Package org.mozilla.jss.nss
Class SSL
java.lang.Object
org.mozilla.jss.nss.SSL
Field Summary
static final int ENABLE_FALLBACK_SCSV
    Option for sending SCSV in handshakes.
static final int ENABLE_POST_HANDSHAKE_AUTH
    Enable post-handshake authentication extension.
static final int ENABLE_RENEGOTIATION
    Option for configuring renegotiation after initial handshake.
static final int RENEGOTIATE_NEVER
    Value for never allowing renegotiation after initial handshake.
static final int RENEGOTIATE_REQUIRES_XTN
    Value for allowing renegotiation after initial handshake with the TLS renegotiation_info extension; safe.
static final int RENEGOTIATE_TRANSITIONAL
    Value for disallowing unsafe renegotiation in server sockets only, but allowing clients to continue to renegotiate with vulnerable servers.
static final int RENEGOTIATE_UNRESTRICTED
    Value for always allowing renegotiation after initial handshake, regardless of whether or not the peer's client hello bears the renegotiation_info extension; unsafe.
static final int REQUEST_CERTIFICATE
    Request certificate from the remote peer.
static final int REQUIRE_ALWAYS
    Value for always requiring a certificate.
static final int REQUIRE_CERTIFICATE
    Require certificate from the remote peer.
static final int REQUIRE_FIRST_HANDSHAKE
    Value for requiring a certificate only on the first handshake.
static final int REQUIRE_NEVER
    Value for never requiring a certificate.
static final int REQUIRE_NO_ERROR
    Value for requiring a certificate but not erring if the peer doesn't provide one.
static final int REQUIRE_SAFE_NEGOTIATION
    Option for requiring safe negotiation.
static final int SECFailure
    Return value on failure from NSS functions.
static final int SECSuccess
    Return value on success from NSS functions.
static final int SECWouldBlock
    Return value from NSS functions when the operation would block.
Constructor Summary
SSL()
Method Summary
static int AttachClientCertCallback
    Use client authentication; set client certificate from SSLFDProxy.
static int AuthCertificateComplete(SSLFDProxy fd, int error)
    Inform NSS that the asynchronous certificate check handler has completed, allowing us to continue the handshake.
static boolean CipherPrefGet(SSLFDProxy fd, int cipher)
    Get the preference for a specific cipher suite on the specified PRFileDesc.
static boolean CipherPrefGetDefault(int cipher)
    Get the default preferences for a specific cipher suite across all future PRFileDesc's.
static int CipherPrefSet(SSLFDProxy fd, int cipher, boolean enabled)
    Set the preference for a specific cipher suite on the specified PRFileDesc.
static int CipherPrefSetDefault(int cipher, boolean enabled)
    Set the default preferences for a specific cipher suite across all future PRFileDesc's.
static int ConfigAsyncBadCertCallback
    Use an asynchronous bad certificate handler which allows us to approve rejected certificates.
static int ConfigAsyncTrustManagerCertAuthCallback
    Use an asynchronous certificate checking handler which allows us to invoke an arbitrary number of TrustManagers.
static int ConfigJSSDefaultCertAuthCallback
    Use the default JSS certificate checking handler (which understands CryptoManager OCSP status).
static int ConfigSecureServer(SSLFDProxy fd, PK11Cert cert, PK11PrivKey key, int kea)
    Deprecated. Replaced with ConfigServerCert. See also: SSL_ConfigSecureServer in /usr/include/nss3/ssl.h
static int ConfigServerCert(SSLFDProxy fd, PK11Cert cert, PK11PrivKey key)
    Configure the certificate and private key for a server socket.
static int ConfigServerSessionIDCache(int maxCacheEntries, long timeout, long ssl3_timeout, String directory)
    Configure the server's session cache.
static int ConfigSyncBadCertCallback
    Use a synchronous bad certificate handler which allows us to approve rejected certificates.
static int ConfigSyncTrustManagerCertAuthCallback
    Use a synchronous certificate checking handler based on the SSLFDProxy proper.
static int EnableAlertLogging
    Enable recording of alerts in the SSLFDProxy object.
private static int EnableAlertLoggingNative
static int EnableHandshakeCallback
static int ForceHandshake
    Force a handshake to occur if not started, else step one.
static SSLChannelInfo GetChannelInfo
    Inquire for SSL Channel Information after the handshake has completed.
static SSLPreliminaryChannelInfo GetPreliminaryChannelInfo
    Inquire for SSL Channel Information before the handshake has completed.
private static int getSSLEnableFallbackSCSV()
private static int getSSLEnablePostHandshakeAuth()
private static int getSSLEnableRenegotiation()
private static int getSSLRenegotiateNever()
private static int getSSLRenegotiateRequiresXtn()
private static int getSSLRenegotiateTransitional()
private static int getSSLRenegotiateUnrestricted()
private static int getSSLRequestCertificate()
private static int getSSLRequireAlways()
private static int getSSLRequireCertificate()
private static int getSSLRequireFirstHandshake()
private static int getSSLRequireNever()
private static int getSSLRequireNoError()
private static int getSSLRequireSafeNegotiation()
private static int getSSLSECFailure()
private static int getSSLSECSuccess()
private static int getSSLSECWouldBlock()
static SSLFDProxy ImportFD
    Import a file descriptor to create a new SSL file descriptor out of it.
static byte[] ImportFDNative(PRFDProxy model, PRFDProxy fd)
static int InvalidateSession
    Invalidate the SSL session associated with this socket.
static int KeyUpdate(SSLFDProxy fd, boolean requestUpdate)
    Send the TLS 1.3 KeyUpdate Request; experimental.
static int OptionGet(SSLFDProxy fd, int option)
    Get the value of a SSL option on the specified PRFileDesc.
static int OptionSet(SSLFDProxy fd, int option, int val)
    Set the value of a SSL option on the specified PRFileDesc.
static PK11Cert PeerCertificate
    Introspect the peer's certificate.
static PK11Cert[] PeerCertificateChain
    Introspect the peer's certificate chain.
static int ReHandshake(SSLFDProxy fd, boolean flushCache)
    Rehandshake an existing socket, optionally flushing the cache line.
static void RemoveCallbacks
    Removes all enabled callbacks.
static int ResetHandshake(SSLFDProxy fd, boolean asServer)
    Reset the handshake status, optionally handshaking as a server.
static SecurityStatusResult SecurityStatus
    Check the security status of a SSL handshake.
static int SendCertificateRequest
    Send the TLS 1.3 Certificate Request as a server; experimental.
static int SetURL(SSLFDProxy fd, String url)
    Set the hostname of a handshake on the specified PRFileDesc.
static SSLVersionRange VersionRangeGet
    Get the range of TLS versions enabled by this server.
static SSLVersionRange VersionRangeGetDefault()
    Get the range of TLS versions enabled in all future PRFileDesc's of the default STREAM protocol variant.
static SSLVersionRange VersionRangeGetDefault(SSLProtocolVariant variant)
    Get the range of TLS versions enabled in all future PRFileDesc's of the specified protocol variant.
private static SSLVersionRange VersionRangeGetDefaultNative(int variant)
static int VersionRangeSet(SSLFDProxy fd, SSLVersionRange range)
    Set the range of TLS versions enabled by this server by SSLVersionRange.
static int VersionRangeSetDefault(SSLProtocolVariant variant, SSLVersionRange range)
    Set the range of TLS versions enabled by default, for all future PRFileDesc's of the specified protocol variant.
static int VersionRangeSetDefault
    Set the range of TLS versions enabled by default, for all future PRFileDesc's of the default protocol variant type, STREAM.
private static int VersionRangeSetDefaultNative(int variant_ssl, int min_ssl, int max_ssl)
    Set the range of default TLS versions enabled in all future PRFileDesc's.
private static int VersionRangeSetNative(SSLFDProxy fd, int min_ssl, int max_ssl)
    Set the range of TLS versions enabled by this server.
Field Details
REQUEST_CERTIFICATE
    public static final int REQUEST_CERTIFICATE
    Request certificate from the remote peer. Value for use with OptionGet and OptionSet.
    See also: SSL_REQUEST_CERTIFICATE in /usr/include/nss3/ssl.h
REQUIRE_CERTIFICATE
    public static final int REQUIRE_CERTIFICATE
    Require certificate from the remote peer. Value for use with OptionGet and OptionSet.
    See also: SSL_REQUIRE_CERTIFICATE in /usr/include/nss3/ssl.h
SECSuccess
    public static final int SECSuccess
    Return value on success from NSS functions.
    See also: SECSuccess in /usr/include/nss3/seccomon.h
SECFailure
    public static final int SECFailure
    Return value on failure from NSS functions.
    See also: SECFailure in /usr/include/nss3/seccomon.h
SECWouldBlock
    public static final int SECWouldBlock
    Return value from NSS functions when the operation would block.
    See also: SECWouldBlock in /usr/include/nss3/seccomon.h
ENABLE_POST_HANDSHAKE_AUTH
    public static final int ENABLE_POST_HANDSHAKE_AUTH
    Enable post-handshake authentication extension. Value for use with OptionGet.
    See also: SSL_ENABLE_POST_HANDSHAKE_AUTH in /usr/include/nss3/ssl.h
ENABLE_RENEGOTIATION
    public static final int ENABLE_RENEGOTIATION
    Option for configuring renegotiation after initial handshake. Value for use with OptionGet and OptionSet.
    See also: SSL_ENABLE_RENEGOTIATION in /usr/include/nss3/ssl.h
REQUIRE_SAFE_NEGOTIATION
    public static final int REQUIRE_SAFE_NEGOTIATION
    Option for requiring safe negotiation. Value for use with OptionGet and OptionSet.
    See also: SSL_REQUIRE_SAFE_NEGOTIATION in /usr/include/nss3/ssl.h
RENEGOTIATE_NEVER
    public static final int RENEGOTIATE_NEVER
    Value for never allowing renegotiation after initial handshake. Value for use with ENABLE_RENEGOTIATION with OptionGet and OptionSet.
    See also: SSL_RENEGOTIATE_NEVER in /usr/include/nss3/ssl.h
RENEGOTIATE_UNRESTRICTED
    public static final int RENEGOTIATE_UNRESTRICTED
    Value for always allowing renegotiation after initial handshake, regardless of whether or not the peer's client hello bears the renegotiation_info extension; unsafe. Value for use with ENABLE_RENEGOTIATION with OptionGet and OptionSet.
    See also: SSL_RENEGOTIATE_UNRESTRICTED in /usr/include/nss3/ssl.h
RENEGOTIATE_REQUIRES_XTN
    public static final int RENEGOTIATE_REQUIRES_XTN
    Value for allowing renegotiation after initial handshake with the TLS renegotiation_info extension; safe. Value for use with ENABLE_RENEGOTIATION with OptionGet and OptionSet.
    See also: SSL_RENEGOTIATE_REQUIRES_XTN in /usr/include/nss3/ssl.h
RENEGOTIATE_TRANSITIONAL
    public static final int RENEGOTIATE_TRANSITIONAL
    Value for disallowing unsafe renegotiation in server sockets only, but allowing clients to continue to renegotiate with vulnerable servers. Value for use with ENABLE_RENEGOTIATION with OptionGet and OptionSet.
    See also: SSL_RENEGOTIATE_TRANSITIONAL in /usr/include/nss3/ssl.h
ENABLE_FALLBACK_SCSV
    public static final int ENABLE_FALLBACK_SCSV
    Option for sending SCSV in handshakes. Value for use with OptionGet and OptionSet.
    See also: SSL_ENABLE_FALLBACK_SCSV in /usr/include/nss3/ssl.h
REQUIRE_NEVER
    public static final int REQUIRE_NEVER
    Value for never requiring a certificate. Value for use with SSL_REQUIRE_CERTIFICATE with OptionGet and OptionSet.
    See also: SSL_REQUIRE_NEVER in /usr/include/nss3/ssl.h
REQUIRE_ALWAYS
    public static final int REQUIRE_ALWAYS
    Value for always requiring a certificate. Value for use with SSL_REQUIRE_CERTIFICATE with OptionGet and OptionSet.
    See also: SSL_REQUIRE_ALWAYS in /usr/include/nss3/ssl.h
REQUIRE_FIRST_HANDSHAKE
    public static final int REQUIRE_FIRST_HANDSHAKE
    Value for requiring a certificate only on the first handshake. Value for use with SSL_REQUIRE_CERTIFICATE with OptionGet and OptionSet.
    See also: SSL_REQUIRE_FIRST_HANDSHAKE in /usr/include/nss3/ssl.h
REQUIRE_NO_ERROR
    public static final int REQUIRE_NO_ERROR
    Value for requiring a certificate but not erring if the peer doesn't provide one. Value for use with SSL_REQUIRE_CERTIFICATE with OptionGet and OptionSet.
    See also: SSL_REQUIRE_NO_ERROR in /usr/include/nss3/ssl.h
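The renegotiation, safe-negotiation, client-certificate and version-range settings above are normally applied together, once, before the first handshake. The following Java class is an added example of doing that through SSL.OptionSet, SSL.VersionRangeSet and SSL.OptionGet; it is not code from JSS or from this page. It assumes the SSLFDProxy has already been created elsewhere (for example with ImportFD), that PR.GetError() in org.mozilla.jss.nss.PR returns the NSS error code of the last failed call, and that org.mozilla.jss.ssl.SSLVersion and SSLVersionRange exist with the enum values and constructor used here; everything else is taken from this page.

```java
import org.mozilla.jss.nss.PR;
import org.mozilla.jss.nss.SSL;
import org.mozilla.jss.nss.SSLFDProxy;
import org.mozilla.jss.ssl.SSLVersion;
import org.mozilla.jss.ssl.SSLVersionRange;

/**
 * Added example (not part of JSS): a conservative option profile for one SSLFDProxy,
 * built from the SSL.* constants documented on this page.
 */
public final class ConservativeSSLOptions {

    private ConservativeSSLOptions() {}

    /** Calls SSL.OptionSet and turns a SECFailure into an exception, so a rejected option is never silently ignored. */
    private static void setOption(SSLFDProxy fd, int option, int value, String name) {
        if (SSL.OptionSet(fd, option, value) != SSL.SECSuccess) {
            // Assumption: PR.GetError() exposes the NSPR/NSS error code of the failed call.
            throw new IllegalStateException("SSL_OptionSet(" + name + ") failed, NSS error " + PR.GetError());
        }
    }

    /**
     * @param fd                SSL file descriptor, already imported with SSL.ImportFD
     * @param serverSide        true when this fd will accept connections
     * @param requireClientCert server side only: fail the handshake unless the client presents a certificate
     * @param fallbackRetry     client side only: true only when this connection deliberately retries with a
     *                          lower protocol version than the previous attempt
     */
    public static void apply(SSLFDProxy fd, boolean serverSide, boolean requireClientCert, boolean fallbackRetry)
            throws Exception {
        // Renegotiation after the first handshake is disabled outright (RENEGOTIATE_NEVER) and, as a second
        // line of defence should it ever be re-enabled, the renegotiation_info extension is required.
        setOption(fd, SSL.ENABLE_RENEGOTIATION, SSL.RENEGOTIATE_NEVER, "ENABLE_RENEGOTIATION");
        setOption(fd, SSL.REQUIRE_SAFE_NEGOTIATION, 1, "REQUIRE_SAFE_NEGOTIATION");

        // TLS_FALLBACK_SCSV is only meaningful on a deliberate downgrade retry: sending it on a normal
        // connection makes a server that supports a higher version abort the handshake.
        if (!serverSide && fallbackRetry) {
            setOption(fd, SSL.ENABLE_FALLBACK_SCSV, 1, "ENABLE_FALLBACK_SCSV");
        }

        if (serverSide) {
            // Ask for a client certificate. REQUIRE_ALWAYS rejects the handshake without one;
            // REQUIRE_NO_ERROR lets it proceed and leaves the decision to the application.
            setOption(fd, SSL.REQUEST_CERTIFICATE, 1, "REQUEST_CERTIFICATE");
            setOption(fd, SSL.REQUIRE_CERTIFICATE,
                      requireClientCert ? SSL.REQUIRE_ALWAYS : SSL.REQUIRE_NO_ERROR, "REQUIRE_CERTIFICATE");
        }

        // Restrict the protocol range to TLS 1.2 through TLS 1.3
        // (assumption: SSLVersion and SSLVersionRange live in org.mozilla.jss.ssl with this shape).
        SSLVersionRange range = new SSLVersionRange(SSLVersion.TLS_1_2, SSLVersion.TLS_1_3);
        if (SSL.VersionRangeSet(fd, range) != SSL.SECSuccess) {
            throw new IllegalStateException("SSL_VersionRangeSet failed, NSS error " + PR.GetError());
        }

        // Read the settings back. OptionGet throws on an unknown option, so a wrong constant surfaces here
        // rather than as a silently weaker connection later.
        if (SSL.OptionGet(fd, SSL.ENABLE_RENEGOTIATION) != SSL.RENEGOTIATE_NEVER
                || SSL.OptionGet(fd, SSL.REQUIRE_SAFE_NEGOTIATION) == 0) {
            throw new IllegalStateException("option read-back does not match the requested profile");
        }
    }
}
```

The read-back at the end is the part worth keeping in production code: OptionSet reports SECFailure only for options NSS rejects, so verifying the effective values with OptionGet is the cheapest way to catch a profile that was applied to the wrong descriptor or applied after the handshake had already started.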
Constructor Details
SSL
    public SSL()
Method Details
ImportFD
    Import a file descriptor to create a new SSL file descriptor out of it.
    See also: SSL_ImportFD in /usr/include/nss3/ssl.h
ImportFDNative
OptionSet
    Set the value of a SSL option on the specified PRFileDesc.
    See also: SSL_OptionSet in /usr/include/nss3/ssl.h
OptionGet
    Get the value of a SSL option on the specified PRFileDesc. Note that this raises an exception in the case of an invalid option.
    See also: SSL_OptionGet in /usr/include/nss3/ssl.h
    Throws: Exception
SetURL
    Set the hostname of a handshake on the specified PRFileDesc.
    See also: SSL_SetURL in /usr/include/nss3/ssl.h
CipherPrefSet
    Set the preference for a specific cipher suite on the specified PRFileDesc.
    See also: SSL_CipherPrefSet in /usr/include/nss3/ssl.h
CipherPrefGet
    Get the preference for a specific cipher suite on the specified PRFileDesc. Note that this can raise an Exception when the cipher is unknown.
    See also: SSL_CipherPrefGet in /usr/include/nss3/ssl.h
    Throws: Exception
CipherPrefSetDefault
    public static int CipherPrefSetDefault(int cipher, boolean enabled)
    Set the default preferences for a specific cipher suite across all future PRFileDesc's.
    See also: SSL_CipherPrefSetDefault in /usr/include/nss3/ssl.h
CipherPrefGetDefault
    public static boolean CipherPrefGetDefault(int cipher)
    Get the default preferences for a specific cipher suite across all future PRFileDesc's. Note that this can raise an Exception when the cipher is unknown.
    See also: SSL_CipherPrefGetDefault in /usr/include/nss3/ssl.h
VersionRangeSet
    Set the range of TLS versions enabled by this server by SSLVersionRange.
    See also: SSL_VersionRangeSet in /usr/include/nss3/ssl.h
VersionRangeSetNative
    Set the range of TLS versions enabled by this server. The integer parameters are values of the SSLVersion enum.
    See also: SSL_VersionRangeSet in /usr/include/nss3/ssl.h
VersionRangeGet
    Get the range of TLS versions enabled by this server.
    See also: SSL_VersionRangeSet in /usr/include/nss3/ssl.h
    Throws: Exception
VersionRangeSetDefault
    Set the range of TLS versions enabled by default, for all future PRFileDesc's of the default protocol variant type, STREAM.
    See also: SSL_VersionRangeSetDefault in /usr/include/nss3/ssl.h
VersionRangeSetDefault
    Set the range of TLS versions enabled by default, for all future PRFileDesc's of the specified protocol variant.
    See also: SSL_VersionRangeSetDefault in /usr/include/nss3/ssl.h
VersionRangeSetDefaultNative
    private static int VersionRangeSetDefaultNative(int variant_ssl, int min_ssl, int max_ssl)
    Set the range of default TLS versions enabled in all future PRFileDesc's. The integer parameters are values of the SSLVersion enum.
    See also: SSL_VersionRangeSet in /usr/include/nss3/ssl.h
VersionRangeGetDefault
    Get the range of TLS versions enabled in all future PRFileDesc's of the default STREAM protocol variant.
    See also: SSL_VersionRangeGetDefault in /usr/include/nss3/ssl.h
VersionRangeGetDefault
    Get the range of TLS versions enabled in all future PRFileDesc's of the specified protocol variant.
    See also: SSL_VersionRangeGetDefault in /usr/include/nss3/ssl.h
VersionRangeGetDefaultNative
SecurityStatus
    Check the security status of a SSL handshake.
    See also: SSL_SecurityStatus in /usr/include/nss3/ssl.h
GetChannelInfo
    Inquire for SSL Channel Information after the handshake has completed.
    See also: SSL_GetChannelInfo in /usr/include/nss3/ssl.h
GetPreliminaryChannelInfo
    Inquire for SSL Channel Information before the handshake has completed.
    See also: SSL_GetPreliminaryChannelInfo in /usr/include/nss3/ssl.h
ResetHandshake
    Reset the handshake status, optionally handshaking as a server.
    See also: SSL_ResetHandshake in /usr/include/nss3/ssl.h
ReHandshake
    Rehandshake an existing socket, optionally flushing the cache line.
    See also: SSL_ReHandshake in /usr/include/nss3/ssl.h
ForceHandshake
    Force a handshake to occur if not started, else step one.
    See also: SSL_ForceHandshake in /usr/include/nss3/ssl.h
ConfigSecureServer
    @Deprecated
    public static int ConfigSecureServer(SSLFDProxy fd, PK11Cert cert, PK11PrivKey key, int kea)
    Deprecated. Replaced with ConfigServerCert.
    Configure the certificate and private key for a server socket.
    See also: SSL_ConfigSecureServer in /usr/include/nss3/ssl.h
ConfigServerCert
    Configure the certificate and private key for a server socket. This form assumes no additional data is passed.
    See also: SSL_ConfigServerCert in /usr/include/nss3/ssl.h
ConfigServerSessionIDCache
    public static int ConfigServerSessionIDCache(int maxCacheEntries, long timeout, long ssl3_timeout, String directory)
    Configure the server's session cache.
    See also: SSL_ConfigServerSessionIDCache in /usr/include/nss3/ssl.h
InvalidateSession
    Invalidate the SSL session associated with this socket.
    See also: SSL_InvalidateSession in /usr/include/nss3/ssl.h
PeerCertificate
    Introspect the peer's certificate.
    See also: SSL_PeerCertificate in /usr/include/nss3/ssl.h
PeerCertificateChain
    Introspect the peer's certificate chain.
    See also: SSL_PeerCertificateChain in /usr/include/nss3/ssl.h
    Throws: Exception
SendCertificateRequest
    Send the TLS 1.3 Certificate Request as a server; experimental.
    See also: SSL_SendCertificateRequest in /usr/include/nss3/sslexp.h
KeyUpdate
    Send the TLS 1.3 KeyUpdate Request; experimental.
    See also: SSL_KeyUpdate in /usr/include/nss3/sslexp.h
AttachClientCertCallback
    Use client authentication; set client certificate from SSLFDProxy.
    See also: SSL_GetClientAuthDataHook in /usr/include/nss3/ssl.h, org.mozilla.jss.nss.SSLFDProxy.SetClientCert(...)
EnableAlertLogging
    Enable recording of alerts in the SSLFDProxy object.
    See also: SSL_AlertReceivedCallback in /usr/include/nss3/ssl.h, SSL_AlertSentCallback in /usr/include/nss3/ssl.h
EnableAlertLoggingNative
ConfigJSSDefaultCertAuthCallback
    Use the default JSS certificate checking handler (which understands CryptoManager OCSP status).
    See also: SSL_AuthCertificateHook in /usr/include/nss3/ssl.h and JSSL_DefaultCertAuthCallback in jss/ssl/callbacks.c
ConfigAsyncTrustManagerCertAuthCallback
    Use an asynchronous certificate checking handler which allows us to invoke an arbitrary number of TrustManagers. This makes functions like SSL_ForceHandshake, PR_Read, and PR_Write return to the caller when cert auth is required. We set the SSLFDProxy.needCertValidation field to true in this case. Set this field to false, call SSL_AuthCertificateComplete with the status code of the error (0 if the cert is valid), and resume handshaking.
    See also: SSL_AuthCertificateHook in /usr/include/nss3/ssl.h and JSSL_SSLFDAsyncCertAuthCallback in jss/nss/SSLFDProxy.c
ConfigSyncTrustManagerCertAuthCallback
    Use a synchronous certificate checking handler based on the SSLFDProxy proper. This allows us to invoke an arbitrary number of TrustManagers, but with the caveat that it needs to be synchronous and respond via the auth callback hook. This should only be called on the server side of the connection, because it doesn't support the superior async method.
    See also: SSL_AuthCertificateHook in /usr/include/nss3/ssl.h and JSSL_SSLFDSyncCertAuthCallback in jss/nss/SSLFDProxy.c
ConfigAsyncBadCertCallback
    Use an asynchronous bad certificate handler which allows us to approve rejected certificates. This allows us to bypass the hostname check failure caused by the Java socket having no knowledge of the hostname we use for certificate validation; no HostnameVerifier is passed in. As a result, NSS has no value for the hostname and validation will fail. Note: This does NOT work for server-side connections.
    See also: SSL_BadCertHook in /usr/include/nss3/ssl.h and JSSL_SSLFDAsyncBadCertCallback in jss/nss/SSLFDProxy.c
ConfigSyncBadCertCallback
    Use a synchronous bad certificate handler which allows us to approve rejected certificates. This allows us to bypass the hostname check failure caused by the Java socket having no knowledge of the hostname we use for certificate validation; no HostnameVerifier is passed in. As a result, NSS has no value for the hostname and validation will fail.
    See also: SSL_BadCertHook in /usr/include/nss3/ssl.h and JSSL_SSLFDSyncBadCertCallback in jss/nss/SSLFDProxy.c
AuthCertificateComplete
    Inform NSS that the asynchronous certificate check handler has completed, allowing us to continue the handshake. This is also used for the async bad certificate handler.
    See also: SSL_AuthCertificateComplete in /usr/include/nss3/ssl.h
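The sequence described under ConfigAsyncTrustManagerCertAuthCallback and AuthCertificateComplete (handshake call returns, needCertValidation is set, the application validates, clears the flag, reports the verdict, and resumes) is easy to get wrong in the order of the last three steps. The Java class below is an added example of a client-side driver for that sequence, written for this page and not taken from JSS. Its assumptions: ConfigAsyncTrustManagerCertAuthCallback and ForceHandshake each take the SSLFDProxy as their only argument (the page names them but not their parameters); needCertValidation is a public boolean field of SSLFDProxy; PR.GetError(), PR.ErrorToName(int) and PRErrors.WOULD_BLOCK_ERROR exist in org.mozilla.jss.nss; PK11Cert can be used as a java.security.cert.X509Certificate; and the non-zero NSS error code reported on rejection is chosen by the caller, since this page names none.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.X509TrustManager;
import org.mozilla.jss.nss.PR;
import org.mozilla.jss.nss.PRErrors;
import org.mozilla.jss.nss.SSL;
import org.mozilla.jss.nss.SSLFDProxy;
import org.mozilla.jss.pkcs11.PK11Cert;

/**
 * Added example (not JSS code): drives a client handshake with the asynchronous
 * TrustManager callback, so certificate validation runs on the calling thread
 * while NSS waits for SSL.AuthCertificateComplete.
 */
public final class AsyncTrustManagerHandshake {
    private final SSLFDProxy fd;
    private final X509TrustManager[] trustManagers;
    private final int rejectionErrorCode;

    /**
     * @param rejectionErrorCode non-zero NSS error code handed to AuthCertificateComplete when a
     *                           TrustManager rejects the chain (placeholder: the caller picks a value
     *                           from NSS's sslerr.h / secerr.h; this example does not choose one)
     */
    public AsyncTrustManagerHandshake(SSLFDProxy fd, X509TrustManager[] trustManagers, int rejectionErrorCode) {
        if (rejectionErrorCode == 0) {
            throw new IllegalArgumentException("0 means 'certificate valid'; the rejection code must be non-zero");
        }
        this.fd = fd;
        this.trustManagers = trustManagers.clone();
        this.rejectionErrorCode = rejectionErrorCode;
        // Assumed signature: the page names the method but not its parameters.
        if (SSL.ConfigAsyncTrustManagerCertAuthCallback(fd) != SSL.SECSuccess) {
            throw new IllegalStateException("could not install the async cert auth callback, NSS error " + PR.GetError());
        }
    }

    /**
     * Steps the handshake. Returns true once it is complete and false when the underlying
     * (non-blocking) descriptor would block; call again when the socket is ready.
     */
    public boolean step() throws Exception {
        while (true) {
            int ret = SSL.ForceHandshake(fd);  // assumed signature: (SSLFDProxy)

            if (fd.needCertValidation) {
                // NSS returned from inside its auth-certificate hook and is waiting for our verdict.
                int error = runTrustManagers();
                fd.needCertValidation = false;                     // 1. clear the flag ...
                if (SSL.AuthCertificateComplete(fd, error) != SSL.SECSuccess) {  // 2. ... report the verdict ...
                    throw new SSLHandshakeException("AuthCertificateComplete failed, NSS error " + PR.GetError());
                }
                if (error != 0) {
                    throw new SSLHandshakeException("peer certificate rejected by a TrustManager");
                }
                continue;                                           // 3. ... and resume the handshake
            }

            if (ret == SSL.SECSuccess) {
                return true;
            }
            int err = PR.GetError();
            if (err == PRErrors.WOULD_BLOCK_ERROR) {  // assumed constant name
                return false;
            }
            throw new SSLHandshakeException("handshake failed: " + PR.ErrorToName(err));
        }
    }

    /** Runs every TrustManager over the peer chain; returns 0 if all accept it, otherwise the rejection code. */
    private int runTrustManagers() throws Exception {
        PK11Cert[] peerChain = SSL.PeerCertificateChain(fd);  // throws on failure, as documented above
        if (peerChain == null || peerChain.length == 0) {
            return rejectionErrorCode;
        }
        // Assumption: PK11Cert extends java.security.cert.X509Certificate, so the array converts directly.
        X509Certificate[] chain = peerChain;
        String authType = chain[0].getPublicKey().getAlgorithm();
        for (X509TrustManager tm : trustManagers) {
            try {
                tm.checkServerTrusted(chain, authType);
            } catch (CertificateException e) {
                return rejectionErrorCode;  // the first rejection wins; later managers are not consulted
            }
        }
        return 0;
    }
}
```

Two details matter for correctness here. The needCertValidation check comes before the return-code check because the handshake call reports the pause as a failure, and treating it as one would abort a connection whose certificate has not been examined yet. And a rejection is still delivered through AuthCertificateComplete with the non-zero code before the exception is thrown, so NSS sends the matching alert to the peer instead of the connection simply being dropped.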
RemoveCallbacks
    Removes all enabled callbacks.
EnableHandshakeCallback
getSSLRequestCertificate
    private static int getSSLRequestCertificate()
getSSLRequireCertificate
    private static int getSSLRequireCertificate()
getSSLSECSuccess
    private static int getSSLSECSuccess()
getSSLSECFailure
    private static int getSSLSECFailure()
getSSLSECWouldBlock
    private static int getSSLSECWouldBlock()
getSSLEnablePostHandshakeAuth
    private static int getSSLEnablePostHandshakeAuth()
getSSLEnableRenegotiation
    private static int getSSLEnableRenegotiation()
getSSLRequireSafeNegotiation
    private static int getSSLRequireSafeNegotiation()
getSSLRenegotiateNever
    private static int getSSLRenegotiateNever()
getSSLRenegotiateUnrestricted
    private static int getSSLRenegotiateUnrestricted()
getSSLRenegotiateRequiresXtn
    private static int getSSLRenegotiateRequiresXtn()
getSSLRenegotiateTransitional
    private static int getSSLRenegotiateTransitional()
getSSLEnableFallbackSCSV
    private static int getSSLEnableFallbackSCSV()
getSSLRequireNever
    private static int getSSLRequireNever()
getSSLRequireAlways
    private static int getSSLRequireAlways()
getSSLRequireFirstHandshake
    private static int getSSLRequireFirstHandshake()
getSSLRequireNoError
    private static int getSSLRequireNoError()