ctx = SSLContext.make(protocolOpts, mode); } catch (Exception e) { throw new SSLException("failed to create an SSL_CTX", e); SSLContext.setCipherSuite(ctx, StringUtil.EMPTY_STRING, false); if (tlsv13Supported) { SSLContext.setCipherSuite(ctx, StringUtil.EMPTY_STRING, true); SSLContext.setCipherSuite(ctx, cipherBuilder.toString(), false); if (tlsv13Supported) { SSLContext.setCipherSuite(ctx, cipherTLSv13Builder.toString(), true); int options = SSLContext.getOptions(ctx) | SSL.SSL_OP_NO_SSLv2 | SSL.SSL_OP_NO_SSLv3 | SSLContext.setOptions(ctx, options); SSLContext.setMode(ctx, SSLContext.getMode(ctx) | SSL.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); SSLContext.setTmpDHLength(ctx, DH_KEY_LENGTH); SSLContext.setNpnProtos(ctx, appProtocols, selectorBehavior); break; case ALPN: SSLContext.setAlpnProtos(ctx, appProtocols, selectorBehavior); break;
/** * Sets the SSL session ticket keys of this context. */ public void setTicketKeys(OpenSslSessionTicketKey... keys) { ObjectUtil.checkNotNull(keys, "keys"); SessionTicketKey[] ticketKeys = new SessionTicketKey[keys.length]; for (int i = 0; i < ticketKeys.length; i++) { ticketKeys[i] = keys[i].key; } Lock writerLock = context.ctxLock.writeLock(); writerLock.lock(); try { SSLContext.clearOptions(context.ctx, SSL.SSL_OP_NO_TICKET); SSLContext.setSessionTicketKeys(context.ctx, ticketKeys); } finally { writerLock.unlock(); } }
private void destroy() { Lock writerLock = ctxLock.writeLock(); writerLock.lock(); try { if (ctx != 0) { if (enableOcsp) { SSLContext.disableOcsp(ctx); } SSLContext.free(ctx); ctx = 0; OpenSslSessionContext context = sessionContext(); if (context != null) { context.destroy(); } } } finally { writerLock.unlock(); } }
private static boolean doesSupportProtocol(int protocol, int opt) { if (opt == 0) { // If the opt is 0 the protocol is not supported. This is for example the case with BoringSSL and SSLv2. return false; } long sslCtx = -1; try { sslCtx = SSLContext.make(protocol, SSL.SSL_MODE_COMBINED); return true; } catch (Exception ignore) { return false; } finally { if (sslCtx != -1) { SSLContext.free(sslCtx); } } }
private static boolean doesSupportOcsp() { boolean supportsOcsp = false; if (version() >= 0x10002000L) { long sslCtx = -1; try { sslCtx = SSLContext.make(SSL.SSL_PROTOCOL_TLSV1_2, SSL.SSL_MODE_SERVER); SSLContext.enableOcsp(sslCtx, false); supportsOcsp = true; } catch (Exception ignore) { // ignore } finally { if (sslCtx != -1) { SSLContext.free(sslCtx); } } } return supportsOcsp; } private static boolean doesSupportProtocol(int protocol, int opt) {
@Override public boolean isSessionCacheEnabled() { Lock readerLock = context.ctxLock.readLock(); readerLock.lock(); try { return SSLContext.getSessionCacheMode(context.ctx) == SSL.SSL_SESS_CACHE_SERVER; } finally { readerLock.unlock(); } }
@Override public int getSessionTimeout() { Lock readerLock = context.ctxLock.readLock(); readerLock.lock(); try { return (int) SSLContext.getSessionCacheTimeout(context.ctx); } finally { readerLock.unlock(); } }
@Override public int getSessionCacheSize() { Lock readerLock = context.ctxLock.readLock(); readerLock.lock(); try { return (int) SSLContext.getSessionCacheSize(context.ctx); } finally { readerLock.unlock(); } }
/** * Cipher Suite available for negotiation in SSL handshake. * <br> * This complex directive uses a colon-separated cipher-spec string consisting * of OpenSSL cipher specifications to configure the Cipher Suite the client * is permitted to negotiate in the SSL handshake phase. Notice that this * directive can be used both in per-server and per-directory context. * In per-server context it applies to the standard SSL handshake when a * connection is established. In per-directory context it forces a SSL * renegotiation with the reconfigured Cipher Suite after the HTTP request * was read but before the HTTP response is sent. * @param ctx Server or Client context to use. * @param ciphers An SSL cipher specification. * @return {@code true} if successful * @throws Exception if an error happened * @deprecated Use {@link #setCipherSuite(long, String, boolean)}. */ @Deprecated public static boolean setCipherSuite(long ctx, String ciphers) throws Exception { return setCipherSuite(ctx, ciphers, false); }
private static boolean doesSupportOcsp() { boolean supportsOcsp = false; if (version() >= 0x10002000L) { long sslCtx = -1; try { sslCtx = SSLContext.make(SSL.SSL_PROTOCOL_TLSV1_2, SSL.SSL_MODE_SERVER); SSLContext.enableOcsp(sslCtx, false); supportsOcsp = true; } catch (Exception ignore) { // ignore } finally { if (sslCtx != -1) { SSLContext.free(sslCtx); } } } return supportsOcsp; } private static boolean doesSupportProtocol(int protocol, int opt) {
private static boolean doesSupportProtocol(int protocol, int opt) { if (opt == 0) { // If the opt is 0 the protocol is not supported. This is for example the case with BoringSSL and SSLv2. return false; } long sslCtx = -1; try { sslCtx = SSLContext.make(protocol, SSL.SSL_MODE_COMBINED); return true; } catch (Exception ignore) { return false; } finally { if (sslCtx != -1) { SSLContext.free(sslCtx); } } }
@Override public boolean isSessionCacheEnabled() { Lock readerLock = context.ctxLock.readLock(); readerLock.lock(); try { return SSLContext.getSessionCacheMode(context.ctx) == SSL.SSL_SESS_CACHE_SERVER; } finally { readerLock.unlock(); } }
@Override public int getSessionTimeout() { Lock readerLock = context.ctxLock.readLock(); readerLock.lock(); try { return (int) SSLContext.getSessionCacheTimeout(context.ctx); } finally { readerLock.unlock(); } }
@Override public int getSessionCacheSize() { Lock readerLock = context.ctxLock.readLock(); readerLock.lock(); try { return (int) SSLContext.getSessionCacheSize(context.ctx); } finally { readerLock.unlock(); } }
/** * Cipher Suite available for negotiation in SSL handshake. * <br> * This complex directive uses a colon-separated cipher-spec string consisting * of OpenSSL cipher specifications to configure the Cipher Suite the client * is permitted to negotiate in the SSL handshake phase. Notice that this * directive can be used both in per-server and per-directory context. * In per-server context it applies to the standard SSL handshake when a * connection is established. In per-directory context it forces a SSL * renegotiation with the reconfigured Cipher Suite after the HTTP request * was read but before the HTTP response is sent. * @param ctx Server or Client context to use. * @param ciphers An SSL cipher specification. * @return {@code true} if successful * @throws Exception if an error happened * @deprecated Use {@link #setCipherSuite(long, String, boolean)}. */ @Deprecated public static boolean setCipherSuite(long ctx, String ciphers) throws Exception { return setCipherSuite(ctx, ciphers, false); }
try { try { ctx = SSLContext.make(SSL.SSL_PROTOCOL_ALL, mode); } catch (Exception e) { throw new SSLException("failed to create an SSL_CTX", e); SSLContext.setOptions(ctx, SSLContext.getOptions(ctx) | SSL.SSL_OP_NO_SSLv2 | SSL.SSL_OP_NO_SSLv3 | SSLContext.setMode(ctx, SSLContext.getMode(ctx) | SSL.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); SSLContext.setTmpDHLength(ctx, DH_KEY_LENGTH); SSLContext.setCipherSuite(ctx, CipherSuiteConverter.toOpenSsl(unmodifiableCiphers)); } catch (SSLException e) { throw e; SSLContext.setNpnProtos(ctx, appProtocols, selectorBehavior); break; case ALPN: SSLContext.setAlpnProtos(ctx, appProtocols, selectorBehavior); break; case NPN_AND_ALPN: SSLContext.setNpnProtos(ctx, appProtocols, selectorBehavior); SSLContext.setAlpnProtos(ctx, appProtocols, selectorBehavior); break; default:
private static boolean doesSupportOcsp() { boolean supportsOcsp = false; if (version() >= 0x10002000L) { long sslCtx = -1; try { sslCtx = SSLContext.make(SSL.SSL_PROTOCOL_TLSV1_2, SSL.SSL_MODE_SERVER); SSLContext.enableOcsp(sslCtx, false); supportsOcsp = true; } catch (Exception ignore) { // ignore } finally { if (sslCtx != -1) { SSLContext.free(sslCtx); } } } return supportsOcsp; } private static boolean doesSupportProtocol(int protocol, int opt) {
/** * Sets the SSL session ticket keys of this context. * @deprecated use {@link #setTicketKeys(OpenSslSessionTicketKey...)}. */ @Deprecated public void setTicketKeys(byte[] keys) { if (keys.length % SessionTicketKey.TICKET_KEY_SIZE != 0) { throw new IllegalArgumentException("keys.length % " + SessionTicketKey.TICKET_KEY_SIZE + " != 0"); } SessionTicketKey[] tickets = new SessionTicketKey[keys.length / SessionTicketKey.TICKET_KEY_SIZE]; for (int i = 0, a = 0; i < tickets.length; i++) { byte[] name = Arrays.copyOfRange(keys, a, SessionTicketKey.NAME_SIZE); a += SessionTicketKey.NAME_SIZE; byte[] hmacKey = Arrays.copyOfRange(keys, a, SessionTicketKey.HMAC_KEY_SIZE); i += SessionTicketKey.HMAC_KEY_SIZE; byte[] aesKey = Arrays.copyOfRange(keys, a, SessionTicketKey.AES_KEY_SIZE); a += SessionTicketKey.AES_KEY_SIZE; tickets[i] = new SessionTicketKey(name, hmacKey, aesKey); } Lock writerLock = context.ctxLock.writeLock(); writerLock.lock(); try { SSLContext.clearOptions(context.ctx, SSL.SSL_OP_NO_TICKET); SSLContext.setSessionTicketKeys(context.ctx, tickets); } finally { writerLock.unlock(); } }
private static boolean doesSupportProtocol(int protocol, int opt) { if (opt == 0) { // If the opt is 0 the protocol is not supported. This is for example the case with BoringSSL and SSLv2. return false; } long sslCtx = -1; try { sslCtx = SSLContext.make(protocol, SSL.SSL_MODE_COMBINED); return true; } catch (Exception ignore) { return false; } finally { if (sslCtx != -1) { SSLContext.free(sslCtx); } } }
private void destroy() { Lock writerLock = ctxLock.writeLock(); writerLock.lock(); try { if (ctx != 0) { if (enableOcsp) { SSLContext.disableOcsp(ctx); } SSLContext.free(ctx); ctx = 0; OpenSslSessionContext context = sessionContext(); if (context != null) { context.destroy(); } } } finally { writerLock.unlock(); } }