/*
 * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */


package sun.security.ssl;

import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.ServerSocket;

import java.security.AlgorithmConstraints;

import java.util.*;

import javax.net.ServerSocketFactory;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLParameters;


/**
 * This class provides a simple way for servers to support conventional
 * use of the Secure Sockets Layer (SSL).  Application code uses an
 * SSLServerSocketImpl exactly like it uses a regular TCP ServerSocket; the
 * difference is that the connections established are secured using SSL.
 *
 * <P> Also, the constructors take an explicit authentication context
 * parameter, giving flexibility with respect to how the server socket
 * authenticates itself.  That policy flexibility is not exposed through
 * the standard SSLServerSocketFactory API.
 *
 * <P> System security defaults prevent server sockets from accepting
 * connections if the authentication context has not been given
 * a certificate chain and its matching private key.  If the clients
 * of your application support "anonymous" cipher suites, you may be
 * able to configure a server socket to accept those suites.
 *
 * @see SSLSocketImpl
 * @see SSLServerSocketFactoryImpl
 *
 * @author David Brownell
 */
final
class SSLServerSocketImpl extends SSLServerSocket
{
    private SSLContextImpl      sslContext;

    /* Do newly accepted connections require clients to authenticate? */
    private byte                doClientAuth = SSLEngineImpl.clauth_none;

    /* Do new connections created here use the "server" mode of SSL? */
    private boolean             useServerMode = true;

    /* Can new connections created establish new sessions? */
    private boolean             enableSessionCreation = true;

    /* what cipher suites to use by default */
    private CipherSuiteList     enabledCipherSuites = null;

    /* which protocol to use by default */
    private ProtocolList        enabledProtocols = null;

    /* could enabledCipherSuites ever complete handshaking? */
    private boolean             checkedEnabled = false;

    // the endpoint identification protocol to use by default
    private String              identificationProtocol = null;

    // The cryptographic algorithm constraints
    private AlgorithmConstraints    algorithmConstraints = null;

    /**
     * Create an SSL server socket on a port, using a non-default
     * authentication context and a specified connection backlog.
     *
     * @param port the port on which to listen
     * @param backlog how many connections may be pending before
     *          the system should start rejecting new requests
     * @param context authentication context for this server
     */
    SSLServerSocketImpl(int port, int backlog, SSLContextImpl context)
    throws IOException, SSLException
    {
        super(port, backlog);
        initServer(context);
    }


    /**
     * Create an SSL server socket on a port, using a specified
     * authentication context and a specified backlog of connections
     * as well as a particular specified network interface.  This
     * constructor is used on multihomed hosts, such as those used
     * for firewalls or as routers, to control through which interface
     * a network service is provided.
     *
     * @param port the port on which to listen
     * @param backlog how many connections may be pending before
     *          the system should start rejecting new requests
     * @param address the address of the network interface through
     *          which connections will be accepted
     * @param context authentication context for this server
     */
    SSLServerSocketImpl(
        int             port,
        int             backlog,
        InetAddress     address,
        SSLContextImpl  context)
        throws IOException
    {
        super(port, backlog, address);
        initServer(context);
    }


    /**
     * Creates an unbound server socket.
     */
    SSLServerSocketImpl(SSLContextImpl context) throws IOException {
        super();
        initServer(context);
    }


    /**
     * Initializes the server socket.
     */
    private void initServer(SSLContextImpl context) throws SSLException {
        if (context == null) {
            throw new SSLException("No Authentication context given");
        }
        sslContext = context;
        enabledCipherSuites = sslContext.getDefaultCipherSuiteList(true);
        enabledProtocols = sslContext.getDefaultProtocolList(true);
    }

    /**
     * Returns the names of the cipher suites which could be enabled for use
     * on an SSL connection.  Normally, only a subset of these will actually
     * be enabled by default, since this list may include cipher suites which
     * do not support the mutual authentication of servers and clients, or
     * which do not protect data confidentiality.  Servers may also need
     * certain kinds of certificates to use certain cipher suites.
     *
     * @return an array of cipher suite names
     */
    public String[] getSupportedCipherSuites() {
        return sslContext.getSupportedCipherSuiteList().toStringArray();
    }

    /**
     * Returns the list of cipher suites which are currently enabled
     * for use by newly accepted connections.  A null return indicates
     * that the system defaults are in effect.
     */
    synchronized public String[] getEnabledCipherSuites() {
        return enabledCipherSuites.toStringArray();
    }

    /**
     * Controls which particular SSL cipher suites are enabled for use
     * by accepted connections.
     *
     * @param suites Names of all the cipher suites to enable; null
     *  means to accept system defaults.
     */
    synchronized public void setEnabledCipherSuites(String[] suites) {
        enabledCipherSuites = new CipherSuiteList(suites);
        checkedEnabled = false;
    }

    public String[] getSupportedProtocols() {
        return sslContext.getSuportedProtocolList().toStringArray();
    }

    /**
     * Controls which protocols are enabled for use.
     * The protocols must have been listed by
     * getSupportedProtocols() as being supported.
     *
     * @param protocols protocols to enable.
     * @exception IllegalArgumentException when one of the protocols
     *  named by the parameter is not supported.
     */
    synchronized public void setEnabledProtocols(String[] protocols) {
        enabledProtocols = new ProtocolList(protocols);
    }

    synchronized public String[] getEnabledProtocols() {
        return enabledProtocols.toStringArray();
    }

    /**
     * Controls whether the connections which are accepted must include
     * client authentication.
     */
    public void setNeedClientAuth(boolean flag) {
        doClientAuth = (flag ?
            SSLEngineImpl.clauth_required : SSLEngineImpl.clauth_none);
    }

    public boolean getNeedClientAuth() {
        return (doClientAuth == SSLEngineImpl.clauth_required);
    }

    /**
     * Controls whether the connections which are accepted should request
     * client authentication.
     */
    public void setWantClientAuth(boolean flag) {
        doClientAuth = (flag ?
            SSLEngineImpl.clauth_requested : SSLEngineImpl.clauth_none);
    }

    public boolean getWantClientAuth() {
        return (doClientAuth == SSLEngineImpl.clauth_requested);
    }

    /**
     * Makes the returned sockets act in SSL "client" mode, not the usual
     * server mode.  The canonical example of why this is needed is for
     * FTP clients, which accept connections from servers and should be
     * rejoining the already-negotiated SSL connection.
     */
    public void setUseClientMode(boolean flag) {
        /*
         * If we need to change the socket mode and the enabled
         * protocols haven't specifically been set by the user,
         * change them to the corresponding default ones.
         */
        if (useServerMode != (!flag) &&
                sslContext.isDefaultProtocolList(enabledProtocols)) {
            enabledProtocols = sslContext.getDefaultProtocolList(!flag);
        }

        useServerMode = !flag;
    }

    public boolean getUseClientMode() {
        return !useServerMode;
    }


    /**
     * Controls whether new connections may cause creation of new SSL
     * sessions.
     */
    public void setEnableSessionCreation(boolean flag) {
        enableSessionCreation = flag;
    }

    /**
     * Returns true if new connections may cause creation of new SSL
     * sessions.
     */
    public boolean getEnableSessionCreation() {
        return enableSessionCreation;
    }

    /**
     * Returns the SSLParameters in effect for newly accepted connections.
     */
    synchronized public SSLParameters getSSLParameters() {
        SSLParameters params = super.getSSLParameters();

        // the super implementation does not handle the following parameters
        params.setEndpointIdentificationAlgorithm(identificationProtocol);
        params.setAlgorithmConstraints(algorithmConstraints);

        return params;
    }

    /**
     * Applies SSLParameters to newly accepted connections.
     */
    synchronized public void setSSLParameters(SSLParameters params) {
        super.setSSLParameters(params);

        // the super implementation does not handle the following parameters
        identificationProtocol = params.getEndpointIdentificationAlgorithm();
        algorithmConstraints = params.getAlgorithmConstraints();
    }

    /**
     * Accept a new SSL connection.  This server identifies itself with
     * information provided in the authentication context which was
     * presented during construction.
     */
    public Socket accept() throws IOException {
        SSLSocketImpl s = new SSLSocketImpl(sslContext, useServerMode,
            enabledCipherSuites, doClientAuth, enableSessionCreation,
            enabledProtocols, identificationProtocol, algorithmConstraints);

        implAccept(s);
        s.doneConnect();
        return s;
    }

    /**
     * Provides a brief description of this SSL socket.
     */
    public String toString() {
        return "[SSL: "+ super.toString() + "]";
    }
}
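The settings SSLServerSocketImpl carries into every accepted SSLSocketImpl (enabled protocols and cipher suites, the single doClientAuth mode, and the AlgorithmConstraints it stores alongside the SSLParameters) are what an application tightens from the public SSLServerSocket API. The following is an added example, not part of OpenJDK: a hypothetical HardenedServerSocketConfig helper that assumes an already initialised SSLContext holding the server's certificate chain and key, and that relies on the JSSE naming convention in which suites without server authentication contain "_anon_" and suites without encryption contain "_NULL_".

```java
import java.io.IOException;
import java.security.AlgorithmConstraints;
import java.security.AlgorithmParameters;
import java.security.CryptoPrimitive;
import java.security.Key;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Hypothetical helper (not OpenJDK code) that applies the server-side
 * settings SSLServerSocketImpl hands to each accepted socket: enabled
 * protocols, enabled cipher suites, client-auth mode and AlgorithmConstraints.
 */
public final class HardenedServerSocketConfig {

    /**
     * Keep only suites that authenticate the server and encrypt traffic.
     * The class Javadoc warns that getSupportedCipherSuites() also lists
     * suites without mutual authentication ("_anon_") or confidentiality
     * ("_NULL_"); weak legacy bulk ciphers and MD5 MACs are dropped as well.
     */
    static String[] selectCipherSuites(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String suite : supported) {
            if (suite.contains("_anon_") || suite.contains("_NULL_")) {
                continue;                       // no server auth / no encryption
            }
            if (suite.contains("_RC4_") || suite.contains("_DES_")
                    || suite.contains("_3DES_") || suite.endsWith("_MD5")) {
                continue;                       // weak legacy cipher or MAC
            }
            keep.add(suite);
        }
        return keep.toArray(new String[0]);
    }

    /**
     * AlgorithmConstraints rejecting MD5 and SHA-1 based signature
     * algorithms (e.g. "SHA1withRSA"); JSSE consults it for certificate
     * chains and TLS 1.2 signature algorithms, so client certificates
     * signed with SHA-1 will fail the handshake. Key-size policy is left
     * to the platform defaults (jdk.tls.disabledAlgorithms).
     */
    static final AlgorithmConstraints NO_WEAK_SIGNATURES = new AlgorithmConstraints() {
        private boolean weak(String algorithm) {
            String a = algorithm.toUpperCase();
            return a.contains("MD5") || a.contains("SHA1") || a.contains("SHA-1");
        }
        @Override public boolean permits(Set<CryptoPrimitive> p, String algorithm,
                                         AlgorithmParameters params) {
            return !weak(algorithm);
        }
        @Override public boolean permits(Set<CryptoPrimitive> p, Key key) {
            return true;
        }
        @Override public boolean permits(Set<CryptoPrimitive> p, String algorithm,
                                         Key key, AlgorithmParameters params) {
            return !weak(algorithm);
        }
    };

    /** Open a listening socket with the hardened settings applied. */
    static SSLServerSocket open(SSLContext ctx, int port) throws IOException {
        SSLServerSocketFactory f = ctx.getServerSocketFactory();
        SSLServerSocket ss = (SSLServerSocket) f.createServerSocket(port);

        ss.setEnabledProtocols(new String[] { "TLSv1.2" });
        ss.setEnabledCipherSuites(selectCipherSuites(ss.getSupportedCipherSuites()));

        // doClientAuth is one field: setWantClientAuth(true) after
        // setNeedClientAuth(true) would downgrade "required" to "requested",
        // so call exactly one of the two, and call it last.
        ss.setNeedClientAuth(true);

        // getSSLParameters() returns a copy that already reflects the calls
        // above; setSSLParameters() stores the constraints for accept().
        SSLParameters params = ss.getSSLParameters();
        params.setAlgorithmConstraints(NO_WEAK_SIGNATURES);
        ss.setSSLParameters(params);
        return ss;
    }
}
```

Because accept() snapshots these fields into the new SSLSocketImpl, settings changed on the server socket after a connection was accepted do not affect that connection, only later ones.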