SSLConnectionSocketFactory
.@Contract(threading=SAFE_CONDITIONAL) @Deprecated public class SSLSocketFactory extends Object implements LayeredConnectionSocketFactory, SchemeLayeredSocketFactory, LayeredSchemeSocketFactory, LayeredSocketFactory
SSLSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates and to authenticate to the HTTPS server using a private key.
SSLSocketFactory will enable server authentication when supplied with
a trust-store
file containing one or several trusted certificates. The client
secure socket will reject the connection during the SSL session handshake if the target HTTPS
server attempts to authenticate itself with a non-trusted certificate.
Use JDK keytool utility to import a trusted certificate and generate a trust-store file:
keytool -import -alias "my server cert" -file server.crt -keystore my.truststore
In special cases the standard trust verification process can be bypassed by using a custom
TrustStrategy
. This interface is primarily intended for allowing self-signed
certificates to be accepted as trusted without having to add them to the trust-store file.
SSLSocketFactory will enable client authentication when supplied with
a key-store
file containing a private key/public certificate
pair. The client secure socket will use the private key to authenticate
itself to the target HTTPS server during the SSL session handshake if
requested to do so by the server.
The target HTTPS server will in its turn verify the certificate presented
by the client in order to establish client's authenticity.
Use the following sequence of actions to generate a key-store file
Use JDK keytool utility to generate a new key
keytool -genkey -v -alias "my client key" -validity 365 -keystore my.keystore
For simplicity use the same password for the key as that of the key-store
Issue a certificate signing request (CSR)
keytool -certreq -alias "my client key" -file mycertreq.csr -keystore my.keystore
Send the certificate request to the trusted Certificate Authority for signature. One may choose to act as her own CA and sign the certificate request using a PKI tool, such as OpenSSL.
Import the trusted CA root certificate
keytool -import -alias "my trusted ca" -file caroot.crt -keystore my.keystore
Import the PKCS#7 file containg the complete certificate chain
keytool -import -alias "my client key" -file mycert.p7 -keystore my.keystore
Verify the content the resultant keystore file
keytool -list -v -keystore my.keystore
Modifier and Type | Field and Description |
---|---|
static X509HostnameVerifier |
ALLOW_ALL_HOSTNAME_VERIFIER
Deprecated.
|
static X509HostnameVerifier |
BROWSER_COMPATIBLE_HOSTNAME_VERIFIER
Deprecated.
|
static String |
SSL
Deprecated.
|
static String |
SSLV2
Deprecated.
|
static X509HostnameVerifier |
STRICT_HOSTNAME_VERIFIER
Deprecated.
|
static String |
TLS
Deprecated.
|
Constructor and Description |
---|
SSLSocketFactory(KeyStore truststore)
Deprecated.
|
SSLSocketFactory(KeyStore keystore,
String keystorePassword)
Deprecated.
|
SSLSocketFactory(KeyStore keystore,
String keystorePassword,
KeyStore truststore)
Deprecated.
|
SSLSocketFactory(SSLContext sslContext)
Deprecated.
|
SSLSocketFactory(SSLContext sslContext,
HostNameResolver nameResolver)
Deprecated.
|
SSLSocketFactory(SSLContext sslContext,
String[] supportedProtocols,
String[] supportedCipherSuites,
X509HostnameVerifier hostnameVerifier)
Deprecated.
|
SSLSocketFactory(SSLContext sslContext,
X509HostnameVerifier hostnameVerifier)
Deprecated.
|
SSLSocketFactory(SSLSocketFactory socketfactory,
String[] supportedProtocols,
String[] supportedCipherSuites,
X509HostnameVerifier hostnameVerifier)
Deprecated.
|
SSLSocketFactory(SSLSocketFactory socketfactory,
X509HostnameVerifier hostnameVerifier)
Deprecated.
|
SSLSocketFactory(String algorithm,
KeyStore keystore,
String keyPassword,
KeyStore truststore,
SecureRandom random,
HostNameResolver nameResolver)
Deprecated.
|
SSLSocketFactory(String algorithm,
KeyStore keystore,
String keyPassword,
KeyStore truststore,
SecureRandom random,
TrustStrategy trustStrategy,
X509HostnameVerifier hostnameVerifier)
Deprecated.
|
SSLSocketFactory(String algorithm,
KeyStore keystore,
String keyPassword,
KeyStore truststore,
SecureRandom random,
X509HostnameVerifier hostnameVerifier)
Deprecated.
|
SSLSocketFactory(TrustStrategy trustStrategy)
Deprecated.
|
SSLSocketFactory(TrustStrategy trustStrategy,
X509HostnameVerifier hostnameVerifier)
Deprecated.
|
Modifier and Type | Method and Description |
---|---|
Socket |
connectSocket(int connectTimeout,
Socket socket,
org.apache.http.HttpHost host,
InetSocketAddress remoteAddress,
InetSocketAddress localAddress,
org.apache.http.protocol.HttpContext context)
Deprecated.
Connects the socket to the target host with the given resolved remote address.
|
Socket |
connectSocket(Socket socket,
InetSocketAddress remoteAddress,
InetSocketAddress localAddress,
org.apache.http.params.HttpParams params)
Deprecated.
Connects a socket to the target host with the given remote address.
|
Socket |
connectSocket(Socket socket,
String host,
int port,
InetAddress local,
int localPort,
org.apache.http.params.HttpParams params)
Deprecated.
Connects a socket to the given host.
|
Socket |
createLayeredSocket(Socket socket,
String host,
int port,
boolean autoClose)
Deprecated.
Returns a socket connected to the given host that is layered over an
existing socket.
|
Socket |
createLayeredSocket(Socket socket,
String target,
int port,
org.apache.http.protocol.HttpContext context)
Deprecated.
Returns a socket connected to the given host that is layered over an
existing socket.
|
Socket |
createLayeredSocket(Socket socket,
String host,
int port,
org.apache.http.params.HttpParams params)
Deprecated.
Returns a socket connected to the given host that is layered over an
existing socket.
|
Socket |
createSocket()
Deprecated.
Creates a new, unconnected socket.
|
Socket |
createSocket(org.apache.http.protocol.HttpContext context)
Deprecated.
Creates new, unconnected socket.
|
Socket |
createSocket(org.apache.http.params.HttpParams params)
Deprecated.
Creates a new, unconnected socket.
|
Socket |
createSocket(Socket socket,
String host,
int port,
boolean autoClose)
Deprecated.
Returns a socket connected to the given host that is layered over an
existing socket.
|
X509HostnameVerifier |
getHostnameVerifier()
Deprecated.
|
static SSLSocketFactory |
getSocketFactory()
Deprecated.
Obtains default SSL socket factory with an SSL context based on the standard JSSE
trust material (
cacerts file in the security properties directory). |
static SSLSocketFactory |
getSystemSocketFactory()
Deprecated.
Obtains default SSL socket factory with an SSL context based on system properties
as described in
"JavaTM Secure Socket Extension (JSSE) Reference Guide for the JavaTM 2 Platform
Standard Edition 5
|
boolean |
isSecure(Socket sock)
Deprecated.
Checks whether a socket connection is secure.
|
protected void |
prepareSocket(SSLSocket socket)
Deprecated.
Performs any custom initialization for a newly created SSLSocket
(before the SSL handshake happens).
|
void |
setHostnameVerifier(X509HostnameVerifier hostnameVerifier)
Deprecated.
|
public static final String TLS
public static final String SSL
public static final String SSLV2
public static final X509HostnameVerifier ALLOW_ALL_HOSTNAME_VERIFIER
public static final X509HostnameVerifier BROWSER_COMPATIBLE_HOSTNAME_VERIFIER
public static final X509HostnameVerifier STRICT_HOSTNAME_VERIFIER
public SSLSocketFactory(String algorithm, KeyStore keystore, String keyPassword, KeyStore truststore, SecureRandom random, HostNameResolver nameResolver) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException
public SSLSocketFactory(String algorithm, KeyStore keystore, String keyPassword, KeyStore truststore, SecureRandom random, TrustStrategy trustStrategy, X509HostnameVerifier hostnameVerifier) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException
public SSLSocketFactory(String algorithm, KeyStore keystore, String keyPassword, KeyStore truststore, SecureRandom random, X509HostnameVerifier hostnameVerifier) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException
public SSLSocketFactory(KeyStore keystore, String keystorePassword, KeyStore truststore) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException
public SSLSocketFactory(KeyStore keystore, String keystorePassword) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException
public SSLSocketFactory(KeyStore truststore) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException
public SSLSocketFactory(TrustStrategy trustStrategy, X509HostnameVerifier hostnameVerifier) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException
public SSLSocketFactory(TrustStrategy trustStrategy) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException
public SSLSocketFactory(SSLContext sslContext)
public SSLSocketFactory(SSLContext sslContext, HostNameResolver nameResolver)
public SSLSocketFactory(SSLContext sslContext, X509HostnameVerifier hostnameVerifier)
public SSLSocketFactory(SSLContext sslContext, String[] supportedProtocols, String[] supportedCipherSuites, X509HostnameVerifier hostnameVerifier)
public SSLSocketFactory(SSLSocketFactory socketfactory, X509HostnameVerifier hostnameVerifier)
public SSLSocketFactory(SSLSocketFactory socketfactory, String[] supportedProtocols, String[] supportedCipherSuites, X509HostnameVerifier hostnameVerifier)
public static SSLSocketFactory getSocketFactory() throws SSLInitializationException
cacerts
file in the security properties directory).
System properties are not taken into consideration.SSLInitializationException
public static SSLSocketFactory getSystemSocketFactory() throws SSLInitializationException
SSLInitializationException
public Socket createSocket(org.apache.http.params.HttpParams params) throws IOException
SchemeSocketFactory
SchemeSocketFactory.connectSocket(Socket, InetSocketAddress, InetSocketAddress, HttpParams)
.createSocket
in interface SchemeSocketFactory
params
- Optional parameters. Parameters passed to this method will have no effect.
This method will create a unconnected instance of Socket
class.IOException
- if an I/O error occurs while creating the socketpublic Socket createSocket() throws IOException
SocketFactory
connectSocket
.createSocket
in interface SocketFactory
IOException
- if an I/O error occurs while creating the socketpublic Socket connectSocket(Socket socket, InetSocketAddress remoteAddress, InetSocketAddress localAddress, org.apache.http.params.HttpParams params) throws IOException, UnknownHostException, ConnectTimeoutException
SchemeSocketFactory
Please note that HttpInetSocketAddress
class should
be used in order to pass the target remote address along with the original
HttpHost
value used to resolve the address. The use of
HttpInetSocketAddress
can also ensure that no reverse
DNS lookup will be performed if the target remote address was specified
as an IP address.
connectSocket
in interface SchemeSocketFactory
socket
- the socket to connect, as obtained from
createSocket
.
null
indicates that a new socket
should be created and connected.remoteAddress
- the remote address to connect to.localAddress
- the local address to bind the socket to, or
null
for anyparams
- additional parameters
for connectingsock
argument if this factory supports
a layered protocol.IOException
- if an I/O error occursUnknownHostException
- if the IP address of the target host
can not be determinedConnectTimeoutException
- if the socket cannot be connected
within the time limit defined in the params
HttpInetSocketAddress
public boolean isSecure(Socket sock) throws IllegalArgumentException
Derived classes may override this method to perform runtime checks, for example based on the cypher suite.
isSecure
in interface SchemeSocketFactory
isSecure
in interface SocketFactory
sock
- the connected sockettrue
IllegalArgumentException
- if the argument is invalidpublic Socket createLayeredSocket(Socket socket, String host, int port, org.apache.http.params.HttpParams params) throws IOException, UnknownHostException
SchemeLayeredSocketFactory
createLayeredSocket
in interface SchemeLayeredSocketFactory
socket
- the existing sockethost
- the name of the target host.port
- the port to connect to on the target hostparams
- HTTP parametersIOException
- if an I/O error occurs while creating the socketUnknownHostException
- if the IP address of the host cannot be
determinedpublic Socket createLayeredSocket(Socket socket, String host, int port, boolean autoClose) throws IOException, UnknownHostException
LayeredSchemeSocketFactory
createLayeredSocket
in interface LayeredSchemeSocketFactory
socket
- the existing sockethost
- the name of the target host.port
- the port to connect to on the target hostautoClose
- a flag for closing the underling socket when the created
socket is closedIOException
- if an I/O error occurs while creating the socketUnknownHostException
- if the IP address of the host cannot be
determinedpublic void setHostnameVerifier(X509HostnameVerifier hostnameVerifier)
public X509HostnameVerifier getHostnameVerifier()
public Socket connectSocket(Socket socket, String host, int port, InetAddress local, int localPort, org.apache.http.params.HttpParams params) throws IOException, UnknownHostException, ConnectTimeoutException
SocketFactory
connectSocket
in interface SocketFactory
socket
- the socket to connect, as obtained from
createSocket
.
null
indicates that a new socket
should be created and connected.host
- the host to connect toport
- the port to connect to on the hostlocal
- the local address to bind the socket to, or
null
for anylocalPort
- the port on the local machine,
0 or a negative number for anyparams
- additional parameters
for connectingsock
argument if this factory supports
a layered protocol.IOException
- if an I/O error occursUnknownHostException
- if the IP address of the target host
can not be determinedConnectTimeoutException
- if the socket cannot be connected
within the time limit defined in the params
public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException, UnknownHostException
LayeredSocketFactory
createSocket
in interface LayeredSocketFactory
socket
- the existing sockethost
- the host name/IPport
- the port on the hostautoClose
- a flag for closing the underling socket when the created
socket is closedIOException
- if an I/O error occurs while creating the socketUnknownHostException
- if the IP address of the host cannot be
determinedprotected void prepareSocket(SSLSocket socket) throws IOException
SSLSocket.setEnabledCipherSuites(java.lang.String[])
.IOException
- (only if overridden)public Socket createSocket(org.apache.http.protocol.HttpContext context) throws IOException
ConnectionSocketFactory
connectSocket
method.createSocket
in interface ConnectionSocketFactory
IOException
- if an I/O error occurs while creating the socketpublic Socket connectSocket(int connectTimeout, Socket socket, org.apache.http.HttpHost host, InetSocketAddress remoteAddress, InetSocketAddress localAddress, org.apache.http.protocol.HttpContext context) throws IOException
ConnectionSocketFactory
connectSocket
in interface ConnectionSocketFactory
connectTimeout
- connect timeout.socket
- the socket to connect, as obtained from ConnectionSocketFactory.createSocket(HttpContext)
.
null
indicates that a new socket should be created and connected.host
- target host as specified by the caller (end user).remoteAddress
- the resolved remote address to connect to.localAddress
- the local address to bind the socket to, or null
for any.context
- the actual HTTP context.sock
argument if this factory supports
a layered protocol.IOException
- if an I/O error occurspublic Socket createLayeredSocket(Socket socket, String target, int port, org.apache.http.protocol.HttpContext context) throws IOException
LayeredConnectionSocketFactory
createLayeredSocket
in interface LayeredConnectionSocketFactory
socket
- the existing sockettarget
- the name of the target host.port
- the port to connect to on the target host.context
- the actual HTTP context.IOException
- if an I/O error occurs while creating the socketCopyright © 1999–2022 The Apache Software Foundation. All rights reserved.