Class TLSSocketFactory
- java.lang.Object
-
- net.shibboleth.utilities.java.support.httpclient.TLSSocketFactory
-
- All Implemented Interfaces:
ConnectionSocketFactory,LayeredConnectionSocketFactory
@ThreadSafe public class TLSSocketFactory extends Object implements LayeredConnectionSocketFactory
An implementation of HttpClientLayeredConnectionSocketFactorythat is a factory for TLS sockets.This class is functionally modeled on
SSLConnectionSocketFactory, but provides better support for subclassing, as well as specific additional features:- Factory hostname verifier defaults to
StrictHostnameVerifierrather thanBrowserCompatHostnameVerifier - Per-request specification of enabled TLS protocols and cipher suites via
HttpContextattributes. - Per-request specification of hostname verifier via
HttpContextattribute.
-
-
Field Summary
Fields Modifier and Type Field Description static X509HostnameVerifierALLOW_ALL_HOSTNAME_VERIFIERHostname verifier which passes all hostnames.static X509HostnameVerifierBROWSER_COMPATIBLE_HOSTNAME_VERIFIERHostname verifier which implements a policy similar to most browsers.static StringCONTEXT_KEY_HOSTNAME_VERIFIERHttpContext key for an instance ofX509HostnameVerifier.static StringCONTEXT_KEY_TLS_CIPHER_SUITESHttpContext key for a a list of TLS cipher suites to enable on the socket.static StringCONTEXT_KEY_TLS_PROTOCOLSHttpContext key for a a list of TLS protocols to enable on the socket.private X509HostnameVerifierhostnameVerifierHostname verifier.private LoggerlogLogger.private SSLSocketFactorysocketfactorySocket factory.static StringSSLProtocol: SSL.static StringSSLV2Protocol: SSLv2.static X509HostnameVerifierSTRICT_HOSTNAME_VERIFIERHostname verifier which implements a strict policy.private String[]supportedCipherSuitesFactory-wide supported cipher suites.private String[]supportedProtocolsFactory-wide supported protocols.static StringTLSProtocol: TLS.
-
Constructor Summary
Constructors Constructor Description TLSSocketFactory(SSLContext sslContext)Constructor.TLSSocketFactory(SSLContext sslContext, String[] protocols, String[] cipherSuites, X509HostnameVerifier verifier)Constructor.TLSSocketFactory(SSLContext sslContext, X509HostnameVerifier verifier)Constructor.TLSSocketFactory(SSLSocketFactory factory, String[] protocols, String[] cipherSuites, X509HostnameVerifier verifier)Constructor.TLSSocketFactory(SSLSocketFactory factory, X509HostnameVerifier verifier)Constructor.
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description SocketconnectSocket(int connectTimeout, Socket socket, HttpHost host, InetSocketAddress remoteAddress, InetSocketAddress localAddress, HttpContext context)SocketcreateLayeredSocket(Socket socket, String target, int port, HttpContext context)SocketcreateSocket(HttpContext context)protected X509HostnameVerifiergetHostnameVerifier()Get the configured hostname verifier.protected String[]getListAttribute(HttpContext context, String contextKey)protected SSLSocketFactorygetSocketfactory()Get the JSSE socket factory instance.protected String[]getSupportedCipherSuites()Get the configured factory-wide supported cipher suites.protected String[]getSupportedProtocols()Get the configured factory-wide supported protocols.private voidlogSocketInfo(SSLSocket socket)Log various diagnostic information from theSSLSocketandSSLSession.protected voidprepareSocket(SSLSocket socket, HttpContext context)Performs any custom initialization for a newly created SSLSocket (before the SSL handshake happens).protected voidverifyHostname(SSLSocket sslsock, String hostname, HttpContext context)Verify the peer's socket hostname against the supplied expected name.
-
-
-
Field Detail
-
CONTEXT_KEY_TLS_PROTOCOLS
@Nonnull @NotEmpty public static final String CONTEXT_KEY_TLS_PROTOCOLS
HttpContext key for a a list of TLS protocols to enable on the socket. Must be an instance ofList<String>.- See Also:
- Constant Field Values
-
CONTEXT_KEY_TLS_CIPHER_SUITES
@Nonnull @NotEmpty public static final String CONTEXT_KEY_TLS_CIPHER_SUITES
HttpContext key for a a list of TLS cipher suites to enable on the socket. Must be an instance ofList<String>.- See Also:
- Constant Field Values
-
CONTEXT_KEY_HOSTNAME_VERIFIER
@Nonnull @NotEmpty public static final String CONTEXT_KEY_HOSTNAME_VERIFIER
HttpContext key for an instance ofX509HostnameVerifier.- See Also:
- Constant Field Values
-
TLS
@Nonnull @NotEmpty public static final String TLS
Protocol: TLS.- See Also:
- Constant Field Values
-
SSL
@Nonnull @NotEmpty public static final String SSL
Protocol: SSL.- See Also:
- Constant Field Values
-
SSLV2
@Nonnull @NotEmpty public static final String SSLV2
Protocol: SSLv2.- See Also:
- Constant Field Values
-
ALLOW_ALL_HOSTNAME_VERIFIER
@Nonnull public static final X509HostnameVerifier ALLOW_ALL_HOSTNAME_VERIFIER
Hostname verifier which passes all hostnames.
-
BROWSER_COMPATIBLE_HOSTNAME_VERIFIER
@Nonnull public static final X509HostnameVerifier BROWSER_COMPATIBLE_HOSTNAME_VERIFIER
Hostname verifier which implements a policy similar to most browsers.
-
STRICT_HOSTNAME_VERIFIER
@Nonnull public static final X509HostnameVerifier STRICT_HOSTNAME_VERIFIER
Hostname verifier which implements a strict policy.
-
log
@Nonnull private final Logger log
Logger.
-
socketfactory
@Nonnull private final SSLSocketFactory socketfactory
Socket factory.
-
hostnameVerifier
@Nonnull private final X509HostnameVerifier hostnameVerifier
Hostname verifier.
-
supportedProtocols
private final String[] supportedProtocols
Factory-wide supported protocols.
-
supportedCipherSuites
private final String[] supportedCipherSuites
Factory-wide supported cipher suites.
-
-
Constructor Detail
-
TLSSocketFactory
public TLSSocketFactory(@Nonnull SSLContext sslContext)Constructor.- Parameters:
sslContext- the effective SSLContext instance
-
TLSSocketFactory
public TLSSocketFactory(@Nonnull SSLContext sslContext, @Nullable X509HostnameVerifier verifier)Constructor.- Parameters:
sslContext- the effective SSLContext instanceverifier- the effective hostname verifier
-
TLSSocketFactory
public TLSSocketFactory(@Nonnull SSLContext sslContext, @Nullable String[] protocols, @Nullable String[] cipherSuites, @Nullable X509HostnameVerifier verifier)Constructor.- Parameters:
sslContext- the effective SSLContext instanceprotocols- the factory-wide enabled TLS protocolscipherSuites- the factory-wide enabled TLS cipher suitesverifier- the effective hostname verifier
-
TLSSocketFactory
public TLSSocketFactory(@Nonnull SSLSocketFactory factory, @Nullable X509HostnameVerifier verifier)Constructor.- Parameters:
factory- the effective SSL socket factoryverifier- the effective hostname verifier
-
TLSSocketFactory
public TLSSocketFactory(@Nonnull SSLSocketFactory factory, @Nullable String[] protocols, @Nullable String[] cipherSuites, @Nullable X509HostnameVerifier verifier)Constructor.- Parameters:
factory- the effective SSL socket factoryprotocols- the factory-wide enabled TLS protocolscipherSuites- the factory-wide enabled TLS cipher suitesverifier- the effective hostname verifier
-
-
Method Detail
-
getSocketfactory
@Nonnull protected SSLSocketFactory getSocketfactory()
Get the JSSE socket factory instance.- Returns:
- the socket factory
-
getHostnameVerifier
@Nonnull protected X509HostnameVerifier getHostnameVerifier()
Get the configured hostname verifier.- Returns:
- the hostname verifier
-
getSupportedProtocols
@Nullable protected String[] getSupportedProtocols()
Get the configured factory-wide supported protocols.- Returns:
- the configured protocols
-
getSupportedCipherSuites
@Nullable protected String[] getSupportedCipherSuites()
Get the configured factory-wide supported cipher suites.- Returns:
- the configured cipher suites
-
prepareSocket
protected void prepareSocket(@Nonnull SSLSocket socket, @Nullable HttpContext context) throws IOExceptionPerforms any custom initialization for a newly created SSLSocket (before the SSL handshake happens). The default implementation is a no-op, but could be overridden to, e.g., callSSLSocket.setEnabledCipherSuites(String[]).- Parameters:
socket- the SSL socket instance being preparedcontext- the current HttpContext instance- Throws:
IOException- if there is an error customizing the socket
-
createSocket
@Nonnull public Socket createSocket(@Nullable HttpContext context) throws IOException
- Specified by:
createSocketin interfaceConnectionSocketFactory- Throws:
IOException
-
connectSocket
public Socket connectSocket(int connectTimeout, Socket socket, HttpHost host, InetSocketAddress remoteAddress, InetSocketAddress localAddress, HttpContext context) throws IOException
- Specified by:
connectSocketin interfaceConnectionSocketFactory- Throws:
IOException
-
createLayeredSocket
public Socket createLayeredSocket(Socket socket, String target, int port, HttpContext context) throws IOException
- Specified by:
createLayeredSocketin interfaceLayeredConnectionSocketFactory- Throws:
IOException
-
logSocketInfo
private void logSocketInfo(SSLSocket socket)
Log various diagnostic information from theSSLSocketandSSLSession.- Parameters:
socket- the SSLSocket instance
-
getListAttribute
@Nullable protected String[] getListAttribute(@Nullable HttpContext context, @Nonnull String contextKey)
- Parameters:
context- the current HttpContextcontextKey- the attribute context key- Returns:
- a String array, or null
-
verifyHostname
protected void verifyHostname(@Nonnull SSLSocket sslsock, @Nonnull String hostname, @Nullable HttpContext context) throws IOExceptionVerify the peer's socket hostname against the supplied expected name.- Parameters:
sslsock- the SSL socket being preparedhostname- the expected hostnamecontext- the current HttpContext instance- Throws:
IOException- if peer failed hostname verification, or if there was an error during verification
-
-