use of javax.net.ssl.SSLParameters in project keystore-explorer by kaikramer.
the class CustomSslSocketFactory method disableSNI.
/**
 * Removes the SNI server-name list from the given socket so no SNI extension is sent.
 *
 * <p>{@code SSLParameters.setServerNames} only exists from Java 8 on, so it is looked up
 * reflectively; on an older runtime the lookup fails and the socket is left as it was
 * (the {@code jsse.enableSNIExtension} property can no longer be changed at this point).
 * Caveat: without SNI a server hosting several names may present its default certificate
 * rather than the one for the requested host.
 *
 * @param socket the socket whose parameters are updated in place
 */
private void disableSNI(SSLSocket socket) {
    SSLParameters params = socket.getSSLParameters();
    try {
        Method setServerNames = params.getClass().getMethod("setServerNames", List.class);
        setServerNames.invoke(params, new ArrayList<Object>());
        socket.setSSLParameters(params);
    } catch (Exception ignored) {
        // pre-Java 8 runtime: no setServerNames method, so SNI cannot be switched off here
    }
}
use of javax.net.ssl.SSLParameters in project apache-kafka-on-k8s by banzaicloud.
the class SslTransportLayerTest method testClientEndpointNotValidated.
/**
 * Verifies that a client certificate whose hostname does not match the connecting client is
 * still accepted by the server.
 *
 * <p>RFC 2818 states that a server normally has no external knowledge of who the client ought
 * to be, so beyond checking that the client chain is rooted in an appropriate CA no further
 * identity checks are possible; if the server does have such knowledge it SHOULD check the
 * identity. The Java SSL engine performs no endpoint validation of the client's IP address,
 * which is why the reverse DNS lookup can safely be skipped when the server creates its SSL
 * engine. Here the server engine explicitly enables the HTTPS endpoint identification
 * algorithm while the client presents a certificate issued for {@code non-existent.com}, and
 * the connection must still succeed. Should a future Java release start validating client
 * endpoints, this test fails and the Kafka SSL code can be updated to enable server-side
 * validation and supply a hostname.
 */
@Test
public void testClientEndpointNotValidated() throws Exception {
    // client certificate carries a hostname that cannot match the connecting peer
    clientCertStores = new CertStores(false, "non-existent.com");
    serverCertStores = new CertStores(true, "localhost");
    sslServerConfigs = serverCertStores.getTrustingConfig(clientCertStores);
    sslClientConfigs = clientCertStores.getTrustingConfig(serverCertStores);

    // server side opts into endpoint identification on its SSL engine
    SslChannelBuilder channelBuilder = new TestSslChannelBuilder(Mode.SERVER) {
        @Override
        protected TestSslTransportLayer newTransportLayer(String id, SelectionKey key, SSLEngine sslEngine) throws IOException {
            SSLParameters params = sslEngine.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            sslEngine.setSSLParameters(params);
            return super.newTransportLayer(id, key, sslEngine);
        }
    };
    channelBuilder.configure(sslServerConfigs);
    ListenerName listenerName = ListenerName.forSecurityProtocol(SecurityProtocol.SSL);
    server = new NioEchoServer(listenerName, SecurityProtocol.SSL, new TestSecurityConfig(sslServerConfigs), "localhost", channelBuilder, null);
    server.start();

    createSelector(sslClientConfigs);
    String node = "0";
    InetSocketAddress serverAddress = new InetSocketAddress("localhost", server.port());
    selector.connect(node, serverAddress, BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.checkClientConnection(selector, node, 100, 10);
}
use of javax.net.ssl.SSLParameters in project Bytecoder by mirkosertic.
the class SSLServerSocketImpl method getSSLParameters.
/**
 * Returns the SSLParameters that newly accepted connections will use.
 *
 * <p>The parameters obtained from the superclass do not carry the settings this class keeps
 * itself (endpoint identification algorithm, algorithm constraints, SNI matchers, local
 * cipher-suite order preference, application protocols), so those are applied to the
 * returned object here. Synchronized, as the fields it reads are guarded alongside the other
 * synchronized accessors of this class.
 */
@Override
public synchronized SSLParameters getSSLParameters() {
    SSLParameters effective = super.getSSLParameters();
    // settings the base implementation knows nothing about
    effective.setApplicationProtocols(applicationProtocols);
    effective.setUseCipherSuitesOrder(preferLocalCipherSuites);
    effective.setSNIMatchers(sniMatchers);
    effective.setAlgorithmConstraints(algorithmConstraints);
    effective.setEndpointIdentificationAlgorithm(identificationProtocol);
    return effective;
}
use of javax.net.ssl.SSLParameters in project photon-model by vmware.
the class CertificateUtil method resolveCertificate.
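/**
 * Connects to the given URI over TLS and returns the trust-manager resolver that observed the
 * server's certificate chain.
 *
 * <p>The SSL context is initialised with {@code trustManagerResolver} as its only trust
 * manager, so the JVM's default trust store is not consulted by this method; the resolver is
 * presumed to record the presented chain and report whether it is trusted — confirm in
 * {@code X509TrustManagerResolver}. The handshake is driven by {@code SSLSocket.getSession()},
 * which by its contract returns an invalid session instead of throwing when the handshake
 * fails, so a rejected chain surfaces through the resolver and the final chain-length check
 * rather than as an {@code IOException}.
 *
 * <p>An HTTPS URI reached through an authenticating HTTP proxy is delegated to
 * {@code handleCertForHttpsThroughHttpProxyWithAuth}; any other proxy is used as a plain
 * tunnel, and proxy credentials are rejected in that case. The probe socket (and the tunnel
 * beneath it) is always closed before this method returns.
 *
 * @param uri target; the port defaults to {@code DEFAULT_SECURE_CONNECTION_PORT} when absent
 * @param proxy proxy to connect through, or {@code null} for a direct connection
 * @param proxyUsername proxy user name, or {@code null}
 * @param proxyPassword proxy password, or {@code null}
 * @param timeoutMillis connect timeout, truncated to {@code int}
 * @return the resolver holding the observed certificate chain
 * @throws LocalizableValidationException if the SSL context cannot be initialised, if proxy
 *         credentials are given for an unsupported proxy/scheme combination, if the connection
 *         fails before any chain was seen, or if no certificate chain was received at all
 * @throws IllegalArgumentException if the connection failed after an untrusted chain was seen
 */
public static X509TrustManagerResolver resolveCertificate(URI uri, Proxy proxy, String proxyUsername, String proxyPassword, long timeoutMillis) {
    logger.entering(logger.getName(), "resolveCertificate");
    X509TrustManagerResolver trustManagerResolver = new X509TrustManagerResolver();
    SSLContext sslContext;
    try {
        sslContext = SSLContext.getInstance("TLS");
        // the resolver is the sole trust manager: it sees every chain the server presents
        sslContext.init(null, new TrustManager[] { trustManagerResolver }, null);
    } catch (KeyManagementException | NoSuchAlgorithmException e) {
        logger.throwing(logger.getName(), "connect", e);
        throw new LocalizableValidationException(e, "Failed to initialize SSL context.", "security.certificate.context.init.error");
    }
    String hostAddress = uri.getHost();
    int port = uri.getPort() == -1 ? DEFAULT_SECURE_CONNECTION_PORT : uri.getPort();
    String uriScheme = uri.getScheme();
    String host = String.format("%s://%s:%d", uriScheme, hostAddress, port);
    try {
        SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
        if (proxy != null && proxy.type() == Type.HTTP && proxyUsername != null && UriUtils.HTTPS_SCHEME.equalsIgnoreCase(uriScheme)) {
            URL url = uri.toURL();
            handleCertForHttpsThroughHttpProxyWithAuth(url, proxy, proxyUsername, proxyPassword, timeoutMillis, sslSocketFactory);
        } else {
            SSLSocket sslSocket = openProbeSocket(sslSocketFactory, uri, proxy, proxyUsername, hostAddress, port, timeoutMillis);
            try {
                // getSession() performs the handshake; the session itself is not used afterwards
                SSLSession session = sslSocket.getSession();
                session.invalidate();
            } finally {
                // close quietly so a close() failure cannot masquerade as a connection failure below
                closeQuietly(sslSocket);
            }
        }
    } catch (IOException e) {
        try {
            if (trustManagerResolver.isCertsTrusted() || trustManagerResolver.getCertificateChain().length == 0) {
                Utils.logWarning("Exception while resolving certificate for host: [%s]. Error: %s ", host, e.getMessage());
            } else {
                logger.throwing(logger.getName(), "connect", e);
                throw new IllegalArgumentException(e.getMessage(), e);
            }
        } catch (IllegalStateException ise) {
            // resolver state could not be queried; report the original connection error
            throw new LocalizableValidationException(e, String.format("Cannot connect to host: [%s]. Error: %s", host, e.getMessage()), "security.certificate.connection.error", host, e.getMessage());
        }
    }
    if (trustManagerResolver.getCertificateChain().length == 0) {
        LocalizableValidationException e = new LocalizableValidationException("Check ssl certificate failed for server: " + host, "security.certificate.check.error", host);
        logger.throwing(logger.getName(), "connect", e);
        throw e;
    }
    logger.exiting(logger.getName(), "resolveCertificate");
    return trustManagerResolver;
}

/**
 * Opens and connects the socket used to probe the server's certificate.
 *
 * <p>With a proxy the connection goes through a plain tunnel socket that the returned SSL
 * socket owns ({@code autoClose = true}); without one the host name is sent as SNI when
 * {@code SSL_CONNECT_USE_SNI} is set. If connecting fails, the partially built socket is
 * closed before the exception is rethrown so nothing leaks.
 *
 * @return a connected, not yet handshaken SSL socket; the caller must close it
 * @throws LocalizableValidationException if proxy credentials are supplied, since
 *         authentication is only supported for HTTPS through an HTTP proxy (handled by the caller)
 * @throws IOException if the underlying connect fails
 */
private static SSLSocket openProbeSocket(SSLSocketFactory sslSocketFactory, URI uri, Proxy proxy, String proxyUsername, String hostAddress, int port, long timeoutMillis) throws IOException {
    if (proxy != null) {
        if (proxyUsername != null) {
            throw new LocalizableValidationException("Proxy authentication supported " + "for HTTPS URI through HTTP Proxy only." + " URI: " + uri.toASCIIString() + ", Proxy: " + proxy.toString(), "security.certificate.proxy.authentication.not.supported.error", uri.toASCIIString(), proxy.toString());
        }
        Socket tunnel = new Socket(proxy);
        try {
            tunnel.connect(new InetSocketAddress(hostAddress, port), (int) timeoutMillis);
            // autoClose=true: closing the SSL socket closes the tunnel as well
            return (SSLSocket) sslSocketFactory.createSocket(tunnel, hostAddress, port, true);
        } catch (IOException | RuntimeException e) {
            closeQuietly(tunnel);
            throw e;
        }
    }
    SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket();
    try {
        if (SSL_CONNECT_USE_SNI) {
            List<SNIServerName> serverNames = new ArrayList<>(1);
            serverNames.add(new SNIHostName(hostAddress));
            SSLParameters params = sslSocket.getSSLParameters();
            params.setServerNames(serverNames);
            sslSocket.setSSLParameters(params);
        }
        sslSocket.connect(new InetSocketAddress(hostAddress, port), (int) timeoutMillis);
        return sslSocket;
    } catch (IOException | RuntimeException e) {
        closeQuietly(sslSocket);
        throw e;
    }
}

/**
 * Closes the socket, logging rather than propagating a failure.
 *
 * <p>Used on the cleanup path only, where a close error must not replace the outcome of the
 * probe itself.
 */
private static void closeQuietly(Socket socket) {
    try {
        socket.close();
    } catch (IOException e) {
        logger.throwing(logger.getName(), "closeQuietly", e);
    }
}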
use of javax.net.ssl.SSLParameters in project cosmic by MissionCriticalCloud.
the class ConsoleProxySecureServerFactoryImpl method createHttpServerInstance.
/**
 * Creates an HTTPS server listening on {@code port} with this factory's {@code sslContext}.
 *
 * <p>The server is bound to the wildcard address with a backlog of 5, and every connection
 * is configured with the context's default SSL parameters. Any failure during creation is
 * logged and {@code null} is returned rather than propagated.
 *
 * @param port TCP port to bind
 * @return the created server, or {@code null} if creation failed
 * @throws IOException declared for the interface; failures are caught and logged instead
 */
@Override
public HttpServer createHttpServerInstance(final int port) throws IOException {
    try {
        final HttpsServer httpsServer = HttpsServer.create(new InetSocketAddress(port), 5);
        httpsServer.setHttpsConfigurator(defaultParametersConfigurator());
        s_logger.info("create HTTPS server instance on port: " + port);
        return httpsServer;
    } catch (final Exception e) {
        s_logger.error(e.toString(), e);
        return null;
    }
}

/**
 * Builds a configurator that applies the context's default SSL parameters to each connection.
 *
 * <p>{@code setSSLParameters} may throw {@code IllegalArgumentException} if any parameter is
 * invalid, e.g. when an application UI lets a user supply them.
 */
private HttpsConfigurator defaultParametersConfigurator() {
    return new HttpsConfigurator(sslContext) {
        @Override
        public void configure(final HttpsParameters params) {
            final SSLContext context = getSSLContext();
            params.setSSLParameters(context.getDefaultSSLParameters());
        }
    };
}