/**
* SSL/TLS negotiation. Acquires an SSL socket of a control connection and carries out handshake
* processing.
*
* @throws IOException If server negotiation fails
*/
protected void sslNegotiation() throws IOException {
plainSocket = _socket_;
initSslContext();
SSLSocketFactory ssf = context.getSocketFactory();
String ip = _socket_.getInetAddress().getHostAddress();
int port = _socket_.getPort();
SSLSocket socket = (SSLSocket) ssf.createSocket(_socket_, ip, port, false);
socket.setEnableSessionCreation(isCreation);
socket.setUseClientMode(isClientMode);
// server mode
if (!isClientMode) {
socket.setNeedClientAuth(isNeedClientAuth);
socket.setWantClientAuth(isWantClientAuth);
}
if (protocols != null) {
socket.setEnabledProtocols(protocols);
}
if (suites != null) {
socket.setEnabledCipherSuites(suites);
}
socket.startHandshake();
_socket_ = socket;
_controlInput_ =
new BufferedReader(new InputStreamReader(socket.getInputStream(), getControlEncoding()));
_controlOutput_ =
new BufferedWriter(new OutputStreamWriter(socket.getOutputStream(), getControlEncoding()));
}
/**
* Returns a socket of the data connection. Wrapped as an {@link SSLSocket}, which carries out
* handshake processing.
*
* @param command The textual representation of the FTP command to send.
* @param arg The arguments to the FTP command. If this parameter is set to null, then the command
* is sent with no arguments.
* @return corresponding to the established data connection. Null is returned if an FTP protocol
* error is reported at any point during the establishment and initialization of the
* connection.
* @throws IOException If there is any problem with the connection.
* @see FTPClient#_openDataConnection_(int, String)
* @since 3.2
*/
@Override
protected Socket _openDataConnection_(String command, String arg) throws IOException {
Socket socket = super._openDataConnection_(command, arg);
_prepareDataSocket_(socket);
if (socket instanceof SSLSocket) {
SSLSocket sslSocket = (SSLSocket) socket;
sslSocket.setUseClientMode(isClientMode);
sslSocket.setEnableSessionCreation(isCreation);
// server mode
if (!isClientMode) {
sslSocket.setNeedClientAuth(isNeedClientAuth);
sslSocket.setWantClientAuth(isWantClientAuth);
}
if (suites != null) {
sslSocket.setEnabledCipherSuites(suites);
}
if (protocols != null) {
sslSocket.setEnabledProtocols(protocols);
}
sslSocket.startHandshake();
}
return socket;
}
/**
* Generates an SSL-enabled socket.
*
* @return the new socket
* @throws GeneralSecurityException on error building the socket
* @throws IOException on error loading the KeyStore
*/
private SSLSocket getSslSocket(RemoteDevice target)
throws GeneralSecurityException, IOException {
// Build a new key store based on the key store manager.
KeyManager[] keyManagers = coreService.getKeyStoreManager().getKeyManagers();
TrustManager[] trustManagers = coreService.getKeyStoreManager().getTrustManagers();
if (keyManagers.length == 0) {
throw new IllegalStateException("No key managers");
}
// Create a new SSLContext, using the new KeyManagers and TrustManagers
// as the sources of keys and trust decisions, respectively.
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagers, trustManagers, null);
// Finally, build a new SSLSocketFactory from the SSLContext, and
// then generate a new SSLSocket from it.
SSLSocketFactory factory = sslContext.getSocketFactory();
SSLSocket sock = (SSLSocket) factory.createSocket();
sock.setNeedClientAuth(true);
sock.setUseClientMode(true);
sock.setKeepAlive(true);
sock.setTcpNoDelay(true);
InetSocketAddress fullAddr = new InetSocketAddress(target.getAddress(), target.getPort());
sock.connect(fullAddr, SOCKET_CREATION_TIMEOUT_MS);
sock.startHandshake();
return sock;
}
public Socket createSocket(String host, int port) throws IOException {
Socket s = this.factory.createSocket(host, port);
if (s instanceof SSLSocket) {
SSLSocket ssl = (SSLSocket) s;
ssl.setUseClientMode(false); // client offers to authenticate itself
ssl.setNeedClientAuth(true);
}
return s;
}
public Socket createSocket(
InetAddress address, int port, InetAddress clientAddress, int clientPort) throws IOException {
Socket s = this.factory.createSocket(address, port, clientAddress, clientPort);
if (s instanceof SSLSocket) {
SSLSocket ssl = (SSLSocket) s;
ssl.setUseClientMode(false); // client offers to authenticate itself
ssl.setNeedClientAuth(true);
}
return s;
}
public void handShake() throws IOException, RemoteException {
try {
if (ssl.getWantClientAuth()) {
log.debug(sm.getString("jsseSupport.noCertWant"));
} else {
ssl.setNeedClientAuth(true);
}
if (ssl.getEnabledCipherSuites().length == 0) {
// Handshake is never going to be successful.
// Assume this is because handshakes are disabled
log.warn(sm.getString("jsseSupport.serverRenegDisabled"));
session.invalidate();
ssl.close();
return;
}
InputStream in = ssl.getInputStream();
int oldTimeout = ssl.getSoTimeout();
ssl.setSoTimeout(1000);
byte[] b = new byte[1];
listener.reset();
ssl.startHandshake();
int maxTries = 60; // 60 * 1000 = example 1 minute time out
for (int i = 0; i < maxTries; i++) {
if (log.isTraceEnabled()) log.trace("Reading for try #" + i);
try {
int read = in.read(b);
if (read > 0) {
// Shouldn't happen as all input should have been swallowed
// before trying to do the handshake. If it does, something
// went wrong so lets bomb out now.
throw new SSLException(sm.getString("jsseSupport.unexpectedData"));
}
} catch (SSLException sslex) {
log.info(sm.getString("jsseSupport.clientCertError"), sslex);
throw sslex;
} catch (IOException e) {
// ignore - presumably the timeout
}
if (listener.isCompleted()) {
break;
}
}
ssl.setSoTimeout(oldTimeout);
if (listener.isCompleted() == false) {
throw new SocketException("SSL Cert handshake timeout");
}
} catch (Exception excp) {
excp.printStackTrace();
}
}
/** Enables the client mode and the client authentication */
protected SSLSocket enableClientAuth(SSLSocket sock) {
sock.setNeedClientAuth(true);
sock.setUseClientMode(true);
return sock;
}
public void setNeedClientAuth(final boolean need) {
delegate.setNeedClientAuth(need);
}
