@Override public ByteChannel wrapChannel(SocketChannel channel, SelectionKey key) throws IOException { SSLEngine e = sslcontext.createSSLEngine(); if (enabledProtocols != null) { e.setEnabledProtocols(enabledProtocols); } if (enabledCiphersuites != null) { e.setEnabledCipherSuites(enabledCiphersuites); } e.setUseClientMode(false); return new SSLSocketChannel2(channel, e, exec, key); }
@Override public ByteChannel wrapChannel( SocketChannel channel, SelectionKey key ) throws IOException { SSLEngine e = sslcontext.createSSLEngine(); /* * See https://github.com/TooTallNate/Java-WebSocket/issues/466 * * We remove TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 from the enabled ciphers since it is just available when you patch your java installation directly. * E.g. firefox requests this cipher and this causes some dcs/instable connections */ List<String> ciphers = new ArrayList<String>( Arrays.asList(e.getEnabledCipherSuites())); ciphers.remove("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"); e.setEnabledCipherSuites( ciphers.toArray( new String[ciphers.size()] ) ); e.setUseClientMode( false ); return new SSLSocketChannel2( channel, e, exec, key ); }
/** * A utility method that implements the shared functionality of getClientModeSSLEngine and getServerModeSSLEngine. * * This method is used to initialize and pre-configure an instance of SSLEngine for a particular connection type. * The returned value lacks further configuration. In most cases, developers will want to use getClientModeSSLEngine * or getServerModeSSLEngine instead of this method. * * @return A new pre-configured SSLEngine instance (never null). */ private SSLEngine createSSLEngine() throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException { final SSLContext sslContext = getSSLContext(); final SSLEngine sslEngine = sslContext.createSSLEngine(); // Configure protocol support. final Set<String> protocols = configuration.getEncryptionProtocols(); if ( !protocols.isEmpty() ) { // When an explicit list of enabled protocols is defined, use only those (otherwise, an implementation-specific default will be used). sslEngine.setEnabledProtocols( protocols.toArray( new String[ protocols.size() ] ) ); } // Configure cipher suite support. final Set<String> cipherSuites = configuration.getEncryptionCipherSuites(); if ( !cipherSuites.isEmpty() ) { // When an explicit list of enabled protocols is defined, use only those (otherwise, an implementation-specific default will be used).. sslEngine.setEnabledCipherSuites( cipherSuites.toArray( new String[ cipherSuites.size() ] ) ); } return sslEngine; }
private SSLEngine createSslEngine(SSLContext sslContext, String peerHost, int peerPort) { SSLEngine sslEngine = sslContext.createSSLEngine(peerHost, peerPort); if (cipherSuites != null) sslEngine.setEnabledCipherSuites(cipherSuites); if (enabledProtocols != null) sslEngine.setEnabledProtocols(enabledProtocols); // SSLParameters#setEndpointIdentificationAlgorithm enables endpoint validation // only in client mode. Hence, validation is enabled only for clients. if (mode == Mode.SERVER) { sslEngine.setUseClientMode(false); if (needClientAuth) sslEngine.setNeedClientAuth(needClientAuth); else sslEngine.setWantClientAuth(wantClientAuth); } else { sslEngine.setUseClientMode(true); SSLParameters sslParams = sslEngine.getSSLParameters(); sslParams.setEndpointIdentificationAlgorithm(endpointIdentification); sslEngine.setSSLParameters(sslParams); } return sslEngine; }
/** * Sets various SSL handshake parameters based on the SSLParameter * argument. Specifically, sets the SSLEngine's enabled cipher * suites if the parameter's cipher suites are non-null. Similarly * sets the enabled protocols. If the parameters specify the want * or need for client authentication, those requirements are set * on the SSLEngine, otherwise both are set to false. * @since 1.6 */ public void setSSLParameters(SSLParameters p) { String[] cipherSuites = p.getCipherSuites(); if (cipherSuites != null) { setEnabledCipherSuites(cipherSuites); } String[] protocols = p.getProtocols(); if (protocols != null) { setEnabledProtocols(protocols); } if (p.getNeedClientAuth()) { setNeedClientAuth(true); } else if (p.getWantClientAuth()) { setWantClientAuth(true); } else { setWantClientAuth(false); } } }
/** * Creates an SSL engine each time a connection is established. * * <p> * * <p>You might want to override this if you need to fine-tune the engine's configuration (for * example enabling hostname verification). * * @param channel the Netty channel for that connection. * @return the engine. */ protected SSLEngine newSSLEngine(@SuppressWarnings("unused") SocketChannel channel) { SSLEngine engine = context.createSSLEngine(); engine.setUseClientMode(true); if (cipherSuites != null) engine.setEnabledCipherSuites(cipherSuites); return engine; }
@Override public final SSLEngine newEngine(String peerHost, int peerPort) { SSLEngine engine = context().createSSLEngine(peerHost, peerPort); engine.setEnabledCipherSuites(cipherSuites); engine.setEnabledProtocols(PROTOCOLS); engine.setUseClientMode(isClient()); return wrapEngine(engine); }
public static SSLEngine createSSLEngine(SSLOption option, SSLCustom custom) { SSLContext context = createSSLContext(option, custom); SSLEngine engine = context.createSSLEngine(); engine.setEnabledProtocols(option.getProtocols().split(",")); String[] supported = engine.getSupportedCipherSuites(); String[] eanbled = option.getCiphers().split(","); engine.setEnabledCipherSuites(getEnabledCiphers(supported, eanbled)); engine.setNeedClientAuth(option.isAuthPeer()); return engine; }
/** * Creates an SSL engine each time a connection is established. * * <p>You might want to override this if you need to fine-tune the engine's configuration (for * example enabling hostname verification). * * @param channel the Netty channel for that connection. * @param remoteEndpoint the remote endpoint we are connecting to. * @return the engine. * @since 3.2.0 */ protected SSLEngine newSSLEngine( @SuppressWarnings("unused") SocketChannel channel, InetSocketAddress remoteEndpoint) { SSLEngine engine = remoteEndpoint == null ? context.createSSLEngine() : context.createSSLEngine(remoteEndpoint.getHostName(), remoteEndpoint.getPort()); engine.setUseClientMode(true); if (cipherSuites != null) engine.setEnabledCipherSuites(cipherSuites); return engine; }
@Override public final SSLEngine newEngine() { SSLEngine engine = context().createSSLEngine(); engine.setEnabledCipherSuites(cipherSuites); engine.setEnabledProtocols(PROTOCOLS); engine.setUseClientMode(isClient()); return wrapEngine(engine); }
public static SSLEngine createSSLEngine(SSLOption option, SSLCustom custom, String peerHost, int peerPort) { SSLContext context = createSSLContext(option, custom); SSLEngine engine = context.createSSLEngine(peerHost, peerPort); engine.setEnabledProtocols(option.getProtocols().split(",")); String[] supported = engine.getSupportedCipherSuites(); String[] eanbled = option.getCiphers().split(","); engine.setEnabledCipherSuites(getEnabledCiphers(supported, eanbled)); engine.setNeedClientAuth(option.isAuthPeer()); return engine; }
@Override public void onPostCreate(SSLEngine e) { e.setEnabledCipherSuites(enabledCipherSuites); e.setUseClientMode(false); } };
private Optional<SSLEngine> getSslEngine(boolean useClientMode) { return getSslContext().map(sslContext -> { SSLEngine sslEngine = sslContext.createSSLEngine(); sslEngine.setUseClientMode(useClientMode); sslEngine.setEnabledProtocols( getFilteredProtocols(sslEngine.getEnabledProtocols())); sslEngine.setEnabledCipherSuites( getFilteredCipherSuites(sslEngine.getEnabledCipherSuites())); return sslEngine; }); }
public static boolean validateProtocolAndCiphers(SSLEngine eng, LoggerShim logger, BasicSettings basicSettings) { try { String[] defaultProtocols = eng.getEnabledProtocols(); logger.info("ROR SSL: Available ciphers: " + Joiner.on(",").join(eng.getEnabledCipherSuites())); basicSettings.getAllowedSSLCiphers() .map(x -> x.toArray(new String[x.size()])) .ifPresent(p -> { eng.setEnabledCipherSuites(p); logger.info("ROR SSL: Restricting to ciphers: " + Joiner.on(",").join(eng.getEnabledCipherSuites())); }); logger.info("ROR SSL: Available SSL protocols: " + Joiner.on(",").join(defaultProtocols)); basicSettings.getAllowedSSLProtocols() .map(x -> x.toArray(new String[x.size()])) .ifPresent(p -> { eng.setEnabledProtocols(p); logger.info("ROR SSL: Restricting to SSL protocols: " + Joiner.on(",").join(eng.getEnabledProtocols())); }); return true; } catch (Exception e) { logger.error("ROR SSL: cannot validate SSL protocols and ciphers! " + e.getClass().getSimpleName() + ": " + e.getMessage(), e); return false; } }
@Override public void onPostCreate(SSLEngine e) { e.setEnabledCipherSuites(enabledCipherSuites); e.setUseClientMode(false); } };
public void configureEngine(SSLEngine engine, String serverName) { if (enabledCipherSuites != null && !enabledCipherSuites.isEmpty()) { String[] toUse = enabledCipherSuites.toArray(new String[enabledCipherSuites.size()]); engine.setEnabledCipherSuites(toUse); engine.setUseClientMode(client); Set<String> protocols = new LinkedHashSet<>(enabledProtocols); protocols.retainAll(Arrays.asList(engine.getSupportedProtocols())); log.warn("no SSL/TLS protocols are enabled due to configuration restrictions"); engine.setEnabledProtocols(protocols.toArray(new String[protocols.size()])); if (!client) { switch (getClientAuth()) {
private void setSslParams(final SSLEngine engine) { if (enabledCipherSuites.length > 0) { engine.setEnabledCipherSuites(enabledCipherSuites); } if (enabledProtocols.length > 0) { engine.setEnabledProtocols(enabledProtocols); } }
protected final SslHandler createSslHandler() { SSLEngine sslEngine = sslContext.createSSLEngine(); sslEngine.setUseClientMode(false); String[] suites = SSLFactory.filterCipherSuites(sslEngine.getSupportedCipherSuites(), encryptionOptions.cipher_suites); sslEngine.setEnabledCipherSuites(suites); sslEngine.setNeedClientAuth(encryptionOptions.require_client_auth); return new SslHandler(sslEngine); } }
optionMap.get(Options.SSL_PEER_PORT, peerAddress.getPort()) ); engine.setUseClientMode(client); engine.setEnableSessionCreation(optionMap.get(Options.SSL_ENABLE_SESSION_CREATION, true)); final Sequence<String> cipherSuites = optionMap.get(Options.SSL_ENABLED_CIPHER_SUITES); engine.setEnabledCipherSuites(finalList.toArray(new String[finalList.size()])); engine.setEnabledProtocols(finalList.toArray(new String[finalList.size()]));
private void setSslParams(final SSLEngine engine) { if (enabledCipherSuites.length > 0) { engine.setEnabledCipherSuites(enabledCipherSuites); } if (enabledProtocols.length > 0) { engine.setEnabledProtocols(enabledProtocols); } }