Java Code Examples for javax.net.ssl.SSLEngine.setSSLParameters()

The following are Jave code examples for showing how to use setSSLParameters() of the javax.net.ssl.SSLEngine class. You can vote up the examples you like. Your votes will be used in our system to get more good examples.
Example 1
Project: openjdk-jdk10   File: SSLEngineTestCase.java   Source Code and License Vote up 7 votes
/**
 * Returns client ssl engine.
 *
 * @param context - SSLContext to get SSLEngine from.
 * @param useSNI  - flag used to enable or disable using SNI extension.
 *                Needed for Kerberos.
 */
public static SSLEngine getClientSSLEngine(
        SSLContext context, boolean useSNI) {

    SSLEngine clientEngine = context.createSSLEngine(HOST, 80);
    clientEngine.setUseClientMode(true);
    if (useSNI) {
        SNIHostName serverName = new SNIHostName(SERVER_NAME);
        List<SNIServerName> serverNames = new ArrayList<>();
        serverNames.add(serverName);
        SSLParameters params = clientEngine.getSSLParameters();
        params.setServerNames(serverNames);
        clientEngine.setSSLParameters(params);
    }
    return clientEngine;
}
 
Example 2
Project: kafka-0.11.0.0-src-with-comment   File: SslFactory.java   Source Code and License Vote up 6 votes
public SSLEngine createSslEngine(String peerHost, int peerPort) {
    SSLEngine sslEngine = sslContext.createSSLEngine(peerHost, peerPort);
    if (cipherSuites != null) sslEngine.setEnabledCipherSuites(cipherSuites);
    if (enabledProtocols != null) sslEngine.setEnabledProtocols(enabledProtocols);

    // SSLParameters#setEndpointIdentificationAlgorithm enables endpoint validation
    // only in client mode. Hence, validation is enabled only for clients.
    if (mode == Mode.SERVER) {
        sslEngine.setUseClientMode(false);
        if (needClientAuth)
            sslEngine.setNeedClientAuth(needClientAuth);
        else
            sslEngine.setWantClientAuth(wantClientAuth);
    } else {
        sslEngine.setUseClientMode(true);
        SSLParameters sslParams = sslEngine.getSSLParameters();
        sslParams.setEndpointIdentificationAlgorithm(endpointIdentification);
        sslEngine.setSSLParameters(sslParams);
    }
    return sslEngine;
}
 
Example 3
Project: openjdk-jdk10   File: SSLEngineTestCase.java   Source Code and License Vote up 6 votes
/**
 * Returns server ssl engine.
 *
 * @param context - SSLContext to get SSLEngine from.
 * @param useSNI  - flag used to enable or disable using SNI extension.
 *                Needed for Kerberos.
 */
public static SSLEngine getServerSSLEngine(
        SSLContext context, boolean useSNI) {

    SSLEngine serverEngine = context.createSSLEngine();
    serverEngine.setUseClientMode(false);
    if (useSNI) {
        SNIMatcher matcher = SNIHostName.createSNIMatcher(SNI_PATTERN);
        List<SNIMatcher> matchers = new ArrayList<>();
        matchers.add(matcher);
        SSLParameters params = serverEngine.getSSLParameters();
        params.setSNIMatchers(matchers);
        serverEngine.setSSLParameters(params);
    }
    return serverEngine;
}
 
Example 4
Project: kafka-0.11.0.0-src-with-comment   File: SslTransportLayerTest.java   Source Code and License Vote up 5 votes
/**
 * According to RFC 2818:
 * <blockquote>Typically, the server has no external knowledge of what the client's
 * identity ought to be and so checks (other than that the client has a
 * certificate chain rooted in an appropriate CA) are not possible. If a
 * server has such knowledge (typically from some source external to
 * HTTP or TLS) it SHOULD check the identity as described above.</blockquote>
 *
 * However, Java SSL engine does not perform any endpoint validation for client IP address.
 * Hence it is safe to avoid reverse DNS lookup while creating the SSL engine. This test checks
 * that client validation does not fail even if the client certificate has an invalid hostname.
 * This test is to ensure that if client endpoint validation is added to Java in future, we can detect
 * and update Kafka SSL code to enable validation on the server-side and provide hostname if required.
 */
@Test
public void testClientEndpointNotValidated() throws Exception {
    String node = "0";

    // Create client certificate with an invalid hostname
    clientCertStores = new CertStores(false, "non-existent.com");
    serverCertStores = new CertStores(true, "localhost");
    sslServerConfigs = serverCertStores.getTrustingConfig(clientCertStores);
    sslClientConfigs = clientCertStores.getTrustingConfig(serverCertStores);

    // Create a server with endpoint validation enabled on the server SSL engine
    SslChannelBuilder serverChannelBuilder = new SslChannelBuilder(Mode.SERVER) {
        @Override
        protected SslTransportLayer buildTransportLayer(SslFactory sslFactory, String id, SelectionKey key, String host) throws IOException {
            SocketChannel socketChannel = (SocketChannel) key.channel();
            SSLEngine sslEngine = sslFactory.createSslEngine(host, socketChannel.socket().getPort());
            SSLParameters sslParams = sslEngine.getSSLParameters();
            sslParams.setEndpointIdentificationAlgorithm("HTTPS");
            sslEngine.setSSLParameters(sslParams);
            TestSslTransportLayer transportLayer = new TestSslTransportLayer(id, key, sslEngine, BUFFER_SIZE, BUFFER_SIZE, BUFFER_SIZE);
            transportLayer.startHandshake();
            return transportLayer;
        }
    };
    serverChannelBuilder.configure(sslServerConfigs);
    server = new NioEchoServer(ListenerName.forSecurityProtocol(SecurityProtocol.SSL), SecurityProtocol.SSL,
            new TestSecurityConfig(sslServerConfigs), "localhost", serverChannelBuilder);
    server.start();

    createSelector(sslClientConfigs);
    InetSocketAddress addr = new InetSocketAddress("localhost", server.port());
    selector.connect(node, addr, BUFFER_SIZE, BUFFER_SIZE);

    NetworkTestUtils.checkClientConnection(selector, node, 100, 10);
}
 
Example 5
Project: openjdk-jdk10   File: SSLEngineTestCase.java   Source Code and License Vote up 4 votes
/**
 * Does the handshake of the two specified engines according to the
 * {@code mode} specified.
 *
 * @param clientEngine          - Client SSLEngine.
 * @param serverEngine          - Server SSLEngine.
 * @param maxPacketSize         - Maximum packet size for MFLN of zero
 *                                for no limit.
 * @param mode                  - Handshake mode according to
 *                                {@link HandshakeMode} enum.
 * @param enableReplicatedPacks - Set {@code true} to enable replicated
 *                                packet sending.
 * @throws SSLException - thrown on engine errors.
 */
public static void doHandshake(SSLEngine clientEngine,
        SSLEngine serverEngine, int maxPacketSize,
        HandshakeMode mode,
        boolean enableReplicatedPacks) throws SSLException {

    System.out.println("=============================================");
    System.out.println("Starting handshake " + mode.name());
    int loop = 0;
    if (maxPacketSize < 0) {
        throw new Error("Test issue: maxPacketSize is less than zero!");
    }
    SSLParameters params = clientEngine.getSSLParameters();
    params.setMaximumPacketSize(maxPacketSize);
    clientEngine.setSSLParameters(params);
    params = serverEngine.getSSLParameters();
    params.setMaximumPacketSize(maxPacketSize);
    serverEngine.setSSLParameters(params);
    SSLEngine firstEngine;
    SSLEngine secondEngine;
    switch (mode) {
        case INITIAL_HANDSHAKE:
            firstEngine = clientEngine;
            secondEngine = serverEngine;
            doUnwrapForNotHandshakingStatus = false;
            clientEngine.beginHandshake();
            serverEngine.beginHandshake();
            break;
        case REHANDSHAKE_BEGIN_CLIENT:
            firstEngine = clientEngine;
            secondEngine = serverEngine;
            doUnwrapForNotHandshakingStatus = true;
            clientEngine.beginHandshake();
            break;
        case REHANDSHAKE_BEGIN_SERVER:
            firstEngine = serverEngine;
            secondEngine = clientEngine;
            doUnwrapForNotHandshakingStatus = true;
            serverEngine.beginHandshake();
            break;
        default:
            throw new Error("Test issue: unknown handshake mode");
    }
    endHandshakeLoop = false;
    while (!endHandshakeLoop) {
        if (++loop > MAX_HANDSHAKE_LOOPS) {
            throw new Error("Too much loops for handshaking");
        }
        System.out.println("============================================");
        System.out.println("Handshake loop " + loop + ": round 1");
        System.out.println("==========================");
        handshakeProcess(firstEngine, secondEngine, maxPacketSize,
                enableReplicatedPacks);
        if (endHandshakeLoop) {
            break;
        }
        System.out.println("Handshake loop " + loop + ": round 2");
        System.out.println("==========================");
        handshakeProcess(secondEngine, firstEngine, maxPacketSize,
                enableReplicatedPacks);
    }
}