org.apache.http.conn.ssl
Class SSLSocketFactory

java.lang.Object
  org.apache.http.conn.ssl.SSLSocketFactory

All Implemented Interfaces:

LayeredSocketFactory, SocketFactory

@NotThreadSafe
public class SSLSocketFactory
extends Object
implements LayeredSocketFactory

Layered socket factory for TLS/SSL connections, based on JSSE.

SSLSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates and to authenticate to the HTTPS server using a private key.

SSLSocketFactory will enable server authentication when supplied with a truststore file containing one or several trusted certificates. The client secure socket will reject the connection during the SSL session handshake if the target HTTPS server attempts to authenticate itself with a non-trusted certificate.

Use JDK keytool utility to import a trusted certificate and generate a truststore file:

     keytool -import -alias "my server cert" -file server.crt -keystore my.truststore
    

The following parameters can be used to customize the behavior of this class:

• CoreConnectionPNames.CONNECTION_TIMEOUT
• CoreConnectionPNames.SO_TIMEOUT

SSLSocketFactory will enable client authentication when supplied with a keystore file containg a private key/public certificate pair. The client secure socket will use the private key to authenticate itself to the target HTTPS server during the SSL session handshake if requested to do so by the server. The target HTTPS server will in its turn verify the certificate presented by the client in order to establish client's authenticity

Use the following sequence of actions to generate a keystore file

• Use JDK keytool utility to generate a new key

  keytool -genkey -v -alias "my client key" -validity 365 -keystore my.keystore

  For simplicity use the same password for the key as that of the keystore

• Issue a certificate signing request (CSR)

  keytool -certreq -alias "my client key" -file mycertreq.csr -keystore my.keystore

• Send the certificate request to the trusted Certificate Authority for signature. One may choose to act as her own CA and sign the certificate request using a PKI tool, such as OpenSSL.

• Import the trusted CA root certificate

  keytool -import -alias "my trusted ca" -file caroot.crt -keystore my.keystore

• Import the PKCS#7 file containg the complete certificate chain

  keytool -import -alias "my client key" -file mycert.p7 -keystore my.keystore

• Verify the content the resultant keystore file

  keytool -list -v -keystore my.keystore

Since:

4.0

Field Summary

static X509HostnameVerifier	ALLOW_ALL_HOSTNAME_VERIFIER
static X509HostnameVerifier	BROWSER_COMPATIBLE_HOSTNAME_VERIFIER
static String	SSL
static String	SSLV2
static X509HostnameVerifier	STRICT_HOSTNAME_VERIFIER
static String	TLS

Constructor Summary

SSLSocketFactory(KeyStore truststore)

SSLSocketFactory(KeyStore keystore, String keystorePassword)

SSLSocketFactory(KeyStore keystore, String keystorePassword, KeyStore truststore)

SSLSocketFactory(SSLContext sslContext)

SSLSocketFactory(SSLContext sslContext, HostNameResolver nameResolver)

SSLSocketFactory(String algorithm, KeyStore keystore, String keystorePassword, KeyStore truststore, SecureRandom random, HostNameResolver nameResolver)

Method Summary

Socket	connectSocket(Socket sock, String host, int port, InetAddress localAddress, int localPort, HttpParams params) Connects a socket to the given host.
Socket	createSocket() Creates a new, unconnected socket.
Socket	createSocket(Socket socket, String host, int port, boolean autoClose) Returns a socket connected to the given host that is layered over an existing socket.
X509HostnameVerifier	getHostnameVerifier()
static SSLSocketFactory	getSocketFactory() Gets the default factory, which uses the default JVM settings for secure connections.
boolean	isSecure(Socket sock) Checks whether a socket connection is secure.
void	setHostnameVerifier(X509HostnameVerifier hostnameVerifier)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

TLS

public static final String TLS

See Also:

Constant Field Values

SSL

public static final String SSL

See Also:

Constant Field Values

SSLV2

public static final String SSLV2

See Also:

Constant Field Values

ALLOW_ALL_HOSTNAME_VERIFIER

public static final X509HostnameVerifier ALLOW_ALL_HOSTNAME_VERIFIER

BROWSER_COMPATIBLE_HOSTNAME_VERIFIER

public static final X509HostnameVerifier BROWSER_COMPATIBLE_HOSTNAME_VERIFIER

STRICT_HOSTNAME_VERIFIER

public static final X509HostnameVerifier STRICT_HOSTNAME_VERIFIER

Constructor Detail

SSLSocketFactory

public SSLSocketFactory(String algorithm,
                        KeyStore keystore,
                        String keystorePassword,
                        KeyStore truststore,
                        SecureRandom random,
                        HostNameResolver nameResolver)
                 throws NoSuchAlgorithmException,
                        KeyManagementException,
                        KeyStoreException,
                        UnrecoverableKeyException

Throws:

NoSuchAlgorithmException

KeyManagementException

KeyStoreException

UnrecoverableKeyException

SSLSocketFactory

public SSLSocketFactory(KeyStore keystore,
                        String keystorePassword,
                        KeyStore truststore)
                 throws NoSuchAlgorithmException,
                        KeyManagementException,
                        KeyStoreException,
                        UnrecoverableKeyException

Throws:

NoSuchAlgorithmException

KeyManagementException

KeyStoreException

UnrecoverableKeyException

SSLSocketFactory

public SSLSocketFactory(KeyStore keystore,
                        String keystorePassword)
                 throws NoSuchAlgorithmException,
                        KeyManagementException,
                        KeyStoreException,
                        UnrecoverableKeyException

Throws:

NoSuchAlgorithmException

KeyManagementException

KeyStoreException

UnrecoverableKeyException

SSLSocketFactory

public SSLSocketFactory(KeyStore truststore)
                 throws NoSuchAlgorithmException,
                        KeyManagementException,
                        KeyStoreException,
                        UnrecoverableKeyException

Throws:

NoSuchAlgorithmException

KeyManagementException

KeyStoreException

UnrecoverableKeyException

SSLSocketFactory

public SSLSocketFactory(SSLContext sslContext,
                        HostNameResolver nameResolver)

SSLSocketFactory

public SSLSocketFactory(SSLContext sslContext)

Method Detail

getSocketFactory

public static SSLSocketFactory getSocketFactory()

Gets the default factory, which uses the default JVM settings for secure connections.

Returns:

the default factory

createSocket

public Socket createSocket()
                    throws IOException

Description copied from interface: SocketFactory

Creates a new, unconnected socket. The socket should subsequently be passed to connectSocket.

Specified by:

createSocket in interface SocketFactory

Returns:

a new socket

Throws:

IOException - if an I/O error occurs while creating the socket

connectSocket

public Socket connectSocket(Socket sock,
                            String host,
                            int port,
                            InetAddress localAddress,
                            int localPort,
                            HttpParams params)
                     throws IOException

Description copied from interface: SocketFactory

Connects a socket to the given host.

Specified by:

connectSocket in interface SocketFactory

Parameters:

sock - the socket to connect, as obtained from createSocket. null indicates that a new socket should be created and connected.

host - the host to connect to

port - the port to connect to on the host

localAddress - the local address to bind the socket to, or null for any

localPort - the port on the local machine, 0 or a negative number for any

params - additional parameters for connecting

Returns:

the connected socket. The returned object may be different from the sock argument if this factory supports a layered protocol.

Throws:

IOException - if an I/O error occurs

UnknownHostException - if the IP address of the target host can not be determined

ConnectTimeoutException - if the socket cannot be connected within the time limit defined in the params

isSecure

public boolean isSecure(Socket sock)
                 throws IllegalArgumentException

Checks whether a socket connection is secure. This factory creates TLS/SSL socket connections which, by default, are considered secure.
Derived classes may override this method to perform runtime checks, for example based on the cypher suite.

Specified by:

isSecure in interface SocketFactory

Parameters:

sock - the connected socket

Returns:

true

Throws:

IllegalArgumentException - if the argument is invalid

createSocket

public Socket createSocket(Socket socket,
                           String host,
                           int port,
                           boolean autoClose)
                    throws IOException,
                           UnknownHostException

Description copied from interface: LayeredSocketFactory

Returns a socket connected to the given host that is layered over an existing socket. Used primarily for creating secure sockets through proxies.

Specified by:

createSocket in interface LayeredSocketFactory

Parameters:

socket - the existing socket

host - the host name/IP

port - the port on the host

autoClose - a flag for closing the underling socket when the created socket is closed

Returns:

Socket a new socket

Throws:

IOException - if an I/O error occurs while creating the socket

UnknownHostException - if the IP address of the host cannot be determined

setHostnameVerifier

public void setHostnameVerifier(X509HostnameVerifier hostnameVerifier)

getHostnameVerifier

public X509HostnameVerifier getHostnameVerifier()