Exemplo n.º 1
0
  protected SSLEngine createSSLEngine(String sniHostName, List<Cipher> clientRequestedCiphers) {
    SSLHostConfig sslHostConfig = getSSLHostConfig(sniHostName);

    SSLHostConfigCertificate certificate = selectCertificate(sslHostConfig, clientRequestedCiphers);

    SSLContextWrapper sslContextWrapper = certificate.getSslContextWrapper();
    if (sslContextWrapper == null) {
      throw new IllegalStateException(sm.getString("endpoint.jsse.noSslContext", sniHostName));
    }

    SSLEngine engine = sslContextWrapper.getSSLContext().createSSLEngine();
    switch (sslHostConfig.getCertificateVerification()) {
      case NONE:
        engine.setNeedClientAuth(false);
        engine.setWantClientAuth(false);
        break;
      case OPTIONAL:
      case OPTIONAL_NO_CA:
        engine.setWantClientAuth(true);
        break;
      case REQUIRED:
        engine.setNeedClientAuth(true);
        break;
    }
    engine.setUseClientMode(false);
    engine.setEnabledCipherSuites(sslContextWrapper.getEnabledCiphers());
    engine.setEnabledProtocols(sslContextWrapper.getEnabledProtocols());

    SSLParameters sslParameters = engine.getSSLParameters();
    sslParameters.setUseCipherSuitesOrder(sslHostConfig.getHonorCipherOrder());
    // In case the getter returns a defensive copy
    engine.setSSLParameters(sslParameters);

    return engine;
  }
Exemplo n.º 2
0
  /**
   * Creates a new <code>TLSWrapper</code> instance.
   *
   * @param sslc
   * @param eventHandler
   * @param clientMode
   */
  public TLSWrapper(
      SSLContext sslc, TLSEventHandler eventHandler, String[] sslProtocols, boolean clientMode) {
    tlsEngine = sslc.createSSLEngine();
    tlsEngine.setUseClientMode(clientMode);

    if (tls_jdk_nss_workaround) {
      // Workaround for TLS/SSL bug in new JDK used with new version of
      // nss library see also:
      // http://stackoverflow.com/q/10687200/427545
      // http://bugs.sun.com/bugdatabase/view_bug.do;jsessionid=b509d9cb5d8164d90e6731f5fc44?bug_id=6928796
      tlsEngine.setEnabledCipherSuites(tls_workaround_ciphers);
    }

    if (sslProtocols != null) {
      tlsEngine.setEnabledProtocols(sslProtocols);
    }

    netBuffSize = tlsEngine.getSession().getPacketBufferSize();
    appBuffSize = tlsEngine.getSession().getApplicationBufferSize();
    this.eventHandler = eventHandler;

    if (!clientMode) {
      tlsEngine.setWantClientAuth(true);
    }
  }
Exemplo n.º 3
0
  protected SSLEngine initSocketSSLEngine(Socket socket) throws SSLException {
    SSLEngine engine = super.initSocketSSLEngine(socket);
    engine.setUseClientMode(false);

    switch (this.getSSLConfiguration().getClientAuthentication()) {
      case NONE:
        engine.setNeedClientAuth(false);
        engine.setWantClientAuth(false);
        break;
      case REQUEST:
        engine.setWantClientAuth(true);
        break;
      case REQUIRE:
        engine.setNeedClientAuth(true);
        break;
    }

    return engine;
  }
Exemplo n.º 4
0
  private SSLEngine createSSLEngine(LDAPConnectionHandlerCfg config, SSLContext sslContext)
      throws DirectoryException {
    try {
      SSLEngine sslEngine = sslContext.createSSLEngine();
      sslEngine.setUseClientMode(false);

      final Set<String> protocols = config.getSSLProtocol();
      if (!protocols.isEmpty()) {
        sslEngine.setEnabledProtocols(protocols.toArray(new String[0]));
      }

      final Set<String> ciphers = config.getSSLCipherSuite();
      if (!ciphers.isEmpty()) {
        sslEngine.setEnabledCipherSuites(ciphers.toArray(new String[0]));
      }

      switch (config.getSSLClientAuthPolicy()) {
        case DISABLED:
          sslEngine.setNeedClientAuth(false);
          sslEngine.setWantClientAuth(false);
          break;
        case REQUIRED:
          sslEngine.setWantClientAuth(true);
          sslEngine.setNeedClientAuth(true);
          break;
        case OPTIONAL:
        default:
          sslEngine.setNeedClientAuth(false);
          sslEngine.setWantClientAuth(true);
          break;
      }

      return sslEngine;
    } catch (Exception e) {
      logger.traceException(e);
      ResultCode resCode = DirectoryServer.getServerErrorResultCode();
      LocalizableMessage message =
          ERR_CONNHANDLER_SSL_CANNOT_INITIALIZE.get(getExceptionMessage(e));
      throw new DirectoryException(resCode, message, e);
    }
  }
Exemplo n.º 5
0
 private SSLEngine makeSSLEngine(TLSParams p, SSLContext ctx) {
   SSLEngine eng = ctx.createSSLEngine();
   if (p.getCiphers() != null) {
     eng.setEnabledCipherSuites(p.getCiphers().toArray(new String[p.getCiphers().size()]));
   }
   if (p.isClientAuthRequired()) {
     eng.setNeedClientAuth(true);
   } else if (p.isClientAuthRequested()) {
     eng.setWantClientAuth(true);
   }
   eng.setUseClientMode(false);
   return eng;
 }
 public void initalize(final SSLEngine sslengine) throws SSLException {
   if (clientAuth != null) {
     switch (clientAuth) {
       case OPTIONAL:
         sslengine.setWantClientAuth(true);
         break;
       case REQUIRED:
         sslengine.setNeedClientAuth(true);
     }
   }
   // set handshake protocols if they are specified in transport
   // configuration.
   if (httpsProtocols != null) {
     sslengine.setEnabledProtocols(httpsProtocols);
   }
 }
Exemplo n.º 7
0
 /** {@inheritDoc} */
 @Override
 public <T> T setOption(final Option<T> option, final T value)
     throws IllegalArgumentException, IOException {
   if (option == Options.SSL_CLIENT_AUTH_MODE) {
     try {
       return option.cast(
           engine.getNeedClientAuth()
               ? SslClientAuthMode.REQUIRED
               : engine.getWantClientAuth()
                   ? SslClientAuthMode.REQUESTED
                   : SslClientAuthMode.NOT_REQUESTED);
     } finally {
       engine.setNeedClientAuth(value == SslClientAuthMode.REQUIRED);
       engine.setWantClientAuth(value == SslClientAuthMode.REQUESTED);
     }
   } else if (option == Options.SECURE) {
     throw new IllegalArgumentException();
   } else {
     return delegate.setOption(option, value);
   }
 }