
   * <p>The certificate is chosen via {@code selectCertificate} from the host configuration and
   * the ciphers the client requested; its wrapper must already carry an SSL context. Client
   * certificate handling follows the host's certificate verification setting: NONE clears both
   * want/need, OPTIONAL and OPTIONAL_NO_CA request a certificate without requiring it, and
   * REQUIRED makes it mandatory. Enabled ciphers and protocols come from the context wrapper;
   * the host's honor-cipher-order flag is applied through {@link SSLParameters}.
   *
   * @param sniHostName the host name used to look up the SSL host configuration
   * @param clientRequestedCiphers the cipher suites the client requested
   * @return the configured engine
   * @throws IllegalStateException if the selected certificate has no SSL context wrapper
   */
  protected SSLEngine createSSLEngine(String sniHostName, List<Cipher> clientRequestedCiphers) {
    final SSLHostConfig hostConfig = getSSLHostConfig(sniHostName);
    final SSLHostConfigCertificate cert = selectCertificate(hostConfig, clientRequestedCiphers);
    final SSLContextWrapper contextWrapper = cert.getSslContextWrapper();
    if (contextWrapper == null) {
      throw new IllegalStateException(sm.getString("endpoint.jsse.noSslContext", sniHostName));
    }

    final SSLEngine engine = contextWrapper.getSSLContext().createSSLEngine();
    applyCertificateVerification(engine, hostConfig);
    engine.setUseClientMode(false);
    engine.setEnabledCipherSuites(contextWrapper.getEnabledCiphers());
    engine.setEnabledProtocols(contextWrapper.getEnabledProtocols());

    // Read-modify-write: the getter may hand back a defensive copy, so the modified
    // parameters have to be written back explicitly.
    final SSLParameters params = engine.getSSLParameters();
    params.setUseCipherSuitesOrder(hostConfig.getHonorCipherOrder());
    engine.setSSLParameters(params);

    return engine;
  }

  /** Maps the host's certificate verification mode onto the engine's want/need flags. */
  private static void applyCertificateVerification(SSLEngine engine, SSLHostConfig hostConfig) {
    switch (hostConfig.getCertificateVerification()) {
      case NONE:
        engine.setNeedClientAuth(false);
        engine.setWantClientAuth(false);
        break;
      case OPTIONAL:
      case OPTIONAL_NO_CA:
        engine.setWantClientAuth(true);
        break;
      case REQUIRED:
        engine.setNeedClientAuth(true);
        break;
    }
  }
 /**
  * Applies the transport's client-authentication mode and protocol list to {@code sslengine}.
  *
  * <p>When {@code clientAuth} is {@code null} the engine's client-auth flags are left
  * untouched. OPTIONAL asks the peer for a certificate without requiring one; REQUIRED makes
  * it mandatory. The enabled protocols are overridden only when {@code httpsProtocols} is
  * set. No cipher suite restriction is applied in this method.
  *
  * @param sslengine the engine to configure
  * @throws SSLException declared for callers; nothing in this body throws it directly
  */
 public void initalize(final SSLEngine sslengine) throws SSLException {
   if (clientAuth != null) {
     switch (clientAuth) {
       case OPTIONAL:
         sslengine.setWantClientAuth(true);
         break;
       case REQUIRED:
         sslengine.setNeedClientAuth(true);
         break;
       default:
         // Other modes leave the engine's client-auth defaults in place.
         break;
     }
   }
   // Handshake protocols are only narrowed when the transport configuration names them.
   if (httpsProtocols != null) {
     sslengine.setEnabledProtocols(httpsProtocols);
   }
 }
  /**
   * Creates a server-mode {@link SSLEngine} from {@code sslContext}, applying the protocol,
   * cipher suite and client-authentication settings found in {@code config}.
   *
   * <p>Empty protocol or cipher sets leave the engine defaults in place. The client-auth policy
   * maps as follows: DISABLED clears both want/need, REQUIRED sets both, and OPTIONAL - as well
   * as any other policy value, through the {@code default} branch - requests a certificate
   * without requiring one.
   *
   * @param config the connection handler configuration
   * @param sslContext the SSL context to create the engine from
   * @return the configured engine
   * @throws DirectoryException wrapping any exception raised while creating or configuring the
   *     engine, reported with the server error result code
   */
  private SSLEngine createSSLEngine(LDAPConnectionHandlerCfg config, SSLContext sslContext)
      throws DirectoryException {
    try {
      final SSLEngine engine = sslContext.createSSLEngine();
      engine.setUseClientMode(false);
      restrictProtocolsAndCiphers(engine, config);
      applyClientAuthPolicy(engine, config);
      return engine;
    } catch (Exception e) {
      // Boundary: any failure is traced and surfaced as a DirectoryException with its cause.
      logger.traceException(e);
      final ResultCode resCode = DirectoryServer.getServerErrorResultCode();
      final LocalizableMessage message =
          ERR_CONNHANDLER_SSL_CANNOT_INITIALIZE.get(getExceptionMessage(e));
      throw new DirectoryException(resCode, message, e);
    }
  }

  /** Enables only the protocols and cipher suites named in {@code config}, when non-empty. */
  private static void restrictProtocolsAndCiphers(
      SSLEngine engine, LDAPConnectionHandlerCfg config) {
    final Set<String> protocols = config.getSSLProtocol();
    if (!protocols.isEmpty()) {
      engine.setEnabledProtocols(protocols.toArray(new String[0]));
    }
    final Set<String> ciphers = config.getSSLCipherSuite();
    if (!ciphers.isEmpty()) {
      engine.setEnabledCipherSuites(ciphers.toArray(new String[0]));
    }
  }

  /** Translates the configured client-auth policy into the engine's want/need flags. */
  private static void applyClientAuthPolicy(SSLEngine engine, LDAPConnectionHandlerCfg config) {
    switch (config.getSSLClientAuthPolicy()) {
      case DISABLED:
        engine.setNeedClientAuth(false);
        engine.setWantClientAuth(false);
        break;
      case REQUIRED:
        engine.setWantClientAuth(true);
        engine.setNeedClientAuth(true);
        break;
      case OPTIONAL:
      default:
        // Unknown policy values fall through to "request but do not require".
        engine.setNeedClientAuth(false);
        engine.setWantClientAuth(true);
        break;
    }
  }