/**
 * Finishes handshake bookkeeping once the last handshake result reports FINISHED and
 * sets the selection key's interest ops according to whether handshake bytes are still
 * queued in {@code netWriteBuffer}.
 *
 * @throws IOException if the recorded handshake result is not FINISHED
 */
private void handshakeFinished() throws IOException {
    // SSLEngine.getHandshakeStatus() is transient: it may already report NOT_HANDSHAKING
    // once the handshake is over, so FINISHED is only reliably observable on the
    // SSLEngineResult captured in handshakeResult.
    if (handshakeResult.getHandshakeStatus() != HandshakeStatus.FINISHED) {
        throw new IOException("NOT_HANDSHAKING during handshake");
    }
    if (netWriteBuffer.hasRemaining()) {
        // The final handshake packet has not been fully flushed: keep OP_WRITE so the
        // selector wakes us up to deliver the rest.
        key.interestOps(key.interestOps() | SelectionKey.OP_WRITE);
    } else {
        // Everything has been delivered; the channel is ready for application data.
        state = State.READY;
        key.interestOps(key.interestOps() & ~SelectionKey.OP_WRITE);
        final SSLSession session = sslEngine.getSession();
        // peerHost here is SSLSession.getPeerHost(), an unauthenticated hint; the
        // authenticated identity is peerPrincipal().
        log.debug("SSL handshake completed successfully with peerHost '{}' peerPort {} peerPrincipal '{}' cipherSuite '{}'",
                session.getPeerHost(), session.getPeerPort(), peerPrincipal(), session.getCipherSuite());
    }
    log.trace("SSLHandshake FINISHED channelId {}, appReadBuffer pos {}, netReadBuffer pos {}, netWriteBuffer pos {} ",
            channelId, appReadBuffer.position(), netReadBuffer.position(), netWriteBuffer.position());
}
/**
 * Returns the peer host reported by the wrapped session.
 * Per {@link javax.net.ssl.SSLSession#getPeerHost()} this value is not authenticated
 * and is only meant as a hint (e.g. for session caching).
 */
public String getPeerHost() {
    return this.unwrap().getPeerHost();
}
/**
 * Returns the certificate chain presented by the peer, or an empty array when there is
 * no TLS stream handler or the peer's certificates were not verified.
 */
@Override
public Certificate[] getPeerCertificates() {
    if (tlsStreamHandler == null) {
        return new Certificate[0];
    }
    try {
        return tlsStreamHandler.getSSLSession().getPeerCertificates();
    } catch (SSLPeerUnverifiedException e) {
        // Perfectly valid when client-auth is 'want', a problem when it is 'need'.
        // Callers cannot tell the two apart from the empty result alone.
        Log.debug("Peer certificates have not been verified - there are no certificates to return for: {}",
                tlsStreamHandler.getSSLSession().getPeerHost(), e);
        return new Certificate[0];
    }
}
/**
 * Accepts every host: this verifier never rejects a session. With debugging enabled it
 * only logs the requested host next to the session's (unauthenticated) peer host.
 */
public boolean verify( String hostname, SSLSession session ) {
    if ( !isDebug() ) {
        return true;
    }
    logDebug( "Warning: URL Host: " + hostname + " vs. " + session.getPeerHost() );
    return true;
} };
/**
 * Invalidates every cached SSL/TLS session in {@code sessionContext} whose peer host
 * (case-insensitively) and peer port match {@code remoteAddress}.
 *
 * @param sessionContext the session cache to scan
 * @param remoteAddress  the peer whose sessions should be dropped
 */
private void clearSessionCache(final SSLSessionContext sessionContext, final InetSocketAddress remoteAddress) {
    // Note: InetSocketAddress.getHostName() may trigger a reverse lookup when the
    // address was built from a literal IP.
    final String hostName = remoteAddress.getHostName();
    final int port = remoteAddress.getPort();
    final Enumeration<byte[]> ids = sessionContext.getIds();
    if (ids == null) {
        return;
    }
    while (ids.hasMoreElements()) {
        final SSLSession session = sessionContext.getSession(ids.nextElement());
        if (session == null || session.getPeerHost() == null) {
            continue;
        }
        // getPeerHost() is only a cache hint, which is exactly what it is used for here.
        if (!session.getPeerHost().equalsIgnoreCase(hostName) || session.getPeerPort() != port) {
            continue;
        }
        session.invalidate();
        if (LOG.isDebugEnabled()) {
            LOG.debug("Invalidated session " + session);
        }
    }
}
+ session.getPeerHost() + ", CipherSuite: " + session.getCipherSuite());
+ session.getPeerHost() + ", CipherSuite: " + session.getCipherSuite()); + session.getPeerHost() + ", CipherSuite: " + session.getCipherSuite());
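SSLSocketFactory ssf = (SSLSocketFactory) SSLSocketFactory.getDefault();
// It's important NOT to resolve the IP address first, but to use the intended name:
// SSLSession.getPeerHost() is an unauthenticated hint that reflects the name the socket
// was opened with, so the verifier below is checked against the host the caller meant.
// try-with-resources closes the socket on every path, including a failed handshake.
try (SSLSocket socket = (SSLSocket) ssf.createSocket("my.host.name", 443)) {
    socket.startHandshake();
    SSLSession session = socket.getSession();
    StrictHostnameVerifier verifier = new StrictHostnameVerifier();
    if (!verifier.verify(session.getPeerHost(), session)) {
        // throw some exception or do something similar - the check must fail closed,
        // otherwise the unverified connection would silently be used.
        throw new SSLPeerUnverifiedException("Hostname verification failed for " + session.getPeerHost());
    }
}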
/**
 * Invalidates all SSL/TLS sessions in {@code sessionContext} that belong to the peer
 * identified by {@code remoteAddress} (host compared case-insensitively, port exactly).
 *
 * @param sessionContext collection of SSL/TLS sessions to be (potentially) invalidated
 * @param remoteAddress  associated with sessions to invalidate
 */
private void clearSessionCache(final SSLSessionContext sessionContext, final InetSocketAddress remoteAddress) {
    final String targetHost = remoteAddress.getHostName();
    final int targetPort = remoteAddress.getPort();
    final Enumeration<byte[]> sessionIds = sessionContext.getIds();
    if (sessionIds == null) {
        return;
    }
    while (sessionIds.hasMoreElements()) {
        final byte[] sessionId = sessionIds.nextElement();
        final SSLSession candidate = sessionContext.getSession(sessionId);
        if (candidate == null) {
            continue;
        }
        // getPeerHost() is unauthenticated; matching on it is fine for cache eviction.
        final boolean hostMatches = candidate.getPeerHost() != null
                && candidate.getPeerHost().equalsIgnoreCase(targetHost);
        if (hostMatches && candidate.getPeerPort() == targetPort) {
            candidate.invalidate();
            if (LOG.isDebugEnabled()) {
                LOG.debug("Invalidated session " + candidate);
            }
        }
    }
}
.equalsIgnoreCase(session.getPeerHost()); SSLContext sslContext = SSLContexts.custom() .loadTrustMaterial(null, new TrustStrategy() {
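/**
 * Checks the server's certificate chain: runs the custom peer check first and then
 * delegates to the wrapped trust manager. Skipped entirely when peer auth is disabled.
 *
 * @param chain    the peer certificate chain
 * @param authType the key exchange algorithm used
 * @param engine   the engine used for this connection, may be null
 * @throws CertificateException if either check rejects the chain
 */
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
    if (!option.isAuthPeer()) {
        return;
    }
    String ip = null;
    if (engine != null) {
        // getHandshakeSession() returns null when the engine is not mid-handshake;
        // treat that like a missing engine rather than failing with NullPointerException.
        SSLSession session = engine.getHandshakeSession();
        if (session != null) {
            // getPeerHost() is an unauthenticated hint (possibly an address string, not a
            // resolved name); the custom check must not treat it as a verified identity.
            ip = session.getPeerHost();
        }
    }
    checkTrustedCustom(chain, ip);
    trustManager.checkServerTrusted(chain, authType, engine);
}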
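/**
 * Checks the client's certificate chain: runs the custom peer check first and then
 * delegates to the wrapped trust manager. Skipped entirely when peer auth is disabled.
 *
 * @param chain    the peer certificate chain
 * @param authType the key exchange algorithm used
 * @param engine   the engine used for this connection, may be null
 * @throws CertificateException if either check rejects the chain
 */
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
    if (!option.isAuthPeer()) {
        return;
    }
    String ip = null;
    if (engine != null) {
        // getHandshakeSession() returns null when the engine is not mid-handshake;
        // treat that like a missing engine rather than failing with NullPointerException.
        SSLSession session = engine.getHandshakeSession();
        if (session != null) {
            // getPeerHost() is an unauthenticated hint (possibly an address string, not a
            // resolved name); the custom check must not treat it as a verified identity.
            ip = session.getPeerHost();
        }
    }
    checkTrustedCustom(chain, ip);
    trustManager.checkClientTrusted(chain, authType, engine);
}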
throws SSLPeerUnverifiedException { try { String hostname = sslSession.getPeerHost(); X509Certificate serverCertificate = (X509Certificate) sslSession .getPeerCertificates()[0];
/**
 * Accepts the session when the requested host matches the session's peer host,
 * ignoring case. Note that SSLSession.getPeerHost() is an unauthenticated value
 * (typically the name the connection was opened with), not something read from the
 * certificate, so this comparison does not by itself bind the certificate to the host.
 */
@Override
public boolean verify(String requestedHost, SSLSession remoteServerSession) {
    final String peerHost = remoteServerSession.getPeerHost();
    return requestedHost.equalsIgnoreCase(peerHost);
}
}
/**
 * Always returns true, i.e. host name verification is disabled for this connection.
 * The requested host and the session's peer host are only emitted at trace level.
 */
public boolean verify(String hostname, javax.net.ssl.SSLSession session) {
    if (!log.isTraceEnabled()) {
        return true;
    }
    log.trace("HostName verification disabled");
    log.trace("Host: " + hostname);
    log.trace("Peer Host: " + session.getPeerHost());
    return true;
}
});
/**
 * Always accepts the session. When the requested host name and the session's peer host
 * differ, the first sighting of each (hostname, peerHost) pair is logged and remembered
 * in sslMap so the same mismatch is not reported again.
 */
public boolean verify(String hostname, SSLSession session) {
    final String peerHost = session.getPeerHost();
    if (hostname.equals(peerHost)) {
        return true;
    }
    final String previouslySeen = sslMap.get(hostname);
    if (previouslySeen != null && previouslySeen.equals(peerHost)) {
        // Already warned about exactly this mismatch.
        return true;
    }
    logger.warn("hostname was %s while session was %s", hostname, peerHost);
    sslMap.put(hostname, peerHost);
    return true;
}
}
/**
 * Never rejects a session. A mismatch between the requested host name and the
 * session's peer host is logged once per distinct pair, tracked through sslMap.
 */
public boolean verify(String hostname, SSLSession session) {
    final String sessionHost = session.getPeerHost();
    final boolean mismatch = !hostname.equals(sessionHost);
    if (mismatch) {
        final String lastSeen = sslMap.get(hostname);
        final boolean alreadyReported = lastSeen != null && lastSeen.equals(sessionHost);
        if (!alreadyReported) {
            logger.warn("hostname was %s while session was %s", hostname, sessionHost);
            sslMap.put(hostname, sessionHost);
        }
    }
    return true;
}
}
/**
 * Permissive verifier: returns true for every session. If the requested host name and
 * the peer host disagree, a warning is written the first time that particular pairing
 * is seen, and the pairing is stored in sslMap to suppress repeats.
 */
public boolean verify(String hostname, SSLSession session) {
    final String reportedHost = session.getPeerHost();
    if (!hostname.equals(reportedHost)) {
        recordMismatchOnce(hostname, reportedHost);
    }
    return true;
}

/** Logs the mismatch unless sslMap already holds this exact pairing, then records it. */
private void recordMismatchOnce(String hostname, String reportedHost) {
    final String known = sslMap.get(hostname);
    if (known == null || !known.equals(reportedHost)) {
        logger.warn("hostname was %s while session was %s", hostname, reportedHost);
        sslMap.put(hostname, reportedHost);
    }
}
}
/**
 * Returns the peer's certificate chain from the current TLS session. Yields an empty
 * array when there is no TLS stream handler or the peer's identity was not verified.
 */
@Override
public Certificate[] getPeerCertificates() {
    final Certificate[] none = new Certificate[0];
    if (tlsStreamHandler == null) {
        return none;
    }
    try {
        return tlsStreamHandler.getSSLSession().getPeerCertificates();
    } catch (SSLPeerUnverifiedException e) {
        // Perfectly valid when client-auth is 'want', a problem when it is 'need'.
        Log.debug("Peer certificates have not been verified - there are no certificates to return for: {}",
                tlsStreamHandler.getSSLSession().getPeerHost(), e);
    }
    return none;
}
/**
 * Drops the index entry for a removed session, keyed by its peer host and port.
 * Sessions that report no peer host are skipped.
 */
protected void sessionRemoved(SSLSession session) {
    final String peerHost = session.getPeerHost();
    final int peerPort = session.getPeerPort();
    if (peerHost == null) {
        return;
    }
    final HostAndPort indexKey = new HostAndPort(peerHost, peerPort);
    // The map is guarded by its own monitor; presumably all other accesses lock it too.
    synchronized (sessionsByHostAndPort) {
        sessionsByHostAndPort.remove(indexKey);
    }
}