Class TLSUtils

java.lang.Object
    org.jivesoftware.smack.util.TLSUtils

public class TLSUtils extends java.lang.Object
Nested Class Summary

static class TLSUtils.AcceptAllTrustManager
    An X509TrustManager that doesn't validate X.509 certificates.
Field Summary

static java.lang.String PROTO_SSL3
static java.lang.String PROTO_TLSV1
static java.lang.String PROTO_TLSV1_1
static java.lang.String PROTO_TLSV1_2
static java.lang.String PROTO_TLSV1_3
static java.lang.String SSL
static java.lang.String TLS
Constructor Summary

TLSUtils()
Method Summary

static <B extends ConnectionConfiguration.Builder<B,?>> B acceptAllCertificates(B builder)
    Accept all TLS certificates.
static <B extends ConnectionConfiguration.Builder<B,?>> B disableHostnameVerificationForTlsCertificates(B builder)
    Disable the hostname verification of TLS certificates.
static byte[] getChannelBindingTlsServerEndPoint(javax.net.ssl.SSLSession sslSession)
    Get the channel binding data for the 'tls-server-end-point' channel binding type.
static java.io.FileInputStream getDefaultTruststoreStreamIfPossible()
static org.jivesoftware.smack.util.TLSUtils.DefaultTrustStoreType getDefaultTruststoreType()
static void setDefaultTrustStoreTypeToJksIfRequired()
    Tries to determine if the default truststore type is of type jks and sets the javax.net.ssl.trustStoreType system property to 'JKS' if so.
static void setEnabledProtocolsAndCiphers(javax.net.ssl.SSLSocket sslSocket, java.lang.String[] enabledProtocols, java.lang.String[] enabledCiphers)
static <B extends ConnectionConfiguration.Builder<B,?>> B setEnabledTlsProtocolsToRecommended(B builder)
    Enable the recommended TLS protocols.
static <B extends ConnectionConfiguration.Builder<B,?>> B setSSLv3AndTLSOnly(B builder)
    Deprecated.
static <B extends ConnectionConfiguration.Builder<B,?>> B setTLSOnly(B builder)
    Deprecated.
Field Detail

SSL
public static final java.lang.String SSL
    See Also: Constant Field Values

TLS
public static final java.lang.String TLS
    See Also: Constant Field Values

PROTO_SSL3
public static final java.lang.String PROTO_SSL3
    See Also: Constant Field Values

PROTO_TLSV1
public static final java.lang.String PROTO_TLSV1
    See Also: Constant Field Values

PROTO_TLSV1_1
public static final java.lang.String PROTO_TLSV1_1
    See Also: Constant Field Values

PROTO_TLSV1_2
public static final java.lang.String PROTO_TLSV1_2
    See Also: Constant Field Values

PROTO_TLSV1_3
public static final java.lang.String PROTO_TLSV1_3
    See Also: Constant Field Values
Constructor Detail

TLSUtils
public TLSUtils()
Method Detail

setEnabledTlsProtocolsToRecommended
public static <B extends ConnectionConfiguration.Builder<B,?>> B setEnabledTlsProtocolsToRecommended(B builder)
Enable the recommended TLS protocols.
    Type Parameters:
        B - Type of the ConnectionConfiguration builder.
    Parameters:
        builder - the configuration builder to apply this setting to
    Returns:
        the given builder
setTLSOnly
@Deprecated
public static <B extends ConnectionConfiguration.Builder<B,?>> B setTLSOnly(B builder)
Deprecated.
Enable only TLS. Connections created with the given ConnectionConfiguration will only support TLS. According to the Encrypted XMPP Manifesto, TLSv1.2 shall be deployed, providing fallback support for SSLv3 and TLSv1.1. This method goes one step beyond and upgrades the handshake to use TLSv1 or better. This method requires the underlying OS to support all of TLSv1.2, 1.1 and 1.0. Note that TLS 1.0 and TLS 1.1 have since been deprecated (RFC 8996), which is why this method is deprecated; prefer setEnabledTlsProtocolsToRecommended(B).
    Type Parameters:
        B - Type of the ConnectionConfiguration builder.
    Parameters:
        builder - the configuration builder to apply this setting to
    Returns:
        the given builder
setSSLv3AndTLSOnly
@Deprecated
public static <B extends ConnectionConfiguration.Builder<B,?>> B setSSLv3AndTLSOnly(B builder)
Deprecated.
Enable only TLS and SSLv3. Connections created with the given ConnectionConfiguration will only support TLS and SSLv3. According to the Encrypted XMPP Manifesto, TLSv1.2 shall be deployed, providing fallback support for SSLv3 and TLSv1.1. Note that SSLv3 has since been deprecated (RFC 7568) and must not be negotiated, and TLS 1.0/1.1 have been deprecated as well (RFC 8996); prefer setEnabledTlsProtocolsToRecommended(B).
    Type Parameters:
        B - Type of the ConnectionConfiguration builder.
    Parameters:
        builder - the configuration builder to apply this setting to
    Returns:
        the given builder
acceptAllCertificates
public static <B extends ConnectionConfiguration.Builder<B,?>> B acceptAllCertificates(B builder)
Accept all TLS certificates.

Warning: Use with care. This method makes the Connection use TLSUtils.AcceptAllTrustManager and essentially invalidates all security guarantees provided by TLS: no certificate chain is validated, so a session with any party presenting any certificate, including an on-path attacker impersonating the server, is accepted. The stream is still encrypted, but to an unauthenticated peer. Only use this method if you understand the implications.
    Type Parameters:
        B - Type of the ConnectionConfiguration builder.
    Parameters:
        builder - a connection configuration builder.
    Returns:
        the given builder.
disableHostnameVerificationForTlsCertificates
public static <B extends ConnectionConfiguration.Builder<B,?>> B disableHostnameVerificationForTlsCertificates(B builder)
Disable the hostname verification of TLS certificates.

Warning: Use with care. This disables hostname verification of TLS certificates and essentially invalidates all security guarantees provided by TLS: the certificate chain is still validated against the truststore, but a certificate that a trusted CA issued to any other name is accepted for this server, so any holder of such a certificate can impersonate it. Only use this method if you understand the implications.
    Type Parameters:
        B - Type of the ConnectionConfiguration builder.
    Parameters:
        builder - a connection configuration builder.
    Returns:
        the given builder.
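The two warnings above are easiest to appreciate side by side. The following is an added example, not Smack's own code: it builds the weak configuration (both warned-against calls applied) next to a hardened one that pins a dedicated truststore via setCustomX509TrustManager, keeps hostname verification enabled and lets setEnabledTlsProtocolsToRecommended choose the protocol versions. It assumes Smack 4.4's builder API (XMPPTCPConnectionConfiguration.builder(), setXmppDomain, setSecurityMode, setCustomX509TrustManager) and that the caller supplies the truststore path and password; the class and method names XmppTrustConfig, insecure and pinned are this example's own.

```java
import java.io.FileInputStream;
import java.security.KeyStore;

import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import org.jivesoftware.smack.ConnectionConfiguration;
import org.jivesoftware.smack.tcp.XMPPTCPConnectionConfiguration;
import org.jivesoftware.smack.util.TLSUtils;

// Example code, not part of Smack. Names below (XmppTrustConfig, insecure, pinned) are
// this example's own; the Smack builder calls are assumed to match Smack 4.4.
public final class XmppTrustConfig {

    // Weak configuration: every certificate is accepted and the peer's name is never
    // checked. Any on-path attacker holding any certificate can terminate the TLS
    // session and read or modify the XMPP stream. SecurityMode.required only guarantees
    // that *some* TLS session exists, not with whom.
    static XMPPTCPConnectionConfiguration insecure(String xmppDomain) throws Exception {
        XMPPTCPConnectionConfiguration.Builder builder = XMPPTCPConnectionConfiguration.builder()
                .setXmppDomain(xmppDomain)
                .setSecurityMode(ConnectionConfiguration.SecurityMode.required);
        TLSUtils.acceptAllCertificates(builder);                       // chain is never validated
        TLSUtils.disableHostnameVerificationForTlsCertificates(builder); // name is never checked
        return builder.build();
    }

    // Hardened configuration for a server whose CA (or self-signed certificate) is known
    // in advance: trust only what the dedicated truststore contains, leave the default
    // hostname verification untouched, and restrict protocol versions to the recommended set.
    static XMPPTCPConnectionConfiguration pinned(String xmppDomain, String truststorePath,
            char[] truststorePassword) throws Exception {
        KeyStore truststore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(truststorePath)) {
            truststore.load(in, truststorePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore); // PKIX path validation, but only against the pinned anchors

        X509TrustManager pinnedTrustManager = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                pinnedTrustManager = (X509TrustManager) tm;
                break;
            }
        }
        if (pinnedTrustManager == null) {
            throw new IllegalStateException("no X509TrustManager available for " + truststorePath);
        }

        XMPPTCPConnectionConfiguration.Builder builder = XMPPTCPConnectionConfiguration.builder()
                .setXmppDomain(xmppDomain)
                .setSecurityMode(ConnectionConfiguration.SecurityMode.required)
                .setCustomX509TrustManager(pinnedTrustManager);
        TLSUtils.setEnabledTlsProtocolsToRecommended(builder);
        return builder.build();
    }
}
```

The pinned variant fails closed: a certificate from any CA outside the truststore, or a certificate for a different name, aborts the handshake instead of silently connecting to whoever answered.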
setEnabledProtocolsAndCiphers
public static void setEnabledProtocolsAndCiphers(javax.net.ssl.SSLSocket sslSocket, java.lang.String[] enabledProtocols, java.lang.String[] enabledCiphers) throws SmackException.SecurityNotPossibleException
getChannelBindingTlsServerEndPoint
public static byte[] getChannelBindingTlsServerEndPoint(javax.net.ssl.SSLSession sslSession) throws javax.net.ssl.SSLPeerUnverifiedException, java.security.cert.CertificateEncodingException, java.security.NoSuchAlgorithmException
Get the channel binding data for the 'tls-server-end-point' channel binding type. This channel binding type is defined in RFC 5929 § 4: the data is a hash of the server's end-entity certificate in DER encoding, computed with the hash function of the certificate's signature algorithm, except that MD5 and SHA-1 are replaced by SHA-256 (RFC 5929 § 4.1). Because it is derived from the server certificate only, the same value is obtained by client and server, and a SASL mechanism such as SCRAM-PLUS can use it to prove that authentication happens inside the expected TLS session.
    Parameters:
        sslSession - the SSL/TLS session from which the data should be retrieved.
    Returns:
        the channel binding data.
    Throws:
        javax.net.ssl.SSLPeerUnverifiedException - if the TLS peer could not be verified.
        java.security.cert.CertificateEncodingException - if there was an encoding error with the certificate.
        java.security.NoSuchAlgorithmException - if no such algorithm is available.
    See Also:
        RFC 5929 § 4.
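The derivation in RFC 5929 § 4.1 is short enough to show in full. The following is an added example and not Smack's implementation: it maps the certificate's JCA signature algorithm name to the hash to use (MD5 and SHA-1 upgraded to SHA-256, RSASSA-PSS and EdDSA refused because the RFC leaves the binding undefined for them), hashes the DER encoding, and, so that it runs offline, demonstrates the computation on the CA certificates in the JRE's own cacerts file rather than on a live session. The class name TlsServerEndPoint, the method names and the cacerts path are this example's assumptions; a real client would call fromSession on the SSLSession of its connection.

```java
import java.io.FileInputStream;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Locale;

import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

// Example code, not Smack's implementation. Class and method names are this example's own.
public final class TlsServerEndPoint {

    // RFC 5929 section 4.1: use the hash function of the certificate's signatureAlgorithm,
    // but MD5 and SHA-1 are replaced by SHA-256. For algorithms where the hash cannot be
    // read off the name (RSASSA-PSS keeps it in the parameters, EdDSA has none) the RFC
    // leaves the binding undefined, so refuse instead of guessing.
    static String hashAlgorithmFor(X509Certificate cert) throws NoSuchAlgorithmException {
        // JCA names look like "SHA256withRSA", "SHA1withECDSA", "MD5withRSA", "RSASSA-PSS", "Ed25519".
        String sigAlg = cert.getSigAlgName().toUpperCase(Locale.ROOT).replace("-", "");
        if (sigAlg.startsWith("MD5") || sigAlg.startsWith("SHA1")) {
            return "SHA-256";
        }
        if (sigAlg.startsWith("SHA256")) {
            return "SHA-256";
        }
        if (sigAlg.startsWith("SHA384")) {
            return "SHA-384";
        }
        if (sigAlg.startsWith("SHA512")) {
            return "SHA-512";
        }
        throw new NoSuchAlgorithmException(
                "tls-server-end-point is undefined for signature algorithm " + cert.getSigAlgName());
    }

    // The binding covers the DER encoding of the end-entity certificate and nothing else.
    static byte[] tlsServerEndPoint(X509Certificate cert)
            throws NoSuchAlgorithmException, CertificateEncodingException {
        MessageDigest md = MessageDigest.getInstance(hashAlgorithmFor(cert));
        return md.digest(cert.getEncoded());
    }

    // What a client does after the handshake: the first element of the peer chain is the
    // server's own certificate. getPeerCertificates() throws if the peer was not authenticated.
    static byte[] fromSession(SSLSession session)
            throws SSLPeerUnverifiedException, NoSuchAlgorithmException, CertificateEncodingException {
        Certificate[] chain = session.getPeerCertificates();
        return tlsServerEndPoint((X509Certificate) chain[0]);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Offline demonstration over the JRE's default truststore (the same file
    // getDefaultTruststoreStreamIfPossible() opens). A null password skips the integrity
    // check but still lets the certificates be read; since JDK 9 both the JKS and the
    // PKCS#12 KeyStore implementations can load either file format.
    public static void main(String[] args) throws Exception {
        String cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toString();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(cacerts)) {
            ks.load(in, null);
        }
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            try {
                System.out.printf("%-40s %-16s %s%n", alias, cert.getSigAlgName(), hex(tlsServerEndPoint(cert)));
            } catch (NoSuchAlgorithmException e) {
                System.out.printf("%-40s %-16s (undefined: %s)%n", alias, cert.getSigAlgName(), e.getMessage());
            }
        }
    }
}
```

Roots signed with sha1WithRSA show up with a 32-byte SHA-256 binding rather than a 20-byte SHA-1 one, which is exactly the upgrade rule the RFC mandates; if both ends did not apply it identically the SCRAM-PLUS proof would fail.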
getDefaultTruststoreStreamIfPossible
public static java.io.FileInputStream getDefaultTruststoreStreamIfPossible()

getDefaultTruststoreType
public static org.jivesoftware.smack.util.TLSUtils.DefaultTrustStoreType getDefaultTruststoreType() throws java.io.IOException
    Throws:
        java.io.IOException
setDefaultTrustStoreTypeToJksIfRequired
public static void setDefaultTrustStoreTypeToJksIfRequired()
Tries to determine if the default truststore type is of type jks and sets the javax.net.ssl.trustStoreType system property to 'JKS' if so. This is meant as a workaround in situations where the default truststore type is (still) 'jks' but we run on a newer JRE/JDK which uses PKCS#12 as type (the default keystore type changed from JKS to PKCS#12 in JDK 9, JEP 229). See for example Gentoo bug #712290.
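The check the workaround above needs is a format sniff on the truststore file itself, since the file format and the JDK's configured default type can disagree. The following is an added example, not Smack's code: it classifies the file by its leading bytes (JKS and JCEKS files begin with a fixed 32-bit magic, 0xFEEDFEED and 0xCECECECE respectively, while a PKCS#12 file is a DER SEQUENCE and begins with 0x30) and only then sets javax.net.ssl.trustStoreType. The class name TruststoreType, the method names and the decision to leave an explicitly configured trustStoreType alone are this example's own choices.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;

// Example code, not Smack's implementation. Names are this example's own.
public final class TruststoreType {

    enum Type { JKS, JCEKS, PKCS12, UNKNOWN }

    private static final int JKS_MAGIC = 0xFEEDFEED;   // sun.security.provider.JavaKeyStore
    private static final int JCEKS_MAGIC = 0xCECECECE; // JCEKS variant

    // Classify by the first four bytes. A PKCS#12 file is a DER SEQUENCE, so its first
    // byte is 0x30; an empty or truncated file is reported as UNKNOWN rather than guessed.
    static Type sniff(InputStream in) throws IOException {
        byte[] head = new byte[4];
        int n = in.readNBytes(head, 0, head.length);
        if (n < head.length) {
            return Type.UNKNOWN;
        }
        int magic = ((head[0] & 0xff) << 24) | ((head[1] & 0xff) << 16)
                  | ((head[2] & 0xff) << 8) | (head[3] & 0xff);
        if (magic == JKS_MAGIC) {
            return Type.JKS;
        }
        if (magic == JCEKS_MAGIC) {
            return Type.JCEKS;
        }
        if ((head[0] & 0xff) == 0x30) {
            return Type.PKCS12;
        }
        return Type.UNKNOWN;
    }

    // Same precedence the JSSE default trust manager uses: an explicit javax.net.ssl.trustStore
    // wins, otherwise the JRE's bundled cacerts.
    static Path defaultTruststore() {
        String configured = System.getProperty("javax.net.ssl.trustStore");
        if (configured != null) {
            return Paths.get(configured);
        }
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    // Set the type property only when the file really is JKS and nobody configured a type
    // explicitly (this example's choice; it keeps the workaround from overriding an operator).
    static boolean setTrustStoreTypeIfJks() throws IOException {
        if (System.getProperty("javax.net.ssl.trustStoreType") != null) {
            return false;
        }
        Path path = defaultTruststore();
        if (!Files.isReadable(path)) {
            return false;
        }
        try (InputStream in = Files.newInputStream(path)) {
            if (sniff(in) == Type.JKS) {
                System.setProperty("javax.net.ssl.trustStoreType", "JKS");
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        Path path = defaultTruststore();
        try (InputStream in = Files.newInputStream(path)) {
            System.out.println(path + ": " + sniff(in)
                    + " (KeyStore.getDefaultType() = " + KeyStore.getDefaultType() + ")");
        }
        System.out.println("javax.net.ssl.trustStoreType set to JKS: " + setTrustStoreTypeIfJks());
    }
}
```

On a JDK 9 or newer runtime with its stock cacerts the sniff reports PKCS12 and nothing is set; on a distribution that still ships a JKS cacerts while KeyStore.getDefaultType() reports pkcs12 (the Gentoo situation referenced above) the property is set so the JSSE default trust manager can open the file.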