Java Code Examples for org.eclipse.jetty.util.ssl.SslContextFactory#setExcludeCipherSuites()
The following examples show how to use
org.eclipse.jetty.util.ssl.SslContextFactory#setExcludeCipherSuites().
Example 1
Source File: InjectionModule.java From ja-micro with Apache License 2.0 | 6 votes |
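/**
 * Builds and starts the shared Jetty {@link HttpClient} used for outbound calls.
 *
 * <p>TLS is enabled through a default {@link SslContextFactory}. The original code cleared
 * Jetty's cipher-suite exclusion list entirely ({@code setExcludeCipherSuites("")}) in order to
 * re-enable RSA key-exchange suites, which also dropped every other built-in exclusion. Here only
 * the exclusion pattern(s) mentioning RSA are removed, so the remaining defaults stay in force.
 *
 * @return the client; if {@code start()} fails the error is logged and the unstarted client is
 *         still returned, so callers should expect request failures in that case
 */
private HttpClient createHttpClient() {
    // Allow ssl by default
    SslContextFactory sslContextFactory = new SslContextFactory();
    // NOTE(review): no endpoint identification algorithm is set on this client factory, so whether
    // server hostnames are verified depends on the Jetty version's default — confirm.

    // Don't exclude RSA because Sixt needs them — but keep the rest of Jetty's default exclusions.
    String[] defaultExcludes = sslContextFactory.getExcludeCipherSuites();
    String[] kept = new String[defaultExcludes.length];
    int keptCount = 0;
    for (String pattern : defaultExcludes) {
        if (!pattern.contains("RSA")) {
            kept[keptCount++] = pattern;
        }
    }
    sslContextFactory.setExcludeCipherSuites(java.util.Arrays.copyOf(kept, keptCount));

    HttpClient client = new HttpClient(sslContextFactory);
    client.setFollowRedirects(false);
    client.setMaxConnectionsPerDestination(16);
    client.setRequestBufferSize(65536);
    client.setConnectTimeout(FeatureFlags.getHttpConnectTimeout(serviceProperties));
    client.setAddressResolutionTimeout(FeatureFlags.getHttpAddressResolutionTimeout(serviceProperties));
    // You can set more restrictive timeouts per request, but not less, so
    // we set the maximum timeout of 1 hour here.
    client.setIdleTimeout(60 * 60 * 1000);
    try {
        client.start();
    } catch (Exception e) {
        // Deliberately best-effort: the failure is logged and the unstarted client is returned.
        logger.error("Error building http client", e);
    }
    return client;
}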
Example 2
Source File: ServiceImpersonatorLoadBalancer.java From ja-micro with Apache License 2.0 | 6 votes |
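/**
 * Builds and starts the small Jetty {@link HttpClient} used by this load balancer.
 *
 * <p>The original code cleared Jetty's cipher-suite exclusion list
 * ({@code setExcludeCipherSuites("")}), which re-enabled every suite the JVM offers. ja-micro
 * needs RSA key-exchange suites (InjectionModule states this explicitly; presumably the same
 * reason applies here), so only the exclusion pattern(s) mentioning RSA are dropped and the
 * remaining built-in exclusions are kept.
 *
 * @return the client; if {@code start()} fails the error is logged and the unstarted client is
 *         still returned
 */
private HttpClient createHttpClient() {
    SslContextFactory sslContextFactory = new SslContextFactory();
    // Keep Jetty's default exclusions except the pattern(s) mentioning RSA.
    String[] defaultExcludes = sslContextFactory.getExcludeCipherSuites();
    String[] kept = new String[defaultExcludes.length];
    int keptCount = 0;
    for (String pattern : defaultExcludes) {
        if (!pattern.contains("RSA")) {
            kept[keptCount++] = pattern;
        }
    }
    sslContextFactory.setExcludeCipherSuites(java.util.Arrays.copyOf(kept, keptCount));

    HttpClient client = new HttpClient(sslContextFactory);
    client.setFollowRedirects(false);
    client.setMaxConnectionsPerDestination(2);
    // You can set more restrictive timeouts per request, but not less, so
    // we set the maximum timeout of 1 hour here.
    client.setIdleTimeout(60 * 60 * 1000);
    try {
        client.start();
    } catch (Exception e) {
        // Deliberately best-effort: the failure is logged and the unstarted client is returned.
        logger.error("Error building http client", e);
    }
    return client;
}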
Example 3
Source File: App.java From mysql_perf_analyzer with Apache License 2.0 | 6 votes |
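/**
 * Creates the HTTPS connector used when TLS is enabled.
 *
 * <p>Key material comes from the configured certificate key store. Weak cipher suites are
 * excluded <em>in addition to</em> Jetty's built-in exclusions ({@code addExcludeCipherSuites};
 * {@code setExcludeCipherSuites} would replace the defaults), mirroring the additive
 * {@code addExcludeProtocols} call below. Every protocol older than TLSv1.2 is disabled.
 *
 * <p>The connector is not added to {@code jettyServer} by this method.
 *
 * @return a {@link ServerConnector} listening on {@link #getPort()}
 */
private ServerConnector sslConnector() {
    HttpConfiguration httpConfig = new HttpConfiguration();
    httpConfig.setSecureScheme("https");
    httpConfig.setSecurePort(this.getPort());

    HttpConfiguration httpsConfig = new HttpConfiguration(httpConfig);
    httpsConfig.addCustomizer(new SecureRequestCustomizer());

    SslContextFactory sslContextFactory = new SslContextFactory(this.getCertKeyStorePath());
    sslContextFactory.setKeyStorePassword(this.getCertKeyStorePassword());
    // Exclude suites with MD5/SHA-1 MACs on top of Jetty's default exclusion list.
    sslContextFactory.addExcludeCipherSuites("^.*_(MD5|SHA|SHA1)$");
    // Only TLSv1.2 (and anything newer the JVM offers) remains enabled.
    sslContextFactory.addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1");

    ServerConnector connector = new ServerConnector(jettyServer,
            new SslConnectionFactory(sslContextFactory, "http/1.1"),
            new HttpConnectionFactory(httpsConfig));
    connector.setPort(this.getPort());
    connector.setIdleTimeout(50000);
    return connector;
}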
Example 4
Source File: WebClientFactoryImpl.java From smarthome with Eclipse Public License 2.0 | 6 votes |
/**
 * Builds a client-side {@link SslContextFactory} backed by the {@code extensibleTrustManager}.
 *
 * <p>Hostname verification is switched on through the "HTTPS" endpoint identification
 * algorithm. When a trust manager is configured, a fresh TLS {@link SSLContext} is initialised
 * with it (no key managers, default secure random) and installed on the factory. Finally the
 * cipher-suite exclusion list is replaced by a single MD5 pattern; note that this replaces
 * Jetty's default exclusions rather than extending them.
 *
 * @return the configured factory
 * @throws HttpClientInitializationException if the TLS context cannot be created
 */
private SslContextFactory createSslContextFactoryFromExtensibleTrustManager() {
    SslContextFactory factory = new SslContextFactory();
    // Verify the server hostname against its certificate.
    factory.setEndpointIdentificationAlgorithm("HTTPS");

    if (extensibleTrustManager != null) {
        try {
            logger.debug("Setting up SSLContext for {}", extensibleTrustManager);
            SSLContext context = SSLContext.getInstance("TLS");
            // No key managers (no client certificate) and the platform default SecureRandom.
            context.init(null, new TrustManager[] { extensibleTrustManager }, null);
            factory.setSslContext(context);
        } catch (NoSuchAlgorithmException | KeyManagementException cause) {
            throw new HttpClientInitializationException("Cannot create an TLS context!", cause);
        }
    }

    // Replaces (does not extend) Jetty's default cipher-suite exclusion list.
    factory.setExcludeCipherSuites("^.*_(MD5)$");
    return factory;
}
Example 5
Source File: WebClientFactoryImpl.java From smarthome with Eclipse Public License 2.0 | 6 votes |
/**
 * Builds a client-side {@link SslContextFactory} using the trust managers that
 * {@code trustmanagerProvider} supplies for {@code endpoint} (certificate pinning).
 *
 * <p>Hostname verification is switched on through the "HTTPS" endpoint identification
 * algorithm. If both an endpoint and a provider are present and the provider yields at least
 * one trust manager, a TLS {@link SSLContext} is initialised with those managers (no key
 * managers, default secure random) and installed on the factory. The cipher-suite exclusion
 * list is then replaced by a single MD5 pattern, which replaces Jetty's default exclusions.
 *
 * @param endpoint the endpoint to look up trust managers for; {@code null} skips pinning
 * @return the configured factory
 * @throws HttpClientInitializationException if the TLS context cannot be created
 * @deprecated superseded by the extensible-trust-manager based factory in this class
 */
@Deprecated
private SslContextFactory createSslContextFactoryFromTrustManagerProvider(@Nullable String endpoint) {
    SslContextFactory factory = new SslContextFactory();
    // Verify the server hostname against its certificate.
    factory.setEndpointIdentificationAlgorithm("HTTPS");

    boolean pinningPossible = endpoint != null && trustmanagerProvider != null;
    if (pinningPossible) {
        TrustManager[] pinned = trustmanagerProvider.getTrustManagers(endpoint).toArray(TrustManager[]::new);
        if (pinned.length > 0) {
            logger.debug("using custom trustmanagers (certificate pinning) for httpClient for endpoint {}", endpoint);
            try {
                SSLContext context = SSLContext.getInstance("TLS");
                // No key managers (no client certificate) and the platform default SecureRandom.
                context.init(null, pinned, null);
                factory.setSslContext(context);
            } catch (NoSuchAlgorithmException | KeyManagementException cause) {
                throw new HttpClientInitializationException(
                        "Cannot create an TLS context for the endpoint '" + endpoint + "'!", cause);
            }
        }
    }

    // Replaces (does not extend) Jetty's default cipher-suite exclusion list.
    factory.setExcludeCipherSuites("^.*_(MD5)$");
    return factory;
}
Example 6
Source File: SecureEmbeddedServer.java From atlas with Apache License 2.0 | 4 votes |
/**
 * Creates the HTTPS {@link ServerConnector} for the embedded server and registers it with
 * {@code server}.
 *
 * <p>Key/trust store paths fall back from the Atlas configuration to system properties and then
 * to the built-in default locations; passwords go through {@code getPassword} (defined elsewhere
 * in this class). Client certificates are requested but not required ({@code setWantClientAuth}),
 * TLS renegotiation is disabled, and the excluded cipher suites and protocols come from
 * configuration with built-in defaults.
 *
 * <p>If {@code getSSLContext()} returns a context it is installed as the JVM-wide default, which
 * affects every JSSE consumer in this process, not only this connector.
 *
 * @param host not used here; the connector is bound by port only
 * @param port the port the connector listens on and advertises as the secure port
 * @return the connector that was added to {@code server}
 * @throws IOException declared for the configuration/context lookups
 */
@Override
protected Connector getConnector(String host, int port) throws IOException {
    org.apache.commons.configuration.Configuration config = getConfiguration();

    SSLContext sslContext = getSSLContext();
    if (sslContext != null) {
        // Process-wide side effect: every JSSE consumer now defaults to this context.
        SSLContext.setDefault(sslContext);
    }

    SslContextFactory factory = new SslContextFactory();
    factory.setKeyStorePath(config.getString(KEYSTORE_FILE_KEY,
            System.getProperty(KEYSTORE_FILE_KEY, DEFAULT_KEYSTORE_FILE_LOCATION)));
    factory.setKeyStorePassword(getPassword(config, KEYSTORE_PASSWORD_KEY));
    factory.setKeyManagerPassword(getPassword(config, SERVER_CERT_PASSWORD_KEY));
    factory.setTrustStorePath(config.getString(TRUSTSTORE_FILE_KEY,
            System.getProperty(TRUSTSTORE_FILE_KEY, DEFATULT_TRUSTORE_FILE_LOCATION)));
    factory.setTrustStorePassword(getPassword(config, TRUSTSTORE_PASSWORD_KEY));
    // "want" rather than "need": a client certificate is requested, but its absence is not an error.
    factory.setWantClientAuth(config.getBoolean(CLIENT_AUTH_KEY, Boolean.getBoolean(CLIENT_AUTH_KEY)));

    List<Object> excludedSuites = config.getList(ATLAS_SSL_EXCLUDE_CIPHER_SUITES, DEFAULT_CIPHER_SUITES);
    factory.setExcludeCipherSuites(excludedSuites.toArray(new String[0]));
    factory.setRenegotiationAllowed(false);

    String[] excludedProtocols = DEFAULT_EXCLUDE_PROTOCOLS;
    if (config.containsKey(ATLAS_SSL_EXCLUDE_PROTOCOLS)) {
        excludedProtocols = config.getStringArray(ATLAS_SSL_EXCLUDE_PROTOCOLS);
    }
    if (excludedProtocols != null && excludedProtocols.length > 0) {
        factory.addExcludeProtocols(excludedProtocols);
    }

    // HTTP configuration for the secure connector
    final int headerBufferSize = AtlasConfiguration.WEBSERVER_REQUEST_BUFFER_SIZE.getInt();
    HttpConfiguration httpConfig = new HttpConfiguration();
    httpConfig.setSecureScheme("https");
    httpConfig.setSecurePort(port);
    httpConfig.setRequestHeaderSize(headerBufferSize);
    httpConfig.setResponseHeaderSize(headerBufferSize);
    // Advertises the Jetty version in the Server header — a disclosure worth weighing.
    httpConfig.setSendServerVersion(true);
    httpConfig.setSendDateHeader(false);

    HttpConfiguration httpsConfig = new HttpConfiguration(httpConfig);
    httpsConfig.addCustomizer(new SecureRequestCustomizer());

    // SSL connector
    ServerConnector sslConnector = new ServerConnector(server,
            new SslConnectionFactory(factory, HttpVersion.HTTP_1_1.asString()),
            new HttpConnectionFactory(httpsConfig));
    sslConnector.setPort(port);
    server.addConnector(sslConnector);
    return sslConnector;
}
Example 7
Source File: SslContextFactoryUtils.java From vespa with Apache License 2.0 | 4 votes |
/**
 * Restricts {@code factory} to the cipher suites in {@code enabledCiphers}.
 *
 * <p>The enabled list becomes the factory's include list; the exclude list is produced by
 * {@code createExclusionList} (defined elsewhere in this class) from the enabled list and the
 * suites {@code sslContext} reports as supported — presumably everything supported but not
 * enabled; confirm against that helper.
 *
 * @param factory        the Jetty factory to configure; mutated in place
 * @param sslContext     source of the supported cipher-suite list
 * @param enabledCiphers the suites that should remain usable
 */
static void setEnabledCipherSuites(SslContextFactory factory, SSLContext sslContext, List<String> enabledCiphers) {
    String[] supported = sslContext.getSupportedSSLParameters().getCipherSuites();
    String[] included = enabledCiphers.toArray(String[]::new);
    factory.setIncludeCipherSuites(included);
    factory.setExcludeCipherSuites(createExclusionList(enabledCiphers, supported));
}
Example 8
Source File: ZTSUtils.java From athenz with Apache License 2.0 | 4 votes |
/**
 * Builds the server-side {@link SslContextFactory} from ZTS system properties.
 *
 * <p>Key store and trust store locations, types (default {@code PKCS12}), passwords and the
 * excluded cipher-suite / protocol lists are all read from system properties named by
 * {@link ZTSConsts}. Passwords pass through {@code getApplicationSecret} (defined elsewhere in
 * this class) together with an optional application name before being handed to Jetty, so they
 * may be resolved via {@code privateKeyStore} rather than used verbatim — confirm against that
 * helper. Excluded suites and protocols are comma-separated property values.
 *
 * @param clientProtocols protocols to include on the factory, or {@code null} to leave Jetty's
 *                        default include list untouched
 * @param privateKeyStore store consulted by {@code getApplicationSecret} when resolving passwords
 * @return the configured factory (not started)
 */
public static SslContextFactory createSSLContextObject(final String[] clientProtocols, final PrivateKeyStore privateKeyStore) {
    // Read every setting up front so the configuration sources are visible in one place.
    String ksPath = System.getProperty(ZTSConsts.ZTS_PROP_KEYSTORE_PATH);
    String ksPasswordAppName = System.getProperty(ZTSConsts.ZTS_PROP_KEYSTORE_PASSWORD_APPNAME);
    String ksPassword = System.getProperty(ZTSConsts.ZTS_PROP_KEYSTORE_PASSWORD);
    String ksType = System.getProperty(ZTSConsts.ZTS_PROP_KEYSTORE_TYPE, "PKCS12");
    String kmPassword = System.getProperty(ZTSConsts.ZTS_PROP_KEYMANAGER_PASSWORD);
    String kmPasswordAppName = System.getProperty(ZTSConsts.ZTS_PROP_KEYMANAGER_PASSWORD_APPNAME);
    String tsPath = System.getProperty(ZTSConsts.ZTS_PROP_TRUSTSTORE_PATH);
    String tsPassword = System.getProperty(ZTSConsts.ZTS_PROP_TRUSTSTORE_PASSWORD);
    String tsPasswordAppName = System.getProperty(ZTSConsts.ZTS_PROP_TRUSTSTORE_PASSWORD_APPNAME);
    String tsType = System.getProperty(ZTSConsts.ZTS_PROP_TRUSTSTORE_TYPE, "PKCS12");
    String excludedSuites = System.getProperty(ZTSConsts.ZTS_PROP_EXCLUDED_CIPHER_SUITES, ZTS_DEFAULT_EXCLUDED_CIPHER_SUITES);
    String excludedProtos = System.getProperty(ZTSConsts.ZTS_PROP_EXCLUDED_PROTOCOLS, ZTS_DEFAULT_EXCLUDED_PROTOCOLS);
    boolean wantClientAuth = Boolean.parseBoolean(System.getProperty(ZTSConsts.ZTS_PROP_WANT_CLIENT_CERT, "false"));

    SslContextFactory factory = new SslContextFactory();

    // --- key store (server identity) ---
    if (ksPath != null) {
        LOGGER.info("createSSLContextObject: using SSL KeyStore path: " + ksPath);
        factory.setKeyStorePath(ksPath);
    }
    if (ksPassword != null) {
        factory.setKeyStorePassword(getApplicationSecret(privateKeyStore, ksPasswordAppName, ksPassword));
    }
    factory.setKeyStoreType(ksType);
    if (kmPassword != null) {
        factory.setKeyManagerPassword(getApplicationSecret(privateKeyStore, kmPasswordAppName, kmPassword));
    }

    // --- trust store (peer verification) ---
    if (tsPath != null) {
        LOGGER.info("createSSLContextObject: using SSL TrustStore path: " + tsPath);
        factory.setTrustStorePath(tsPath);
    }
    if (tsPassword != null) {
        factory.setTrustStorePassword(getApplicationSecret(privateKeyStore, tsPasswordAppName, tsPassword));
    }
    factory.setTrustStoreType(tsType);

    // --- cipher suites, protocols, client auth ---
    // Both lists are comma-separated; an empty property value yields a single "" entry.
    factory.setExcludeCipherSuites(excludedSuites.split(","));
    factory.setExcludeProtocols(excludedProtos.split(","));
    // "want" rather than "need": a client certificate is requested, but its absence is not an error.
    factory.setWantClientAuth(wantClientAuth);
    if (clientProtocols != null) {
        factory.setIncludeProtocols(clientProtocols);
    }
    return factory;
}
Example 9
Source File: SecureEmbeddedServer.java From incubator-atlas with Apache License 2.0 | 4 votes |
/**
 * Creates the HTTPS {@link ServerConnector} for the embedded server and registers it with
 * {@code server}.
 *
 * <p>Key/trust store paths fall back from the Atlas configuration to system properties and then
 * to the built-in default locations; passwords go through {@code getPassword} (defined elsewhere
 * in this class). Client certificates are requested but not required ({@code setWantClientAuth}),
 * TLS renegotiation is disabled, and the excluded cipher suites and protocols come from
 * configuration with built-in defaults.
 *
 * @param port the port the connector listens on and advertises as the secure port
 * @return the connector that was added to {@code server}
 * @throws IOException declared for the configuration lookups
 */
protected Connector getConnector(int port) throws IOException {
    org.apache.commons.configuration.Configuration config = getConfiguration();

    SslContextFactory factory = new SslContextFactory();
    factory.setKeyStorePath(config.getString(KEYSTORE_FILE_KEY,
            System.getProperty(KEYSTORE_FILE_KEY, DEFAULT_KEYSTORE_FILE_LOCATION)));
    factory.setKeyStorePassword(getPassword(config, KEYSTORE_PASSWORD_KEY));
    factory.setKeyManagerPassword(getPassword(config, SERVER_CERT_PASSWORD_KEY));
    factory.setTrustStorePath(config.getString(TRUSTSTORE_FILE_KEY,
            System.getProperty(TRUSTSTORE_FILE_KEY, DEFATULT_TRUSTORE_FILE_LOCATION)));
    factory.setTrustStorePassword(getPassword(config, TRUSTSTORE_PASSWORD_KEY));
    // "want" rather than "need": a client certificate is requested, but its absence is not an error.
    factory.setWantClientAuth(config.getBoolean(CLIENT_AUTH_KEY, Boolean.getBoolean(CLIENT_AUTH_KEY)));

    List<Object> excludedSuites = config.getList(ATLAS_SSL_EXCLUDE_CIPHER_SUITES, DEFAULT_CIPHER_SUITES);
    factory.setExcludeCipherSuites(excludedSuites.toArray(new String[0]));
    factory.setRenegotiationAllowed(false);

    String[] excludedProtocols = DEFAULT_EXCLUDE_PROTOCOLS;
    if (config.containsKey(ATLAS_SSL_EXCLUDE_PROTOCOLS)) {
        excludedProtocols = config.getStringArray(ATLAS_SSL_EXCLUDE_PROTOCOLS);
    }
    if (excludedProtocols != null && excludedProtocols.length > 0) {
        factory.addExcludeProtocols(excludedProtocols);
    }

    // HTTP configuration for the secure connector
    final int headerBufferSize = AtlasConfiguration.WEBSERVER_REQUEST_BUFFER_SIZE.getInt();
    HttpConfiguration httpConfig = new HttpConfiguration();
    httpConfig.setSecureScheme("https");
    httpConfig.setSecurePort(port);
    httpConfig.setRequestHeaderSize(headerBufferSize);
    httpConfig.setResponseHeaderSize(headerBufferSize);
    // Advertises the Jetty version in the Server header — a disclosure worth weighing.
    httpConfig.setSendServerVersion(true);
    httpConfig.setSendDateHeader(false);

    HttpConfiguration httpsConfig = new HttpConfiguration(httpConfig);
    httpsConfig.addCustomizer(new SecureRequestCustomizer());

    // SSL connector
    ServerConnector sslConnector = new ServerConnector(server,
            new SslConnectionFactory(factory, HttpVersion.HTTP_1_1.asString()),
            new HttpConnectionFactory(httpsConfig));
    sslConnector.setPort(port);
    server.addConnector(sslConnector);
    return sslConnector;
}
Example 10
Source File: JettyHTTPServerEngine.java From cxf with Apache License 2.0 | 4 votes |
/**
 * Builds the JSSE {@link SSLContext} for this engine from {@code tlsServerParameters} and
 * mirrors the protocol and cipher-suite restrictions onto the Jetty factory {@code scf}.
 *
 * <p>Protocols: Jetty excludes SSLv3 by default. If the configured secure-socket protocol is
 * literally {@code "SSLv3"}, or any include-protocols are configured, the factory's exclude list
 * is rebuilt without those entries (and without {@code SSLv2Hello} in the SSLv3 case); every
 * explicitly excluded protocol is then added back. Re-enabling SSLv3 is a deliberate
 * compatibility path and weakens the connector — SSLv3 has known protocol-level flaws.
 *
 * <p>Cipher suites: the exclude list is only set when a cipher-suite filter with an exclude
 * section is configured; the include list is always computed by
 * {@code SSLUtils.getCiphersuitesToInclude}.
 *
 * @param scf the Jetty factory to update; it is mutated in place
 * @return the initialised context, using key managers possibly rewired for the configured
 *         certificate alias
 * @throws Exception checked JSSE failures such as {@code NoSuchAlgorithmException} or
 *                   {@code KeyManagementException}
 */
protected SSLContext createSSLContext(SslContextFactory scf) throws Exception {
    // Fall back to "TLS" when no explicit secure-socket protocol is configured.
    String proto = tlsServerParameters.getSecureSocketProtocol() == null
            ? "TLS" : tlsServerParameters.getSecureSocketProtocol();
    // Jetty 9 excludes SSLv3 by default. So if we want it then we need to
    // remove it from the default excluded protocols
    boolean allowSSLv3 = "SSLv3".equals(proto);
    if (allowSSLv3 || !tlsServerParameters.getIncludeProtocols().isEmpty()) {
        // Keep an excluded protocol only if it is neither explicitly included nor part of the
        // SSLv3 family when SSLv3 was requested.
        List<String> excludedProtocols = new ArrayList<>();
        for (String excludedProtocol : scf.getExcludeProtocols()) {
            if (!(tlsServerParameters.getIncludeProtocols().contains(excludedProtocol)
                    || (allowSSLv3 && ("SSLv3".equals(excludedProtocol) || "SSLv2Hello".equals(excludedProtocol))))) {
                excludedProtocols.add(excludedProtocol);
            }
        }
        String[] revisedProtocols = new String[excludedProtocols.size()];
        excludedProtocols.toArray(revisedProtocols);
        scf.setExcludeProtocols(revisedProtocols);
    }
    // Explicit exclusions always win; they are added back after the rebuild above.
    for (String p : tlsServerParameters.getExcludeProtocols()) {
        scf.addExcludeProtocols(p);
    }
    // detectProto (defined elsewhere in this class) maps the configured name to the JSSE
    // protocol string; an explicit JSSE provider is honoured when configured.
    SSLContext context = tlsServerParameters.getJsseProvider() == null
            ? SSLContext.getInstance(detectProto(proto, allowSSLv3))
            : SSLContext.getInstance(detectProto(proto, allowSSLv3), tlsServerParameters.getJsseProvider());
    KeyManager[] keyManagers = tlsServerParameters.getKeyManagers();
    KeyManager[] configuredKeyManagers = org.apache.cxf.transport.https.SSLUtils.configureKeyManagersWithCertAlias(
            tlsServerParameters, keyManagers);
    context.init(configuredKeyManagers, tlsServerParameters.getTrustManagers(), tlsServerParameters.getSecureRandom());
    // Set the CipherSuites
    final String[] supportedCipherSuites = SSLUtils.getServerSupportedCipherSuites(context);
    if (tlsServerParameters.getCipherSuitesFilter() != null
            && tlsServerParameters.getCipherSuitesFilter().isSetExclude()) {
        String[] excludedCipherSuites = SSLUtils.getFilteredCiphersuites(tlsServerParameters.getCipherSuitesFilter(),
                supportedCipherSuites, LOG, true);
        scf.setExcludeCipherSuites(excludedCipherSuites);
    }
    String[] includedCipherSuites = SSLUtils.getCiphersuitesToInclude(tlsServerParameters.getCipherSuites(),
            tlsServerParameters.getCipherSuitesFilter(), context.getServerSocketFactory().getDefaultCipherSuites(),
            supportedCipherSuites, LOG);
    scf.setIncludeCipherSuites(includedCipherSuites);
    return context;
}