| Index: java/io/netty/internal/tcnative/SSLContext.java
|
| diff --git a/java/src/org/apache/tomcat/jni/SSLContext.java b/java/io/netty/internal/tcnative/SSLContext.java
|
| similarity index 61%
|
| rename from java/src/org/apache/tomcat/jni/SSLContext.java
|
| rename to java/io/netty/internal/tcnative/SSLContext.java
|
| index a40d318d50c5c6c33a664fa4d6c9d13219867fd8..80d4aae3f7276dde74034a91883855b595bf0bb1 100644
|
| --- a/java/src/org/apache/tomcat/jni/SSLContext.java
|
| +++ b/java/io/netty/internal/tcnative/SSLContext.java
|
| @@ -1,4 +1,19 @@
|
| /*
|
| + * Copyright 2016 The Netty Project
|
| + *
|
| + * The Netty Project licenses this file to you under the Apache License,
|
| + * version 2.0 (the "License"); you may not use this file except in compliance
|
| + * with the License. You may obtain a copy of the License at:
|
| + *
|
| + * http://www.apache.org/licenses/LICENSE-2.0
|
| + *
|
| + * Unless required by applicable law or agreed to in writing, software
|
| + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
| + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
| + * License for the specific language governing permissions and limitations
|
| + * under the License.
|
| + */
|
| +/*
|
| * Licensed to the Apache Software Foundation (ASF) under one or more
|
| * contributor license agreements. See the NOTICE file distributed with
|
| * this work for additional information regarding copyright ownership.
|
| @@ -15,18 +30,14 @@
|
| * limitations under the License.
|
| */
|
|
|
| -package org.apache.tomcat.jni;
|
| +package io.netty.internal.tcnative;
|
|
|
| -/** SSL Context
|
| - *
|
| - * @author Mladen Turk
|
| - */
|
| public final class SSLContext {
|
|
|
| + private SSLContext() { }
|
|
|
| /**
|
| * Initialize new SSL context
|
| - * @param pool The pool to use.
|
| * @param protocol The SSL protocol to use. It can be any combination of
|
| * the following:
|
| * <PRE>
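Review bot: The class-level Javadoc was removed together with the old `@author` block, so the renamed `public final class SSLContext` now has no summary at all. Keep a short class comment, e.g. `/** JNI bindings for creating and configuring a native SSL context; the other methods operate on the {@code long} handle returned by {@link #make(int, int)}. */`. The added `private SSLContext() { }` would also read better with a one-liner such as `// static JNI facade, not instantiable`.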
|
| @@ -43,8 +54,10 @@ public final class SSLContext {
|
| * SSL_MODE_SERVER
|
| * SSL_MODE_COMBINED
|
| * </PRE>
|
| + * @return the SSLContext struct
|
| + * @throws Exception if an error happened
|
| */
|
| - public static native long make(long pool, int protocol, int mode)
|
| + public static native long make(int protocol, int mode)
|
| throws Exception;
|
|
|
| /**
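Review bot: `@return the SSLContext struct` on the new `make(int protocol, int mode)` describes a `long` as a struct; what is returned is a native handle, and the doc should say how it is owned. Suggest `@return native handle to the new SSL context, passed as {@code ctx} to the other methods of this class; the caller is responsible for releasing it`. The release call is not part of this diff, so name it in the comment if one exists.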
|
| @@ -62,27 +75,6 @@ public final class SSLContext {
|
| public static native void setContextId(long ctx, String id);
|
|
|
| /**
|
| - * Associate BIOCallback for input or output data capture.
|
| - * <br>
|
| - * First word in the output string will contain error
|
| - * level in the form:
|
| - * <PRE>
|
| - * [ERROR] -- Critical error messages
|
| - * [WARN] -- Warning messages
|
| - * [INFO] -- Informational messages
|
| - * [DEBUG] -- Debugging messaged
|
| - * </PRE>
|
| - * Callback can use that word to determine application logging level
|
| - * by intercepting <b>write</b> call.
|
| - * If the <b>bio</b> is set to 0 no error messages will be displayed.
|
| - * Default is to use the stderr output stream.
|
| - * @param ctx Server or Client context to use.
|
| - * @param bio BIO handle to use, created with SSL.newBIO
|
| - * @param dir BIO direction (1 for input 0 for output).
|
| - */
|
| - public static native void setBIO(long ctx, long bio, int dir);
|
| -
|
| - /**
|
| * Set OpenSSL Option.
|
| * @param ctx Server or Client context to use.
|
| * @param options See SSL.SSL_OP_* for option flags.
|
| @@ -104,27 +96,6 @@ public final class SSLContext {
|
| public static native void clearOptions(long ctx, int options);
|
|
|
| /**
|
| - * Sets the "quiet shutdown" flag for <b>ctx</b> to be
|
| - * <b>mode</b>. SSL objects created from <b>ctx</b> inherit the
|
| - * <b>mode</b> valid at the time and may be 0 or 1.
|
| - * <br>
|
| - * Normally when a SSL connection is finished, the parties must send out
|
| - * "close notify" alert messages using L<SSL_shutdown(3)|SSL_shutdown(3)>
|
| - * for a clean shutdown.
|
| - * <br>
|
| - * When setting the "quiet shutdown" flag to 1, <b>SSL.shutdown</b>
|
| - * will set the internal flags to SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN.
|
| - * (<b>SSL_shutdown</b> then behaves like called with
|
| - * SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN.)
|
| - * The session is thus considered to be shutdown, but no "close notify" alert
|
| - * is sent to the peer. This behaviour violates the TLS standard.
|
| - * The default is normal shutdown behaviour as described by the TLS standard.
|
| - * @param ctx Server or Client context to use.
|
| - * @param mode True to set the quiet shutdown.
|
| - */
|
| - public static native void setQuietShutdown(long ctx, boolean mode);
|
| -
|
| - /**
|
| * Cipher Suite available for negotiation in SSL handshake.
|
| * <br>
|
| * This complex directive uses a colon-separated cipher-spec string consisting
|
| @@ -137,32 +108,10 @@ public final class SSLContext {
|
| * was read but before the HTTP response is sent.
|
| * @param ctx Server or Client context to use.
|
| * @param ciphers An SSL cipher specification.
|
| + * @return {@code true} if successful
|
| + * @throws Exception if an error happened
|
| */
|
| - public static native boolean setCipherSuite(long ctx, String ciphers)
|
| - throws Exception;
|
| -
|
| - /**
|
| - * Set File of concatenated PEM-encoded CA CRLs or
|
| - * directory of PEM-encoded CA Certificates for Client Auth
|
| - * <br>
|
| - * This directive sets the all-in-one file where you can assemble the
|
| - * Certificate Revocation Lists (CRL) of Certification Authorities (CA)
|
| - * whose clients you deal with. These are used for Client Authentication.
|
| - * Such a file is simply the concatenation of the various PEM-encoded CRL
|
| - * files, in order of preference.
|
| - * <br>
|
| - * The files in this directory have to be PEM-encoded and are accessed through
|
| - * hash filenames. So usually you can't just place the Certificate files there:
|
| - * you also have to create symbolic links named hash-value.N. And you should
|
| - * always make sure this directory contains the appropriate symbolic links.
|
| - * Use the Makefile which comes with mod_ssl to accomplish this task.
|
| - * @param ctx Server or Client context to use.
|
| - * @param file File of concatenated PEM-encoded CA CRLs for Client Auth.
|
| - * @param path Directory of PEM-encoded CA Certificates for Client Auth.
|
| - */
|
| - public static native boolean setCARevocation(long ctx, String file,
|
| - String path)
|
| - throws Exception;
|
| + public static native boolean setCipherSuite(long ctx, String ciphers) throws Exception;
|
|
|
| /**
|
| * Set File of PEM-encoded Server CA Certificates
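Review bot: The new Javadoc on `setCipherSuite` carries both `@return {@code true} if successful` and `@throws Exception if an error happened` without saying which failure takes which path, so a caller cannot tell whether a `false` return has to be checked in addition to catching. The same pair is added to `setCertificate` and `setCertificateBio` in later hunks. An ignored `false` would presumably leave the context on its previous cipher list, so the contract matters; if the native side only returns `false` for a specific case, say so, e.g. `@return {@code true} if the cipher specification was applied, {@code false} if it could not be applied without raising an error` — verify against the JNI implementation, which is not in this diff.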
|
| @@ -183,9 +132,9 @@ public final class SSLContext {
|
| * @param file File of PEM-encoded Server CA Certificates.
|
| * @param skipfirst Skip first certificate if chain file is inside
|
| * certificate file.
|
| + * @return {@code true} if successful
|
| */
|
| - public static native boolean setCertificateChainFile(long ctx, String file,
|
| - boolean skipfirst);
|
| + public static native boolean setCertificateChainFile(long ctx, String file, boolean skipfirst);
|
| /**
|
| * Set BIO of PEM-encoded Server CA Certificates
|
| * <p>
|
| @@ -205,12 +154,13 @@ public final class SSLContext {
|
| * @param bio BIO of PEM-encoded Server CA Certificates.
|
| * @param skipfirst Skip first certificate if chain file is inside
|
| * certificate file.
|
| + * @return {@code true} if successful
|
| */
|
| public static native boolean setCertificateChainBio(long ctx, long bio, boolean skipfirst);
|
|
|
| /**
|
| * Set Certificate
|
| - * <br>
|
| + * <p>
|
| * Point setCertificateFile at a PEM encoded certificate. If
|
| * the certificate is encrypted, then you will be prompted for a
|
| * pass phrase. Note that a kill -HUP will prompt again. A test
|
| @@ -218,7 +168,7 @@ public final class SSLContext {
|
| * built time. Keep in mind that if you've both a RSA and a DSA
|
| * certificate you can configure both in parallel (to also allow
|
| * the use of DSA ciphers, etc.)
|
| - * <br>
|
| + * <p>
|
| * If the key is not combined with the certificate, use key param
|
| * to point at the key file. Keep in mind that if
|
| * you've both a RSA and a DSA private key you can configure
|
| @@ -228,16 +178,14 @@ public final class SSLContext {
|
| * @param key Private Key file to use if not in cert.
|
| * @param password Certificate password. If null and certificate
|
| * is encrypted, password prompt will be displayed.
|
| - * @param idx Certificate index SSL_AIDX_RSA or SSL_AIDX_DSA.
|
| + * @return {@code true} if successful
|
| + * @throws Exception if an error happened
|
| */
|
| - public static native boolean setCertificate(long ctx, String cert,
|
| - String key, String password,
|
| - int idx)
|
| - throws Exception;
|
| + public static native boolean setCertificate(long ctx, String cert, String key, String password) throws Exception;
|
|
|
| /**
|
| * Set Certificate
|
| - * <br>
|
| + * <p>
|
| * Point setCertificate at a PEM encoded certificate stored in a BIO. If
|
| * the certificate is encrypted, then you will be prompted for a
|
| * pass phrase. Note that a kill -HUP will prompt again. A test
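Review bot: `setCertificate` drops the `idx` parameter (`SSL_AIDX_RSA`/`SSL_AIDX_DSA`), but the surrounding Javadoc, in the context lines of the preceding hunk, still tells the reader that an RSA and a DSA certificate "can be configured in parallel", which appears to be exactly what the index used to select. Either document how the single-slot API behaves when called twice on the same context or remove those sentences; the same applies to `setCertificateBio` in the next hunk. The retained sentence `If null and certificate is encrypted, password prompt will be displayed` describes an interactive prompt that is unlikely to be what a library binding does — confirm what the native code does with a {@code null} password and document that instead.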
|
| @@ -245,7 +193,7 @@ public final class SSLContext {
|
| * built time. Keep in mind that if you've both a RSA and a DSA
|
| * certificate you can configure both in parallel (to also allow
|
| * the use of DSA ciphers, etc.)
|
| - * <br>
|
| + * <p>
|
| * If the key is not combined with the certificate, use key param
|
| * to point at the key file. Keep in mind that if
|
| * you've both a RSA and a DSA private key you can configure
|
| @@ -255,64 +203,199 @@ public final class SSLContext {
|
| * @param keyBio Private Key BIO to use if not in cert.
|
| * @param password Certificate password. If null and certificate
|
| * is encrypted, password prompt will be displayed.
|
| - * @param idx Certificate index SSL_AIDX_RSA or SSL_AIDX_DSA.
|
| + * @return {@code true} if successful
|
| + * @throws Exception if an error happened
|
| */
|
| - public static native boolean setCertificateBio(
|
| - long ctx, long certBio, long keyBio, String password, int idx) throws Exception;
|
| + public static native boolean setCertificateBio(long ctx, long certBio, long keyBio, String password) throws Exception;
|
|
|
| /**
|
| * Set the size of the internal session cache.
|
| - * http://www.openssl.org/docs/ssl/SSL_CTX_sess_set_cache_size.html
|
| + * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_set_cache_size.html">man SSL_CTX_sess_set_cache_size</a>
|
| + * @param ctx Server or Client context to use.
|
| + * @param size the size of the cache
|
| + * @return the previous set value
|
| */
|
| public static native long setSessionCacheSize(long ctx, long size);
|
|
|
| /**
|
| * Get the size of the internal session cache.
|
| - * http://www.openssl.org/docs/ssl/SSL_CTX_sess_get_cache_size.html
|
| + * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_get_cache_size.html">man SSL_CTX_sess_get_cache_size</a>
|
| + * @param ctx Server or Client context to use.
|
| + * @return the current value
|
| */
|
| public static native long getSessionCacheSize(long ctx);
|
|
|
| /**
|
| * Set the timeout for the internal session cache in seconds.
|
| - * http://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html
|
| + * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_timeout.html">man SSL_CTX_set_timeout</a>
|
| + * @param ctx Server or Client context to use.
|
| + * @param timeoutSeconds the timeout of the cache
|
| + * @return the previous set value
|
| */
|
| public static native long setSessionCacheTimeout(long ctx, long timeoutSeconds);
|
|
|
| /**
|
| * Get the timeout for the internal session cache in seconds.
|
| - * http://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html
|
| + * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_get_timeout.html">man SSL_CTX_get_timeout</a>
|
| + * @param ctx Server or Client context to use
|
| + * @return the current value
|
| */
|
| public static native long getSessionCacheTimeout(long ctx);
|
|
|
| /**
|
| * Set the mode of the internal session cache and return the previous used mode.
|
| + * @param ctx Server or Client context to use
|
| + * @param mode the mode of the cache
|
| + * @return the previous set value
|
| */
|
| public static native long setSessionCacheMode(long ctx, long mode);
|
|
|
| /**
|
| * Get the mode of the current used internal session cache.
|
| + *
|
| + * @param ctx Server or Client context to use
|
| + * @return the current mode
|
| */
|
| public static native long getSessionCacheMode(long ctx);
|
|
|
| /**
|
| * Session resumption statistics methods.
|
| - * http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html
|
| + * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_number.html">man SSL_CTX_sess_number</a>
|
| + * @param ctx Server or Client context to use
|
| + * @return the current number
|
| */
|
| public static native long sessionAccept(long ctx);
|
| +
|
| + /**
|
| + * Session resumption statistics methods.
|
| + * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_number.html">man SSL_CTX_sess_number</a>
|
| + * @param ctx Server or Client context to use
|
| + * @return the current number
|
| + */
|
| public static native long sessionAcceptGood(long ctx);
|
| +
|
| + /**
|
| + * Session resumption statistics methods.
|
| + * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_number.html">man SSL_CTX_sess_number</a>
|
| + * @param ctx Server or Client context to use
|
| + * @return the current number
|
| + */
|
| public static native long sessionAcceptRenegotiate(long ctx);
|
| +
|
| + /**
|
| + * Session resumption statistics methods.
|
| + * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_number.html">man SSL_CTX_sess_number</a>
|
| + * @param ctx Server or Client context to use
|
| + * @return the current number
|
| + */
|
| public static native long sessionCacheFull(long ctx);
|
| +
|
| + /**
|
| + * Session resumption statistics methods.
|
| + * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_number.html">man SSL_CTX_sess_number</a>
|
| + * @param ctx Server or Client context to use
|
| + * @return the current number
|
| + */
|
| public static native long sessionCbHits(long ctx);
|
| +
|
| + /**
|
| + * Session resumption statistics methods.
|
| + * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_number.html">man SSL_CTX_sess_number</a>
|
| + * @param ctx Server or Client context to use
|
| + * @return the current number
|
| + */
|
| public static native long sessionConnect(long ctx);
|
| +
|
| + /**
|
| + * Session resumption statistics methods.
|
| + * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_number.html">man SSL_CTX_sess_number</a>
|
| + * @param ctx Server or Client context to use
|
| + * @return the current number
|
| + */
|
| public static native long sessionConnectGood(long ctx);
|
| +
|
| + /**
|
| + * Session resumption statistics methods.
|
| + * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_number.html">man SSL_CTX_sess_number</a>
|
| + * @param ctx Server or Client context to use
|
| + * @return the current number
|
| + */
|
| public static native long sessionConnectRenegotiate(long ctx);
|
| +
|
| + /**
|
| + * Session resumption statistics methods.
|
| + * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_number.html">man SSL_CTX_sess_number</a>
|
| + * @param ctx Server or Client context to use
|
| + * @return the current number
|
| + */
|
| public static native long sessionHits(long ctx);
|
| +
|
| + /**
|
| + * Session resumption statistics methods.
|
| + * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_number.html">man SSL_CTX_sess_number</a>
|
| + * @param ctx Server or Client context to use
|
| + * @return the current number
|
| + */
|
| public static native long sessionMisses(long ctx);
|
| +
|
| + /**
|
| + * Session resumption statistics methods.
|
| + * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_number.html">man SSL_CTX_sess_number</a>
|
| + * @param ctx Server or Client context to use
|
| + * @return the current number
|
| + */
|
| public static native long sessionNumber(long ctx);
|
| +
|
| + /**
|
| + * Session resumption statistics methods.
|
| + * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_sess_number.html">man SSL_CTX_sess_number</a>
|
| + * @param ctx Server or Client context to use
|
| + * @return the current number
|
| + */
|
| public static native long sessionTimeouts(long ctx);
|
|
|
| /**
|
| - * Set TLS session keys.
|
| + * TLS session ticket key resumption statistics.
|
| + *
|
| + * @param ctx Server or Client context to use
|
| + * @return the current number
|
| + */
|
| + public static native long sessionTicketKeyNew(long ctx);
|
| +
|
| + /**
|
| + * TLS session ticket key resumption statistics.
|
| + *
|
| + * @param ctx Server or Client context to use
|
| + * @return the current number
|
| + */
|
| + public static native long sessionTicketKeyResume(long ctx);
|
| +
|
| + /**
|
| + * TLS session ticket key resumption statistics.
|
| + *
|
| + * @param ctx Server or Client context to use
|
| + * @return the current number
|
| + */
|
| + public static native long sessionTicketKeyRenew(long ctx);
|
| +
|
| + /**
|
| + * TLS session ticket key resumption statistics.
|
| + *
|
| + * @param ctx Server or Client context to use
|
| + * @return the current number
|
| + */
|
| + public static native long sessionTicketKeyFail(long ctx);
|
| +
|
| + /**
|
| + * Set TLS session ticket keys.
|
| + *
|
| + * <p> The first key in the list is the primary key. Tickets dervied from the other keys
|
| + * in the list will be accepted but updated to a new ticket using the primary key. This
|
| + * is useful for implementing ticket key rotation.
|
| + * See <a href="https://tools.ietf.org/html/rfc5077">RFC 5077</a>
|
| + *
|
| + * @param ctx Server or Client context to use
|
| + * @param keys the {@link SessionTicketKey}s
|
| */
|
| public static void setSessionTicketKeys(long ctx, SessionTicketKey[] keys) {
|
| if (keys == null || keys.length == 0) {
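Review bot: The new Javadoc on `setSessionTicketKeys` has a typo, `dervied` should be `derived`, and it does not document the null/empty case that the body visibly tests at `if (keys == null || keys.length == 0)` — add a `@throws` tag or a sentence stating what happens there (the method body continues in the next hunk). The four added `sessionTicketKey*` methods share the identical summary `TLS session ticket key resumption statistics.`, which tells a reader nothing about which event each counter tracks; give each a one-line description of the event it counts, checked against the native implementation. The accessors from `sessionAccept` to `sessionTimeouts` all link to `SSL_CTX_sess_number`, which is acceptable since that man page covers the whole `SSL_CTX_sess_*` family, but their shared summary `Session resumption statistics methods.` could likewise name the individual counter.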
|
| @@ -322,75 +405,35 @@ public final class SSLContext {
|
| for (int i = 0; i < keys.length; i++) {
|
| SessionTicketKey key = keys[i];
|
| int dstCurPos = SessionTicketKey.TICKET_KEY_SIZE * i;
|
| - System.arraycopy(key.getName(), 0, binaryKeys, dstCurPos, SessionTicketKey.NAME_SIZE);
|
| + System.arraycopy(key.name, 0, binaryKeys, dstCurPos, SessionTicketKey.NAME_SIZE);
|
| dstCurPos += SessionTicketKey.NAME_SIZE;
|
| - System.arraycopy(key.getHmacKey(), 0, binaryKeys, dstCurPos, SessionTicketKey.HMAC_KEY_SIZE);
|
| + System.arraycopy(key.hmacKey, 0, binaryKeys, dstCurPos, SessionTicketKey.HMAC_KEY_SIZE);
|
| dstCurPos += SessionTicketKey.HMAC_KEY_SIZE;
|
| - System.arraycopy(key.getAesKey(), 0, binaryKeys, dstCurPos, SessionTicketKey.AES_KEY_SIZE);
|
| + System.arraycopy(key.aesKey, 0, binaryKeys, dstCurPos, SessionTicketKey.AES_KEY_SIZE);
|
| }
|
| setSessionTicketKeys0(ctx, binaryKeys);
|
| }
|
|
|
| /**
|
| - * Set TLS session keys. This allows us to share keys across TFEs.
|
| - */
|
| - @Deprecated
|
| - public static void setSessionTicketKeys(long ctx, byte[] keys) {
|
| - if (keys.length % SessionTicketKey.TICKET_KEY_SIZE != 0) {
|
| - throw new IllegalArgumentException("Session ticket keys provided were wrong size. keys.length % " + SessionTicketKey.TICKET_KEY_SIZE + " must be 0");
|
| - }
|
| - setSessionTicketKeys0(ctx, keys);
|
| - }
|
| - /**
|
| - * Set TLS session keys. This allows us to share keys across TFEs.
|
| + * Set TLS session keys.
|
| */
|
| private static native void setSessionTicketKeys0(long ctx, byte[] keys);
|
|
|
| /**
|
| - * Set File and Directory of concatenated PEM-encoded CA Certificates
|
| - * for Client Auth
|
| + * Set concatenated PEM-encoded CA Certificates for Client Auth
|
| * <br>
|
| - * This directive sets the all-in-one file where you can assemble the
|
| + * This directive sets the all-in-one BIO where you can assemble the
|
| * Certificates of Certification Authorities (CA) whose clients you deal with.
|
| - * These are used for Client Authentication. Such a file is simply the
|
| + * These are used for Client Authentication. Such a BIO is simply the
|
| * concatenation of the various PEM-encoded Certificate files, in order of
|
| * preference. This can be used alternatively and/or additionally to
|
| * path.
|
| * <br>
|
| - * The files in this directory have to be PEM-encoded and are accessed through
|
| - * hash filenames. So usually you can't just place the Certificate files there:
|
| - * you also have to create symbolic links named hash-value.N. And you should
|
| - * always make sure this directory contains the appropriate symbolic links.
|
| - * Use the Makefile which comes with mod_ssl to accomplish this task.
|
| - * @param ctx Server or Client context to use.
|
| - * @param file File of concatenated PEM-encoded CA Certificates for
|
| - * Client Auth.
|
| - * @param path Directory of PEM-encoded CA Certificates for Client Auth.
|
| - */
|
| - public static native boolean setCACertificate(long ctx, String file,
|
| - String path)
|
| - throws Exception;
|
| -
|
| - /**
|
| - * Set file for randomness
|
| - * @param ctx Server or Client context to use.
|
| - * @param file random file.
|
| - */
|
| - public static native void setRandom(long ctx, String file);
|
| -
|
| - /**
|
| - * Set SSL connection shutdown type
|
| - * <br>
|
| - * The following levels are available for level:
|
| - * <PRE>
|
| - * SSL_SHUTDOWN_TYPE_STANDARD
|
| - * SSL_SHUTDOWN_TYPE_UNCLEAN
|
| - * SSL_SHUTDOWN_TYPE_ACCURATE
|
| - * </PRE>
|
| - * @param ctx Server or Client context to use.
|
| - * @param type Shutdown type to use.
|
| + * @param ctx Server context to use.
|
| + * @param certBio Directory of PEM-encoded CA Certificates for Client Auth.
|
| + * @return {@code true} if successful, {@code false} otherwise.
|
| */
|
| - public static native void setShutdownType(long ctx, int type);
|
| + public static native boolean setCACertificateBio(long ctx, long certBio);
|
|
|
| /**
|
| * Set Type of Client Certificate verification and Maximum depth of CA Certificates
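Review bot: The copy loop in `setSessionTicketKeys` (whose signature and null/empty check are in the previous hunk) copies exactly `NAME_SIZE`, `HMAC_KEY_SIZE` and `AES_KEY_SIZE` bytes out of `key.name`, `key.hmacKey` and `key.aesKey`, and now that these are read as plain fields rather than through accessors nothing visible here guarantees their lengths. A shorter array fails with an `ArrayIndexOutOfBoundsException` deep in the loop and a longer one is silently truncated, which hands the native side different key material than the caller supplied. Unless `SessionTicketKey` enforces the sizes in its constructor (not in this diff), validate each key before copying, as below (assuming the fields are `byte[]`). Separately, the new `@param certBio Directory of PEM-encoded CA Certificates for Client Auth.` on `setCACertificateBio` is wrong — the argument is a BIO, not a directory — and the retained sentence `This can be used alternatively and/or additionally to path.` refers to a parameter that no longer exists; suggest `@param certBio BIO containing the concatenated PEM-encoded CA certificates for client auth.`
```java
    SessionTicketKey key = keys[i];
    if (key == null) {
        throw new IllegalArgumentException("keys[" + i + "] must not be null");
    }
    if (key.name.length != SessionTicketKey.NAME_SIZE
            || key.hmacKey.length != SessionTicketKey.HMAC_KEY_SIZE
            || key.aesKey.length != SessionTicketKey.AES_KEY_SIZE) {
        throw new IllegalArgumentException("keys[" + i + "] has a name/hmacKey/aesKey of unexpected length");
    }
    // … unchanged: dstCurPos computation and the three System.arraycopy calls …
```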
|
| @@ -405,14 +448,12 @@ public final class SSLContext {
|
| * but before the HTTP response is sent.
|
| * <br>
|
| * The following levels are available for level:
|
| - * <PRE>
|
| - * SSL_CVERIFY_NONE - No client Certificate is required at all
|
| - * SSL_CVERIFY_OPTIONAL - The client may present a valid Certificate
|
| - * SSL_CVERIFY_REQUIRE - The client has to present a valid Certificate
|
| - * SSL_CVERIFY_OPTIONAL_NO_CA - The client may present a valid Certificate
|
| - * but it need not to be (successfully) verifiable
|
| - * </PRE>
|
| - * <br>
|
| + * <ul>
|
| + * <li>{@link SSL#SSL_CVERIFY_IGNORED} - The level is ignored. Only depth will change.</li>
|
| + * <li>{@link SSL#SSL_CVERIFY_NONE} - No client Certificate is required at all</li>
|
| + * <li>{@link SSL#SSL_CVERIFY_OPTIONAL} - The client may present a valid Certificate</li>
|
| + * <li>{@link SSL#SSL_CVERIFY_REQUIRED} - The client has to present a valid Certificate</li>
|
| + * </ul>
|
| * The depth actually is the maximum number of intermediate certificate issuers,
|
| * i.e. the number of CA certificates which are max allowed to be followed while
|
| * verifying the client certificate. A depth of 0 means that self-signed client
|
| @@ -437,16 +478,13 @@ public final class SSLContext {
|
| public static native void setCertVerifyCallback(long ctx, CertificateVerifier verifier);
|
|
|
| /**
|
| - * Set next protocol for next protocol negotiation extension
|
| - * @param ctx Server context to use.
|
| - * @param nextProtos comma delimited list of protocols in priority order
|
| - *
|
| - * @deprecated use {@link #setNpnProtos(long, String[], int)}
|
| + * Allow to hook {@link CertificateRequestedCallback} into the certificate choosing process.
|
| + * This will call {@code SSL_CTX_set_client_cert_cb} and so replace the default verification
|
| + * callback used by openssl
|
| + * @param ctx Server or Client context to use.
|
| + * @param callback the callback to call during certificate selection.
|
| */
|
| - @Deprecated
|
| - public static void setNextProtos(long ctx, String nextProtos) {
|
| - setNpnProtos(ctx, nextProtos.split(","), SSL.SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL);
|
| - }
|
| + public static native void setCertRequestedCallback(long ctx, CertificateRequestedCallback callback);
|
|
|
| /**
|
| * Set next protocol for next protocol negotiation extension
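Review bot: The new Javadoc on `setCertRequestedCallback` says the hook will `replace the default verification callback used by openssl`, but `SSL_CTX_set_client_cert_cb` installs the client-certificate selection callback (invoked when the server asks the client for a certificate); it does not touch certificate verification, which is what `setCertVerifyCallback` just above configures. Conflating the two invites the reader to believe a verifier is being bypassed. Suggest `This will call {@code SSL_CTX_set_client_cert_cb} and so replaces OpenSSL's default client certificate selection callback; it does not alter how peer certificates are verified.` Since that callback is only consulted on the client side, `@param ctx Server or Client context to use.` should presumably read `Client context to use.` — confirm.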
|
| @@ -467,26 +505,16 @@ public final class SSLContext {
|
| public static native void setAlpnProtos(long ctx, String[] alpnProtos, int selectorFailureBehavior);
|
|
|
| /**
|
| - * Set DH parameters
|
| - * @param ctx Server context to use.
|
| - * @param cert DH param file (can be generated from e.g. {@code openssl dhparam -rand - 2048 > dhparam.pem} -
|
| - * see the <a href="https://www.openssl.org/docs/apps/dhparam.html">OpenSSL documentation</a>).
|
| - */
|
| - public static native void setTmpDH(long ctx, String cert)
|
| - throws Exception;
|
| -
|
| - /**
|
| - * Set ECDH elliptic curve by name
|
| + * Set length of the DH to use.
|
| + *
|
| * @param ctx Server context to use.
|
| - * @param curveName the name of the elliptic curve to use
|
| - * (available names can be obtained from {@code openssl ecparam -list_curves}).
|
| + * @param length the length.
|
| */
|
| - public static native void setTmpECDHByCurveName(long ctx, String curveName)
|
| - throws Exception;
|
| + public static native void setTmpDHLength(long ctx, int length);
|
|
|
| /**
|
| - * Set the context within which session be reused (server side only)
|
| - * http://www.openssl.org/docs/ssl/SSL_CTX_set_session_id_context.html
|
| + * Set the context within which session be reused (server side only).
|
| + * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_session_id_context.html">man SSL_CTX_set_session_id_context</a>
|
| *
|
| * @param ctx Server context to use.
|
| * @param sidCtx can be any kind of binary data, it is therefore possible to use e.g. the name
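Review bot: `@param length the length.` on the new `setTmpDHLength` gives neither a unit nor a range, and this parameter directly determines the strength of the ephemeral DH key exchange. State what the native side accepts, e.g. `@param length size of the ephemeral DH parameters in bits (2048 or more is the generally recommended minimum)` — confirm the unit and any minimum enforced by the JNI implementation, which is not in this diff. It would also help to say what happens for an unsupported value (exception vs. silently ignored), since the method no longer declares `throws Exception` as the removed `setTmpDH` did.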
|
| @@ -494,4 +522,21 @@ public final class SSLContext {
|
| * @return {@code true} if success, {@code false} otherwise.
|
| */
|
| public static native boolean setSessionIdContext(long ctx, byte[] sidCtx);
|
| +
|
| + /**
|
| + * Call SSL_CTX_set_mode
|
| + *
|
| + * @param ctx context to use
|
| + * @param mode the mode
|
| + * @return the set mode.
|
| + */
|
| + public static native int setMode(long ctx, int mode);
|
| +
|
| + /**
|
| + * Call SSL_CTX_get_mode
|
| + *
|
| + * @param ctx context to use
|
| + * @return the mode.
|
| + */
|
| + public static native int getMode(long ctx);
|
| }
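Review bot: `@param mode the mode` and `@return the set mode.` on the new `setMode` repeat the parameter name rather than describe it. `SSL_CTX_set_mode` takes a bitmask of `SSL_MODE_*` flags and ORs them into the current mode, returning the resulting mask, so suggest `@param mode bitmask of {@code SSL_MODE_*} flags to enable (added to, not replacing, the flags already set)` and `@return the resulting mode bitmask`; `getMode` can then say `@return the current {@code SSL_MODE_*} bitmask`. Without this a reader may assume `setMode` replaces the mode outright.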
|
|
|