Class SslContextFactory.Server

java.lang.Object

org.eclipse.jetty.util.component.AbstractLifeCycle

org.eclipse.jetty.util.ssl.SslContextFactory

org.eclipse.jetty.util.ssl.SslContextFactory.Server

All Implemented Interfaces:

Dumpable, LifeCycle, SniX509ExtendedKeyManager.SniSelector

Enclosing class:

SslContextFactory

@ManagedObject
public static class SslContextFactory.Server
extends SslContextFactory
implements SniX509ExtendedKeyManager.SniSelector

Nested Class Summary

Nested classes/interfaces inherited from class SslContextFactory

SslContextFactory.AliasSNIMatcher, SslContextFactory.Client, SslContextFactory.Factory, SslContextFactory.Server, SslContextFactory.X509ExtendedKeyManagerWrapper, SslContextFactory.X509ExtendedTrustManagerWrapper

Nested classes/interfaces inherited from class AbstractLifeCycle

AbstractLifeCycle.AbstractLifeCycleListener

Nested classes/interfaces inherited from interface Dumpable

Dumpable.DumpableContainer

Nested classes/interfaces inherited from interface LifeCycle

LifeCycle.Listener

Field Summary

Fields

Modifier and Type	Field	Description
private boolean	_sniRequired
private SniX509ExtendedKeyManager.SniSelector	_sniSelector

Fields inherited from class SslContextFactory

DEFAULT_KEYMANAGERFACTORY_ALGORITHM, DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM, KEYPASSWORD_PROPERTY, PASSWORD_PROPERTY, TRUST_ALL_CERTS

Fields inherited from class AbstractLifeCycle

FAILED, RUNNING, STARTED, STARTING, STOPPED, STOPPING

Fields inherited from interface Dumpable

KEY

Fields inherited from interface SniX509ExtendedKeyManager.SniSelector

DELEGATE

Constructor Summary

Constructors

Constructor	Description
Server()

Method Summary

Modifier and Type	Method	Description
protected KeyManager[]	getKeyManagers(KeyStore keyStore)
boolean	getNeedClientAuth()
SniX509ExtendedKeyManager.SniSelector	getSNISelector()
boolean	getWantClientAuth()
boolean	isSniRequired()	Does the default sniSelect(String, Principal[], SSLSession, String, Collection) implementation require an SNI match? Note that if a non SNI handshake is accepted, requests may still be rejected at the HTTP level for incorrect SNI (see SecureRequestCustomizer).
protected X509ExtendedKeyManager	newSniX509ExtendedKeyManager(X509ExtendedKeyManager keyManager)
void	setNeedClientAuth(boolean needClientAuth)
void	setSniRequired(boolean sniRequired)	Set if the default sniSelect(String, Principal[], SSLSession, String, Collection) implementation require an SNI match? Note that if a non SNI handshake is accepted, requests may still be rejected at the HTTP level for incorrect SNI (see SecureRequestCustomizer).
void	setSNISelector(SniX509ExtendedKeyManager.SniSelector sniSelector)	Sets a custom function to select certificates based on SNI information.
void	setWantClientAuth(boolean wantClientAuth)
String	sniSelect(String keyType, Principal[] issuers, SSLSession session, String sniHost, Collection<X509> certificates)	Selects a certificate based on SNI information.

Methods inherited from class SslContextFactory

addExcludeCipherSuites, addExcludeProtocols, checkCiphers, checkConfiguration, checkEndPointIdentificationAlgorithm, checkProtocols, checkTrustAll, customize, customize, deduceKeyLength, doStart, doStop, dump, dump, getAliases, getCertAlias, getCertChain, getCertificateFactoryInstance, getCertStoreInstance, getCipherComparator, getCrlPath, getEndpointIdentificationAlgorithm, getExcludeCipherSuites, getExcludeProtocols, getHostnameVerifier, getIncludeCipherSuites, getIncludeProtocols, getKeyManagerFactoryAlgorithm, getKeyManagerFactoryInstance, getKeyStore, getKeyStorePath, getKeyStoreProvider, getKeyStoreResource, getKeyStoreType, getMaxCertPathLength, getOcspResponderURL, getPassword, getPkixCertPathChecker, getProtocol, getProvider, getRenegotiationLimit, getSecureRandomAlgorithm, getSecureRandomInstance, getSelectedCipherSuites, getSelectedProtocols, getSslContext, getSSLContextInstance, getSslSessionCacheSize, getSslSessionTimeout, getTrustManagerFactoryAlgorithm, getTrustManagerFactoryInstance, getTrustManagers, getTrustStore, getTrustStorePath, getTrustStoreProvider, getTrustStoreResource, getTrustStoreType, getX509, getX509CertChain, isEnableCRLDP, isEnableOCSP, isRenegotiationAllowed, isSessionCachingEnabled, isTrustAll, isUseCipherSuitesOrder, isValidateCerts, isValidatePeerCerts, loadCRL, loadKeyStore, loadTrustStore, newPassword, newPKIXBuilderParameters, newSSLEngine, newSSLEngine, newSSLEngine, newSslServerSocket, newSslSocket, processIncludeCipherSuites, reload, removeExcludedCipherSuites, selectCipherSuites, selectionDump, selectProtocols, setCertAlias, setCipherComparator, setCrlPath, setEnableCRLDP, setEnableOCSP, setEndpointIdentificationAlgorithm, setExcludeCipherSuites, setExcludeProtocols, setHostnameVerifier, setIncludeCipherSuites, setIncludeProtocols, setKeyManagerFactoryAlgorithm, setKeyManagerPassword, setKeyStore, setKeyStorePassword, setKeyStorePath, setKeyStoreProvider, setKeyStoreResource, setKeyStoreType, setMaxCertPathLength, setOcspResponderURL, setPkixCertPathChecker, setProtocol, setProvider, setRenegotiationAllowed, setRenegotiationLimit, setSecureRandomAlgorithm, setSessionCachingEnabled, setSslContext, setSslSessionCacheSize, setSslSessionTimeout, setTrustAll, setTrustManagerFactoryAlgorithm, setTrustStore, setTrustStorePassword, setTrustStorePath, setTrustStoreProvider, setTrustStoreResource, setTrustStoreType, setUseCipherSuitesOrder, setValidateCerts, setValidatePeerCerts, toString

Methods inherited from class AbstractLifeCycle

addLifeCycleListener, getState, getState, getStopTimeout, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, setStopTimeout, start, stop

Methods inherited from class Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface Dumpable

dumpSelf

Field Details

_sniRequired

private boolean _sniRequired

_sniSelector

private SniX509ExtendedKeyManager.SniSelector _sniSelector

Constructor Details

Server

public Server()

Method Details

getWantClientAuth

public boolean getWantClientAuth()

Overrides:

getWantClientAuth in class SslContextFactory

Returns:

True if SSL wants client authentication.

See Also:

• SSLEngine.getWantClientAuth()

setWantClientAuth

public void setWantClientAuth(boolean wantClientAuth)

Overrides:

setWantClientAuth in class SslContextFactory

Parameters:

wantClientAuth - True if SSL wants client authentication.

See Also:

• SSLEngine.getWantClientAuth()

getNeedClientAuth

public boolean getNeedClientAuth()

Overrides:

getNeedClientAuth in class SslContextFactory

Returns:

True if SSL needs client authentication.

See Also:

• SSLEngine.getNeedClientAuth()

setNeedClientAuth

public void setNeedClientAuth(boolean needClientAuth)

Overrides:

setNeedClientAuth in class SslContextFactory

Parameters:

needClientAuth - True if SSL needs client authentication.

See Also:

• SSLEngine.getNeedClientAuth()

isSniRequired

@ManagedAttribute("Whether the TLS handshake is rejected if there is no SNI host match")
public boolean isSniRequired()

Does the default sniSelect(String, Principal[], SSLSession, String, Collection) implementation require an SNI match? Note that if a non SNI handshake is accepted, requests may still be rejected at the HTTP level for incorrect SNI (see SecureRequestCustomizer).

Returns:

true if no SNI match is handled as no certificate match, false if no SNI match is handled by delegation to the non SNI matching methods.

setSniRequired

public void setSniRequired(boolean sniRequired)

Set if the default sniSelect(String, Principal[], SSLSession, String, Collection) implementation require an SNI match? Note that if a non SNI handshake is accepted, requests may still be rejected at the HTTP level for incorrect SNI (see SecureRequestCustomizer). This setting may have no effect if sniSelect(String, Principal[], SSLSession, String, Collection) is overridden or a non null function is passed to setSNISelector(SniX509ExtendedKeyManager.SniSelector).

Parameters:

sniRequired - true if no SNI match is handled as no certificate match, false if no SNI match is handled by delegation to the non SNI matching methods.

getKeyManagers

protected KeyManager[] getKeyManagers(KeyStore keyStore)
                               throws Exception

Overrides:

getKeyManagers in class SslContextFactory

Throws:

Exception

getSNISelector

public SniX509ExtendedKeyManager.SniSelector getSNISelector()

Returns:

the custom function to select certificates based on SNI information

setSNISelector

public void setSNISelector(SniX509ExtendedKeyManager.SniSelector sniSelector)

Sets a custom function to select certificates based on SNI information.

Parameters:

sniSelector - the selection function

sniSelect

public String sniSelect(String keyType,
 Principal[] issuers,
 SSLSession session,
 String sniHost,
 Collection<X509> certificates)

Description copied from interface: SniX509ExtendedKeyManager.SniSelector

Selects a certificate based on SNI information.

This method may be invoked multiple times during the TLS handshake, with different parameters. For example, the keyType could be different, and subsequently the collection of certificates (because they need to match the keyType.

Specified by:

sniSelect in interface SniX509ExtendedKeyManager.SniSelector

Parameters:

keyType - the key algorithm type name

issuers - the list of acceptable CA issuer subject names or null if it does not matter which issuers are used

session - the TLS handshake session or null if not known.

sniHost - the server name indication sent by the client, or null if the client did not send the server name indication

certificates - the list of certificates matching keyType and issuers known to this SslContextFactory

Returns:

the alias of the certificate to return to the client, from the certificates list, or SniX509ExtendedKeyManager.SniSelector.DELEGATE if the certificate choice should be delegated to the nested key manager or null for no match.

newSniX509ExtendedKeyManager

protected X509ExtendedKeyManager newSniX509ExtendedKeyManager(X509ExtendedKeyManager keyManager)

Overrides:

newSniX509ExtendedKeyManager in class SslContextFactory