Class SSL

java.lang.Object
org.mozilla.jss.nss.SSL

public class SSL extends Object
  • Field Details

    • REQUEST_CERTIFICATE

      public static final int REQUEST_CERTIFICATE
      Request certificate from the remote peer. Value for use with OptionGet and OptionSet. See also: SSL_REQUEST_CERTIFICATE in /usr/include/nss3/ssl.h
    • REQUIRE_CERTIFICATE

      public static final int REQUIRE_CERTIFICATE
      Require certificate from the remote peer. Value for use with OptionGet and OptionSet. See also: SSL_REQUIRE_CERTIFICATE in /usr/include/nss3/ssl.h
    • SECSuccess

      public static final int SECSuccess
      Return value on success from NSS functions. See also: SECSuccess in /usr/include/nss3/seccomon.h
    • SECFailure

      public static final int SECFailure
      Return value on failure from NSS functions. See also: SECFailure in /usr/include/nss3/seccomon.h
    • SECWouldBlock

      public static final int SECWouldBlock
      Return value from NSS functions when the operation would block. See also: SECWouldBlock in /usr/include/nss3/seccomon.h
    • ENABLE_POST_HANDSHAKE_AUTH

      public static final int ENABLE_POST_HANDSHAKE_AUTH
      Enable post-handshake authentication extension. Value for use with OptionGet. See also: SSL_ENABLE_POST_HANDSHAKE_AUTH in /usr/include/nss3/ssl.h
    • ENABLE_RENEGOTIATION

      public static final int ENABLE_RENEGOTIATION
      Option for configuring renegotiation after initial handshake. Value for use with OptionGet and OptionSet. See also: SSL_ENABLE_RENEGOTIATION in /usr/include/nss3/ssl.h
    • REQUIRE_SAFE_NEGOTIATION

      public static final int REQUIRE_SAFE_NEGOTIATION
      Option for requiring safe negotiation. Value for use with OptionGet and OptionSet. See also: SSL_REQUIRE_SAFE_NEGOTIATION in /usr/include/nss3/ssl.h
    • RENEGOTIATE_NEVER

      public static final int RENEGOTIATE_NEVER
      Value for never allowing renegotiation after initial handshake. Value for use with ENABLE_RENEGOTIATION with OptionGet and OptionSet. See also: SSL_RENEGOTIATE_NEVER in /usr/include/nss3/ssl.h
    • RENEGOTIATE_UNRESTRICTED

      public static final int RENEGOTIATE_UNRESTRICTED
      Value for always allowing renegotiation after initial handshake, regardless of whether or not the peer's client hello bears the renegotiation_info extension; unsafe. Value for use with ENABLE_RENEGOTIATION with OptionGet and OptionSet. See also: SSL_RENEGOTIATE_UNRESTRICTED in /usr/include/nss3/ssl.h
    • RENEGOTIATE_REQUIRES_XTN

      public static final int RENEGOTIATE_REQUIRES_XTN
      Value for allowing renegotiation after initial handshake with the TLS renegotiation_info extension; safe. Value for use with ENABLE_RENEGOTIATION with OptionGet and OptionSet. See also: SSL_RENEGOTIATE_REQUIRES_XTN in /usr/include/nss3/ssl.h
    • RENEGOTIATE_TRANSITIONAL

      public static final int RENEGOTIATE_TRANSITIONAL
      Value for disallowing unsafe renegotiation on server sockets only, while still allowing clients to renegotiate with vulnerable servers. Value for use with ENABLE_RENEGOTIATION with OptionGet and OptionSet. See also: SSL_RENEGOTIATE_TRANSITIONAL in /usr/include/nss3/ssl.h
    • ENABLE_FALLBACK_SCSV

      public static final int ENABLE_FALLBACK_SCSV
      Option for sending SCSV in handshakes. Value for use with OptionGet and OptionSet. See also: SSL_ENABLE_FALLBACK_SCSV in /usr/include/nss3/ssl.h
    • REQUIRE_NEVER

      public static final int REQUIRE_NEVER
      Value for never requiring a certificate. Value for use with SSL_REQUIRE_CERTIFICATE with OptionGet and OptionSet. See also: SSL_REQUIRE_NEVER in /usr/include/nss3/ssl.h
    • REQUIRE_ALWAYS

      public static final int REQUIRE_ALWAYS
      Value for always requiring a certificate. Value for use with SSL_REQUIRE_CERTIFICATE with OptionGet and OptionSet. See also: SSL_REQUIRE_ALWAYS in /usr/include/nss3/ssl.h
    • REQUIRE_FIRST_HANDSHAKE

      public static final int REQUIRE_FIRST_HANDSHAKE
      Value for requiring a certificate only on the first handshake. Value for use with SSL_REQUIRE_CERTIFICATE with OptionGet and OptionSet. See also: SSL_REQUIRE_FIRST_HANDSHAKE in /usr/include/nss3/ssl.h
    • REQUIRE_NO_ERROR

      public static final int REQUIRE_NO_ERROR
      Value for requiring a certificate but not erring if the peer doesn't provide one. Value for use with SSL_REQUIRE_CERTIFICATE with OptionGet and OptionSet. See also: SSL_REQUIRE_NO_ERROR in /usr/include/nss3/ssl.h
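The option and value constants above are only meaningful in combination, and NSS reports a bad combination through the return value rather than an exception. The following added example (not part of the JSS code base) shows one way to apply a renegotiation and client-authentication policy to a socket with OptionSet, checking every return value against SECSuccess and reading the result back with OptionGet. It assumes only the SSL and SSLFDProxy classes documented on this page; the value 1 for boolean options follows the NSS PR_TRUE convention.

```java
import org.mozilla.jss.nss.SSL;
import org.mozilla.jss.nss.SSLFDProxy;

/** Added example: applies a socket policy built from the SSL option constants. */
public final class SslSocketPolicy {

    /**
     * A deliberately weak policy, shown only for contrast: unrestricted
     * renegotiation and no safe-negotiation requirement.
     */
    public static void applyWeakPolicy(SSLFDProxy fd) {
        check(SSL.OptionSet(fd, SSL.ENABLE_RENEGOTIATION, SSL.RENEGOTIATE_UNRESTRICTED),
              "ENABLE_RENEGOTIATION");
        check(SSL.OptionSet(fd, SSL.REQUIRE_SAFE_NEGOTIATION, 0), "REQUIRE_SAFE_NEGOTIATION");
    }

    /**
     * The hardened counterpart: renegotiation only with the renegotiation_info
     * extension, safe negotiation required, fallback SCSV sent, and (for a
     * server socket) a client certificate requested and required on every
     * handshake.
     */
    public static void applyHardenedPolicy(SSLFDProxy fd, boolean requireClientCert) throws Exception {
        check(SSL.OptionSet(fd, SSL.ENABLE_RENEGOTIATION, SSL.RENEGOTIATE_REQUIRES_XTN),
              "ENABLE_RENEGOTIATION");
        check(SSL.OptionSet(fd, SSL.REQUIRE_SAFE_NEGOTIATION, 1), "REQUIRE_SAFE_NEGOTIATION");
        check(SSL.OptionSet(fd, SSL.ENABLE_FALLBACK_SCSV, 1), "ENABLE_FALLBACK_SCSV");

        if (requireClientCert) {
            // REQUEST_CERTIFICATE asks the peer for a certificate; REQUIRE_CERTIFICATE
            // decides what happens when none arrives. REQUIRE_ALWAYS fails the handshake.
            check(SSL.OptionSet(fd, SSL.REQUEST_CERTIFICATE, 1), "REQUEST_CERTIFICATE");
            check(SSL.OptionSet(fd, SSL.REQUIRE_CERTIFICATE, SSL.REQUIRE_ALWAYS), "REQUIRE_CERTIFICATE");
        }

        // Read the policy back: OptionGet throws for an invalid option, and a
        // mismatch here means the socket is not in the state we think it is.
        int mode = SSL.OptionGet(fd, SSL.ENABLE_RENEGOTIATION);
        if (mode != SSL.RENEGOTIATE_REQUIRES_XTN) {
            throw new IllegalStateException("renegotiation mode readback mismatch: " + mode);
        }
        if (requireClientCert && SSL.OptionGet(fd, SSL.REQUIRE_CERTIFICATE) != SSL.REQUIRE_ALWAYS) {
            throw new IllegalStateException("REQUIRE_CERTIFICATE readback mismatch");
        }
    }

    /** Every OptionSet returns an NSS status; anything but SECSuccess is a configuration error. */
    private static void check(int rv, String option) {
        if (rv != SSL.SECSuccess) {
            throw new IllegalStateException("SSL.OptionSet(" + option + ") failed, rv=" + rv);
        }
    }
}
```

Call applyHardenedPolicy on the SSLFDProxy returned by ImportFD, before the first handshake; options set after the handshake has started affect only later renegotiations.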
  • Constructor Details

    • SSL

      public SSL()
  • Method Details

    • ImportFD

      public static SSLFDProxy ImportFD(PRFDProxy model, PRFDProxy fd)
      Import a file descriptor to create a new SSL file descriptor out of it. See also: SSL_ImportFD in /usr/include/nss3/ssl.h
    • ImportFDNative

      public static byte[] ImportFDNative(PRFDProxy model, PRFDProxy fd)
    • OptionSet

      public static int OptionSet(SSLFDProxy fd, int option, int val)
      Set the value of an SSL option on the specified PRFileDesc. See also: SSL_OptionSet in /usr/include/nss3/ssl.h
    • OptionGet

      public static int OptionGet(SSLFDProxy fd, int option) throws Exception
      Get the value of an SSL option on the specified PRFileDesc. Note that this raises an exception in the case of an invalid option. See also: SSL_OptionGet in /usr/include/nss3/ssl.h
      Throws:
      Exception
    • SetURL

      public static int SetURL(SSLFDProxy fd, String url)
      Set the hostname of a handshake on the specified PRFileDesc. See also: SSL_SetURL in /usr/include/nss3/ssl.h
    • CipherPrefSet

      public static int CipherPrefSet(SSLFDProxy fd, int cipher, boolean enabled)
      Set the preference for a specific cipher suite on the specified PRFileDesc. See also: SSL_CipherPrefSet in /usr/include/nss3/ssl.h
    • CipherPrefGet

      public static boolean CipherPrefGet(SSLFDProxy fd, int cipher) throws Exception
      Get the preference for a specific cipher suite on the specified PRFileDesc. Note that this can raise an Exception when the cipher is unknown. See also: SSL_CipherPrefGet in /usr/include/nss3/ssl.h
      Throws:
      Exception
    • CipherPrefSetDefault

      public static int CipherPrefSetDefault(int cipher, boolean enabled)
      Set the default preferences for a specific cipher suite across all future PRFileDesc's. See also: SSL_CipherPrefSetDefault in /usr/include/nss3/ssl.h
    • CipherPrefGetDefault

      public static boolean CipherPrefGetDefault(int cipher)
      Get the default preferences for a specific cipher suite across all future PRFileDesc's. Note that this can raise an Exception when the cipher is unknown. See also: SSL_CipherPrefGetDefault in /usr/include/nss3/ssl.h
    • VersionRangeSet

      public static int VersionRangeSet(SSLFDProxy fd, SSLVersionRange range)
      Set the range of TLS versions enabled on this socket, given as an SSLVersionRange. See also: SSL_VersionRangeSet in /usr/include/nss3/ssl.h
    • VersionRangeSetNative

      private static int VersionRangeSetNative(SSLFDProxy fd, int min_ssl, int max_ssl)
      Set the range of TLS versions enabled by this server. The integer parameters are values of the SSLVersion enum. See also: SSL_VersionRangeSet in /usr/include/nss3/ssl.h
    • VersionRangeGet

      public static SSLVersionRange VersionRangeGet(SSLFDProxy fd) throws Exception
      Get the range of TLS versions enabled on this socket. See also: SSL_VersionRangeGet in /usr/include/nss3/ssl.h
      Throws:
      Exception
    • VersionRangeSetDefault

      public static int VersionRangeSetDefault(SSLVersionRange range)
      Set the range of TLS versions enabled by default, for all future PRFileDesc's of the default protocol variant type, STREAM. See also: SSL_VersionRangeSetDefault in /usr/include/nss3/ssl.h
    • VersionRangeSetDefault

      public static int VersionRangeSetDefault(SSLProtocolVariant variant, SSLVersionRange range)
      Set the range of TLS versions enabled by default, for all future PRFileDesc's of the specified protocol variant. See also: SSL_VersionRangeSetDefault in /usr/include/nss3/ssl.h
    • VersionRangeSetDefaultNative

      private static int VersionRangeSetDefaultNative(int variant_ssl, int min_ssl, int max_ssl)
      Set the range of default TLS versions enabled in all future PRFileDesc's. The integer parameters are values of the SSLVersion enum. See also: SSL_VersionRangeSetDefault in /usr/include/nss3/ssl.h
    • VersionRangeGetDefault

      public static SSLVersionRange VersionRangeGetDefault()
      Get the range of TLS versions enabled in all future PRFileDesc's of the default STREAM protocol variant. See also: SSL_VersionRangeGetDefault in /usr/include/nss3/ssl.h
    • VersionRangeGetDefault

      public static SSLVersionRange VersionRangeGetDefault(SSLProtocolVariant variant)
      Get the range of TLS versions enabled in all future PRFileDesc's of the specified protocol variant. See also: SSL_VersionRangeGetDefault in /usr/include/nss3/ssl.h
    • VersionRangeGetDefaultNative

      private static SSLVersionRange VersionRangeGetDefaultNative(int variant)
    • SecurityStatus

      public static SecurityStatusResult SecurityStatus(SSLFDProxy fd)
      Check the security status of an SSL handshake. See also: SSL_SecurityStatus in /usr/include/nss3/ssl.h
    • GetChannelInfo

      public static SSLChannelInfo GetChannelInfo(SSLFDProxy fd)
      Inquire for SSL Channel Information after the handshake has completed. See also: SSL_GetChannelInfo in /usr/include/nss3/ssl.h
    • GetPreliminaryChannelInfo

      public static SSLPreliminaryChannelInfo GetPreliminaryChannelInfo(SSLFDProxy fd)
      Inquire for SSL Channel Information before the handshake has completed. See also: SSL_GetPreliminaryChannelInfo in /usr/include/nss3/ssl.h
    • ResetHandshake

      public static int ResetHandshake(SSLFDProxy fd, boolean asServer)
      Reset the handshake status, optionally handshaking as a server. See also: SSL_ResetHandshake in /usr/include/nss3/ssl.h
    • ReHandshake

      public static int ReHandshake(SSLFDProxy fd, boolean flushCache)
      Rehandshake an existing socket, optionally flushing the cache line. See also: SSL_ReHandshake in /usr/include/nss3/ssl.h
    • ForceHandshake

      public static int ForceHandshake(SSLFDProxy fd)
      Force a handshake to occur if not started, else step one. See also: SSL_ForceHandshake in /usr/include/nss3/ssl.h
    • ConfigSecureServer

      @Deprecated public static int ConfigSecureServer(SSLFDProxy fd, PK11Cert cert, PK11PrivKey key, int kea)
      Deprecated. Replaced with ConfigServerCert. See also: SSL_ConfigSecureServer in /usr/include/nss3/ssl.h
      Configure the certificate and private key for a server socket.
    • ConfigServerCert

      public static int ConfigServerCert(SSLFDProxy fd, PK11Cert cert, PK11PrivKey key)
      Configure the certificate and private key for a server socket. This form assumes no additional data is passed. See also: SSL_ConfigServerCert in /usr/include/nss3/ssl.h
    • ConfigServerSessionIDCache

      public static int ConfigServerSessionIDCache(int maxCacheEntries, long timeout, long ssl3_timeout, String directory)
      Configure the server's session cache. See also: SSL_ConfigServerSessionIDCache in /usr/include/nss3/ssl.h
    • InvalidateSession

      public static int InvalidateSession(SSLFDProxy fd)
      Invalidate the SSL session associated with this socket. See also: SSL_InvalidateSession in /usr/include/nss3/ssl.h
    • PeerCertificate

      public static PK11Cert PeerCertificate(SSLFDProxy fd)
      Introspect the peer's certificate. See also: SSL_PeerCertificate in /usr/include/nss3/ssl.h
    • PeerCertificateChain

      public static PK11Cert[] PeerCertificateChain(SSLFDProxy fd) throws Exception
      Introspect the peer's certificate chain. See also: SSL_PeerCertificateChain in /usr/include/nss3/ssl.h
      Throws:
      Exception
    • SendCertificateRequest

      public static int SendCertificateRequest(SSLFDProxy fd)
      Send the TLS 1.3 Certificate Request as a server; experimental. See also: SSL_SendCertificateRequest in /usr/include/nss3/sslexp.h
    • KeyUpdate

      public static int KeyUpdate(SSLFDProxy fd, boolean requestUpdate)
      Send the TLS 1.3 KeyUpdate Request; experimental. See also: SSL_KeyUpdate in /usr/include/nss3/sslexp.h
    • AttachClientCertCallback

      public static int AttachClientCertCallback(SSLFDProxy fd)
      Use client authentication; set client certificate from SSLFDProxy. See also: SSL_GetClientAuthDataHook in /usr/include/nss3/ssl.h, org.mozilla.jss.nss.SSLFDProxy.SetClientCert(...)
    • EnableAlertLogging

      public static int EnableAlertLogging(SSLFDProxy fd)
      Enable recording of alerts in the SSLFDProxy object. See also: SSL_AlertReceivedCallback in /usr/include/nss3/ssl.h, SSL_AlertSentCallback in /usr/include/nss3/ssl.h
    • EnableAlertLoggingNative

      private static int EnableAlertLoggingNative(SSLFDProxy fd)
    • ConfigJSSDefaultCertAuthCallback

      public static int ConfigJSSDefaultCertAuthCallback(SSLFDProxy fd)
      Use the default JSS certificate checking handler (which understands CryptoManager OCSP status). See also: SSL_AuthCertificateHook in /usr/include/nss3/ssl.h and JSSL_DefaultCertAuthCallback in jss/ssl/callbacks.c
    • ConfigAsyncTrustManagerCertAuthCallback

      public static int ConfigAsyncTrustManagerCertAuthCallback(SSLFDProxy fd)
      Use an asynchronous certificate checking handler which allows us to invoke an arbitrary number of TrustManagers. This makes functions like SSL_ForceHandshake, PR_Read, and PR_Write return to the caller when cert auth is required. We set the SSLFDProxy.needCertValidation field to true in this case. Set this field to false and call SSL_AuthCertificateComplete with the status code of the error (0 if the cert is valid), then resume handshaking. See also: SSL_AuthCertificateHook in /usr/include/nss3/ssl.h and JSSL_SSLFDAsyncCertAuthCallback in jss/nss/SSLFDProxy.c
    • ConfigSyncTrustManagerCertAuthCallback

      public static int ConfigSyncTrustManagerCertAuthCallback(SSLFDProxy fd)
      Use a synchronous certificate checking handler based on the SSLFDProxy proper. This allows us to invoke an arbitrary number of TrustManagers, but with the caveat that it needs to be synchronous and respond via the auth callback hook. This should only be called on the server side of the connection, because it doesn't support the superior async method. See also: SSL_AuthCertificateHook in /usr/include/nss3/ssl.h and JSSL_SSLFDSyncCertAuthCallback in jss/nss/SSLFDProxy.c
    • ConfigAsyncBadCertCallback

      public static int ConfigAsyncBadCertCallback(SSLFDProxy fd)
      Use an asynchronous bad certificate handler which allows us to approve rejected certificates. This allows us to bypass the hostname check failure caused by the Java socket having no knowledge of the hostname we use for certificate validation; no HostnameVerifier is passed in. As a result, NSS has no value for the hostname and validation will fail. Note: This does NOT work for server-side connections. See also: SSL_BadCertHook in /usr/include/nss3/ssl.h and JSSL_SSLFDAsyncBadCertCallback in jss/nss/SSLFDProxy.c
    • ConfigSyncBadCertCallback

      public static int ConfigSyncBadCertCallback(SSLFDProxy fd)
      Use a synchronous bad certificate handler which allows us to approve rejected certificates. This allows us to bypass the hostname check failure caused by the Java socket having no knowledge of the hostname we use for certificate validation; no HostnameVerifier is passed in. As a result, NSS has no value for the hostname and validation will fail. See also: SSL_BadCertHook in /usr/include/nss3/ssl.h and JSSL_SSLFDSyncBadCertCallback in jss/nss/SSLFDProxy.c
    • AuthCertificateComplete

      public static int AuthCertificateComplete(SSLFDProxy fd, int error)
      Inform NSS that the asynchronous certificate check handler has completed, allowing us to continue the handshake. This is also used for the async bad certificate handler. See also: SSL_AuthCertificateComplete in /usr/include/nss3/ssl.h
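The asynchronous flow described for ConfigAsyncTrustManagerCertAuthCallback and AuthCertificateComplete is a small state machine: drive the handshake, stop when needCertValidation is set, run the TrustManagers over the peer chain, report the verdict, and resume. The following added example (not JSS project code) implements that loop for a client socket. It uses only SSL, SSLFDProxy, PK11Cert and the public needCertValidation field named on this page; it assumes PK11Cert can be used as a java.security.cert.X509Certificate, and the NSS error code reported on rejection (REJECTED_CHAIN_ERROR) is a placeholder that must be replaced with the appropriate SEC_ERROR_* value from secerr.h.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;
import org.mozilla.jss.nss.SSL;
import org.mozilla.jss.nss.SSLFDProxy;
import org.mozilla.jss.pkcs11.PK11Cert;

/** Added example: client handshake driven through the async TrustManager callback. */
public final class AsyncTrustManagerHandshake {

    // Placeholder (assumption, not from the page): the NSS error code to hand to
    // AuthCertificateComplete when a TrustManager rejects the chain. Use the
    // SEC_ERROR_* value from /usr/include/nss3/secerr.h that matches the failure.
    private static final int REJECTED_CHAIN_ERROR = -8171;

    /**
     * Runs the handshake to completion on a blocking socket. Returns normally
     * when the handshake succeeds; throws if NSS fails or a TrustManager rejects
     * the peer chain.
     */
    public static void handshake(SSLFDProxy fd, String hostname, X509TrustManager[] managers)
            throws Exception {
        // SetURL gives NSS the name to match against the certificate; without it
        // hostname validation cannot succeed.
        require(SSL.SetURL(fd, hostname), "SetURL");
        require(SSL.ConfigAsyncTrustManagerCertAuthCallback(fd), "ConfigAsyncTrustManagerCertAuthCallback");
        require(SSL.ResetHandshake(fd, false), "ResetHandshake");   // false: handshake as a client

        while (true) {
            int rv = SSL.ForceHandshake(fd);
            if (rv == SSL.SECSuccess) {
                return;                                          // handshake complete
            }
            if (!fd.needCertValidation) {
                // Any return other than the cert-auth pause is a real failure here.
                // A non-blocking socket would also come back with a would-block
                // error and need to be polled before retrying.
                throw new IllegalStateException("ForceHandshake failed, rv=" + rv);
            }

            // NSS paused the handshake for us: evaluate the chain, clear the flag,
            // report the verdict (0 = accepted), then loop to resume the handshake.
            int status = evaluateChain(fd, managers);
            fd.needCertValidation = false;
            require(SSL.AuthCertificateComplete(fd, status), "AuthCertificateComplete");
            if (status != 0) {
                throw new CertificateException("peer certificate chain rejected, NSS error " + status);
            }
        }
    }

    /** Runs every TrustManager over the peer chain; 0 means accepted, otherwise an NSS error code. */
    static int evaluateChain(SSLFDProxy fd, X509TrustManager[] managers) {
        try {
            PK11Cert[] chain = SSL.PeerCertificateChain(fd);
            if (chain == null || chain.length == 0) {
                return REJECTED_CHAIN_ERROR;                     // nothing to trust
            }
            // Assumption: PK11Cert is a java.security.cert.X509Certificate subclass.
            X509Certificate[] javaChain = new X509Certificate[chain.length];
            for (int i = 0; i < chain.length; i++) {
                javaChain[i] = chain[i];
            }
            // The authType string should reflect the negotiated key exchange; "UNKNOWN"
            // is used here because this example does not inspect the channel info.
            for (X509TrustManager tm : managers) {
                tm.checkServerTrusted(javaChain, "UNKNOWN");     // throws on rejection
            }
            return 0;
        } catch (Exception e) {
            return REJECTED_CHAIN_ERROR;
        }
    }

    private static void require(int rv, String call) {
        if (rv != SSL.SECSuccess) {
            throw new IllegalStateException("SSL." + call + " failed, rv=" + rv);
        }
    }
}
```

Because the verdict is reported to NSS before the exception is thrown, a rejected chain ends the handshake on the NSS side as well; the socket is not left half-open in a "validated" state. Do not pair this loop with ConfigAsyncBadCertCallback unless the hostname check is handled elsewhere, since that callback exists to approve certificates NSS has already rejected.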
    • RemoveCallbacks

      public static void RemoveCallbacks(SSLFDProxy fd)
      Removes all enabled callbacks.
    • EnableHandshakeCallback

      public static int EnableHandshakeCallback(SSLFDProxy fd)
    • getSSLRequestCertificate

      private static int getSSLRequestCertificate()
    • getSSLRequireCertificate

      private static int getSSLRequireCertificate()
    • getSSLSECSuccess

      private static int getSSLSECSuccess()
    • getSSLSECFailure

      private static int getSSLSECFailure()
    • getSSLSECWouldBlock

      private static int getSSLSECWouldBlock()
    • getSSLEnablePostHandshakeAuth

      private static int getSSLEnablePostHandshakeAuth()
    • getSSLEnableRenegotiation

      private static int getSSLEnableRenegotiation()
    • getSSLRequireSafeNegotiation

      private static int getSSLRequireSafeNegotiation()
    • getSSLRenegotiateNever

      private static int getSSLRenegotiateNever()
    • getSSLRenegotiateUnrestricted

      private static int getSSLRenegotiateUnrestricted()
    • getSSLRenegotiateRequiresXtn

      private static int getSSLRenegotiateRequiresXtn()
    • getSSLRenegotiateTransitional

      private static int getSSLRenegotiateTransitional()
    • getSSLEnableFallbackSCSV

      private static int getSSLEnableFallbackSCSV()
    • getSSLRequireNever

      private static int getSSLRequireNever()
    • getSSLRequireAlways

      private static int getSSLRequireAlways()
    • getSSLRequireFirstHandshake

      private static int getSSLRequireFirstHandshake()
    • getSSLRequireNoError

      private static int getSSLRequireNoError()