|
||||||||||
| PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
| SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD | |||||||||
java.lang.Objectorg.apache.http.conn.ssl.SSLSocketFactory
@ThreadSafe public class SSLSocketFactory
Layered socket factory for TLS/SSL connections.
SSLSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates and to authenticate to the HTTPS server using a private key.
SSLSocketFactory will enable server authentication when supplied with
a trust-store file containing one or several trusted certificates. The client
secure socket will reject the connection during the SSL session handshake if the target HTTPS
server attempts to authenticate itself with a non-trusted certificate.
Use JDK keytool utility to import a trusted certificate and generate a trust-store file:
keytool -import -alias "my server cert" -file server.crt -keystore my.truststore
In special cases the standard trust verification process can be bypassed by using a custom
TrustStrategy. This interface is primarily intended for allowing self-signed
certificates to be accepted as trusted without having to add them to the trust-store file.
The following parameters can be used to customize the behavior of this class:
CoreConnectionPNames.CONNECTION_TIMEOUTCoreConnectionPNames.SO_TIMEOUTCoreConnectionPNames.SO_REUSEADDR
SSLSocketFactory will enable client authentication when supplied with
a key-store file containing a private key/public certificate
pair. The client secure socket will use the private key to authenticate
itself to the target HTTPS server during the SSL session handshake if
requested to do so by the server.
The target HTTPS server will in its turn verify the certificate presented
by the client in order to establish client's authenticity
Use the following sequence of actions to generate a key-store file
Use JDK keytool utility to generate a new key
keytool -genkey -v -alias "my client key" -validity 365 -keystore my.keystoreFor simplicity use the same password for the key as that of the key-store
Issue a certificate signing request (CSR)
keytool -certreq -alias "my client key" -file mycertreq.csr -keystore my.keystore
Send the certificate request to the trusted Certificate Authority for signature. One may choose to act as her own CA and sign the certificate request using a PKI tool, such as OpenSSL.
Import the trusted CA root certificate
keytool -import -alias "my trusted ca" -file caroot.crt -keystore my.keystore
Import the PKCS#7 file containg the complete certificate chain
keytool -import -alias "my client key" -file mycert.p7 -keystore my.keystore
Verify the content the resultant keystore file
keytool -list -v -keystore my.keystore
| Field Summary | |
|---|---|
static X509HostnameVerifier |
ALLOW_ALL_HOSTNAME_VERIFIER
|
static X509HostnameVerifier |
BROWSER_COMPATIBLE_HOSTNAME_VERIFIER
|
static String |
SSL
|
static String |
SSLV2
|
static X509HostnameVerifier |
STRICT_HOSTNAME_VERIFIER
|
static String |
TLS
|
| Method Summary | |
|---|---|
Socket |
connectSocket(Socket socket,
InetSocketAddress remoteAddress,
InetSocketAddress localAddress,
HttpParams params)
Connects a socket to the target host with the given remote address. |
Socket |
connectSocket(Socket socket,
String host,
int port,
InetAddress localAddress,
int localPort,
HttpParams params)
Deprecated. Use connectSocket(Socket, InetSocketAddress, InetSocketAddress, HttpParams) |
Socket |
createLayeredSocket(Socket socket,
String host,
int port,
boolean autoClose)
Deprecated. use createLayeredSocket(Socket, String, int, HttpParams) |
Socket |
createLayeredSocket(Socket socket,
String host,
int port,
HttpParams params)
Returns a socket connected to the given host that is layered over an existing socket. |
Socket |
createSocket()
Deprecated. |
Socket |
createSocket(HttpParams params)
Creates a new, unconnected socket. |
Socket |
createSocket(Socket socket,
String host,
int port,
boolean autoClose)
Deprecated. Use createLayeredSocket(Socket, String, int, boolean) |
X509HostnameVerifier |
getHostnameVerifier()
|
static SSLSocketFactory |
getSocketFactory()
Gets the default factory, which uses the default JSSE settings for initializing the SSL context. |
static SSLSocketFactory |
getSystemSocketFactory()
Gets the default factory, which uses system properties for initializing the SSL context as described in "JavaTM Secure Socket Extension (JSSE) Reference Guide for the JavaTM 2 Platform Standard Edition 5 |
boolean |
isSecure(Socket sock)
Checks whether a socket connection is secure. |
protected void |
prepareSocket(SSLSocket socket)
Performs any custom initialization for a newly created SSLSocket (before the SSL handshake happens). |
void |
setHostnameVerifier(X509HostnameVerifier hostnameVerifier)
Deprecated. |
| Methods inherited from class java.lang.Object |
|---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
| Field Detail |
|---|
public static final String TLS
public static final String SSL
public static final String SSLV2
public static final X509HostnameVerifier ALLOW_ALL_HOSTNAME_VERIFIER
public static final X509HostnameVerifier BROWSER_COMPATIBLE_HOSTNAME_VERIFIER
public static final X509HostnameVerifier STRICT_HOSTNAME_VERIFIER
| Constructor Detail |
|---|
@Deprecated
public SSLSocketFactory(String algorithm,
KeyStore keystore,
String keystorePassword,
KeyStore truststore,
SecureRandom random,
HostNameResolver nameResolver)
throws NoSuchAlgorithmException,
KeyManagementException,
KeyStoreException,
UnrecoverableKeyException
SSLSocketFactory(String, KeyStore, String, KeyStore, SecureRandom, X509HostnameVerifier)
NoSuchAlgorithmException
KeyManagementException
KeyStoreException
UnrecoverableKeyException
public SSLSocketFactory(String algorithm,
KeyStore keystore,
String keystorePassword,
KeyStore truststore,
SecureRandom random,
X509HostnameVerifier hostnameVerifier)
throws NoSuchAlgorithmException,
KeyManagementException,
KeyStoreException,
UnrecoverableKeyException
NoSuchAlgorithmException
KeyManagementException
KeyStoreException
UnrecoverableKeyException
public SSLSocketFactory(String algorithm,
KeyStore keystore,
String keystorePassword,
KeyStore truststore,
SecureRandom random,
TrustStrategy trustStrategy,
X509HostnameVerifier hostnameVerifier)
throws NoSuchAlgorithmException,
KeyManagementException,
KeyStoreException,
UnrecoverableKeyException
NoSuchAlgorithmException
KeyManagementException
KeyStoreException
UnrecoverableKeyException
public SSLSocketFactory(KeyStore keystore,
String keystorePassword,
KeyStore truststore)
throws NoSuchAlgorithmException,
KeyManagementException,
KeyStoreException,
UnrecoverableKeyException
NoSuchAlgorithmException
KeyManagementException
KeyStoreException
UnrecoverableKeyException
public SSLSocketFactory(KeyStore keystore,
String keystorePassword)
throws NoSuchAlgorithmException,
KeyManagementException,
KeyStoreException,
UnrecoverableKeyException
NoSuchAlgorithmException
KeyManagementException
KeyStoreException
UnrecoverableKeyException
public SSLSocketFactory(KeyStore truststore)
throws NoSuchAlgorithmException,
KeyManagementException,
KeyStoreException,
UnrecoverableKeyException
NoSuchAlgorithmException
KeyManagementException
KeyStoreException
UnrecoverableKeyException
public SSLSocketFactory(TrustStrategy trustStrategy,
X509HostnameVerifier hostnameVerifier)
throws NoSuchAlgorithmException,
KeyManagementException,
KeyStoreException,
UnrecoverableKeyException
NoSuchAlgorithmException
KeyManagementException
KeyStoreException
UnrecoverableKeyException
public SSLSocketFactory(TrustStrategy trustStrategy)
throws NoSuchAlgorithmException,
KeyManagementException,
KeyStoreException,
UnrecoverableKeyException
NoSuchAlgorithmException
KeyManagementException
KeyStoreException
UnrecoverableKeyExceptionpublic SSLSocketFactory(SSLContext sslContext)
@Deprecated
public SSLSocketFactory(SSLContext sslContext,
HostNameResolver nameResolver)
SSLSocketFactory(SSLContext)
public SSLSocketFactory(SSLContext sslContext,
X509HostnameVerifier hostnameVerifier)
public SSLSocketFactory(SSLSocketFactory socketfactory,
X509HostnameVerifier hostnameVerifier)
| Method Detail |
|---|
public static SSLSocketFactory getSocketFactory()
throws SSLInitializationException
SSLInitializationException
public static SSLSocketFactory getSystemSocketFactory()
throws SSLInitializationException
The following system properties are taken into account by this method:
SSLInitializationException
public Socket createSocket(HttpParams params)
throws IOException
SchemeSocketFactorySchemeSocketFactory.connectSocket(Socket, InetSocketAddress, InetSocketAddress, HttpParams).
createSocket in interface SchemeSocketFactoryparams - Optional parameters. Parameters passed to this method will have no effect.
This method will create a unconnected instance of Socket class.
IOException - if an I/O error occurs while creating the socket
@Deprecated
public Socket createSocket()
throws IOException
SocketFactoryconnectSocket.
createSocket in interface SocketFactoryIOException - if an I/O error occurs while creating the socket
public Socket connectSocket(Socket socket,
InetSocketAddress remoteAddress,
InetSocketAddress localAddress,
HttpParams params)
throws IOException,
UnknownHostException,
ConnectTimeoutException
SchemeSocketFactoryHttpInetSocketAddress class should be used in order to pass
the target remote address along with the original HttpHost value used to resolve
the address. The use of HttpInetSocketAddress can also ensure that no reverse
DNS lookup will be performed if the target remote address was specified as an IP address.
connectSocket in interface SchemeSocketFactorysocket - the socket to connect, as obtained from
createSocket.
null indicates that a new socket
should be created and connected.remoteAddress - the remote address to connect to.localAddress - the local address to bind the socket to, or
null for anyparams - additional parameters for connecting
sock argument if this factory supports
a layered protocol.
IOException - if an I/O error occurs
UnknownHostException - if the IP address of the target host
can not be determined
ConnectTimeoutException - if the socket cannot be connected
within the time limit defined in the paramsHttpInetSocketAddress
public boolean isSecure(Socket sock)
throws IllegalArgumentException
isSecure in interface SchemeSocketFactoryisSecure in interface SocketFactorysock - the connected socket
true
IllegalArgumentException - if the argument is invalid
public Socket createLayeredSocket(Socket socket,
String host,
int port,
HttpParams params)
throws IOException,
UnknownHostException
SchemeLayeredSocketFactory
createLayeredSocket in interface SchemeLayeredSocketFactorysocket - the existing sockethost - the name of the target host.port - the port to connect to on the target hostparams - HTTP parameters
IOException - if an I/O error occurs while creating the socket
UnknownHostException - if the IP address of the host cannot be
determined
public Socket createLayeredSocket(Socket socket,
String host,
int port,
boolean autoClose)
throws IOException,
UnknownHostException
createLayeredSocket(Socket, String, int, HttpParams)
LayeredSchemeSocketFactory
createLayeredSocket in interface LayeredSchemeSocketFactorysocket - the existing sockethost - the name of the target host.port - the port to connect to on the target hostautoClose - a flag for closing the underling socket when the created
socket is closed
IOException - if an I/O error occurs while creating the socket
UnknownHostException - if the IP address of the host cannot be
determined@Deprecated public void setHostnameVerifier(X509HostnameVerifier hostnameVerifier)
public X509HostnameVerifier getHostnameVerifier()
@Deprecated
public Socket connectSocket(Socket socket,
String host,
int port,
InetAddress localAddress,
int localPort,
HttpParams params)
throws IOException,
UnknownHostException,
ConnectTimeoutException
connectSocket(Socket, InetSocketAddress, InetSocketAddress, HttpParams)
SocketFactory
connectSocket in interface SocketFactorysocket - the socket to connect, as obtained from
createSocket.
null indicates that a new socket
should be created and connected.host - the host to connect toport - the port to connect to on the hostlocalAddress - the local address to bind the socket to, or
null for anylocalPort - the port on the local machine,
0 or a negative number for anyparams - additional parameters for connecting
sock argument if this factory supports
a layered protocol.
IOException - if an I/O error occurs
UnknownHostException - if the IP address of the target host
can not be determined
ConnectTimeoutException - if the socket cannot be connected
within the time limit defined in the params
@Deprecated
public Socket createSocket(Socket socket,
String host,
int port,
boolean autoClose)
throws IOException,
UnknownHostException
createLayeredSocket(Socket, String, int, boolean)
LayeredSocketFactory
createSocket in interface LayeredSocketFactorysocket - the existing sockethost - the host name/IPport - the port on the hostautoClose - a flag for closing the underling socket when the created
socket is closed
IOException - if an I/O error occurs while creating the socket
UnknownHostException - if the IP address of the host cannot be
determined
protected void prepareSocket(SSLSocket socket)
throws IOException
SSLSocket.setEnabledCipherSuites(java.lang.String[]).
IOException
|
||||||||||
| PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
| SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD | |||||||||