예제 #1
0
  protected SSLEngine createSSLEngine(String sniHostName, List<Cipher> clientRequestedCiphers) {
    SSLHostConfig sslHostConfig = getSSLHostConfig(sniHostName);

    SSLHostConfigCertificate certificate = selectCertificate(sslHostConfig, clientRequestedCiphers);

    SSLContextWrapper sslContextWrapper = certificate.getSslContextWrapper();
    if (sslContextWrapper == null) {
      throw new IllegalStateException(sm.getString("endpoint.jsse.noSslContext", sniHostName));
    }

    SSLEngine engine = sslContextWrapper.getSSLContext().createSSLEngine();
    switch (sslHostConfig.getCertificateVerification()) {
      case NONE:
        engine.setNeedClientAuth(false);
        engine.setWantClientAuth(false);
        break;
      case OPTIONAL:
      case OPTIONAL_NO_CA:
        engine.setWantClientAuth(true);
        break;
      case REQUIRED:
        engine.setNeedClientAuth(true);
        break;
    }
    engine.setUseClientMode(false);
    engine.setEnabledCipherSuites(sslContextWrapper.getEnabledCiphers());
    engine.setEnabledProtocols(sslContextWrapper.getEnabledProtocols());

    SSLParameters sslParameters = engine.getSSLParameters();
    sslParameters.setUseCipherSuitesOrder(sslHostConfig.getHonorCipherOrder());
    // In case the getter returns a defensive copy
    engine.setSSLParameters(sslParameters);

    return engine;
  }
예제 #2
0
  public Channel createChannel(SocketChannel sc, SelectorThread st, ChannelListener l)
      throws IOException, SSLException {
    log.info("Creating SecureChannel. Client mode: " + clientMode);
    SSLEngine engine = sslContext.createSSLEngine();
    engine.setUseClientMode(clientMode);
    engine.setNeedClientAuth(true);

    return new SSLChannel(st, sc, l, engine);
  }
예제 #3
0
  protected SSLEngine initSocketSSLEngine(Socket socket) throws SSLException {
    SSLEngine engine = super.initSocketSSLEngine(socket);
    engine.setUseClientMode(false);

    switch (this.getSSLConfiguration().getClientAuthentication()) {
      case NONE:
        engine.setNeedClientAuth(false);
        engine.setWantClientAuth(false);
        break;
      case REQUEST:
        engine.setWantClientAuth(true);
        break;
      case REQUIRE:
        engine.setNeedClientAuth(true);
        break;
    }

    return engine;
  }
예제 #4
0
  private SSLEngine createSSLEngine(LDAPConnectionHandlerCfg config, SSLContext sslContext)
      throws DirectoryException {
    try {
      SSLEngine sslEngine = sslContext.createSSLEngine();
      sslEngine.setUseClientMode(false);

      final Set<String> protocols = config.getSSLProtocol();
      if (!protocols.isEmpty()) {
        sslEngine.setEnabledProtocols(protocols.toArray(new String[0]));
      }

      final Set<String> ciphers = config.getSSLCipherSuite();
      if (!ciphers.isEmpty()) {
        sslEngine.setEnabledCipherSuites(ciphers.toArray(new String[0]));
      }

      switch (config.getSSLClientAuthPolicy()) {
        case DISABLED:
          sslEngine.setNeedClientAuth(false);
          sslEngine.setWantClientAuth(false);
          break;
        case REQUIRED:
          sslEngine.setWantClientAuth(true);
          sslEngine.setNeedClientAuth(true);
          break;
        case OPTIONAL:
        default:
          sslEngine.setNeedClientAuth(false);
          sslEngine.setWantClientAuth(true);
          break;
      }

      return sslEngine;
    } catch (Exception e) {
      logger.traceException(e);
      ResultCode resCode = DirectoryServer.getServerErrorResultCode();
      LocalizableMessage message =
          ERR_CONNHANDLER_SSL_CANNOT_INITIALIZE.get(getExceptionMessage(e));
      throw new DirectoryException(resCode, message, e);
    }
  }
예제 #5
0
 private SSLEngine makeSSLEngine(TLSParams p, SSLContext ctx) {
   SSLEngine eng = ctx.createSSLEngine();
   if (p.getCiphers() != null) {
     eng.setEnabledCipherSuites(p.getCiphers().toArray(new String[p.getCiphers().size()]));
   }
   if (p.isClientAuthRequired()) {
     eng.setNeedClientAuth(true);
   } else if (p.isClientAuthRequested()) {
     eng.setWantClientAuth(true);
   }
   eng.setUseClientMode(false);
   return eng;
 }
예제 #6
0
  /*
   * Using the SSLContext created during object creation,
   * create/configure the SSLEngines we'll use for this test.
   */
  private void createSSLEngines() throws Exception {
    /*
     * Configure the serverEngine to act as a server in the SSL/TLS
     * handshake.  Also, require SSL client authentication.
     */
    serverEngine = sslc.createSSLEngine();
    serverEngine.setUseClientMode(false);
    serverEngine.setNeedClientAuth(true);

    /*
     * Similar to above, but using client mode instead.
     */
    clientEngine = sslc.createSSLEngine("client", 80);
    clientEngine.setUseClientMode(true);
  }
예제 #7
0
 @Override
 public void doClientAuth(SSLSupport sslSupport) {
   SecureNioChannel sslChannel = (SecureNioChannel) getSocket();
   SSLEngine engine = sslChannel.getSslEngine();
   if (!engine.getNeedClientAuth()) {
     // Need to re-negotiate SSL connection
     engine.setNeedClientAuth(true);
     try {
       sslChannel.rehandshake(getEndpoint().getSoTimeout());
       ((JSSESupport) sslSupport).setSession(engine.getSession());
     } catch (IOException ioe) {
       log.warn(sm.getString("socket.sslreneg", ioe));
     }
   }
 }
 public void initalize(final SSLEngine sslengine) throws SSLException {
   if (clientAuth != null) {
     switch (clientAuth) {
       case OPTIONAL:
         sslengine.setWantClientAuth(true);
         break;
       case REQUIRED:
         sslengine.setNeedClientAuth(true);
     }
   }
   // set handshake protocols if they are specified in transport
   // configuration.
   if (httpsProtocols != null) {
     sslengine.setEnabledProtocols(httpsProtocols);
   }
 }
예제 #9
0
 /**
  * Start a new handshake operation for this channel.
  *
  * @see #handshake()
  * @throws SSLException
  */
 protected void reHandshake() throws SSLException {
   if (sslEngine.getWantClientAuth()) {
     CoyoteLogger.UTIL_LOGGER.debug("No client cert sent for want");
   } else {
     if (!sslEngine.getNeedClientAuth()) {
       sslEngine.setNeedClientAuth(true);
     } else {
       CoyoteLogger.UTIL_LOGGER.debug("Already need client cert");
     }
   }
   handshakeComplete = false;
   handshakeStatus = sslEngine.getHandshakeStatus();
   try {
     doHandshake();
   } catch (Exception e) {
     throw new SSLException(e);
   }
 }
예제 #10
0
 /** {@inheritDoc} */
 @Override
 public <T> T setOption(final Option<T> option, final T value)
     throws IllegalArgumentException, IOException {
   if (option == Options.SSL_CLIENT_AUTH_MODE) {
     try {
       return option.cast(
           engine.getNeedClientAuth()
               ? SslClientAuthMode.REQUIRED
               : engine.getWantClientAuth()
                   ? SslClientAuthMode.REQUESTED
                   : SslClientAuthMode.NOT_REQUESTED);
     } finally {
       engine.setNeedClientAuth(value == SslClientAuthMode.REQUIRED);
       engine.setWantClientAuth(value == SslClientAuthMode.REQUESTED);
     }
   } else if (option == Options.SECURE) {
     throw new IllegalArgumentException();
   } else {
     return delegate.setOption(option, value);
   }
 }