/**
 * Entry point: starts a NIO socket acceptor on {@code PORT} that requires a client
 * certificate during the TLS handshake and decodes the payload as UTF-8 text lines.
 *
 * @param args command-line arguments (not used)
 * @throws Exception any failure while building the TLS context or binding the port is
 *                   propagated unchanged
 */
public static void main(String[] args) throws Exception {
    // Server-side connector; SO_REUSEADDR avoids bind failures on a quick restart.
    SocketAcceptor server = new NioSocketAcceptor();
    server.setReuseAddress(true);
    DefaultIoFilterChainBuilder filters = server.getFilterChain();

    // TLS filter goes first in the chain. BogusSslContextFactory is a sample factory;
    // a real deployment supplies its own key and trust material here.
    SslFilter tls = new SslFilter(BogusSslContextFactory.getInstance(true));
    // Mutual TLS: the handshake fails unless the peer presents an acceptable certificate.
    tls.setNeedClientAuth(true);
    filters.addLast("sslFilter", tls);

    // Behind the TLS filter, frame the decrypted stream into UTF-8 text lines.
    TextLineCodecFactory lineCodec = new TextLineCodecFactory(Charset.forName("UTF-8"));
    ProtocolCodecFilter codec = new ProtocolCodecFilter(lineCodec);
    filters.addLast("codec", codec);

    server.setHandler(new TLSServerHandler());
    // Bind and start accepting connections on the configured port.
    server.bind(new InetSocketAddress(PORT));
    // NOTE(review): "[PORT]" is literal text in the message; if this is an SLF4J-style
    // logger the PORT argument is only substituted for "{}" — confirm the intent.
    logger.debug("服务器在 [PORT] 等待连接...", PORT);
}
/**
 * Switches this connection to TLS by inserting a MINA {@link SslFilter} into the
 * session's filter chain.
 *
 * Key material always comes from {@code SSLConfig.getKeyStore()}; the trust store is
 * chosen by connection type, which is derived solely from {@code remoteServer}:
 * {@code null} means client-to-server (c2s), anything else server-to-server (s2s).
 * In server mode the method also sends the XMPP {@code <proceed/>} element in the
 * clear so the peer knows the handshake may begin.
 *
 * @param clientMode     {@code true} to act as the TLS client (outbound side),
 *                       {@code false} to act as the TLS server
 * @param remoteServer   name of the remote server for an s2s connection, or {@code null}
 *                       for a c2s connection; it is handed to {@code ServerTrustManager}
 *                       (presumably for matching the presented certificate — confirm)
 * @param authentication whether a peer certificate is required ({@code needed}),
 *                       merely requested ({@code wanted}), or not asked for
 * @throws Exception anything thrown while loading key/trust stores, building the
 *                   {@link SSLContext} or installing the filter is propagated unchanged
 */
public void startTLS(boolean clientMode, String remoteServer, ClientAuth authentication) throws Exception {
    // Connection type is inferred from the presence of a remote server name only.
    boolean c2s = (remoteServer == null);
    KeyStore ksKeys = SSLConfig.getKeyStore();
    // Passwords arrive as String from SSLConfig and therefore cannot be wiped after use.
    String keypass = SSLConfig.getKeyPassword();
    KeyStore ksTrust = (c2s ? SSLConfig.getc2sTrustStore() : SSLConfig.gets2sTrustStore());
    String trustpass = (c2s ? SSLConfig.getc2sTrustPassword() : SSLConfig.gets2sTrustPassword());
    if (c2s)
        Log.debug("NIOConnection: startTLS: using c2s");
    else
        Log.debug("NIOConnection: startTLS: using s2s");
    // KeyManagers decide which key material to present to the peer.
    KeyManager[] km = SSLJiveKeyManagerFactory.getKeyManagers(ksKeys, keypass);
    // TrustManagers decide whether the peer's certificate is accepted.
    TrustManager[] tm = SSLJiveTrustManagerFactory.getTrustManagers(ksTrust, trustpass);
    if (clientMode || authentication == ClientAuth.needed || authentication == ClientAuth.wanted) {
        // We might need to verify a certificate from our peer, so swap in a purpose-built
        // TrustManager. The choice below follows c2s/s2s rather than clientMode, so a
        // clientMode call without a remoteServer ends up with a ClientTrustManager —
        // confirm that combination is never reached by the callers.
        if (c2s) {
            // Check if we can trust certificates presented by the client
            tm = new TrustManager[] {new ClientTrustManager(ksTrust)};
        } else {
            // Check if we can trust certificates presented by the server
            tm = new TrustManager[] {new ServerTrustManager(remoteServer, ksTrust, this)};
        }
    }
    // The Client.TLS_ALGORITHM property is consulted for s2s connections as well.
    String algorithm = JiveGlobals.getProperty(ConnectionSettings.Client.TLS_ALGORITHM, "TLS");
    SSLContext tlsContext = SSLContext.getInstance(algorithm);
    // A null SecureRandom selects the provider's default source of randomness.
    tlsContext.init(km, tm, null);
    SslFilter filter = new SslFilter(tlsContext);
    filter.setUseClientMode(clientMode);
    // Disable SSLv3 due to POODLE vulnerability.
    // NOTE(review): TLSv1 and TLSv1.1 are deprecated by RFC 8996 and TLSv1.3 is absent
    // from this list; whether it can be tightened depends on the JVM and on the peers
    // this server must interoperate with — review before changing.
    filter.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"});
    if (authentication == ClientAuth.needed) {
        // The handshake fails unless the peer presents a certificate the TrustManager accepts.
        filter.setNeedClientAuth(true);
    } else if (authentication == ClientAuth.wanted) {
        // Just indicate that we would like to authenticate the client but if client
        // certificates are self-signed or have no certificate chain then we are still
        // good
        filter.setWantClientAuth(true);
    }
    // Insert the TLS filter directly after the executor filter of this session's chain.
    ioSession.getFilterChain().addAfter(EXECUTOR_FILTER_NAME, TLS_FILTER_NAME, filter);
    // DISABLE_ENCRYPTION_ONCE makes the next write request bypass the SslFilter, so the
    // <proceed/> below leaves in cleartext before the handshake starts. Nothing here
    // clears the flag in client mode, so there it presumably applies to whatever is
    // written next — confirm against the callers.
    ioSession.setAttribute(SslFilter.DISABLE_ENCRYPTION_ONCE, Boolean.TRUE);
    if (!clientMode) {
        // Indicate the client that the server is ready to negotiate TLS
        deliverRawText("<proceed xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\"/>");
    }
}