Examples with SSLParameters javax.net.ssl.SSLParameters used on opensource projects

Example 31 with SSLParameters

use of javax.net.ssl.SSLParameters in project keystore-explorer by kaikramer.

the class CustomSslSocketFactory method disableSNI.

private void disableSNI(SSLSocket socket) {
    // effectively disable SNI by passing an empty server name list (works only in Java 8 or higher)
    SSLParameters sslParameters = socket.getSSLParameters();
    Method setServerNamesMethod;
    try {
        setServerNamesMethod = sslParameters.getClass().getMethod("setServerNames", List.class);
        setServerNamesMethod.invoke(sslParameters, new ArrayList<Object>());
        socket.setSSLParameters(sslParameters);
    } catch (Exception e) {
    // Java 6/7, nothing we can do here (setting jsse.enableSNIExtension wouldn't work here anymore)
    }
}

Example 32 with SSLParameters

use of javax.net.ssl.SSLParameters in project apache-kafka-on-k8s by banzaicloud.

the class SslTransportLayerTest method testClientEndpointNotValidated.

/**
 * According to RFC 2818:
 * <blockquote>Typically, the server has no external knowledge of what the client's
 * identity ought to be and so checks (other than that the client has a
 * certificate chain rooted in an appropriate CA) are not possible. If a
 * server has such knowledge (typically from some source external to
 * HTTP or TLS) it SHOULD check the identity as described above.</blockquote>
 *
 * However, Java SSL engine does not perform any endpoint validation for client IP address.
 * Hence it is safe to avoid reverse DNS lookup while creating the SSL engine. This test checks
 * that client validation does not fail even if the client certificate has an invalid hostname.
 * This test is to ensure that if client endpoint validation is added to Java in future, we can detect
 * and update Kafka SSL code to enable validation on the server-side and provide hostname if required.
 */
@Test
public void testClientEndpointNotValidated() throws Exception {
    String node = "0";
    // Create client certificate with an invalid hostname
    clientCertStores = new CertStores(false, "non-existent.com");
    serverCertStores = new CertStores(true, "localhost");
    sslServerConfigs = serverCertStores.getTrustingConfig(clientCertStores);
    sslClientConfigs = clientCertStores.getTrustingConfig(serverCertStores);
    // Create a server with endpoint validation enabled on the server SSL engine
    SslChannelBuilder serverChannelBuilder = new TestSslChannelBuilder(Mode.SERVER) {

        @Override
        protected TestSslTransportLayer newTransportLayer(String id, SelectionKey key, SSLEngine sslEngine) throws IOException {
            SSLParameters sslParams = sslEngine.getSSLParameters();
            sslParams.setEndpointIdentificationAlgorithm("HTTPS");
            sslEngine.setSSLParameters(sslParams);
            return super.newTransportLayer(id, key, sslEngine);
        }
    };
    serverChannelBuilder.configure(sslServerConfigs);
    server = new NioEchoServer(ListenerName.forSecurityProtocol(SecurityProtocol.SSL), SecurityProtocol.SSL, new TestSecurityConfig(sslServerConfigs), "localhost", serverChannelBuilder, null);
    server.start();
    createSelector(sslClientConfigs);
    InetSocketAddress addr = new InetSocketAddress("localhost", server.port());
    selector.connect(node, addr, BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.checkClientConnection(selector, node, 100, 10);
}

Example 33 with SSLParameters

use of javax.net.ssl.SSLParameters in project Bytecoder by mirkosertic.

the class SSLServerSocketImpl method getSSLParameters.

/**
 * Returns the SSLParameters in effect for newly accepted connections.
 */
@Override
public synchronized SSLParameters getSSLParameters() {
    SSLParameters params = super.getSSLParameters();
    // the super implementation does not handle the following parameters
    params.setEndpointIdentificationAlgorithm(identificationProtocol);
    params.setAlgorithmConstraints(algorithmConstraints);
    params.setSNIMatchers(sniMatchers);
    params.setUseCipherSuitesOrder(preferLocalCipherSuites);
    params.setApplicationProtocols(applicationProtocols);
    return params;
}

Example 34 with SSLParameters

use of javax.net.ssl.SSLParameters in project photon-model by vmware.

the class CertificateUtil method resolveCertificate.

public static X509TrustManagerResolver resolveCertificate(URI uri, Proxy proxy, String proxyUsername, String proxyPassword, long timeoutMillis) {
    logger.entering(logger.getName(), "resolveCertificate");
    X509TrustManagerResolver trustManagerResolver = new X509TrustManagerResolver();
    SSLContext sslContext;
    try {
        sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, new TrustManager[] { trustManagerResolver }, null);
    } catch (KeyManagementException | NoSuchAlgorithmException e) {
        logger.throwing(logger.getName(), "connect", e);
        throw new LocalizableValidationException(e, "Failed to initialize SSL context.", "security.certificate.context.init.error");
    }
    String hostAddress = uri.getHost();
    int port = uri.getPort() == -1 ? DEFAULT_SECURE_CONNECTION_PORT : uri.getPort();
    String uriScheme = uri.getScheme();
    String host = String.format("%s://%s:%d", uriScheme, hostAddress, port);
    try {
        SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
        if (proxy != null && proxy.type() == Type.HTTP && proxyUsername != null && UriUtils.HTTPS_SCHEME.equalsIgnoreCase(uriScheme)) {
            URL url = uri.toURL();
            handleCertForHttpsThroughHttpProxyWithAuth(url, proxy, proxyUsername, proxyPassword, timeoutMillis, sslSocketFactory);
        } else {
            SSLSocket sslSocket;
            if (proxy != null) {
                if (proxyUsername != null) {
                    throw new LocalizableValidationException("Proxy authentication supported " + "for HTTPS URI through HTTP Proxy only." + " URI: " + uri.toASCIIString() + ", Proxy: " + proxy.toString(), "security.certificate.proxy.authentication.not.supported.error", uri.toASCIIString(), proxy.toString());
                }
                Socket tunnel = new Socket(proxy);
                tunnel.connect(new InetSocketAddress(hostAddress, port), (int) timeoutMillis);
                sslSocket = (SSLSocket) sslSocketFactory.createSocket(tunnel, hostAddress, port, true);
            } else {
                sslSocket = (SSLSocket) sslSocketFactory.createSocket();
                if (SSL_CONNECT_USE_SNI) {
                    SNIHostName serverName = new SNIHostName(hostAddress);
                    List<SNIServerName> serverNames = new ArrayList<>(1);
                    serverNames.add(serverName);
                    SSLParameters params = sslSocket.getSSLParameters();
                    params.setServerNames(serverNames);
                    sslSocket.setSSLParameters(params);
                }
                sslSocket.connect(new InetSocketAddress(hostAddress, port), (int) timeoutMillis);
            }
            SSLSession session = sslSocket.getSession();
            session.invalidate();
        }
    } catch (IOException e) {
        try {
            if (trustManagerResolver.isCertsTrusted() || trustManagerResolver.getCertificateChain().length == 0) {
                Utils.logWarning("Exception while resolving certificate for host: [%s]. Error: %s ", host, e.getMessage());
            } else {
                logger.throwing(logger.getName(), "connect", e);
                throw new IllegalArgumentException(e.getMessage(), e);
            }
        } catch (IllegalStateException ise) {
            throw new LocalizableValidationException(e, String.format("Cannot connect to host: [%s]. Error: %s", host, e.getMessage()), "security.certificate.connection.error", host, e.getMessage());
        }
    }
    if (trustManagerResolver.getCertificateChain().length == 0) {
        LocalizableValidationException e = new LocalizableValidationException("Check ssl certificate failed for server: " + host, "security.certificate.check.error", host);
        logger.throwing(logger.getName(), "connect", e);
        throw e;
    }
    logger.exiting(logger.getName(), "resolveCertificate");
    return trustManagerResolver;
}

Example 35 with SSLParameters

use of javax.net.ssl.SSLParameters in project cosmic by MissionCriticalCloud.

the class ConsoleProxySecureServerFactoryImpl method createHttpServerInstance.

@Override
public HttpServer createHttpServerInstance(final int port) throws IOException {
    try {
        final HttpsServer server = HttpsServer.create(new InetSocketAddress(port), 5);
        server.setHttpsConfigurator(new HttpsConfigurator(sslContext) {

            @Override
            public void configure(final HttpsParameters params) {
                final SSLContext c = getSSLContext();
                // get the default parameters
                final SSLParameters sslparams = c.getDefaultSSLParameters();
                params.setSSLParameters(sslparams);
            // statement above could throw IAE if any params invalid.
            // eg. if app has a UI and parameters supplied by a user.
            }
        });
        s_logger.info("create HTTPS server instance on port: " + port);
        return server;
    } catch (final Exception ioe) {
        s_logger.error(ioe.toString(), ioe);
    }
    return null;
}