/** * Apply engine modifications that will exist in any use-case of TLS * * @param sslEngine the ssl engine that will be used for the connections. Is mutated. * @return the updated sslEngine (should be the same as the original, but don't rely on that) */ @Override public SSLEngine apply( SSLEngine sslEngine ) { if ( tlsVersions != null ) { sslEngine.setEnabledProtocols( tlsVersions ); } sslEngine.setUseClientMode( isClient ); return sslEngine; } }
@Override public ByteChannel wrapChannel(SocketChannel channel, SelectionKey key) throws IOException { SSLEngine e = sslcontext.createSSLEngine(); if (enabledProtocols != null) { e.setEnabledProtocols(enabledProtocols); } if (enabledCiphersuites != null) { e.setEnabledCipherSuites(enabledCiphersuites); } e.setUseClientMode(false); return new SSLSocketChannel2(channel, e, exec, key); }
/** * A utility method that implements the shared functionality of getClientModeSSLEngine and getServerModeSSLEngine. * * This method is used to initialize and pre-configure an instance of SSLEngine for a particular connection type. * The returned value lacks further configuration. In most cases, developers will want to use getClientModeSSLEngine * or getServerModeSSLEngine instead of this method. * * @return A new pre-configured SSLEngine instance (never null). */ private SSLEngine createSSLEngine() throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException { final SSLContext sslContext = getSSLContext(); final SSLEngine sslEngine = sslContext.createSSLEngine(); // Configure protocol support. final Set<String> protocols = configuration.getEncryptionProtocols(); if ( !protocols.isEmpty() ) { // When an explicit list of enabled protocols is defined, use only those (otherwise, an implementation-specific default will be used). sslEngine.setEnabledProtocols( protocols.toArray( new String[ protocols.size() ] ) ); } // Configure cipher suite support. final Set<String> cipherSuites = configuration.getEncryptionCipherSuites(); if ( !cipherSuites.isEmpty() ) { // When an explicit list of enabled protocols is defined, use only those (otherwise, an implementation-specific default will be used).. sslEngine.setEnabledCipherSuites( cipherSuites.toArray( new String[ cipherSuites.size() ] ) ); } return sslEngine; }
private SSLEngine createSslEngine(SSLContext sslContext, String peerHost, int peerPort) { SSLEngine sslEngine = sslContext.createSSLEngine(peerHost, peerPort); if (cipherSuites != null) sslEngine.setEnabledCipherSuites(cipherSuites); if (enabledProtocols != null) sslEngine.setEnabledProtocols(enabledProtocols); // SSLParameters#setEndpointIdentificationAlgorithm enables endpoint validation // only in client mode. Hence, validation is enabled only for clients. if (mode == Mode.SERVER) { sslEngine.setUseClientMode(false); if (needClientAuth) sslEngine.setNeedClientAuth(needClientAuth); else sslEngine.setWantClientAuth(wantClientAuth); } else { sslEngine.setUseClientMode(true); SSLParameters sslParams = sslEngine.getSSLParameters(); sslParams.setEndpointIdentificationAlgorithm(endpointIdentification); sslEngine.setSSLParameters(sslParams); } return sslEngine; }
/** * Sets various SSL handshake parameters based on the SSLParameter * argument. Specifically, sets the SSLEngine's enabled cipher * suites if the parameter's cipher suites are non-null. Similarly * sets the enabled protocols. If the parameters specify the want * or need for client authentication, those requirements are set * on the SSLEngine, otherwise both are set to false. * @since 1.6 */ public void setSSLParameters(SSLParameters p) { String[] cipherSuites = p.getCipherSuites(); if (cipherSuites != null) { setEnabledCipherSuites(cipherSuites); } String[] protocols = p.getProtocols(); if (protocols != null) { setEnabledProtocols(protocols); } if (p.getNeedClientAuth()) { setNeedClientAuth(true); } else if (p.getWantClientAuth()) { setWantClientAuth(true); } else { setWantClientAuth(false); } } }
/** * Returns a configured SSLEngine. * * @return the configured SSLEngine. * @throws GeneralSecurityException thrown if the SSL engine could not * be initialized. * @throws IOException thrown if and IO error occurred while loading * the server keystore. */ public SSLEngine createSSLEngine() throws GeneralSecurityException, IOException { SSLEngine sslEngine = context.createSSLEngine(); if (mode == Mode.CLIENT) { sslEngine.setUseClientMode(true); } else { sslEngine.setUseClientMode(false); sslEngine.setNeedClientAuth(requireClientCert); disableExcludedCiphers(sslEngine); } sslEngine.setEnabledProtocols(enabledProtocols); return sslEngine; }
@Override public final SSLEngine newEngine() { SSLEngine engine = context().createSSLEngine(); engine.setEnabledCipherSuites(cipherSuites); engine.setEnabledProtocols(PROTOCOLS); engine.setUseClientMode(isClient()); return wrapEngine(engine); }
public static SSLEngine createSSLEngine(SSLOption option, SSLCustom custom) { SSLContext context = createSSLContext(option, custom); SSLEngine engine = context.createSSLEngine(); engine.setEnabledProtocols(option.getProtocols().split(",")); String[] supported = engine.getSupportedCipherSuites(); String[] eanbled = option.getCiphers().split(","); engine.setEnabledCipherSuites(getEnabledCiphers(supported, eanbled)); engine.setNeedClientAuth(option.isAuthPeer()); return engine; }
/** * Creates an SSL Engine that is configured to use client mode when handshaking. * * For Openfire, an engine of this mode is typically used when the server tries to connect to another server. * * These SSLEngines never send SSLV2 ClientHello messages. * * @return An initialized SSLEngine instance (never null). */ public SSLEngine createClientModeSSLEngine() throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException { final SSLEngine sslEngine = createSSLEngine(); sslEngine.setUseClientMode( true ); final Set<String> protocols = new LinkedHashSet<>( Arrays.asList( sslEngine.getEnabledProtocols() ) ); protocols.remove( "SSLv2Hello" ); sslEngine.setEnabledProtocols( protocols.toArray( new String[ protocols.size() ] ) ); return sslEngine; }
@Override public final SSLEngine newEngine(String peerHost, int peerPort) { SSLEngine engine = context().createSSLEngine(peerHost, peerPort); engine.setEnabledCipherSuites(cipherSuites); engine.setEnabledProtocols(PROTOCOLS); engine.setUseClientMode(isClient()); return wrapEngine(engine); }
public static SSLEngine createSSLEngine(SSLOption option, SSLCustom custom, String peerHost, int peerPort) { SSLContext context = createSSLContext(option, custom); SSLEngine engine = context.createSSLEngine(peerHost, peerPort); engine.setEnabledProtocols(option.getProtocols().split(",")); String[] supported = engine.getSupportedCipherSuites(); String[] eanbled = option.getCiphers().split(","); engine.setEnabledCipherSuites(getEnabledCiphers(supported, eanbled)); engine.setNeedClientAuth(option.isAuthPeer()); return engine; }
sslEngine.setUseClientMode(true); sslEngine.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslEngine.getEnabledProtocols())); sslEngine.beginHandshake(); if (!Link.doHandshake(_clientConnection, sslEngine)) {
private Optional<SSLEngine> getSslEngine(boolean useClientMode) { return getSslContext().map(sslContext -> { SSLEngine sslEngine = sslContext.createSSLEngine(); sslEngine.setUseClientMode(useClientMode); sslEngine.setEnabledProtocols( getFilteredProtocols(sslEngine.getEnabledProtocols())); sslEngine.setEnabledCipherSuites( getFilteredCipherSuites(sslEngine.getEnabledCipherSuites())); return sslEngine; }); }
public static boolean validateProtocolAndCiphers(SSLEngine eng, LoggerShim logger, BasicSettings basicSettings) { try { String[] defaultProtocols = eng.getEnabledProtocols(); logger.info("ROR SSL: Available ciphers: " + Joiner.on(",").join(eng.getEnabledCipherSuites())); basicSettings.getAllowedSSLCiphers() .map(x -> x.toArray(new String[x.size()])) .ifPresent(p -> { eng.setEnabledCipherSuites(p); logger.info("ROR SSL: Restricting to ciphers: " + Joiner.on(",").join(eng.getEnabledCipherSuites())); }); logger.info("ROR SSL: Available SSL protocols: " + Joiner.on(",").join(defaultProtocols)); basicSettings.getAllowedSSLProtocols() .map(x -> x.toArray(new String[x.size()])) .ifPresent(p -> { eng.setEnabledProtocols(p); logger.info("ROR SSL: Restricting to SSL protocols: " + Joiner.on(",").join(eng.getEnabledProtocols())); }); return true; } catch (Exception e) { logger.error("ROR SSL: cannot validate SSL protocols and ciphers! " + e.getClass().getSimpleName() + ": " + e.getMessage(), e); return false; } }
SSLContext sslContext = Link.initManagementSSLContext(caService); sslEngine = sslContext.createSSLEngine(ip, port); sslEngine.setUseClientMode(true); sslEngine.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslEngine.getEnabledProtocols())); sslEngine.beginHandshake(); if (!Link.doHandshake(ch1, sslEngine)) {
public void configureEngine(SSLEngine engine, String serverName) { if (enabledCipherSuites != null && !enabledCipherSuites.isEmpty()) { String[] toUse = enabledCipherSuites.toArray(new String[enabledCipherSuites.size()]); engine.setEnabledCipherSuites(toUse); engine.setUseClientMode(client); Set<String> protocols = new LinkedHashSet<>(enabledProtocols); protocols.retainAll(Arrays.asList(engine.getSupportedProtocols())); log.warn("no SSL/TLS protocols are enabled due to configuration restrictions"); engine.setEnabledProtocols(protocols.toArray(new String[protocols.size()])); if (!client) { switch (getClientAuth()) {
private void setSslParams(final SSLEngine engine) { if (enabledCipherSuites.length > 0) { engine.setEnabledCipherSuites(enabledCipherSuites); } if (enabledProtocols.length > 0) { engine.setEnabledProtocols(enabledProtocols); } }
try { sslEngine = Link.initServerSSLEngine(caService, socketChannel.getRemoteAddress().toString()); sslEngine.setUseClientMode(false); sslEngine.setEnabledProtocols(SSLUtils.getSupportedProtocols(sslEngine.getEnabledProtocols())); final NioConnection nioConnection = this; _sslHandshakeExecutor.submit(new Runnable() {
optionMap.get(Options.SSL_PEER_PORT, peerAddress.getPort()) ); engine.setUseClientMode(true); engine.setEnableSessionCreation(optionMap.get(Options.SSL_ENABLE_SESSION_CREATION, true)); final Sequence<String> cipherSuites = optionMap.get(Options.SSL_ENABLED_CIPHER_SUITES); engine.setEnabledCipherSuites(finalList.toArray(new String[finalList.size()])); engine.setEnabledProtocols(finalList.toArray(new String[finalList.size()]));
private void setSslParams(final SSLEngine engine) { if (enabledCipherSuites.length > 0) { engine.setEnabledCipherSuites(enabledCipherSuites); } if (enabledProtocols.length > 0) { engine.setEnabledProtocols(enabledProtocols); } }