Class SslUtil


  • public class SslUtil
    extends java.lang.Object
    Utility for creating SSLContexts.
    • Constructor Summary

      Constructors 
      Constructor Description
      SslUtil()  
    • Method Summary

      Modifier and Type Method Description
      static java.util.List<java.lang.String> getBuiltInCipherList()
      Returns ciphers from the hard-coded list of "reasonable" default ciphers in DEFAULT_CIPHERS_LIST_RESOURCE.
      static java.util.List<java.lang.String> getDefaultCipherList()
      Returns a reasonable default cipher list for new client and server SSL connections.
      static java.util.List<java.lang.String> getEnabledJdkCipherSuites()
      Returns the list of default "enabled" ciphers for server TLS connections, as reported by the default Java security provider.
      static java.security.cert.X509Certificate getServerCertificate(javax.net.ssl.SSLSession sslSession)
      Returns the X509Certificate for the server this session is connected to.
      static io.netty.handler.ssl.SslContext getUpstreamServerSslContext(java.util.Collection<java.lang.String> cipherSuites, TrustSource trustSource)
      Creates a netty SslContext for use when connecting to upstream servers.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • SslUtil

        public SslUtil()
    • Method Detail

      • getUpstreamServerSslContext

        public static io.netty.handler.ssl.SslContext getUpstreamServerSslContext(java.util.Collection<java.lang.String> cipherSuites,
                                                                                  TrustSource trustSource)
        Creates a netty SslContext for use when connecting to upstream servers. Retrieves the list of trusted root CAs from the trustSource. When trustSource is null, no upstream certificate verification will be performed. This makes it possible for attackers to MITM communications with the upstream server, so always supply an appropriate trustSource except in extraordinary circumstances (e.g. testing with dynamically-generated certificates).
        Parameters:
        cipherSuites - cipher suites to allow when connecting to the upstream server
        trustSource - the trust store that will be used to validate upstream servers' certificates, or null to accept all upstream server certificates
        Returns:
        an SslContext to connect to upstream servers with
      • getServerCertificate

        public static java.security.cert.X509Certificate getServerCertificate(javax.net.ssl.SSLSession sslSession)
        Returns the X509Certificate for the server this session is connected to. The certificate may be null.
        Parameters:
        sslSession - SSL session connected to upstream server
        Returns:
        the X.509 certificate from the upstream server, or null if no certificate is available
      • getEnabledJdkCipherSuites

        public static java.util.List<java.lang.String> getEnabledJdkCipherSuites()
        Returns the list of default "enabled" ciphers for server TLS connections, as reported by the default Java security provider. This is most likely a subset of "available" ciphers.
        Returns:
        list of default server ciphers, or an empty list if the default cipher list cannot be loaded
      • getDefaultCipherList

        public static java.util.List<java.lang.String> getDefaultCipherList()
        Returns a reasonable default cipher list for new client and server SSL connections. Not all of the ciphers may be supported by the underlying SSL implementation (OpenSsl or JDK). The default list itself may also vary between OpenSsl and JDK implementations. See defaultCipherList for implementation details.
        Returns:
        default ciphers for client and server connections
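A client-side counterpart to getUpstreamServerSslContext, added here as an example; it is not code from BrowserMob Proxy or Netty. It uses a javax.net.ssl.TrustManagerFactory in place of the page's TrustSource (an assumed substitution) and makes the "null means trust everything" behaviour an explicit opt-in instead of the default, while also applying the cipher-subset and unsupported-suite caveats that getEnabledJdkCipherSuites and getDefaultCipherList describe. It assumes Netty's handler module is on the classpath; the class and method names are the example's own.

```java
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SupportedCipherSuiteFilter;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

public final class UpstreamSslExample {
    // Client SslContext for upstream servers. A null TrustManagerFactory plays the role of the
    // page's null trustSource (no verification) and is refused unless the caller opts in.
    static SslContext upstreamContext(Collection<String> cipherSuites, TrustManagerFactory tmf,
                                      boolean allowInsecure) throws Exception {
        SslContextBuilder b = SslContextBuilder.forClient();
        if (cipherSuites != null && !cipherSuites.isEmpty()) {
            // Drops suites the underlying provider (JDK or OpenSSL) does not support.
            b.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE);
        }
        if (tmf != null) {
            b.trustManager(tmf);
        } else if (allowInsecure) {
            b.trustManager(InsecureTrustManagerFactory.INSTANCE); // MITM-able; test use only
        } else {
            throw new IllegalArgumentException("no trust source: refusing to disable verification");
        }
        return b.build();
    }

    // Trust manager backed by the JVM's default CA store (a null KeyStore selects cacerts).
    static TrustManagerFactory jdkDefaultTrust() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        return tmf;
    }

    // Default-enabled JDK suites: the subset of "available" suites the page describes.
    static List<String> enabledJdkSuites() throws Exception {
        return Arrays.asList(SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites());
    }

    public static void main(String[] args) throws Exception {
        SslContext ctx = upstreamContext(enabledJdkSuites(), jdkDefaultTrust(), false);
        System.out.println("negotiable suites after filtering: " + ctx.cipherSuites().size());
        try { upstreamContext(enabledJdkSuites(), null, false); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```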