1 /* | 1 /* |
| 2 * Copyright 2016 The Netty Project |
| 3 * |
| 4 * The Netty Project licenses this file to you under the Apache License, |
| 5 * version 2.0 (the "License"); you may not use this file except in compliance |
| 6 * with the License. You may obtain a copy of the License at: |
| 7 * |
| 8 * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 * |
| 10 * Unless required by applicable law or agreed to in writing, software |
| 11 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 12 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| 13 * License for the specific language governing permissions and limitations |
| 14 * under the License. |
| 15 */ |
| 16 /* |
2 * Licensed to the Apache Software Foundation (ASF) under one or more | 17 * Licensed to the Apache Software Foundation (ASF) under one or more |
3 * contributor license agreements. See the NOTICE file distributed with | 18 * contributor license agreements. See the NOTICE file distributed with |
4 * this work for additional information regarding copyright ownership. | 19 * this work for additional information regarding copyright ownership. |
5 * The ASF licenses this file to You under the Apache License, Version 2.0 | 20 * The ASF licenses this file to You under the Apache License, Version 2.0 |
6 * (the "License"); you may not use this file except in compliance with | 21 * (the "License"); you may not use this file except in compliance with |
7 * the License. You may obtain a copy of the License at | 22 * the License. You may obtain a copy of the License at |
8 * | 23 * |
9 * http://www.apache.org/licenses/LICENSE-2.0 | 24 * http://www.apache.org/licenses/LICENSE-2.0 |
10 * | 25 * |
11 * Unless required by applicable law or agreed to in writing, software | 26 * Unless required by applicable law or agreed to in writing, software |
12 * distributed under the License is distributed on an "AS IS" BASIS, | 27 * distributed under the License is distributed on an "AS IS" BASIS, |
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | 28 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
14 * See the License for the specific language governing permissions and | 29 * See the License for the specific language governing permissions and |
15 * limitations under the License. | 30 * limitations under the License. |
16 */ | 31 */ |
17 | 32 |
18 package org.apache.tomcat.jni; | 33 package io.netty.internal.tcnative; |
19 | 34 |
20 /** SSL Context | |
21 * | |
22 * @author Mladen Turk | |
23 */ | |
24 public final class SSLContext { | 35 public final class SSLContext { |
25 | 36 |
| 37 private SSLContext() { } |
26 | 38 |
27 /** | 39 /** |
28 * Initialize new SSL context | 40 * Initialize new SSL context |
29 * @param pool The pool to use. | |
30 * @param protocol The SSL protocol to use. It can be any combination of | 41 * @param protocol The SSL protocol to use. It can be any combination of |
31 * the following: | 42 * the following: |
32 * <PRE> | 43 * <PRE> |
33 * {@link SSL#SSL_PROTOCOL_SSLV2} | 44 * {@link SSL#SSL_PROTOCOL_SSLV2} |
34 * {@link SSL#SSL_PROTOCOL_SSLV3} | 45 * {@link SSL#SSL_PROTOCOL_SSLV3} |
35 * {@link SSL#SSL_PROTOCOL_TLSV1} | 46 * {@link SSL#SSL_PROTOCOL_TLSV1} |
36 * {@link SSL#SSL_PROTOCOL_TLSV1_1} | 47 * {@link SSL#SSL_PROTOCOL_TLSV1_1} |
37 * {@link SSL#SSL_PROTOCOL_TLSV1_2} | 48 * {@link SSL#SSL_PROTOCOL_TLSV1_2} |
38 * {@link SSL#SSL_PROTOCOL_ALL} ( == all TLS versions, no SSL) | 49 * {@link SSL#SSL_PROTOCOL_ALL} ( == all TLS versions, no SSL) |
39 * </PRE> | 50 * </PRE> |
40 * @param mode SSL mode to use | 51 * @param mode SSL mode to use |
41 * <PRE> | 52 * <PRE> |
42 * SSL_MODE_CLIENT | 53 * SSL_MODE_CLIENT |
43 * SSL_MODE_SERVER | 54 * SSL_MODE_SERVER |
44 * SSL_MODE_COMBINED | 55 * SSL_MODE_COMBINED |
45 * </PRE> | 56 * </PRE> |
| 57 * @return the SSLContext struct |
| 58 * @throws Exception if an error happened |
46 */ | 59 */ |
47 public static native long make(long pool, int protocol, int mode) | 60 public static native long make(int protocol, int mode) |
48 throws Exception; | 61 throws Exception; |
49 | 62 |
50 /** | 63 /** |
51 * Free the resources used by the Context | 64 * Free the resources used by the Context |
52 * @param ctx Server or Client context to free. | 65 * @param ctx Server or Client context to free. |
53 * @return APR Status code. | 66 * @return APR Status code. |
54 */ | 67 */ |
55 public static native int free(long ctx); | 68 public static native int free(long ctx); |
56 | 69 |
57 /** | 70 /** |
58 * Set Session context id. Usually host:port combination. | 71 * Set Session context id. Usually host:port combination. |
59 * @param ctx Context to use. | 72 * @param ctx Context to use. |
60 * @param id String that uniquely identifies this context. | 73 * @param id String that uniquely identifies this context. |
61 */ | 74 */ |
62 public static native void setContextId(long ctx, String id); | 75 public static native void setContextId(long ctx, String id); |
63 | 76 |
64 /** | 77 /** |
65 * Associate BIOCallback for input or output data capture. | |
66 * <br> | |
67 * First word in the output string will contain error | |
68 * level in the form: | |
69 * <PRE> | |
70 * [ERROR] -- Critical error messages | |
71 * [WARN] -- Warning messages | |
72 * [INFO] -- Informational messages | |
73 * [DEBUG] -- Debugging messaged | |
74 * </PRE> | |
75 * Callback can use that word to determine application logging level | |
76 * by intercepting <b>write</b> call. | |
77 * If the <b>bio</b> is set to 0 no error messages will be displayed. | |
78 * Default is to use the stderr output stream. | |
79 * @param ctx Server or Client context to use. | |
80 * @param bio BIO handle to use, created with SSL.newBIO | |
81 * @param dir BIO direction (1 for input 0 for output). | |
82 */ | |
83 public static native void setBIO(long ctx, long bio, int dir); | |
84 | |
85 /** | |
86 * Set OpenSSL Option. | 78 * Set OpenSSL Option. |
87 * @param ctx Server or Client context to use. | 79 * @param ctx Server or Client context to use. |
88 * @param options See SSL.SSL_OP_* for option flags. | 80 * @param options See SSL.SSL_OP_* for option flags. |
89 */ | 81 */ |
90 public static native void setOptions(long ctx, int options); | 82 public static native void setOptions(long ctx, int options); |
91 | 83 |
92 /** | 84 /** |
93 * Get OpenSSL Option. | 85 * Get OpenSSL Option. |
94 * @param ctx Server or Client context to use. | 86 * @param ctx Server or Client context to use. |
95 * @return options See SSL.SSL_OP_* for option flags. | 87 * @return options See SSL.SSL_OP_* for option flags. |
96 */ | 88 */ |
97 public static native int getOptions(long ctx); | 89 public static native int getOptions(long ctx); |
98 | 90 |
99 /** | 91 /** |
100 * Clears OpenSSL Options. | 92 * Clears OpenSSL Options. |
101 * @param ctx Server or Client context to use. | 93 * @param ctx Server or Client context to use. |
102 * @param options See SSL.SSL_OP_* for option flags. | 94 * @param options See SSL.SSL_OP_* for option flags. |
103 */ | 95 */ |
104 public static native void clearOptions(long ctx, int options); | 96 public static native void clearOptions(long ctx, int options); |
105 | 97 |
106 /** | 98 /** |
107 * Sets the "quiet shutdown" flag for <b>ctx</b> to be | |
108 * <b>mode</b>. SSL objects created from <b>ctx</b> inherit the | |
109 * <b>mode</b> valid at the time and may be 0 or 1. | |
110 * <br> | |
111 * Normally when a SSL connection is finished, the parties must send out | |
112 * "close notify" alert messages using L<SSL_shutdown(3)|SSL_shutdown(3)&
gt; | |
113 * for a clean shutdown. | |
114 * <br> | |
115 * When setting the "quiet shutdown" flag to 1, <b>SSL.shutdown</b> | |
116 * will set the internal flags to SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN. | |
117 * (<b>SSL_shutdown</b> then behaves like called with | |
118 * SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN.) | |
119 * The session is thus considered to be shutdown, but no "close notify" aler
t | |
120 * is sent to the peer. This behaviour violates the TLS standard. | |
121 * The default is normal shutdown behaviour as described by the TLS standard
. | |
122 * @param ctx Server or Client context to use. | |
123 * @param mode True to set the quiet shutdown. | |
124 */ | |
125 public static native void setQuietShutdown(long ctx, boolean mode); | |
126 | |
127 /** | |
128 * Cipher Suite available for negotiation in SSL handshake. | 99 * Cipher Suite available for negotiation in SSL handshake. |
129 * <br> | 100 * <br> |
130 * This complex directive uses a colon-separated cipher-spec string consisti
ng | 101 * This complex directive uses a colon-separated cipher-spec string consisti
ng |
131 * of OpenSSL cipher specifications to configure the Cipher Suite the client | 102 * of OpenSSL cipher specifications to configure the Cipher Suite the client |
132 * is permitted to negotiate in the SSL handshake phase. Notice that this | 103 * is permitted to negotiate in the SSL handshake phase. Notice that this |
133 * directive can be used both in per-server and per-directory context. | 104 * directive can be used both in per-server and per-directory context. |
134 * In per-server context it applies to the standard SSL handshake when a | 105 * In per-server context it applies to the standard SSL handshake when a |
135 * connection is established. In per-directory context it forces a SSL | 106 * connection is established. In per-directory context it forces a SSL |
136 * renegotiation with the reconfigured Cipher Suite after the HTTP request | 107 * renegotiation with the reconfigured Cipher Suite after the HTTP request |
137 * was read but before the HTTP response is sent. | 108 * was read but before the HTTP response is sent. |
138 * @param ctx Server or Client context to use. | 109 * @param ctx Server or Client context to use. |
139 * @param ciphers An SSL cipher specification. | 110 * @param ciphers An SSL cipher specification. |
| 111 * @return {@code true} if successful |
| 112 * @throws Exception if an error happened |
140 */ | 113 */ |
141 public static native boolean setCipherSuite(long ctx, String ciphers) | 114 public static native boolean setCipherSuite(long ctx, String ciphers) throws
Exception; |
142 throws Exception; | |
143 | |
144 /** | |
145 * Set File of concatenated PEM-encoded CA CRLs or | |
146 * directory of PEM-encoded CA Certificates for Client Auth | |
147 * <br> | |
148 * This directive sets the all-in-one file where you can assemble the | |
149 * Certificate Revocation Lists (CRL) of Certification Authorities (CA) | |
150 * whose clients you deal with. These are used for Client Authentication. | |
151 * Such a file is simply the concatenation of the various PEM-encoded CRL | |
152 * files, in order of preference. | |
153 * <br> | |
154 * The files in this directory have to be PEM-encoded and are accessed throu
gh | |
155 * hash filenames. So usually you can't just place the Certificate files the
re: | |
156 * you also have to create symbolic links named hash-value.N. And you should | |
157 * always make sure this directory contains the appropriate symbolic links. | |
158 * Use the Makefile which comes with mod_ssl to accomplish this task. | |
159 * @param ctx Server or Client context to use. | |
160 * @param file File of concatenated PEM-encoded CA CRLs for Client Auth. | |
161 * @param path Directory of PEM-encoded CA Certificates for Client Auth. | |
162 */ | |
163 public static native boolean setCARevocation(long ctx, String file, | |
164 String path) | |
165 throws Exception; | |
166 | 115 |
167 /** | 116 /** |
168 * Set File of PEM-encoded Server CA Certificates | 117 * Set File of PEM-encoded Server CA Certificates |
169 * <br> | 118 * <br> |
170 * This directive sets the optional all-in-one file where you can assemble t
he | 119 * This directive sets the optional all-in-one file where you can assemble t
he |
171 * certificates of Certification Authorities (CA) which form the certificate | 120 * certificates of Certification Authorities (CA) which form the certificate |
172 * chain of the server certificate. This starts with the issuing CA certific
ate | 121 * chain of the server certificate. This starts with the issuing CA certific
ate |
173 * of of the server certificate and can range up to the root CA certificate. | 122 * of of the server certificate and can range up to the root CA certificate. |
174 * Such a file is simply the concatenation of the various PEM-encoded CA | 123 * Such a file is simply the concatenation of the various PEM-encoded CA |
175 * Certificate files, usually in certificate chain order. | 124 * Certificate files, usually in certificate chain order. |
176 * <br> | 125 * <br> |
177 * But be careful: Providing the certificate chain works only if you are usi
ng | 126 * But be careful: Providing the certificate chain works only if you are usi
ng |
178 * a single (either RSA or DSA) based server certificate. If you are using a | 127 * a single (either RSA or DSA) based server certificate. If you are using a |
179 * coupled RSA+DSA certificate pair, this will work only if actually both | 128 * coupled RSA+DSA certificate pair, this will work only if actually both |
180 * certificates use the same certificate chain. Else the browsers will be | 129 * certificates use the same certificate chain. Else the browsers will be |
181 * confused in this situation. | 130 * confused in this situation. |
182 * @param ctx Server or Client context to use. | 131 * @param ctx Server or Client context to use. |
183 * @param file File of PEM-encoded Server CA Certificates. | 132 * @param file File of PEM-encoded Server CA Certificates. |
184 * @param skipfirst Skip first certificate if chain file is inside | 133 * @param skipfirst Skip first certificate if chain file is inside |
185 * certificate file. | 134 * certificate file. |
| 135 * @return {@code true} if successful |
186 */ | 136 */ |
187 public static native boolean setCertificateChainFile(long ctx, String file, | 137 public static native boolean setCertificateChainFile(long ctx, String file,
boolean skipfirst); |
188 boolean skipfirst); | |
189 /** | 138 /** |
190 * Set BIO of PEM-encoded Server CA Certificates | 139 * Set BIO of PEM-encoded Server CA Certificates |
191 * <p> | 140 * <p> |
192 * This directive sets the optional all-in-one file where you can assemble t
he | 141 * This directive sets the optional all-in-one file where you can assemble t
he |
193 * certificates of Certification Authorities (CA) which form the certificate | 142 * certificates of Certification Authorities (CA) which form the certificate |
194 * chain of the server certificate. This starts with the issuing CA certific
ate | 143 * chain of the server certificate. This starts with the issuing CA certific
ate |
195 * of of the server certificate and can range up to the root CA certificate. | 144 * of of the server certificate and can range up to the root CA certificate. |
196 * Such a file is simply the concatenation of the various PEM-encoded CA | 145 * Such a file is simply the concatenation of the various PEM-encoded CA |
197 * Certificate files, usually in certificate chain order. | 146 * Certificate files, usually in certificate chain order. |
198 * <p> | 147 * <p> |
199 * But be careful: Providing the certificate chain works only if you are usi
ng | 148 * But be careful: Providing the certificate chain works only if you are usi
ng |
200 * a single (either RSA or DSA) based server certificate. If you are using a | 149 * a single (either RSA or DSA) based server certificate. If you are using a |
201 * coupled RSA+DSA certificate pair, this will work only if actually both | 150 * coupled RSA+DSA certificate pair, this will work only if actually both |
202 * certificates use the same certificate chain. Otherwsie the browsers will
be | 151 * certificates use the same certificate chain. Otherwsie the browsers will
be |
203 * confused in this situation. | 152 * confused in this situation. |
204 * @param ctx Server or Client context to use. | 153 * @param ctx Server or Client context to use. |
205 * @param bio BIO of PEM-encoded Server CA Certificates. | 154 * @param bio BIO of PEM-encoded Server CA Certificates. |
206 * @param skipfirst Skip first certificate if chain file is inside | 155 * @param skipfirst Skip first certificate if chain file is inside |
207 * certificate file. | 156 * certificate file. |
| 157 * @return {@code true} if successful |
208 */ | 158 */ |
209 public static native boolean setCertificateChainBio(long ctx, long bio, bool
ean skipfirst); | 159 public static native boolean setCertificateChainBio(long ctx, long bio, bool
ean skipfirst); |
210 | 160 |
211 /** | 161 /** |
212 * Set Certificate | 162 * Set Certificate |
213 * <br> | 163 * <p> |
214 * Point setCertificateFile at a PEM encoded certificate. If | 164 * Point setCertificateFile at a PEM encoded certificate. If |
215 * the certificate is encrypted, then you will be prompted for a | 165 * the certificate is encrypted, then you will be prompted for a |
216 * pass phrase. Note that a kill -HUP will prompt again. A test | 166 * pass phrase. Note that a kill -HUP will prompt again. A test |
217 * certificate can be generated with `make certificate' under | 167 * certificate can be generated with `make certificate' under |
218 * built time. Keep in mind that if you've both a RSA and a DSA | 168 * built time. Keep in mind that if you've both a RSA and a DSA |
219 * certificate you can configure both in parallel (to also allow | 169 * certificate you can configure both in parallel (to also allow |
220 * the use of DSA ciphers, etc.) | 170 * the use of DSA ciphers, etc.) |
221 * <br> | 171 * <p> |
222 * If the key is not combined with the certificate, use key param | 172 * If the key is not combined with the certificate, use key param |
223 * to point at the key file. Keep in mind that if | 173 * to point at the key file. Keep in mind that if |
224 * you've both a RSA and a DSA private key you can configure | 174 * you've both a RSA and a DSA private key you can configure |
225 * both in parallel (to also allow the use of DSA ciphers, etc.) | 175 * both in parallel (to also allow the use of DSA ciphers, etc.) |
226 * @param ctx Server or Client context to use. | 176 * @param ctx Server or Client context to use. |
227 * @param cert Certificate file. | 177 * @param cert Certificate file. |
228 * @param key Private Key file to use if not in cert. | 178 * @param key Private Key file to use if not in cert. |
229 * @param password Certificate password. If null and certificate | 179 * @param password Certificate password. If null and certificate |
230 * is encrypted, password prompt will be displayed. | 180 * is encrypted, password prompt will be displayed. |
231 * @param idx Certificate index SSL_AIDX_RSA or SSL_AIDX_DSA. | 181 * @return {@code true} if successful |
| 182 * @throws Exception if an error happened |
232 */ | 183 */ |
233 public static native boolean setCertificate(long ctx, String cert, | 184 public static native boolean setCertificate(long ctx, String cert, String ke
y, String password) throws Exception; |
234 String key, String password, | |
235 int idx) | |
236 throws Exception; | |
237 | 185 |
238 /** | 186 /** |
239 * Set Certificate | 187 * Set Certificate |
240 * <br> | 188 * <p> |
241 * Point setCertificate at a PEM encoded certificate stored in a BIO. If | 189 * Point setCertificate at a PEM encoded certificate stored in a BIO. If |
242 * the certificate is encrypted, then you will be prompted for a | 190 * the certificate is encrypted, then you will be prompted for a |
243 * pass phrase. Note that a kill -HUP will prompt again. A test | 191 * pass phrase. Note that a kill -HUP will prompt again. A test |
244 * certificate can be generated with `make certificate' under | 192 * certificate can be generated with `make certificate' under |
245 * built time. Keep in mind that if you've both a RSA and a DSA | 193 * built time. Keep in mind that if you've both a RSA and a DSA |
246 * certificate you can configure both in parallel (to also allow | 194 * certificate you can configure both in parallel (to also allow |
247 * the use of DSA ciphers, etc.) | 195 * the use of DSA ciphers, etc.) |
248 * <br> | 196 * <p> |
249 * If the key is not combined with the certificate, use key param | 197 * If the key is not combined with the certificate, use key param |
250 * to point at the key file. Keep in mind that if | 198 * to point at the key file. Keep in mind that if |
251 * you've both a RSA and a DSA private key you can configure | 199 * you've both a RSA and a DSA private key you can configure |
252 * both in parallel (to also allow the use of DSA ciphers, etc.) | 200 * both in parallel (to also allow the use of DSA ciphers, etc.) |
253 * @param ctx Server or Client context to use. | 201 * @param ctx Server or Client context to use. |
254 * @param certBio Certificate BIO. | 202 * @param certBio Certificate BIO. |
255 * @param keyBio Private Key BIO to use if not in cert. | 203 * @param keyBio Private Key BIO to use if not in cert. |
256 * @param password Certificate password. If null and certificate | 204 * @param password Certificate password. If null and certificate |
257 * is encrypted, password prompt will be displayed. | 205 * is encrypted, password prompt will be displayed. |
258 * @param idx Certificate index SSL_AIDX_RSA or SSL_AIDX_DSA. | 206 * @return {@code true} if successful |
| 207 * @throws Exception if an error happened |
259 */ | 208 */ |
260 public static native boolean setCertificateBio( | 209 public static native boolean setCertificateBio(long ctx, long certBio, long
keyBio, String password) throws Exception; |
261 long ctx, long certBio, long keyBio, String password, int idx) throw
s Exception; | |
262 | 210 |
263 /** | 211 /** |
264 * Set the size of the internal session cache. | 212 * Set the size of the internal session cache. |
265 * http://www.openssl.org/docs/ssl/SSL_CTX_sess_set_cache_size.html | 213 * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_set_c
ache_size.html">man SSL_CTX_sess_set_cache_size</a> |
| 214 * @param ctx Server or Client context to use. |
| 215 * @param size the size of the cache |
| 216 * @return the previous set value |
266 */ | 217 */ |
267 public static native long setSessionCacheSize(long ctx, long size); | 218 public static native long setSessionCacheSize(long ctx, long size); |
268 | 219 |
269 /** | 220 /** |
270 * Get the size of the internal session cache. | 221 * Get the size of the internal session cache. |
271 * http://www.openssl.org/docs/ssl/SSL_CTX_sess_get_cache_size.html | 222 * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_get_c
ache_size.html">man SSL_CTX_sess_get_cache_size</a> |
| 223 * @param ctx Server or Client context to use. |
| 224 * @return the current value |
272 */ | 225 */ |
273 public static native long getSessionCacheSize(long ctx); | 226 public static native long getSessionCacheSize(long ctx); |
274 | 227 |
275 /** | 228 /** |
276 * Set the timeout for the internal session cache in seconds. | 229 * Set the timeout for the internal session cache in seconds. |
277 * http://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html | 230 * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_timeou
t.html">man SSL_CTX_set_timeout</a> |
| 231 * @param ctx Server or Client context to use. |
| 232 * @param timeoutSeconds the timeout of the cache |
| 233 * @return the previous set value |
278 */ | 234 */ |
279 public static native long setSessionCacheTimeout(long ctx, long timeoutSecon
ds); | 235 public static native long setSessionCacheTimeout(long ctx, long timeoutSecon
ds); |
280 | 236 |
281 /** | 237 /** |
282 * Get the timeout for the internal session cache in seconds. | 238 * Get the timeout for the internal session cache in seconds. |
283 * http://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html | 239 * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_get_timeou
t.html">man SSL_CTX_get_timeout</a> |
| 240 * @param ctx Server or Client context to use |
| 241 * @return the current value |
284 */ | 242 */ |
285 public static native long getSessionCacheTimeout(long ctx); | 243 public static native long getSessionCacheTimeout(long ctx); |
286 | 244 |
287 /** | 245 /** |
288 * Set the mode of the internal session cache and return the previous used m
ode. | 246 * Set the mode of the internal session cache and return the previous used m
ode. |
| 247 * @param ctx Server or Client context to use |
| 248 * @param mode the mode of the cache |
| 249 * @return the previous set value |
289 */ | 250 */ |
290 public static native long setSessionCacheMode(long ctx, long mode); | 251 public static native long setSessionCacheMode(long ctx, long mode); |
291 | 252 |
292 /** | 253 /** |
293 * Get the mode of the current used internal session cache. | 254 * Get the mode of the current used internal session cache. |
| 255 * |
| 256 * @param ctx Server or Client context to use |
| 257 * @return the current mode |
294 */ | 258 */ |
295 public static native long getSessionCacheMode(long ctx); | 259 public static native long getSessionCacheMode(long ctx); |
296 | 260 |
297 /** | 261 /** |
298 * Session resumption statistics methods. | 262 * Session resumption statistics methods. |
299 * http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html | 263 * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_numbe
r.html">man SSL_CTX_sess_number</a> |
| 264 * @param ctx Server or Client context to use |
| 265 * @return the current number |
300 */ | 266 */ |
301 public static native long sessionAccept(long ctx); | 267 public static native long sessionAccept(long ctx); |
| 268 |
| 269 /** |
| 270 * Session resumption statistics methods. |
| 271 * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_numbe
r.html">man SSL_CTX_sess_number</a> |
| 272 * @param ctx Server or Client context to use |
| 273 * @return the current number |
| 274 */ |
302 public static native long sessionAcceptGood(long ctx); | 275 public static native long sessionAcceptGood(long ctx); |
| 276 |
| 277 /** |
| 278 * Session resumption statistics methods. |
| 279 * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_numbe
r.html">man SSL_CTX_sess_number</a> |
| 280 * @param ctx Server or Client context to use |
| 281 * @return the current number |
| 282 */ |
303 public static native long sessionAcceptRenegotiate(long ctx); | 283 public static native long sessionAcceptRenegotiate(long ctx); |
| 284 |
| 285 /** |
| 286 * Session resumption statistics methods. |
| 287 * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_numbe
r.html">man SSL_CTX_sess_number</a> |
| 288 * @param ctx Server or Client context to use |
| 289 * @return the current number |
| 290 */ |
304 public static native long sessionCacheFull(long ctx); | 291 public static native long sessionCacheFull(long ctx); |
| 292 |
| 293 /** |
| 294 * Session resumption statistics methods. |
| 295 * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_numbe
r.html">man SSL_CTX_sess_number</a> |
| 296 * @param ctx Server or Client context to use |
| 297 * @return the current number |
| 298 */ |
305 public static native long sessionCbHits(long ctx); | 299 public static native long sessionCbHits(long ctx); |
| 300 |
| 301 /** |
| 302 * Session resumption statistics methods. |
| 303 * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_numbe
r.html">man SSL_CTX_sess_number</a> |
| 304 * @param ctx Server or Client context to use |
| 305 * @return the current number |
| 306 */ |
306 public static native long sessionConnect(long ctx); | 307 public static native long sessionConnect(long ctx); |
| 308 |
| 309 /** |
| 310 * Session resumption statistics methods. |
| 311 * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_numbe
r.html">man SSL_CTX_sess_number</a> |
| 312 * @param ctx Server or Client context to use |
| 313 * @return the current number |
| 314 */ |
307 public static native long sessionConnectGood(long ctx); | 315 public static native long sessionConnectGood(long ctx); |
| 316 |
| 317 /** |
| 318 * Session resumption statistics methods. |
| 319 * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_numbe
r.html">man SSL_CTX_sess_number</a> |
| 320 * @param ctx Server or Client context to use |
| 321 * @return the current number |
| 322 */ |
308 public static native long sessionConnectRenegotiate(long ctx); | 323 public static native long sessionConnectRenegotiate(long ctx); |
| 324 |
| 325 /** |
| 326 * Session resumption statistics methods. |
| 327 * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_numbe
r.html">man SSL_CTX_sess_number</a> |
| 328 * @param ctx Server or Client context to use |
| 329 * @return the current number |
| 330 */ |
309 public static native long sessionHits(long ctx); | 331 public static native long sessionHits(long ctx); |
| 332 |
| 333 /** |
| 334 * Session resumption statistics methods. |
| 335 * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_numbe
r.html">man SSL_CTX_sess_number</a> |
| 336 * @param ctx Server or Client context to use |
| 337 * @return the current number |
| 338 */ |
310 public static native long sessionMisses(long ctx); | 339 public static native long sessionMisses(long ctx); |
| 340 |
| 341 /** |
| 342 * Session resumption statistics methods. |
| 343 * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_numbe
r.html">man SSL_CTX_sess_number</a> |
| 344 * @param ctx Server or Client context to use |
| 345 * @return the current number |
| 346 */ |
311 public static native long sessionNumber(long ctx); | 347 public static native long sessionNumber(long ctx); |
| 348 |
| 349 /** |
| 350 * Session resumption statistics methods. |
| 351 * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_numbe
r.html">man SSL_CTX_sess_number</a> |
| 352 * @param ctx Server or Client context to use |
| 353 * @return the current number |
| 354 */ |
312 public static native long sessionTimeouts(long ctx); | 355 public static native long sessionTimeouts(long ctx); |
313 | 356 |
314 /** | 357 /** |
315 * Set TLS session keys. | 358 * TLS session ticket key resumption statistics. |
| 359 * |
| 360 * @param ctx Server or Client context to use |
| 361 * @return the current number |
| 362 */ |
| 363 public static native long sessionTicketKeyNew(long ctx); |
| 364 |
| 365 /** |
| 366 * TLS session ticket key resumption statistics. |
| 367 * |
| 368 * @param ctx Server or Client context to use |
| 369 * @return the current number |
| 370 */ |
| 371 public static native long sessionTicketKeyResume(long ctx); |
| 372 |
| 373 /** |
| 374 * TLS session ticket key resumption statistics. |
| 375 * |
| 376 * @param ctx Server or Client context to use |
| 377 * @return the current number |
| 378 */ |
| 379 public static native long sessionTicketKeyRenew(long ctx); |
| 380 |
| 381 /** |
| 382 * TLS session ticket key resumption statistics. |
| 383 * |
| 384 * @param ctx Server or Client context to use |
| 385 * @return the current number |
| 386 */ |
| 387 public static native long sessionTicketKeyFail(long ctx); |
| 388 |
| 389 /** |
| 390 * Set TLS session ticket keys. |
| 391 * |
| 392 * <p> The first key in the list is the primary key. Tickets dervied from th
e other keys |
| 393 * in the list will be accepted but updated to a new ticket using the primar
y key. This |
| 394 * is useful for implementing ticket key rotation. |
| 395 * See <a href="https://tools.ietf.org/html/rfc5077">RFC 5077</a> |
| 396 * |
| 397 * @param ctx Server or Client context to use |
| 398 * @param keys the {@link SessionTicketKey}s |
316 */ | 399 */ |
317 public static void setSessionTicketKeys(long ctx, SessionTicketKey[] keys) { | 400 public static void setSessionTicketKeys(long ctx, SessionTicketKey[] keys) { |
318 if (keys == null || keys.length == 0) { | 401 if (keys == null || keys.length == 0) { |
319 throw new IllegalArgumentException("Length of the keys should be lon
ger than 0."); | 402 throw new IllegalArgumentException("Length of the keys should be lon
ger than 0."); |
320 } | 403 } |
321 byte[] binaryKeys = new byte[keys.length * SessionTicketKey.TICKET_KEY_S
IZE]; | 404 byte[] binaryKeys = new byte[keys.length * SessionTicketKey.TICKET_KEY_S
IZE]; |
322 for (int i = 0; i < keys.length; i++) { | 405 for (int i = 0; i < keys.length; i++) { |
323 SessionTicketKey key = keys[i]; | 406 SessionTicketKey key = keys[i]; |
324 int dstCurPos = SessionTicketKey.TICKET_KEY_SIZE * i; | 407 int dstCurPos = SessionTicketKey.TICKET_KEY_SIZE * i; |
325 System.arraycopy(key.getName(), 0, binaryKeys, dstCurPos, SessionTic
ketKey.NAME_SIZE); | 408 System.arraycopy(key.name, 0, binaryKeys, dstCurPos, SessionTicketKe
y.NAME_SIZE); |
326 dstCurPos += SessionTicketKey.NAME_SIZE; | 409 dstCurPos += SessionTicketKey.NAME_SIZE; |
327 System.arraycopy(key.getHmacKey(), 0, binaryKeys, dstCurPos, Session
TicketKey.HMAC_KEY_SIZE); | 410 System.arraycopy(key.hmacKey, 0, binaryKeys, dstCurPos, SessionTicke
tKey.HMAC_KEY_SIZE); |
328 dstCurPos += SessionTicketKey.HMAC_KEY_SIZE; | 411 dstCurPos += SessionTicketKey.HMAC_KEY_SIZE; |
329 System.arraycopy(key.getAesKey(), 0, binaryKeys, dstCurPos, SessionT
icketKey.AES_KEY_SIZE); | 412 System.arraycopy(key.aesKey, 0, binaryKeys, dstCurPos, SessionTicket
Key.AES_KEY_SIZE); |
330 } | 413 } |
331 setSessionTicketKeys0(ctx, binaryKeys); | 414 setSessionTicketKeys0(ctx, binaryKeys); |
332 } | 415 } |
333 | 416 |
334 /** | 417 /** |
335 * Set TLS session keys. This allows us to share keys across TFEs. | 418 * Set TLS session keys. |
336 */ | |
337 @Deprecated | |
338 public static void setSessionTicketKeys(long ctx, byte[] keys) { | |
339 if (keys.length % SessionTicketKey.TICKET_KEY_SIZE != 0) { | |
340 throw new IllegalArgumentException("Session ticket keys provided wer
e wrong size. keys.length % " + SessionTicketKey.TICKET_KEY_SIZE + " must be 0")
; | |
341 } | |
342 setSessionTicketKeys0(ctx, keys); | |
343 } | |
344 /** | |
345 * Set TLS session keys. This allows us to share keys across TFEs. | |
346 */ | 419 */ |
347 private static native void setSessionTicketKeys0(long ctx, byte[] keys); | 420 private static native void setSessionTicketKeys0(long ctx, byte[] keys); |
348 | 421 |
349 /** | 422 /** |
350 * Set File and Directory of concatenated PEM-encoded CA Certificates | 423 * Set concatenated PEM-encoded CA Certificates for Client Auth |
351 * for Client Auth | |
352 * <br> | 424 * <br> |
353 * This directive sets the all-in-one file where you can assemble the | 425 * This directive sets the all-in-one BIO where you can assemble the |
354 * Certificates of Certification Authorities (CA) whose clients you deal wit
h. | 426 * Certificates of Certification Authorities (CA) whose clients you deal wit
h. |
355 * These are used for Client Authentication. Such a file is simply the | 427 * These are used for Client Authentication. Such a BIO is simply the |
356 * concatenation of the various PEM-encoded Certificate files, in order of | 428 * concatenation of the various PEM-encoded Certificate files, in order of |
357 * preference. This can be used alternatively and/or additionally to | 429 * preference. This can be used alternatively and/or additionally to |
358 * path. | 430 * path. |
359 * <br> | 431 * <br> |
360 * The files in this directory have to be PEM-encoded and are accessed throu
gh | 432 * @param ctx Server context to use. |
361 * hash filenames. So usually you can't just place the Certificate files the
re: | 433 * @param certBio Directory of PEM-encoded CA Certificates for Client Auth. |
362 * you also have to create symbolic links named hash-value.N. And you should | 434 * @return {@code true} if successful, {@code false} otherwise. |
363 * always make sure this directory contains the appropriate symbolic links. | |
364 * Use the Makefile which comes with mod_ssl to accomplish this task. | |
365 * @param ctx Server or Client context to use. | |
366 * @param file File of concatenated PEM-encoded CA Certificates for | |
367 * Client Auth. | |
368 * @param path Directory of PEM-encoded CA Certificates for Client Auth. | |
369 */ | 435 */ |
370 public static native boolean setCACertificate(long ctx, String file, | 436 public static native boolean setCACertificateBio(long ctx, long certBio); |
371 String path) | |
372 throws Exception; | |
373 | |
374 /** | |
375 * Set file for randomness | |
376 * @param ctx Server or Client context to use. | |
377 * @param file random file. | |
378 */ | |
379 public static native void setRandom(long ctx, String file); | |
380 | |
381 /** | |
382 * Set SSL connection shutdown type | |
383 * <br> | |
384 * The following levels are available for level: | |
385 * <PRE> | |
386 * SSL_SHUTDOWN_TYPE_STANDARD | |
387 * SSL_SHUTDOWN_TYPE_UNCLEAN | |
388 * SSL_SHUTDOWN_TYPE_ACCURATE | |
389 * </PRE> | |
390 * @param ctx Server or Client context to use. | |
391 * @param type Shutdown type to use. | |
392 */ | |
393 public static native void setShutdownType(long ctx, int type); | |
394 | 437 |
395 /** | 438 /** |
396 * Set Type of Client Certificate verification and Maximum depth of CA Certi
ficates | 439 * Set Type of Client Certificate verification and Maximum depth of CA Certi
ficates |
397 * in Client Certificate verification. | 440 * in Client Certificate verification. |
398 * <br> | 441 * <br> |
399 * This directive sets the Certificate verification level for the Client | 442 * This directive sets the Certificate verification level for the Client |
400 * Authentication. Notice that this directive can be used both in per-server | 443 * Authentication. Notice that this directive can be used both in per-server |
401 * and per-directory context. In per-server context it applies to the client | 444 * and per-directory context. In per-server context it applies to the client |
402 * authentication process used in the standard SSL handshake when a connecti
on | 445 * authentication process used in the standard SSL handshake when a connecti
on |
403 * is established. In per-directory context it forces a SSL renegotiation wi
th | 446 * is established. In per-directory context it forces a SSL renegotiation wi
th |
404 * the reconfigured client verification level after the HTTP request was rea
d | 447 * the reconfigured client verification level after the HTTP request was rea
d |
405 * but before the HTTP response is sent. | 448 * but before the HTTP response is sent. |
406 * <br> | 449 * <br> |
407 * The following levels are available for level: | 450 * The following levels are available for level: |
408 * <PRE> | 451 * <ul> |
409 * SSL_CVERIFY_NONE - No client Certificate is required at all | 452 * <li>{@link SSL#SSL_CVERIFY_IGNORED} - The level is ignored. Only depth wi
ll change.</li> |
410 * SSL_CVERIFY_OPTIONAL - The client may present a valid Certificate | 453 * <li>{@link SSL#SSL_CVERIFY_NONE} - No client Certificate is required at a
ll</li> |
411 * SSL_CVERIFY_REQUIRE - The client has to present a valid Certificat
e | 454 * <li>{@link SSL#SSL_CVERIFY_OPTIONAL} - The client may present a valid Cer
tificate</li> |
412 * SSL_CVERIFY_OPTIONAL_NO_CA - The client may present a valid Certificate | 455 * <li>{@link SSL#SSL_CVERIFY_REQUIRED} - The client has to present a valid
Certificate</li> |
413 * but it need not to be (successfully) verifia
ble | 456 * </ul> |
414 * </PRE> | |
415 * <br> | |
416 * The depth actually is the maximum number of intermediate certificate issu
ers, | 457 * The depth actually is the maximum number of intermediate certificate issu
ers, |
417 * i.e. the number of CA certificates which are max allowed to be followed w
hile | 458 * i.e. the number of CA certificates which are max allowed to be followed w
hile |
418 * verifying the client certificate. A depth of 0 means that self-signed cli
ent | 459 * verifying the client certificate. A depth of 0 means that self-signed cli
ent |
419 * certificates are accepted only, the default depth of 1 means the client | 460 * certificates are accepted only, the default depth of 1 means the client |
420 * certificate can be self-signed or has to be signed by a CA which is direc
tly | 461 * certificate can be self-signed or has to be signed by a CA which is direc
tly |
421 * known to the server (i.e. the CA's certificate is under | 462 * known to the server (i.e. the CA's certificate is under |
422 * <code>setCACertificatePath</code>), etc. | 463 * <code>setCACertificatePath</code>), etc. |
423 * @param ctx Server or Client context to use. | 464 * @param ctx Server or Client context to use. |
424 * @param level Type of Client Certificate verification. | 465 * @param level Type of Client Certificate verification. |
425 * @param depth Maximum depth of CA Certificates in Client Certificate | 466 * @param depth Maximum depth of CA Certificates in Client Certificate |
426 * verification. | 467 * verification. |
427 */ | 468 */ |
428 public static native void setVerify(long ctx, int level, int depth); | 469 public static native void setVerify(long ctx, int level, int depth); |
429 | 470 |
430 /** | 471 /** |
431 * Allow to hook {@link CertificateVerifier} into the handshake processing. | 472 * Allow to hook {@link CertificateVerifier} into the handshake processing. |
432 * This will call {@code SSL_CTX_set_cert_verify_callback} and so replace th
e default verification | 473 * This will call {@code SSL_CTX_set_cert_verify_callback} and so replace th
e default verification |
433 * callback used by openssl | 474 * callback used by openssl |
434 * @param ctx Server or Client context to use. | 475 * @param ctx Server or Client context to use. |
435 * @param verifier the verifier to call during handshake. | 476 * @param verifier the verifier to call during handshake. |
436 */ | 477 */ |
437 public static native void setCertVerifyCallback(long ctx, CertificateVerifie
r verifier); | 478 public static native void setCertVerifyCallback(long ctx, CertificateVerifie
r verifier); |
438 | 479 |
439 /** | 480 /** |
440 * Set next protocol for next protocol negotiation extension | 481 * Allow to hook {@link CertificateRequestedCallback} into the certificate c
hoosing process. |
441 * @param ctx Server context to use. | 482 * This will call {@code SSL_CTX_set_client_cert_cb} and so replace the defa
ult verification |
442 * @param nextProtos comma delimited list of protocols in priority order | 483 * callback used by openssl |
443 * | 484 * @param ctx Server or Client context to use. |
444 * @deprecated use {@link #setNpnProtos(long, String[], int)} | 485 * @param callback the callback to call during certificate selection. |
445 */ | 486 */ |
446 @Deprecated | 487 public static native void setCertRequestedCallback(long ctx, CertificateRequ
estedCallback callback); |
447 public static void setNextProtos(long ctx, String nextProtos) { | |
448 setNpnProtos(ctx, nextProtos.split(","), SSL.SSL_SELECTOR_FAILURE_CHOOSE
_MY_LAST_PROTOCOL); | |
449 } | |
450 | 488 |
451 /** | 489 /** |
452 * Set next protocol for next protocol negotiation extension | 490 * Set next protocol for next protocol negotiation extension |
453 * @param ctx Server context to use. | 491 * @param ctx Server context to use. |
454 * @param nextProtos protocols in priority order | 492 * @param nextProtos protocols in priority order |
455 * @param selectorFailureBehavior see {@link SSL#SSL_SELECTOR_FAILURE_NO_ADV
ERTISE} | 493 * @param selectorFailureBehavior see {@link SSL#SSL_SELECTOR_FAILURE_NO_ADV
ERTISE} |
456 * and {@link SSL#SSL_SELECTOR_FAILURE_CHOOSE
_MY_LAST_PROTOCOL} | 494 * and {@link SSL#SSL_SELECTOR_FAILURE_CHOOSE
_MY_LAST_PROTOCOL} |
457 */ | 495 */ |
458 public static native void setNpnProtos(long ctx, String[] nextProtos, int se
lectorFailureBehavior); | 496 public static native void setNpnProtos(long ctx, String[] nextProtos, int se
lectorFailureBehavior); |
459 | 497 |
460 /** | 498 /** |
461 * Set application layer protocol for application layer protocol negotiation
extension | 499 * Set application layer protocol for application layer protocol negotiation
extension |
462 * @param ctx Server context to use. | 500 * @param ctx Server context to use. |
463 * @param alpnProtos protocols in priority order | 501 * @param alpnProtos protocols in priority order |
464 * @param selectorFailureBehavior see {@link SSL#SSL_SELECTOR_FAILURE_NO_ADV
ERTISE} | 502 * @param selectorFailureBehavior see {@link SSL#SSL_SELECTOR_FAILURE_NO_ADV
ERTISE} |
465 * and {@link SSL#SSL_SELECTOR_FAILURE_CHOOSE
_MY_LAST_PROTOCOL} | 503 * and {@link SSL#SSL_SELECTOR_FAILURE_CHOOSE
_MY_LAST_PROTOCOL} |
466 */ | 504 */ |
467 public static native void setAlpnProtos(long ctx, String[] alpnProtos, int s
electorFailureBehavior); | 505 public static native void setAlpnProtos(long ctx, String[] alpnProtos, int s
electorFailureBehavior); |
468 | 506 |
469 /** | 507 /** |
470 * Set DH parameters | 508 * Set length of the DH to use. |
| 509 * |
471 * @param ctx Server context to use. | 510 * @param ctx Server context to use. |
472 * @param cert DH param file (can be generated from e.g. {@code openssl dhpa
ram -rand - 2048 > dhparam.pem} - | 511 * @param length the length. |
473 * see the <a href="https://www.openssl.org/docs/apps/dhparam.ht
ml">OpenSSL documentation</a>). | |
474 */ | 512 */ |
475 public static native void setTmpDH(long ctx, String cert) | 513 public static native void setTmpDHLength(long ctx, int length); |
476 throws Exception; | |
477 | |
478 /** | |
479 * Set ECDH elliptic curve by name | |
480 * @param ctx Server context to use. | |
481 * @param curveName the name of the elliptic curve to use | |
482 * (available names can be obtained from {@code openssl ecparam
-list_curves}). | |
483 */ | |
484 public static native void setTmpECDHByCurveName(long ctx, String curveName) | |
485 throws Exception; | |
486 | 514 |
487 /** | 515 /** |
488 * Set the context within which session be reused (server side only) | 516 * Set the context within which session be reused (server side only). |
489 * http://www.openssl.org/docs/ssl/SSL_CTX_set_session_id_context.html | 517 * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_sessio
n_id_context.html">man SSL_CTX_set_session_id_context</a> |
490 * | 518 * |
491 * @param ctx Server context to use. | 519 * @param ctx Server context to use. |
492 * @param sidCtx can be any kind of binary data, it is therefore possible to
use e.g. the name | 520 * @param sidCtx can be any kind of binary data, it is therefore possible to
use e.g. the name |
493 * of the application and/or the hostname and/or service name | 521 * of the application and/or the hostname and/or service name |
494 * @return {@code true} if success, {@code false} otherwise. | 522 * @return {@code true} if success, {@code false} otherwise. |
495 */ | 523 */ |
496 public static native boolean setSessionIdContext(long ctx, byte[] sidCtx); | 524 public static native boolean setSessionIdContext(long ctx, byte[] sidCtx); |
| 525 |
| 526 /** |
| 527 * Call SSL_CTX_set_mode |
| 528 * |
| 529 * @param ctx context to use |
| 530 * @param mode the mode |
| 531 * @return the set mode. |
| 532 */ |
| 533 public static native int setMode(long ctx, int mode); |
| 534 |
| 535 /** |
| 536 * Call SSL_CTX_get_mode |
| 537 * |
| 538 * @param ctx context to use |
| 539 * @return the mode. |
| 540 */ |
| 541 public static native int getMode(long ctx); |
497 } | 542 } |