
Example 21 with SSLParameters

use of javax.net.ssl.SSLParameters in project qpid-broker-j by apache.

From the class HttpManagement, method getSslContextFactory.

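/**
 * Builds the Jetty {@link SslContextFactory} that serves management traffic on an HTTPS port.
 *
 * <p>The factory wraps an {@link SSLContext} created from the port's key store and trust stores,
 * applies the port's TLS session cache size and timeout when they are positive, and customises
 * every {@link SSLEngine} Jetty creates so that the port's cipher-suite and protocol white/black
 * lists are enforced. When a cipher-suite white list is configured the server's own preference
 * order is honoured instead of the client's.
 *
 * @param port the HTTPS port being started; supplies key/trust stores and TLS settings
 * @return a configured, not yet started {@link SslContextFactory}
 * @throws IllegalConfigurationException if no key store is configured, or if client-certificate
 *         authentication is needed or wanted but the port defines no trust store
 */
private SslContextFactory getSslContextFactory(final HttpPort<?> port) {
    final KeyStore keyStore = port.getKeyStore();
    if (keyStore == null) {
        throw new IllegalConfigurationException("Key store is not configured. Cannot start management on HTTPS port without keystore");
    }
    // A trust store is mandatory as soon as client certificates may be requested ("need" or
    // "want"): without one no presented client certificate could ever be validated.
    final boolean clientCertAuth = port.getNeedClientAuth() || port.getWantClientAuth();
    final Collection<TrustStore> trustStores = port.getTrustStores();
    if (clientCertAuth && trustStores.isEmpty()) {
        // Name the port itself in the diagnostic (this plugin may front several ports).
        throw new IllegalConfigurationException(String.format("Client certificate authentication is enabled on HTTPS port '%s' but no trust store defined", port.getName()));
    }
    final SSLContext sslContext = SSLUtil.createSslContext(keyStore, trustStores, port.getName());
    // Session cache settings are only applied when explicitly configured (> 0); otherwise the
    // JSSE defaults stay in effect.
    final SSLSessionContext serverSessionContext = sslContext.getServerSessionContext();
    final int sessionCacheSize = port.getTLSSessionCacheSize();
    if (sessionCacheSize > 0) {
        serverSessionContext.setSessionCacheSize(sessionCacheSize);
    }
    final int sessionTimeout = port.getTLSSessionTimeout();
    if (sessionTimeout > 0) {
        serverSessionContext.setSessionTimeout(sessionTimeout);
    }
    final SslContextFactory factory = new SslContextFactory() {

        /**
         * Applies the port's TLS restrictions to each engine after Jetty's own customisation.
         */
        @Override
        public void customize(final SSLEngine sslEngine) {
            super.customize(sslEngine);
            // With an explicit white list the configured order is a preference order, so tell
            // the engine to prefer the server's cipher-suite order over the client's.
            if (port.getTlsCipherSuiteWhiteList() != null && !port.getTlsCipherSuiteWhiteList().isEmpty()) {
                final SSLParameters sslParameters = sslEngine.getSSLParameters();
                sslParameters.setUseCipherSuitesOrder(true);
                sslEngine.setSSLParameters(sslParameters);
            }
            SSLUtil.updateEnabledCipherSuites(sslEngine, port.getTlsCipherSuiteWhiteList(), port.getTlsCipherSuiteBlackList());
            SSLUtil.updateEnabledTlsProtocols(sslEngine, port.getTlsProtocolWhiteList(), port.getTlsProtocolBlackList());
        }
    };
    factory.setSslContext(sslContext);
    // "need" (mandatory) takes precedence over "want" (optional) client certificates.
    if (port.getNeedClientAuth()) {
        factory.setNeedClientAuth(true);
    } else if (port.getWantClientAuth()) {
        factory.setWantClientAuth(true);
    }
    return factory;
}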

Example 22 with SSLParameters

use of javax.net.ssl.SSLParameters in project qpid-broker-j by apache.

From the class NonBlockingConnectionTLSDelegate, method processData.

/**
 * Decrypts whatever is currently in the network input buffer and hands the plaintext to the
 * parent connection.
 *
 * <p>On the first call the raw ClientHello is inspected (on a duplicate of the buffer, so the
 * bytes are left in place for the engine) to extract the SNI host name sent by the peer. If not
 * enough bytes have arrived yet to decide, the method returns {@code false} without consuming
 * anything so the caller can read more. Once the host is known (or known to be absent), the
 * engine is fed in a loop until it stops making progress on the network buffer and no delegated
 * tasks remain.
 *
 * @return {@code true} if plaintext was produced during this call
 * @throws IOException if decryption or the downstream AMQP processing fails
 */
@Override
public boolean processData() throws IOException {
    if (!_hostChecked) {
        // Work on a duplicate: the engine still needs the untouched ClientHello bytes below.
        try (QpidByteBuffer buffer = _netInputBuffer.duplicate()) {
            buffer.flip();
            if (SSLUtil.isSufficientToDetermineClientSNIHost(buffer)) {
                String hostName = SSLUtil.getServerNameFromTLSClientHello(buffer);
                if (hostName != null) {
                    // The host name comes straight from the peer's ClientHello and is used to
                    // select the virtual host / certificate; it is not validated here.
                    _parent.setSelectedHost(hostName);
                    SSLParameters sslParameters = _sslEngine.getSSLParameters();
                    // NOTE(review): SNIHostName(String) rejects syntactically illegal names with
                    // an IllegalArgumentException, which is not an IOException and would escape
                    // this method — confirm that getServerNameFromTLSClientHello already filters
                    // such names, or catch it here.
                    sslParameters.setServerNames(Collections.singletonList(new SNIHostName(hostName)));
                    _sslEngine.setSSLParameters(sslParameters);
                }
                _hostChecked = true;
            } else {
                // Not enough of the ClientHello yet; leave the buffer untouched and wait for more.
                return false;
            }
        }
    }
    _netInputBuffer.flip();
    boolean readData = false;
    boolean tasksRun;
    int oldNetBufferPos;
    do {
        int oldAppBufPos = _applicationBuffer.position();
        oldNetBufferPos = _netInputBuffer.position();
        _status = QpidByteBuffer.decryptSSL(_sslEngine, _netInputBuffer, _applicationBuffer);
        if (_status.getStatus() == SSLEngineResult.Status.CLOSED) {
            // After close_notify anything left in the network buffer is dropped, not decrypted.
            int remaining = _netInputBuffer.remaining();
            _netInputBuffer.position(_netInputBuffer.limit());
            // We'd usually expect no more bytes to be sent following a close_notify
            LOGGER.debug("SSLEngine closed, discarded {} byte(s)", remaining);
        }
        tasksRun = runSSLEngineTasks(_status);
        _applicationBuffer.flip();
        // NOTE(review): flip() resets position() to 0, so this comparison looks like it can
        // never be true; presumably limit() (the amount of plaintext produced) was intended.
        // Verify whether the caller acts on the return value before changing it.
        if (_applicationBuffer.position() > oldAppBufPos) {
            readData = true;
        }
        _parent.processAmqpData(_applicationBuffer);
        restoreApplicationBufferForWrite();
        // Keep going while the engine consumed network bytes and some remain, or while it ran
        // delegated tasks (handshake work) that may have unblocked further decryption.
    } while ((_netInputBuffer.hasRemaining() && (_netInputBuffer.position() > oldNetBufferPos)) || tasksRun);
    // Preserve any partial record for the next read; otherwise start from an empty buffer.
    if (_netInputBuffer.hasRemaining()) {
        _netInputBuffer.compact();
    } else {
        _netInputBuffer.clear();
    }
    return readData;
}

Example 23 with SSLParameters

use of javax.net.ssl.SSLParameters in project qpid-broker-j by apache.

From the class NonBlockingConnectionTLSDelegate, method createSSLEngine.

/**
 * Creates a server-mode {@link SSLEngine} for an AMQP port, restricted to the port's
 * configured TLS protocols and cipher suites.
 *
 * <p>When a cipher-suite white list is present the engine is told to prefer the server's
 * cipher-suite order over the client's. Client-certificate authentication is made mandatory
 * ("need") or optional ("want") according to the port, with "need" taking precedence.
 *
 * @param port the AMQP port whose SSL context and TLS settings are applied
 * @return a new, unconnected server-side engine
 */
private SSLEngine createSSLEngine(AmqpPort<?> port) {
    final SSLEngine engine = port.getSSLContext().createSSLEngine();
    engine.setUseClientMode(false);
    SSLUtil.updateEnabledTlsProtocols(engine, port.getTlsProtocolWhiteList(), port.getTlsProtocolBlackList());
    SSLUtil.updateEnabledCipherSuites(engine, port.getTlsCipherSuiteWhiteList(), port.getTlsCipherSuiteBlackList());
    final boolean honourWhiteListOrder =
            port.getTlsCipherSuiteWhiteList() != null && !port.getTlsCipherSuiteWhiteList().isEmpty();
    if (honourWhiteListOrder) {
        // The white list is an ordered preference; make the engine use the server's order.
        final SSLParameters params = engine.getSSLParameters();
        params.setUseCipherSuitesOrder(true);
        engine.setSSLParameters(params);
    }
    if (port.getNeedClientAuth()) {
        engine.setNeedClientAuth(true);
    } else if (port.getWantClientAuth()) {
        engine.setWantClientAuth(true);
    }
    return engine;
}

Example 24 with SSLParameters

use of javax.net.ssl.SSLParameters in project qpid-broker-j by apache.

From the class SNITest, method performTest.

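/**
 * Connects to the broker over TLS, optionally sending the given SNI host name, and asserts that
 * the server presents exactly the expected certificate.
 *
 * <p>The trust manager installed below accepts any peer certificate on purpose: this test does
 * not exercise chain validation, it compares the presented leaf certificate against
 * {@code expectedCert} directly. It is only suitable for this test.
 *
 * <p>The whole test body is skipped silently when the runtime cannot generate certificates
 * ({@link SSLUtil#canGenerateCerts()}).
 *
 * @param useMatching passed to {@code doBrokerStartup}; presumably enables SNI-based
 *        certificate selection on the broker
 * @param defaultAlias passed to {@code doBrokerStartup}; presumably the key store alias used
 *        when no SNI match applies
 * @param sniHostName host name to send in the TLS ClientHello, or {@code null} to send none
 * @param expectedCert certificate the server is expected to present
 * @throws Exception on broker start-up or socket failure
 */
private void performTest(final boolean useMatching, final String defaultAlias, final String sniHostName, final KeyCertPair expectedCert) throws Exception {
    if (!SSLUtil.canGenerateCerts()) {
        return;
    }
    doBrokerStartup(useMatching, defaultAlias);
    final SSLContext context = SSLUtil.tryGetSSLContext();
    context.init(null, new TrustManager[] { new X509TrustManager() {

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            // The X509TrustManager contract asks for a non-null (possibly empty) array;
            // returning null may cause NullPointerExceptions inside JSSE.
            return new X509Certificate[0];
        }

        @Override
        public void checkClientTrusted(X509Certificate[] certs, String authType) {
            // Test-only: the peer certificate is verified explicitly by the assertions below.
        }

        @Override
        public void checkServerTrusted(X509Certificate[] certs, String authType) {
            // Test-only: the peer certificate is verified explicitly by the assertions below.
        }
    } }, null);
    final SSLSocketFactory socketFactory = context.getSocketFactory();
    try (SSLSocket socket = (SSLSocket) socketFactory.createSocket()) {
        final SSLParameters parameters = socket.getSSLParameters();
        if (sniHostName != null) {
            parameters.setServerNames(Collections.singletonList(new SNIHostName(sniHostName)));
        }
        socket.setSSLParameters(parameters);
        final InetSocketAddress address = new InetSocketAddress("localhost", _boundPort);
        socket.connect(address, SOCKET_TIMEOUT);
        // getSession() completes the handshake; the server must present exactly one certificate.
        final Certificate[] certs = socket.getSession().getPeerCertificates();
        assertEquals(1, certs.length);
        assertEquals(expectedCert.getCertificate(), certs[0]);
    }
}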

Example 25 with SSLParameters

use of javax.net.ssl.SSLParameters in project async-http-client by AsyncHttpClient.

From the class SslEngineFactoryBase, method configureSslEngine.

/**
 * Puts the engine into client mode and, unless the configuration disables it, turns on
 * {@code "HTTPS"} endpoint identification so the JSSE checks the server certificate against
 * the requested host name during the handshake.
 *
 * @param sslEngine the engine to configure
 * @param config client configuration; consulted for
 *        {@code isDisableHttpsEndpointIdentificationAlgorithm()}
 */
protected void configureSslEngine(SSLEngine sslEngine, AsyncHttpClientConfig config) {
    sslEngine.setUseClientMode(true);
    final boolean identifyEndpoint = !config.isDisableHttpsEndpointIdentificationAlgorithm();
    if (!identifyEndpoint) {
        return;
    }
    final SSLParameters params = sslEngine.getSSLParameters();
    params.setEndpointIdentificationAlgorithm("HTTPS");
    sslEngine.setSSLParameters(params);
}
