List of usage examples for javax.net.ssl SSLEngine getEnabledCipherSuites
public abstract String[] getEnabledCipherSuites();
From source file:mitm.BouncyCastleSslEngineSource.java
private void filterWeakCipherSuites(SSLEngine sslEngine) { List<String> ciphers = new LinkedList<String>(); for (String each : sslEngine.getEnabledCipherSuites()) { if (each.equals(each.equals("TLS_DHE_RSA_WITH_AES_128_CBC_SHA") || each.equals("TLS_DHE_RSA_WITH_AES_256_CBC_SHA"))) { LOG.debug("Removed cipher {}", each); } else {/*from w w w .jav a 2 s . com*/ ciphers.add(each); } } sslEngine.setEnabledCipherSuites(ciphers.toArray(new String[ciphers.size()])); if (LOG.isDebugEnabled()) { if (sslEngine.getUseClientMode()) { LOG.debug("Enabled server cipher suites:"); } else { String host = sslEngine.getPeerHost(); int port = sslEngine.getPeerPort(); LOG.debug("Enabled client {}:{} cipher suites:", host, port); } for (String each : ciphers) { LOG.debug(each); } } }
From source file:com.bt.pi.api.http.SimpleHttpsServerFactoryBean.java
protected HttpServer getInitializedServer(InetSocketAddress address) throws IOException { HttpsServer server = HttpsServer.create(address, getBacklog()); try {//from www . j a v a 2s . com SSLContext sslContext = SSLContext.getInstance(sslContextProtocol); KeyStore ks = KeyStore.getInstance(keyStoreType); InputStream is = keyStoreLocation.getInputStream(); try { ks.load(is, password); } catch (EOFException e) { LOG.warn(String.format( "Unable to load certificate store %s. This may be possible because https isn't enabled with a valid certificate", keyStoreLocation)); return null; } KeyManagerFactory kmf = KeyManagerFactory.getInstance(keyManagerAlgorithm); kmf.init(ks, password); TrustManagerFactory tmf = TrustManagerFactory.getInstance(trustManagerAlgorithm); tmf.init(ks); sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); final SSLEngine m_engine = sslContext.createSSLEngine(); server.setHttpsConfigurator(new HttpsConfigurator(sslContext) { public void configure(HttpsParameters params) { params.setSSLParameters(getSSLContext().getDefaultSSLParameters()); params.setNeedClientAuth(false); params.setWantClientAuth(false); params.setCipherSuites(m_engine.getEnabledCipherSuites()); params.setProtocols(m_engine.getEnabledProtocols()); } }); } catch (Throwable e) { throw new IOException("initializing HttpsServer failed due to exception", e); } return server; }
From source file:org.opcfoundation.ua.transport.https.HttpsClient.java
/** * Initialize HttpsClient. // w w w .j a v a 2 s .c o m * * @param connectUrl * @param tcs */ public void initialize(String connectUrl, TransportChannelSettings tcs, EncoderContext ctx) throws ServiceResultException { this.connectUrl = connectUrl; this.securityPolicyUri = tcs.getDescription().getSecurityPolicyUri(); this.transportChannelSettings = tcs; HttpsSettings httpsSettings = tcs.getHttpsSettings(); HttpsSecurityPolicy[] policies = httpsSettings.getHttpsSecurityPolicies(); if (policies != null && policies.length > 0) securityPolicy = policies[policies.length - 1]; else securityPolicy = HttpsSecurityPolicy.TLS_1_1; // securityPolicy = SecurityPolicy.getSecurityPolicy( this.securityPolicyUri ); if (securityPolicy != HttpsSecurityPolicy.TLS_1_0 && securityPolicy != HttpsSecurityPolicy.TLS_1_1 && securityPolicy != HttpsSecurityPolicy.TLS_1_2) throw new ServiceResultException(StatusCodes.Bad_SecurityChecksFailed, "Https Client doesn't support securityPolicy " + securityPolicy); if (logger.isDebugEnabled()) { logger.debug("initialize: url={}; settings={}", tcs.getDescription().getEndpointUrl(), ObjectUtils.printFields(tcs)); } // Setup Encoder EndpointConfiguration endpointConfiguration = tcs.getConfiguration(); encoderCtx = ctx; encoderCtx.setMaxArrayLength( endpointConfiguration.getMaxArrayLength() != null ? endpointConfiguration.getMaxArrayLength() : 0); encoderCtx.setMaxStringLength( endpointConfiguration.getMaxStringLength() != null ? endpointConfiguration.getMaxStringLength() : 0); encoderCtx.setMaxByteStringLength(endpointConfiguration.getMaxByteStringLength() != null ? endpointConfiguration.getMaxByteStringLength() : 0); encoderCtx.setMaxMessageSize( endpointConfiguration.getMaxMessageSize() != null ? endpointConfiguration.getMaxMessageSize() : 0); timer = TimerUtil.getTimer(); try { SchemeRegistry sr = new SchemeRegistry(); if (protocol.equals(UriUtil.SCHEME_HTTPS)) { SSLContext sslcontext = SSLContext.getInstance("TLS"); sslcontext.init(httpsSettings.getKeyManagers(), httpsSettings.getTrustManagers(), null); X509HostnameVerifier hostnameVerifier = httpsSettings.getHostnameVerifier() != null ? httpsSettings.getHostnameVerifier() : SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER; SSLSocketFactory sf = new SSLSocketFactory(sslcontext, hostnameVerifier) { protected void prepareSocket(javax.net.ssl.SSLSocket socket) throws IOException { socket.setEnabledCipherSuites(cipherSuites); }; }; SSLEngine sslEngine = sslcontext.createSSLEngine(); String[] enabledCipherSuites = sslEngine.getEnabledCipherSuites(); cipherSuites = CryptoUtil.filterCipherSuiteList(enabledCipherSuites, securityPolicy.getCipherSuites()); logger.info("Enabled protocols in SSL Engine are {}", Arrays.toString(sslEngine.getEnabledProtocols())); logger.info("Enabled CipherSuites in SSL Engine are {}", Arrays.toString(enabledCipherSuites)); logger.info("Client CipherSuite selection for {} is {}", securityPolicy.getPolicyUri(), Arrays.toString(cipherSuites)); Scheme https = new Scheme("https", 443, sf); sr.register(https); } if (protocol.equals(UriUtil.SCHEME_HTTP)) { Scheme http = new Scheme("http", 80, PlainSocketFactory.getSocketFactory()); sr.register(http); } if (ccm == null) { PoolingClientConnectionManager pccm = new PoolingClientConnectionManager(sr); ccm = pccm; pccm.setMaxTotal(maxConnections); pccm.setDefaultMaxPerRoute(maxConnections); } BasicHttpParams httpParams = new BasicHttpParams(); HttpConnectionParams.setConnectionTimeout(httpParams, transportChannelSettings.getConfiguration().getOperationTimeout()); HttpConnectionParams.setSoTimeout(httpParams, 0); httpclient = new DefaultHttpClient(ccm, httpParams); // Set username and password authentication if (httpsSettings.getUsername() != null && httpsSettings.getPassword() != null) { BasicCredentialsProvider credsProvider = new BasicCredentialsProvider(); credsProvider.setCredentials(new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT), new UsernamePasswordCredentials(httpsSettings.getUsername(), httpsSettings.getPassword())); httpclient.setCredentialsProvider(credsProvider); } } catch (NoSuchAlgorithmException e) { new ServiceResultException(e); } catch (KeyManagementException e) { new ServiceResultException(e); } }
From source file:org.elasticsearch.xpack.core.ssl.SSLServiceTests.java
public void testCiphersAndInvalidCiphersWork() throws Exception { List<String> ciphers = new ArrayList<>(XPackSettings.DEFAULT_CIPHERS); ciphers.add("foo"); ciphers.add("bar"); MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder().put("xpack.ssl.keystore.path", testnodeStore) .put("xpack.ssl.keystore.type", testnodeStoreType).setSecureSettings(secureSettings) .putList("xpack.ssl.ciphers", ciphers.toArray(new String[ciphers.size()])).build(); SSLService sslService = new SSLService(settings, env); SSLEngine engine = sslService.createSSLEngine(Settings.EMPTY, Settings.EMPTY); assertThat(engine, is(notNullValue())); String[] enabledCiphers = engine.getEnabledCipherSuites(); assertThat(Arrays.asList(enabledCiphers), not(contains("foo", "bar"))); }
From source file:com.hypersocket.server.HypersocketServerImpl.java
private void rebuildEnabledCipherSuites() { try {/*from w w w . j a v a2s. com*/ enabledProtocols = configurationService.getValues("ssl.protocols"); } catch (IllegalStateException ex) { } try { String[] ciphers = configurationService.getValues("ssl.ciphers"); SSLEngine engine = defaultSSLContext.createSSLEngine(); if (ciphers != null && ciphers.length > 0) { List<String> enabledCSList = new ArrayList<String>(Arrays.asList(engine.getEnabledCipherSuites())); List<String> includedCSList = new ArrayList<String>(); boolean hasValid = false; for (String cipherName : ciphers) { if (enabledCSList.contains(cipherName)) { includedCSList.add(cipherName); hasValid = true; } else { if (log.isInfoEnabled()) { log.warn("Disabled cipher: " + cipherName); } } } enabledCipherSuites = (String[]) includedCSList.toArray(new String[includedCSList.size()]); if (!hasValid) { if (log.isWarnEnabled()) { log.warn("SSL cipher list did not contain any valid ciphers. Reverting to defaults."); } enabledCipherSuites = engine.getEnabledCipherSuites(); } else { for (String cipher : enabledCipherSuites) { if (log.isInfoEnabled()) { log.info("Enabled cipher: " + cipher); } } } } } catch (IllegalStateException ex) { } }
From source file:com.floragunn.searchguard.ssl.SSLTest.java
@Test public void testAvailCiphers() throws Exception { final SSLContext serverContext = SSLContext.getInstance("TLS"); serverContext.init(null, null, null); final SSLEngine engine = serverContext.createSSLEngine(); final List<String> jdkSupportedCiphers = new ArrayList<>(Arrays.asList(engine.getSupportedCipherSuites())); jdkSupportedCiphers.retainAll(SSLConfigConstants.getSecureSSLCiphers(Settings.EMPTY, false)); engine.setEnabledCipherSuites(jdkSupportedCiphers.toArray(new String[0])); final List<String> jdkEnabledCiphers = Arrays.asList(engine.getEnabledCipherSuites()); // example/*from w w w.j a v a 2 s . c o m*/ // TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, // TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA System.out.println("JDK enabled ciphers: " + jdkEnabledCiphers); Assert.assertTrue(jdkEnabledCiphers.size() > 0); }
From source file:org.elasticsearch.xpack.core.ssl.SSLServiceTests.java
public void testThatSSLEngineHasProperCiphersAndProtocols() throws Exception { MockSecureSettings secureSettings = new MockSecureSettings(); secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode"); Settings settings = Settings.builder().put("xpack.ssl.keystore.path", testnodeStore) .put("xpack.ssl.keystore.type", testnodeStoreType).setSecureSettings(secureSettings).build(); SSLService sslService = new SSLService(settings, env); SSLEngine engine = sslService.createSSLEngine(Settings.EMPTY, Settings.EMPTY); SSLConfiguration config = sslService.sslConfiguration(Settings.EMPTY); final String[] ciphers = sslService.supportedCiphers(engine.getSupportedCipherSuites(), config.cipherSuites(), false); final String[] supportedProtocols = config.supportedProtocols().toArray(Strings.EMPTY_ARRAY); assertThat(engine.getEnabledCipherSuites(), is(ciphers)); assertArrayEquals(ciphers, engine.getSSLParameters().getCipherSuites()); // the order we set the protocols in is not going to be what is returned as internally the JDK may sort the versions assertThat(engine.getEnabledProtocols(), arrayContainingInAnyOrder(supportedProtocols)); assertThat(engine.getSSLParameters().getProtocols(), arrayContainingInAnyOrder(supportedProtocols)); }
From source file:org.opcfoundation.ua.transport.https.HttpsServer.java
protected void initReactor() throws ServiceResultException { boolean https = false, http = false; for (SocketHandle sh : socketHandles.values()) { https |= sh.scheme.equals(UriUtil.SCHEME_HTTPS); http |= sh.scheme.equals(UriUtil.SCHEME_HTTP); }/*w w w .j a v a 2 s . c o m*/ try { if (https && sslSetupHandler == null) { SSLContext sslcontext = SSLContext.getInstance("TLS"); sslcontext.init(application.getHttpsSettings().getKeyManagers(), application.getHttpsSettings().getTrustManagers(), null); // SSL Setup Handler sslSetupHandler = new SSLSetupHandler() { public void verify(IOSession iosession, SSLSession sslsession) throws SSLException { } public void initalize(SSLEngine sslengine) throws SSLException { //sslengine.setEnabledCipherSuites( calcCipherSuites() ); } }; // Create HTTP connection factory sslConnFactory = new SSLNHttpServerConnectionFactory(sslcontext, sslSetupHandler, getHttpParams()); // Create server-side I/O event dispatch sslIoEventDispatch = new DefaultHttpServerIODispatch(protocolHandler, sslConnFactory); // Create ssl engine sslEngine = sslcontext.createSSLEngine(); log.info("Enabled protocols in SSL Engine are {}", Arrays.toString(sslEngine.getEnabledProtocols())); enabledCipherSuites = sslEngine.getEnabledCipherSuites(); log.info("Enabled CipherSuites in SSL Engine are {}", Arrays.toString(enabledCipherSuites)); } if (https) { // Create list of cipher suites String[] oldCipherSuiteSelection = cipherSuites; cipherSuitePatterns = calcCipherSuitePatterns(); //securityPolicies = calcSecurityPolicies().toArray( new SecurityPolicy[0] ); cipherSuites = CryptoUtil.filterCipherSuiteList(enabledCipherSuites, cipherSuitePatterns); sslEngine.setEnabledCipherSuites(cipherSuites); if (oldCipherSuiteSelection == null || !Arrays.equals(oldCipherSuiteSelection, cipherSuites)) { log.info("CipherSuites for policies ({}) are {}", Arrays.toString(securityPolicies), Arrays.toString(cipherSuites)); } } if (http && plainConnFactory == null) { plainConnFactory = new DefaultNHttpServerConnectionFactory(getHttpParams()); // Create server-side I/O event dispatch plainIoEventDispatch = new DefaultHttpServerIODispatch(protocolHandler, plainConnFactory); } if (ioReactor == null) { // Create server-side I/O reactor ioReactor = new DefaultListeningIOReactor(ioConfig, null); } } catch (KeyManagementException e1) { throw new ServiceResultException(e1); } catch (NoSuchAlgorithmException e1) { throw new ServiceResultException(e1); } catch (IOReactorException e1) { throw new ServiceResultException(e1); } }
From source file:org.apache.hadoop.security.ssl.SSLFactory.java
private void disableExcludedCiphers(SSLEngine sslEngine) { String[] cipherSuites = sslEngine.getEnabledCipherSuites(); ArrayList<String> defaultEnabledCipherSuites = new ArrayList<String>(Arrays.asList(cipherSuites)); Iterator iterator = excludeCiphers.iterator(); while (iterator.hasNext()) { String cipherName = (String) iterator.next(); if (defaultEnabledCipherSuites.contains(cipherName)) { defaultEnabledCipherSuites.remove(cipherName); LOG.debug("Disabling cipher suite {}.", cipherName); }//from ww w . ja v a2 s. c o m } cipherSuites = defaultEnabledCipherSuites.toArray(new String[defaultEnabledCipherSuites.size()]); sslEngine.setEnabledCipherSuites(cipherSuites); }