Пример #1
  /**
   * Builds a server-mode {@link SSLEngine} for the given SNI host name.
   *
   * <p>The host configuration is looked up from {@code sniHostName}, a certificate is chosen
   * against the ciphers the client offered, and the engine is created from that certificate's
   * SSL context wrapper. The client-certificate policy, enabled cipher suites, enabled protocols
   * and cipher-order preference are then applied to the engine.
   *
   * @param sniHostName host name used to look up the host configuration; it is also passed to
   *     the error message when no SSL context is available
   * @param clientRequestedCiphers ciphers offered by the client, handed to certificate selection
   * @return the configured engine
   * @throws IllegalStateException if the selected certificate has no SSL context wrapper
   */
  protected SSLEngine createSSLEngine(String sniHostName, List<Cipher> clientRequestedCiphers) {
    SSLHostConfig hostConfig = getSSLHostConfig(sniHostName);
    SSLHostConfigCertificate chosenCertificate =
        selectCertificate(hostConfig, clientRequestedCiphers);

    SSLContextWrapper contextWrapper = chosenCertificate.getSslContextWrapper();
    if (contextWrapper == null) {
      // NOTE(review): sniHostName presumably originates from the client's SNI extension;
      // confirm the message is encoded safely wherever it ends up being logged or shown.
      throw new IllegalStateException(sm.getString("endpoint.jsse.noSslContext", sniHostName));
    }

    SSLEngine sslEngine = contextWrapper.getSSLContext().createSSLEngine();

    // Map the configured client-certificate policy onto the engine. There is no default
    // branch: a value other than the four below leaves the engine's own defaults in place.
    switch (hostConfig.getCertificateVerification()) {
      case NONE:
        // Neither request nor require a client certificate.
        sslEngine.setNeedClientAuth(false);
        sslEngine.setWantClientAuth(false);
        break;
      case OPTIONAL:
      case OPTIONAL_NO_CA:
        // Both optional modes are handled identically here: a client certificate is requested
        // but not required. Callers must not treat the peer as authenticated unless a
        // certificate was actually presented.
        sslEngine.setWantClientAuth(true);
        break;
      case REQUIRED:
        // A client certificate is mandatory.
        sslEngine.setNeedClientAuth(true);
        break;
    }

    sslEngine.setUseClientMode(false);
    // Restrict the engine to the suites and protocol versions held by the context wrapper.
    sslEngine.setEnabledCipherSuites(contextWrapper.getEnabledCiphers());
    sslEngine.setEnabledProtocols(contextWrapper.getEnabledProtocols());

    SSLParameters engineParameters = sslEngine.getSSLParameters();
    engineParameters.setUseCipherSuitesOrder(hostConfig.getHonorCipherOrder());
    // Write the parameters back explicitly in case the getter handed out a defensive copy.
    sslEngine.setSSLParameters(engineParameters);

    return sslEngine;
  }
Пример #2
  /**
   * Chooses the certificate to present for a connection.
   *
   * <p>When the host has exactly one certificate it is returned immediately. Otherwise the
   * ciphers common to server and client are walked in preference order (server order when
   * {@code getHonorCipherOrder()} is true, client order otherwise) and the first certificate
   * whose type is compatible with a cipher's authentication algorithm is returned.
   *
   * @param sslHostConfig host configuration supplying the certificates and the server cipher list
   * @param clientCiphers ciphers offered by the client
   * @return the first compatible certificate, or the first configured certificate when nothing
   *     matches
   */
  private SSLHostConfigCertificate selectCertificate(
      SSLHostConfig sslHostConfig, List<Cipher> clientCiphers) {

    Set<SSLHostConfigCertificate> configuredCertificates = sslHostConfig.getCertificates(true);
    if (configuredCertificates.size() == 1) {
      // Nothing to choose between.
      return configuredCertificates.iterator().next();
    }

    LinkedHashSet<Cipher> serverCiphers = sslHostConfig.getCipherList();

    // Intersect the two cipher lists. retainAll keeps the order of the list being filtered, so
    // the list copied first decides whose preference order wins.
    List<Cipher> sharedCiphers;
    if (sslHostConfig.getHonorCipherOrder()) {
      sharedCiphers = new ArrayList<>(serverCiphers);
      sharedCiphers.retainAll(clientCiphers);
    } else {
      sharedCiphers = new ArrayList<>(clientCiphers);
      sharedCiphers.retainAll(serverCiphers);
    }

    for (Cipher sharedCipher : sharedCiphers) {
      for (SSLHostConfigCertificate configured : configuredCertificates) {
        if (configured.getType().isCompatibleWith(sharedCipher.getAu())) {
          return configured;
        }
      }
    }

    // Nothing matched. Fall back to the first certificate; the handshake is then expected to
    // fail because no cipher is shared, so this is not a silent downgrade path.
    return configuredCertificates.iterator().next();
  }
Пример #3
 /**
  * Detaches the SSL context wrapper from every certificate of every configured host.
  *
  * <p>Each certificate's wrapper reference is set to {@code null}; nothing else is released
  * here.
  *
  * @throws Exception declared by the overridden method; this body throws none explicitly
  */
 @Override
 public void unbind() throws Exception {
   for (SSLHostConfig hostConfig : sslHostConfigs.values()) {
     for (SSLHostConfigCertificate hostCertificate : hostConfig.getCertificates(true)) {
       // Drop the reference to the wrapper (and with it the context built from key material).
       hostCertificate.setSslContextWrapper(null);
     }
   }
 }
Пример #4
  /**
   * Creates and attaches an SSL context for every certificate of every configured host.
   *
   * <p>Does nothing when SSL is not enabled. Otherwise the SSL implementation is resolved by
   * name, and for each host/certificate pair a context is created, initialised with that pair's
   * key and trust managers, and stored on the certificate inside an {@code SSLContextWrapper}.
   *
   * @throws Exception if resolving the implementation or creating or initialising a context
   *     fails
   */
  protected void initialiseSsl() throws Exception {
    if (!isSSLEnabled()) {
      return;
    }

    sslImplementation = SSLImplementation.getInstance(getSslImplementationName());

    for (SSLHostConfig hostConfig : sslHostConfigs.values()) {
      for (SSLHostConfigCertificate hostCertificate : hostConfig.getCertificates(true)) {
        SSLUtil util = sslImplementation.getSSLUtil(hostConfig, hostCertificate);

        SSLContext context = util.createSSLContext(negotiableProtocols);
        // Key and trust managers come from the per-certificate SSLUtil. No random source is
        // passed (third argument is null).
        // NOTE(review): presumably the implementation then uses its default secure random
        // source - confirm for the configured SSL implementation.
        context.init(util.getKeyManagers(), util.getTrustManagers(), null);

        // Session settings are applied only when a server session context is available.
        SSLSessionContext serverSessions = context.getServerSessionContext();
        if (serverSessions != null) {
          util.configureSessionContext(serverSessions);
        }

        hostCertificate.setSslContextWrapper(new SSLContextWrapper(context, util));
      }
    }
  }