protected SSLEngine createSSLEngine(String sniHostName, List<Cipher> clientRequestedCiphers) {
SSLHostConfig sslHostConfig = getSSLHostConfig(sniHostName);
SSLHostConfigCertificate certificate = selectCertificate(sslHostConfig, clientRequestedCiphers);
SSLContextWrapper sslContextWrapper = certificate.getSslContextWrapper();
if (sslContextWrapper == null) {
throw new IllegalStateException(sm.getString("endpoint.jsse.noSslContext", sniHostName));
}
SSLEngine engine = sslContextWrapper.getSSLContext().createSSLEngine();
switch (sslHostConfig.getCertificateVerification()) {
case NONE:
engine.setNeedClientAuth(false);
engine.setWantClientAuth(false);
break;
case OPTIONAL:
case OPTIONAL_NO_CA:
engine.setWantClientAuth(true);
break;
case REQUIRED:
engine.setNeedClientAuth(true);
break;
}
engine.setUseClientMode(false);
engine.setEnabledCipherSuites(sslContextWrapper.getEnabledCiphers());
engine.setEnabledProtocols(sslContextWrapper.getEnabledProtocols());
SSLParameters sslParameters = engine.getSSLParameters();
sslParameters.setUseCipherSuitesOrder(sslHostConfig.getHonorCipherOrder());
// In case the getter returns a defensive copy
engine.setSSLParameters(sslParameters);
return engine;
}
public Channel createChannel(SocketChannel sc, SelectorThread st, ChannelListener l)
throws IOException, SSLException {
log.info("Creating SecureChannel. Client mode: " + clientMode);
SSLEngine engine = sslContext.createSSLEngine();
engine.setUseClientMode(clientMode);
engine.setNeedClientAuth(true);
return new SSLChannel(st, sc, l, engine);
}
protected SSLEngine initSocketSSLEngine(Socket socket) throws SSLException {
SSLEngine engine = super.initSocketSSLEngine(socket);
engine.setUseClientMode(false);
switch (this.getSSLConfiguration().getClientAuthentication()) {
case NONE:
engine.setNeedClientAuth(false);
engine.setWantClientAuth(false);
break;
case REQUEST:
engine.setWantClientAuth(true);
break;
case REQUIRE:
engine.setNeedClientAuth(true);
break;
}
return engine;
}
private SSLEngine createSSLEngine(LDAPConnectionHandlerCfg config, SSLContext sslContext)
throws DirectoryException {
try {
SSLEngine sslEngine = sslContext.createSSLEngine();
sslEngine.setUseClientMode(false);
final Set<String> protocols = config.getSSLProtocol();
if (!protocols.isEmpty()) {
sslEngine.setEnabledProtocols(protocols.toArray(new String[0]));
}
final Set<String> ciphers = config.getSSLCipherSuite();
if (!ciphers.isEmpty()) {
sslEngine.setEnabledCipherSuites(ciphers.toArray(new String[0]));
}
switch (config.getSSLClientAuthPolicy()) {
case DISABLED:
sslEngine.setNeedClientAuth(false);
sslEngine.setWantClientAuth(false);
break;
case REQUIRED:
sslEngine.setWantClientAuth(true);
sslEngine.setNeedClientAuth(true);
break;
case OPTIONAL:
default:
sslEngine.setNeedClientAuth(false);
sslEngine.setWantClientAuth(true);
break;
}
return sslEngine;
} catch (Exception e) {
logger.traceException(e);
ResultCode resCode = DirectoryServer.getServerErrorResultCode();
LocalizableMessage message =
ERR_CONNHANDLER_SSL_CANNOT_INITIALIZE.get(getExceptionMessage(e));
throw new DirectoryException(resCode, message, e);
}
}
private SSLEngine makeSSLEngine(TLSParams p, SSLContext ctx) {
SSLEngine eng = ctx.createSSLEngine();
if (p.getCiphers() != null) {
eng.setEnabledCipherSuites(p.getCiphers().toArray(new String[p.getCiphers().size()]));
}
if (p.isClientAuthRequired()) {
eng.setNeedClientAuth(true);
} else if (p.isClientAuthRequested()) {
eng.setWantClientAuth(true);
}
eng.setUseClientMode(false);
return eng;
}
/*
* Using the SSLContext created during object creation,
* create/configure the SSLEngines we'll use for this test.
*/
private void createSSLEngines() throws Exception {
/*
* Configure the serverEngine to act as a server in the SSL/TLS
* handshake. Also, require SSL client authentication.
*/
serverEngine = sslc.createSSLEngine();
serverEngine.setUseClientMode(false);
serverEngine.setNeedClientAuth(true);
/*
* Similar to above, but using client mode instead.
*/
clientEngine = sslc.createSSLEngine("client", 80);
clientEngine.setUseClientMode(true);
}
@Override
public void doClientAuth(SSLSupport sslSupport) {
SecureNioChannel sslChannel = (SecureNioChannel) getSocket();
SSLEngine engine = sslChannel.getSslEngine();
if (!engine.getNeedClientAuth()) {
// Need to re-negotiate SSL connection
engine.setNeedClientAuth(true);
try {
sslChannel.rehandshake(getEndpoint().getSoTimeout());
((JSSESupport) sslSupport).setSession(engine.getSession());
} catch (IOException ioe) {
log.warn(sm.getString("socket.sslreneg", ioe));
}
}
}
public void initalize(final SSLEngine sslengine) throws SSLException {
if (clientAuth != null) {
switch (clientAuth) {
case OPTIONAL:
sslengine.setWantClientAuth(true);
break;
case REQUIRED:
sslengine.setNeedClientAuth(true);
}
}
// set handshake protocols if they are specified in transport
// configuration.
if (httpsProtocols != null) {
sslengine.setEnabledProtocols(httpsProtocols);
}
}
/**
* Start a new handshake operation for this channel.
*
* @see #handshake()
* @throws SSLException
*/
protected void reHandshake() throws SSLException {
if (sslEngine.getWantClientAuth()) {
CoyoteLogger.UTIL_LOGGER.debug("No client cert sent for want");
} else {
if (!sslEngine.getNeedClientAuth()) {
sslEngine.setNeedClientAuth(true);
} else {
CoyoteLogger.UTIL_LOGGER.debug("Already need client cert");
}
}
handshakeComplete = false;
handshakeStatus = sslEngine.getHandshakeStatus();
try {
doHandshake();
} catch (Exception e) {
throw new SSLException(e);
}
}
/** {@inheritDoc} */
@Override
public <T> T setOption(final Option<T> option, final T value)
throws IllegalArgumentException, IOException {
if (option == Options.SSL_CLIENT_AUTH_MODE) {
try {
return option.cast(
engine.getNeedClientAuth()
? SslClientAuthMode.REQUIRED
: engine.getWantClientAuth()
? SslClientAuthMode.REQUESTED
: SslClientAuthMode.NOT_REQUESTED);
} finally {
engine.setNeedClientAuth(value == SslClientAuthMode.REQUIRED);
engine.setWantClientAuth(value == SslClientAuthMode.REQUESTED);
}
} else if (option == Options.SECURE) {
throw new IllegalArgumentException();
} else {
return delegate.setOption(option, value);
}
}