@Override public String[] getEnabledProtocols() { return sock.getEnabledProtocols(); }
public String[] getEnabledProtocols() { return delegate.getEnabledProtocols(); }
@Override public Socket createSocket(String host, int port) throws IOException { SSLSocket socket = (SSLSocket) super.createSocket(host, port); ArrayList<String> secureProtocols = new ArrayList<>(); for (String p : socket.getEnabledProtocols()) { if (!p.contains("SSLv3")) { secureProtocols.add(p); } } socket.setEnabledProtocols(secureProtocols.toArray( new String[secureProtocols.size()])); return socket; } }
@Override public Socket accept() throws IOException { Socket socket = super.accept(); SSLSocketFactory sslSocketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault(); SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket(socket, socket.getInetAddress().getHostName(), socket.getPort(), true); sslSocket.setUseClientMode(false); sslSocket.setNeedClientAuth(false); ArrayList<String> secureProtocols = new ArrayList<>(); for (String p : sslSocket.getEnabledProtocols()) { if (!p.contains("SSLv3")) { secureProtocols.add(p); } } sslSocket.setEnabledProtocols(secureProtocols.toArray(new String[secureProtocols.size()])); return sslSocket; } };
/** * Configures the supplied {@link SSLSocket} to connect to the specified host using an appropriate * {@link ConnectionSpec}. Returns the chosen {@link ConnectionSpec}, never {@code null}. * * @throws IOException if the socket does not support any of the TLS modes available */ public ConnectionSpec configureSecureSocket(SSLSocket sslSocket) throws IOException { ConnectionSpec tlsConfiguration = null; for (int i = nextModeIndex, size = connectionSpecs.size(); i < size; i++) { ConnectionSpec connectionSpec = connectionSpecs.get(i); if (connectionSpec.isCompatible(sslSocket)) { tlsConfiguration = connectionSpec; nextModeIndex = i + 1; break; } } if (tlsConfiguration == null) { // This may be the first time a connection has been attempted and the socket does not support // any the required protocols, or it may be a retry (but this socket supports fewer // protocols than was suggested by a prior socket). throw new UnknownServiceException( "Unable to find acceptable protocols. isFallback=" + isFallback + ", modes=" + connectionSpecs + ", supported protocols=" + Arrays.toString(sslSocket.getEnabledProtocols())); } isFallbackPossible = isFallbackPossible(sslSocket); Internal.instance.apply(tlsConfiguration, sslSocket, isFallback); return tlsConfiguration; }
/** * Returns {@code true} if the socket, as currently configured, supports this connection spec. In * order for a socket to be compatible the enabled cipher suites and protocols must intersect. * * <p>For cipher suites, at least one of the {@link #cipherSuites() required cipher suites} must * match the socket's enabled cipher suites. If there are no required cipher suites the socket * must have at least one cipher suite enabled. * * <p>For protocols, at least one of the {@link #tlsVersions() required protocols} must match the * socket's enabled protocols. */ public boolean isCompatible(SSLSocket socket) { if (!tls) { return false; } if (tlsVersions != null && !nonEmptyIntersection( Util.NATURAL_ORDER, tlsVersions, socket.getEnabledProtocols())) { return false; } if (cipherSuites != null && !nonEmptyIntersection( CipherSuite.ORDER_BY_NAME, cipherSuites, socket.getEnabledCipherSuites())) { return false; } return true; }
for (String protocol : socket.getEnabledProtocols()) { if ((includeProtocols.isEmpty() || includeProtocols.contains(protocol)) && !excludeProtocols.contains(protocol)) {
/** * Configures the supplied {@link SSLSocket} to connect to the specified host using an appropriate * {@link ConnectionSpec}. Returns the chosen {@link ConnectionSpec}, never {@code null}. * * @throws IOException if the socket does not support any of the TLS modes available */ public ConnectionSpec configureSecureSocket(SSLSocket sslSocket) throws IOException { ConnectionSpec tlsConfiguration = null; for (int i = nextModeIndex, size = connectionSpecs.size(); i < size; i++) { ConnectionSpec connectionSpec = connectionSpecs.get(i); if (connectionSpec.isCompatible(sslSocket)) { tlsConfiguration = connectionSpec; nextModeIndex = i + 1; break; } } if (tlsConfiguration == null) { // This may be the first time a connection has been attempted and the socket does not support // any the required protocols, or it may be a retry (but this socket supports fewer // protocols than was suggested by a prior socket). throw new UnknownServiceException( "Unable to find acceptable protocols. isFallback=" + isFallback + ", modes=" + connectionSpecs + ", supported protocols=" + Arrays.toString(sslSocket.getEnabledProtocols())); } isFallbackPossible = isFallbackPossible(sslSocket); Internal.instance.apply(tlsConfiguration, sslSocket, isFallback); return tlsConfiguration; }
protected final void prepareSocket(final SSLSocket socket) { String[] supported = socket.getSupportedProtocols(); String[] enabled = socket.getEnabledProtocols(); if (LOG.isDebugEnabled()) { LOG.debug("socket.getSupportedProtocols(): " + Arrays.toString(supported)
private SSLSocket fixupSocket(Socket socket) throws IOException { SSLSocket sslSocket = (SSLSocket) socket; sslSocket.setEnabledProtocols( filter(sslSocket.getEnabledProtocols(), sslSocket.getSupportedProtocols())); sslSocket.setEnabledCipherSuites( filter(sslSocket.getEnabledCipherSuites(), sslSocket.getSupportedCipherSuites())); return sslSocket; }
/** * Returns {@code true} if the socket, as currently configured, supports this connection spec. In * order for a socket to be compatible the enabled cipher suites and protocols must intersect. * * <p>For cipher suites, at least one of the {@link #cipherSuites() required cipher suites} must * match the socket's enabled cipher suites. If there are no required cipher suites the socket * must have at least one cipher suite enabled. * * <p>For protocols, at least one of the {@link #tlsVersions() required protocols} must match the * socket's enabled protocols. */ public boolean isCompatible(SSLSocket socket) { if (!tls) { return false; } if (tlsVersions != null && !nonEmptyIntersection( Util.NATURAL_ORDER, tlsVersions, socket.getEnabledProtocols())) { return false; } if (cipherSuites != null && !nonEmptyIntersection( CipherSuite.ORDER_BY_NAME, cipherSuites, socket.getEnabledCipherSuites())) { return false; } return true; }
/** * Create a secure client socket that is connected to the given address and * port. * * @param address the address to connect to * @param port the port * @return the socket */ public static Socket createSocket(InetAddress address, int port) throws IOException { Socket socket = null; setKeystore(); SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault(); SSLSocket secureSocket = (SSLSocket) f.createSocket(); secureSocket.connect(new InetSocketAddress(address, port), SysProperties.SOCKET_CONNECT_TIMEOUT); secureSocket.setEnabledProtocols( disableSSL(secureSocket.getEnabledProtocols())); if (SysProperties.ENABLE_ANONYMOUS_TLS) { String[] list = enableAnonymous( secureSocket.getEnabledCipherSuites(), secureSocket.getSupportedCipherSuites()); secureSocket.setEnabledCipherSuites(list); } socket = secureSocket; return socket; }
/** * Configures the supplied {@link SSLSocket} to connect to the specified host using an appropriate * {@link ConnectionSpec}. Returns the chosen {@link ConnectionSpec}, never {@code null}. * * @throws IOException if the socket does not support any of the TLS modes available */ public ConnectionSpec configureSecureSocket(SSLSocket sslSocket) throws IOException { ConnectionSpec tlsConfiguration = null; for (int i = nextModeIndex, size = connectionSpecs.size(); i < size; i++) { ConnectionSpec connectionSpec = connectionSpecs.get(i); if (connectionSpec.isCompatible(sslSocket)) { tlsConfiguration = connectionSpec; nextModeIndex = i + 1; break; } } if (tlsConfiguration == null) { // This may be the first time a connection has been attempted and the socket does not support // any the required protocols, or it may be a retry (but this socket supports fewer // protocols than was suggested by a prior socket). throw new UnknownServiceException( "Unable to find acceptable protocols. isFallback=" + isFallback + ", modes=" + connectionSpecs + ", supported protocols=" + Arrays.toString(sslSocket.getEnabledProtocols())); } isFallbackPossible = isFallbackPossible(sslSocket); Internal.instance.apply(tlsConfiguration, sslSocket, isFallback); return tlsConfiguration; }
/** * Returns {@code true} if the socket, as currently configured, supports this connection spec. In * order for a socket to be compatible the enabled cipher suites and protocols must intersect. * * <p>For cipher suites, at least one of the {@link #cipherSuites() required cipher suites} must * match the socket's enabled cipher suites. If there are no required cipher suites the socket * must have at least one cipher suite enabled. * * <p>For protocols, at least one of the {@link #tlsVersions() required protocols} must match the * socket's enabled protocols. */ public boolean isCompatible(SSLSocket socket) { if (!tls) { return false; } if (tlsVersions != null && !nonEmptyIntersection( Util.NATURAL_ORDER, tlsVersions, socket.getEnabledProtocols())) { return false; } if (cipherSuites != null && !nonEmptyIntersection( CipherSuite.ORDER_BY_NAME, cipherSuites, socket.getEnabledCipherSuites())) { return false; } return true; }
/** * Returns a copy of this that omits cipher suites and TLS versions not enabled by {@code * sslSocket}. */ private ConnectionSpec supportedSpec(SSLSocket sslSocket, boolean isFallback) { String[] cipherSuitesIntersection = cipherSuites != null ? intersect(CipherSuite.ORDER_BY_NAME, sslSocket.getEnabledCipherSuites(), cipherSuites) : sslSocket.getEnabledCipherSuites(); String[] tlsVersionsIntersection = tlsVersions != null ? intersect(Util.NATURAL_ORDER, sslSocket.getEnabledProtocols(), tlsVersions) : sslSocket.getEnabledProtocols(); // In accordance with https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 // the SCSV cipher is added to signal that a protocol fallback has taken place. String[] supportedCipherSuites = sslSocket.getSupportedCipherSuites(); int indexOfFallbackScsv = indexOf( CipherSuite.ORDER_BY_NAME, supportedCipherSuites, "TLS_FALLBACK_SCSV"); if (isFallback && indexOfFallbackScsv != -1) { cipherSuitesIntersection = concat( cipherSuitesIntersection, supportedCipherSuites[indexOfFallbackScsv]); } return new Builder(this) .cipherSuites(cipherSuitesIntersection) .tlsVersions(tlsVersionsIntersection) .build(); }
/** * Returns a copy of this that omits cipher suites and TLS versions not enabled by {@code * sslSocket}. */ private ConnectionSpec supportedSpec(SSLSocket sslSocket, boolean isFallback) { String[] cipherSuitesIntersection = cipherSuites != null ? intersect(CipherSuite.ORDER_BY_NAME, sslSocket.getEnabledCipherSuites(), cipherSuites) : sslSocket.getEnabledCipherSuites(); String[] tlsVersionsIntersection = tlsVersions != null ? intersect(Util.NATURAL_ORDER, sslSocket.getEnabledProtocols(), tlsVersions) : sslSocket.getEnabledProtocols(); // In accordance with https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 // the SCSV cipher is added to signal that a protocol fallback has taken place. String[] supportedCipherSuites = sslSocket.getSupportedCipherSuites(); int indexOfFallbackScsv = indexOf( CipherSuite.ORDER_BY_NAME, supportedCipherSuites, "TLS_FALLBACK_SCSV"); if (isFallback && indexOfFallbackScsv != -1) { cipherSuitesIntersection = concat( cipherSuitesIntersection, supportedCipherSuites[indexOfFallbackScsv]); } return new Builder(this) .cipherSuites(cipherSuitesIntersection) .tlsVersions(tlsVersionsIntersection) .build(); }
if (protocols != null && protocols.length == 1 && "SSLv3".equals(protocols[0])) { List<String> enabledProtocols = new ArrayList<String>(Arrays.asList(delegate.getEnabledProtocols())); if (enabledProtocols.size() > 1) { enabledProtocols.remove("SSLv3"); return delegate.getEnabledProtocols();
/** * Returns a copy of this that omits cipher suites and TLS versions not enabled by {@code * sslSocket}. */ private ConnectionSpec supportedSpec(SSLSocket sslSocket, boolean isFallback) { String[] cipherSuitesIntersection = cipherSuites != null ? intersect(CipherSuite.ORDER_BY_NAME, sslSocket.getEnabledCipherSuites(), cipherSuites) : sslSocket.getEnabledCipherSuites(); String[] tlsVersionsIntersection = tlsVersions != null ? intersect(Util.NATURAL_ORDER, sslSocket.getEnabledProtocols(), tlsVersions) : sslSocket.getEnabledProtocols(); // In accordance with https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 // the SCSV cipher is added to signal that a protocol fallback has taken place. String[] supportedCipherSuites = sslSocket.getSupportedCipherSuites(); int indexOfFallbackScsv = indexOf( CipherSuite.ORDER_BY_NAME, supportedCipherSuites, "TLS_FALLBACK_SCSV"); if (isFallback && indexOfFallbackScsv != -1) { cipherSuitesIntersection = concat( cipherSuitesIntersection, supportedCipherSuites[indexOfFallbackScsv]); } return new Builder(this) .cipherSuites(cipherSuitesIntersection) .tlsVersions(tlsVersionsIntersection) .build(); }
/** * Returns a new SSLParameters based on this SSLSocket's current * cipher suites, protocols, and client authentication settings. * * @since 1.6 */ public SSLParameters getSSLParameters() { SSLParameters p = new SSLParameters(); p.setCipherSuites(getEnabledCipherSuites()); p.setProtocols(getEnabledProtocols()); p.setNeedClientAuth(getNeedClientAuth()); p.setWantClientAuth(getWantClientAuth()); return p; }
private javax.net.ssl.SSLParameters createSSLParameters(boolean supported) { try { SSLSocket s = (SSLSocket) engineGetSocketFactory().createSocket(); javax.net.ssl.SSLParameters p = new javax.net.ssl.SSLParameters(); String[] cipherSuites; String[] protocols; if (supported) { cipherSuites = s.getSupportedCipherSuites(); protocols = s.getSupportedProtocols(); } else { cipherSuites = s.getEnabledCipherSuites(); protocols = s.getEnabledProtocols(); } p.setCipherSuites(cipherSuites); p.setProtocols(protocols); p.setNeedClientAuth(s.getNeedClientAuth()); p.setWantClientAuth(s.getWantClientAuth()); return p; } catch (IOException e) { /* * SSLContext.getDefaultSSLParameters specifies to throw * UnsupportedOperationException if there is a problem getting the * parameters */ throw new UnsupportedOperationException("Could not access supported SSL parameters"); } } }