Class SSLSocketFactory
- All Implemented Interfaces:
LayeredSocketFactory,SocketFactory
public class SSLSocketFactory extends Object implements LayeredSocketFactory
SSLSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates and to authenticate to the HTTPS server using a private key.
SSLSocketFactory will enable server authentication when supplied with
a truststore file containg one or several trusted
certificates. The client secure socket will reject the connection during
the SSL session handshake if the target HTTPS server attempts to
authenticate itself with a non-trusted certificate.
Use JDK keytool utility to import a trusted certificate and generate a truststore file:
keytool -import -alias "my server cert" -file server.crt -keystore my.truststore
SSLSocketFactory will enable client authentication when supplied with
a keystore file containg a private key/public certificate
pair. The client secure socket will use the private key to authenticate
itself to the target HTTPS server during the SSL session handshake if
requested to do so by the server.
The target HTTPS server will in its turn verify the certificate presented
by the client in order to establish client's authenticity
Use the following sequence of actions to generate a keystore file
-
Use JDK keytool utility to generate a new key
keytool -genkey -v -alias "my client key" -validity 365 -keystore my.keystore
For simplicity use the same password for the key as that of the keystore -
Issue a certificate signing request (CSR)
keytool -certreq -alias "my client key" -file mycertreq.csr -keystore my.keystore
-
Send the certificate request to the trusted Certificate Authority for signature. One may choose to act as her own CA and sign the certificate request using a PKI tool, such as OpenSSL.
-
Import the trusted CA root certificate
keytool -import -alias "my trusted ca" -file caroot.crt -keystore my.keystore
-
Import the PKCS#7 file containg the complete certificate chain
keytool -import -alias "my client key" -file mycert.p7 -keystore my.keystore
-
Verify the content the resultant keystore file
keytool -list -v -keystore my.keystore
- Author:
- Oleg Kalnichevski, Julius Davies
-
Field Summary
Fields Modifier and Type Field Description static X509HostnameVerifierALLOW_ALL_HOSTNAME_VERIFIERstatic X509HostnameVerifierBROWSER_COMPATIBLE_HOSTNAME_VERIFIERstatic StringSSLstatic StringSSLV2static X509HostnameVerifierSTRICT_HOSTNAME_VERIFIERstatic StringTLS -
Constructor Summary
Constructors Constructor Description SSLSocketFactory(String algorithm, KeyStore keystore, String keystorePassword, KeyStore truststore, SecureRandom random, HostNameResolver nameResolver)SSLSocketFactory(KeyStore truststore)SSLSocketFactory(KeyStore keystore, String keystorePassword)SSLSocketFactory(KeyStore keystore, String keystorePassword, KeyStore truststore)SSLSocketFactory(SSLSocketFactory socketfactory)Constructs an HttpClient SSLSocketFactory backed by the given JSSE SSLSocketFactory. -
Method Summary
Modifier and Type Method Description SocketconnectSocket(Socket sock, String host, int port, InetAddress localAddress, int localPort, HttpParams params)Connects a socket to the given host.SocketcreateSocket()Creates a new, unconnected socket.SocketcreateSocket(Socket socket, String host, int port, boolean autoClose)Returns a socket connected to the given host that is layered over an existing socket.X509HostnameVerifiergetHostnameVerifier()static SSLSocketFactorygetSocketFactory()Gets an singleton instance of the SSLProtocolSocketFactory.booleanisSecure(Socket sock)Checks whether a socket connection is secure.voidsetHostnameVerifier(X509HostnameVerifier hostnameVerifier)
-
Field Details
-
TLS
- See Also:
- Constant Field Values
-
SSL
- See Also:
- Constant Field Values
-
SSLV2
- See Also:
- Constant Field Values
-
ALLOW_ALL_HOSTNAME_VERIFIER
-
BROWSER_COMPATIBLE_HOSTNAME_VERIFIER
-
STRICT_HOSTNAME_VERIFIER
-
-
Constructor Details
-
SSLSocketFactory
public SSLSocketFactory(String algorithm, KeyStore keystore, String keystorePassword, KeyStore truststore, SecureRandom random, HostNameResolver nameResolver) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException -
SSLSocketFactory
public SSLSocketFactory(KeyStore keystore, String keystorePassword, KeyStore truststore) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException -
SSLSocketFactory
public SSLSocketFactory(KeyStore keystore, String keystorePassword) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException -
SSLSocketFactory
public SSLSocketFactory(KeyStore truststore) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException -
SSLSocketFactory
Constructs an HttpClient SSLSocketFactory backed by the given JSSE SSLSocketFactory.
-
-
Method Details
-
getSocketFactory
Gets an singleton instance of the SSLProtocolSocketFactory.- Returns:
- a SSLProtocolSocketFactory
-
createSocket
Description copied from interface:SocketFactoryCreates a new, unconnected socket. The socket should subsequently be passed toconnectSocket.- Specified by:
createSocketin interfaceSocketFactory- Returns:
- a new socket
- Throws:
IOException- if an I/O error occurs while creating the socket
-
connectSocket
public Socket connectSocket(Socket sock, String host, int port, InetAddress localAddress, int localPort, HttpParams params) throws IOExceptionDescription copied from interface:SocketFactoryConnects a socket to the given host.- Specified by:
connectSocketin interfaceSocketFactory- Parameters:
sock- the socket to connect, as obtained fromcreateSocket.nullindicates that a new socket should be created and connected.host- the host to connect toport- the port to connect to on the hostlocalAddress- the local address to bind the socket to, ornullfor anylocalPort- the port on the local machine, 0 or a negative number for anyparams- additionalparametersfor connecting- Returns:
- the connected socket. The returned object may be different
from the
sockargument if this factory supports a layered protocol. - Throws:
IOException- if an I/O error occursUnknownHostException- if the IP address of the target host can not be determinedConnectTimeoutException- if the socket cannot be connected within the time limit defined in theparams
-
isSecure
Checks whether a socket connection is secure. This factory creates TLS/SSL socket connections which, by default, are considered secure.
Derived classes may override this method to perform runtime checks, for example based on the cypher suite.- Specified by:
isSecurein interfaceSocketFactory- Parameters:
sock- the connected socket- Returns:
true- Throws:
IllegalArgumentException- if the argument is invalid
-
createSocket
public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException, UnknownHostExceptionDescription copied from interface:LayeredSocketFactoryReturns a socket connected to the given host that is layered over an existing socket. Used primarily for creating secure sockets through proxies.- Specified by:
createSocketin interfaceLayeredSocketFactory- Parameters:
socket- the existing sockethost- the host name/IPport- the port on the hostautoClose- a flag for closing the underling socket when the created socket is closed- Returns:
- Socket a new socket
- Throws:
IOException- if an I/O error occurs while creating the socketUnknownHostException- if the IP address of the host cannot be determined
-
setHostnameVerifier
-
getHostnameVerifier
-