Package org.mozilla.jss.ssl
Class SSLServerSocket
java.lang.Object
  java.net.ServerSocket
    org.mozilla.jss.ssl.SSLServerSocket

All Implemented Interfaces:
  Closeable, AutoCloseable
SSL server socket.

Field Summary

Modifier and Type             Field               Description
private Object                acceptLock
private SocketBase            base
static final int              DEFAULT_BACKLOG     The default size of the listen queue.
private boolean               handshakeAsClient
private boolean               inAccept
private boolean               isClosed
private SocketProxy           sockProxy
private static final String   UNIX_TEMP_DIR
private static final String   WINDOWS_TEMP_DIR

Constructor Summary

Constructor and Description
SSLServerSocket(int port)
    Creates a server socket listening on the given port.
SSLServerSocket(int port, int backlog)
    Creates a server socket listening on the given port.
SSLServerSocket(int port, int backlog, InetAddress bindAddr)
    Creates a server socket listening on the given port.
SSLServerSocket(int port, int backlog, InetAddress bindAddr, SSLCertificateApprovalCallback certApprovalCallback)
    Creates a server socket listening on the given port.
SSLServerSocket(int port, int backlog, InetAddress bindAddr, SSLCertificateApprovalCallback certApprovalCallback, boolean reuseAddr)
    Creates a server socket listening on the given port.

Method Summary

Modifier and Type   Method and Description
private void        abortAccept()
Socket              accept()
                        Accepts a connection.
static void         clearSessionCache()
                        Empties the SSL client session ID cache.
void                close()
                        Closes this socket.
static void         configServerSessionIDCache(int maxSidEntries, int ssl2EntryTimeout, int ssl3EntryTimeout, String cacheFileDirectory)
                        Configures the session ID cache.
void                enableFDX(boolean enable)
                        Enable simultaneous read/write by separate read and write threads (full duplex) for this socket.
void                enableRenegotiation(int mode)
                        Enables the mode of renegotiation that the peer must use.
void                enableRequireSafeNegotiation(boolean enable)
                        For this socket, require that the peer send the Signaling Cipher Suite Value (SCSV) or the Renegotiation Info (RI) extension in ALL handshakes.
void                enableRollbackDetection(boolean enable)
                        Enable rollback detection for this socket.
void                enableSessionTickets(boolean enable)
                        Enables session tickets on this socket.
void                enableSSL2(boolean enable)
                        Enables SSL v2 on this socket.
void                enableSSL3(boolean enable)
                        Enables SSL v3 on this socket.
void                enableStepDown(boolean enable)
                        This option, enableStepDown, is concerned with the generation of step-down keys, which are used with export suites.
void                enableTLS(boolean enable)
                        Enables TLS on this socket.
void                enableV2CompatibleHello(boolean enable)
                        Enable sending a v3 client hello in v2 format for this socket.
protected void      finalize()
                        Deprecated. finalize() in Object has been deprecated.
InetAddress         getInetAddress()
int                 getLocalPort()
boolean             getReuseAddress()
int                 getSoTimeout()
                        Returns the current value of the SO_TIMEOUT socket option.
String              getSSLOptions()
void                requestClientAuth(boolean b)
                        Enables/disables the request of client authentication.
void                requireClientAuth(boolean require, boolean onRedo)
                        Deprecated. Use requireClientAuth(int).
void                requireClientAuth(int mode)
                        Sets whether the socket requires client authentication from the remote peer.
void                setClientCert(X509Certificate cert)
                        Sets the certificate to use for client authentication.
void                setClientCertNickname(String nick)
                        Sets the nickname of the certificate to use for client authentication.
void                setNeedClientAuth(boolean b)
                        Deprecated. As of JSS 3.0.
void                setNeedClientAuthNoExpiryCheck(boolean b)
                        Deprecated. As of JSS 3.0.
void                setReuseAddress(boolean reuse)
void                setServerCert(X509Certificate certnickname)
                        Sets the certificate to use for server authentication.
void                setServerCertNickname(String nick)
                        Sets the certificate to use for server authentication.
void                setSoTimeout(int timeout)
                        Sets the SO_TIMEOUT socket option.
void                setUseClientMode(boolean b)
                        Determines whether this end of the socket is the client or the server for purposes of the SSL protocol.
private byte[]      socketAccept(SSLSocket s, int timeout, boolean handshakeAsClient)
private void        socketListen(int backlog)
String              toString()
                        Returns the addresses and ports of this socket, or an error message if the socket is not in a valid state.
void                useCache(boolean b)
                        Enables/disables the session cache.

Methods inherited from class java.net.ServerSocket:
    bind, bind, getChannel, getLocalSocketAddress, getOption, getReceiveBufferSize, implAccept, isBound, isClosed, setOption, setPerformancePreferences, setReceiveBufferSize, setSocketFactory, supportedOptions

Field Details

sockProxy
    private SocketProxy sockProxy

handshakeAsClient
    private boolean handshakeAsClient

base
    private SocketBase base

isClosed
    private boolean isClosed

inAccept
    private boolean inAccept

acceptLock
    private Object acceptLock

DEFAULT_BACKLOG
    public static final int DEFAULT_BACKLOG
    The default size of the listen queue.

UNIX_TEMP_DIR
    private static final String UNIX_TEMP_DIR

WINDOWS_TEMP_DIR
    private static final String WINDOWS_TEMP_DIR

Constructor Details

SSLServerSocket
    public SSLServerSocket(int port) throws IOException
    Creates a server socket listening on the given port. The listen queue will be of size DEFAULT_BACKLOG.
    Throws:
        IOException

SSLServerSocket
    public SSLServerSocket(int port, int backlog) throws IOException
    Creates a server socket listening on the given port.
    Parameters:
        backlog - The size of the socket's listen queue.
    Throws:
        IOException

SSLServerSocket
    public SSLServerSocket(int port, int backlog, InetAddress bindAddr) throws IOException
    Creates a server socket listening on the given port.
    Parameters:
        backlog - The size of the socket's listen queue.
        bindAddr - The local address to which to bind. If null, an unspecified local address will be bound to.
    Throws:
        IOException

SSLServerSocket
    public SSLServerSocket(int port, int backlog, InetAddress bindAddr, SSLCertificateApprovalCallback certApprovalCallback) throws IOException
    Creates a server socket listening on the given port.
    Parameters:
        backlog - The size of the socket's listen queue.
        bindAddr - The local address to which to bind. If null, an unspecified local address will be bound to.
        certApprovalCallback - Will get called to approve any certificate presented by the client.
    Throws:
        IOException

SSLServerSocket
    public SSLServerSocket(int port, int backlog, InetAddress bindAddr, SSLCertificateApprovalCallback certApprovalCallback, boolean reuseAddr) throws IOException
    Creates a server socket listening on the given port.
    Parameters:
        backlog - The size of the socket's listen queue.
        bindAddr - The local address to which to bind. If null, an unspecified local address will be bound to.
        certApprovalCallback - Will get called to approve any certificate presented by the client.
        reuseAddr - Reuse the local bind port; this parameter sets the SO_REUSEADDR option on the socket before calling bind(). The default is false for backward compatibility.
    Throws:
        IOException

Method Details

socketListen
    private void socketListen(int backlog) throws SocketException
    Throws:
        SocketException

accept
    public Socket accept() throws IOException
    Accepts a connection. This call will block until a connection is made or the timeout is reached.
    Overrides:
        accept in class ServerSocket
    Returns:
        java.net.Socket - Local socket for client communication
    Throws:
        IOException - If an input or output exception occurred
        SocketTimeoutException - If the socket times out waiting for a connection
        SSLSocketException - JSS subclass of java.net.SocketException

setSoTimeout
    public void setSoTimeout(int timeout)
    Sets the SO_TIMEOUT socket option.
    Overrides:
        setSoTimeout in class ServerSocket
    Parameters:
        timeout - The timeout in milliseconds.

getSoTimeout
    public int getSoTimeout()
    Returns the current value of the SO_TIMEOUT socket option.
    Overrides:
        getSoTimeout in class ServerSocket
    Returns:
        The timeout in milliseconds.

setReuseAddress
    public void setReuseAddress(boolean reuse) throws SocketException
    Overrides:
        setReuseAddress in class ServerSocket
    Throws:
        SocketException

getReuseAddress
    public boolean getReuseAddress() throws SocketException
    Overrides:
        getReuseAddress in class ServerSocket
    Throws:
        SocketException

abortAccept
    private void abortAccept() throws SocketException
    Throws:
        SocketException

socketAccept
    private byte[] socketAccept(SSLSocket s, int timeout, boolean handshakeAsClient) throws SocketException, SocketTimeoutException

clearSessionCache
    public static void clearSessionCache()
    Empties the SSL client session ID cache.

finalize
    protected void finalize()
    Deprecated. finalize() in Object has been deprecated.

getLocalPort
    public int getLocalPort()
    Overrides:
        getLocalPort in class ServerSocket
    Returns:
        The local port.

close
    public void close() throws IOException
    Closes this socket.
    Specified by:
        close in interface AutoCloseable
        close in interface Closeable
    Overrides:
        close in class ServerSocket
    Throws:
        IOException

configServerSessionIDCache
    public static void configServerSessionIDCache(int maxSidEntries, int ssl2EntryTimeout, int ssl3EntryTimeout, String cacheFileDirectory) throws SocketException
    Configures the session ID cache.
    Parameters:
        maxSidEntries - The maximum number of entries in the cache. If 0 is passed, the default of 10,000 is used.
        ssl2EntryTimeout - The lifetime in seconds of an SSL2 session. The minimum timeout value is 5 seconds and the maximum is 24 hours. Values outside this range are replaced by the server default value of 100 seconds.
        ssl3EntryTimeout - The lifetime in seconds of an SSL3 session. The minimum timeout value is 5 seconds and the maximum is 24 hours. Values outside this range are replaced by the server default value of 100 seconds.
        cacheFileDirectory - The pathname of the directory that will contain the session cache. If null is passed, the server default is used: /tmp on Unix and \\temp on Windows.
    Throws:
        SocketException

setServerCertNickname
    public void setServerCertNickname(String nick) throws SocketException
    Sets the certificate to use for server authentication.
    Throws:
        SocketException

setServerCert
    public void setServerCert(X509Certificate certnickname) throws SocketException
    Sets the certificate to use for server authentication.
    Throws:
        SocketException

requestClientAuth
    public void requestClientAuth(boolean b) throws SocketException
    Enables/disables the request of client authentication. This is only meaningful for the server end of the SSL connection. During the next handshake, the remote peer will be asked to authenticate itself.
    Throws:
        SocketException

setNeedClientAuth
    public void setNeedClientAuth(boolean b) throws SocketException
    Deprecated. As of JSS 3.0. This method is misnamed. Use requestClientAuth instead.
    Throws:
        SocketException

setNeedClientAuthNoExpiryCheck
    public void setNeedClientAuthNoExpiryCheck(boolean b) throws SocketException
    Deprecated. As of JSS 3.0. This method is misnamed. Use requestClientAuthNoExpiryCheck instead.
    Enables/disables the request of client authentication. This is only meaningful for the server end of the SSL connection. During the next handshake, the remote peer will be asked to authenticate itself. In addition, the client certificate's expiration will not prevent it from being accepted.
    Throws:
        SocketException

enableSSL2
    public void enableSSL2(boolean enable) throws SocketException
    Enables SSL v2 on this socket. It is enabled by default, unless the default has been changed with SSLSocket.enableSSL2Default.
    Throws:
        SocketException

enableSSL3
    public void enableSSL3(boolean enable) throws SocketException
    Enables SSL v3 on this socket. It is enabled by default, unless the default has been changed with SSLSocket.enableSSL3Default.
    Throws:
        SocketException

enableTLS
    public void enableTLS(boolean enable) throws SocketException
    Enables TLS on this socket. It is enabled by default, unless the default has been changed with SSLSocket.enableTLSDefault.
    Throws:
        SocketException

enableSessionTickets
    public void enableSessionTickets(boolean enable) throws SocketException
    Enables session tickets on this socket. It is disabled by default, unless the default has been changed with SSLSocket.enableSessionTicketsDefault.
    Throws:
        SocketException

enableRenegotiation
    public void enableRenegotiation(int mode) throws SocketException
    Enables the mode of renegotiation that the peer must use. The default is to never renegotiate at all, unless the default has been changed with SSLSocket.enableRenegotiationDefault.
    Parameters:
        mode - One of:
            SSLSocket.SSL_RENEGOTIATE_NEVER - Never renegotiate at all.
            SSLSocket.SSL_RENEGOTIATE_UNRESTRICTED - Renegotiate without restriction, whether or not the peer's hello bears the TLS renegotiation_info extension. Vulnerable, as in the past.
            SSLSocket.SSL_RENEGOTIATE_REQUIRES_XTN - Only renegotiate if the peer's hello bears the TLS renegotiation_info extension. This is safe renegotiation.
            SSLSocket.SSL_RENEGOTIATE_TRANSITIONAL - Disallow unsafe renegotiation in server sockets only, but allow clients to continue to renegotiate with vulnerable servers. This value should only be used during the transition period when few servers have been upgraded.
    Throws:
        SocketException

enableRequireSafeNegotiation
    public void enableRequireSafeNegotiation(boolean enable) throws SocketException
    For this socket, require that the peer send the Signaling Cipher Suite Value (SCSV) or the Renegotiation Info (RI) extension in ALL handshakes. It is disabled by default, unless the default has been changed with SSLSocket.enableRequireSafeNegotiationDefault.
    Throws:
        SocketException

enableRollbackDetection
    public void enableRollbackDetection(boolean enable) throws SocketException
    Enable rollback detection for this socket. It is enabled by default, unless the default has been changed with SSLSocket.enableRollbackDetectionDefault.
    Throws:
        SocketException

enableStepDown
    public void enableStepDown(boolean enable) throws SocketException
    This option, enableStepDown, is concerned with the generation of step-down keys, which are used with export suites. If the server cert's public key is 512 bits or less, this option is ignored because step-down keys don't need to be generated. If the server cert's public key is more than 512 bits, this option has the following effect:
        enable=true: generate step-down keys
        enable=false: don't generate step-down keys; disable export cipher suites
    This option is enabled by default, unless the default has been changed with SSLSocket.enableStepDownDefault.
    Throws:
        SocketException

enableFDX
    public void enableFDX(boolean enable) throws SocketException
    Enable simultaneous read/write by separate read and write threads (full duplex) for this socket. It is disabled by default, unless the default has been changed with SSLSocket.enableFDXDefault.
    Throws:
        SocketException

enableV2CompatibleHello
    public void enableV2CompatibleHello(boolean enable) throws SocketException
    Enable sending a v3 client hello in v2 format for this socket. It is enabled by default, unless the default has been changed with SSLSocket.enableV2CompatibleHelloDefault.
    Throws:
        SocketException

getSSLOptions
    public String getSSLOptions()
    Returns:
        A String listing the current SSL options for this socket.

getInetAddress
    public InetAddress getInetAddress()
    Overrides:
        getInetAddress in class ServerSocket
    Returns:
        The local address of this server socket.

requireClientAuth
    public void requireClientAuth(boolean require, boolean onRedo) throws SocketException
    Deprecated. Use requireClientAuth(int).
    Sets whether the socket requires client authentication from the remote peer. If requestClientAuth() has not already been called, this method will tell the socket to request client auth as well as requiring it.
    Throws:
        SocketException

requireClientAuth
    public void requireClientAuth(int mode) throws SocketException
    Sets whether the socket requires client authentication from the remote peer. If requestClientAuth() has not already been called, this method will tell the socket to request client auth as well as requiring it.
    Parameters:
        mode - One of: SSLSocket.SSL_REQUIRE_NEVER, SSLSocket.SSL_REQUIRE_ALWAYS, SSLSocket.SSL_REQUIRE_FIRST_HANDSHAKE, SSLSocket.SSL_REQUIRE_NO_ERROR
    Throws:
        SocketException

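The following is an added example, not code from the JSS project or from this page, showing how the per-socket options documented above (protocol versions, enableRenegotiation, enableRequireSafeNegotiation, requestClientAuth/requireClientAuth, configServerSessionIDCache and setSoTimeout) fit together into one hardened listener. It assumes that JSS's CryptoManager has already been initialized against an NSS database holding the server certificate under the nickname passed to listen(), and the loopback bind address and 30-second accept timeout are illustrative choices, not JSS defaults.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.SocketTimeoutException;
import org.mozilla.jss.ssl.SSLServerSocket;
import org.mozilla.jss.ssl.SSLSocket;

// Added example, not JSS project code. Assumes CryptoManager is already
// initialized against an NSS database that holds the server certificate
// under the nickname passed to listen().
public final class HardenedJssServer {
    // Listener that speaks TLS only, renegotiates only with peers that send
    // renegotiation_info, and requires a client certificate on every handshake.
    public static SSLServerSocket listen(int port, String certNickname) throws IOException {
        // Session ID cache: 0 = default entry count (10,000); the SSL2 lifetime is
        // moot once SSL2 is disabled; 300 s for SSL3/TLS; null = default cache dir.
        SSLServerSocket.configServerSessionIDCache(0, 100, 300, null);
        // Binding to loopback is an illustrative choice, not a JSS default.
        SSLServerSocket ss = new SSLServerSocket(port, SSLServerSocket.DEFAULT_BACKLOG,
                InetAddress.getLoopbackAddress());
        ss.setServerCertNickname(certNickname);
        // Protocol versions: drop SSL2, SSL3 and the v2-format hello; keep TLS.
        ss.enableSSL2(false);
        ss.enableSSL3(false);
        ss.enableTLS(true);
        ss.enableV2CompatibleHello(false);
        ss.enableRollbackDetection(true);
        // Renegotiation: only with renegotiation_info, and demand SCSV/RI in
        // every handshake rather than only when a peer tries to renegotiate.
        ss.enableRenegotiation(SSLSocket.SSL_RENEGOTIATE_REQUIRES_XTN);
        ss.enableRequireSafeNegotiation(true);
        // Mutual TLS: request a client certificate and refuse peers without one.
        ss.requestClientAuth(true);
        ss.requireClientAuth(SSLSocket.SSL_REQUIRE_ALWAYS);
        ss.setSoTimeout(30_000); // bound accept() so a stalled peer cannot pin the loop
        return ss;
    }

    public static void main(String[] args) throws IOException {
        try (SSLServerSocket ss = listen(8443, "server-cert")) {
            while (true) {
                try (Socket c = ss.accept()) { // blocks until a peer connects or 30 s pass
                    System.out.println("connection from " + c.getRemoteSocketAddress());
                } catch (SocketTimeoutException e) {
                    System.out.println("no connection in 30 s; still listening");
                }
            }
        }
    }
}
```

Because requestClientAuth(true) only asks the peer for a certificate, the requireClientAuth(SSL_REQUIRE_ALWAYS) call is what actually rejects connections that present none.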
setClientCertNickname
    public void setClientCertNickname(String nick) throws SocketException
    Sets the nickname of the certificate to use for client authentication.
    Throws:
        SocketException

setClientCert
    public void setClientCert(X509Certificate cert) throws SocketException
    Sets the certificate to use for client authentication.
    Throws:
        SocketException

setUseClientMode
    public void setUseClientMode(boolean b)
    Determines whether this end of the socket is the client or the server for purposes of the SSL protocol. By default, it is the server.
    Parameters:
        b - true if this end of the socket is the SSL client, false if it is the SSL server.

useCache
    public void useCache(boolean b) throws SocketException
    Enables/disables the session cache. By default, the session cache is enabled.
    Throws:
        SocketException

toString
    public String toString()
    Returns the addresses and ports of this socket, or an error message if the socket is not in a valid state.
    Overrides:
        toString in class ServerSocket