io.netty.internal.tcnative

类 SSLContext

java.lang.Object

io.netty.internal.tcnative.SSLContext

public final class SSLContext
extends java.lang.Object

方法概要

方法

限定符和类型	方法和说明
static void	clearOptions(long ctx, int options) Clears OpenSSL Options.
static void	disableOcsp(long ctx) Disables OCSP stapling on the given SSLContext.
static void	enableOcsp(long ctx, boolean client) Enables OCSP stapling for the given SSLContext or throws an exception if OCSP stapling is not supported.
static int	free(long ctx) Free the resources used by the Context
static int	getMode(long ctx) Call SSL_CTX_get_mode
static int	getOptions(long ctx) Get OpenSSL Option.
static long	getSessionCacheMode(long ctx) Get the mode of the current used internal session cache.
static long	getSessionCacheSize(long ctx) Get the size of the internal session cache.
static long	getSessionCacheTimeout(long ctx) Get the timeout for the internal session cache in seconds.
static long	make(int protocol, int mode) Initialize new SSL context
static long	sessionAccept(long ctx) Session resumption statistics methods.
static long	sessionAcceptGood(long ctx) Session resumption statistics methods.
static long	sessionAcceptRenegotiate(long ctx) Session resumption statistics methods.
static long	sessionCacheFull(long ctx) Session resumption statistics methods.
static long	sessionCbHits(long ctx) Session resumption statistics methods.
static long	sessionConnect(long ctx) Session resumption statistics methods.
static long	sessionConnectGood(long ctx) Session resumption statistics methods.
static long	sessionConnectRenegotiate(long ctx) Session resumption statistics methods.
static long	sessionHits(long ctx) Session resumption statistics methods.
static long	sessionMisses(long ctx) Session resumption statistics methods.
static long	sessionNumber(long ctx) Session resumption statistics methods.
static long	sessionTicketKeyFail(long ctx) TLS session ticket key resumption statistics.
static long	sessionTicketKeyNew(long ctx) TLS session ticket key resumption statistics.
static long	sessionTicketKeyRenew(long ctx) TLS session ticket key resumption statistics.
static long	sessionTicketKeyResume(long ctx) TLS session ticket key resumption statistics.
static long	sessionTimeouts(long ctx) Session resumption statistics methods.
static void	setAlpnProtos(long ctx, java.lang.String[] alpnProtos, int selectorFailureBehavior) Set application layer protocol for application layer protocol negotiation extension
static boolean	setCACertificateBio(long ctx, long certBio) Set concatenated PEM-encoded CA Certificates for Client Auth This directive sets the all-in-one BIO where you can assemble the Certificates of Certification Authorities (CA) whose clients you deal with.
static boolean	setCertificate(long ctx, java.lang.String cert, java.lang.String key, java.lang.String password) Set Certificate Point setCertificateFile at a PEM encoded certificate.
static boolean	setCertificateBio(long ctx, long certBio, long keyBio, java.lang.String password) Set Certificate Point setCertificate at a PEM encoded certificate stored in a BIO.
static boolean	setCertificateChainBio(long ctx, long bio, boolean skipfirst) Set BIO of PEM-encoded Server CA Certificates This directive sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate.
static boolean	setCertificateChainFile(long ctx, java.lang.String file, boolean skipfirst) Set File of PEM-encoded Server CA Certificates This directive sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate.
static void	setCertRequestedCallback(long ctx, CertificateRequestedCallback callback) Allow to hook CertificateRequestedCallback into the certificate choosing process.
static void	setCertVerifyCallback(long ctx, CertificateVerifier verifier) Allow to hook CertificateVerifier into the handshake processing.
static boolean	setCipherSuite(long ctx, java.lang.String ciphers) Cipher Suite available for negotiation in SSL handshake.
static void	setContextId(long ctx, java.lang.String id) Set Session context id.
static int	setMode(long ctx, int mode) Call SSL_CTX_set_mode
static void	setNpnProtos(long ctx, java.lang.String[] nextProtos, int selectorFailureBehavior) Set next protocol for next protocol negotiation extension
static void	setOptions(long ctx, int options) Set OpenSSL Option.
static long	setSessionCacheMode(long ctx, long mode) Set the mode of the internal session cache and return the previous used mode.
static long	setSessionCacheSize(long ctx, long size) Set the size of the internal session cache.
static long	setSessionCacheTimeout(long ctx, long timeoutSeconds) Set the timeout for the internal session cache in seconds.
static boolean	setSessionIdContext(long ctx, byte[] sidCtx) Set the context within which session be reused (server side only).
static void	setSessionTicketKeys(long ctx, SessionTicketKey[] keys) Set TLS session ticket keys.
static void	setSniHostnameMatcher(long ctx, SniHostNameMatcher matcher) Allow to hook SniHostNameMatcher into the sni processing.
static void	setTmpDHLength(long ctx, int length) Set length of the DH to use.
static void	setVerify(long ctx, int level, int depth) Set Type of Client Certificate verification and Maximum depth of CA Certificates in Client Certificate verification.

从类继承的方法 java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

方法详细资料

make

public static long make(int protocol,
        int mode)
                 throws java.lang.Exception

Initialize new SSL context

参数:

protocol - The SSL protocol to use. It can be any combination of the following:

 SSL.SSL_PROTOCOL_SSLV2
 SSL.SSL_PROTOCOL_SSLV3
 SSL.SSL_PROTOCOL_TLSV1
 SSL.SSL_PROTOCOL_TLSV1_1
 SSL.SSL_PROTOCOL_TLSV1_2
 SSL.SSL_PROTOCOL_ALL ( == all TLS versions, no SSL)
 

mode - SSL mode to use

 SSL_MODE_CLIENT
 SSL_MODE_SERVER
 SSL_MODE_COMBINED
 

返回:

the SSLContext struct

抛出:

java.lang.Exception - if an error happened

free

public static int free(long ctx)

Free the resources used by the Context

参数:

ctx - Server or Client context to free.

返回:

APR Status code.

setContextId

public static void setContextId(long ctx,
                java.lang.String id)

Set Session context id. Usually host:port combination.

参数:

ctx - Context to use.

id - String that uniquely identifies this context.

setOptions

public static void setOptions(long ctx,
              int options)

Set OpenSSL Option.

参数:

ctx - Server or Client context to use.

options - See SSL.SSL_OP_* for option flags.

getOptions

public static int getOptions(long ctx)

Get OpenSSL Option.

参数:

ctx - Server or Client context to use.

返回:

options See SSL.SSL_OP_* for option flags.

clearOptions

public static void clearOptions(long ctx,
                int options)

Clears OpenSSL Options.

参数:

ctx - Server or Client context to use.

options - See SSL.SSL_OP_* for option flags.

setCipherSuite

public static boolean setCipherSuite(long ctx,
                     java.lang.String ciphers)
                              throws java.lang.Exception

Cipher Suite available for negotiation in SSL handshake.
This complex directive uses a colon-separated cipher-spec string consisting of OpenSSL cipher specifications to configure the Cipher Suite the client is permitted to negotiate in the SSL handshake phase. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the standard SSL handshake when a connection is established. In per-directory context it forces a SSL renegotiation with the reconfigured Cipher Suite after the HTTP request was read but before the HTTP response is sent.

参数:

ctx - Server or Client context to use.

ciphers - An SSL cipher specification.

返回:

true if successful

抛出:

java.lang.Exception - if an error happened

setCertificateChainFile

public static boolean setCertificateChainFile(long ctx,
                              java.lang.String file,
                              boolean skipfirst)

Set File of PEM-encoded Server CA Certificates
This directive sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA certificate of of the server certificate and can range up to the root CA certificate. Such a file is simply the concatenation of the various PEM-encoded CA Certificate files, usually in certificate chain order.
But be careful: Providing the certificate chain works only if you are using a single (either RSA or DSA) based server certificate. If you are using a coupled RSA+DSA certificate pair, this will work only if actually both certificates use the same certificate chain. Else the browsers will be confused in this situation.

参数:

ctx - Server or Client context to use.

file - File of PEM-encoded Server CA Certificates.

skipfirst - Skip first certificate if chain file is inside certificate file.

返回:

true if successful

setCertificateChainBio

public static boolean setCertificateChainBio(long ctx,
                             long bio,
                             boolean skipfirst)

Set BIO of PEM-encoded Server CA Certificates

This directive sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA certificate of of the server certificate and can range up to the root CA certificate. Such a file is simply the concatenation of the various PEM-encoded CA Certificate files, usually in certificate chain order.

But be careful: Providing the certificate chain works only if you are using a single (either RSA or DSA) based server certificate. If you are using a coupled RSA+DSA certificate pair, this will work only if actually both certificates use the same certificate chain. Otherwsie the browsers will be confused in this situation.

参数:

ctx - Server or Client context to use.

bio - BIO of PEM-encoded Server CA Certificates.

skipfirst - Skip first certificate if chain file is inside certificate file.

返回:

true if successful

setCertificate

public static boolean setCertificate(long ctx,
                     java.lang.String cert,
                     java.lang.String key,
                     java.lang.String password)
                              throws java.lang.Exception

Set Certificate

Point setCertificateFile at a PEM encoded certificate. If the certificate is encrypted, then you will be prompted for a pass phrase. Note that a kill -HUP will prompt again. A test certificate can be generated with `make certificate' under built time. Keep in mind that if you've both a RSA and a DSA certificate you can configure both in parallel (to also allow the use of DSA ciphers, etc.)

If the key is not combined with the certificate, use key param to point at the key file. Keep in mind that if you've both a RSA and a DSA private key you can configure both in parallel (to also allow the use of DSA ciphers, etc.)

参数:

ctx - Server or Client context to use.

cert - Certificate file.

key - Private Key file to use if not in cert.

password - Certificate password. If null and certificate is encrypted, password prompt will be displayed.

返回:

true if successful

抛出:

java.lang.Exception - if an error happened

setCertificateBio

public static boolean setCertificateBio(long ctx,
                        long certBio,
                        long keyBio,
                        java.lang.String password)
                                 throws java.lang.Exception

Set Certificate

Point setCertificate at a PEM encoded certificate stored in a BIO. If the certificate is encrypted, then you will be prompted for a pass phrase. Note that a kill -HUP will prompt again. A test certificate can be generated with `make certificate' under built time. Keep in mind that if you've both a RSA and a DSA certificate you can configure both in parallel (to also allow the use of DSA ciphers, etc.)

If the key is not combined with the certificate, use key param to point at the key file. Keep in mind that if you've both a RSA and a DSA private key you can configure both in parallel (to also allow the use of DSA ciphers, etc.)

参数:

ctx - Server or Client context to use.

certBio - Certificate BIO.

keyBio - Private Key BIO to use if not in cert.

password - Certificate password. If null and certificate is encrypted, password prompt will be displayed.

返回:

true if successful

抛出:

java.lang.Exception - if an error happened

setSessionCacheSize

public static long setSessionCacheSize(long ctx,
                       long size)

Set the size of the internal session cache. See man SSL_CTX_sess_set_cache_size

参数:

ctx - Server or Client context to use.

size - the size of the cache

返回:

the previous set value

getSessionCacheSize

public static long getSessionCacheSize(long ctx)

Get the size of the internal session cache. See man SSL_CTX_sess_get_cache_size

参数:

ctx - Server or Client context to use.

返回:

the current value

setSessionCacheTimeout

public static long setSessionCacheTimeout(long ctx,
                          long timeoutSeconds)

Set the timeout for the internal session cache in seconds. See man SSL_CTX_set_timeout

参数:

ctx - Server or Client context to use.

timeoutSeconds - the timeout of the cache

返回:

the previous set value

getSessionCacheTimeout

public static long getSessionCacheTimeout(long ctx)

Get the timeout for the internal session cache in seconds. See man SSL_CTX_get_timeout

参数:

ctx - Server or Client context to use

返回:

the current value

setSessionCacheMode

public static long setSessionCacheMode(long ctx,
                       long mode)

Set the mode of the internal session cache and return the previous used mode.

参数:

ctx - Server or Client context to use

mode - the mode of the cache

返回:

the previous set value

getSessionCacheMode

public static long getSessionCacheMode(long ctx)

Get the mode of the current used internal session cache.

参数:

ctx - Server or Client context to use

返回:

the current mode

sessionAccept

public static long sessionAccept(long ctx)

Session resumption statistics methods. See man SSL_CTX_sess_number

参数:

ctx - Server or Client context to use

返回:

the current number

sessionAcceptGood

public static long sessionAcceptGood(long ctx)

Session resumption statistics methods. See man SSL_CTX_sess_number

参数:

ctx - Server or Client context to use

返回:

the current number

sessionAcceptRenegotiate

public static long sessionAcceptRenegotiate(long ctx)

Session resumption statistics methods. See man SSL_CTX_sess_number

参数:

ctx - Server or Client context to use

返回:

the current number

sessionCacheFull

public static long sessionCacheFull(long ctx)

Session resumption statistics methods. See man SSL_CTX_sess_number

参数:

ctx - Server or Client context to use

返回:

the current number

sessionCbHits

public static long sessionCbHits(long ctx)

Session resumption statistics methods. See man SSL_CTX_sess_number

参数:

ctx - Server or Client context to use

返回:

the current number

sessionConnect

public static long sessionConnect(long ctx)

Session resumption statistics methods. See man SSL_CTX_sess_number

参数:

ctx - Server or Client context to use

返回:

the current number

sessionConnectGood

public static long sessionConnectGood(long ctx)

Session resumption statistics methods. See man SSL_CTX_sess_number

参数:

ctx - Server or Client context to use

返回:

the current number

sessionConnectRenegotiate

public static long sessionConnectRenegotiate(long ctx)

Session resumption statistics methods. See man SSL_CTX_sess_number

参数:

ctx - Server or Client context to use

返回:

the current number

sessionHits

public static long sessionHits(long ctx)

Session resumption statistics methods. See man SSL_CTX_sess_number

参数:

ctx - Server or Client context to use

返回:

the current number

sessionMisses

public static long sessionMisses(long ctx)

Session resumption statistics methods. See man SSL_CTX_sess_number

参数:

ctx - Server or Client context to use

返回:

the current number

sessionNumber

public static long sessionNumber(long ctx)

Session resumption statistics methods. See man SSL_CTX_sess_number

参数:

ctx - Server or Client context to use

返回:

the current number

sessionTimeouts

public static long sessionTimeouts(long ctx)

Session resumption statistics methods. See man SSL_CTX_sess_number

参数:

ctx - Server or Client context to use

返回:

the current number

sessionTicketKeyNew

public static long sessionTicketKeyNew(long ctx)

TLS session ticket key resumption statistics.

参数:

ctx - Server or Client context to use

返回:

the current number

sessionTicketKeyResume

public static long sessionTicketKeyResume(long ctx)

TLS session ticket key resumption statistics.

参数:

ctx - Server or Client context to use

返回:

the current number

sessionTicketKeyRenew

public static long sessionTicketKeyRenew(long ctx)

TLS session ticket key resumption statistics.

参数:

ctx - Server or Client context to use

返回:

the current number

sessionTicketKeyFail

public static long sessionTicketKeyFail(long ctx)

TLS session ticket key resumption statistics.

参数:

ctx - Server or Client context to use

返回:

the current number

setSessionTicketKeys

public static void setSessionTicketKeys(long ctx,
                        SessionTicketKey[] keys)

Set TLS session ticket keys.

The first key in the list is the primary key. Tickets dervied from the other keys in the list will be accepted but updated to a new ticket using the primary key. This is useful for implementing ticket key rotation. See RFC 5077

参数:

ctx - Server or Client context to use

keys - the SessionTicketKeys

setCACertificateBio

public static boolean setCACertificateBio(long ctx,
                          long certBio)

Set concatenated PEM-encoded CA Certificates for Client Auth
This directive sets the all-in-one BIO where you can assemble the Certificates of Certification Authorities (CA) whose clients you deal with. These are used for Client Authentication. Such a BIO is simply the concatenation of the various PEM-encoded Certificate files, in order of preference. This can be used alternatively and/or additionally to path.

参数:

ctx - Server context to use.

certBio - Directory of PEM-encoded CA Certificates for Client Auth.

返回:

true if successful, false otherwise.

setVerify

public static void setVerify(long ctx,
             int level,
             int depth)

Set Type of Client Certificate verification and Maximum depth of CA Certificates in Client Certificate verification.
This directive sets the Certificate verification level for the Client Authentication. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the client authentication process used in the standard SSL handshake when a connection is established. In per-directory context it forces a SSL renegotiation with the reconfigured client verification level after the HTTP request was read but before the HTTP response is sent.
The following levels are available for level:

• SSL.SSL_CVERIFY_IGNORED - The level is ignored. Only depth will change.
• SSL.SSL_CVERIFY_NONE - No client Certificate is required at all
• SSL.SSL_CVERIFY_OPTIONAL - The client may present a valid Certificate
• SSL.SSL_CVERIFY_REQUIRED - The client has to present a valid Certificate

The depth actually is the maximum number of intermediate certificate issuers, i.e. the number of CA certificates which are max allowed to be followed while verifying the client certificate. A depth of 0 means that self-signed client certificates are accepted only, the default depth of 1 means the client certificate can be self-signed or has to be signed by a CA which is directly known to the server (i.e. the CA's certificate is under setCACertificatePath), etc.

参数:

ctx - Server or Client context to use.

level - Type of Client Certificate verification.

depth - Maximum depth of CA Certificates in Client Certificate verification.

setCertVerifyCallback

public static void setCertVerifyCallback(long ctx,
                         CertificateVerifier verifier)

Allow to hook CertificateVerifier into the handshake processing. This will call SSL_CTX_set_cert_verify_callback and so replace the default verification callback used by openssl

参数:

ctx - Server or Client context to use.

verifier - the verifier to call during handshake.

setCertRequestedCallback

public static void setCertRequestedCallback(long ctx,
                            CertificateRequestedCallback callback)

Allow to hook CertificateRequestedCallback into the certificate choosing process. This will call SSL_CTX_set_client_cert_cb and so replace the default verification callback used by openssl

参数:

ctx - Server or Client context to use.

callback - the callback to call during certificate selection.

setSniHostnameMatcher

public static void setSniHostnameMatcher(long ctx,
                         SniHostNameMatcher matcher)

Allow to hook SniHostNameMatcher into the sni processing. This will call SSL_CTX_set_tlsext_servername_callback and so replace the default callback used by openssl

参数:

ctx - Server or Client context to use.

matcher - the matcher to call during sni hostname matching.

setNpnProtos

public static void setNpnProtos(long ctx,
                java.lang.String[] nextProtos,
                int selectorFailureBehavior)

Set next protocol for next protocol negotiation extension

参数:

ctx - Server context to use.

nextProtos - protocols in priority order

selectorFailureBehavior - see SSL.SSL_SELECTOR_FAILURE_NO_ADVERTISE and SSL.SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL

setAlpnProtos

public static void setAlpnProtos(long ctx,
                 java.lang.String[] alpnProtos,
                 int selectorFailureBehavior)

Set application layer protocol for application layer protocol negotiation extension

参数:

ctx - Server context to use.

alpnProtos - protocols in priority order

selectorFailureBehavior - see SSL.SSL_SELECTOR_FAILURE_NO_ADVERTISE and SSL.SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL

setTmpDHLength

public static void setTmpDHLength(long ctx,
                  int length)

Set length of the DH to use.

参数:

ctx - Server context to use.

length - the length.

setSessionIdContext

public static boolean setSessionIdContext(long ctx,
                          byte[] sidCtx)

Set the context within which session be reused (server side only). See man SSL_CTX_set_session_id_context

参数:

ctx - Server context to use.

sidCtx - can be any kind of binary data, it is therefore possible to use e.g. the name of the application and/or the hostname and/or service name

返回:

true if success, false otherwise.

setMode

public static int setMode(long ctx,
          int mode)

Call SSL_CTX_set_mode

参数:

ctx - context to use

mode - the mode

返回:

the set mode.

getMode

public static int getMode(long ctx)

Call SSL_CTX_get_mode

参数:

ctx - context to use

返回:

the mode.

enableOcsp

public static void enableOcsp(long ctx,
              boolean client)

Enables OCSP stapling for the given SSLContext or throws an exception if OCSP stapling is not supported.

SSL_set_tlsext_status_type

Search for OCSP

disableOcsp

public static void disableOcsp(long ctx)

Disables OCSP stapling on the given SSLContext.

SSL_set_tlsext_status_type

Search for OCSP