javax.net.ssl.SSLParameters Java Examples

The following examples show how to use javax.net.ssl.SSLParameters. Each example links to its original project and source file above the code; related API usage is listed in the sidebar.
Example #1
Source File: SslServerInitializerTest.java    From nomulus with Apache License 2.0 7 votes vote down vote up
/**
 * Builds a Netty client {@link ChannelInitializer} whose {@link SslHandler} trusts
 * {@code trustedCertificate} and, when both {@code privateKey} and {@code certificate} are
 * supplied, presents them as the client identity (mutual TLS).
 * <p>
 * Hostname verification is switched on through the "HTTPS" endpoint identification
 * algorithm: without it JSSE validates the certificate chain but never checks that the
 * certificate was issued for {@code SSL_HOST}, so a valid-but-wrong certificate would be
 * accepted.
 *
 * @param trustedCertificate the certificate the client trusts for the server
 * @param privateKey client key, or {@code null} for no client certificate
 * @param certificate client certificate, or {@code null} for no client certificate
 * @return the initializer that installs the configured {@link SslHandler}
 */
private ChannelHandler getClientHandler(
    X509Certificate trustedCertificate, PrivateKey privateKey, X509Certificate certificate) {
  return new ChannelInitializer<LocalChannel>() {
    @Override
    protected void initChannel(LocalChannel ch) throws Exception {
      boolean presentClientIdentity = privateKey != null && certificate != null;
      SslContextBuilder builder =
          SslContextBuilder.forClient()
              .trustManager(trustedCertificate)
              .sslProvider(sslProvider);
      if (presentClientIdentity) {
        builder.keyManager(privateKey, certificate);
      }
      SslHandler handler = builder.build().newHandler(ch.alloc(), SSL_HOST, SSL_PORT);

      // Turn on hostname verification against SSL_HOST (chain validation alone does not
      // check the subject).
      SSLEngine engine = handler.engine();
      SSLParameters params = engine.getSSLParameters();
      params.setEndpointIdentificationAlgorithm("HTTPS");
      engine.setSSLParameters(params);

      ch.pipeline().addLast(handler);
    }
  };
}
 
Example #2
Source File: PjedisFactory.java    From pepper-metrics with Apache License 2.0 6 votes vote down vote up
/**
 * Creates a factory for connections to the Redis server at {@code host:port}.
 * <p>
 * All arguments are stored as given; the TLS trio ({@code sslSocketFactory},
 * {@code sslParameters}, {@code hostnameVerifier}) is only meaningful when {@code ssl} is
 * {@code true}. The namespace is taken from {@code JedisPropsHolder.NAMESPACE} when that
 * property is non-empty, otherwise the field keeps its default.
 */
public PjedisFactory(final String host, final int port, final int connectionTimeout,
                    final int soTimeout, final String password, final int database, final String clientName,
                    final boolean ssl, final SSLSocketFactory sslSocketFactory, final SSLParameters sslParameters,
                    final HostnameVerifier hostnameVerifier) {
  // Connection target.
  this.hostAndPort.set(new HostAndPort(host, port));

  // Transport security settings.
  this.ssl = ssl;
  this.sslSocketFactory = sslSocketFactory;
  this.sslParameters = sslParameters;
  this.hostnameVerifier = hostnameVerifier;

  // Timeouts and session identity.
  this.connectionTimeout = connectionTimeout;
  this.soTimeout = soTimeout;
  this.password = password;
  this.database = database;
  this.clientName = clientName;

  // Optional namespace override from the property holder.
  String configuredNamespace = JedisPropsHolder.NAMESPACE.get();
  if (StringUtils.isNotEmpty(configuredNamespace)) {
    this.namespace = configuredNamespace;
  }
}
 
Example #3
Source File: Jdk9Platform.java    From styT with Apache License 2.0 6 votes vote down vote up
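/**
 * Advertises the ALPN protocols in {@code protocols} on {@code sslSocket} by invoking the
 * reflectively resolved {@code setProtocolMethod} (presumably
 * {@code SSLParameters.setApplicationProtocols}, which is not available on every platform)
 * and writing the parameters back before the handshake.
 *
 * @param sslSocket the socket to configure
 * @param hostname not used by this implementation
 * @param protocols application protocols to offer, in preference order
 * @throws AssertionError if the reflective call is inaccessible or throws; the underlying
 *     exception is attached as the cause so the failure can be diagnosed
 */
@RequiresApi(api = Build.VERSION_CODES.KITKAT)
@Override
public void configureTlsExtensions(SSLSocket sslSocket, String hostname,
    List<Protocol> protocols) {
  try {
    SSLParameters sslParameters = sslSocket.getSSLParameters();

    List<String> names = alpnProtocolNames(protocols);

    // The target takes a single String[] argument, so the array is wrapped in the varargs
    // Object[] to stop reflection from spreading its elements.
    setProtocolMethod.invoke(sslParameters,
        new Object[] {names.toArray(new String[0])});

    sslSocket.setSSLParameters(sslParameters);
  } catch (IllegalAccessException | InvocationTargetException e) {
    // Keep the cause: a bare AssertionError hid why ALPN setup failed.
    throw new AssertionError("Failed to set ALPN protocols via SSLParameters", e);
  }
}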
 
Example #4
Source File: ImpersonatingMitmManager.java    From AndroidHttpCapture with MIT License 6 votes vote down vote up
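/**
 * Creates the {@link SSLEngine} for the proxy's own outbound connection to the upstream
 * server at {@code peerHost:peerPort}.
 * <p>
 * The engine's current parameters are read and updated rather than replaced with a blank
 * {@code new SSLParameters()}, so settings the upstream context already applied are kept.
 * On API level {@code N} and above the "HTTPS" endpoint identification algorithm is enabled,
 * making the trust manager check that the upstream certificate matches {@code peerHost};
 * on older levels that check is skipped and the upstream hostname is not verified.
 *
 * @param peerHost upstream host name
 * @param peerPort upstream port
 * @return the configured engine
 * @throws MitmException if the engine cannot be created
 */
@Override
public SSLEngine serverSslEngine(String peerHost, int peerPort) {
    try {
        SSLEngine sslEngine = upstreamServerSslContext.get().newEngine(ByteBufAllocator.DEFAULT, peerHost, peerPort);

        // Hostname verification for the upstream certificate (endpoint identification is
        // distinct from SNI). Supported on Android N+ / Java 7+.
        SSLParameters sslParams = sslEngine.getSSLParameters();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {
            sslParams.setEndpointIdentificationAlgorithm("HTTPS");
        }
        sslEngine.setSSLParameters(sslParams);

        return sslEngine;
    } catch (RuntimeException e) {
        throw new MitmException("Error creating SSLEngine for connection to upstream server: " + peerHost + ":" + peerPort, e);
    }
}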
 
Example #5
Source File: HttpClientExamples.java    From hellokoding-courses with MIT License 6 votes vote down vote up
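/**
 * Shows every {@link HttpClient.Builder} option in one place and checks that the configured
 * connect timeout is reported back by the built client.
 * <p>
 * The "user"/"pass" pair is a placeholder for the example; real credentials belong in
 * configuration, not in source. The executor is held in a local and shut down afterwards
 * so the test does not leak its worker threads.
 *
 * @throws NoSuchAlgorithmException if the default {@link SSLContext} is unavailable
 */
@Test
public void createAnHTTPClient() throws NoSuchAlgorithmException {
    // Kept in a local so it can be shut down once the client has been built.
    var executor = Executors.newFixedThreadPool(2);
    try {
        HttpClient client = HttpClient.newBuilder()
            .version(HttpClient.Version.HTTP_2)
            .proxy(ProxySelector.getDefault())
            .followRedirects(HttpClient.Redirect.NEVER)
            .authenticator(new Authenticator() {
                @Override
                protected PasswordAuthentication getPasswordAuthentication() {
                    // Placeholder credentials for the example only.
                    return new PasswordAuthentication("user", "pass".toCharArray());
                }
            })
            .cookieHandler(new CookieManager())
            .executor(executor)
            .priority(1)
            .sslContext(SSLContext.getDefault())
            .sslParameters(new SSLParameters())
            .connectTimeout(Duration.ofSeconds(1))
            .build();

        assertThat(client.connectTimeout()).get().isEqualTo(Duration.ofSeconds(1));
    } finally {
        executor.shutdown();
    }
}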
 
Example #6
Source File: AnonSslSocketFactoryProvider.java    From openAGV with Apache License 2.0 6 votes vote down vote up
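/**
 * Returns the anonymous cipher suites (names containing "anon") supported by the default
 * {@link SSLContext}, or {@code null} if accessing the default SSLContext fails.
 * <p>
 * {@link SslRMIClientSocketFactory} and {@link SslRMIServerSocketFactory}, and therefore
 * {@link AnonSslClientSocketFactory} and {@link AnonSslServerSocketFactory}, use the
 * default SSLContext to create SSL sockets (unless it is set explicitly). The default
 * SSLContext is therefore used to read the supported cipher suites and filter the
 * anonymous ones.
 * </p>
 * Anonymous suites perform no peer authentication, so they only make sense where the
 * endpoints are authenticated by other means.
 * <p>
 * Note: Getting the default SSLContext only works if the system properties for keystore and
 * truststore are not set, or if they are set and the corresponding files exist.
 *
 * @return An array of anonymous cipher suites supported by the default SSL context, or
 * {@code null} if accessing the default SSLContext fails.
 */
@Nullable
public static String[] getAnonymousCipherSuites() {
  try {
    SSLParameters supported = SSLContext.getDefault().getSupportedSSLParameters();
    List<String> anonymous = new ArrayList<>();
    for (String suite : supported.getCipherSuites()) {
      // Fold case with a fixed locale: suite names are protocol identifiers and must not be
      // affected by the default locale's casing rules.
      if (suite.toLowerCase(java.util.Locale.ROOT).contains("anon")) {
        anonymous.add(suite);
      }
    }
    return anonymous.toArray(new String[0]);
  }
  catch (NoSuchAlgorithmException ex) {
    LOG.error("Error accessing the default SSLContext.", ex);
    return null;
  }
}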
 
Example #7
Source File: Http2TestServer.java    From openjdk-jdk9 with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Opens a TLS server socket on {@code port} that advertises "h2" through ALPN, using
 * {@code sslContext} when one was supplied and the JSSE default factory otherwise.
 * <p>
 * Every supported cipher suite and protocol version is then enabled, including ones the
 * provider leaves disabled by default. That is convenient for this test server but is not a
 * configuration to copy into production code.
 *
 * @param port the port to bind
 * @return the bound, configured server socket
 * @throws Exception if the socket cannot be created or configured
 */
final ServerSocket initSecure(int port) throws Exception {
    ServerSocketFactory factory = sslContext == null
            ? SSLServerSocketFactory.getDefault()
            : sslContext.getServerSocketFactory();
    SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(port);

    // ALPN: offer HTTP/2 only.
    SSLParameters parameters = server.getSSLParameters();
    parameters.setApplicationProtocols(new String[]{"h2"});
    server.setSSLParameters(parameters);

    // Widen the enabled set to everything the provider supports.
    server.setEnabledCipherSuites(server.getSupportedCipherSuites());
    server.setEnabledProtocols(server.getSupportedProtocols());
    // other initialisation here
    return server;
}
 
Example #8
Source File: UndertowXnioSsl.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * XNIO open callback: wraps the freshly connected {@code connection} in TLS.
 * <p>
 * The engine is built from {@code sslContext}/{@code optionMap} for {@code destination}
 * and the destination's host string is sent as the SNI server name so the remote side can
 * select the matching certificate. Any failure, including a rejected SNI value, is reported
 * through {@code futureResult} as an {@link IOException} instead of propagating.
 * <p>
 * NOTE(review): if {@code destination} carries an IP literal, that literal still goes into
 * SNI, which RFC 6066 does not permit — confirm callers always pass host names.
 */
public void handleEvent(final StreamConnection connection) {
    try {
        SSLEngine engine = JsseSslUtils.createSSLEngine(sslContext, optionMap, destination);

        String sniHost = destination.getHostString();
        SSLParameters parameters = engine.getSSLParameters();
        parameters.setServerNames(Collections.singletonList(new SNIHostName(sniHost)));
        engine.setSSLParameters(parameters);

        final SslConnection tlsConnection = new UndertowSslConnection(connection, engine, bufferPool);
        if (futureResult.setResult(tlsConnection)) {
            ChannelListeners.invokeChannelListener(tlsConnection, openListener);
        } else {
            // The future was already completed (e.g. cancelled): nobody will use the connection.
            IoUtils.safeClose(connection);
        }
    } catch (Throwable e) {
        futureResult.setException(new IOException(e));
    }
}
 
Example #9
Source File: TlsContextBasedProvider.java    From vespa with Apache License 2.0 6 votes vote down vote up
/**
 * Builds a Jetty server-side {@link SslContextFactory} from the {@link TlsContext} for
 * {@code containerId}/{@code port}: the context's {@link SSLContext} is used as-is, and its
 * {@link SSLParameters} decide the client-authentication mode and the enabled protocols and
 * cipher suites.
 *
 * @param containerId identifies the container whose TLS context is requested
 * @param port the listening port the factory is for
 * @return a configured server factory
 */
@Override
public final SslContextFactory getInstance(String containerId, int port) {
    TlsContext tls = getTlsContext(containerId, port);
    SSLContext context = tls.context();
    SSLParameters params = tls.parameters();

    SslContextFactory.Server factory = new SslContextFactory.Server();
    factory.setSslContext(context);

    // Client-certificate policy follows the parameters verbatim.
    factory.setNeedClientAuth(params.getNeedClientAuth());
    factory.setWantClientAuth(params.getWantClientAuth());

    List<String> protocols = List.of(params.getProtocols());
    setEnabledProtocols(factory, context, protocols);
    List<String> cipherSuites = List.of(params.getCipherSuites());
    setEnabledCipherSuites(factory, context, cipherSuites);

    return factory;
}
 
Example #10
Source File: Java8SslUtils.java    From netty-4.1.22 with Apache License 2.0 6 votes vote down vote up
/**
 * Extracts the ASCII host names from the SNI server names configured on
 * {@code sslParameters}.
 *
 * @param sslParameters parameters whose server names are read; a {@code null} or empty
 *     list yields an empty result
 * @return the ASCII names in configured order, or an empty list when none are set
 * @throws IllegalArgumentException if any entry is not an {@link SNIHostName}, the only
 *     SNI name type handled here
 */
static List<String> getSniHostNames(SSLParameters sslParameters) {
    List<SNIServerName> serverNames = sslParameters.getServerNames();
    if (serverNames == null || serverNames.isEmpty()) {
        return Collections.emptyList();
    }

    List<String> hostNames = new ArrayList<String>(serverNames.size());
    for (SNIServerName serverName : serverNames) {
        // Guard clause: anything other than host_name is unsupported.
        if (!(serverName instanceof SNIHostName)) {
            throw new IllegalArgumentException("Only " + SNIHostName.class.getName()
                    + " instances are supported, but found: " + serverName);
        }
        hostNames.add(((SNIHostName) serverName).getAsciiName());
    }
    return hostNames;
}
 
Example #11
Source File: NonBlockingConnectionTLSDelegate.java    From qpid-broker-j with Apache License 2.0 6 votes vote down vote up
/**
 * Creates a server-mode {@link SSLEngine} for {@code port}.
 * <p>
 * The port's protocol and cipher-suite allow/deny lists are applied through
 * {@code SSLUtil}; when an explicit cipher-suite allow list is present the server's own
 * ordering is enforced during negotiation. Client authentication is required when the port
 * says so, otherwise merely requested if the port wants it.
 *
 * @param port the AMQP port supplying the TLS configuration
 * @return the configured engine
 */
private SSLEngine createSSLEngine(AmqpPort<?> port)
{
    SSLEngine engine = port.getSSLContext().createSSLEngine();
    engine.setUseClientMode(false);
    SSLUtil.updateEnabledTlsProtocols(engine, port.getTlsProtocolWhiteList(), port.getTlsProtocolBlackList());
    SSLUtil.updateEnabledCipherSuites(engine, port.getTlsCipherSuiteWhiteList(), port.getTlsCipherSuiteBlackList());

    // An explicit allow list doubles as a preference order: let the server, not the client,
    // decide which suite is negotiated.
    boolean hasCipherSuiteAllowList = port.getTlsCipherSuiteWhiteList() != null
            && !port.getTlsCipherSuiteWhiteList().isEmpty();
    if (hasCipherSuiteAllowList)
    {
        SSLParameters parameters = engine.getSSLParameters();
        parameters.setUseCipherSuitesOrder(true);
        engine.setSSLParameters(parameters);
    }

    // "need" takes precedence over "want".
    if (port.getNeedClientAuth())
    {
        engine.setNeedClientAuth(true);
    }
    else if (port.getWantClientAuth())
    {
        engine.setWantClientAuth(true);
    }
    return engine;
}
 
Example #12
Source File: SSLSocketTest.java    From j2objc with Apache License 2.0 5 votes vote down vote up
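/**
 * Verifies that an SNI host name set on the client reaches the server: the client offers
 * "www.example.com", the server is configured with a matcher for exactly that name, and after
 * the handshake the server session must report one requested name of type
 * {@link StandardConstants#SNI_HOST_NAME} with that ASCII value.
 * <p>
 * The client handshake runs on a worker thread; its future is joined after the server
 * handshake so a client-side failure fails the test instead of being lost. Sockets and the
 * executor are released in {@code finally}.
 *
 * @throws Exception on any socket, handshake or assertion failure
 */
public void test_SSLSocket_SNIHostName() throws Exception {
    TestSSLContext c = TestSSLContext.create();

    final SSLSocket client = (SSLSocket) c.clientContext.getSocketFactory().createSocket();
    SSLSocket server = null;
    ExecutorService executor = Executors.newSingleThreadExecutor();
    try {
        SSLParameters clientParams = client.getSSLParameters();
        clientParams.setServerNames(Collections.singletonList(
                (SNIServerName) new SNIHostName("www.example.com")));
        client.setSSLParameters(clientParams);

        // The server only accepts a ClientHello whose host_name matches this pattern.
        SSLParameters serverParams = c.serverSocket.getSSLParameters();
        serverParams.setSNIMatchers(Collections.singletonList(
                SNIHostName.createSNIMatcher("www\\.example\\.com")));
        c.serverSocket.setSSLParameters(serverParams);

        client.connect(new InetSocketAddress(c.host, c.port));
        server = (SSLSocket) c.serverSocket.accept();

        Future<Void> clientHandshake = executor.submit(new Callable<Void>() {
            @Override public Void call() throws Exception {
                client.startHandshake();
                return null;
            }
        });
        server.startHandshake();
        // Surface any client-side handshake exception; previously the future was never joined.
        clientHandshake.get();

        SSLSession serverSession = server.getSession();
        assertTrue(serverSession instanceof ExtendedSSLSession);
        ExtendedSSLSession extendedServerSession = (ExtendedSSLSession) serverSession;
        List<SNIServerName> requestedNames = extendedServerSession.getRequestedServerNames();
        assertNotNull(requestedNames);
        assertEquals(1, requestedNames.size());
        SNIServerName serverName = requestedNames.get(0);
        assertEquals(StandardConstants.SNI_HOST_NAME, serverName.getType());
        assertTrue(serverName instanceof SNIHostName);
        SNIHostName serverHostName = (SNIHostName) serverName;
        assertEquals("www.example.com", serverHostName.getAsciiName());
    } finally {
        executor.shutdownNow();
        if (server != null) {
            server.close();
        }
        client.close();
    }
}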
 
Example #13
Source File: SSLServerSocketImpl.java    From jdk8u-dev-jdk with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Applies {@code params} to this server socket so that every subsequently accepted
 * connection inherits them.
 * <p>
 * The superclass handles the generic settings; the fields updated below are the ones it
 * does not propagate: endpoint identification algorithm, algorithm constraints, local
 * cipher-suite preference and SNI matchers. A {@code null} matcher collection leaves the
 * existing matchers untouched.
 *
 * @param params the parameters to apply
 */
@Override
public synchronized void setSSLParameters(SSLParameters params) {
    super.setSSLParameters(params);

    // Settings the super implementation does not carry over.
    identificationProtocol = params.getEndpointIdentificationAlgorithm();
    algorithmConstraints = params.getAlgorithmConstraints();
    preferLocalCipherSuites = params.getUseCipherSuitesOrder();

    Collection<SNIMatcher> matchers = params.getSNIMatchers();
    if (matchers != null) {
        sniMatchers = matchers;
    }
}
 
Example #14
Source File: PjedisPool.java    From pepper-metrics with Apache License 2.0 5 votes vote down vote up
/**
 * Creates a pool for the Redis server identified by {@code uri}.
 * <p>
 * TLS is enabled exactly when the URI scheme is {@code rediss}; the {@code null} fourth
 * factory argument is passed through unchanged.
 */
public PjedisPool(final GenericObjectPoolConfig poolConfig, final URI uri,
                 final int connectionTimeout, final int soTimeout, final SSLSocketFactory sslSocketFactory,
                 final SSLParameters sslParameters, final HostnameVerifier hostnameVerifier) {
  // "rediss".equals(null) is false, so a scheme-less URI yields a plaintext connection.
  super(poolConfig, new PjedisFactory(uri, connectionTimeout, soTimeout, null,
          "rediss".equals(uri.getScheme()), sslSocketFactory, sslParameters, hostnameVerifier));
}
 
Example #15
Source File: TracingJedisPool.java    From java-redis-client with Apache License 2.0 5 votes vote down vote up
/**
 * Creates a tracing-enabled pool for {@code host:port} with explicit authentication,
 * database and TLS settings. Everything except {@code tracingConfiguration} is delegated
 * to the superclass constructor.
 */
public TracingJedisPool(
    final GenericObjectPoolConfig poolConfig,
    final String host,
    final int port,
    final int timeout,
    final String password,
    final int database,
    final boolean ssl,
    final SSLSocketFactory sslSocketFactory,
    final SSLParameters sslParameters,
    final HostnameVerifier hostnameVerifier,
    TracingConfiguration tracingConfiguration) {
  super(
      poolConfig, host, port, timeout, password, database, ssl,
      sslSocketFactory, sslParameters, hostnameVerifier);
  this.tracingConfiguration = tracingConfiguration;
}
 
Example #16
Source File: EnableTLSv12.java    From tutorials with MIT License 5 votes vote down vote up
/**
 * Opens a TLS socket to {@code url}:{@code port} restricted to TLSv1.2 via a fresh
 * {@link SSLParameters}, performs the handshake and hands the socket to
 * {@code handleCommunication}.
 * <p>
 * Only the protocol list is set on the new parameters; per
 * {@link SSLSocket#setSSLParameters(SSLParameters)} a {@code null} cipher-suite list leaves
 * the factory's enabled suites unchanged. No endpoint identification algorithm is set, so
 * JSSE validates the certificate chain but not that the certificate belongs to {@code url}.
 *
 * @throws UnknownHostException if {@code url} cannot be resolved
 * @throws IOException on connection or handshake failure
 */
public void enableTLSv12UsingSSLParameters() throws UnknownHostException, IOException {
    SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
    SSLSocket socket = (SSLSocket) factory.createSocket(url.trim(), port);

    // Pin the protocol version; everything else keeps the socket's defaults.
    SSLParameters tlsv12Only = new SSLParameters();
    tlsv12Only.setProtocols(new String[] {"TLSv1.2"});
    socket.setSSLParameters(tlsv12Only);

    socket.startHandshake();
    handleCommunication(socket, "SSLSocketFactory-SSLParameters");
}
 
Example #17
Source File: TracingJedisPool.java    From java-redis-client with Apache License 2.0 5 votes vote down vote up
/**
 * Creates a tracing-enabled pool for {@code host:port} using the superclass defaults for
 * timeout, password and database. Only {@code tracingConfiguration} is stored here.
 */
public TracingJedisPool(
    final GenericObjectPoolConfig poolConfig,
    final String host,
    final int port,
    final boolean ssl,
    final SSLSocketFactory sslSocketFactory,
    final SSLParameters sslParameters,
    final HostnameVerifier hostnameVerifier,
    TracingConfiguration tracingConfiguration) {
  super(poolConfig, host, port, ssl, sslSocketFactory, sslParameters, hostnameVerifier);
  this.tracingConfiguration = tracingConfiguration;
}
 
Example #18
Source File: UnboundSSLUtils.java    From dragonwell8_jdk with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Connects a client {@link SSLSocket} to {@code host:port} through the default
 * {@link SSLContext} and wraps it in an {@link SSLClient}.
 * <p>
 * When {@code cipherSuiteFilter} is given, the enabled suites are the supported ones that
 * pass {@code UnboundSSLUtils.filterStringArray}; otherwise the cipher-suite list on the new
 * parameters stays {@code null} and the socket's defaults apply. When {@code sniHostName}
 * is given it is sent as the SNI host_name. Both choices are echoed to standard output.
 *
 * @param host server host
 * @param port server port
 * @param cipherSuiteFilter filter for the enabled cipher suites, or {@code null}
 * @param sniHostName SNI host name to send, or {@code null}
 * @return the wrapped client socket (handshake not yet started here)
 * @throws NoSuchAlgorithmException if the default context is unavailable
 * @throws IOException if the socket cannot be created
 */
static SSLClient init(String host, int port, String cipherSuiteFilter,
        String sniHostName) throws NoSuchAlgorithmException, IOException {
    SSLContext context = SSLContext.getDefault();
    SSLSocketFactory factory = (SSLSocketFactory) context.getSocketFactory();
    SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

    SSLParameters params = new SSLParameters();
    if (cipherSuiteFilter != null) {
        String[] suites = UnboundSSLUtils.filterStringArray(
                factory.getSupportedCipherSuites(), cipherSuiteFilter);
        System.out.println("Client: enabled cipher suites: "
                + Arrays.toString(suites));
        params.setCipherSuites(suites);
    }
    if (sniHostName != null) {
        System.out.println("Client: set SNI hostname: " + sniHostName);
        List<SNIServerName> serverNames = new ArrayList<>();
        serverNames.add(new SNIHostName(sniHostName));
        params.setServerNames(serverNames);
    }
    socket.setSSLParameters(params);

    return new SSLClient(socket);
}
 
Example #19
Source File: SSLContextValidatorEngine.java    From pulsar with Apache License 2.0 5 votes vote down vote up
/**
 * Creates the engine this validator uses for {@code peerHost:peerPort}.
 * <p>
 * In {@code Mode.SERVER} client certificates are required. Otherwise the engine is put in
 * client mode and its parameters are read and written back unmodified — a round trip that
 * changes nothing; in particular no endpoint identification algorithm is set, so the peer
 * host name is not verified by this engine. NOTE(review): confirm that is intended for a
 * context validator.
 *
 * @param sslContext context the engine is created from
 * @param peerHost peer host hint passed to the context
 * @param peerPort peer port hint passed to the context
 * @return the configured engine
 */
private SSLEngine createSslEngine(SSLContext sslContext, String peerHost, int peerPort) {
    SSLEngine engine = sslContext.createSSLEngine(peerHost, peerPort);

    if (mode != Mode.SERVER) {
        engine.setUseClientMode(true);
        // Parameters are re-applied as-is.
        SSLParameters params = engine.getSSLParameters();
        engine.setSSLParameters(params);
    } else {
        engine.setNeedClientAuth(true);
    }
    return engine;
}
 
Example #20
Source File: SSLServerSocketImpl.java    From openjdk-jdk8u-backup with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Applies {@code params} to this server socket so that every subsequently accepted
 * connection inherits them.
 * <p>
 * The superclass handles the generic settings; the fields updated below are the ones it
 * does not propagate: endpoint identification algorithm, algorithm constraints, local
 * cipher-suite preference and SNI matchers. A {@code null} matcher collection leaves the
 * existing matchers untouched.
 *
 * @param params the parameters to apply
 */
@Override
public synchronized void setSSLParameters(SSLParameters params) {
    super.setSSLParameters(params);

    // Settings the super implementation does not carry over.
    identificationProtocol = params.getEndpointIdentificationAlgorithm();
    algorithmConstraints = params.getAlgorithmConstraints();
    preferLocalCipherSuites = params.getUseCipherSuitesOrder();

    Collection<SNIMatcher> matchers = params.getSNIMatchers();
    if (matchers != null) {
        sniMatchers = matchers;
    }
}
 
Example #21
Source File: SSLConfigurationAsserts.java    From j2objc with Apache License 2.0 5 votes vote down vote up
/**
 * Asserts that {@code sslContext} exposes the expected default configuration and that the
 * {@link SSLSocketFactory}, {@link SSLServerSocketFactory}, {@link SSLSocket},
 * {@link SSLServerSocket} and {@link SSLEngine} instances it creates agree with it.
 * <p>
 * Checked in order: default protocols and cipher suites, no client auth wanted or needed
 * by default; supported cipher suites and protocols, again no client auth; every default
 * (enabled) suite and protocol is also in the supported set; then the derived factories and
 * a fresh engine, which must start in server mode.
 *
 * @param sslContext the context under test
 * @throws IOException propagated from the factory checks
 */
public static void assertSSLContextDefaultConfiguration(SSLContext sslContext)
    throws IOException {
  // Defaults: what a new socket/engine starts with.
  SSLParameters defaults = sslContext.getDefaultSSLParameters();
  String[] defaultProtocols = defaults.getProtocols();
  String[] defaultCipherSuites = defaults.getCipherSuites();
  StandardNames.assertSSLContextEnabledProtocols(sslContext.getProtocol(), defaultProtocols);
  StandardNames.assertDefaultCipherSuites(defaultCipherSuites);
  assertFalse(defaults.getWantClientAuth());
  assertFalse(defaults.getNeedClientAuth());

  // Supported: everything the provider can be told to enable.
  SSLParameters supported = sslContext.getSupportedSSLParameters();
  String[] supportedCipherSuites = supported.getCipherSuites();
  String[] supportedProtocols = supported.getProtocols();
  StandardNames.assertSupportedCipherSuites(supportedCipherSuites);
  StandardNames.assertSupportedProtocols(supportedProtocols);
  assertFalse(supported.getWantClientAuth());
  assertFalse(supported.getNeedClientAuth());

  // Defaults must be a subset of what is supported.
  assertContainsAll("Unsupported enabled cipher suites", supportedCipherSuites,
      defaultCipherSuites);
  assertContainsAll("Unsupported enabled protocols", supportedProtocols,
      defaultProtocols);

  // Derived factories and a fresh engine must mirror the context.
  assertSSLSocketFactoryConfigSameAsSSLContext(sslContext.getSocketFactory(), sslContext);
  assertSSLServerSocketFactoryConfigSameAsSSLContext(sslContext.getServerSocketFactory(),
      sslContext);

  SSLEngine engine = sslContext.createSSLEngine();
  assertFalse(engine.getUseClientMode());
  assertSSLEngineConfigSameAsSSLContext(engine, sslContext);
}
 
Example #22
Source File: TracingJedisPool.java    From java-redis-client with Apache License 2.0 5 votes vote down vote up
/**
 * Creates a tracing-enabled pool for the server identified by {@code uri} with explicit
 * connection and socket timeouts and TLS settings. Everything except
 * {@code tracingConfiguration} is delegated to the superclass constructor.
 */
public TracingJedisPool(
    final GenericObjectPoolConfig poolConfig,
    final URI uri,
    final int connectionTimeout,
    final int soTimeout,
    final SSLSocketFactory sslSocketFactory,
    final SSLParameters sslParameters,
    final HostnameVerifier hostnameVerifier,
    TracingConfiguration tracingConfiguration) {
  super(
      poolConfig, uri, connectionTimeout, soTimeout,
      sslSocketFactory, sslParameters, hostnameVerifier);
  this.tracingConfiguration = tracingConfiguration;
}
 
Example #23
Source File: ImpersonatingMitmManager.java    From browserup-proxy with Apache License 2.0 5 votes vote down vote up
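/**
 * Creates the {@link SSLEngine} for the proxy's own outbound connection to the upstream
 * server at {@code peerHost:peerPort}.
 * <p>
 * The engine's current parameters are read and updated rather than replaced with a blank
 * {@code new SSLParameters()}, so settings the upstream context already applied are kept.
 * The "HTTPS" endpoint identification algorithm is enabled, making the trust manager check
 * that the upstream certificate matches {@code peerHost}.
 *
 * @param peerHost upstream host name
 * @param peerPort upstream port
 * @return the configured engine
 * @throws MitmException if the engine cannot be created
 */
@Override
public SSLEngine serverSslEngine(String peerHost, int peerPort) {
    try {
        SSLEngine sslEngine = upstreamServerSslContext.get().newEngine(ByteBufAllocator.DEFAULT, peerHost, peerPort);

        // Hostname verification for the upstream certificate (endpoint identification is
        // distinct from SNI). Requires Java 7+.
        SSLParameters sslParams = sslEngine.getSSLParameters();
        sslParams.setEndpointIdentificationAlgorithm("HTTPS");
        sslEngine.setSSLParameters(sslParams);

        return sslEngine;
    } catch (RuntimeException e) {
        throw new MitmException("Error creating SSLEngine for connection to upstream server: " + peerHost + ":" + peerPort, e);
    }
}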
 
Example #24
Source File: PjedisPool.java    From pepper-metrics with Apache License 2.0 5 votes vote down vote up
/**
 * Creates a pool for {@code host:port} with every connection setting given explicitly;
 * the arguments are forwarded unchanged to a new {@code PjedisFactory}.
 */
public PjedisPool(
    final GenericObjectPoolConfig poolConfig,
    final String host,
    int port,
    final int connectionTimeout,
    final int soTimeout,
    final String password,
    final int database,
    final String clientName,
    final boolean ssl,
    final SSLSocketFactory sslSocketFactory,
    final SSLParameters sslParameters,
    final HostnameVerifier hostnameVerifier) {
  super(
      poolConfig,
      new PjedisFactory(
          host, port, connectionTimeout, soTimeout, password, database, clientName,
          ssl, sslSocketFactory, sslParameters, hostnameVerifier));
}
 
Example #25
Source File: Java8SslTestUtils.java    From netty-4.1.22 with Apache License 2.0 5 votes vote down vote up
/**
 * Installs a single SNI matcher on {@code parameters} that rejects every server name.
 * <p>
 * Type {@code 0} is the host_name name type, so a server applying these parameters will
 * turn down any SNI host_name it receives — useful for tests exercising the rejection path.
 *
 * @param parameters the parameters to modify in place
 */
static void setSNIMatcher(SSLParameters parameters) {
    // Matcher for name type 0 (host_name) that never accepts.
    final class RejectAllMatcher extends SNIMatcher {
        RejectAllMatcher() {
            super(0);
        }

        @Override
        public boolean matches(SNIServerName sniServerName) {
            return false;
        }
    }
    parameters.setSNIMatchers(Collections.<SNIMatcher>singleton(new RejectAllMatcher()));
}
 
Example #26
Source File: TracingJedisPool.java    From java-redis-client with Apache License 2.0 5 votes vote down vote up
/**
 * Creates a tracing-enabled pool for {@code host:port} using the superclass defaults for
 * timeout, password and database. Only {@code tracingConfiguration} is stored here.
 */
public TracingJedisPool(
    final GenericObjectPoolConfig poolConfig,
    final String host,
    final int port,
    final boolean ssl,
    final SSLSocketFactory sslSocketFactory,
    final SSLParameters sslParameters,
    final HostnameVerifier hostnameVerifier,
    TracingConfiguration tracingConfiguration) {
  super(poolConfig, host, port, ssl, sslSocketFactory, sslParameters, hostnameVerifier);
  this.tracingConfiguration = tracingConfiguration;
}
 
Example #27
Source File: SslUtils.java    From servicetalk with Apache License 2.0 5 votes vote down vote up
/**
 * Creates a new {@link SslHandler} that supports SNI and hostname verification when the
 * {@link InetSocketAddress} was created from a host name.
 *
 * @param context the {@link SslContext} used to create the {@link SslHandler}
 * @param allocator the {@link ByteBufAllocator} used to allocate direct memory for the
 * {@link SSLEngine} if required
 * @param hostnameVerificationAlgorithm see {@link SSLParameters#setEndpointIdentificationAlgorithm(String)}.
 * If this is {@code null} or empty the peer certificate is not checked against the host
 * name, leaving the connection open to an active man-in-the-middle.
 * @param hostnameVerificationHost the non-authoritative name of the host; {@code null}
 * yields a handler with neither SNI nor hostname verification
 * @param hostnameVerificationPort the non-authoritative port
 * @return a {@link SslHandler}
 */
static SslHandler newHandler(SslContext context, ByteBufAllocator allocator,
                             @Nullable String hostnameVerificationAlgorithm,
                             @Nullable String hostnameVerificationHost,
                             int hostnameVerificationPort) {
    if (hostnameVerificationHost == null) {
        // Nothing to verify against: plain handler.
        return newHandler(context, allocator);
    }

    SslHandler handler = context.newHandler(allocator, hostnameVerificationHost, hostnameVerificationPort);
    SSLEngine engine = handler.engine();
    try {
        SSLParameters parameters = engine.getSSLParameters();
        parameters.setEndpointIdentificationAlgorithm(hostnameVerificationAlgorithm);

        // RFC 6066 section 3: literal IPv4 and IPv6 addresses are not permitted in the SNI
        // HostName, so only a real host name is sent.
        boolean ipLiteral = NetUtil.isValidIpV4Address(hostnameVerificationHost)
                || NetUtil.isValidIpV6Address(hostnameVerificationHost);
        if (!ipLiteral) {
            parameters.setServerNames(Collections.singletonList(new SNIHostName(hostnameVerificationHost)));
        }
        engine.setSSLParameters(parameters);
    } catch (Throwable cause) {
        // Release in case the engine is reference-counted, then rethrow unchanged.
        ReferenceCountUtil.release(engine);
        throw cause;
    }
    return handler;
}
 
Example #28
Source File: SSLServerSocketImpl.java    From jdk8u-jdk with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Applies {@code params} to this server socket so that every subsequently accepted
 * connection inherits them.
 * <p>
 * The superclass handles the generic settings; the fields updated below are the ones it
 * does not propagate: endpoint identification algorithm, algorithm constraints, local
 * cipher-suite preference and SNI matchers. A {@code null} matcher collection leaves the
 * existing matchers untouched.
 *
 * @param params the parameters to apply
 */
@Override
public synchronized void setSSLParameters(SSLParameters params) {
    super.setSSLParameters(params);

    // Settings the super implementation does not carry over.
    identificationProtocol = params.getEndpointIdentificationAlgorithm();
    algorithmConstraints = params.getAlgorithmConstraints();
    preferLocalCipherSuites = params.getUseCipherSuitesOrder();

    Collection<SNIMatcher> matchers = params.getSNIMatchers();
    if (matchers != null) {
        sniMatchers = matchers;
    }
}
 
Example #29
Source File: NettySslFactory.java    From ambry with Apache License 2.0 5 votes vote down vote up
/**
 * Creates an {@link SSLEngine} for {@code peerHost:peerPort} from the client or server
 * Netty {@link SslContext} selected by {@code mode}.
 * <p>
 * Client engines additionally get {@code endpointIdentification} as their endpoint
 * identification algorithm so the server certificate is checked against {@code peerHost};
 * if that field is {@code null} or empty no such check happens. Server engines have no
 * peer name to verify and are returned as created.
 *
 * @param peerHost peer host hint (and verification target on the client side)
 * @param peerPort peer port hint
 * @param mode whether this side acts as client or server
 * @return the configured engine
 */
@Override
public SSLEngine createSSLEngine(String peerHost, int peerPort, Mode mode) {
  boolean clientSide = mode == Mode.CLIENT;
  SslContext context;
  if (clientSide) {
    context = nettyClientSslContext;
  } else {
    context = nettyServerSslContext;
  }
  SSLEngine engine = context.newEngine(ByteBufAllocator.DEFAULT, peerHost, peerPort);

  if (clientSide) {
    // Only the client verifies the peer's certificate name.
    SSLParameters params = engine.getSSLParameters();
    params.setEndpointIdentificationAlgorithm(endpointIdentification);
    engine.setSSLParameters(params);
  }
  return engine;
}
 
Example #30
Source File: PjedisPool.java    From pepper-metrics with Apache License 2.0 5 votes vote down vote up
/**
 * Creates a pool for {@code host:port} using the same value for connection and socket
 * timeout, the default database and no client name; delegates to the full constructor.
 */
public PjedisPool(
    final GenericObjectPoolConfig poolConfig,
    final String host,
    int port,
    int timeout,
    final String password,
    final boolean ssl,
    final SSLSocketFactory sslSocketFactory,
    final SSLParameters sslParameters,
    final HostnameVerifier hostnameVerifier) {
  // timeout serves as both connectionTimeout and soTimeout.
  this(
      poolConfig, host, port, timeout, password, Protocol.DEFAULT_DATABASE, null,
      ssl, sslSocketFactory, sslParameters, hostnameVerifier);
}