SSLServerSocketImpl.java revision 12745:f068a4ffddd2
1/* 2 * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 27package sun.security.ssl; 28 29import java.io.IOException; 30import java.net.InetAddress; 31import java.net.Socket; 32 33import java.security.AlgorithmConstraints; 34 35import java.util.*; 36 37import javax.net.ssl.SSLException; 38import javax.net.ssl.SSLServerSocket; 39import javax.net.ssl.SSLParameters; 40import javax.net.ssl.SNIMatcher; 41 42 43/** 44 * This class provides a simple way for servers to support conventional 45 * use of the Secure Sockets Layer (SSL). Application code uses an 46 * SSLServerSocketImpl exactly like it uses a regular TCP ServerSocket; the 47 * difference is that the connections established are secured using SSL. 48 * 49 * <P> Also, the constructors take an explicit authentication context 50 * parameter, giving flexibility with respect to how the server socket 51 * authenticates itself. That policy flexibility is not exposed through 52 * the standard SSLServerSocketFactory API. 53 * 54 * <P> System security defaults prevent server sockets from accepting 55 * connections if they the authentication context has not been given 56 * a certificate chain and its matching private key. If the clients 57 * of your application support "anonymous" cipher suites, you may be 58 * able to configure a server socket to accept those suites. 59 * 60 * @see SSLSocketImpl 61 * @see SSLServerSocketFactoryImpl 62 * 63 * @author David Brownell 64 */ 65final 66class SSLServerSocketImpl extends SSLServerSocket 67{ 68 private SSLContextImpl sslContext; 69 70 /* Do newly accepted connections require clients to authenticate? */ 71 private ClientAuthType clientAuthType = ClientAuthType.CLIENT_AUTH_NONE; 72 73 /* Do new connections created here use the "server" mode of SSL? */ 74 private boolean useServerMode = true; 75 76 /* Can new connections created establish new sessions? */ 77 private boolean enableSessionCreation = true; 78 79 /* what cipher suites to use by default */ 80 private CipherSuiteList enabledCipherSuites = null; 81 82 /* which protocol to use by default */ 83 private ProtocolList enabledProtocols = null; 84 85 // the endpoint identification protocol to use by default 86 private String identificationProtocol = null; 87 88 // The cryptographic algorithm constraints 89 private AlgorithmConstraints algorithmConstraints = null; 90 91 // The server name indication 92 Collection<SNIMatcher> sniMatchers = 93 Collections.<SNIMatcher>emptyList(); 94 95 /* 96 * Whether local cipher suites preference in server side should be 97 * honored during handshaking? 98 */ 99 private boolean preferLocalCipherSuites = false; 100 101 /** 102 * Create an SSL server socket on a port, using a non-default 103 * authentication context and a specified connection backlog. 104 * 105 * @param port the port on which to listen 106 * @param backlog how many connections may be pending before 107 * the system should start rejecting new requests 108 * @param context authentication context for this server 109 */ 110 SSLServerSocketImpl(int port, int backlog, SSLContextImpl context) 111 throws IOException, SSLException 112 { 113 super(port, backlog); 114 initServer(context); 115 } 116 117 118 /** 119 * Create an SSL server socket on a port, using a specified 120 * authentication context and a specified backlog of connections 121 * as well as a particular specified network interface. This 122 * constructor is used on multihomed hosts, such as those used 123 * for firewalls or as routers, to control through which interface 124 * a network service is provided. 125 * 126 * @param port the port on which to listen 127 * @param backlog how many connections may be pending before 128 * the system should start rejecting new requests 129 * @param address the address of the network interface through 130 * which connections will be accepted 131 * @param context authentication context for this server 132 */ 133 SSLServerSocketImpl( 134 int port, 135 int backlog, 136 InetAddress address, 137 SSLContextImpl context) 138 throws IOException 139 { 140 super(port, backlog, address); 141 initServer(context); 142 } 143 144 145 /** 146 * Creates an unbound server socket. 147 */ 148 SSLServerSocketImpl(SSLContextImpl context) throws IOException { 149 super(); 150 initServer(context); 151 } 152 153 154 /** 155 * Initializes the server socket. 156 */ 157 private void initServer(SSLContextImpl context) throws SSLException { 158 if (context == null) { 159 throw new SSLException("No Authentication context given"); 160 } 161 sslContext = context; 162 enabledCipherSuites = sslContext.getDefaultCipherSuiteList(true); 163 enabledProtocols = sslContext.getDefaultProtocolList(true); 164 } 165 166 /** 167 * Returns the names of the cipher suites which could be enabled for use 168 * on an SSL connection. Normally, only a subset of these will actually 169 * be enabled by default, since this list may include cipher suites which 170 * do not support the mutual authentication of servers and clients, or 171 * which do not protect data confidentiality. Servers may also need 172 * certain kinds of certificates to use certain cipher suites. 173 * 174 * @return an array of cipher suite names 175 */ 176 @Override 177 public String[] getSupportedCipherSuites() { 178 return sslContext.getSupportedCipherSuiteList().toStringArray(); 179 } 180 181 /** 182 * Returns the list of cipher suites which are currently enabled 183 * for use by newly accepted connections. A null return indicates 184 * that the system defaults are in effect. 185 */ 186 @Override 187 public synchronized String[] getEnabledCipherSuites() { 188 return enabledCipherSuites.toStringArray(); 189 } 190 191 /** 192 * Controls which particular SSL cipher suites are enabled for use 193 * by accepted connections. 194 * 195 * @param suites Names of all the cipher suites to enable; null 196 * means to accept system defaults. 197 */ 198 @Override 199 public synchronized void setEnabledCipherSuites(String[] suites) { 200 enabledCipherSuites = new CipherSuiteList(suites); 201 } 202 203 @Override 204 public String[] getSupportedProtocols() { 205 return sslContext.getSuportedProtocolList().toStringArray(); 206 } 207 208 /** 209 * Controls which protocols are enabled for use. 210 * The protocols must have been listed by 211 * getSupportedProtocols() as being supported. 212 * 213 * @param protocols protocols to enable. 214 * @exception IllegalArgumentException when one of the protocols 215 * named by the parameter is not supported. 216 */ 217 @Override 218 public synchronized void setEnabledProtocols(String[] protocols) { 219 enabledProtocols = new ProtocolList(protocols); 220 } 221 222 @Override 223 public synchronized String[] getEnabledProtocols() { 224 return enabledProtocols.toStringArray(); 225 } 226 227 /** 228 * Controls whether the connections which are accepted must include 229 * client authentication. 230 */ 231 @Override 232 public void setNeedClientAuth(boolean flag) { 233 clientAuthType = (flag ? ClientAuthType.CLIENT_AUTH_REQUIRED : 234 ClientAuthType.CLIENT_AUTH_NONE); 235 } 236 237 @Override 238 public boolean getNeedClientAuth() { 239 return (clientAuthType == ClientAuthType.CLIENT_AUTH_REQUIRED); 240 } 241 242 /** 243 * Controls whether the connections which are accepted should request 244 * client authentication. 245 */ 246 @Override 247 public void setWantClientAuth(boolean flag) { 248 clientAuthType = (flag ? ClientAuthType.CLIENT_AUTH_REQUESTED : 249 ClientAuthType.CLIENT_AUTH_NONE); 250 } 251 252 @Override 253 public boolean getWantClientAuth() { 254 return (clientAuthType == ClientAuthType.CLIENT_AUTH_REQUESTED); 255 } 256 257 /** 258 * Makes the returned sockets act in SSL "client" mode, not the usual 259 * server mode. The canonical example of why this is needed is for 260 * FTP clients, which accept connections from servers and should be 261 * rejoining the already-negotiated SSL connection. 262 */ 263 @Override 264 public void setUseClientMode(boolean flag) { 265 /* 266 * If we need to change the socket mode and the enabled 267 * protocols haven't specifically been set by the user, 268 * change them to the corresponding default ones. 269 */ 270 if (useServerMode != (!flag) && 271 sslContext.isDefaultProtocolList(enabledProtocols)) { 272 enabledProtocols = sslContext.getDefaultProtocolList(!flag); 273 } 274 275 useServerMode = !flag; 276 } 277 278 @Override 279 public boolean getUseClientMode() { 280 return !useServerMode; 281 } 282 283 284 /** 285 * Controls whether new connections may cause creation of new SSL 286 * sessions. 287 */ 288 @Override 289 public void setEnableSessionCreation(boolean flag) { 290 enableSessionCreation = flag; 291 } 292 293 /** 294 * Returns true if new connections may cause creation of new SSL 295 * sessions. 296 */ 297 @Override 298 public boolean getEnableSessionCreation() { 299 return enableSessionCreation; 300 } 301 302 /** 303 * Returns the SSLParameters in effect for newly accepted connections. 304 */ 305 @Override 306 public synchronized SSLParameters getSSLParameters() { 307 SSLParameters params = super.getSSLParameters(); 308 309 // the super implementation does not handle the following parameters 310 params.setEndpointIdentificationAlgorithm(identificationProtocol); 311 params.setAlgorithmConstraints(algorithmConstraints); 312 params.setSNIMatchers(sniMatchers); 313 params.setUseCipherSuitesOrder(preferLocalCipherSuites); 314 315 316 return params; 317 } 318 319 /** 320 * Applies SSLParameters to newly accepted connections. 321 */ 322 @Override 323 public synchronized void setSSLParameters(SSLParameters params) { 324 super.setSSLParameters(params); 325 326 // the super implementation does not handle the following parameters 327 identificationProtocol = params.getEndpointIdentificationAlgorithm(); 328 algorithmConstraints = params.getAlgorithmConstraints(); 329 preferLocalCipherSuites = params.getUseCipherSuitesOrder(); 330 Collection<SNIMatcher> matchers = params.getSNIMatchers(); 331 if (matchers != null) { 332 sniMatchers = params.getSNIMatchers(); 333 } 334 } 335 336 /** 337 * Accept a new SSL connection. This server identifies itself with 338 * information provided in the authentication context which was 339 * presented during construction. 340 */ 341 @Override 342 public Socket accept() throws IOException { 343 SSLSocketImpl s = new SSLSocketImpl(sslContext, useServerMode, 344 enabledCipherSuites, clientAuthType, enableSessionCreation, 345 enabledProtocols, identificationProtocol, algorithmConstraints, 346 sniMatchers, preferLocalCipherSuites); 347 348 implAccept(s); 349 s.doneConnect(); 350 return s; 351 } 352 353 /** 354 * Provides a brief description of this SSL socket. 355 */ 356 @Override 357 public String toString() { 358 return "[SSL: "+ super.toString() + "]"; 359 } 360} 361