org.apache.tomcat.jni.SSL Java Examples
The following examples show how to use
org.apache.tomcat.jni.SSL.
Example #1
Source File: OpenSSLEngine.java From Tomcat8-Source-Read with MIT License | 6 votes |
@Override
public String getCipherSuite() {
    // Resolved once and cached in `cipher`; later calls return the cached name.
    if (cipher != null) {
        return cipher;
    }
    String openSslName;
    synchronized (OpenSSLEngine.this) {
        // Until the handshake has completed, or once the native SSL object is
        // gone, there is no negotiated suite to report.
        if (!handshakeFinished || destroyed) {
            return INVALID_CIPHER;
        }
        openSslName = SSL.getCipherForSSL(ssl);
    }
    // Translate the OpenSSL suite name into its JSSE equivalent (done outside
    // the lock; only the native read needs to be guarded).
    String jsseName = OpenSSLCipherConfigurationParser.openSSLToJsse(openSslName);
    if (jsseName != null) {
        cipher = jsseName;
    }
    // NOTE(review): when the OpenSSL name has no JSSE mapping this still
    // returns null, which SSLSession callers generally do not expect.
    return cipher;
}
Example #2
Source File: OpenSslEngine.java From netty4.0.27Learn with Apache License 2.0 | 6 votes |
/**
 * Drives one step of the TLS handshake through OpenSSL.
 *
 * @throws SSLException if OpenSSL reports a real error; the engine is shut
 *         down before the exception is thrown
 */
private void handshake() throws SSLException {
    int rc = SSL.doHandshake(ssl);
    if (rc > 0) {
        // SSL_do_handshake returned > 0: the handshake completed, so record
        // that directly and save further SSL.isInInit(...) round trips.
        handshakeFinished = true;
        return;
    }
    // rc <= 0 is not necessarily fatal: only a recorded OpenSSL error number
    // counts as a failure here; anything else just leaves the handshake
    // pending for the next call.
    long errorNumber = SSL.getLastErrorNumber();
    if (!OpenSsl.isError(errorNumber)) {
        return;
    }
    String message = SSL.getErrorString(errorNumber);
    if (logger.isDebugEnabled()) {
        logger.debug("SSL_do_handshake failed: OpenSSL error: '" + message + '\'');
    }
    // Release native state before surfacing the failure to the caller.
    shutdown();
    throw new SSLException(message);
}
Example #3
Source File: OpenSslEngine.java From netty4.0.27Learn with Apache License 2.0 | 6 votes |
@Override
public synchronized void closeOutbound() {
    if (isOutboundDone) {
        return; // idempotent
    }
    isOutboundDone = true;
    engineClosed = true;
    boolean handshakeStarted = accepted != 0;
    boolean nativeStateAlive = destroyed == 0;
    if (!handshakeStarted || !nativeStateAlive) {
        // Closing before the initial handshake (or after native teardown):
        // there is no TLS session to close, so just release resources.
        shutdown();
        return;
    }
    // Send close_notify unless this side has already sent one.
    int shutdownFlags = SSL.getShutdown(ssl);
    boolean alreadySent = (shutdownFlags & SSL.SSL_SENT_SHUTDOWN) == SSL.SSL_SENT_SHUTDOWN;
    if (!alreadySent) {
        SSL.shutdownSSL(ssl);
    }
}
Example #4
Source File: OpenSslEngine.java From netty4.0.27Learn with Apache License 2.0 | 6 votes |
/**
 * Creates a new engine bound to an existing native {@code SSL_CTX}.
 *
 * @param sslCtx an OpenSSL {@code SSL_CTX} object (native pointer, must be non-zero)
 * @param alloc the {@link ByteBufAllocator} that will be used by this engine
 * @param fallbackApplicationProtocol protocol name reported by the session
 *        when none was negotiated
 * @param clientMode {@code true} if this is used for clients, {@code false} otherwise
 * @param sessionContext the {@link OpenSslSessionContext} this {@link SSLEngine} belongs to
 * @param engineMap registry this engine is removed from on shutdown
 * @throws NullPointerException if {@code sslCtx} is 0 or {@code alloc} is null
 */
OpenSslEngine(long sslCtx, ByteBufAllocator alloc, String fallbackApplicationProtocol,
              boolean clientMode, OpenSslSessionContext sessionContext, OpenSslEngineMap engineMap) {
    OpenSsl.ensureAvailability();
    // A zero native pointer is treated like a null reference.
    if (sslCtx == 0) {
        throw new NullPointerException("sslCtx");
    }
    this.alloc = ObjectUtil.checkNotNull(alloc, "alloc");
    // The native SSL object is created in server mode unless clientMode is set.
    final boolean serverMode = !clientMode;
    ssl = SSL.newSSL(sslCtx, serverMode);
    networkBIO = SSL.makeNetworkBIO(ssl);
    this.fallbackApplicationProtocol = fallbackApplicationProtocol;
    this.clientMode = clientMode;
    this.sessionContext = sessionContext;
    this.engineMap = engineMap;
}
Example #5
Source File: OpenSslEngine.java From netty4.0.27Learn with Apache License 2.0 | 6 votes |
/**
 * Applies the requested client-certificate verification mode to the native
 * SSL object. Only meaningful on the server side; in client mode it is a no-op.
 *
 * @param mode the verification mode to apply
 */
private void setClientAuth(ClientAuthMode mode) {
    if (clientMode) {
        return;
    }
    synchronized (this) {
        if (clientAuth == mode) {
            return; // already applied; avoid a redundant JNI call
        }
        final int verifyFlag;
        switch (mode) {
            case NONE:
                // Security note: NONE means no client certificate is requested
                // or verified on this connection.
                verifyFlag = SSL.SSL_CVERIFY_NONE;
                break;
            case REQUIRE:
                verifyFlag = SSL.SSL_CVERIFY_REQUIRE;
                break;
            case OPTIONAL:
                verifyFlag = SSL.SSL_CVERIFY_OPTIONAL;
                break;
            default:
                // Not one of the handled modes: record it without a JNI call,
                // matching the behaviour of a switch with no matching case.
                clientAuth = mode;
                return;
        }
        SSL.setVerify(ssl, verifyFlag, OpenSslContext.VERIFY_DEPTH);
        clientAuth = mode;
    }
}
Example #6
Source File: TesterSupport.java From Tomcat8-Source-Read with MIT License | 6 votes |
/**
 * Picks the highest TLS version both the JSSE test client and the given
 * connector's TLS provider can speak.
 *
 * @param connector the connector under test
 * @return {@code TLSv1.3} when both sides support it, otherwise {@code TLSv1.2}
 */
public static String getDefaultTLSProtocolForTesting(Connector connector) {
    // The client side is always JSSE, so its TLS 1.3 support is the first
    // gate regardless of which connector is under test.
    if (!TLSV13_AVAILABLE) {
        return Constants.SSL_PROTO_TLSv1_2;
    }
    boolean aprConnector = connector.getProtocolHandlerClassName().contains("Apr");
    if (!aprConnector) {
        // NIO / NIO2: JSSE on the server side too, and the check above already
        // established that TLS 1.3 is available there.
        return Constants.SSL_PROTO_TLSv1_3;
    }
    // APR connector: OpenSSL provides TLS. 0x1010100f is the
    // OPENSSL_VERSION_NUMBER of the 1.1.1 release, which introduced TLS 1.3.
    boolean openSslHasTls13 = SSL.version() >= 0x1010100f;
    return openSslHasTls13 ? Constants.SSL_PROTO_TLSv1_3 : Constants.SSL_PROTO_TLSv1_2;
}
Example #7
Source File: OpenSSLEngine.java From Tomcat8-Source-Read with MIT License | 6 votes |
/**
 * Applies the requested client-certificate verification mode to the native
 * SSL object. Only meaningful on the server side; in client mode it is a no-op.
 *
 * @param mode the verification mode to apply
 */
private void setClientAuth(ClientAuthMode mode) {
    if (clientMode) {
        return;
    }
    synchronized (this) {
        if (clientAuth == mode) {
            return; // already applied; avoid a redundant JNI call
        }
        final int verifyFlag;
        switch (mode) {
            case NONE:
                verifyFlag = SSL.SSL_CVERIFY_NONE;
                break;
            case REQUIRE:
                verifyFlag = SSL.SSL_CVERIFY_REQUIRE;
                break;
            case OPTIONAL:
                // Security note: OPTIONAL_NO_CA skips CA verification, i.e. a
                // client certificate that does not chain to a trusted CA is
                // still accepted. Anything that relies on that certificate for
                // authorisation must validate it itself.
                verifyFlag = certificateVerificationOptionalNoCA
                        ? SSL.SSL_CVERIFY_OPTIONAL_NO_CA
                        : SSL.SSL_CVERIFY_OPTIONAL;
                break;
            default:
                // Not one of the handled modes: record it without a JNI call,
                // matching the behaviour of a switch with no matching case.
                clientAuth = mode;
                return;
        }
        SSL.setVerify(ssl, verifyFlag, certificateVerificationDepth);
        clientAuth = mode;
    }
}
Example #8
Source File: OpenSslEngine.java From netty4.0.27Learn with Apache License 2.0 | 6 votes |
@Override
public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
    // Decoded on first use and cached to keep per-session memory low.
    X509Certificate[] cached = x509PeerCerts;
    if (cached != null) {
        return cached;
    }
    // No peer identity is available while the handshake is still running.
    if (SSL.isInInit(ssl) != 0) {
        throw new SSLPeerUnverifiedException("peer not verified");
    }
    byte[][] encodedChain = SSL.getPeerCertChain(ssl);
    if (encodedChain == null) {
        throw new SSLPeerUnverifiedException("peer not verified");
    }
    // NOTE(review): whether this chain was checked against a trust store
    // depends on the verify mode configured on the engine; a present chain is
    // not by itself proof of a trusted peer.
    X509Certificate[] decoded = new X509Certificate[encodedChain.length];
    int index = 0;
    for (byte[] der : encodedChain) {
        try {
            decoded[index++] = X509Certificate.getInstance(der);
        } catch (CertificateException e) {
            // Unparseable DER is treated as an internal error, not as an
            // unverified peer.
            throw new IllegalStateException(e);
        }
    }
    x509PeerCerts = decoded;
    return decoded;
}
Example #9
Source File: OpenSSLEngine.java From Tomcat8-Source-Read with MIT License | 6 votes |
/**
 * Requests a new handshake on an established connection, e.g. to ask the
 * client for a certificate after the fact.
 *
 * @throws SSLException if OpenSSL reports an error at either step
 */
private synchronized void renegotiate() throws SSLException {
    clearLastError();
    // TLS 1.3 has no renegotiation; a fresh client-certificate request is
    // made through post-handshake authentication instead.
    boolean tls13 = SSL.getVersion(ssl).equals(Constants.SSL_PROTO_TLSv1_3);
    int requestResult = tls13
            ? SSL.verifyClientPostHandshake(ssl)
            : SSL.renegotiate(ssl);
    if (requestResult <= 0) {
        checkLastError();
    }
    // Forget everything tied to the previous handshake so callers observe the
    // new handshake state and re-read the (possibly new) peer certificates.
    handshakeFinished = false;
    peerCerts = null;
    x509PeerCerts = null;
    currentHandshake = SSL.getHandshakeCount(ssl);
    int driveResult = SSL.doHandshake(ssl);
    if (driveResult <= 0) {
        checkLastError();
    }
}
Example #10
Source File: OpenSSLEngine.java From Tomcat8-Source-Read with MIT License | 6 votes |
/**
 * Drives one step of the TLS handshake through OpenSSL and, on completion,
 * records the negotiated application protocol.
 *
 * @throws SSLException if OpenSSL recorded an error (via checkLastError())
 */
private void handshake() throws SSLException {
    // Snapshot the handshake counter; renegotiate() updates it the same way,
    // presumably so a later renegotiation can be told apart from this one.
    currentHandshake = SSL.getHandshakeCount(ssl);
    clearLastError();
    int rc = SSL.doHandshake(ssl);
    if (rc <= 0) {
        // Not necessarily fatal; checkLastError() is expected to throw only
        // if OpenSSL actually recorded an error.
        checkLastError();
        return;
    }
    // rc > 0: SSL_do_handshake completed, so handshakeFinished can be set
    // here without another SSL.isInInit(...) call.
    if (alpn) {
        // Prefer the ALPN result; fall back to NPN if ALPN selected nothing.
        selectedProtocol = SSL.getAlpnSelected(ssl);
        if (selectedProtocol == null) {
            selectedProtocol = SSL.getNextProtoNegotiated(ssl);
        }
    }
    session.lastAccessedTime = System.currentTimeMillis();
    handshakeFinished = true;
}
Example #11
Source File: OpenSSLEngine.java From Tomcat8-Source-Read with MIT License | 6 votes |
@Override
public synchronized String[] getEnabledCipherSuites() {
    if (destroyed) {
        return new String[0];
    }
    String[] suites = SSL.getCiphers(ssl);
    if (suites == null) {
        return new String[0];
    }
    // Rewrite in place: OpenSSL names become JSSE names where a mapping
    // exists; names without a mapping are passed through unchanged.
    for (int i = 0; i < suites.length; i++) {
        String jsseName = OpenSSLCipherConfigurationParser.openSSLToJsse(suites[i]);
        suites[i] = jsseName == null ? suites[i] : jsseName;
    }
    return suites;
}
Example #12
Source File: OpenSSLEngine.java From Tomcat8-Source-Read with MIT License | 6 votes |
/**
 * Creates a new engine on top of an existing native {@code SSL_CTX}.
 *
 * @param sslCtx an OpenSSL {@code SSL_CTX} object (native pointer, must be non-zero)
 * @param fallbackApplicationProtocol the fallback application protocol
 * @param clientMode {@code true} if this is used for clients, {@code false} otherwise
 * @param sessionContext the {@link OpenSSLSessionContext} this {@link SSLEngine} belongs to
 * @param alpn {@code true} if ALPN should be used, {@code false} otherwise
 * @param initialized {@code true} if this instance gets its protocol, cipher
 *        and client verification from the {@code SSL_CTX} {@code sslCtx}
 * @param certificateVerificationDepth certificate verification depth
 * @param certificateVerificationOptionalNoCA skip CA verification in optional
 *        mode (security-relevant: see setClientAuth)
 * @throws IllegalArgumentException if {@code sslCtx} is 0
 */
OpenSSLEngine(long sslCtx, String fallbackApplicationProtocol, boolean clientMode,
        OpenSSLSessionContext sessionContext, boolean alpn, boolean initialized,
        int certificateVerificationDepth, boolean certificateVerificationOptionalNoCA) {
    if (sslCtx == 0) {
        throw new IllegalArgumentException(sm.getString("engine.noSSLContext"));
    }
    session = new OpenSSLSession();
    // Flag the engine as destroyed *before* touching native memory: should
    // newSSL or makeNetworkBIO throw, the methods that gate on `destroyed`
    // (see the checks elsewhere in this class) never see half-initialised
    // handles. The flag is cleared once both handles exist.
    destroyed = true;
    final boolean serverMode = !clientMode;
    ssl = SSL.newSSL(sslCtx, serverMode);
    networkBIO = SSL.makeNetworkBIO(ssl);
    destroyed = false;
    this.fallbackApplicationProtocol = fallbackApplicationProtocol;
    this.clientMode = clientMode;
    this.sessionContext = sessionContext;
    this.alpn = alpn;
    this.initialized = initialized;
    this.certificateVerificationDepth = certificateVerificationDepth;
    this.certificateVerificationOptionalNoCA = certificateVerificationOptionalNoCA;
}
Example #13
Source File: OpenSSLEngine.java From Tomcat8-Source-Read with MIT License | 6 votes |
@Override
public synchronized void closeOutbound() {
    if (isOutboundDone) {
        return; // idempotent
    }
    isOutboundDone = true;
    engineClosed = true;
    boolean negotiationStarted = accepted != Accepted.NOT;
    if (negotiationStarted && !destroyed) {
        // Send close_notify unless this side has already sent one.
        int shutdownFlags = SSL.getShutdown(ssl);
        if ((shutdownFlags & SSL.SSL_SENT_SHUTDOWN) != SSL.SSL_SENT_SHUTDOWN) {
            SSL.shutdownSSL(ssl);
        }
        return;
    }
    // Closing before the initial handshake (or after native teardown): there
    // is no TLS session to close, so just release resources.
    shutdown();
}
Example #14
Source File: OpenSslEngine.java From netty4.0.27Learn with Apache License 2.0 | 6 votes |
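/**
 * Returns the negotiated TLS version, suffixed with {@code :<application
 * protocol>} when an application protocol was negotiated or a fallback is
 * configured.
 */
@Override
public String getProtocol() {
    String appProto = OpenSslEngine.this.applicationProtocol;
    if (appProto == null) {
        // Resolve once and cache on the engine: the NPN-negotiated protocol,
        // else the configured fallback, else the empty string.
        String negotiated = SSL.getNextProtoNegotiated(ssl);
        if (negotiated == null) {
            negotiated = fallbackApplicationProtocol;
        }
        // ':' separates the TLS version from the protocol name in the value
        // returned below, so a ':' inside the name is rewritten to '_'. The
        // sanitised value is used for this call as well as for the cache, so
        // the first call and later calls return the same string (previously
        // only the cached copy was sanitised).
        appProto = negotiated == null ? "" : negotiated.replace(':', '_');
        OpenSslEngine.this.applicationProtocol = appProto;
    }
    String tlsVersion = SSL.getVersion(ssl);
    return appProto.isEmpty() ? tlsVersion : tlsVersion + ':' + appProto;
}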
Example #15
Source File: OpenSslEngine.java From netty4.0.27Learn with Apache License 2.0 | 5 votes |
/**
 * Reports what the caller must do next, derived from the engine's own flags
 * and the state of the network BIO. The order of the checks matters: pending
 * outbound bytes always win over the "still handshaking" test, and a
 * completed handshake is only reported (and recorded) once nothing is left
 * to send.
 */
@Override
public synchronized SSLEngineResult.HandshakeStatus getHandshakeStatus() {
    // Nothing to report before the engine has been started or after teardown.
    if (accepted == 0 || destroyed != 0) {
        return NOT_HANDSHAKING;
    }
    // Check if we are in the initial handshake phase
    if (!handshakeFinished) {
        // There is pending data in the network BIO -- call wrap
        if (SSL.pendingWrittenBytesInBIO(networkBIO) != 0) {
            return NEED_WRAP;
        }
        // No pending data to be sent to the peer
        // Check to see if we have finished handshaking
        if (SSL.isInInit(ssl) == 0) {
            // Side effect: this is one of the places handshakeFinished is set.
            handshakeFinished = true;
            return FINISHED;
        }
        // No pending data and still handshaking
        // Must be waiting on the peer to send more data
        return NEED_UNWRAP;
    }
    // Check if we are in the shutdown phase
    if (engineClosed) {
        // Waiting to send the close_notify message
        if (SSL.pendingWrittenBytesInBIO(networkBIO) != 0) {
            return NEED_WRAP;
        }
        // Must be waiting to receive the close_notify message
        return NEED_UNWRAP;
    }
    return NOT_HANDSHAKING;
}
Example #16
Source File: AprSSLSupport.java From Tomcat8-Source-Read with MIT License | 5 votes |
@Override
public String getSessionId() throws IOException {
    try {
        String sessionId = socketWrapper.getSSLInfoS(SSL.SSL_INFO_SESSION_ID);
        return sessionId;
    } catch (Exception e) {
        // Callers only deal in IOException; keep the native failure as the cause.
        throw new IOException(e);
    }
}
Example #17
Source File: AprSSLSupport.java From Tomcat8-Source-Read with MIT License | 5 votes |
@Override
public String getProtocol() throws IOException {
    try {
        String protocol = socketWrapper.getSSLInfoS(SSL.SSL_INFO_PROTOCOL);
        return protocol;
    } catch (Exception e) {
        // Callers only deal in IOException; keep the native failure as the cause.
        throw new IOException(e);
    }
}
Example #18
Source File: AprEndpoint.java From Tomcat7.0.67 with Apache License 2.0 | 5 votes |
/**
 * Applies socket options to a freshly accepted connection and, when TLS is
 * configured, performs the server-side handshake.
 *
 * @param socket native APR socket handle
 * @return {@code true} if the socket is ready for use; {@code false} tells
 *         the caller to close it (option failure or failed handshake)
 */
protected boolean setSocketOptions(long socket) {
    // Tracks which phase failed so the catch block can log the right message.
    int phase = 1;
    try {
        // Phase 1: socket options (linger, no-delay, timeout).
        if (socketProperties.getSoLingerOn() && socketProperties.getSoLingerTime() >= 0) {
            Socket.optSet(socket, Socket.APR_SO_LINGER, socketProperties.getSoLingerTime());
        }
        if (socketProperties.getTcpNoDelay()) {
            Socket.optSet(socket, Socket.APR_TCP_NODELAY, 1);
        }
        Socket.timeoutSet(socket, socketProperties.getSoTimeout() * 1000);

        // Phase 2: TLS handshake, only when a native SSL context is configured.
        phase = 2;
        if (sslContext != 0) {
            SSLSocket.attach(sslContext, socket);
            if (SSLSocket.handshake(socket) != 0) {
                // A failed handshake is only visible at debug level; the
                // connection is simply dropped.
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("endpoint.err.handshake") + ": " + SSL.getLastError());
                }
                return false;
            }
        }
    } catch (Throwable t) {
        // handleThrowable is expected to rethrow what must not be swallowed;
        // everything else is logged and the socket is closed by the caller.
        ExceptionUtils.handleThrowable(t);
        if (log.isDebugEnabled()) {
            String key = phase == 2 ? "endpoint.err.handshake" : "endpoint.err.unexpected";
            log.debug(sm.getString(key), t);
        }
        return false;
    }
    return true;
}
Example #19
Source File: OpenSslEngine.java From netty4.0.27Learn with Apache License 2.0 | 5 votes |
@Override
public byte[] getId() {
    // Deliberately not cached: fetched from OpenSSL on every call to keep the
    // session object small.
    byte[] sessionId = SSL.getSessionId(ssl);
    if (sessionId != null) {
        return sessionId;
    }
    // A missing id means there is no valid SESSION behind this engine.
    throw new IllegalStateException("SSL session ID not available");
}
Example #20
Source File: AprEndpoint.java From tomcatsrc with Apache License 2.0 | 5 votes |
/**
 * Applies socket options to a freshly accepted connection and, when TLS is
 * configured, performs the server-side handshake.
 *
 * @param socket native APR socket handle
 * @return {@code true} if the socket is ready for use; {@code false} tells
 *         the caller to close it (option failure or failed handshake)
 */
protected boolean setSocketOptions(long socket) {
    // Tracks which phase failed so the catch block can log the right message.
    int phase = 1;
    try {
        // Phase 1: socket options (linger, no-delay, timeout).
        if (socketProperties.getSoLingerOn() && socketProperties.getSoLingerTime() >= 0) {
            Socket.optSet(socket, Socket.APR_SO_LINGER, socketProperties.getSoLingerTime());
        }
        if (socketProperties.getTcpNoDelay()) {
            Socket.optSet(socket, Socket.APR_TCP_NODELAY, 1);
        }
        Socket.timeoutSet(socket, socketProperties.getSoTimeout() * 1000);

        // Phase 2: TLS handshake, only when a native SSL context is configured.
        phase = 2;
        if (sslContext != 0) {
            SSLSocket.attach(sslContext, socket);
            if (SSLSocket.handshake(socket) != 0) {
                // A failed handshake is only visible at debug level; the
                // connection is simply dropped.
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("endpoint.err.handshake") + ": " + SSL.getLastError());
                }
                return false;
            }
        }
    } catch (Throwable t) {
        // handleThrowable is expected to rethrow what must not be swallowed;
        // everything else is logged and the socket is closed by the caller.
        ExceptionUtils.handleThrowable(t);
        if (log.isDebugEnabled()) {
            String key = phase == 2 ? "endpoint.err.handshake" : "endpoint.err.unexpected";
            log.debug(sm.getString(key), t);
        }
        return false;
    }
    return true;
}
Example #21
Source File: OpenSslEngine.java From netty4.0.27Learn with Apache License 2.0 | 5 votes |
/**
 * Maps an OpenSSL cipher-suite name to its Java (JSSE) name for the protocol
 * version currently negotiated on this engine.
 *
 * @param openSslCipherSuite OpenSSL-style suite name, may be null
 * @return the Java name; null when the input is null, and possibly null when
 *         the converter knows no mapping (callers check for that)
 */
private String toJavaCipherSuite(String openSslCipherSuite) {
    if (openSslCipherSuite == null) {
        return null;
    }
    // The Java name prefix depends on the negotiated protocol version.
    String negotiatedVersion = SSL.getVersion(ssl);
    String javaPrefix = toJavaCipherSuitePrefix(negotiatedVersion);
    return CipherSuiteConverter.toJava(openSslCipherSuite, javaPrefix);
}
Example #22
Source File: OpenSslEngine.java From netty4.0.27Learn with Apache License 2.0 | 5 votes |
@Override
public String getCipherSuite() {
    // No suite is negotiated until the handshake has finished.
    if (!handshakeFinished) {
        return INVALID_CIPHER;
    }
    if (cipher != null) {
        return cipher;
    }
    String javaName = toJavaCipherSuite(SSL.getCipherForSSL(ssl));
    if (javaName != null) {
        cipher = javaName;
    }
    // NOTE(review): still null when the OpenSSL name has no Java mapping.
    return cipher;
}
Example #23
Source File: OpenSslEngine.java From netty4.0.27Learn with Apache License 2.0 | 5 votes |
/**
 * Releases the native SSL and BIO handles. Safe to call more than once: the
 * atomic 0 -> 1 transition on DESTROYED_UPDATER ensures the handles are freed
 * exactly once.
 */
public synchronized void shutdown() {
    // Only the caller that wins the 0 -> 1 transition performs the teardown.
    if (!DESTROYED_UPDATER.compareAndSet(this, 0, 1)) {
        return;
    }
    engineMap.remove(ssl);
    SSL.freeSSL(ssl);
    SSL.freeBIO(networkBIO);
    // Zero the handles so a freed pointer is never handed back to JNI.
    ssl = 0;
    networkBIO = 0;
    // Internal errors can reach here without closeInbound/closeOutbound having
    // run, so mark everything closed explicitly.
    isInboundDone = true;
    isOutboundDone = true;
    engineClosed = true;
}
Example #24
Source File: AprEndpoint.java From Tomcat8-Source-Read with MIT License | 5 votes |
/**
 * Switches an established connection to mandatory client-certificate
 * verification and renegotiates so the client is actually asked for one.
 * Renegotiation is a pre-TLS-1.3 mechanism; the OpenSSLEngine path uses
 * post-handshake authentication for TLS 1.3 instead.
 *
 * @param sslSupport unused here
 * @throws IOException if changing the verify mode or renegotiating fails
 */
@Override
public void doClientAuth(SSLSupport sslSupport) throws IOException {
    long socket = getSocket().longValue();
    try {
        // Depth -1 is passed straight through to the native layer; what it
        // means there (presumably "use the default") is not visible here.
        SSLSocket.setVerify(socket, SSL.SSL_CVERIFY_REQUIRE, -1);
        SSLSocket.renegotiate(socket);
    } catch (Throwable t) {
        ExceptionUtils.handleThrowable(t);
        // Surface as IOException with the original failure kept as the cause.
        throw new IOException(sm.getString("socket.sslreneg"), t);
    }
}
Example #25
Source File: OpenSslEngine.java From netty4.0.27Learn with Apache License 2.0 | 5 votes |
@Override
public String[] getEnabledCipherSuites() {
    String[] suites = SSL.getCiphers(ssl);
    if (suites == null) {
        return EmptyArrays.EMPTY_STRINGS;
    }
    // Convert in place; names without a Java mapping are left as OpenSSL names.
    for (int i = 0; i < suites.length; i++) {
        String javaName = toJavaCipherSuite(suites[i]);
        suites[i] = javaName != null ? javaName : suites[i];
    }
    return suites;
}
Example #26
Source File: OpenSslEngine.java From netty4.0.27Learn with Apache License 2.0 | 5 votes |
/**
 * Restricts the engine to the given cipher suites (Java or OpenSSL names).
 * Each suite is checked against what the linked OpenSSL offers, so an
 * unsupported name fails loudly instead of being silently dropped.
 *
 * @param cipherSuites suites to enable; a null element ends the list
 * @throws IllegalArgumentException if a suite is unsupported or the list is empty
 * @throws IllegalStateException if OpenSSL rejects the resulting cipher string
 */
@Override
public void setEnabledCipherSuites(String[] cipherSuites) {
    ObjectUtil.checkNotNull(cipherSuites, "cipherSuites");
    List<String> openSslNames = new ArrayList<String>();
    for (String javaName : cipherSuites) {
        if (javaName == null) {
            // A null entry terminates the list; suites after it are ignored.
            break;
        }
        String openSslName = CipherSuiteConverter.toOpenSsl(javaName);
        if (openSslName == null) {
            // No known mapping: assume the caller already used an OpenSSL name.
            openSslName = javaName;
        }
        if (!OpenSsl.isCipherSuiteAvailable(openSslName)) {
            throw new IllegalArgumentException(
                    "unsupported cipher suite: " + javaName + '(' + openSslName + ')');
        }
        openSslNames.add(openSslName);
    }
    if (openSslNames.isEmpty()) {
        throw new IllegalArgumentException("empty cipher suites");
    }
    // OpenSSL expects a single colon-separated cipher string.
    final String cipherSuiteSpec = String.join(":", openSslNames);
    try {
        SSL.setCipherSuites(ssl, cipherSuiteSpec);
    } catch (Exception e) {
        throw new IllegalStateException("failed to enable cipher suites: " + cipherSuiteSpec, e);
    }
}
Example #27
Source File: OpenSslEngine.java From netty4.0.27Learn with Apache License 2.0 | 5 votes |
@Override
public String[] getEnabledProtocols() {
    List<String> enabled = new ArrayList<String>();
    // OpenSSL exposes no option bit for the SSLv2 ClientHello format, so it
    // is always reported as enabled.
    enabled.add(PROTOCOL_SSL_V2_HELLO);
    // A version counts as enabled when its SSL_OP_NO_* bit is clear. Security
    // note: this reflects option bits only - SSLv2/SSLv3 appearing here means
    // they were not explicitly disabled, not that the linked build offers them.
    int options = SSL.getOptions(ssl);
    int[] disableBits = {
            SSL.SSL_OP_NO_TLSv1, SSL.SSL_OP_NO_TLSv1_1, SSL.SSL_OP_NO_TLSv1_2,
            SSL.SSL_OP_NO_SSLv2, SSL.SSL_OP_NO_SSLv3 };
    String[] names = {
            PROTOCOL_TLS_V1, PROTOCOL_TLS_V1_1, PROTOCOL_TLS_V1_2,
            PROTOCOL_SSL_V2, PROTOCOL_SSL_V3 };
    for (int i = 0; i < disableBits.length; i++) {
        if ((options & disableBits[i]) == 0) {
            enabled.add(names[i]);
        }
    }
    // The empty branch is unreachable (SSLv2Hello is always present) but kept
    // for parity with the original contract.
    int size = enabled.size();
    return size == 0 ? EmptyArrays.EMPTY_STRINGS : enabled.toArray(new String[size]);
}
Example #28
Source File: AprSSLSupport.java From Tomcat8-Source-Read with MIT License | 5 votes |
@Override
public X509Certificate[] getPeerCertificateChain() throws IOException {
    try {
        // Number of chain certificates OpenSSL holds for this connection.
        // -1 signals an error, except that with TLS session tickets OpenSSL
        // does not store the chain in the ticket, so -1 is tolerated and
        // treated as "no chain".
        int chainLength = socketWrapper.getSSLInfoI(SSL.SSL_INFO_CLIENT_CERT_CHAIN);
        byte[] leafDer = socketWrapper.getSSLInfoB(SSL.SSL_INFO_CLIENT_CERT);
        if (leafDer == null) {
            // Nothing to return when OpenSSL holds no client certificate.
            return null;
        }
        int intermediates = Math.max(chainLength, 0);
        CertificateFactory factory = clientCertProvider == null
                ? CertificateFactory.getInstance("X.509")
                : CertificateFactory.getInstance("X.509", clientCertProvider);
        // Index 0 is the client's own certificate, followed by the chain it sent.
        // NOTE(review): the certificates are parsed here, not re-validated;
        // trust is whatever the connector's verify mode established.
        X509Certificate[] chain = new X509Certificate[intermediates + 1];
        chain[0] = (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(leafDer));
        for (int i = 0; i < intermediates; i++) {
            byte[] der = socketWrapper.getSSLInfoB(SSL.SSL_INFO_CLIENT_CERT_CHAIN + i);
            chain[i + 1] = (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(der));
        }
        return chain;
    } catch (Exception e) {
        throw new IOException(e);
    }
}
Example #29
Source File: OpenSSLEngine.java From Tomcat8-Source-Read with MIT License | 5 votes |
@Override
public synchronized String[] getEnabledProtocols() {
    if (destroyed) {
        return new String[0];
    }
    List<String> enabled = new ArrayList<>();
    // OpenSSL exposes no option bit for the SSLv2 ClientHello format, so it
    // is always reported as enabled.
    enabled.add(Constants.SSL_PROTO_SSLv2Hello);
    // A version counts as enabled when its SSL_OP_NO_* bit is clear. Security
    // note: this reflects option bits only - SSLv2/SSLv3 appearing here means
    // they were not explicitly disabled, not that the linked build offers them.
    int options = SSL.getOptions(ssl);
    int[] disableBits = {
            SSL.SSL_OP_NO_TLSv1, SSL.SSL_OP_NO_TLSv1_1, SSL.SSL_OP_NO_TLSv1_2,
            SSL.SSL_OP_NO_SSLv2, SSL.SSL_OP_NO_SSLv3 };
    String[] names = {
            Constants.SSL_PROTO_TLSv1, Constants.SSL_PROTO_TLSv1_1, Constants.SSL_PROTO_TLSv1_2,
            Constants.SSL_PROTO_SSLv2, Constants.SSL_PROTO_SSLv3 };
    for (int i = 0; i < disableBits.length; i++) {
        if ((options & disableBits[i]) == 0) {
            enabled.add(names[i]);
        }
    }
    // The empty branch is unreachable (SSLv2Hello is always present) but kept
    // for parity with the original contract.
    int size = enabled.size();
    return size == 0 ? new String[0] : enabled.toArray(new String[size]);
}
Example #30
Source File: OpenSSLEngine.java From Tomcat8-Source-Read with MIT License | 5 votes |
/**
 * Restricts the engine to the given cipher suites. Ignored when the engine
 * takes its configuration from the {@code SSL_CTX} (see {@code initialized}).
 *
 * @param cipherSuites JSSE (or OpenSSL) suite names; a null element ends the list
 * @throws IllegalArgumentException if the array is null or yields no suites
 * @throws IllegalStateException if OpenSSL rejects the resulting cipher string
 */
@Override
public synchronized void setEnabledCipherSuites(String[] cipherSuites) {
    if (initialized) {
        return;
    }
    if (cipherSuites == null) {
        throw new IllegalArgumentException(sm.getString("engine.nullCipherSuite"));
    }
    if (destroyed) {
        return;
    }
    List<String> openSslNames = new ArrayList<>();
    for (String requested : cipherSuites) {
        if (requested == null) {
            // A null entry ends the list; later entries are not applied.
            break;
        }
        String converted = OpenSSLCipherConfigurationParser.jsseToOpenSSL(requested);
        // Security note: unlike a hard failure, a suite not in
        // AVAILABLE_CIPHER_SUITES is only logged at debug level and is still
        // passed on to OpenSSL.
        if (!AVAILABLE_CIPHER_SUITES.contains(requested)) {
            logger.debug(sm.getString("engine.unsupportedCipher", requested, converted));
        }
        openSslNames.add(converted != null ? converted : requested);
    }
    if (openSslNames.isEmpty()) {
        throw new IllegalArgumentException(sm.getString("engine.emptyCipherSuite"));
    }
    // OpenSSL expects a single colon-separated cipher string.
    final String cipherSuiteSpec = String.join(":", openSslNames);
    try {
        SSL.setCipherSuites(ssl, cipherSuiteSpec);
    } catch (Exception e) {
        throw new IllegalStateException(sm.getString("engine.failedCipherSuite", cipherSuiteSpec), e);
    }
}