List of usage examples for javax.net.ssl SSLSocket getEnabledCipherSuites
public abstract String[] getEnabledCipherSuites();
From source file:net.i2p.util.I2PSSLSocketFactory.java
/** * Select protocols and cipher suites to be used * based on configured inclusion and exclusion lists * as well as enabled and supported protocols and cipher suites. * * Adapted from Jetty SslContextFactory.java * * @since 0.9.16//www .j ava2 s . com */ public static void setProtocolsAndCiphers(SSLSocket socket) { socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(), socket.getSupportedProtocols())); socket.setEnabledCipherSuites( selectCipherSuites(socket.getEnabledCipherSuites(), socket.getSupportedCipherSuites())); }
From source file:com.joyent.manta.http.MantaSSLConnectionSocketFactory.java
@Override protected void prepareSocket(final SSLSocket socket) throws IOException { final Set<String> enabledProtocols = new LinkedHashSet<>(Arrays.asList(socket.getEnabledProtocols())); final Set<String> enabledCipherSuites = new LinkedHashSet<>(Arrays.asList(socket.getEnabledCipherSuites())); if (LOG.isDebugEnabled()) { LOG.debug("Enabled TLS protocols: {}", MantaUtils.asString(enabledProtocols)); LOG.debug("Enabled cipher suites: {}", MantaUtils.asString(enabledCipherSuites)); }/*w w w. j a v a2s . c o m*/ supportedCipherSuites.retainAll(enabledCipherSuites); if (!supportedCipherSuites.isEmpty()) { try { String[] supportedCiphers = new String[supportedCipherSuites.size()]; supportedCipherSuites.toArray(supportedCiphers); socket.setEnabledCipherSuites(supportedCiphers); } catch (IllegalArgumentException e) { String msg = String.format("Unsupported encryption provider. Supported providers: %s", MantaUtils.asString(socket.getEnabledCipherSuites())); throw new ConfigurationException(msg, e); } } supportedProtocols.retainAll(enabledProtocols); if (!supportedProtocols.isEmpty()) { String[] supportedProtos = new String[supportedProtocols.size()]; supportedProtocols.toArray(supportedProtos); socket.setEnabledProtocols(supportedProtos); } if (LOG.isDebugEnabled()) { LOG.debug("Supported TLS protocols: {}", MantaUtils.asString(supportedProtocols)); LOG.debug("Supported cipher suites: {}", MantaUtils.asString(supportedCipherSuites)); } }
From source file:github.popeen.dsub.service.ssl.SSLSocketFactory.java
private String[] getCiphers(SSLSocket sslSocket) { String[] ciphers = sslSocket.getEnabledCipherSuites(); List<String> enabledCiphers = new ArrayList(Arrays.asList(ciphers)); // On Android 5.0 release, Jetty doesn't seem to play nice with these ciphers // Issue seems to have been fixed in M, and now won't work without them. Because Google if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP && Build.VERSION.SDK_INT <= Build.VERSION_CODES.LOLLIPOP_MR1) { enabledCiphers.remove("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"); enabledCiphers.remove("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"); }/*from w w w .ja v a2s .c o m*/ ciphers = enabledCiphers.toArray(new String[enabledCiphers.size()]); return ciphers; }
From source file:com.apporiented.hermesftp.cmd.impl.FtpCmdAuth.java
private SSLSocket createSslSocket() throws IOException { String clientHost = getCtx().getClientSocket().getInetAddress().getHostAddress(); SSLContext sslContext = getCtx().getOptions().getSslContext(); SSLSocketFactory factory = sslContext.getSocketFactory(); SSLSocket sslSocket = (SSLSocket) factory.createSocket(getCtx().getClientSocket(), clientHost, getCtx().getOptions().getFtpPort(), true); sslSocket.setUseClientMode(false);//from www.j ava 2 s . co m sslSocket.addHandshakeCompletedListener(this); enableCipherSuites(sslSocket); log.info("Enabled cipher suites (explicit SSL): " + StringUtils.arrayToCommaDelimitedString(sslSocket.getEnabledCipherSuites())); return sslSocket; }
From source file:com.dubsar_dictionary.SecureClient.SecureSocketFactory.java
private void setupCrypto(SSLSocket socket) { // Log.d(TAG, "in setupCrypto"); String[] protocols = getEnabledProtocols(); if (protocols != null) { socket.setEnabledProtocols(protocols); }/*from w ww .j av a2s. com*/ String[] ciphers = getEnabledCipherSuites(); if (ciphers != null) { socket.setEnabledCipherSuites(ciphers); } protocols = socket.getEnabledProtocols(); if (protocols == null) { Log.e(TAG, "protocols is null"); return; } for (String protocol : protocols) { Log.d(TAG, protocol + " is enabled"); } ciphers = socket.getEnabledCipherSuites(); if (ciphers == null) { Log.e(TAG, "ciphers is null"); return; } for (String cipher : ciphers) { Log.d(TAG, cipher + " is enabled"); } // no? // socket.setHandshakeTimeout(mHandshakeTimeoutMillis); }
From source file:com.serphacker.serposcope.scraper.http.extensions.ScrapClientSSLConnectionFactory.java
@Override public Socket createLayeredSocket(final Socket socket, final String target, final int port, final HttpContext context) throws IOException { SSLSocketFactory sslSocketFactory = insecure ? insecoreSSLSocketfactory : defaultSSLSocketFactory; final SSLSocket sslsock = (SSLSocket) sslSocketFactory.createSocket(socket, target, port, true); if (supportedProtocols != null) { sslsock.setEnabledProtocols(supportedProtocols); } else {// w w w .j a va 2 s . co m // If supported protocols are not explicitly set, remove all SSL protocol versions final String[] allProtocols = sslsock.getEnabledProtocols(); final List<String> enabledProtocols = new ArrayList<String>(allProtocols.length); for (String protocol : allProtocols) { if (!protocol.startsWith("SSL")) { enabledProtocols.add(protocol); } } if (!enabledProtocols.isEmpty()) { sslsock.setEnabledProtocols(enabledProtocols.toArray(new String[enabledProtocols.size()])); } } if (supportedCipherSuites != null) { sslsock.setEnabledCipherSuites(supportedCipherSuites); } if (this.log.isDebugEnabled()) { this.log.debug("Enabled protocols: " + Arrays.asList(sslsock.getEnabledProtocols())); this.log.debug("Enabled cipher suites:" + Arrays.asList(sslsock.getEnabledCipherSuites())); } prepareSocket(sslsock); this.log.debug("Starting handshake"); sslsock.startHandshake(); verifyHostname(sslsock, target); return sslsock; }
From source file:org.dcache.srm.client.FlexibleCredentialSSLConnectionSocketFactory.java
@Override public Socket createLayeredSocket(final Socket socket, final String target, final int port, final HttpContext context) throws IOException { final X509Credential credential = (X509Credential) context .getAttribute(HttpClientTransport.TRANSPORT_HTTP_CREDENTIALS); if (credential == null) { throw new IOException("Client credentials are missing from context."); }//www . j a va 2 s . c o m final SSLContext sslContext; try { sslContext = contextProvider.getContext(credential); } catch (GeneralSecurityException e) { throw new IOException("Failed to create SSLContext: " + e.getMessage(), e); } final SSLSocket sslsock = (SSLSocket) sslContext.getSocketFactory().createSocket(socket, target, port, true); if (supportedProtocols != null) { sslsock.setEnabledProtocols(supportedProtocols); } else { // If supported protocols are not explicitly set, remove all SSL protocol versions final String[] allProtocols = sslsock.getEnabledProtocols(); final List<String> enabledProtocols = new ArrayList<String>(allProtocols.length); for (String protocol : allProtocols) { if (!protocol.startsWith("SSL")) { enabledProtocols.add(protocol); } } if (!enabledProtocols.isEmpty()) { sslsock.setEnabledProtocols(enabledProtocols.toArray(new String[enabledProtocols.size()])); } } if (supportedCipherSuites != null) { sslsock.setEnabledCipherSuites(supportedCipherSuites); } if (LOGGER.isDebugEnabled()) { LOGGER.debug("Enabled protocols: {}", Arrays.asList(sslsock.getEnabledProtocols())); LOGGER.debug("Enabled cipher suites: {}", Arrays.asList(sslsock.getEnabledCipherSuites())); } prepareSocket(sslsock); LOGGER.debug("Starting handshake"); sslsock.startHandshake(); verifyHostname(sslsock, target); return sslsock; }
From source file:com.newrelic.agent.deps.org.apache.http.conn.ssl.SSLConnectionSocketFactory.java
@Override public Socket createLayeredSocket(final Socket socket, final String target, final int port, final HttpContext context) throws IOException { final SSLSocket sslsock = (SSLSocket) this.socketfactory.createSocket(socket, target, port, true); if (supportedProtocols != null) { sslsock.setEnabledProtocols(supportedProtocols); } else {/*from w w w . j ava 2 s.c om*/ // If supported protocols are not explicitly set, remove all SSL protocol versions final String[] allProtocols = sslsock.getEnabledProtocols(); final List<String> enabledProtocols = new ArrayList<String>(allProtocols.length); for (String protocol : allProtocols) { if (!protocol.startsWith("SSL")) { enabledProtocols.add(protocol); } } if (!enabledProtocols.isEmpty()) { sslsock.setEnabledProtocols(enabledProtocols.toArray(new String[enabledProtocols.size()])); } } if (supportedCipherSuites != null) { sslsock.setEnabledCipherSuites(supportedCipherSuites); } if (this.log.isDebugEnabled()) { this.log.debug("Enabled protocols: " + Arrays.asList(sslsock.getEnabledProtocols())); this.log.debug("Enabled cipher suites:" + Arrays.asList(sslsock.getEnabledCipherSuites())); } prepareSocket(sslsock); this.log.debug("Starting handshake"); sslsock.startHandshake(); verifyHostname(sslsock, target); return sslsock; }
From source file:at.bitfire.davdroid.mirakel.webdav.TlsSniSocketFactory.java
@SuppressLint("DefaultLocale") private void setReasonableEncryption(SSLSocket ssl) { // set reasonable SSL/TLS settings before the handshake // Android 5.0+ (API level21) provides reasonable default settings // but it still allows SSLv3 // https://developer.android.com/about/versions/android-5.0-changes.html#ssl // - enable all supported protocols (enables TLSv1.1 and TLSv1.2 on Android <5.0, if available) // - remove all SSL versions (especially SSLv3) because they're insecure now List<String> protocols = new LinkedList<String>(); for (String protocol : ssl.getSupportedProtocols()) if (!protocol.toUpperCase().contains("SSL")) protocols.add(protocol);/*from ww w .j av a 2 s .c o m*/ Log.v(TAG, "Setting allowed TLS protocols: " + StringUtils.join(protocols, ", ")); ssl.setEnabledProtocols(protocols.toArray(new String[0])); if (android.os.Build.VERSION.SDK_INT < 21) { // choose secure cipher suites List<String> allowedCiphers = Arrays.asList(// TLS 1.2 "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECHDE_RSA_WITH_AES_128_GCM_SHA256", // maximum interoperability "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", // additionally "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"); List<String> availableCiphers = Arrays.asList(ssl.getSupportedCipherSuites()); // preferred ciphers = allowed Ciphers \ availableCiphers HashSet<String> preferredCiphers = new HashSet<String>(allowedCiphers); preferredCiphers.retainAll(availableCiphers); // add preferred ciphers to enabled ciphers // for maximum security, preferred ciphers should *replace* enabled ciphers, // but I guess for the security level of DAVdroid, disabling of insecure // ciphers should be a server-side task HashSet<String> enabledCiphers = preferredCiphers; enabledCiphers.addAll(new HashSet<String>(Arrays.asList(ssl.getEnabledCipherSuites()))); Log.v(TAG, "Setting allowed TLS ciphers: " + StringUtils.join(enabledCiphers, ", ")); ssl.setEnabledCipherSuites(enabledCiphers.toArray(new String[0])); } }
From source file:org.apache.camel.component.file.remote.FtpsEndpoint.java
/** * Create the FTPS client.//from ww w. ja va 2 s. com */ protected FTPClient createFtpClient() throws Exception { FTPSClient client = null; if (sslContextParameters != null) { SSLContext context = sslContextParameters.createSSLContext(); client = new FTPSClient(getFtpsConfiguration().isImplicit(), context); // The FTPSClient tries to manage the following SSLSocket related configuration options // on its own based on internal configuration options. FTPSClient does not lend itself // to subclassing for the purpose of overriding this behavior (private methods, fields, etc.). // As such, we create a socket (preconfigured by SSLContextParameters) from the context // we gave to FTPSClient and then setup FTPSClient to reuse the already configured configuration // from the socket for all future sockets it creates. Not sexy and a little brittle, but it works. SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket(); client.setEnabledCipherSuites(socket.getEnabledCipherSuites()); client.setEnabledProtocols(socket.getEnabledProtocols()); client.setNeedClientAuth(socket.getNeedClientAuth()); client.setWantClientAuth(socket.getWantClientAuth()); client.setEnabledSessionCreation(socket.getEnableSessionCreation()); } else { client = new FTPSClient(getFtpsConfiguration().getSecurityProtocol(), getFtpsConfiguration().isImplicit()); if (ftpClientKeyStoreParameters != null) { String type = (ftpClientKeyStoreParameters.containsKey("type")) ? (String) ftpClientKeyStoreParameters.get("type") : KeyStore.getDefaultType(); String file = (String) ftpClientKeyStoreParameters.get("file"); String password = (String) ftpClientKeyStoreParameters.get("password"); String algorithm = (ftpClientKeyStoreParameters.containsKey("algorithm")) ? (String) ftpClientKeyStoreParameters.get("algorithm") : KeyManagerFactory.getDefaultAlgorithm(); String keyPassword = (String) ftpClientKeyStoreParameters.get("keyPassword"); KeyStore keyStore = KeyStore.getInstance(type); FileInputStream keyStoreFileInputStream = new FileInputStream(new File(file)); try { keyStore.load(keyStoreFileInputStream, password.toCharArray()); } finally { IOHelper.close(keyStoreFileInputStream, "keyStore", log); } KeyManagerFactory keyMgrFactory = KeyManagerFactory.getInstance(algorithm); keyMgrFactory.init(keyStore, keyPassword.toCharArray()); client.setNeedClientAuth(true); client.setKeyManager(keyMgrFactory.getKeyManagers()[0]); } if (ftpClientTrustStoreParameters != null) { String type = (ftpClientTrustStoreParameters.containsKey("type")) ? (String) ftpClientTrustStoreParameters.get("type") : KeyStore.getDefaultType(); String file = (String) ftpClientTrustStoreParameters.get("file"); String password = (String) ftpClientTrustStoreParameters.get("password"); String algorithm = (ftpClientTrustStoreParameters.containsKey("algorithm")) ? (String) ftpClientTrustStoreParameters.get("algorithm") : TrustManagerFactory.getDefaultAlgorithm(); KeyStore trustStore = KeyStore.getInstance(type); FileInputStream trustStoreFileInputStream = new FileInputStream(new File(file)); try { trustStore.load(trustStoreFileInputStream, password.toCharArray()); } finally { IOHelper.close(trustStoreFileInputStream, "trustStore", log); } TrustManagerFactory trustMgrFactory = TrustManagerFactory.getInstance(algorithm); trustMgrFactory.init(trustStore); client.setTrustManager(trustMgrFactory.getTrustManagers()[0]); } } return client; }