Class TLSUtils


  • public class TLSUtils
    extends java.lang.Object
    • Method Detail

      • setEnabledTlsProtocolsToRecommended

public static <B extends ConnectionConfiguration.Builder<B, ?>> B setEnabledTlsProtocolsToRecommended(B builder)
        Enable the recommended TLS protocols.
        Type Parameters:
        B - Type of the ConnectionConfiguration builder.
        Parameters:
        builder - the configuration builder to apply this setting to
        Returns:
        the given builder
      • setTLSOnly

        @Deprecated
public static <B extends ConnectionConfiguration.Builder<B, ?>> B setTLSOnly(B builder)
        Enable only TLS. Connections created with the given ConnectionConfiguration will only support TLS.

According to the Encrypted XMPP Manifesto, TLSv1.2 shall be deployed, providing fallback support for SSLv3 and TLSv1.1. This method goes one step beyond and upgrades the handshake to use TLSv1 or better. This method requires the underlying OS to support all of TLSv1.2, 1.1 and 1.0.

        Type Parameters:
        B - Type of the ConnectionConfiguration builder.
        Parameters:
        builder - the configuration builder to apply this setting to
        Returns:
        the given builder
      • acceptAllCertificates

public static <B extends ConnectionConfiguration.Builder<B, ?>> B acceptAllCertificates(B builder)
        Accept all TLS certificates.

Warning: Use with care. This method makes the Connection use TLSUtils.AcceptAllTrustManager and essentially invalidates all security guarantees provided by TLS. Only use this method if you understand the implications.

        Type Parameters:
        B - Type of the ConnectionConfiguration builder.
        Parameters:
        builder - a connection configuration builder.
        Returns:
        the given builder.
      • disableHostnameVerificationForTlsCertificates

public static <B extends ConnectionConfiguration.Builder<B, ?>> B disableHostnameVerificationForTlsCertificates(B builder)
        Disable the hostname verification of TLS certificates.

        Warning: Use with care. This disables hostname verification of TLS certificates and essentially invalidates all security guarantees provided by TLS. Only use this method if you understand the implications.

        Type Parameters:
        B - Type of the ConnectionConfiguration builder.
        Parameters:
        builder - a connection configuration builder.
        Returns:
        the given builder.
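The following is an added example, not code from the Smack project, showing the two configurations side by side: the weak one built with acceptAllCertificates and disableHostnameVerificationForTlsCertificates, and a hardened one that uses setEnabledTlsProtocolsToRecommended together with an explicit truststore. The domain, host, truststore path and password are assumptions; XMPPTCPConnectionConfiguration, setXmppDomain, setHost, setSecurityMode and setCustomSSLContext are existing Smack APIs.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import org.jivesoftware.smack.ConnectionConfiguration;
import org.jivesoftware.smack.tcp.XMPPTCPConnectionConfiguration;
import org.jivesoftware.smack.util.TLSUtils;

/**
 * Example code (not part of Smack): a weak and a hardened TLS configuration
 * for a Smack connection, built with the TLSUtils helpers documented above.
 */
public class TlsConfigExample {

    /**
     * Weak: any certificate for any name is accepted, so an attacker on the
     * network path can present their own certificate and read or modify the
     * XMPP stream. This is what the "Use with care" warnings refer to.
     */
    static XMPPTCPConnectionConfiguration weakConfig() throws Exception {
        XMPPTCPConnectionConfiguration.Builder builder = XMPPTCPConnectionConfiguration.builder()
                .setXmppDomain("example.org")      // hypothetical domain
                .setHost("xmpp.example.org");      // hypothetical host
        TLSUtils.acceptAllCertificates(builder);                         // installs AcceptAllTrustManager
        TLSUtils.disableHostnameVerificationForTlsCertificates(builder); // cert may carry any name
        return builder.build();
    }

    /**
     * Hardened: TLS is mandatory, only the recommended protocol versions are
     * enabled, and trust is limited to the CAs in an explicit truststore.
     * Hostname verification is left at its default (enabled).
     */
    static XMPPTCPConnectionConfiguration hardenedConfig(String truststorePath, char[] truststorePassword)
            throws Exception {
        // The KeyStore type must match the file format (JKS vs PKCS12);
        // KeyStore.getDefaultType() follows the javax.net.ssl.trustStoreType property.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(truststorePath)) {
            trustStore.load(in, truststorePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        XMPPTCPConnectionConfiguration.Builder builder = XMPPTCPConnectionConfiguration.builder()
                .setXmppDomain("example.org")      // hypothetical domain
                .setHost("xmpp.example.org")       // hypothetical host
                .setSecurityMode(ConnectionConfiguration.SecurityMode.required) // refuse plaintext
                .setCustomSSLContext(ctx);         // trust only the loaded truststore
        TLSUtils.setEnabledTlsProtocolsToRecommended(builder);
        return builder.build();
    }
}
```

The hardened variant is the shape to aim for in production: certificate validation, hostname verification and protocol selection each stay active, and only the trust anchors are narrowed. If a development setup needs a self-signed server certificate, adding that certificate to the truststore passed to hardenedConfig keeps the checks in place, whereas the weak variant removes them entirely.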
      • getChannelBindingTlsServerEndPoint

public static byte[] getChannelBindingTlsServerEndPoint(javax.net.ssl.SSLSession sslSession)
                                                         throws javax.net.ssl.SSLPeerUnverifiedException,
                                                                java.security.cert.CertificateEncodingException,
                                                                java.security.NoSuchAlgorithmException
        Get the channel binding data for the 'tls-server-end-point' channel binding type. This channel binding type is defined in RFC 5929 § 4.
        Parameters:
        sslSession - the SSL/TLS session from which the data should be retrieved.
        Returns:
        the channel binding data.
        Throws:
javax.net.ssl.SSLPeerUnverifiedException - if the TLS peer could not be verified.
        java.security.cert.CertificateEncodingException - if there was an encoding error with the certificate.
        java.security.NoSuchAlgorithmException - if no such algorithm is available.
        See Also:
        RFC 5929 § 4.
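As an added illustration (not Smack's own implementation) of what the 'tls-server-end-point' channel binding type consists of, the following code computes the RFC 5929 § 4 value for an X.509 end-entity certificate: the certificate's DER encoding is hashed with the hash of its signature algorithm, except that MD5 and SHA-1 are replaced by SHA-256. At runtime the certificate would be the first element of sslSession.getPeerCertificates(); the main method here reads a PEM file given on the command line instead so it can be tried against any saved server certificate. The class and method names are assumptions; the signature-name parsing only handles the common "<hash>with<key>" JCA names.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Locale;

/** Example code (not part of Smack): tls-server-end-point per RFC 5929 section 4. */
public class TlsServerEndPointExample {

    /**
     * Choose the digest from a JCA signature algorithm name such as "SHA256withRSA".
     * RFC 5929: if the certificate's signature hash is MD5 or SHA-1, use SHA-256;
     * otherwise use that same hash; if no single hash can be identified, the
     * binding is undefined (reported here as NoSuchAlgorithmException).
     */
    static String digestFor(String sigAlgName) throws NoSuchAlgorithmException {
        String upper = sigAlgName.toUpperCase(Locale.ROOT);
        int with = upper.indexOf("WITH");
        if (with < 0) {
            // e.g. "RSASSA-PSS" (hash in parameters) or "Ed25519": not parsed by this example
            throw new NoSuchAlgorithmException("cannot derive hash from " + sigAlgName);
        }
        String hash = upper.substring(0, with);
        switch (hash) {
            case "MD5":
            case "SHA1":
                return "SHA-256";
            case "SHA224": return "SHA-224";
            case "SHA256": return "SHA-256";
            case "SHA384": return "SHA-384";
            case "SHA512": return "SHA-512";
            default:
                throw new NoSuchAlgorithmException("unsupported hash " + hash + " in " + sigAlgName);
        }
    }

    /** Hash of the DER-encoded end-entity certificate, i.e. the channel binding data. */
    static byte[] tlsServerEndPoint(X509Certificate cert)
            throws CertificateEncodingException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(digestFor(cert.getSigAlgName()));
        return md.digest(cert.getEncoded());
    }

    public static void main(String[] args) throws Exception {
        // Usage: java TlsServerEndPointExample server-cert.pem
        byte[] pem = Files.readAllBytes(Paths.get(args[0]));
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(pem));
        byte[] cb = tlsServerEndPoint(cert);
        StringBuilder hex = new StringBuilder();
        for (byte b : cb) {
            hex.append(String.format("%02x", b));
        }
        System.out.println(cert.getSigAlgName() + " -> " + digestFor(cert.getSigAlgName()) + ": " + hex);
    }
}
```

Because both client and server derive the value from the certificate the server actually presented, a SASL mechanism that mixes this binding into its exchange (SCRAM-SHA-1-PLUS and similar) fails if a man-in-the-middle terminated the TLS session with a different certificate, which is what makes the binding useful beyond plain certificate validation. The MD5/SHA-1 substitution matters: without it, a certificate signed with a broken hash would also weaken the binding.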
      • getDefaultTruststoreType

        public static org.jivesoftware.smack.util.TLSUtils.DefaultTrustStoreType getDefaultTruststoreType()
                                                                                                   throws java.io.IOException
        Throws:
        java.io.IOException
      • setDefaultTrustStoreTypeToJksIfRequired

        public static void setDefaultTrustStoreTypeToJksIfRequired()
Tries to determine if the default truststore type is of type jks and sets the javax.net.ssl.trustStoreType system property to 'JKS' if so. This is meant as a workaround in situations where the default truststore type is (still) 'jks' but we run on a newer JRE/JDK which uses PKCS#12 as type. See for example Gentoo bug #712290.