protected SSLEngine createSSLEngine(String sniHostName, List<Cipher> clientRequestedCiphers) {
SSLHostConfig sslHostConfig = getSSLHostConfig(sniHostName);
SSLHostConfigCertificate certificate = selectCertificate(sslHostConfig, clientRequestedCiphers);
SSLContextWrapper sslContextWrapper = certificate.getSslContextWrapper();
if (sslContextWrapper == null) {
throw new IllegalStateException(sm.getString("endpoint.jsse.noSslContext", sniHostName));
}
SSLEngine engine = sslContextWrapper.getSSLContext().createSSLEngine();
switch (sslHostConfig.getCertificateVerification()) {
case NONE:
engine.setNeedClientAuth(false);
engine.setWantClientAuth(false);
break;
case OPTIONAL:
case OPTIONAL_NO_CA:
engine.setWantClientAuth(true);
break;
case REQUIRED:
engine.setNeedClientAuth(true);
break;
}
engine.setUseClientMode(false);
engine.setEnabledCipherSuites(sslContextWrapper.getEnabledCiphers());
engine.setEnabledProtocols(sslContextWrapper.getEnabledProtocols());
SSLParameters sslParameters = engine.getSSLParameters();
sslParameters.setUseCipherSuitesOrder(sslHostConfig.getHonorCipherOrder());
// In case the getter returns a defensive copy
engine.setSSLParameters(sslParameters);
return engine;
}
private SSLHostConfigCertificate selectCertificate(
SSLHostConfig sslHostConfig, List<Cipher> clientCiphers) {
Set<SSLHostConfigCertificate> certificates = sslHostConfig.getCertificates(true);
if (certificates.size() == 1) {
return certificates.iterator().next();
}
LinkedHashSet<Cipher> serverCiphers = sslHostConfig.getCipherList();
List<Cipher> candidateCiphers = new ArrayList<>();
if (sslHostConfig.getHonorCipherOrder()) {
candidateCiphers.addAll(serverCiphers);
candidateCiphers.retainAll(clientCiphers);
} else {
candidateCiphers.addAll(clientCiphers);
candidateCiphers.retainAll(serverCiphers);
}
Iterator<Cipher> candidateIter = candidateCiphers.iterator();
while (candidateIter.hasNext()) {
Cipher candidate = candidateIter.next();
for (SSLHostConfigCertificate certificate : certificates) {
if (certificate.getType().isCompatibleWith(candidate.getAu())) {
return certificate;
}
}
}
// No matches. Just return the first certificate. The handshake will
// then fail due to no matching ciphers.
return certificates.iterator().next();
}
@Override
public void unbind() throws Exception {
for (SSLHostConfig sslHostConfig : sslHostConfigs.values()) {
for (SSLHostConfigCertificate certificate : sslHostConfig.getCertificates(true)) {
certificate.setSslContextWrapper(null);
}
}
}
protected void initialiseSsl() throws Exception {
if (isSSLEnabled()) {
sslImplementation = SSLImplementation.getInstance(getSslImplementationName());
for (SSLHostConfig sslHostConfig : sslHostConfigs.values()) {
for (SSLHostConfigCertificate certificate : sslHostConfig.getCertificates(true)) {
SSLUtil sslUtil = sslImplementation.getSSLUtil(sslHostConfig, certificate);
SSLContext sslContext = sslUtil.createSSLContext(negotiableProtocols);
sslContext.init(sslUtil.getKeyManagers(), sslUtil.getTrustManagers(), null);
SSLSessionContext sessionContext = sslContext.getServerSessionContext();
if (sessionContext != null) {
sslUtil.configureSessionContext(sessionContext);
}
SSLContextWrapper sslContextWrapper = new SSLContextWrapper(sslContext, sslUtil);
certificate.setSslContextWrapper(sslContextWrapper);
}
}
}
}