SSLServerSocketImpl.java revision 12745:f068a4ffddd2 
1/*
2 * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.  Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26
27package sun.security.ssl;
28
29import java.io.IOException;
30import java.net.InetAddress;
31import java.net.Socket;
32
33import java.security.AlgorithmConstraints;
34
35import java.util.*;
36
37import javax.net.ssl.SSLException;
38import javax.net.ssl.SSLServerSocket;
39import javax.net.ssl.SSLParameters;
40import javax.net.ssl.SNIMatcher;
41
42
43/**
44 * This class provides a simple way for servers to support conventional
45 * use of the Secure Sockets Layer (SSL).  Application code uses an
46 * SSLServerSocketImpl exactly like it uses a regular TCP ServerSocket; the
47 * difference is that the connections established are secured using SSL.
48 *
49 * <P> Also, the constructors take an explicit authentication context
50 * parameter, giving flexibility with respect to how the server socket
51 * authenticates itself.  That policy flexibility is not exposed through
52 * the standard SSLServerSocketFactory API.
53 *
54 * <P> System security defaults prevent server sockets from accepting
55 * connections if they the authentication context has not been given
56 * a certificate chain and its matching private key.  If the clients
57 * of your application support "anonymous" cipher suites, you may be
58 * able to configure a server socket to accept those suites.
59 *
60 * @see SSLSocketImpl
61 * @see SSLServerSocketFactoryImpl
62 *
63 * @author David Brownell
64 */
65final
66class SSLServerSocketImpl extends SSLServerSocket
67{
68    private SSLContextImpl      sslContext;
69
70    /* Do newly accepted connections require clients to authenticate? */
71    private ClientAuthType    clientAuthType = ClientAuthType.CLIENT_AUTH_NONE;
72
73    /* Do new connections created here use the "server" mode of SSL? */
74    private boolean             useServerMode = true;
75
76    /* Can new connections created establish new sessions? */
77    private boolean             enableSessionCreation = true;
78
79    /* what cipher suites to use by default */
80    private CipherSuiteList     enabledCipherSuites = null;
81
82    /* which protocol to use by default */
83    private ProtocolList        enabledProtocols = null;
84
85    // the endpoint identification protocol to use by default
86    private String              identificationProtocol = null;
87
88    // The cryptographic algorithm constraints
89    private AlgorithmConstraints    algorithmConstraints = null;
90
91    // The server name indication
92    Collection<SNIMatcher>      sniMatchers =
93                                    Collections.<SNIMatcher>emptyList();
94
95    /*
96     * Whether local cipher suites preference in server side should be
97     * honored during handshaking?
98     */
99    private boolean             preferLocalCipherSuites = false;
100
101    /**
102     * Create an SSL server socket on a port, using a non-default
103     * authentication context and a specified connection backlog.
104     *
105     * @param port the port on which to listen
106     * @param backlog how many connections may be pending before
107     *          the system should start rejecting new requests
108     * @param context authentication context for this server
109     */
110    SSLServerSocketImpl(int port, int backlog, SSLContextImpl context)
111    throws IOException, SSLException
112    {
113        super(port, backlog);
114        initServer(context);
115    }
116
117
118    /**
119     * Create an SSL server socket on a port, using a specified
120     * authentication context and a specified backlog of connections
121     * as well as a particular specified network interface.  This
122     * constructor is used on multihomed hosts, such as those used
123     * for firewalls or as routers, to control through which interface
124     * a network service is provided.
125     *
126     * @param port the port on which to listen
127     * @param backlog how many connections may be pending before
128     *          the system should start rejecting new requests
129     * @param address the address of the network interface through
130     *          which connections will be accepted
131     * @param context authentication context for this server
132     */
133    SSLServerSocketImpl(
134        int             port,
135        int             backlog,
136        InetAddress     address,
137        SSLContextImpl  context)
138        throws IOException
139    {
140        super(port, backlog, address);
141        initServer(context);
142    }
143
144
145    /**
146     * Creates an unbound server socket.
147     */
148    SSLServerSocketImpl(SSLContextImpl context) throws IOException {
149        super();
150        initServer(context);
151    }
152
153
154    /**
155     * Initializes the server socket.
156     */
157    private void initServer(SSLContextImpl context) throws SSLException {
158        if (context == null) {
159            throw new SSLException("No Authentication context given");
160        }
161        sslContext = context;
162        enabledCipherSuites = sslContext.getDefaultCipherSuiteList(true);
163        enabledProtocols = sslContext.getDefaultProtocolList(true);
164    }
165
166    /**
167     * Returns the names of the cipher suites which could be enabled for use
168     * on an SSL connection.  Normally, only a subset of these will actually
169     * be enabled by default, since this list may include cipher suites which
170     * do not support the mutual authentication of servers and clients, or
171     * which do not protect data confidentiality.  Servers may also need
172     * certain kinds of certificates to use certain cipher suites.
173     *
174     * @return an array of cipher suite names
175     */
176    @Override
177    public String[] getSupportedCipherSuites() {
178        return sslContext.getSupportedCipherSuiteList().toStringArray();
179    }
180
181    /**
182     * Returns the list of cipher suites which are currently enabled
183     * for use by newly accepted connections.  A null return indicates
184     * that the system defaults are in effect.
185     */
186    @Override
187    public synchronized String[] getEnabledCipherSuites() {
188        return enabledCipherSuites.toStringArray();
189    }
190
191    /**
192     * Controls which particular SSL cipher suites are enabled for use
193     * by accepted connections.
194     *
195     * @param suites Names of all the cipher suites to enable; null
196     *  means to accept system defaults.
197     */
198    @Override
199    public synchronized void setEnabledCipherSuites(String[] suites) {
200        enabledCipherSuites = new CipherSuiteList(suites);
201    }
202
203    @Override
204    public String[] getSupportedProtocols() {
205        return sslContext.getSuportedProtocolList().toStringArray();
206    }
207
208    /**
209     * Controls which protocols are enabled for use.
210     * The protocols must have been listed by
211     * getSupportedProtocols() as being supported.
212     *
213     * @param protocols protocols to enable.
214     * @exception IllegalArgumentException when one of the protocols
215     *  named by the parameter is not supported.
216     */
217    @Override
218    public synchronized void setEnabledProtocols(String[] protocols) {
219        enabledProtocols = new ProtocolList(protocols);
220    }
221
222    @Override
223    public synchronized String[] getEnabledProtocols() {
224        return enabledProtocols.toStringArray();
225    }
226
227    /**
228     * Controls whether the connections which are accepted must include
229     * client authentication.
230     */
231    @Override
232    public void setNeedClientAuth(boolean flag) {
233        clientAuthType = (flag ? ClientAuthType.CLIENT_AUTH_REQUIRED :
234                ClientAuthType.CLIENT_AUTH_NONE);
235    }
236
237    @Override
238    public boolean getNeedClientAuth() {
239        return (clientAuthType == ClientAuthType.CLIENT_AUTH_REQUIRED);
240    }
241
242    /**
243     * Controls whether the connections which are accepted should request
244     * client authentication.
245     */
246    @Override
247    public void setWantClientAuth(boolean flag) {
248        clientAuthType = (flag ? ClientAuthType.CLIENT_AUTH_REQUESTED :
249                ClientAuthType.CLIENT_AUTH_NONE);
250    }
251
252    @Override
253    public boolean getWantClientAuth() {
254        return (clientAuthType == ClientAuthType.CLIENT_AUTH_REQUESTED);
255    }
256
257    /**
258     * Makes the returned sockets act in SSL "client" mode, not the usual
259     * server mode.  The canonical example of why this is needed is for
260     * FTP clients, which accept connections from servers and should be
261     * rejoining the already-negotiated SSL connection.
262     */
263    @Override
264    public void setUseClientMode(boolean flag) {
265        /*
266         * If we need to change the socket mode and the enabled
267         * protocols haven't specifically been set by the user,
268         * change them to the corresponding default ones.
269         */
270        if (useServerMode != (!flag) &&
271                sslContext.isDefaultProtocolList(enabledProtocols)) {
272            enabledProtocols = sslContext.getDefaultProtocolList(!flag);
273        }
274
275        useServerMode = !flag;
276    }
277
278    @Override
279    public boolean getUseClientMode() {
280        return !useServerMode;
281    }
282
283
284    /**
285     * Controls whether new connections may cause creation of new SSL
286     * sessions.
287     */
288    @Override
289    public void setEnableSessionCreation(boolean flag) {
290        enableSessionCreation = flag;
291    }
292
293    /**
294     * Returns true if new connections may cause creation of new SSL
295     * sessions.
296     */
297    @Override
298    public boolean getEnableSessionCreation() {
299        return enableSessionCreation;
300    }
301
302    /**
303     * Returns the SSLParameters in effect for newly accepted connections.
304     */
305    @Override
306    public synchronized SSLParameters getSSLParameters() {
307        SSLParameters params = super.getSSLParameters();
308
309        // the super implementation does not handle the following parameters
310        params.setEndpointIdentificationAlgorithm(identificationProtocol);
311        params.setAlgorithmConstraints(algorithmConstraints);
312        params.setSNIMatchers(sniMatchers);
313        params.setUseCipherSuitesOrder(preferLocalCipherSuites);
314
315
316        return params;
317    }
318
319    /**
320     * Applies SSLParameters to newly accepted connections.
321     */
322    @Override
323    public synchronized void setSSLParameters(SSLParameters params) {
324        super.setSSLParameters(params);
325
326        // the super implementation does not handle the following parameters
327        identificationProtocol = params.getEndpointIdentificationAlgorithm();
328        algorithmConstraints = params.getAlgorithmConstraints();
329        preferLocalCipherSuites = params.getUseCipherSuitesOrder();
330        Collection<SNIMatcher> matchers = params.getSNIMatchers();
331        if (matchers != null) {
332            sniMatchers = params.getSNIMatchers();
333        }
334    }
335
336    /**
337     * Accept a new SSL connection.  This server identifies itself with
338     * information provided in the authentication context which was
339     * presented during construction.
340     */
341    @Override
342    public Socket accept() throws IOException {
343        SSLSocketImpl s = new SSLSocketImpl(sslContext, useServerMode,
344            enabledCipherSuites, clientAuthType, enableSessionCreation,
345            enabledProtocols, identificationProtocol, algorithmConstraints,
346            sniMatchers, preferLocalCipherSuites);
347
348        implAccept(s);
349        s.doneConnect();
350        return s;
351    }
352
353    /**
354     * Provides a brief description of this SSL socket.
355     */
356    @Override
357    public String toString() {
358        return "[SSL: "+ super.toString() + "]";
359    }
360}
361