Java Code Examples for org.eclipse.jetty.util.ssl.SslContextFactory#setIncludeCipherSuites()

The following examples show how to use org.eclipse.jetty.util.ssl.SslContextFactory#setIncludeCipherSuites() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: JettyWebServer.java    From Doradus with Apache License 2.0 6 votes vote down vote up
private ServerConnector createSSLConnector() {
    SslContextFactory sslContextFactory = new SslContextFactory();
    sslContextFactory.setKeyStorePath(m_keystore);
    sslContextFactory.setKeyStorePassword(m_keystorepassword);
    sslContextFactory.setTrustStorePath(m_truststore);
    sslContextFactory.setTrustStorePassword(m_truststorepassword);
    sslContextFactory.setNeedClientAuth(m_clientauthentication);
    sslContextFactory.setIncludeCipherSuites(m_tls_cipher_suites);

    HttpConfiguration http_config = new HttpConfiguration();
    http_config.setSecureScheme("https");
    HttpConfiguration https_config = new HttpConfiguration(http_config);
    https_config.addCustomizer(new SecureRequestCustomizer());
    SslConnectionFactory sslConnFactory = new SslConnectionFactory(sslContextFactory, "http/1.1");
    HttpConnectionFactory httpConnFactory = new HttpConnectionFactory(https_config);
    ServerConnector sslConnector = new ServerConnector(m_jettyServer, sslConnFactory, httpConnFactory);
    return sslConnector;
}
 
Example 2
Source File: SSLUtils.java    From kop with Apache License 2.0 5 votes vote down vote up
/**
 * Configures Protocol, Algorithm and Provider related settings in SslContextFactory.
 */
protected static void configureSslContextFactoryAlgorithms(SslContextFactory ssl,
                                                           Map<String, Object> sslConfigValues) {
    Set<String> sslEnabledProtocols =
        (Set<String>) getOrDefault(
            sslConfigValues,
            SslConfigs.SSL_ENABLED_PROTOCOLS_CONFIG,
            Arrays.asList(SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS.split("\\s*,\\s*")));
    ssl.setIncludeProtocols(sslEnabledProtocols.toArray(new String[sslEnabledProtocols.size()]));

    String sslProvider = (String) sslConfigValues.get(SslConfigs.SSL_PROVIDER_CONFIG);
    if (sslProvider != null) {
        ssl.setProvider(sslProvider);
    }

    ssl.setProtocol(
        (String) getOrDefault(sslConfigValues, SslConfigs.SSL_PROTOCOL_CONFIG, SslConfigs.DEFAULT_SSL_PROTOCOL));

    Set<String> sslCipherSuites = (Set<String>) sslConfigValues.get(SslConfigs.SSL_CIPHER_SUITES_CONFIG);
    if (sslCipherSuites != null) {
        ssl.setIncludeCipherSuites(sslCipherSuites.toArray(new String[sslCipherSuites.size()]));
    }

    ssl.setKeyManagerFactoryAlgorithm((String) getOrDefault(
        sslConfigValues,
        SslConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG,
        SslConfigs.DEFAULT_SSL_KEYMANGER_ALGORITHM));

    String sslSecureRandomImpl = (String) sslConfigValues.get(SslConfigs.SSL_SECURE_RANDOM_IMPLEMENTATION_CONFIG);
    if (sslSecureRandomImpl != null) {
        ssl.setSecureRandomAlgorithm(sslSecureRandomImpl);
    }

    ssl.setTrustManagerFactoryAlgorithm((String) getOrDefault(
        sslConfigValues,
        SslConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG,
        SslConfigs.DEFAULT_SSL_TRUSTMANAGER_ALGORITHM));
}
 
Example 3
Source File: HttpServerExtension.java    From kareldb with Apache License 2.0 4 votes vote down vote up
private static SslContextFactory createSslContextFactory(KarelDbConfig config) {
    SslContextFactory sslContextFactory = new SslContextFactory();
    if (!config.getString(KarelDbConfig.SSL_KEYSTORE_LOCATION_CONFIG).isEmpty()) {
        sslContextFactory.setKeyStorePath(
            config.getString(KarelDbConfig.SSL_KEYSTORE_LOCATION_CONFIG)
        );
        sslContextFactory.setKeyStorePassword(
            config.getPassword(KarelDbConfig.SSL_KEYSTORE_PASSWORD_CONFIG).value()
        );
        sslContextFactory.setKeyManagerPassword(
            config.getPassword(KarelDbConfig.SSL_KEY_PASSWORD_CONFIG).value()
        );
        sslContextFactory.setKeyStoreType(
            config.getString(KarelDbConfig.SSL_KEYSTORE_TYPE_CONFIG)
        );

        if (!config.getString(KarelDbConfig.SSL_KEYMANAGER_ALGORITHM_CONFIG).isEmpty()) {
            sslContextFactory.setKeyManagerFactoryAlgorithm(
                config.getString(KarelDbConfig.SSL_KEYMANAGER_ALGORITHM_CONFIG));
        }
    }

    configureClientAuth(config, sslContextFactory);

    List<String> enabledProtocols = config.getList(KarelDbConfig.SSL_ENABLED_PROTOCOLS_CONFIG);
    if (!enabledProtocols.isEmpty()) {
        sslContextFactory.setIncludeProtocols(enabledProtocols.toArray(new String[0]));
    }

    List<String> cipherSuites = config.getList(KarelDbConfig.SSL_CIPHER_SUITES_CONFIG);
    if (!cipherSuites.isEmpty()) {
        sslContextFactory.setIncludeCipherSuites(cipherSuites.toArray(new String[0]));
    }

    sslContextFactory.setEndpointIdentificationAlgorithm(
        config.getString(KarelDbConfig.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG));

    if (!config.getString(KarelDbConfig.SSL_TRUSTSTORE_LOCATION_CONFIG).isEmpty()) {
        sslContextFactory.setTrustStorePath(
            config.getString(KarelDbConfig.SSL_TRUSTSTORE_LOCATION_CONFIG)
        );
        sslContextFactory.setTrustStorePassword(
            config.getPassword(KarelDbConfig.SSL_TRUSTSTORE_PASSWORD_CONFIG).value()
        );
        sslContextFactory.setTrustStoreType(
            config.getString(KarelDbConfig.SSL_TRUSTSTORE_TYPE_CONFIG)
        );

        if (!config.getString(KarelDbConfig.SSL_TRUSTMANAGER_ALGORITHM_CONFIG).isEmpty()) {
            sslContextFactory.setTrustManagerFactoryAlgorithm(
                config.getString(KarelDbConfig.SSL_TRUSTMANAGER_ALGORITHM_CONFIG)
            );
        }
    }

    sslContextFactory.setProtocol(config.getString(KarelDbConfig.SSL_PROTOCOL_CONFIG));
    if (!config.getString(KarelDbConfig.SSL_PROVIDER_CONFIG).isEmpty()) {
        sslContextFactory.setProtocol(config.getString(KarelDbConfig.SSL_PROVIDER_CONFIG));
    }

    sslContextFactory.setRenegotiationAllowed(false);

    return sslContextFactory;
}
 
Example 4
Source File: HttpsConnectorGenerator.java    From dremio-oss with Apache License 2.0 4 votes vote down vote up
/**
 * Create an HTTPS connector for given jetty server instance. If the config has specified keystore/truststore settings
 * they will be used else a self-signed certificate is generated and used.
 *
 * @param hostName      hostname
 * @param config        {@link DremioConfig} containing SSL related settings if any.
 * @param embeddedJetty Jetty server instance needed for creating a ServerConnector.
 * @return Initialized {@link ServerConnector} for HTTPS connections and the trust store. Trust store is non-null only
 * when in case of auto generated self-signed certificate.
 * @throws Exception
 */
public Pair<ServerConnector, KeyStore> createHttpsConnector(
    final Server embeddedJetty,
    final DremioConfig config,
    final String hostName,
    final String... alternativeNames
) throws Exception {
  logger.info("Setting up HTTPS connector for web server");

  final SSLConfigurator configurator = new SSLConfigurator(config, DremioConfig.WEB_SSL_PREFIX, "web");
  final Optional<SSLConfig> sslConfigOption = configurator.getSSLConfig(true, hostName, alternativeNames);
  Preconditions.checkState(sslConfigOption.isPresent()); // caller's responsibility
  final SSLConfig sslConfig = sslConfigOption.get();

  final KeyStore keyStore = KeyStore.getInstance(sslConfig.getKeyStoreType());
  try (InputStream stream = Files.newInputStream(Paths.get(sslConfig.getKeyStorePath()))) {
    keyStore.load(stream, sslConfig.getKeyStorePassword().toCharArray());
  }

  KeyStore trustStore = null;
  //noinspection StringEquality
  if (sslConfig.getTrustStorePath() != SSLConfig.UNSPECIFIED) {
    trustStore = KeyStore.getInstance(sslConfig.getTrustStoreType());
    try (InputStream stream = Files.newInputStream(Paths.get(sslConfig.getTrustStorePath()))) {
      trustStore.load(stream, sslConfig.getTrustStorePassword().toCharArray());
    }
  }

  final SslContextFactory sslContextFactory = new SslContextFactory.Server();
  sslContextFactory.setKeyStore(keyStore);
  sslContextFactory.setKeyManagerPassword(sslConfig.getKeyPassword());
  // TODO(DX-12920): sslContextFactory.setKeyStorePassword(sslConfig.getKeyStorePassword());
  sslContextFactory.setTrustStore(trustStore);

  final String[] enabledCiphers;
  final String customCipherSuite = System.getProperty(DREMIO_SSL_CIPHERSUITE_OVERRIDE);
  if (customCipherSuite != null) {
    logger.info("Using custom cipher list for web server");
    enabledCiphers = Splitter.on(",")
        .trimResults()
        .omitEmptyStrings()
        .splitToList(customCipherSuite)
        .toArray(new String[0]);
    logger.info("Selected cipher list: {}", Arrays.toString(enabledCiphers));
  } else {
    /* By default, only enable the OWASP broad compatibility list of cipher suites, the order listed
     * is the preferred priority of the cipher suites.
     * TLS 1.3 is not supported in JDK 8, but the first three ciphers are still included for future compatibility.
     *
     * See: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/TLS_Cipher_String_Cheat_Sheet.md
     */
    enabledCiphers = new String[] {
      "TLS_AES_256_GCM_SHA384", // TLS 1.3
      "TLS_CHACHA20_POLY1305_SHA256", // TLS 1.3
      "TLS_AES_128_GCM_SHA256", // TLS 1.3
      "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
      "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
    };
  }
  sslContextFactory.setIncludeCipherSuites(enabledCiphers);
  sslContextFactory.setRenegotiationAllowed(false);

  // TODO(DX-12920): sslContextFactory.setValidateCerts(true); to ensure that the server starts up with a valid
  // certificate
  // TODO(DX-12920): sslContextFactory.setValidatePeerCerts(!sslConfig.disableCertificateVerification());

  // this ensures that jersey is aware that we are using https - without this it thinks that every connection is unsecured
  final HttpConfiguration httpConfig = new HttpConfiguration();
  httpConfig.setSecureScheme("https");
  httpConfig.addCustomizer(new SecureRequestCustomizer());

  final ServerConnector sslConnector =
    new ServerConnector(
      embeddedJetty,
      new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
      new HttpConnectionFactory(httpConfig)
    );

  return Pair.of(sslConnector, trustStore);
}
 
Example 5
Source File: SslContextFactoryUtils.java    From vespa with Apache License 2.0 4 votes vote down vote up
static void setEnabledCipherSuites(SslContextFactory factory, SSLContext sslContext, List<String> enabledCiphers) {
    String[] supportedCiphers = sslContext.getSupportedSSLParameters().getCipherSuites();
    factory.setIncludeCipherSuites(enabledCiphers.toArray(String[]::new));
    factory.setExcludeCipherSuites(createExclusionList(enabledCiphers, supportedCiphers));
}
 
Example 6
Source File: Launcher.java    From EchoQuery with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Configures and sets up a Jetty server.
 * @param args
 * @throws Exception
 */
public static void main(final String[] args) throws Exception {
  // Configure logging to output to the console with default level of
  // INFO.
  BasicConfigurator.configure();

  Server server = new Server();

  // Configure SSL from system properties.
  SslConnectionFactory sslConnectionFactory = new SslConnectionFactory();
  SslContextFactory sslContextFactory =
      sslConnectionFactory.getSslContextFactory();
  sslContextFactory.setKeyStorePath(
      System.getProperty("javax.net.ssl.keyStore"));
  sslContextFactory.setKeyStorePassword(
      System.getProperty("javax.net.ssl.keyStorePassword"));
  sslContextFactory.setIncludeCipherSuites(Sdk.SUPPORTED_CIPHER_SUITES);

  // Configure HTTPS server.
  HttpConfiguration httpConf = new HttpConfiguration();
  httpConf.setSecurePort(PORT);
  httpConf.setSecureScheme(HTTPS_SCHEME);
  httpConf.addCustomizer(new SecureRequestCustomizer());
  HttpConnectionFactory httpConnectionFactory =
      new HttpConnectionFactory(httpConf);

  // Set up the servlets.
  ServerConnector serverConnector = new ServerConnector(
      server, sslConnectionFactory, httpConnectionFactory);
  serverConnector.setPort(PORT);

  Connector[] connectors = new Connector[1];
  connectors[0] = serverConnector;
  server.setConnectors(connectors);

  ServletContextHandler context =
      new ServletContextHandler(ServletContextHandler.SESSIONS);
  context.setContextPath("/");
  server.setHandler(context);
  context.addServlet(new ServletHolder(
      createServlet(new EchoQuerySpeechlet())), "/echoquery");
  server.start();
  server.join();
}
 
Example 7
Source File: WebSocketCommon.java    From datacollector with Apache License 2.0 4 votes vote down vote up
public static WebSocketClient createWebSocketClient(String resourceUrl, TlsConfigBean tlsConf) {
  try {
    resourceUrl = resourceUrl.toLowerCase();
    if (resourceUrl.startsWith("wss")) {
      SslContextFactory sslContextFactory = new SslContextFactory();
      if (tlsConf != null && tlsConf.isEnabled() && tlsConf.isInitialized()) {
        if (tlsConf.getKeyStore() != null) {
          sslContextFactory.setKeyStore(tlsConf.getKeyStore());
        } else {
          if (tlsConf.keyStoreFilePath != null) {
            sslContextFactory.setKeyStorePath(tlsConf.keyStoreFilePath);
          }
          if (tlsConf.keyStoreType != null) {
            sslContextFactory.setKeyStoreType(tlsConf.keyStoreType.getJavaValue());
          }
        }
        if (tlsConf.keyStorePassword != null) {
          sslContextFactory.setKeyStorePassword(tlsConf.keyStorePassword.get());
        }
        if (tlsConf.getTrustStore() != null) {
          sslContextFactory.setTrustStore(tlsConf.getTrustStore());
        } else {
          if (tlsConf.trustStoreFilePath != null) {
            sslContextFactory.setTrustStorePath(tlsConf.trustStoreFilePath);
          }
          if (tlsConf.trustStoreType != null) {
            sslContextFactory.setTrustStoreType(tlsConf.trustStoreType.getJavaValue());
          }
        }
        if (tlsConf.trustStorePassword != null) {
          sslContextFactory.setTrustStorePassword(tlsConf.trustStorePassword.get());
        }

        sslContextFactory.setSslContext(tlsConf.getSslContext());
        sslContextFactory.setIncludeCipherSuites(tlsConf.getFinalCipherSuites());
        sslContextFactory.setIncludeProtocols(tlsConf.getFinalProtocols());
      }
      return new WebSocketClient(sslContextFactory);
    } else {
     return new WebSocketClient();
    }
  } catch (Exception e) {
    throw new IllegalArgumentException(resourceUrl, e);
  }
}
 
Example 8
Source File: BrooklynWebServer.java    From brooklyn-server with Apache License 2.0 4 votes vote down vote up
private SslContextFactory createContextFactory() throws KeyStoreException {
    SslContextFactory sslContextFactory = new SslContextFactory();

    // allow webconsole keystore & related properties to be set in brooklyn.properties
    String ksUrl = getKeystoreUrl();
    String ksPassword = getConfig(keystorePassword, BrooklynWebConfig.KEYSTORE_PASSWORD);
    String ksCertAlias = getConfig(keystoreCertAlias, BrooklynWebConfig.KEYSTORE_CERTIFICATE_ALIAS);
    String trProtos = getConfig(transportProtocols, BrooklynWebConfig.TRANSPORT_PROTOCOLS);
    String trCiphers = getConfig(transportCiphers, BrooklynWebConfig.TRANSPORT_CIPHERS);
    
    if (ksUrl!=null) {
        sslContextFactory.setKeyStorePath(getLocalKeyStorePath(ksUrl));
        if (Strings.isEmpty(ksPassword))
            throw new IllegalArgumentException("Keystore password is required and non-empty if keystore is specified.");
        sslContextFactory.setKeyStorePassword(ksPassword);
        if (Strings.isNonEmpty(ksCertAlias))
            sslContextFactory.setCertAlias(ksCertAlias);
    } else {
        log.info("No keystore specified but https enabled; creating a default keystore");
        
        if (Strings.isEmpty(ksCertAlias))
            ksCertAlias = "web-console";
        
        // if password is blank the process will block and read from stdin !
        if (Strings.isEmpty(ksPassword)) {
            ksPassword = Identifiers.makeRandomId(8);
            log.debug("created random password "+ksPassword+" for ad hoc internal keystore");
        }
        
        KeyStore ks = SecureKeys.newKeyStore();
        KeyPair key = SecureKeys.newKeyPair();
        X509Certificate cert = new FluentKeySigner("brooklyn").newCertificateFor("web-console", key);
        ks.setKeyEntry(ksCertAlias, key.getPrivate(), ksPassword.toCharArray(),
            new Certificate[] { cert });
        
        sslContextFactory.setKeyStore(ks);
        sslContextFactory.setKeyStorePassword(ksPassword);
        sslContextFactory.setCertAlias(ksCertAlias);
    }
    if (!Strings.isEmpty(truststorePath)) {
        sslContextFactory.setTrustStorePath(checkFileExists(truststorePath, "truststore"));
        sslContextFactory.setTrustStorePassword(trustStorePassword);
    }

    if (Strings.isNonBlank(trProtos)) {
        sslContextFactory.setIncludeProtocols(parseArray(trProtos));
    }
    if (Strings.isNonBlank(trCiphers)) {
        sslContextFactory.setIncludeCipherSuites(parseArray(trCiphers));
    }
    return sslContextFactory;
}
 
Example 9
Source File: JettyHTTPServerEngine.java    From cxf with Apache License 2.0 4 votes vote down vote up
protected SSLContext createSSLContext(SslContextFactory scf) throws Exception  {
    String proto = tlsServerParameters.getSecureSocketProtocol() == null
        ? "TLS" : tlsServerParameters.getSecureSocketProtocol();

    // Jetty 9 excludes SSLv3 by default. So if we want it then we need to
    // remove it from the default excluded protocols
    boolean allowSSLv3 = "SSLv3".equals(proto);
    if (allowSSLv3 || !tlsServerParameters.getIncludeProtocols().isEmpty()) {
        List<String> excludedProtocols = new ArrayList<>();
        for (String excludedProtocol : scf.getExcludeProtocols()) {
            if (!(tlsServerParameters.getIncludeProtocols().contains(excludedProtocol)
                || (allowSSLv3 && ("SSLv3".equals(excludedProtocol)
                    || "SSLv2Hello".equals(excludedProtocol))))) {
                excludedProtocols.add(excludedProtocol);
            }
        }
        String[] revisedProtocols = new String[excludedProtocols.size()];
        excludedProtocols.toArray(revisedProtocols);
        scf.setExcludeProtocols(revisedProtocols);
    }

    for (String p : tlsServerParameters.getExcludeProtocols()) {
        scf.addExcludeProtocols(p);
    }

    SSLContext context = tlsServerParameters.getJsseProvider() == null
        ? SSLContext.getInstance(detectProto(proto, allowSSLv3))
            : SSLContext.getInstance(detectProto(proto, allowSSLv3), tlsServerParameters.getJsseProvider());

    KeyManager[] keyManagers = tlsServerParameters.getKeyManagers();
    KeyManager[] configuredKeyManagers = org.apache.cxf.transport.https.SSLUtils.configureKeyManagersWithCertAlias(
        tlsServerParameters, keyManagers);

    context.init(configuredKeyManagers,
                 tlsServerParameters.getTrustManagers(),
                 tlsServerParameters.getSecureRandom());

    // Set the CipherSuites
    final String[] supportedCipherSuites =
        SSLUtils.getServerSupportedCipherSuites(context);

    if (tlsServerParameters.getCipherSuitesFilter() != null
        && tlsServerParameters.getCipherSuitesFilter().isSetExclude()) {
        String[] excludedCipherSuites =
            SSLUtils.getFilteredCiphersuites(tlsServerParameters.getCipherSuitesFilter(),
                                             supportedCipherSuites,
                                             LOG,
                                             true);
        scf.setExcludeCipherSuites(excludedCipherSuites);
    }

    String[] includedCipherSuites =
        SSLUtils.getCiphersuitesToInclude(tlsServerParameters.getCipherSuites(),
                                          tlsServerParameters.getCipherSuitesFilter(),
                                          context.getServerSocketFactory().getDefaultCipherSuites(),
                                          supportedCipherSuites,
                                          LOG);
    scf.setIncludeCipherSuites(includedCipherSuites);

    return context;
}
 
Example 10
Source File: ApplicationServer.java    From rest-utils with Apache License 2.0 4 votes vote down vote up
private SslContextFactory createSslContextFactory(RestConfig config) {
  SslContextFactory sslContextFactory = new SslContextFactory.Server();
  if (!config.getString(RestConfig.SSL_KEYSTORE_LOCATION_CONFIG).isEmpty()) {
    sslContextFactory.setKeyStorePath(
            config.getString(RestConfig.SSL_KEYSTORE_LOCATION_CONFIG)
    );
    sslContextFactory.setKeyStorePassword(
            config.getPassword(RestConfig.SSL_KEYSTORE_PASSWORD_CONFIG).value()
    );
    sslContextFactory.setKeyManagerPassword(
            config.getPassword(RestConfig.SSL_KEY_PASSWORD_CONFIG).value()
    );
    sslContextFactory.setKeyStoreType(
            config.getString(RestConfig.SSL_KEYSTORE_TYPE_CONFIG)
    );

    if (!config.getString(RestConfig.SSL_KEYMANAGER_ALGORITHM_CONFIG).isEmpty()) {
      sslContextFactory.setKeyManagerFactoryAlgorithm(
              config.getString(RestConfig.SSL_KEYMANAGER_ALGORITHM_CONFIG));
    }

    if (config.getBoolean(RestConfig.SSL_KEYSTORE_RELOAD_CONFIG)) {
      Path watchLocation = getWatchLocation(config);
      try {
        FileWatcher.onFileChange(watchLocation, () -> {
              // Need to reset the key store path for symbolic link case
              sslContextFactory.setKeyStorePath(
                  config.getString(RestConfig.SSL_KEYSTORE_LOCATION_CONFIG)
              );
              sslContextFactory.reload(scf -> log.info("Reloaded SSL cert"));
            }
        );
        log.info("Enabled SSL cert auto reload for: " + watchLocation);
      } catch (java.io.IOException e) {
        log.error("Can not enabled SSL cert auto reload", e);
      }
    }
  }

  configureClientAuth(sslContextFactory, config);

  List<String> enabledProtocols = config.getList(RestConfig.SSL_ENABLED_PROTOCOLS_CONFIG);
  if (!enabledProtocols.isEmpty()) {
    sslContextFactory.setIncludeProtocols(enabledProtocols.toArray(new String[0]));
  }

  List<String> cipherSuites = config.getList(RestConfig.SSL_CIPHER_SUITES_CONFIG);
  if (!cipherSuites.isEmpty()) {
    sslContextFactory.setIncludeCipherSuites(cipherSuites.toArray(new String[0]));
  }

  sslContextFactory.setEndpointIdentificationAlgorithm(
          config.getString(RestConfig.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG));

  if (!config.getString(RestConfig.SSL_TRUSTSTORE_LOCATION_CONFIG).isEmpty()) {
    sslContextFactory.setTrustStorePath(
            config.getString(RestConfig.SSL_TRUSTSTORE_LOCATION_CONFIG)
    );
    sslContextFactory.setTrustStorePassword(
            config.getPassword(RestConfig.SSL_TRUSTSTORE_PASSWORD_CONFIG).value()
    );
    sslContextFactory.setTrustStoreType(
            config.getString(RestConfig.SSL_TRUSTSTORE_TYPE_CONFIG)
    );

    if (!config.getString(RestConfig.SSL_TRUSTMANAGER_ALGORITHM_CONFIG).isEmpty()) {
      sslContextFactory.setTrustManagerFactoryAlgorithm(
              config.getString(RestConfig.SSL_TRUSTMANAGER_ALGORITHM_CONFIG)
      );
    }
  }

  sslContextFactory.setProtocol(config.getString(RestConfig.SSL_PROTOCOL_CONFIG));
  if (!config.getString(RestConfig.SSL_PROVIDER_CONFIG).isEmpty()) {
    sslContextFactory.setProtocol(config.getString(RestConfig.SSL_PROVIDER_CONFIG));
  }

  sslContextFactory.setRenegotiationAllowed(false);

  return sslContextFactory;
}