Posted to commits@hc.apache.org by ol...@apache.org on 2013/10/02 14:54:26 UTC
svn commit: r1528452 - in
/httpcomponents/httpasyncclient/trunk/httpasyncclient/src:
examples/org/apache/http/examples/nio/client/
main/java/org/apache/http/impl/nio/client/
main/java/org/apache/http/nio/conn/ssl/
Author: olegk
Date: Wed Oct 2 12:54:26 2013
New Revision: 1528452
URL: http://svn.apache.org/r1528452
Log:
Support for SSL protocols and cipher suites; ensure X509HostnameVerifier is never null
Modified:
httpcomponents/httpasyncclient/trunk/httpasyncclient/src/examples/org/apache/http/examples/nio/client/AsyncClientCustomSSL.java
httpcomponents/httpasyncclient/trunk/httpasyncclient/src/main/java/org/apache/http/impl/nio/client/HttpAsyncClientBuilder.java
httpcomponents/httpasyncclient/trunk/httpasyncclient/src/main/java/org/apache/http/nio/conn/ssl/SSLIOSessionStrategy.java
Modified: httpcomponents/httpasyncclient/trunk/httpasyncclient/src/examples/org/apache/http/examples/nio/client/AsyncClientCustomSSL.java
URL: http://svn.apache.org/viewvc/httpcomponents/httpasyncclient/trunk/httpasyncclient/src/examples/org/apache/http/examples/nio/client/AsyncClientCustomSSL.java?rev=1528452&r1=1528451&r2=1528452&view=diff
==============================================================================
--- httpcomponents/httpasyncclient/trunk/httpasyncclient/src/examples/org/apache/http/examples/nio/client/AsyncClientCustomSSL.java (original)
+++ httpcomponents/httpasyncclient/trunk/httpasyncclient/src/examples/org/apache/http/examples/nio/client/AsyncClientCustomSSL.java Wed Oct 2 12:54:26 2013
@@ -35,8 +35,8 @@ import javax.net.ssl.SSLContext;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
-import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLContexts;
+import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.nio.client.CloseableHttpAsyncClient;
import org.apache.http.impl.nio.client.HttpAsyncClients;
import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy;
@@ -55,11 +55,16 @@ public class AsyncClientCustomSSL {
} finally {
instream.close();
}
+ // Trust own CA and all self-signed certs
SSLContext sslcontext = SSLContexts.custom()
- .loadTrustMaterial(trustStore)
+ .loadTrustMaterial(trustStore, new TrustSelfSignedStrategy())
.build();
- SSLIOSessionStrategy sslSessionStrategy = new SSLIOSessionStrategy(sslcontext,
- SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
+ // Allow TLSv1 protocol only
+ SSLIOSessionStrategy sslSessionStrategy = new SSLIOSessionStrategy(
+ sslcontext,
+ new String[] { "TLSv1" },
+ null,
+ SSLIOSessionStrategy.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
CloseableHttpAsyncClient httpclient = HttpAsyncClients.custom()
.setSSLStrategy(sslSessionStrategy)
.build();
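Review bot: The comment `// Trust own CA and all self-signed certs` understates what `TrustSelfSignedStrategy` does here: any self-signed certificate a peer presents is accepted regardless of what is in `trustStore`, so in this example only hostname verification stands between the client and a forged self-signed leaf. Since this file is an example that gets copied, I would extend the comment, e.g. `// Trust own CA and all self-signed certs (demo only: a self-signed cert from any peer is accepted, not just ones in the trust store)`. Likewise `// Allow TLSv1 protocol only` is accurate but worth stating that the array replaces the engine's enabled set rather than setting a minimum version. The enclosing main() starts and ends outside the hunk.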
Modified: httpcomponents/httpasyncclient/trunk/httpasyncclient/src/main/java/org/apache/http/impl/nio/client/HttpAsyncClientBuilder.java
URL: http://svn.apache.org/viewvc/httpcomponents/httpasyncclient/trunk/httpasyncclient/src/main/java/org/apache/http/impl/nio/client/HttpAsyncClientBuilder.java?rev=1528452&r1=1528451&r2=1528452&view=diff
==============================================================================
--- httpcomponents/httpasyncclient/trunk/httpasyncclient/src/main/java/org/apache/http/impl/nio/client/HttpAsyncClientBuilder.java (original)
+++ httpcomponents/httpasyncclient/trunk/httpasyncclient/src/main/java/org/apache/http/impl/nio/client/HttpAsyncClientBuilder.java Wed Oct 2 12:54:26 2013
@@ -63,6 +63,7 @@ import org.apache.http.conn.ConnectionKe
import org.apache.http.conn.SchemePortResolver;
import org.apache.http.conn.routing.HttpRoutePlanner;
import org.apache.http.conn.ssl.SSLContexts;
+import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.cookie.CookieSpecProvider;
import org.apache.http.impl.DefaultConnectionReuseStrategy;
import org.apache.http.impl.NoConnectionReuseStrategy;
@@ -101,6 +102,7 @@ import org.apache.http.protocol.HttpProc
import org.apache.http.protocol.RequestContent;
import org.apache.http.protocol.RequestTargetHost;
import org.apache.http.protocol.RequestUserAgent;
+import org.apache.http.util.TextUtils;
import org.apache.http.util.VersionInfo;
@NotThreadSafe
@@ -117,6 +119,7 @@ public class HttpAsyncClientBuilder {
private NHttpClientConnectionManager connManager;
private SchemePortResolver schemePortResolver;
private SchemeIOSessionStrategy sslStrategy;
+ private X509HostnameVerifier hostnameVerifier;
private SSLContext sslcontext;
private ConnectionReuseStrategy reuseStrategy;
private ConnectionKeepAliveStrategy keepAliveStrategy;
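Review bot: The new `hostnameVerifier` field is never assigned anywhere in this commit — no setter hunk accompanies it — so unless a `setHostnameVerifier` method exists outside these hunks, the `@@ -372` hunk's `build()` always passes null and the strategy silently falls back to `BROWSER_COMPATIBLE_HOSTNAME_VERIFIER`. A setter in the style of the builder's other setters, `public HttpAsyncClientBuilder setHostnameVerifier(final X509HostnameVerifier hostnameVerifier) { this.hostnameVerifier = hostnameVerifier; return this; }`, would make the field reachable; without it the field is dead state. The builder class continues outside the hunk.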
@@ -359,6 +362,13 @@ public class HttpAsyncClientBuilder {
return this;
}
+ private static String[] split(final String s) {
+ if (TextUtils.isBlank(s)) {
+ return null;
+ }
+ return s.split(" *, *");
+ }
+
public CloseableHttpAsyncClient build() {
NHttpClientConnectionManager connManager = this.connManager;
if (connManager == null) {
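Review bot: `split` keeps leading and trailing whitespace of the whole value because the regex `" *, *"` only trims around commas, so `-Dhttps.protocols=" TLSv1, TLSv1.1"` yields `" TLSv1"` and later makes `SSLEngine.setEnabledProtocols` reject the list with IllegalArgumentException; `return s.trim().split(" *, *");` avoids that. The same helper is duplicated verbatim as `SSLIOSessionStrategy.split` in the third file of this commit, so the fix applies there too, and a single shared helper would keep the two from drifting. `build()` starts here and continues past the hunk.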
@@ -372,7 +382,12 @@ public class HttpAsyncClientBuilder {
sslcontext = SSLContexts.createSystemDefault();
}
}
- sslStrategy = new SSLIOSessionStrategy(sslcontext);
+ final String[] supportedProtocols = systemProperties ? split(
+ System.getProperty("https.protocols")) : null;
+ final String[] supportedCipherSuites = systemProperties ? split(
+ System.getProperty("https.cipherSuites")) : null;
+ sslStrategy = new SSLIOSessionStrategy(
+ sslcontext, supportedProtocols, supportedCipherSuites, hostnameVerifier);
}
final ConnectingIOReactor ioreactor = IOReactorUtils.create(
defaultIOReactorConfig != null ? defaultIOReactorConfig : IOReactorConfig.DEFAULT);
Modified: httpcomponents/httpasyncclient/trunk/httpasyncclient/src/main/java/org/apache/http/nio/conn/ssl/SSLIOSessionStrategy.java
URL: http://svn.apache.org/viewvc/httpcomponents/httpasyncclient/trunk/httpasyncclient/src/main/java/org/apache/http/nio/conn/ssl/SSLIOSessionStrategy.java?rev=1528452&r1=1528451&r2=1528452&view=diff
==============================================================================
--- httpcomponents/httpasyncclient/trunk/httpasyncclient/src/main/java/org/apache/http/nio/conn/ssl/SSLIOSessionStrategy.java (original)
+++ httpcomponents/httpasyncclient/trunk/httpasyncclient/src/main/java/org/apache/http/nio/conn/ssl/SSLIOSessionStrategy.java Wed Oct 2 12:54:26 2013
@@ -37,15 +37,19 @@ import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import org.apache.http.HttpHost;
+import org.apache.http.conn.ssl.AllowAllHostnameVerifier;
import org.apache.http.conn.ssl.BrowserCompatHostnameVerifier;
import org.apache.http.conn.ssl.SSLContexts;
+import org.apache.http.conn.ssl.StrictHostnameVerifier;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.nio.conn.SchemeIOSessionStrategy;
import org.apache.http.nio.reactor.IOSession;
import org.apache.http.nio.reactor.ssl.SSLIOSession;
import org.apache.http.nio.reactor.ssl.SSLMode;
import org.apache.http.nio.reactor.ssl.SSLSetupHandler;
+import org.apache.http.util.Args;
import org.apache.http.util.Asserts;
+import org.apache.http.util.TextUtils;
/**
* TLS/SSL transport level security strategy.
@@ -54,25 +58,61 @@ import org.apache.http.util.Asserts;
*/
public class SSLIOSessionStrategy implements SchemeIOSessionStrategy {
+ public static final X509HostnameVerifier ALLOW_ALL_HOSTNAME_VERIFIER =
+ new AllowAllHostnameVerifier();
+
+ public static final X509HostnameVerifier BROWSER_COMPATIBLE_HOSTNAME_VERIFIER =
+ new BrowserCompatHostnameVerifier();
+
+ public static final X509HostnameVerifier STRICT_HOSTNAME_VERIFIER =
+ new StrictHostnameVerifier();
+
+ private static String[] split(final String s) {
+ if (TextUtils.isBlank(s)) {
+ return null;
+ }
+ return s.split(" *, *");
+ }
+
public static SSLIOSessionStrategy getDefaultStrategy() {
- return new SSLIOSessionStrategy(SSLContexts.createDefault());
+ return new SSLIOSessionStrategy(
+ SSLContexts.createDefault(),
+ BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
}
public static SSLIOSessionStrategy getSystemDefaultStrategy() {
- return new SSLIOSessionStrategy(SSLContexts.createSystemDefault());
+ return new SSLIOSessionStrategy(
+ SSLContexts.createSystemDefault(),
+ split(System.getProperty("https.protocols")),
+ split(System.getProperty("https.cipherSuites")),
+ BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
}
private final SSLContext sslContext;
+ private final String[] supportedProtocols;
+ private final String[] supportedCipherSuites;
private final X509HostnameVerifier hostnameVerifier;
- public SSLIOSessionStrategy(final SSLContext sslContext, final X509HostnameVerifier hostnameVerifier) {
+ public SSLIOSessionStrategy(
+ final SSLContext sslContext,
+ final String[] supportedProtocols,
+ final String[] supportedCipherSuites,
+ final X509HostnameVerifier hostnameVerifier) {
super();
- this.sslContext = sslContext;
- this.hostnameVerifier = hostnameVerifier;
+ this.sslContext = Args.notNull(sslContext, "SSL context");
+ this.supportedProtocols = supportedProtocols;
+ this.supportedCipherSuites = supportedCipherSuites;
+ this.hostnameVerifier = hostnameVerifier != null ? hostnameVerifier : BROWSER_COMPATIBLE_HOSTNAME_VERIFIER;
+ }
+
+ public SSLIOSessionStrategy(
+ final SSLContext sslcontext,
+ final X509HostnameVerifier hostnameVerifier) {
+ this(sslcontext, null, null, hostnameVerifier);
}
public SSLIOSessionStrategy(final SSLContext sslcontext) {
- this(sslcontext, new BrowserCompatHostnameVerifier());
+ this(sslcontext, null, null, BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
}
public SSLIOSession upgrade(final HttpHost host, final IOSession iosession) throws IOException {
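Review bot: The four-argument constructor stores the caller's arrays directly at `this.supportedProtocols = supportedProtocols;` and `this.supportedCipherSuites = supportedCipherSuites;`, so a caller that keeps a reference can change the enabled protocol or cipher list of a strategy that is already wired into a client; `this.supportedProtocols = supportedProtocols != null ? supportedProtocols.clone() : null;` (and the same for cipher suites) keeps the instance as immutable as `final` implies. The three new public constants also lack Javadoc; `ALLOW_ALL_HOSTNAME_VERIFIER` in particular should carry a comment such as `/** Disables hostname verification: the peer certificate's identity is not checked against the target host. Intended for testing only. */` so that its use in production code is a deliberate choice. The class body continues past the hunk.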
@@ -85,6 +125,12 @@ public class SSLIOSessionStrategy implem
public void initalize(
final SSLEngine sslengine) throws SSLException {
+ if (supportedProtocols != null) {
+ sslengine.setEnabledProtocols(supportedProtocols);
+ }
+ if (supportedCipherSuites != null) {
+ sslengine.setEnabledCipherSuites(supportedCipherSuites);
+ }
initializeEngine(sslengine);
}
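Review bot: The two new guards replace the engine's enabled protocol and cipher-suite sets wholesale, and per the SSLEngine contract an entry the engine does not support makes `setEnabledProtocols`/`setEnabledCipherSuites` throw IllegalArgumentException at handshake setup rather than at construction time; that deserves a comment above `if (supportedProtocols != null) {`, e.g. `// Replaces (does not extend) the engine's enabled set; unsupported names fail here with IllegalArgumentException`. Validating the arrays in the constructor, for instance against `sslContext.getSupportedSSLParameters()`, would surface a misconfiguration before the first connection, but is optional. The enclosing anonymous SSLSetupHandler and upgrade() begin outside the hunk.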