net.shibboleth.utilities.java.support.httpclient

Class TLSSocketFactory

java.lang.Object

net.shibboleth.utilities.java.support.httpclient.TLSSocketFactory

All Implemented Interfaces:

ConnectionSocketFactory, LayeredConnectionSocketFactory

@ThreadSafe
public class TLSSocketFactory
extends Object
implements LayeredConnectionSocketFactory

An implementation of HttpClient LayeredConnectionSocketFactory that is a factory for TLS sockets.

This class is functionally modeled on SSLConnectionSocketFactory, but provides better support for subclassing, as well as specific additional features:

• Factory hostname verifier defaults to StrictHostnameVerifier rather than BrowserCompatHostnameVerifier
• Per-request specification of enabled TLS protocols and cipher suites via HttpContext attributes.
• Per-request specification of hostname verifier via HttpContext attribute.

Field Summary

Fields

Modifier and Type	Field and Description
static X509HostnameVerifier	ALLOW_ALL_HOSTNAME_VERIFIER Hostname verifier which passes all hostnames.
static X509HostnameVerifier	BROWSER_COMPATIBLE_HOSTNAME_VERIFIER Hostname verifier which implements a policy similar to most browsers.
static String	CONTEXT_KEY_HOSTNAME_VERIFIER HttpContext key for an instance of X509HostnameVerifier.
static String	CONTEXT_KEY_TLS_CIPHER_SUITES HttpContext key for a a list of TLS cipher suites to enable on the socket.
static String	CONTEXT_KEY_TLS_PROTOCOLS HttpContext key for a a list of TLS protocols to enable on the socket.
private X509HostnameVerifier	hostnameVerifier Hostname verifier.
private Logger	log Logger.
private SSLSocketFactory	socketfactory Socket factory.
static String	SSL Protocol: SSL.
static String	SSLV2 Protocol: SSLv2.
static X509HostnameVerifier	STRICT_HOSTNAME_VERIFIER Hostname verifier which implements a strict policy.
private String[]	supportedCipherSuites Factory-wide supported cipher suites.
private String[]	supportedProtocols Factory-wide supported protocols.
static String	TLS Protocol: TLS.

Constructor Summary

Constructors

Constructor and Description
TLSSocketFactory(SSLContext sslContext) Constructor.
TLSSocketFactory(SSLContext sslContext, String[] protocols, String[] cipherSuites, X509HostnameVerifier verifier) Constructor.
TLSSocketFactory(SSLContext sslContext, X509HostnameVerifier verifier) Constructor.
TLSSocketFactory(SSLSocketFactory factory, String[] protocols, String[] cipherSuites, X509HostnameVerifier verifier) Constructor.
TLSSocketFactory(SSLSocketFactory factory, X509HostnameVerifier verifier) Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
Socket	connectSocket(int connectTimeout, Socket socket, org.apache.http.HttpHost host, InetSocketAddress remoteAddress, InetSocketAddress localAddress, org.apache.http.protocol.HttpContext context)
Socket	createLayeredSocket(Socket socket, String target, int port, org.apache.http.protocol.HttpContext context)
Socket	createSocket(org.apache.http.protocol.HttpContext context)
protected X509HostnameVerifier	getHostnameVerifier() Get the configured hostname verifier.
protected String[]	getListAttribute(org.apache.http.protocol.HttpContext context, String contextKey) Get a normalized String array from a context attribute holding a List.
protected SSLSocketFactory	getSocketfactory() Get the JSSE socket factory instance.
protected String[]	getSupportedCipherSuites() Get the configured factory-wide supported cipher suites.
protected String[]	getSupportedProtocols() Get the configured factory-wide supported protocols.
private void	logSocketInfo(SSLSocket socket) Log various diagnostic information from the SSLSocket and SSLSession.
protected void	prepareSocket(SSLSocket socket, org.apache.http.protocol.HttpContext context) Performs any custom initialization for a newly created SSLSocket (before the SSL handshake happens).
protected void	verifyHostname(SSLSocket sslsock, String hostname, org.apache.http.protocol.HttpContext context) Verify the peer's socket hostname against the supplied expected name.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CONTEXT_KEY_TLS_PROTOCOLS

public static final String CONTEXT_KEY_TLS_PROTOCOLS

HttpContext key for a a list of TLS protocols to enable on the socket. Must be an instance of List.

See Also:

Constant Field Values

CONTEXT_KEY_TLS_CIPHER_SUITES

public static final String CONTEXT_KEY_TLS_CIPHER_SUITES

HttpContext key for a a list of TLS cipher suites to enable on the socket. Must be an instance of List.

See Also:

Constant Field Values

CONTEXT_KEY_HOSTNAME_VERIFIER

public static final String CONTEXT_KEY_HOSTNAME_VERIFIER

HttpContext key for an instance of X509HostnameVerifier.

See Also:

Constant Field Values

TLS

public static final String TLS

Protocol: TLS.

See Also:

Constant Field Values

SSL

public static final String SSL

Protocol: SSL.

See Also:

Constant Field Values

SSLV2

public static final String SSLV2

Protocol: SSLv2.

See Also:

Constant Field Values

ALLOW_ALL_HOSTNAME_VERIFIER

public static final X509HostnameVerifier ALLOW_ALL_HOSTNAME_VERIFIER

Hostname verifier which passes all hostnames.

BROWSER_COMPATIBLE_HOSTNAME_VERIFIER

public static final X509HostnameVerifier BROWSER_COMPATIBLE_HOSTNAME_VERIFIER

Hostname verifier which implements a policy similar to most browsers.

STRICT_HOSTNAME_VERIFIER

public static final X509HostnameVerifier STRICT_HOSTNAME_VERIFIER

Hostname verifier which implements a strict policy.

log

private final Logger log

Logger.

socketfactory

private final SSLSocketFactory socketfactory

Socket factory.

hostnameVerifier

private final X509HostnameVerifier hostnameVerifier

Hostname verifier.

supportedProtocols

private final String[] supportedProtocols

Factory-wide supported protocols.

supportedCipherSuites

private final String[] supportedCipherSuites

Factory-wide supported cipher suites.

Constructor Detail

TLSSocketFactory

public TLSSocketFactory(@Nonnull
                SSLContext sslContext)

Constructor.

Parameters:

sslContext - the effective SSLContext instance

TLSSocketFactory

public TLSSocketFactory(@Nonnull
                SSLContext sslContext,
                @Nullable
                X509HostnameVerifier verifier)

Constructor.

Parameters:

sslContext - the effective SSLContext instance

verifier - the effective hostname verifier

TLSSocketFactory

public TLSSocketFactory(@Nonnull
                SSLContext sslContext,
                @Nullable
                String[] protocols,
                @Nullable
                String[] cipherSuites,
                @Nullable
                X509HostnameVerifier verifier)

Constructor.

Parameters:

sslContext - the effective SSLContext instance

protocols - the factory-wide enabled TLS protocols

cipherSuites - the factory-wide enabled TLS cipher suites

verifier - the effective hostname verifier

TLSSocketFactory

public TLSSocketFactory(@Nonnull
                SSLSocketFactory factory,
                @Nullable
                X509HostnameVerifier verifier)

Constructor.

Parameters:

factory - the effective SSL socket factory

verifier - the effective hostname verifier

TLSSocketFactory

public TLSSocketFactory(@Nonnull
                SSLSocketFactory factory,
                @Nullable
                String[] protocols,
                @Nullable
                String[] cipherSuites,
                @Nullable
                X509HostnameVerifier verifier)

Constructor.

Parameters:

factory - the effective SSL socket factory

protocols - the factory-wide enabled TLS protocols

cipherSuites - the factory-wide enabled TLS cipher suites

verifier - the effective hostname verifier

Method Detail

getSocketfactory

@Nonnull
protected SSLSocketFactory getSocketfactory()

Get the JSSE socket factory instance.

Returns:

the socket factory

getHostnameVerifier

@Nonnull
protected X509HostnameVerifier getHostnameVerifier()

Get the configured hostname verifier.

Returns:

the hostname verifier

getSupportedProtocols

@Nullable
protected String[] getSupportedProtocols()

Get the configured factory-wide supported protocols.

Returns:

the configured protocols

getSupportedCipherSuites

@Nullable
protected String[] getSupportedCipherSuites()

Get the configured factory-wide supported cipher suites.

Returns:

the configured cipher suites

prepareSocket

protected void prepareSocket(@Nonnull
                 SSLSocket socket,
                 @Nullable
                 org.apache.http.protocol.HttpContext context)
                      throws IOException

Performs any custom initialization for a newly created SSLSocket (before the SSL handshake happens). The default implementation is a no-op, but could be overridden to, e.g., call SSLSocket.setEnabledCipherSuites(String[]).

Parameters:

socket - the SSL socket instance being prepared

context - the current HttpContext instance

Throws:

IOException - if there is an error customizing the socket

createSocket

@Nonnull
public Socket createSocket(@Nullable
                          org.apache.http.protocol.HttpContext context)
                    throws IOException

Specified by:

createSocket in interface ConnectionSocketFactory

Throws:

IOException

connectSocket

public Socket connectSocket(int connectTimeout,
                   @Nullable
                   Socket socket,
                   @Nonnull
                   org.apache.http.HttpHost host,
                   @Nonnull
                   InetSocketAddress remoteAddress,
                   @Nullable
                   InetSocketAddress localAddress,
                   @Nullable
                   org.apache.http.protocol.HttpContext context)
                     throws IOException

Specified by:

connectSocket in interface ConnectionSocketFactory

Throws:

IOException

createLayeredSocket

public Socket createLayeredSocket(@Nonnull
                         Socket socket,
                         @Nonnull@NotEmpty
                         String target,
                         int port,
                         @Nullable
                         org.apache.http.protocol.HttpContext context)
                           throws IOException

Specified by:

createLayeredSocket in interface LayeredConnectionSocketFactory

Throws:

IOException

logSocketInfo

private void logSocketInfo(SSLSocket socket)

Log various diagnostic information from the SSLSocket and SSLSession.

Parameters:

socket - the SSLSocket instance

getListAttribute

@Nullable
protected String[] getListAttribute(@Nullable
                                 org.apache.http.protocol.HttpContext context,
                                 @Nonnull
                                 String contextKey)

Get a normalized String array from a context attribute holding a List.

Parameters:

context - the current HttpContext

contextKey - the attribute context key

Returns:

a String array, or null

verifyHostname

protected void verifyHostname(@Nonnull
                  SSLSocket sslsock,
                  @Nonnull
                  String hostname,
                  @Nullable
                  org.apache.http.protocol.HttpContext context)
                       throws IOException

Verify the peer's socket hostname against the supplied expected name.

Parameters:

sslsock - the SSL socket being prepared

hostname - the expected hostname

context - the current HttpContext instance

Throws:

IOException - if peer failed hostname verification, or if there was an error during verification