
Example 31 with SSLParameters

use of javax.net.ssl.SSLParameters in project keystore-explorer by kaikramer.

the class CustomSslSocketFactory method disableSNI.

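private void disableSNI(SSLSocket socket) {
    // Effectively disable SNI by installing an empty server-name list, so the socket sends
    // no server_name extension in its ClientHello. SSLParameters#setServerNames exists only
    // from Java 8 on, so it is looked up reflectively to keep older runtimes working.
    SSLParameters sslParameters = socket.getSSLParameters();
    try {
        Method setServerNamesMethod = sslParameters.getClass().getMethod("setServerNames", List.class);
        setServerNamesMethod.invoke(sslParameters, new ArrayList<Object>());
        socket.setSSLParameters(sslParameters);
    } catch (ReflectiveOperationException | SecurityException e) {
        // Java 6/7: the method is missing, nothing we can do here (setting
        // jsse.enableSNIExtension wouldn't work here anymore). Only reflection failures are
        // swallowed; an unrelated error from setSSLParameters is no longer hidden.
    }
}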

Example 32 with SSLParameters

use of javax.net.ssl.SSLParameters in project apache-kafka-on-k8s by banzaicloud.

the class SslTransportLayerTest method testClientEndpointNotValidated.

/**
 * Verifies that a server with endpoint identification enabled still accepts a client
 * whose certificate carries an invalid host name.
 *
 * <p>RFC 2818 says:
 * <blockquote>Typically, the server has no external knowledge of what the client's
 * identity ought to be and so checks (other than that the client has a
 * certificate chain rooted in an appropriate CA) are not possible. If a
 * server has such knowledge (typically from some source external to
 * HTTP or TLS) it SHOULD check the identity as described above.</blockquote>
 *
 * <p>The Java SSL engine performs no endpoint validation of the client's IP address, so the
 * reverse DNS lookup can safely be skipped when the engine is created. Should a future Java
 * release add client endpoint validation, this test will start failing, which is the signal
 * to revisit Kafka's server-side SSL code (enable validation there and supply the host name
 * when needed).
 */
@Test
public void testClientEndpointNotValidated() throws Exception {
    final String nodeId = "0";
    // client certificate deliberately issued for a host name that does not exist
    clientCertStores = new CertStores(false, "non-existent.com");
    serverCertStores = new CertStores(true, "localhost");
    sslServerConfigs = serverCertStores.getTrustingConfig(clientCertStores);
    sslClientConfigs = clientCertStores.getTrustingConfig(serverCertStores);
    // server side: turn on HTTPS endpoint identification on every engine it creates
    final SslChannelBuilder builder = new TestSslChannelBuilder(Mode.SERVER) {

        @Override
        protected TestSslTransportLayer newTransportLayer(String id, SelectionKey key, SSLEngine sslEngine) throws IOException {
            final SSLParameters parameters = sslEngine.getSSLParameters();
            parameters.setEndpointIdentificationAlgorithm("HTTPS");
            sslEngine.setSSLParameters(parameters);
            return super.newTransportLayer(id, key, sslEngine);
        }
    };
    builder.configure(sslServerConfigs);
    server = new NioEchoServer(ListenerName.forSecurityProtocol(SecurityProtocol.SSL), SecurityProtocol.SSL, new TestSecurityConfig(sslServerConfigs), "localhost", builder, null);
    server.start();
    createSelector(sslClientConfigs);
    final InetSocketAddress serverAddress = new InetSocketAddress("localhost", server.port());
    selector.connect(nodeId, serverAddress, BUFFER_SIZE, BUFFER_SIZE);
    // the connection must come up despite the bogus client host name
    NetworkTestUtils.checkClientConnection(selector, nodeId, 100, 10);
}

Example 33 with SSLParameters

use of javax.net.ssl.SSLParameters in project Bytecoder by mirkosertic.

the class SSLServerSocketImpl method getSSLParameters.

/**
 * Returns the SSLParameters in effect for newly accepted connections.
 *
 * <p>The parameters come from the superclass and are then completed with the
 * settings this server socket tracks itself, because the superclass does not
 * carry them.
 */
@Override
public synchronized SSLParameters getSSLParameters() {
    SSLParameters effective = super.getSSLParameters();
    // values the super implementation does not handle; copied from this socket's own fields
    effective.setUseCipherSuitesOrder(preferLocalCipherSuites);
    effective.setSNIMatchers(sniMatchers);
    effective.setAlgorithmConstraints(algorithmConstraints);
    effective.setEndpointIdentificationAlgorithm(identificationProtocol);
    effective.setApplicationProtocols(applicationProtocols);
    return effective;
}

Example 34 with SSLParameters

use of javax.net.ssl.SSLParameters in project photon-model by vmware.

the class CertificateUtil method resolveCertificate.

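/**
 * Connects to {@code uri} once and records the X.509 certificate chain the server presents.
 *
 * <p>The connection uses an {@link SSLContext} whose only trust manager is the returned
 * {@link X509TrustManagerResolver}; the handshake is therefore used to capture the chain
 * rather than to authenticate the peer, and the context is used for this probe only.
 *
 * @param uri           target; its host and port (default {@code DEFAULT_SECURE_CONNECTION_PORT}) are probed
 * @param proxy         optional proxy; proxy authentication is supported only for an HTTPS URI through an HTTP proxy
 * @param proxyUsername optional proxy user name
 * @param proxyPassword optional proxy password
 * @param timeoutMillis connect timeout
 * @return the resolver holding the captured chain (never empty on return)
 * @throws LocalizableValidationException if the SSL context cannot be initialized, proxy
 *         authentication is requested for an unsupported combination, the resolver reports an
 *         illegal state while the connection fails, or no chain was captured at all
 * @throws IllegalArgumentException if the connection fails after an untrusted chain was captured
 */
public static X509TrustManagerResolver resolveCertificate(URI uri, Proxy proxy, String proxyUsername, String proxyPassword, long timeoutMillis) {
    logger.entering(logger.getName(), "resolveCertificate");
    X509TrustManagerResolver trustManagerResolver = new X509TrustManagerResolver();
    SSLContext sslContext;
    try {
        sslContext = SSLContext.getInstance("TLS");
        // the resolver is the sole trust manager: it captures the chain the peer presents
        // instead of validating it, which is why this context must serve the probe only
        sslContext.init(null, new TrustManager[] { trustManagerResolver }, null);
    } catch (KeyManagementException | NoSuchAlgorithmException e) {
        logger.throwing(logger.getName(), "connect", e);
        throw new LocalizableValidationException(e, "Failed to initialize SSL context.", "security.certificate.context.init.error");
    }
    String hostAddress = uri.getHost();
    int port = uri.getPort() == -1 ? DEFAULT_SECURE_CONNECTION_PORT : uri.getPort();
    String uriScheme = uri.getScheme();
    String host = String.format("%s://%s:%d", uriScheme, hostAddress, port);
    try {
        SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
        if (proxy != null && proxy.type() == Type.HTTP && proxyUsername != null && UriUtils.HTTPS_SCHEME.equalsIgnoreCase(uriScheme)) {
            // authenticated HTTP proxy: the tunnel set-up lives in a dedicated helper
            URL url = uri.toURL();
            handleCertForHttpsThroughHttpProxyWithAuth(url, proxy, proxyUsername, proxyPassword, timeoutMillis, sslSocketFactory);
        } else {
            if (proxy != null && proxyUsername != null) {
                throw new LocalizableValidationException("Proxy authentication supported " + "for HTTPS URI through HTTP Proxy only." + " URI: " + uri.toASCIIString() + ", Proxy: " + proxy.toString(), "security.certificate.proxy.authentication.not.supported.error", uri.toASCIIString(), proxy.toString());
            }
            SSLSocket sslSocket = openProbeSocket(sslSocketFactory, proxy, hostAddress, port, timeoutMillis);
            try {
                // getSession() forces the handshake, which is when the resolver records the chain
                SSLSession session = sslSocket.getSession();
                session.invalidate();
            } finally {
                // always release the probe socket (and, via autoClose, the proxy tunnel beneath it)
                try {
                    sslSocket.close();
                } catch (IOException ignored) {
                    // the chain was already captured during the handshake; a failed close changes nothing
                }
            }
        }
    } catch (IOException e) {
        try {
            if (trustManagerResolver.isCertsTrusted() || trustManagerResolver.getCertificateChain().length == 0) {
                Utils.logWarning("Exception while resolving certificate for host: [%s]. Error: %s ", host, e.getMessage());
            } else {
                logger.throwing(logger.getName(), "connect", e);
                throw new IllegalArgumentException(e.getMessage(), e);
            }
        } catch (IllegalStateException ise) {
            throw new LocalizableValidationException(e, String.format("Cannot connect to host: [%s]. Error: %s", host, e.getMessage()), "security.certificate.connection.error", host, e.getMessage());
        }
    }
    if (trustManagerResolver.getCertificateChain().length == 0) {
        LocalizableValidationException e = new LocalizableValidationException("Check ssl certificate failed for server: " + host, "security.certificate.check.error", host);
        logger.throwing(logger.getName(), "connect", e);
        throw e;
    }
    logger.exiting(logger.getName(), "resolveCertificate");
    return trustManagerResolver;
}

/**
 * Opens and connects the TLS socket used to probe the server; the handshake itself is
 * triggered later by the caller. If opening fails, the partially opened socket is closed
 * before the exception propagates so that no socket leaks.
 *
 * @return a connected, not yet handshaken SSL socket owned by the caller
 * @throws IOException if the socket cannot be created or connected
 */
private static SSLSocket openProbeSocket(SSLSocketFactory sslSocketFactory, Proxy proxy, String hostAddress, int port, long timeoutMillis) throws IOException {
    if (proxy != null) {
        // plain socket through the proxy with TLS layered on top; autoClose=true so that
        // closing the SSL socket also closes the tunnel
        Socket tunnel = new Socket(proxy);
        try {
            tunnel.connect(new InetSocketAddress(hostAddress, port), (int) timeoutMillis);
            return (SSLSocket) sslSocketFactory.createSocket(tunnel, hostAddress, port, true);
        } catch (IOException | RuntimeException e) {
            closeQuietly(tunnel, e);
            throw e;
        }
    }
    SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket();
    try {
        if (SSL_CONNECT_USE_SNI) {
            // send the host name in the ClientHello so a virtual-hosted server returns the matching chain
            SNIHostName serverName = new SNIHostName(hostAddress);
            List<SNIServerName> serverNames = new ArrayList<>(1);
            serverNames.add(serverName);
            SSLParameters params = sslSocket.getSSLParameters();
            params.setServerNames(serverNames);
            sslSocket.setSSLParameters(params);
        }
        sslSocket.connect(new InetSocketAddress(hostAddress, port), (int) timeoutMillis);
        return sslSocket;
    } catch (IOException | RuntimeException e) {
        closeQuietly(sslSocket, e);
        throw e;
    }
}

/** Closes {@code socket}, attaching any close failure to {@code cause} as a suppressed exception. */
private static void closeQuietly(Socket socket, Exception cause) {
    try {
        socket.close();
    } catch (IOException closeFailure) {
        cause.addSuppressed(closeFailure);
    }
}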

Example 35 with SSLParameters

use of javax.net.ssl.SSLParameters in project cosmic by MissionCriticalCloud.

the class ConsoleProxySecureServerFactoryImpl method createHttpServerInstance.

/**
 * Creates an HTTPS server bound to {@code port} using this factory's SSL context.
 *
 * <p>Every connection is configured with the context's default SSL parameters.
 * Any failure while creating the server is logged and {@code null} is returned
 * instead of propagating the exception.
 *
 * @param port TCP port to bind on all local addresses
 * @return the configured, not yet started server, or {@code null} if creation failed
 */
@Override
public HttpServer createHttpServerInstance(final int port) throws IOException {
    try {
        final HttpsServer httpsServer = HttpsServer.create(new InetSocketAddress(port), 5);
        final HttpsConfigurator configurator = new HttpsConfigurator(sslContext) {

            @Override
            public void configure(final HttpsParameters params) {
                // apply the context's defaults to this connection; setSSLParameters can throw
                // IllegalArgumentException when any parameter is invalid (e.g. user supplied)
                final SSLParameters defaults = getSSLContext().getDefaultSSLParameters();
                params.setSSLParameters(defaults);
            }
        };
        httpsServer.setHttpsConfigurator(configurator);
        s_logger.info("create HTTPS server instance on port: " + port);
        return httpsServer;
    } catch (final Exception e) {
        s_logger.error(e.toString(), e);
        return null;
    }
}
