Java Code Examples for javax.net.ssl.SSLEngine#getEnabledCipherSuites()

Example 1
Source File: SSLEngineFactory.java    From NetBare with MIT License
/**
 * Create a client {@link SSLEngine} for the given remote server.
 *
 * <p>The {@link SSLContext} is looked up in {@code CLIENT_SSL_CONTEXTS} keyed by host and
 * built on first use. Two DHE/CBC-SHA cipher suites are removed from the engine's
 * enabled list before it is switched to client mode; all other provider defaults stay.
 *
 * @param host Remote server host.
 * @param port Remote server port.
 * @return A client {@link SSLEngine} instance.
 * @throws ExecutionException If creating the context for {@code host} failed.
 */
public SSLEngine createClientEngine(@NonNull final String host, int port) throws ExecutionException {
    final Callable<SSLContext> contextLoader = new Callable<SSLContext>() {
        @Override
        public SSLContext call() throws GeneralSecurityException, IOException,
                OperatorCreationException {
            return createClientContext(host);
        }
    };
    SSLContext ctx = CLIENT_SSL_CONTEXTS.get(host, contextLoader);
    SSLEngine engine = ctx.createSSLEngine(host, port);

    List<String> retained = new LinkedList<>();
    for (String suite : engine.getEnabledCipherSuites()) {
        // Only these two suites are filtered out; everything else the provider enables is kept.
        boolean excluded = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA".equals(suite)
                || "TLS_DHE_RSA_WITH_AES_256_CBC_SHA".equals(suite);
        if (excluded) {
            continue;
        }
        retained.add(suite);
    }
    engine.setEnabledCipherSuites(retained.toArray(new String[retained.size()]));
    engine.setUseClientMode(true);
    // Client-auth flags are a server-side setting; this call is kept for parity with the original setup.
    engine.setNeedClientAuth(false);
    return engine;
}
 
Example 2
Source File: AlpnOpenListener.java    From lams with GNU General Public License v2.0
/**
 * Checks whether {@code engine} meets the minimum HTTP/2 requirements: both the required
 * protocol version and the required cipher suite must be among its enabled ones.
 * When either is missing, ALPN will not be attempted.
 *
 * @param engine the engine to inspect
 * @return {@code true} if both {@code REQUIRED_PROTOCOL} and {@code REQUIRED_CIPHER} are enabled
 */
public static boolean engineSupportsHTTP2(SSLEngine engine) {
    if (!containsExact(engine.getEnabledProtocols(), REQUIRED_PROTOCOL)) {
        return false;
    }
    return containsExact(engine.getEnabledCipherSuites(), REQUIRED_CIPHER);
}

/** Returns {@code true} when {@code wanted} appears (by {@code equals}) in {@code values}. */
private static boolean containsExact(String[] values, String wanted) {
    for (String value : values) {
        if (value.equals(wanted)) {
            return true;
        }
    }
    return false;
}
 
Example 3
Source File: TransportSupportTest.java    From qpid-jms with Apache License 2.0
@Test
public void testCreateSslEngineFromJksStoreWithExplicitEnabledCiphersJDK() throws Exception {
    // Use the JDK engine's default enabled suites as the candidate pool
    TransportOptions options = createJksSslOptions();
    String[] defaultSuites = createSSLEngineDirectly(options).getEnabledCipherSuites();
    assertTrue("There were no initial ciphers to choose from!", defaultSuites.length > 0);

    // Restrict the options to the first default suite only
    String[] onlySuite = { defaultSuites[0] };
    options.setEnabledCipherSuites(onlySuite);

    SSLContext context = TransportSupport.createJdkSslContext(options);
    SSLEngine engine = TransportSupport.createJdkSslEngine(null, context, options);

    // The engine built from those options must expose exactly that one suite
    assertNotNull(engine);
    assertArrayEquals("Enabled ciphers not as expected", onlySuite, engine.getEnabledCipherSuites());
}
 
Example 4
Source File: TransportSupportTest.java    From qpid-jms with Apache License 2.0
@Test
public void testCreateSslEngineFromJksStoreWithExplicitEnabledCiphersOpenSSL() throws Exception {
    // Only meaningful when the native OpenSSL engine is usable in this JVM
    assumeTrue(OpenSsl.isAvailable());
    assumeTrue(OpenSsl.supportsKeyManagerFactory());

    // Use the OpenSSL engine's default enabled suites as the candidate pool
    TransportOptions options = createJksSslOptions();
    String[] defaultSuites = createOpenSSLEngineDirectly(options).getEnabledCipherSuites();
    assertTrue("There were no initial ciphers to choose from!", defaultSuites.length > 0);

    // Restrict the options to the first default suite only
    String[] onlySuite = { defaultSuites[0] };
    options.setEnabledCipherSuites(onlySuite);

    SslContext context = TransportSupport.createOpenSslContext(options);
    SSLEngine engine = TransportSupport.createOpenSslEngine(PooledByteBufAllocator.DEFAULT, null, context, options);

    // The engine built from those options must expose exactly that one suite
    assertNotNull(engine);
    assertArrayEquals("Enabled ciphers not as expected", onlySuite, engine.getEnabledCipherSuites());
}
 
Example 5
Source File: TransportSupportTest.java    From qpid-jms with Apache License 2.0
@Test
public void testCreateSslEngineFromJksStoreWithExplicitDisabledCiphersJDK() throws Exception {
    // Start from the JDK engine's default enabled suites
    TransportOptions options = createJksSslOptions();
    String[] defaultSuites = createSSLEngineDirectly(options).getEnabledCipherSuites();
    assertTrue("There were no initial ciphers to choose from!", defaultSuites.length > 0);

    // Disable the last default suite; everything before it is expected to survive
    int lastIndex = defaultSuites.length - 1;
    String[] toDisable = { defaultSuites[lastIndex] };
    String[] expectedRemaining = Arrays.copyOf(defaultSuites, lastIndex);
    options.setDisabledCipherSuites(toDisable);

    SSLContext context = TransportSupport.createJdkSslContext(options);
    SSLEngine engine = TransportSupport.createJdkSslEngine(null, context, options);

    // The engine must list the defaults minus the disabled one, in the original order
    assertNotNull(engine);
    assertArrayEquals("Enabled ciphers not as expected", expectedRemaining, engine.getEnabledCipherSuites());
}
 
Example 6
Source File: TransportSupportTest.java    From qpid-jms with Apache License 2.0
@Test
public void testCreateSslEngineFromJksStoreWithExplicitDisabledCiphersOpenSSL() throws Exception {
    // Only meaningful when the native OpenSSL engine is usable in this JVM
    assumeTrue(OpenSsl.isAvailable());
    assumeTrue(OpenSsl.supportsKeyManagerFactory());

    // Start from the OpenSSL engine's default enabled suites
    TransportOptions options = createJksSslOptions();
    String[] defaultSuites = createOpenSSLEngineDirectly(options).getEnabledCipherSuites();
    assertTrue("There were no initial ciphers to choose from!", defaultSuites.length > 0);

    // Disable the last default suite; everything before it is expected to survive
    int lastIndex = defaultSuites.length - 1;
    String[] toDisable = { defaultSuites[lastIndex] };
    String[] expectedRemaining = Arrays.copyOf(defaultSuites, lastIndex);
    options.setDisabledCipherSuites(toDisable);

    SslContext context = TransportSupport.createOpenSslContext(options);
    SSLEngine engine = TransportSupport.createOpenSslEngine(PooledByteBufAllocator.DEFAULT, null, context, options);

    // The engine must list the defaults minus the disabled one, in the original order
    assertNotNull(engine);
    assertArrayEquals("Enabled ciphers not as expected", expectedRemaining, engine.getEnabledCipherSuites());
}
 
Example 7
Source File: TransportSupportTest.java    From qpid-jms with Apache License 2.0
@Test
public void testCreateSslEngineFromJksStoreWithExplicitEnabledAndDisabledCiphersJDK() throws Exception {
    // Need at least two default suites so one can be enabled-then-disabled and one kept
    TransportOptions options = createJksSslOptions();
    String[] defaultSuites = createSSLEngineDirectly(options).getEnabledCipherSuites();
    assertTrue("There werent enough initial ciphers to choose from!", defaultSuites.length > 1);

    // Enable the first two defaults, then disable the first of them again
    String drop = defaultSuites[0];
    String keep = defaultSuites[1];
    options.setEnabledCipherSuites(new String[] { drop, keep });
    options.setDisabledCipherSuites(new String[] { drop });

    SSLContext context = TransportSupport.createJdkSslContext(options);
    SSLEngine engine = TransportSupport.createJdkSslEngine(null, context, options);

    // The disabled list must win over the enabled list: only the kept suite remains
    assertNotNull(engine);
    assertArrayEquals("Enabled ciphers not as expected", new String[] { keep }, engine.getEnabledCipherSuites());
}
 
Example 8
Source File: TransportSupportTest.java    From qpid-jms with Apache License 2.0
@Test
public void testCreateSslEngineFromJksStoreWithExplicitEnabledAndDisabledCiphersOpenSSL() throws Exception {
    // Only meaningful when the native OpenSSL engine is usable in this JVM
    assumeTrue(OpenSsl.isAvailable());
    assumeTrue(OpenSsl.supportsKeyManagerFactory());

    // Need at least two default suites so one can be enabled-then-disabled and one kept
    TransportOptions options = createJksSslOptions();
    String[] defaultSuites = createOpenSSLEngineDirectly(options).getEnabledCipherSuites();
    assertTrue("There werent enough initial ciphers to choose from!", defaultSuites.length > 1);

    // Enable the first two defaults, then disable the first of them again
    String drop = defaultSuites[0];
    String keep = defaultSuites[1];
    options.setEnabledCipherSuites(new String[] { drop, keep });
    options.setDisabledCipherSuites(new String[] { drop });

    SslContext context = TransportSupport.createOpenSslContext(options);
    SSLEngine engine = TransportSupport.createOpenSslEngine(PooledByteBufAllocator.DEFAULT, null, context, options);

    // The disabled list must win over the enabled list: only the kept suite remains
    assertNotNull(engine);
    assertArrayEquals("Enabled ciphers not as expected", new String[] { keep }, engine.getEnabledCipherSuites());
}
 
Example 9
Source File: NotEnabledRC4Test.java    From openjdk-jdk9 with GNU General Public License v2.0
/**
 * Creates one client-mode and one server-mode engine from the shared test context and
 * hands each engine's enabled cipher suites to {@code rc4Test}, which checks the RC4
 * suites are not among them.
 *
 * @param s command-line arguments; unused
 * @throws Exception propagated from context creation or from {@code rc4Test}
 */
public static void main(String[] s) throws Exception {
    SSLContext context = SSLEngineTestCase.getContext();
    SSLEngine clientEngine = engineInMode(context, true);
    SSLEngine serverEngine = engineInMode(context, false);
    rc4Test(clientEngine.getEnabledCipherSuites(), true);
    rc4Test(serverEngine.getEnabledCipherSuites(), false);
}

/** Creates an engine from {@code context} and puts it in client or server mode. */
private static SSLEngine engineInMode(SSLContext context, boolean clientMode) {
    SSLEngine engine = context.createSSLEngine();
    engine.setUseClientMode(clientMode);
    return engine;
}
 
Example 10
Source File: HTTP2Customizer.java    From thorntail with Apache License 2.0
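/**
 * Reports whether the default JDK {@link SSLContext} enables a cipher suite usable for HTTP/2.
 *
 * <p>A fresh engine is created from {@link SSLContext#getDefault()} and its enabled suites are
 * scanned for {@code REQUIRED_CIPHER} or its IBM JDK spelling {@code REQUIRED_CIPHER_IBMJDK}.
 *
 * @return {@code true} if one of the required suites is enabled; {@code false} otherwise,
 *         including when no default context can be obtained at all
 */
protected boolean supportsHTTP2() {
    try {
        SSLContext context = SSLContext.getDefault();
        SSLEngine engine = context.createSSLEngine();
        for (String suite : engine.getEnabledCipherSuites()) {
            if (REQUIRED_CIPHER.equals(suite) || REQUIRED_CIPHER_IBMJDK.equals(suite)) {
                return true;
            }
        }
    } catch (NoSuchAlgorithmException ignored) {
        // Deliberately best-effort: without a default TLS provider, HTTP/2 over TLS is simply unavailable,
        // so the answer is "not supported" rather than an error.
    }
    return false;
}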
 
Example 11
Source File: DefaultTlsContextTest.java    From vespa with Apache License 2.0
@Test
public void can_create_sslcontext_from_credentials() {
    // Self-signed EC certificate valid from EPOCH until one day from now
    KeyPair keyPair = KeyUtils.generateKeypair(EC);
    X509Certificate certificate = X509CertificateBuilder
            .fromKeypair(keyPair, new X500Principal("CN=dummy"), EPOCH, Instant.now().plus(1, DAYS), SHA256_WITH_ECDSA, generateRandomSerialNumber())
            .build();

    // A single policy that grants "dummy-role" to peers whose CN is exactly "dummy"
    RequiredPeerCredential cnIsDummy =
            new RequiredPeerCredential(RequiredPeerCredential.Field.CN, new HostGlobPattern("dummy"));
    PeerPolicy policy = new PeerPolicy("dummy-policy", singleton(new Role("dummy-role")), singletonList(cnIsDummy));
    AuthorizedPeers authorizedPeers = new AuthorizedPeers(singleton(policy));

    // The certificate doubles as its own trust anchor
    DefaultTlsContext tlsContext = new DefaultTlsContext(
            singletonList(certificate), keyPair.getPrivate(), singletonList(certificate), authorizedPeers,
            AuthorizationMode.ENFORCE, PeerAuthentication.NEED, HostnameVerification.ENABLED);

    SSLEngine sslEngine = tlsContext.createSslEngine();
    assertThat(sslEngine).isNotNull();

    // Every enabled suite must come from the context's allow-list, and TLS 1.2 must be on
    String[] allowedSuites = TlsContext.ALLOWED_CIPHER_SUITES.toArray(new String[0]);
    String[] enabledCiphers = sslEngine.getEnabledCipherSuites();
    assertThat(enabledCiphers).isNotEmpty();
    assertThat(enabledCiphers).isSubsetOf(allowedSuites);
    assertThat(sslEngine.getEnabledProtocols()).contains("TLSv1.2");
}
 
Example 12
Source File: ConfigFileBasedTlsContextTest.java    From vespa with Apache License 2.0
@Test
public void can_create_sslcontext_from_credentials() throws IOException, InterruptedException {
    // Private key and self-signed EC certificate, each written to its own temp file
    KeyPair keyPair = KeyUtils.generateKeypair(EC);
    Path privateKeyFile = writeTempFile(KeyUtils.toPem(keyPair.getPrivate()));

    X509Certificate certificate = X509CertificateBuilder
            .fromKeypair(keyPair, new X500Principal("CN=dummy"), EPOCH, EPOCH.plus(1, DAYS), SHA256_WITH_ECDSA, BigInteger.ONE)
            .build();
    String certificatePem = X509CertificateUtils.toPem(certificate);
    Path certificateChainFile = writeTempFile(certificatePem);
    // The same certificate serves as the CA file, so the chain is trusted by construction
    Path caCertificatesFile = writeTempFile(certificatePem);

    TransportSecurityOptions options = new TransportSecurityOptions.Builder()
            .withCertificates(certificateChainFile, privateKeyFile)
            .withCaCertificates(caCertificatesFile)
            .build();
    Path optionsFile = tempDirectory.newFile().toPath();
    options.toJsonFile(optionsFile);

    // The context is AutoCloseable; close it so any file watcher it starts is stopped
    try (TlsContext tlsContext = new ConfigFileBasedTlsContext(optionsFile, AuthorizationMode.ENFORCE)) {
        SSLEngine sslEngine = tlsContext.createSslEngine();
        assertThat(sslEngine).isNotNull();

        // Every enabled suite must come from the context's allow-list, and TLS 1.2 must be on
        String[] allowedSuites = TlsContext.ALLOWED_CIPHER_SUITES.toArray(new String[0]);
        String[] enabledCiphers = sslEngine.getEnabledCipherSuites();
        assertThat(enabledCiphers).isNotEmpty();
        assertThat(enabledCiphers).isSubsetOf(allowedSuites);
        assertThat(sslEngine.getEnabledProtocols()).contains("TLSv1.2");
    }
}

/** Writes {@code content} to a fresh file under {@code tempDirectory} and returns its path. */
private Path writeTempFile(String content) throws IOException, InterruptedException {
    Path file = tempDirectory.newFile().toPath();
    com.yahoo.vespa.jdk8compat.Files.writeString(file, content);
    return file;
}
 
Example 13
Source File: CoreClientOverOneWaySSLTest.java    From activemq-artemis with Apache License 2.0
/**
 * Builds an {@link SSLContext} from the test's server keystore and client truststore
 * (both of type {@code storeType}, both protected by {@code PASSWORD}) and returns the
 * cipher suites a fresh engine created from it enables by default.
 *
 * @return the engine's default enabled cipher suites
 * @throws Exception if the stores cannot be loaded or the context cannot be created
 */
public String[] getEnabledCipherSuites() throws Exception {
   SSLContext context = new SSLSupport()
      .setKeystoreProvider(storeType)
      .setKeystorePath(SERVER_SIDE_KEYSTORE)
      .setKeystorePassword(PASSWORD)
      .setTruststoreProvider(storeType)
      .setTruststorePath(CLIENT_SIDE_TRUSTSTORE)
      .setTruststorePassword(PASSWORD)
      .createContext();
   // An unconfigured engine reports the provider defaults for this context
   return context.createSSLEngine().getEnabledCipherSuites();
}
 
Example 14
Source File: TestSSLUtils.java    From ambry with Apache License 2.0
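/**
 * Asserts that a context/engine pair was configured the way the test expects.
 *
 * <p>All assertions use JUnit's {@code (expected, actual)} argument order so that a failure
 * message names the expected value correctly; the original had several of them reversed.
 *
 * @param sslContext the context under test; its protocol and provider name are checked
 * @param sslEngine  the engine under test; enabled protocols, the single enabled cipher suite,
 *                   client-auth flags and endpoint identification are checked
 * @param isClient   whether {@code sslEngine} was created in client mode, which decides the
 *                   expected client-auth and endpoint-identification settings
 */
private static void verifySSLConfig(SSLContext sslContext, SSLEngine sslEngine, boolean isClient) {
  // SSLContext verify
  Assert.assertEquals(SSL_CONTEXT_PROTOCOL, sslContext.getProtocol());
  Assert.assertEquals(SSL_CONTEXT_PROVIDER, sslContext.getProvider().getName());

  // SSLEngine verify
  String[] enabledProtocols = sslEngine.getEnabledProtocols();
  if (enabledProtocols.length == 2) {
    // Apparently the Netty OpenSslEngine has no way of disabling the SSLv2Hello protocol.
    // This is the relevant code from ReferenceCountedOpenSslEngine.getEnabledProtocols():
    // """
    // // Seems like there is no way to explicit disable SSLv2Hello in openssl so it is always enabled
    // enabled.add(PROTOCOL_SSL_V2_HELLO);
    // """
    Assert.assertArrayEquals("enabledProtocols does not match expected",
        new String[]{SSL_V2_HELLO_PROTOCOL, TLS_V1_2_PROTOCOL}, enabledProtocols);
  } else {
    Assert.assertArrayEquals("enabledProtocols does not match expected", new String[]{TLS_V1_2_PROTOCOL},
        enabledProtocols);
  }

  // Exactly one suite is expected to be enabled, and it must be the configured one
  String[] enabledCipherSuite = sslEngine.getEnabledCipherSuites();
  Assert.assertEquals("exactly one enabled cipher suite expected", 1, enabledCipherSuite.length);
  Assert.assertEquals(SSL_CIPHER_SUITES, enabledCipherSuite[0]);

  // "want" client auth is never used; the server side must *need* it, the client side must not
  Assert.assertFalse(sslEngine.getWantClientAuth());
  if (isClient) {
    Assert.assertEquals(ENDPOINT_IDENTIFICATION_ALGORITHM,
        sslEngine.getSSLParameters().getEndpointIdentificationAlgorithm());
    Assert.assertFalse(sslEngine.getNeedClientAuth());
    Assert.assertTrue(sslEngine.getUseClientMode());
  } else {
    // Endpoint identification only applies to the client; the server must leave it unset
    Assert.assertNull(sslEngine.getSSLParameters().getEndpointIdentificationAlgorithm());
    Assert.assertTrue(sslEngine.getNeedClientAuth());
    Assert.assertFalse(sslEngine.getUseClientMode());
  }
}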
 
Example 15
Source File: SslFactory.java    From hivemq-community-edition with Apache License 2.0
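/**
 * Creates (and caches) the TLS context for {@code tls} once, logs the protocols and cipher
 * suites a fresh engine actually enables for {@code listener}, and warns about configured
 * cipher suites the engine does not know.
 *
 * <p>Any failure while building the context is logged and converted into an
 * {@link UnrecoverableException}: a listener whose TLS settings cannot be applied must not start.
 *
 * @param listener the listener the TLS configuration belongs to; used for log context only
 * @param tls      the TLS configuration (protocols and cipher suites) to verify
 * @throws UnrecoverableException if the context cannot be created
 */
public void verifySslAtBootstrap(@NotNull final Listener listener, @NotNull final Tls tls) {
    try {
        if (sslContextStore.contains(tls)) {
            return;
        }
        final SslContext sslContext = sslContextFactory.createSslContext(tls);
        sslContextStore.putAtStart(tls, sslContext);

        // Probe engine: only used to read back what the provider really enabled.
        // NOTE(review): it is never released; for OpenSSL-backed engines that may hold native memory - confirm.
        final SSLEngine sslEngine = sslContext.newEngine(new PooledByteBufAllocator());
        enableProtocols(sslEngine, tls.getProtocols());
        log.info("Enabled protocols for {} at address {} and port {}: {}", listener.readableName(), listener.getBindAddress(), listener.getPort(), Arrays.toString(sslEngine.getEnabledProtocols()));
        final String[] enabledCipherSuites = sslEngine.getEnabledCipherSuites();
        log.info("Enabled cipher suites for {} at address {} and port {}: {}", listener.readableName(), listener.getBindAddress(), listener.getPort(), Arrays.toString(enabledCipherSuites));

        final List<String> cipherSuites = tls.getCipherSuites();
        if (cipherSuites.isEmpty()) {
            return;
        }

        final Set<String> unknownCipherSuitesSet;
        if (sslContext instanceof OpenSslServerContext) {
            unknownCipherSuitesSet = unknownOpenSslSuites(cipherSuites, enabledCipherSuites);
        } else {
            unknownCipherSuitesSet = Sets.difference(ImmutableSet.copyOf(cipherSuites), ImmutableSet.copyOf(enabledCipherSuites));
        }

        if (!unknownCipherSuitesSet.isEmpty()) {
            log.warn("Unknown cipher suites for {} at address {} and port {}: {}", listener.readableName(), listener.getBindAddress(), listener.getPort(), unknownCipherSuitesSet);
        }
    } catch (final Exception e) {
        log.error("Not able to create SSL server context", e);
        throw new UnrecoverableException(false);
    }
}

/**
 * Configured suites that the OpenSSL engine does not report as enabled.
 *
 * <p>OpenSSL ignores the {@code TLS_}/{@code SSL_} prefix of JSSE-style suite names, so both
 * sides are compared with that prefix removed. Only those two prefixes are stripped: a blind
 * {@code substring(4)} threw {@link StringIndexOutOfBoundsException} for a configured name
 * shorter than four characters, which the enclosing catch turned into a fatal startup error
 * instead of the intended "unknown cipher suite" warning.
 *
 * @param configured suite names from the configuration; {@code null} entries are skipped
 * @param enabled    suite names the engine reports as enabled
 * @return the configured names with no enabled counterpart (never {@code null})
 */
private static Set<String> unknownOpenSslSuites(final List<String> configured, final String[] enabled) {
    final Set<String> enabledWithoutPrefix = new HashSet<>();
    for (final String suite : enabled) {
        enabledWithoutPrefix.add(stripJssePrefix(suite));
    }
    final Set<String> unknown = new HashSet<>();
    for (final String suite : configured) {
        if (suite != null && !enabledWithoutPrefix.contains(stripJssePrefix(suite))) {
            unknown.add(suite);
        }
    }
    return unknown;
}

/** Removes a leading {@code TLS_} or {@code SSL_}; any other name is returned unchanged. */
private static String stripJssePrefix(final String suite) {
    if (suite.startsWith("TLS_") || suite.startsWith("SSL_")) {
        return suite.substring(4);
    }
    return suite;
}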