Class TLSSocketFactory

  • All Implemented Interfaces:
    org.apache.http.conn.socket.ConnectionSocketFactory, org.apache.http.conn.socket.LayeredConnectionSocketFactory

    @ThreadSafe
    public class TLSSocketFactory
    extends Object
    implements org.apache.http.conn.socket.LayeredConnectionSocketFactory
    An implementation of HttpClient LayeredConnectionSocketFactory that is a factory for TLS sockets.

    This class is functionally modeled on SSLConnectionSocketFactory, but provides better support for subclassing, as well as specific additional features:

    • Factory hostname verifier defaults to DefaultHostnameVerifier without a configured PublicSuffixMatcher.
    • Per-request specification of enabled TLS protocols and cipher suites via HttpContext attributes.
    • Per-request specification of hostname verifier via HttpContext attribute.
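
Added example, not taken from the library's own documentation: a client built on this factory with a factory-wide TLS 1.2/1.3 baseline, plus one request that supplies its own protocol and cipher-suite lists through the two context keys documented under Field Detail. The import package for TLSSocketFactory (not shown on this page), the class name TlsPerRequestExample and the URL https://example.org/ are assumptions.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
// Assumption: the package is not shown on this page; adjust to your library version.
import net.shibboleth.utilities.java.support.httpclient.TLSSocketFactory;

public class TlsPerRequestExample {

    public static void main(String[] args) throws Exception {
        // Factory-wide settings: TLS 1.2 and 1.3 only, no cipher-suite list (null),
        // and the strict hostname verifier rather than ALLOW_ALL_HOSTNAME_VERIFIER.
        TLSSocketFactory factory = new TLSSocketFactory(
                SSLContext.getDefault(),
                new String[] {"TLSv1.2", "TLSv1.3"},
                null,
                TLSSocketFactory.STRICT_HOSTNAME_VERIFIER);

        try (CloseableHttpClient client = HttpClients.custom()
                .setSSLSocketFactory(factory)
                .build()) {

            // Request-specific lists. Both attributes must be List<String>.
            HttpClientContext context = HttpClientContext.create();
            context.setAttribute(TLSSocketFactory.CONTEXT_KEY_TLS_PROTOCOLS,
                    Arrays.asList("TLSv1.3"));
            context.setAttribute(TLSSocketFactory.CONTEXT_KEY_TLS_CIPHER_SUITES,
                    Arrays.asList("TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"));

            // The context passed to execute() is the one the socket factory receives.
            // example.org is a placeholder endpoint.
            try (CloseableHttpResponse response =
                    client.execute(new HttpGet("https://example.org/"), context)) {
                System.out.println(response.getStatusLine());
            }
        }
    }
}
```

A handshake failure on the second request indicates the server does not offer any of the protocols or suites listed for that request; the JVM must also support every name placed in the lists.
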
    • Field Detail

      • CONTEXT_KEY_TLS_PROTOCOLS

        @Nonnull
        @NotEmpty
        public static final String CONTEXT_KEY_TLS_PROTOCOLS
        HttpContext key for a list of TLS protocols to enable on the socket. Must be an instance of List<String>.
        See Also:
        Constant Field Values
      • CONTEXT_KEY_TLS_CIPHER_SUITES

        @Nonnull
        @NotEmpty
        public static final String CONTEXT_KEY_TLS_CIPHER_SUITES
        HttpContext key for a list of TLS cipher suites to enable on the socket. Must be an instance of List<String>.
        See Also:
        Constant Field Values
      • ALLOW_ALL_HOSTNAME_VERIFIER

        @Nonnull
        public static final HostnameVerifier ALLOW_ALL_HOSTNAME_VERIFIER
        Hostname verifier which passes all hostnames.
      • STRICT_HOSTNAME_VERIFIER

        @Nonnull
        public static final HostnameVerifier STRICT_HOSTNAME_VERIFIER
        Hostname verifier which implements a strict policy.
      • log

        @Nonnull
        private final org.slf4j.Logger log
        Logger.
      • socketfactory

        @Nonnull
        private final SSLSocketFactory socketfactory
        Socket factory.
      • hostnameVerifier

        @Nonnull
        private final HostnameVerifier hostnameVerifier
        Hostname verifier.
      • supportedProtocols

        private final String[] supportedProtocols
        Factory-wide supported protocols.
      • supportedCipherSuites

        private final String[] supportedCipherSuites
        Factory-wide supported cipher suites.
    • Constructor Detail

      • TLSSocketFactory

        public TLSSocketFactory​(@Nonnull
                                SSLContext sslContext)
        Constructor.
        Parameters:
        sslContext - the effective SSLContext instance
      • TLSSocketFactory

        public TLSSocketFactory​(@Nonnull
                                SSLContext sslContext,
                                @Nullable
                                HostnameVerifier verifier)
        Constructor.
        Parameters:
        sslContext - the effective SSLContext instance
        verifier - the effective hostname verifier
      • TLSSocketFactory

        public TLSSocketFactory​(@Nonnull
                                SSLContext sslContext,
                                @Nullable
                                String[] protocols,
                                @Nullable
                                String[] cipherSuites,
                                @Nullable
                                HostnameVerifier verifier)
        Constructor.
        Parameters:
        sslContext - the effective SSLContext instance
        protocols - the factory-wide enabled TLS protocols
        cipherSuites - the factory-wide enabled TLS cipher suites
        verifier - the effective hostname verifier
      • TLSSocketFactory

        public TLSSocketFactory​(@Nonnull
                                SSLSocketFactory factory,
                                @Nullable
                                HostnameVerifier verifier)
        Constructor.
        Parameters:
        factory - the effective SSL socket factory
        verifier - the effective hostname verifier
      • TLSSocketFactory

        public TLSSocketFactory​(@Nonnull
                                SSLSocketFactory factory,
                                @Nullable
                                String[] protocols,
                                @Nullable
                                String[] cipherSuites,
                                @Nullable
                                HostnameVerifier verifier)
        Constructor.
        Parameters:
        factory - the effective SSL socket factory
        protocols - the factory-wide enabled TLS protocols
        cipherSuites - the factory-wide enabled TLS cipher suites
        verifier - the effective hostname verifier
    • Method Detail

      • getSocketfactory

        @Nonnull
        protected SSLSocketFactory getSocketfactory()
        Get the JSSE socket factory instance.
        Returns:
        the socket factory
      • getHostnameVerifier

        @Nonnull
        protected HostnameVerifier getHostnameVerifier()
        Get the configured hostname verifier.
        Returns:
        the hostname verifier
      • getSupportedProtocols

        @Nullable
        protected String[] getSupportedProtocols()
        Get the configured factory-wide supported protocols.
        Returns:
        the configured protocols
      • getSupportedCipherSuites

        @Nullable
        protected String[] getSupportedCipherSuites()
        Get the configured factory-wide supported cipher suites.
        Returns:
        the configured cipher suites
      • prepareSocket

        protected void prepareSocket​(@Nonnull
                                     SSLSocket socket,
                                     @Nullable
                                     org.apache.http.protocol.HttpContext context)
                              throws IOException
        Performs any custom initialization for a newly created SSLSocket (before the SSL handshake happens). The default implementation is a no-op, but could be overridden to, e.g., call SSLSocket.setEnabledCipherSuites(String[]).
        Parameters:
        socket - the SSL socket instance being prepared
        context - the current HttpContext instance
        Throws:
        IOException - if there is an error customizing the socket
      • createSocket

        @Nonnull
        public Socket createSocket​(@Nullable
                                   org.apache.http.protocol.HttpContext context)
                            throws IOException
        Specified by:
        createSocket in interface org.apache.http.conn.socket.ConnectionSocketFactory
        Throws:
        IOException
      • connectSocket

        public Socket connectSocket​(int connectTimeout,
                                    Socket socket,
                                    org.apache.http.HttpHost host,
                                    InetSocketAddress remoteAddress,
                                    InetSocketAddress localAddress,
                                    org.apache.http.protocol.HttpContext context)
                             throws IOException
        Specified by:
        connectSocket in interface org.apache.http.conn.socket.ConnectionSocketFactory
        Throws:
        IOException
      • createLayeredSocket

        public Socket createLayeredSocket​(Socket socket,
                                          String target,
                                          int port,
                                          org.apache.http.protocol.HttpContext context)
                                   throws IOException
        Specified by:
        createLayeredSocket in interface org.apache.http.conn.socket.LayeredConnectionSocketFactory
        Throws:
        IOException
      • logSocketInfo

        private void logSocketInfo​(SSLSocket socket)
        Log various diagnostic information from the SSLSocket and SSLSession.
        Parameters:
        socket - the SSLSocket instance
      • getListAttribute

        @Nullable
        protected String[] getListAttribute​(@Nullable
                                            org.apache.http.protocol.HttpContext context,
                                            @Nonnull
                                            String contextKey)
        Get a normalized String array from a context attribute holding a List<String>.
        Parameters:
        context - the current HttpContext
        contextKey - the attribute context key
        Returns:
        a String array, or null
      • verifyHostname

        protected void verifyHostname​(@Nonnull
                                      SSLSocket sslsock,
                                      @Nonnull
                                      String hostname,
                                      @Nullable
                                      org.apache.http.protocol.HttpContext context)
                               throws IOException
        Verify the peer's socket hostname against the supplied expected name.
        Parameters:
        sslsock - the SSL socket being prepared
        hostname - the expected hostname
        context - the current HttpContext instance
        Throws:
        IOException - if peer failed hostname verification, or if there was an error during verification