Package org.conscrypt

Class OpenSSLSocketImpl

java.lang.Object
java.net.Socket
javax.net.ssl.SSLSocket
org.conscrypt.OpenSSLSocketImpl
All Implemented Interfaces:
Closeable, AutoCloseable, NativeCrypto.SSLHandshakeCallbacks
Direct Known Subclasses:
OpenSSLSocketImplWrapper
public class OpenSSLSocketImpl
extends SSLSocket
implements NativeCrypto.SSLHandshakeCallbacks
Implementation of the class OpenSSLSocketImpl based on OpenSSL.

Extensions to SSLSocket include:

  • handshake timeout
  • session tickets
  • Server Name Indication

  • Constructor Details

  • Method Details

    • startHandshake

      public void startHandshake() throws IOException
      Starts a TLS/SSL handshake on this connection using some native methods from the OpenSSL library. It can negotiate new encryption keys, change cipher suites, or initiate a new session. The certificate chain is verified if the correspondent property in java.Security is set. All listeners are notified at the end of the TLS/SSL handshake.
      Specified by:
      startHandshake in class SSLSocket
      Throws:
      IOException - if an error occurs.

    • clientCertificateRequested

      public void clientCertificateRequested​(byte[] keyTypeBytes, byte[][] asn1DerEncodedPrincipals) throws CertificateEncodingException, SSLException
      Description copied from interface: NativeCrypto.SSLHandshakeCallbacks
      Called on an SSL client when the server requests (or requires a certificate). The client can respond by using SSL_use_certificate and SSL_use_PrivateKey to set a certificate if has an appropriate one available, similar to how the server provides its certificate.
      Specified by:
      clientCertificateRequested in interface NativeCrypto.SSLHandshakeCallbacks
      Parameters:
      keyTypeBytes - key types supported by the server, convertible to strings with #keyType
      asn1DerEncodedPrincipals - CAs known to the server
      Throws:
      CertificateEncodingException
      SSLException

    • handshakeCompleted

      public void handshakeCompleted()
      Description copied from interface: NativeCrypto.SSLHandshakeCallbacks
      Called when SSL handshake is completed. Note that this can be after SSL_do_handshake returns when handshake cutthrough is enabled.
      Specified by:
      handshakeCompleted in interface NativeCrypto.SSLHandshakeCallbacks

    • verifyCertificateChain

      public void verifyCertificateChain​(byte[][] bytes, String authMethod) throws CertificateException
      Description copied from interface: NativeCrypto.SSLHandshakeCallbacks
      Verify that we trust the certificate chain is trusted.
      Specified by:
      verifyCertificateChain in interface NativeCrypto.SSLHandshakeCallbacks
      Parameters:
      bytes - A chain of ASN.1 DER encoded certificates
      authMethod - auth algorithm name
      Throws:
      CertificateException - if the certificate is untrusted

    • getInputStream

      public InputStream getInputStream() throws IOException
      Description copied from class: Socket
      Returns an input stream to read data from this socket.
      Overrides:
      getInputStream in class Socket
      Returns:
      the byte-oriented input stream.
      Throws:
      IOException - if an error occurs while creating the input stream or the socket is in an invalid state.

    • getOutputStream

      public OutputStream getOutputStream() throws IOException
      Description copied from class: Socket
      Returns an output stream to write data into this socket.
      Overrides:
      getOutputStream in class Socket
      Returns:
      the byte-oriented output stream.
      Throws:
      IOException - if an error occurs while creating the output stream or the socket is in an invalid state.

    • getSession

      public SSLSession getSession()
      Description copied from class: SSLSocket
      Returns the SSLSession for this connection. If necessary, a handshake will be initiated, in which case this method will block until the handshake has been established. If the handshake fails, an invalid session object will be returned.
      Specified by:
      getSession in class SSLSocket
      Returns:
      the session object.

    • addHandshakeCompletedListener

      public void addHandshakeCompletedListener​(HandshakeCompletedListener listener)
      Description copied from class: SSLSocket
      Registers the specified listener to receive notification on completion of a handshake on this connection.
      Specified by:
      addHandshakeCompletedListener in class SSLSocket
      Parameters:
      listener - the listener to register.

    • removeHandshakeCompletedListener

      public void removeHandshakeCompletedListener​(HandshakeCompletedListener listener)
      Description copied from class: SSLSocket
      Removes the specified handshake completion listener.
      Specified by:
      removeHandshakeCompletedListener in class SSLSocket
      Parameters:
      listener - the listener to remove.

    • getEnableSessionCreation

      public boolean getEnableSessionCreation()
      Description copied from class: SSLSocket
      Returns whether new SSL sessions may be created by this socket or if existing sessions must be reused.
      Specified by:
      getEnableSessionCreation in class SSLSocket
      Returns:
      true if new sessions may be created, otherwise false.

    • setEnableSessionCreation

      public void setEnableSessionCreation​(boolean flag)
      Description copied from class: SSLSocket
      Sets whether new SSL sessions may be created by this socket or if existing sessions must be reused. If flag is false and there are no sessions to resume, handshaking will fail.
      Specified by:
      setEnableSessionCreation in class SSLSocket
      Parameters:
      flag - true if new sessions may be created.

    • getSupportedCipherSuites

      public String[] getSupportedCipherSuites()
      Description copied from class: SSLSocket
      Returns the names of the supported cipher suites.
      Specified by:
      getSupportedCipherSuites in class SSLSocket

    • getEnabledCipherSuites

      public String[] getEnabledCipherSuites()
      Description copied from class: SSLSocket
      Returns the names of the enabled cipher suites.
      Specified by:
      getEnabledCipherSuites in class SSLSocket

    • setEnabledCipherSuites

      public void setEnabledCipherSuites​(String[] suites)
      Description copied from class: SSLSocket
      Sets the names of the cipher suites to be enabled. Only cipher suites returned by SSLSocket.getSupportedCipherSuites() are allowed.
      Specified by:
      setEnabledCipherSuites in class SSLSocket
      Parameters:
      suites - the names of the to be enabled cipher suites.

    • getSupportedProtocols

      public String[] getSupportedProtocols()
      Description copied from class: SSLSocket
      Returns the names of the supported protocols.
      Specified by:
      getSupportedProtocols in class SSLSocket

    • getEnabledProtocols

      public String[] getEnabledProtocols()
      Description copied from class: SSLSocket
      Returns the names of the enabled protocols.
      Specified by:
      getEnabledProtocols in class SSLSocket

    • setEnabledProtocols

      public void setEnabledProtocols​(String[] protocols)
      Description copied from class: SSLSocket
      Sets the names of the protocols to be enabled. Only protocols returned by SSLSocket.getSupportedProtocols() are allowed.
      Specified by:
      setEnabledProtocols in class SSLSocket
      Parameters:
      protocols - the names of the to be enabled protocols.

    • setUseSessionTickets

      public void setUseSessionTickets​(boolean useSessionTickets)
      This method enables session ticket support.
      Parameters:
      useSessionTickets - True to enable session tickets

    • setHostname

      public void setHostname​(String hostname)
      This method enables Server Name Indication
      Parameters:
      hostname - the desired SNI hostname, or null to disable

    • setChannelIdEnabled

      public void setChannelIdEnabled​(boolean enabled)
      Enables/disables TLS Channel ID for this server socket.

      This method needs to be invoked before the handshake starts.

      Throws:
      IllegalStateException - if this is a client socket or if the handshake has already started.

    • getChannelId

      public byte[] getChannelId() throws SSLException
      Gets the TLS Channel ID for this server socket. Channel ID is only available once the handshake completes.
      Returns:
      channel ID or null if not available.
      Throws:
      IllegalStateException - if this is a client socket or if the handshake has not yet completed.
      SSLException - if channel ID is available but could not be obtained.

    • setChannelIdPrivateKey

      public void setChannelIdPrivateKey​(PrivateKey privateKey)
      Sets the PrivateKey to be used for TLS Channel ID by this client socket.

      This method needs to be invoked before the handshake starts.

      Parameters:
      privateKey - private key (enables TLS Channel ID) or null for no key (disables TLS Channel ID). The private key must be an Elliptic Curve (EC) key based on the NIST P-256 curve (aka SECG secp256r1 or ANSI X9.62 prime256v1).
      Throws:
      IllegalStateException - if this is a server socket or if the handshake has already started.

    • getUseClientMode

      public boolean getUseClientMode()
      Description copied from class: SSLSocket
      Returns true if this connection will act in client mode when handshaking.
      Specified by:
      getUseClientMode in class SSLSocket

    • setUseClientMode

      public void setUseClientMode​(boolean mode)
      Description copied from class: SSLSocket
      Sets whether this connection should act in client mode when handshaking.
      Specified by:
      setUseClientMode in class SSLSocket
      Parameters:
      mode - true if this connection should act in client mode, false if not.

    • getWantClientAuth

      public boolean getWantClientAuth()
      Description copied from class: SSLSocket
      Returns true if the server should request client authentication. This does not apply to sockets in client mode.
      Specified by:
      getWantClientAuth in class SSLSocket

    • getNeedClientAuth

      public boolean getNeedClientAuth()
      Description copied from class: SSLSocket
      Returns true if the server socket should require client authentication. This does not apply to sockets in client mode.
      Specified by:
      getNeedClientAuth in class SSLSocket

    • setNeedClientAuth

      public void setNeedClientAuth​(boolean need)
      Description copied from class: SSLSocket
      Sets whether the server should require client authentication. This does not apply to sockets in client mode. Client authentication is one of the following:
      • authentication required
      • authentication requested
      • no authentication needed
      This method overrides the setting of SSLSocket.setWantClientAuth(boolean).
      Specified by:
      setNeedClientAuth in class SSLSocket

    • setWantClientAuth

      public void setWantClientAuth​(boolean want)
      Description copied from class: SSLSocket
      Sets whether the server should request client authentication. Unlike SSLSocket.setNeedClientAuth(boolean) this won't stop the negotiation if the client doesn't authenticate. This does not apply to sockets in client mode.The client authentication is one of:
      • authentication required
      • authentication requested
      • no authentication needed
      This method overrides the setting of SSLSocket.setNeedClientAuth(boolean).
      Specified by:
      setWantClientAuth in class SSLSocket

    • sendUrgentData

      public void sendUrgentData​(int data) throws IOException
      Description copied from class: Socket
      Sends the given single byte data which is represented by the lowest octet of value as "TCP urgent data".
      Overrides:
      sendUrgentData in class Socket
      Parameters:
      data - the byte of urgent data to be sent.
      Throws:
      IOException - if an error occurs while sending urgent data.

    • setOOBInline

      public void setOOBInline​(boolean on) throws SocketException
      Description copied from class: Socket
      Sets this socket's SocketOptions.SO_OOBINLINE option.
      Overrides:
      setOOBInline in class Socket
      Throws:
      SocketException

    • setSoTimeout

      public void setSoTimeout​(int readTimeoutMilliseconds) throws SocketException
      Description copied from class: Socket
      Sets this socket's read timeout in milliseconds. Use 0 for no timeout. To take effect, this option must be set before the blocking method was called.
      Overrides:
      setSoTimeout in class Socket
      Throws:
      SocketException

    • getSoTimeout

      public int getSoTimeout() throws SocketException
      Description copied from class: Socket
      Returns this socket's receive timeout.
      Overrides:
      getSoTimeout in class Socket
      Throws:
      SocketException

    • setSoWriteTimeout

      public void setSoWriteTimeout​(int writeTimeoutMilliseconds) throws SocketException
      Note write timeouts are not part of the javax.net.ssl.SSLSocket API
      Throws:
      SocketException

    • getSoWriteTimeout

      public int getSoWriteTimeout() throws SocketException
      Note write timeouts are not part of the javax.net.ssl.SSLSocket API
      Throws:
      SocketException

    • setHandshakeTimeout

      public void setHandshakeTimeout​(int handshakeTimeoutMilliseconds) throws SocketException
      Set the handshake timeout on this socket. This timeout is specified in milliseconds and will be used only during the handshake process.
      Throws:
      SocketException

    • close

      public void close() throws IOException
      Description copied from class: Socket
      Closes the socket. It is not possible to reconnect or rebind to this socket thereafter which means a new socket instance has to be created.
      Specified by:
      close in interface AutoCloseable
      Specified by:
      close in interface Closeable
      Overrides:
      close in class Socket
      Throws:
      IOException - if an error occurs while closing the socket.

    • finalize

      protected void finalize() throws Throwable
      Description copied from class: Object
      Invoked when the garbage collector has detected that this instance is no longer reachable. The default implementation does nothing, but this method can be overridden to free resources.

      Note that objects that override finalize are significantly more expensive than objects that don't. Finalizers may be run a long time after the object is no longer reachable, depending on memory pressure, so it's a bad idea to rely on them for cleanup. Note also that finalizers are run on a single VM-wide finalizer thread, so doing blocking work in a finalizer is a bad idea. A finalizer is usually only necessary for a class that has a native peer and needs to call a native method to destroy that peer. Even then, it's better to provide an explicit close method (and implement Closeable), and insist that callers manually dispose of instances. This works well for something like files, but less well for something like a BigInteger where typical calling code would have to deal with lots of temporaries. Unfortunately, code that creates lots of temporaries is the worst kind of code from the point of view of the single finalizer thread.

      If you must use finalizers, consider at least providing your own ReferenceQueue and having your own thread process that queue.

      Unlike constructors, finalizers are not automatically chained. You are responsible for calling super.finalize() yourself.

      Uncaught exceptions thrown by finalizers are ignored and do not terminate the finalizer thread. See Effective Java Item 7, "Avoid finalizers" for more.

      Overrides:
      finalize in class Object
      Throws:
      Throwable

    • getFileDescriptor$

      public FileDescriptor getFileDescriptor$()
      Overrides:
      getFileDescriptor$ in class Socket

    • getNpnSelectedProtocol

      public byte[] getNpnSelectedProtocol()
      Returns the protocol agreed upon by client and server, or null if no protocol was agreed upon.

    • getAlpnSelectedProtocol

      public byte[] getAlpnSelectedProtocol()
      Returns the protocol agreed upon by client and server, or null if no protocol was agreed upon.

    • setNpnProtocols

      public void setNpnProtocols​(byte[] npnProtocols)
      Sets the list of protocols this peer is interested in. If null no protocols will be used.
      Parameters:
      npnProtocols - a non-empty array of protocol names. From SSL_select_next_proto, "vector of 8-bit, length prefixed byte strings. The length byte itself is not included in the length. A byte string of length 0 is invalid. No byte string may be truncated.".

    • setAlpnProtocols

      public void setAlpnProtocols​(byte[] alpnProtocols)
      Sets the list of protocols this peer is interested in. If the list is null, no protocols will be used.
      Parameters:
      alpnProtocols - a non-empty array of protocol names. From SSL_select_next_proto, "vector of 8-bit, length prefixed byte strings. The length byte itself is not included in the length. A byte string of length 0 is invalid. No byte string may be truncated.".