下面列出了javax.net.ssl.SSLEngine#getEnabledCipherSuites ( ) 实例代码,或者点击链接到github查看源代码,也可以在右侧发表评论。
/**
* Create a client {@link SSLEngine} with the remote server IP and port.
*
* @param host Remote server host.
* @param port Remote server port.
* @return A client {@link SSLEngine} instance.
* @throws ExecutionException If an execution error has occurred.
*/
public SSLEngine createClientEngine(@NonNull final String host, int port) throws ExecutionException {
SSLContext ctx = CLIENT_SSL_CONTEXTS.get(host, new Callable<SSLContext>() {
@Override
public SSLContext call() throws GeneralSecurityException, IOException,
OperatorCreationException {
return createClientContext(host);
}
});
SSLEngine engine = ctx.createSSLEngine(host, port);
List<String> ciphers = new LinkedList<>();
for (String each : engine.getEnabledCipherSuites()) {
if (!each.equals("TLS_DHE_RSA_WITH_AES_128_CBC_SHA") &&
!each.equals("TLS_DHE_RSA_WITH_AES_256_CBC_SHA")) {
ciphers.add(each);
}
}
engine.setEnabledCipherSuites(ciphers.toArray(new String[0]));
engine.setUseClientMode(true);
engine.setNeedClientAuth(false);
return engine;
}
public static boolean engineSupportsHTTP2(SSLEngine engine) {
//check to make sure the engine meets the minimum requirements for HTTP/2
//if not then ALPN will not be attempted
String[] protcols = engine.getEnabledProtocols();
boolean found = false;
for (String proto : protcols) {
if (proto.equals(REQUIRED_PROTOCOL)) {
found = true;
break;
}
}
if (!found) {
return false;
}
String[] ciphers = engine.getEnabledCipherSuites();
for (String i : ciphers) {
if (i.equals(REQUIRED_CIPHER)) {
return true;
}
}
return false;
}
@Test
public void testCreateSslEngineFromJksStoreWithExplicitEnabledCiphersJDK() throws Exception {
// Discover the default enabled ciphers
TransportOptions options = createJksSslOptions();
SSLEngine directEngine = createSSLEngineDirectly(options);
String[] ciphers = directEngine.getEnabledCipherSuites();
assertTrue("There were no initial ciphers to choose from!", ciphers.length > 0);
// Pull out one to enable specifically
String cipher = ciphers[0];
String[] enabledCipher = new String[] { cipher };
options.setEnabledCipherSuites(enabledCipher);
SSLContext context = TransportSupport.createJdkSslContext(options);
SSLEngine engine = TransportSupport.createJdkSslEngine(null, context, options);
// verify the option took effect
assertNotNull(engine);
assertArrayEquals("Enabled ciphers not as expected", enabledCipher, engine.getEnabledCipherSuites());
}
@Test
public void testCreateSslEngineFromJksStoreWithExplicitEnabledCiphersOpenSSL() throws Exception {
assumeTrue(OpenSsl.isAvailable());
assumeTrue(OpenSsl.supportsKeyManagerFactory());
// Discover the default enabled ciphers
TransportOptions options = createJksSslOptions();
SSLEngine directEngine = createOpenSSLEngineDirectly(options);
String[] ciphers = directEngine.getEnabledCipherSuites();
assertTrue("There were no initial ciphers to choose from!", ciphers.length > 0);
// Pull out one to enable specifically
String cipher = ciphers[0];
String[] enabledCipher = new String[] { cipher };
options.setEnabledCipherSuites(enabledCipher);
SslContext context = TransportSupport.createOpenSslContext(options);
SSLEngine engine = TransportSupport.createOpenSslEngine(PooledByteBufAllocator.DEFAULT, null, context, options);
// verify the option took effect
assertNotNull(engine);
assertArrayEquals("Enabled ciphers not as expected", enabledCipher, engine.getEnabledCipherSuites());
}
@Test
public void testCreateSslEngineFromJksStoreWithExplicitDisabledCiphersJDK() throws Exception {
// Discover the default enabled ciphers
TransportOptions options = createJksSslOptions();
SSLEngine directEngine = createSSLEngineDirectly(options);
String[] ciphers = directEngine.getEnabledCipherSuites();
assertTrue("There were no initial ciphers to choose from!", ciphers.length > 0);
// Pull out one to disable specifically
String[] disabledCipher = new String[] { ciphers[ciphers.length - 1] };
String[] trimmedCiphers = Arrays.copyOf(ciphers, ciphers.length - 1);
options.setDisabledCipherSuites(disabledCipher);
SSLContext context = TransportSupport.createJdkSslContext(options);
SSLEngine engine = TransportSupport.createJdkSslEngine(null, context, options);
// verify the option took effect
assertNotNull(engine);
assertArrayEquals("Enabled ciphers not as expected", trimmedCiphers, engine.getEnabledCipherSuites());
}
@Test
public void testCreateSslEngineFromJksStoreWithExplicitDisabledCiphersOpenSSL() throws Exception {
assumeTrue(OpenSsl.isAvailable());
assumeTrue(OpenSsl.supportsKeyManagerFactory());
// Discover the default enabled ciphers
TransportOptions options = createJksSslOptions();
SSLEngine directEngine = createOpenSSLEngineDirectly(options);
String[] ciphers = directEngine.getEnabledCipherSuites();
assertTrue("There were no initial ciphers to choose from!", ciphers.length > 0);
// Pull out one to disable specifically
String[] disabledCipher = new String[] { ciphers[ciphers.length - 1] };
String[] trimmedCiphers = Arrays.copyOf(ciphers, ciphers.length - 1);
options.setDisabledCipherSuites(disabledCipher);
SslContext context = TransportSupport.createOpenSslContext(options);
SSLEngine engine = TransportSupport.createOpenSslEngine(PooledByteBufAllocator.DEFAULT, null, context, options);
// verify the option took effect
assertNotNull(engine);
assertArrayEquals("Enabled ciphers not as expected", trimmedCiphers, engine.getEnabledCipherSuites());
}
@Test
public void testCreateSslEngineFromJksStoreWithExplicitEnabledAndDisabledCiphersJDK() throws Exception {
// Discover the default enabled ciphers
TransportOptions options = createJksSslOptions();
SSLEngine directEngine = createSSLEngineDirectly(options);
String[] ciphers = directEngine.getEnabledCipherSuites();
assertTrue("There werent enough initial ciphers to choose from!", ciphers.length > 1);
// Pull out two to enable, and one to disable specifically
String cipher1 = ciphers[0];
String cipher2 = ciphers[1];
String[] enabledCiphers = new String[] { cipher1, cipher2 };
String[] disabledCipher = new String[] { cipher1 };
String[] remainingCipher = new String[] { cipher2 };
options.setEnabledCipherSuites(enabledCiphers);
options.setDisabledCipherSuites(disabledCipher);
SSLContext context = TransportSupport.createJdkSslContext(options);
SSLEngine engine = TransportSupport.createJdkSslEngine(null, context, options);
// verify the option took effect, that the disabled ciphers were removed from the enabled list.
assertNotNull(engine);
assertArrayEquals("Enabled ciphers not as expected", remainingCipher, engine.getEnabledCipherSuites());
}
@Test
public void testCreateSslEngineFromJksStoreWithExplicitEnabledAndDisabledCiphersOpenSSL() throws Exception {
assumeTrue(OpenSsl.isAvailable());
assumeTrue(OpenSsl.supportsKeyManagerFactory());
// Discover the default enabled ciphers
TransportOptions options = createJksSslOptions();
SSLEngine directEngine = createOpenSSLEngineDirectly(options);
String[] ciphers = directEngine.getEnabledCipherSuites();
assertTrue("There werent enough initial ciphers to choose from!", ciphers.length > 1);
// Pull out two to enable, and one to disable specifically
String cipher1 = ciphers[0];
String cipher2 = ciphers[1];
String[] enabledCiphers = new String[] { cipher1, cipher2 };
String[] disabledCipher = new String[] { cipher1 };
String[] remainingCipher = new String[] { cipher2 };
options.setEnabledCipherSuites(enabledCiphers);
options.setDisabledCipherSuites(disabledCipher);
SslContext context = TransportSupport.createOpenSslContext(options);
SSLEngine engine = TransportSupport.createOpenSslEngine(PooledByteBufAllocator.DEFAULT, null, context, options);
// verify the option took effect, that the disabled ciphers were removed from the enabled list.
assertNotNull(engine);
assertArrayEquals("Enabled ciphers not as expected", remainingCipher, engine.getEnabledCipherSuites());
}
public static void main(String[] s) throws Exception {
SSLContext context = SSLEngineTestCase.getContext();
SSLEngine clientEngine = context.createSSLEngine();
clientEngine.setUseClientMode(true);
SSLEngine serverEngine = context.createSSLEngine();
serverEngine.setUseClientMode(false);
String[] cliEnabledCiphers = clientEngine.getEnabledCipherSuites();
rc4Test(cliEnabledCiphers, true);
String[] srvEnabledCiphers = serverEngine.getEnabledCipherSuites();
rc4Test(srvEnabledCiphers, false);
}
protected boolean supportsHTTP2() {
try {
SSLContext context = SSLContext.getDefault();
SSLEngine engine = context.createSSLEngine();
String[] ciphers = engine.getEnabledCipherSuites();
for (String i : ciphers) {
if (REQUIRED_CIPHER.equals(i) || REQUIRED_CIPHER_IBMJDK.equals(i)) {
return true;
}
}
} catch (NoSuchAlgorithmException e) {
}
return false;
}
@Test
public void can_create_sslcontext_from_credentials() {
KeyPair keyPair = KeyUtils.generateKeypair(EC);
X509Certificate certificate = X509CertificateBuilder
.fromKeypair(keyPair, new X500Principal("CN=dummy"), EPOCH, Instant.now().plus(1, DAYS), SHA256_WITH_ECDSA, generateRandomSerialNumber())
.build();
AuthorizedPeers authorizedPeers = new AuthorizedPeers(
singleton(
new PeerPolicy(
"dummy-policy",
singleton(new Role("dummy-role")),
singletonList(new RequiredPeerCredential(RequiredPeerCredential.Field.CN, new HostGlobPattern("dummy"))))));
DefaultTlsContext tlsContext =
new DefaultTlsContext(
singletonList(certificate), keyPair.getPrivate(), singletonList(certificate), authorizedPeers,
AuthorizationMode.ENFORCE, PeerAuthentication.NEED, HostnameVerification.ENABLED);
SSLEngine sslEngine = tlsContext.createSslEngine();
assertThat(sslEngine).isNotNull();
String[] enabledCiphers = sslEngine.getEnabledCipherSuites();
assertThat(enabledCiphers).isNotEmpty();
assertThat(enabledCiphers).isSubsetOf(TlsContext.ALLOWED_CIPHER_SUITES.toArray(new String[0]));
String[] enabledProtocols = sslEngine.getEnabledProtocols();
assertThat(enabledProtocols).contains("TLSv1.2");
}
@Test
public void can_create_sslcontext_from_credentials() throws IOException, InterruptedException {
KeyPair keyPair = KeyUtils.generateKeypair(EC);
Path privateKeyFile = tempDirectory.newFile().toPath();
com.yahoo.vespa.jdk8compat.Files.writeString(privateKeyFile, KeyUtils.toPem(keyPair.getPrivate()));
X509Certificate certificate = X509CertificateBuilder
.fromKeypair(keyPair, new X500Principal("CN=dummy"), EPOCH, EPOCH.plus(1, DAYS), SHA256_WITH_ECDSA, BigInteger.ONE)
.build();
Path certificateChainFile = tempDirectory.newFile().toPath();
String certificatePem = X509CertificateUtils.toPem(certificate);
com.yahoo.vespa.jdk8compat.Files.writeString(certificateChainFile, certificatePem);
Path caCertificatesFile = tempDirectory.newFile().toPath();
com.yahoo.vespa.jdk8compat.Files.writeString(caCertificatesFile, certificatePem);
TransportSecurityOptions options = new TransportSecurityOptions.Builder()
.withCertificates(certificateChainFile, privateKeyFile)
.withCaCertificates(caCertificatesFile)
.build();
Path optionsFile = tempDirectory.newFile().toPath();
options.toJsonFile(optionsFile);
try (TlsContext tlsContext = new ConfigFileBasedTlsContext(optionsFile, AuthorizationMode.ENFORCE)) {
SSLEngine sslEngine = tlsContext.createSslEngine();
assertThat(sslEngine).isNotNull();
String[] enabledCiphers = sslEngine.getEnabledCipherSuites();
assertThat(enabledCiphers).isNotEmpty();
assertThat(enabledCiphers).isSubsetOf(TlsContext.ALLOWED_CIPHER_SUITES.toArray(new String[0]));
String[] enabledProtocols = sslEngine.getEnabledProtocols();
assertThat(enabledProtocols).contains("TLSv1.2");
}
}
public String[] getEnabledCipherSuites() throws Exception {
SSLContext context = new SSLSupport()
.setKeystoreProvider(storeType)
.setKeystorePath(SERVER_SIDE_KEYSTORE)
.setKeystorePassword(PASSWORD)
.setTruststoreProvider(storeType)
.setTruststorePath(CLIENT_SIDE_TRUSTSTORE)
.setTruststorePassword(PASSWORD)
.createContext();
SSLEngine engine = context.createSSLEngine();
return engine.getEnabledCipherSuites();
}
private static void verifySSLConfig(SSLContext sslContext, SSLEngine sslEngine, boolean isClient) {
// SSLContext verify
Assert.assertEquals(sslContext.getProtocol(), SSL_CONTEXT_PROTOCOL);
Assert.assertEquals(sslContext.getProvider().getName(), SSL_CONTEXT_PROVIDER);
// SSLEngine verify
String[] enabledProtocols = sslEngine.getEnabledProtocols();
if (enabledProtocols.length == 2) {
// Apparently the Netty OpenSslEngine has no way of disabling the SSLv2Hello protocol.
// This is the relevant code from ReferenceCountedOpenSslEngine.getEnabledProtocols():
// """
// // Seems like there is no way to explicit disable SSLv2Hello in openssl so it is always enabled
// enabled.add(PROTOCOL_SSL_V2_HELLO);
// """
Assert.assertArrayEquals("enabledProtocols does not match expected",
new String[]{SSL_V2_HELLO_PROTOCOL, TLS_V1_2_PROTOCOL}, enabledProtocols);
} else {
Assert.assertArrayEquals("enabledProtocols does not match expected", new String[]{TLS_V1_2_PROTOCOL},
enabledProtocols);
}
String[] enabledCipherSuite = sslEngine.getEnabledCipherSuites();
Assert.assertEquals(enabledCipherSuite.length, 1);
Assert.assertEquals(enabledCipherSuite[0], SSL_CIPHER_SUITES);
Assert.assertEquals(sslEngine.getWantClientAuth(), false);
if (isClient) {
Assert.assertEquals(sslEngine.getSSLParameters().getEndpointIdentificationAlgorithm(),
ENDPOINT_IDENTIFICATION_ALGORITHM);
Assert.assertEquals(sslEngine.getNeedClientAuth(), false);
Assert.assertEquals(sslEngine.getUseClientMode(), true);
} else {
Assert.assertEquals(sslEngine.getSSLParameters().getEndpointIdentificationAlgorithm(), null);
Assert.assertEquals(sslEngine.getNeedClientAuth(), true);
Assert.assertEquals(sslEngine.getUseClientMode(), false);
}
}
public void verifySslAtBootstrap(@NotNull final Listener listener, @NotNull final Tls tls) {
try {
if (!sslContextStore.contains(tls)) {
final SslContext sslContext = sslContextFactory.createSslContext(tls);
sslContextStore.putAtStart(tls, sslContext);
final SSLEngine sslEngine = sslContext.newEngine(new PooledByteBufAllocator());
enableProtocols(sslEngine, tls.getProtocols());
log.info("Enabled protocols for {} at address {} and port {}: {}", listener.readableName(), listener.getBindAddress(), listener.getPort(), Arrays.toString(sslEngine.getEnabledProtocols()));
final String[] enabledCipherSuites = sslEngine.getEnabledCipherSuites();
log.info("Enabled cipher suites for {} at address {} and port {}: {}", listener.readableName(), listener.getBindAddress(), listener.getPort(), Arrays.toString(enabledCipherSuites));
final List<String> cipherSuites = tls.getCipherSuites();
if (cipherSuites.size() > 0) {
final Set<String> unknownCipherSuitesSet;
if (sslContext instanceof OpenSslServerContext) {
// the prefixes TLS_ and SSL_ are ignored by OpenSSL
final Set<String> enabledCipherSuitesSet = new HashSet<>();
for (final String enabledCipherSuite : enabledCipherSuites) {
enabledCipherSuitesSet.add(enabledCipherSuite.substring(4));
}
unknownCipherSuitesSet = new HashSet<>();
for (final String cipherSuite : cipherSuites) {
if (cipherSuite == null) {
continue;
}
if (!enabledCipherSuitesSet.contains(cipherSuite.substring(4))) {
unknownCipherSuitesSet.add(cipherSuite);
}
}
} else {
unknownCipherSuitesSet = Sets.difference(ImmutableSet.copyOf(cipherSuites), ImmutableSet.copyOf(enabledCipherSuites));
}
if (unknownCipherSuitesSet.size() > 0) {
log.warn("Unknown cipher suites for {} at address {} and port {}: {}", listener.readableName(), listener.getBindAddress(), listener.getPort(), unknownCipherSuitesSet);
}
}
}
} catch (final Exception e) {
log.error("Not able to create SSL server context", e);
throw new UnrecoverableException(false);
}
}