Java Code Examples for javax.net.ssl.SSLSocket#getEnabledProtocols()

The following examples show how to use javax.net.ssl.SSLSocket#getEnabledProtocols().
Example 1
Source File: ConnectionSpec.java    From grpc-nebula-java with Apache License 2.0
/**
 * Returns {@code true} if the socket, as currently configured, supports this ConnectionSpec.
 * In order for a socket to be compatible the enabled cipher suites and protocols must intersect.
 *
 * <p>For cipher suites, at least one of the {@link #cipherSuites() required cipher suites} must
 * match the socket's enabled cipher suites. If there are no required cipher suites the socket
 * must have at least one cipher suite enabled.
 *
 * <p>For protocols, at least one of the {@link #tlsVersions() required protocols} must match the
 * socket's enabled protocols.
 */
public boolean isCompatible(SSLSocket socket) {
  // A spec whose tls flag is unset never matches an SSLSocket.
  if (!tls) {
    return false;
  }

  // Only protocols that are *enabled* on the socket count; a version the provider merely
  // supports but has switched off does not make the socket compatible.
  if (!nonEmptyIntersection(tlsVersions, socket.getEnabledProtocols())) {
    return false;
  }

  // This method only inspects the socket. It does not narrow the socket's configuration, so
  // a "true" result says an overlap exists, not that weaker suites have been disabled.
  String[] socketCipherSuites = socket.getEnabledCipherSuites();
  return cipherSuites == null
      ? socketCipherSuites.length > 0
      : nonEmptyIntersection(cipherSuites, socketCipherSuites);
}
 
Example 2
Source File: ConnectionSpec.java    From styT with Apache License 2.0
/**
 * Returns a copy of this that omits cipher suites and TLS versions not enabled by {@code
 * sslSocket}.
 */
private ConnectionSpec supportedSpec(SSLSocket sslSocket, boolean isFallback) {
  // A null list on this spec places no restriction of its own: the socket's currently
  // enabled values are used unchanged. Otherwise only the overlap is kept.
  String[] suitesToEnable;
  if (cipherSuites == null) {
    suitesToEnable = sslSocket.getEnabledCipherSuites();
  } else {
    suitesToEnable =
        intersect(CipherSuite.ORDER_BY_NAME, sslSocket.getEnabledCipherSuites(), cipherSuites);
  }

  String[] versionsToEnable;
  if (tlsVersions == null) {
    versionsToEnable = sslSocket.getEnabledProtocols();
  } else {
    versionsToEnable = intersect(Util.NATURAL_ORDER, sslSocket.getEnabledProtocols(), tlsVersions);
  }

  // In accordance with https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
  // the SCSV cipher is added to signal that a protocol fallback has taken place.
  // It is looked up in the *supported* suites because it is a signalling value and need not
  // be in the enabled list; it is appended only on a fallback attempt and only if present.
  String[] socketSupportedSuites = sslSocket.getSupportedCipherSuites();
  int scsvPosition =
      indexOf(CipherSuite.ORDER_BY_NAME, socketSupportedSuites, "TLS_FALLBACK_SCSV");
  boolean appendScsv = isFallback && scsvPosition != -1;
  if (appendScsv) {
    suitesToEnable = concat(suitesToEnable, socketSupportedSuites[scsvPosition]);
  }

  return new Builder(this).cipherSuites(suitesToEnable).tlsVersions(versionsToEnable).build();
}
 
Example 3
Source File: ConnectionSpec.java    From AndroidProjects with MIT License
/**
 * Returns a copy of this that omits cipher suites and TLS versions not enabled by {@code
 * sslSocket}.
 */
private ConnectionSpec supportedSpec(SSLSocket sslSocket, boolean isFallback) {
  // Start from what the socket has enabled; narrow to this spec's list when it has one.
  String[] negotiableSuites = (cipherSuites == null)
      ? sslSocket.getEnabledCipherSuites()
      : intersect(CipherSuite.ORDER_BY_NAME, sslSocket.getEnabledCipherSuites(), cipherSuites);
  String[] negotiableVersions = (tlsVersions == null)
      ? sslSocket.getEnabledProtocols()
      : intersect(Util.NATURAL_ORDER, sslSocket.getEnabledProtocols(), tlsVersions);

  // In accordance with https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
  // the SCSV cipher is added to signal that a protocol fallback has taken place.
  // If the socket does not list TLS_FALLBACK_SCSV as supported, the fallback attempt goes
  // out without the marker; nothing here reports that case to the caller.
  String[] allSupportedSuites = sslSocket.getSupportedCipherSuites();
  int fallbackMarkerIndex =
      indexOf(CipherSuite.ORDER_BY_NAME, allSupportedSuites, "TLS_FALLBACK_SCSV");
  if (isFallback) {
    if (fallbackMarkerIndex != -1) {
      negotiableSuites = concat(negotiableSuites, allSupportedSuites[fallbackMarkerIndex]);
    }
  }

  return new Builder(this)
      .cipherSuites(negotiableSuites)
      .tlsVersions(negotiableVersions)
      .build();
}
 
Example 4
Source File: SslRMIServerSocketFactorySecure.java    From hbase with Apache License 2.0
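/**
 * Creates a {@link ServerSocket} on {@code port} whose {@code accept()} wraps every accepted
 * connection in a server-mode {@link SSLSocket} with SSLv3 removed from the enabled protocols.
 *
 * <p>Client certificates are not requested ({@code setNeedClientAuth(false)}), so TLS here
 * authenticates the server only; callers needing client identity must establish it elsewhere.
 *
 * @param port the port to listen on
 * @return a server socket that hands out TLS-wrapped connections
 * @throws IOException if the listening socket cannot be created
 */
@Override
public ServerSocket createServerSocket(int port) throws IOException {
  return new ServerSocket(port) {
    @Override
    public Socket accept() throws IOException {
      Socket socket = super.accept();
      try {
        SSLSocketFactory sslSocketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // NOTE(review): getHostName() performs a reverse DNS lookup for every accepted
        // connection, which adds resolver latency to accept() and yields a peer-influenced
        // name. Confirm that the name is not used for any trust decision.
        SSLSocket sslSocket =
            (SSLSocket) sslSocketFactory.createSocket(socket,
              socket.getInetAddress().getHostName(), socket.getPort(), true);
        sslSocket.setUseClientMode(false);
        sslSocket.setNeedClientAuth(false);

        // Deny-list filter: only names containing "SSLv3" are dropped. Every other protocol
        // the provider enables by default stays enabled, so the effective minimum version
        // depends on the JVM's own configuration. An explicit allow-list of TLS versions
        // would make the policy independent of provider defaults.
        ArrayList<String> secureProtocols = new ArrayList<>();
        for (String p : sslSocket.getEnabledProtocols()) {
          if (!p.contains("SSLv3")) {
            secureProtocols.add(p);
          }
        }
        sslSocket.setEnabledProtocols(secureProtocols.toArray(new String[0]));

        return sslSocket;
      } catch (IOException | RuntimeException e) {
        // The accepted connection would otherwise stay open with no owner when the TLS
        // wrapping or protocol configuration fails; close it before propagating.
        try {
          socket.close();
        } catch (IOException closeFailure) {
          e.addSuppressed(closeFailure);
        }
        throw e;
      }
    }
  };
}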
 
Example 5
Source File: ConnectionSpec.java    From grpc-java with Apache License 2.0
/**
 * Returns {@code true} if the socket, as currently configured, supports this ConnectionSpec.
 * In order for a socket to be compatible the enabled cipher suites and protocols must intersect.
 *
 * <p>For cipher suites, at least one of the {@link #cipherSuites() required cipher suites} must
 * match the socket's enabled cipher suites. If there are no required cipher suites the socket
 * must have at least one cipher suite enabled.
 *
 * <p>For protocols, at least one of the {@link #tlsVersions() required protocols} must match the
 * socket's enabled protocols.
 */
public boolean isCompatible(SSLSocket socket) {
  if (tls) {
    // Compare against the socket's enabled protocols, not its supported ones: a version
    // that has been disabled on the socket must not count as a match.
    boolean protocolOverlap = nonEmptyIntersection(tlsVersions, socket.getEnabledProtocols());
    if (protocolOverlap) {
      String[] enabledOnSocket = socket.getEnabledCipherSuites();
      if (cipherSuites != null) {
        return nonEmptyIntersection(cipherSuites, enabledOnSocket);
      }
      // No required suites on this spec: any enabled suite at all is accepted, so suite
      // strength is decided entirely by the socket's configuration in this case.
      return enabledOnSocket.length > 0;
    }
  }
  return false;
}
 
Example 6
Source File: ConnectionSpec.java    From grpc-nebula-java with Apache License 2.0
/**
 * Returns a copy of this that omits cipher suites and TLS versions not enabled by
 * {@code sslSocket}.
 */
private ConnectionSpec supportedSpec(SSLSocket sslSocket, boolean isFallback) {
  // Remains null when this spec names no cipher suites and no fallback marker is appended;
  // the null is passed through to the Builder as-is.
  String[] suitesForSocket = null;
  if (cipherSuites != null) {
    suitesForSocket =
        Util.intersect(String.class, cipherSuites, sslSocket.getEnabledCipherSuites());
  }

  // In accordance with https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
  // the SCSV cipher is added to signal that a protocol fallback has taken place.
  // It is added only if the socket lists it as supported; otherwise the fallback attempt
  // proceeds without the marker.
  final String fallbackScsv = "TLS_FALLBACK_SCSV";
  if (isFallback
      && Arrays.asList(sslSocket.getSupportedCipherSuites()).contains(fallbackScsv)) {
    String[] baseSuites =
        suitesForSocket != null ? suitesForSocket : sslSocket.getEnabledCipherSuites();
    // Copy into an array one slot longer and put the marker in the final slot.
    String[] withMarker = Arrays.copyOf(baseSuites, baseSuites.length + 1);
    withMarker[baseSuites.length] = fallbackScsv;
    suitesForSocket = withMarker;
  }

  // Unlike the cipher suites, the protocol list is always intersected with this spec.
  String[] versionsForSocket =
      Util.intersect(String.class, tlsVersions, sslSocket.getEnabledProtocols());
  return new Builder(this).cipherSuites(suitesForSocket).tlsVersions(versionsForSocket).build();
}
 
Example 7
Source File: SSLSocketFactory.java    From Popeens-DSub with GNU General Public License v3.0
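/**
 * Returns the socket's enabled protocols with "SSLv3" removed, unless it is the only entry.
 *
 * @param sslSocket the socket whose enabled protocols are read; it is not modified here
 * @return the enabled protocol names, without "SSLv3" when at least two were enabled
 */
private String[] getProtocols(SSLSocket sslSocket) {
	String[] protocols = sslSocket.getEnabledProtocols();

	// Remove SSLv3 if it is not the only option
	// NOTE(review): when SSLv3 is the only enabled protocol it is returned unchanged, so a
	// caller applying this result can still negotiate SSLv3. Failing the connection in that
	// case would be the stricter policy; confirm whether the fallback is still wanted.
	if(protocols.length > 1) {
		// Typed copy (the original used a raw ArrayList); Arrays.asList alone is fixed-size
		// and would reject remove().
		List<String> protocolList = new ArrayList<String>(Arrays.asList(protocols));
		protocolList.remove("SSLv3");
		protocols = protocolList.toArray(new String[0]);
	}

	return protocols;
}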
 
Example 8
Source File: SSLSocketTest.java    From j2objc with Apache License 2.0
/**
 * Checks that {@code setEnabledProtocols} keeps its own copy of the array it is given:
 * changing the caller's array afterwards must not change what the socket reports.
 */
public void test_SSLSocket_setEnabledProtocols_storesCopy() throws Exception {
    SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
    SSLSocket socket = (SSLSocket) factory.createSocket();

    // Use a protocol the socket already has enabled so the setter accepts it.
    String firstEnabled = socket.getEnabledProtocols()[0];
    String[] callerOwned = {firstEnabled};
    socket.setEnabledProtocols(callerOwned);

    // Overwrite the caller's array; a socket that aliased it would now report this string.
    callerOwned[0] = "Modified after having been set";
    assertEquals(firstEnabled, socket.getEnabledProtocols()[0]);
}
 
Example 9
Source File: SslRMIClientSocketFactorySecure.java    From hbase with Apache License 2.0
/**
 * Creates the client socket through the superclass and removes every protocol whose name
 * contains "SSLv3" from its enabled protocols before returning it.
 *
 * @param host the host to connect to
 * @param port the port to connect to
 * @return the socket with SSLv3 disabled
 * @throws IOException if the superclass fails to create the socket
 */
@Override
public Socket createSocket(String host, int port) throws IOException {
  SSLSocket sslSocket = (SSLSocket) super.createSocket(host, port);

  // Deny-list filter: everything except SSLv3 that the provider enables by default stays
  // enabled, so the lowest version that can be negotiated depends on the JVM configuration.
  // NOTE(review): an explicit allow-list of TLS versions would pin the policy here.
  ArrayList<String> keptProtocols = new ArrayList<>();
  for (String protocol : sslSocket.getEnabledProtocols()) {
    if (protocol.contains("SSLv3")) {
      continue;
    }
    keptProtocols.add(protocol);
  }

  String[] keptArray = new String[keptProtocols.size()];
  sslSocket.setEnabledProtocols(keptProtocols.toArray(keptArray));
  return sslSocket;
}
 
Example 10
Source File: TileDownloader.java    From osmdroid with Apache License 2.0
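/**
 * Removes "SSLv3" from the socket's enabled protocols and enables "TLSv1.2" when the socket
 * supports it but does not have it enabled.
 *
 * <p>Protocol names are located with a linear scan. The arrays returned by
 * {@code getSupportedProtocols()} and {@code getEnabledProtocols()} carry no ordering
 * guarantee, and {@code Arrays.binarySearch} on an unsorted array has undefined results, so
 * a binary search could miss an enabled "SSLv3" (leaving it on) or add "TLSv1.2" twice.
 *
 * @param socket the socket to reconfigure
 * @return the same socket instance, after its enabled protocols were updated
 */
private SSLSocket upgradeTlsAndRemoveSsl(SSLSocket socket) {
    String[] supportedProtocols = socket.getSupportedProtocols();
    String[] enabledProtocols = socket.getEnabledProtocols();

    boolean addTls12 = indexOfProtocol(supportedProtocols, "TLSv1.2") >= 0
            && indexOfProtocol(enabledProtocols, "TLSv1.2") < 0;

    // One spare slot for the TLSv1.2 entry that may be appended; trimmed below.
    String[] newEnabledProtocols = new String[enabledProtocols.length + 1];
    int count = 0;
    for (String protocol : enabledProtocols) {
        if (!"SSLv3".equals(protocol)) {
            newEnabledProtocols[count++] = protocol;
        }
    }
    if (addTls12) {
        newEnabledProtocols[count++] = "TLSv1.2";
    }

    // NOTE(review): if SSLv3 was the only enabled protocol and TLSv1.2 is unsupported, the
    // array passed here is empty, as it was in the original code; how the provider treats
    // an empty list is not visible from this method.
    socket.setEnabledProtocols(Arrays.copyOf(newEnabledProtocols, count));
    return socket;
}

/** Returns the index of {@code name} in {@code protocols}, or -1 if it is not present. */
private static int indexOfProtocol(String[] protocols, String name) {
    for (int i = 0; i < protocols.length; i++) {
        if (name.equals(protocols[i])) {
            return i;
        }
    }
    return -1;
}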
 
Example 11
Source File: ConnectionSpec.java    From grpc-java with Apache License 2.0
/**
 * Returns a copy of this that omits cipher suites and TLS versions not enabled by
 * {@code sslSocket}.
 */
private ConnectionSpec supportedSpec(SSLSocket sslSocket, boolean isFallback) {
  // Cipher suites: narrowed to the overlap with the socket only when this spec lists any;
  // otherwise left null unless the fallback marker has to be appended below.
  String[] chosenSuites =
      (cipherSuites == null)
          ? null
          : Util.intersect(String.class, cipherSuites, sslSocket.getEnabledCipherSuites());

  if (isFallback) {
    // In accordance with https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
    // the SCSV cipher is added to signal that a protocol fallback has taken place.
    final String fallbackScsv = "TLS_FALLBACK_SCSV";
    boolean markerAvailable =
        Arrays.asList(sslSocket.getSupportedCipherSuites()).contains(fallbackScsv);

    // A socket that does not list the marker as supported retries without it.
    if (markerAvailable) {
      String[] previousSuites =
          (chosenSuites == null) ? sslSocket.getEnabledCipherSuites() : chosenSuites;
      int previousLength = previousSuites.length;
      // Grow by one and place the marker last, after the real cipher suites.
      String[] extendedSuites = Arrays.copyOf(previousSuites, previousLength + 1);
      extendedSuites[previousLength] = fallbackScsv;
      chosenSuites = extendedSuites;
    }
  }

  // Protocols: always the overlap of this spec's versions and the socket's enabled ones.
  String[] chosenVersions =
      Util.intersect(String.class, tlsVersions, sslSocket.getEnabledProtocols());
  return new Builder(this)
      .cipherSuites(chosenSuites)
      .tlsVersions(chosenVersions)
      .build();
}