org.apache.http.conn.ssl
Class SSLConnectionSocketFactory

java.lang.Object
  org.apache.http.conn.ssl.SSLConnectionSocketFactory

All Implemented Interfaces:

ConnectionSocketFactory, LayeredConnectionSocketFactory

@Contract(threading=SAFE)
public class SSLConnectionSocketFactory
extends Object
implements LayeredConnectionSocketFactory

Layered socket factory for TLS/SSL connections.

SSLSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates and to authenticate to the HTTPS server using a private key.

SSLSocketFactory will enable server authentication when supplied with a trust-store file containing one or several trusted certificates. The client secure socket will reject the connection during the SSL session handshake if the target HTTPS server attempts to authenticate itself with a non-trusted certificate.

Use JDK keytool utility to import a trusted certificate and generate a trust-store file:

     keytool -import -alias "my server cert" -file server.crt -keystore my.truststore
    

In special cases the standard trust verification process can be bypassed by using a custom TrustStrategy. This interface is primarily intended for allowing self-signed certificates to be accepted as trusted without having to add them to the trust-store file.

SSLSocketFactory will enable client authentication when supplied with a key-store file containing a private key/public certificate pair. The client secure socket will use the private key to authenticate itself to the target HTTPS server during the SSL session handshake if requested to do so by the server. The target HTTPS server will in its turn verify the certificate presented by the client in order to establish client's authenticity.

Use the following sequence of actions to generate a key-store file

• Use JDK keytool utility to generate a new key

  keytool -genkey -v -alias "my client key" -validity 365 -keystore my.keystore

  For simplicity use the same password for the key as that of the key-store

• Issue a certificate signing request (CSR)

  keytool -certreq -alias "my client key" -file mycertreq.csr -keystore my.keystore

• Send the certificate request to the trusted Certificate Authority for signature. One may choose to act as her own CA and sign the certificate request using a PKI tool, such as OpenSSL.

• Import the trusted CA root certificate

  keytool -import -alias "my trusted ca" -file caroot.crt -keystore my.keystore

• Import the PKCS#7 file containing the complete certificate chain

  keytool -import -alias "my client key" -file mycert.p7 -keystore my.keystore

• Verify the content of the resultant keystore file

  keytool -list -v -keystore my.keystore

Since:

4.3

Field Summary

static X509HostnameVerifier	ALLOW_ALL_HOSTNAME_VERIFIER Deprecated. Use AllowAllHostnameVerifier.INSTANCE.
static X509HostnameVerifier	BROWSER_COMPATIBLE_HOSTNAME_VERIFIER Deprecated. Use BrowserCompatHostnameVerifier.INSTANCE.
static String	SSL
static String	SSLV2
static X509HostnameVerifier	STRICT_HOSTNAME_VERIFIER Deprecated. Use StrictHostnameVerifier.INSTANCE.
static String	TLS

Constructor Summary

SSLConnectionSocketFactory(SSLContext sslContext)

SSLConnectionSocketFactory(SSLContext sslContext, HostnameVerifier hostnameVerifier)

SSLConnectionSocketFactory(SSLContext sslContext, String[] supportedProtocols, String[] supportedCipherSuites, HostnameVerifier hostnameVerifier)

SSLConnectionSocketFactory(SSLContext sslContext, String[] supportedProtocols, String[] supportedCipherSuites, X509HostnameVerifier hostnameVerifier)
Deprecated. (4.4) Use SSLConnectionSocketFactory(javax.net.ssl.SSLContext, String[], String[], javax.net.ssl.HostnameVerifier)

SSLConnectionSocketFactory(SSLContext sslContext, X509HostnameVerifier hostnameVerifier)
Deprecated. (4.4) Use SSLConnectionSocketFactory(javax.net.ssl.SSLContext, javax.net.ssl.HostnameVerifier)

SSLConnectionSocketFactory(SSLSocketFactory socketfactory, HostnameVerifier hostnameVerifier)

SSLConnectionSocketFactory(SSLSocketFactory socketfactory, String[] supportedProtocols, String[] supportedCipherSuites, HostnameVerifier hostnameVerifier)

SSLConnectionSocketFactory(SSLSocketFactory socketfactory, String[] supportedProtocols, String[] supportedCipherSuites, X509HostnameVerifier hostnameVerifier)
Deprecated. (4.4) Use SSLConnectionSocketFactory(javax.net.ssl.SSLSocketFactory, String[], String[], javax.net.ssl.HostnameVerifier)

SSLConnectionSocketFactory(SSLSocketFactory socketfactory, X509HostnameVerifier hostnameVerifier)
Deprecated. (4.4) Use SSLConnectionSocketFactory(javax.net.ssl.SSLSocketFactory, javax.net.ssl.HostnameVerifier)

Method Summary

Socket	connectSocket(int connectTimeout, Socket socket, org.apache.http.HttpHost host, InetSocketAddress remoteAddress, InetSocketAddress localAddress, org.apache.http.protocol.HttpContext context) Connects the socket to the target host with the given resolved remote address.
Socket	createLayeredSocket(Socket socket, String target, int port, org.apache.http.protocol.HttpContext context) Returns a socket connected to the given host that is layered over an existing socket.
Socket	createSocket(org.apache.http.protocol.HttpContext context) Creates new, unconnected socket.
static HostnameVerifier	getDefaultHostnameVerifier()
static SSLConnectionSocketFactory	getSocketFactory() Obtains default SSL socket factory with an SSL context based on the standard JSSE trust material (cacerts file in the security properties directory).
static SSLConnectionSocketFactory	getSystemSocketFactory() Obtains default SSL socket factory with an SSL context based on system properties as described in Java™ Secure Socket Extension (JSSE) Reference Guide.
protected void	prepareSocket(SSLSocket socket) Performs any custom initialization for a newly created SSLSocket (before the SSL handshake happens).

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

TLS

public static final String TLS

See Also:

Constant Field Values

SSL

public static final String SSL

See Also:

Constant Field Values

SSLV2

public static final String SSLV2

See Also:

Constant Field Values

ALLOW_ALL_HOSTNAME_VERIFIER

@Deprecated
public static final X509HostnameVerifier ALLOW_ALL_HOSTNAME_VERIFIER

Deprecated. Use AllowAllHostnameVerifier.INSTANCE.

BROWSER_COMPATIBLE_HOSTNAME_VERIFIER

@Deprecated
public static final X509HostnameVerifier BROWSER_COMPATIBLE_HOSTNAME_VERIFIER

Deprecated. Use BrowserCompatHostnameVerifier.INSTANCE.

STRICT_HOSTNAME_VERIFIER

@Deprecated
public static final X509HostnameVerifier STRICT_HOSTNAME_VERIFIER

Deprecated. Use StrictHostnameVerifier.INSTANCE.

Constructor Detail

SSLConnectionSocketFactory

public SSLConnectionSocketFactory(SSLContext sslContext)

SSLConnectionSocketFactory

@Deprecated
public SSLConnectionSocketFactory(SSLContext sslContext,
                                             X509HostnameVerifier hostnameVerifier)

Deprecated. (4.4) Use SSLConnectionSocketFactory(javax.net.ssl.SSLContext, javax.net.ssl.HostnameVerifier)

SSLConnectionSocketFactory

@Deprecated
public SSLConnectionSocketFactory(SSLContext sslContext,
                                             String[] supportedProtocols,
                                             String[] supportedCipherSuites,
                                             X509HostnameVerifier hostnameVerifier)

Deprecated. (4.4) Use SSLConnectionSocketFactory(javax.net.ssl.SSLContext, String[], String[], javax.net.ssl.HostnameVerifier)

SSLConnectionSocketFactory

@Deprecated
public SSLConnectionSocketFactory(SSLSocketFactory socketfactory,
                                             X509HostnameVerifier hostnameVerifier)

Deprecated. (4.4) Use SSLConnectionSocketFactory(javax.net.ssl.SSLSocketFactory, javax.net.ssl.HostnameVerifier)

SSLConnectionSocketFactory

@Deprecated
public SSLConnectionSocketFactory(SSLSocketFactory socketfactory,
                                             String[] supportedProtocols,
                                             String[] supportedCipherSuites,
                                             X509HostnameVerifier hostnameVerifier)

Deprecated. (4.4) Use SSLConnectionSocketFactory(javax.net.ssl.SSLSocketFactory, String[], String[], javax.net.ssl.HostnameVerifier)

SSLConnectionSocketFactory

public SSLConnectionSocketFactory(SSLContext sslContext,
                                  HostnameVerifier hostnameVerifier)

Since:

4.4

SSLConnectionSocketFactory

public SSLConnectionSocketFactory(SSLContext sslContext,
                                  String[] supportedProtocols,
                                  String[] supportedCipherSuites,
                                  HostnameVerifier hostnameVerifier)

Since:

4.4

SSLConnectionSocketFactory

public SSLConnectionSocketFactory(SSLSocketFactory socketfactory,
                                  HostnameVerifier hostnameVerifier)

Since:

4.4

SSLConnectionSocketFactory

public SSLConnectionSocketFactory(SSLSocketFactory socketfactory,
                                  String[] supportedProtocols,
                                  String[] supportedCipherSuites,
                                  HostnameVerifier hostnameVerifier)

Since:

4.4

Method Detail

getDefaultHostnameVerifier

public static HostnameVerifier getDefaultHostnameVerifier()

Since:

4.4

getSocketFactory

public static SSLConnectionSocketFactory getSocketFactory()
                                                   throws SSLInitializationException

Obtains default SSL socket factory with an SSL context based on the standard JSSE trust material (cacerts file in the security properties directory). System properties are not taken into consideration.

Returns:

default SSL socket factory

Throws:

SSLInitializationException

getSystemSocketFactory

public static SSLConnectionSocketFactory getSystemSocketFactory()
                                                         throws SSLInitializationException

Obtains default SSL socket factory with an SSL context based on system properties as described in Java™ Secure Socket Extension (JSSE) Reference Guide.

Returns:

default system SSL socket factory

Throws:

SSLInitializationException

prepareSocket

protected void prepareSocket(SSLSocket socket)
                      throws IOException

Performs any custom initialization for a newly created SSLSocket (before the SSL handshake happens). The default implementation is a no-op, but could be overridden to, e.g., call SSLSocket.setEnabledCipherSuites(String[]).

Throws:

IOException - may be thrown if overridden

createSocket

public Socket createSocket(org.apache.http.protocol.HttpContext context)
                    throws IOException

Description copied from interface: ConnectionSocketFactory

Creates new, unconnected socket. The socket should subsequently be passed to connectSocket method.

Specified by:

createSocket in interface ConnectionSocketFactory

Returns:

a new socket

Throws:

IOException - if an I/O error occurs while creating the socket

connectSocket

public Socket connectSocket(int connectTimeout,
                            Socket socket,
                            org.apache.http.HttpHost host,
                            InetSocketAddress remoteAddress,
                            InetSocketAddress localAddress,
                            org.apache.http.protocol.HttpContext context)
                     throws IOException

Description copied from interface: ConnectionSocketFactory

Connects the socket to the target host with the given resolved remote address.

Specified by:

connectSocket in interface ConnectionSocketFactory

Parameters:

connectTimeout - connect timeout.

socket - the socket to connect, as obtained from ConnectionSocketFactory.createSocket(HttpContext). null indicates that a new socket should be created and connected.

host - target host as specified by the caller (end user).

remoteAddress - the resolved remote address to connect to.

localAddress - the local address to bind the socket to, or null for any.

context - the actual HTTP context.

Returns:

the connected socket. The returned object may be different from the sock argument if this factory supports a layered protocol.

Throws:

IOException - if an I/O error occurs

createLayeredSocket

public Socket createLayeredSocket(Socket socket,
                                  String target,
                                  int port,
                                  org.apache.http.protocol.HttpContext context)
                           throws IOException

Description copied from interface: LayeredConnectionSocketFactory

Returns a socket connected to the given host that is layered over an existing socket. Used primarily for creating secure sockets through proxies.

Specified by:

createLayeredSocket in interface LayeredConnectionSocketFactory

Parameters:

socket - the existing socket

target - the name of the target host.

port - the port to connect to on the target host.

context - the actual HTTP context.

Returns:

Socket a new socket

Throws:

IOException - if an I/O error occurs while creating the socket