protected SSLEngine createSSLEngine(String sniHostName, List<Cipher> clientRequestedCiphers) {
SSLHostConfig sslHostConfig = getSSLHostConfig(sniHostName);
SSLHostConfigCertificate certificate = selectCertificate(sslHostConfig, clientRequestedCiphers);
SSLContextWrapper sslContextWrapper = certificate.getSslContextWrapper();
if (sslContextWrapper == null) {
throw new IllegalStateException(sm.getString("endpoint.jsse.noSslContext", sniHostName));
}
SSLEngine engine = sslContextWrapper.getSSLContext().createSSLEngine();
switch (sslHostConfig.getCertificateVerification()) {
case NONE:
engine.setNeedClientAuth(false);
engine.setWantClientAuth(false);
break;
case OPTIONAL:
case OPTIONAL_NO_CA:
engine.setWantClientAuth(true);
break;
case REQUIRED:
engine.setNeedClientAuth(true);
break;
}
engine.setUseClientMode(false);
engine.setEnabledCipherSuites(sslContextWrapper.getEnabledCiphers());
engine.setEnabledProtocols(sslContextWrapper.getEnabledProtocols());
SSLParameters sslParameters = engine.getSSLParameters();
sslParameters.setUseCipherSuitesOrder(sslHostConfig.getHonorCipherOrder());
// In case the getter returns a defensive copy
engine.setSSLParameters(sslParameters);
return engine;
}
/**
* Creates a new <code>TLSWrapper</code> instance.
*
* @param sslc
* @param eventHandler
* @param clientMode
*/
public TLSWrapper(
SSLContext sslc, TLSEventHandler eventHandler, String[] sslProtocols, boolean clientMode) {
tlsEngine = sslc.createSSLEngine();
tlsEngine.setUseClientMode(clientMode);
if (tls_jdk_nss_workaround) {
// Workaround for TLS/SSL bug in new JDK used with new version of
// nss library see also:
// http://stackoverflow.com/q/10687200/427545
// http://bugs.sun.com/bugdatabase/view_bug.do;jsessionid=b509d9cb5d8164d90e6731f5fc44?bug_id=6928796
tlsEngine.setEnabledCipherSuites(tls_workaround_ciphers);
}
if (sslProtocols != null) {
tlsEngine.setEnabledProtocols(sslProtocols);
}
netBuffSize = tlsEngine.getSession().getPacketBufferSize();
appBuffSize = tlsEngine.getSession().getApplicationBufferSize();
this.eventHandler = eventHandler;
if (!clientMode) {
tlsEngine.setWantClientAuth(true);
}
}
protected SSLEngine initSocketSSLEngine(Socket socket) throws SSLException {
SSLEngine engine = super.initSocketSSLEngine(socket);
engine.setUseClientMode(false);
switch (this.getSSLConfiguration().getClientAuthentication()) {
case NONE:
engine.setNeedClientAuth(false);
engine.setWantClientAuth(false);
break;
case REQUEST:
engine.setWantClientAuth(true);
break;
case REQUIRE:
engine.setNeedClientAuth(true);
break;
}
return engine;
}
private SSLEngine createSSLEngine(LDAPConnectionHandlerCfg config, SSLContext sslContext)
throws DirectoryException {
try {
SSLEngine sslEngine = sslContext.createSSLEngine();
sslEngine.setUseClientMode(false);
final Set<String> protocols = config.getSSLProtocol();
if (!protocols.isEmpty()) {
sslEngine.setEnabledProtocols(protocols.toArray(new String[0]));
}
final Set<String> ciphers = config.getSSLCipherSuite();
if (!ciphers.isEmpty()) {
sslEngine.setEnabledCipherSuites(ciphers.toArray(new String[0]));
}
switch (config.getSSLClientAuthPolicy()) {
case DISABLED:
sslEngine.setNeedClientAuth(false);
sslEngine.setWantClientAuth(false);
break;
case REQUIRED:
sslEngine.setWantClientAuth(true);
sslEngine.setNeedClientAuth(true);
break;
case OPTIONAL:
default:
sslEngine.setNeedClientAuth(false);
sslEngine.setWantClientAuth(true);
break;
}
return sslEngine;
} catch (Exception e) {
logger.traceException(e);
ResultCode resCode = DirectoryServer.getServerErrorResultCode();
LocalizableMessage message =
ERR_CONNHANDLER_SSL_CANNOT_INITIALIZE.get(getExceptionMessage(e));
throw new DirectoryException(resCode, message, e);
}
}
private SSLEngine makeSSLEngine(TLSParams p, SSLContext ctx) {
SSLEngine eng = ctx.createSSLEngine();
if (p.getCiphers() != null) {
eng.setEnabledCipherSuites(p.getCiphers().toArray(new String[p.getCiphers().size()]));
}
if (p.isClientAuthRequired()) {
eng.setNeedClientAuth(true);
} else if (p.isClientAuthRequested()) {
eng.setWantClientAuth(true);
}
eng.setUseClientMode(false);
return eng;
}
public void initalize(final SSLEngine sslengine) throws SSLException {
if (clientAuth != null) {
switch (clientAuth) {
case OPTIONAL:
sslengine.setWantClientAuth(true);
break;
case REQUIRED:
sslengine.setNeedClientAuth(true);
}
}
// set handshake protocols if they are specified in transport
// configuration.
if (httpsProtocols != null) {
sslengine.setEnabledProtocols(httpsProtocols);
}
}
/** {@inheritDoc} */
@Override
public <T> T setOption(final Option<T> option, final T value)
throws IllegalArgumentException, IOException {
if (option == Options.SSL_CLIENT_AUTH_MODE) {
try {
return option.cast(
engine.getNeedClientAuth()
? SslClientAuthMode.REQUIRED
: engine.getWantClientAuth()
? SslClientAuthMode.REQUESTED
: SslClientAuthMode.NOT_REQUESTED);
} finally {
engine.setNeedClientAuth(value == SslClientAuthMode.REQUIRED);
engine.setWantClientAuth(value == SslClientAuthMode.REQUESTED);
}
} else if (option == Options.SECURE) {
throw new IllegalArgumentException();
} else {
return delegate.setOption(option, value);
}
}
