/** Deshabilita las comprobaciones de certificados en conexiones SSL, aceptádose entonces * cualquier certificado. * @throws KeyManagementException Si hay problemas en la gestión de claves SSL. * @throws NoSuchAlgorithmException Si el JRE no soporta algún algoritmo necesario. * @throws KeyStoreException Si no se puede cargar el KeyStore SSL. * @throws IOException Si hay errores en la carga del fichero KeyStore SSL. * @throws CertificateException Si los certificados del KeyStore SSL son inválidos. * @throws UnrecoverableKeyException Si una clave del KeyStore SSL es inválida. * @throws NoSuchProviderException Si ocurre un error al recuperar la instancia del Keystore.*/ public static void disableSslChecks() throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException, UnrecoverableKeyException, CertificateException, IOException, NoSuchProviderException { final SSLContext sc = SSLContext.getInstance(SSL_CONTEXT); sc.init(getKeyManager(), DUMMY_TRUST_MANAGER, new java.security.SecureRandom()); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); HttpsURLConnection.setDefaultHostnameVerifier( new HostnameVerifier() { @Override public boolean verify(final String hostname, final SSLSession session) { return true; } } ); }
private static boolean checkProtocol(SSLSession session, String protocol) { if (session == null) { System.out.println("Check protocol: no session provided"); return false; } System.out.println("Check protocol: negotiated protocol: " + session.getProtocol()); System.out.println("Check protocol: expected protocol: " + protocol); if (!protocol.equals(session.getProtocol())) { System.out.println("Check protocol: unexpected negotiated protocol"); return false; } return true; }
private static boolean checkCipherSuite(SSLSession session, String ciphersuite) { if (session == null) { System.out.println("Check protocol: no session provided"); return false; } System.out.println("Check protocol: negotiated ciphersuite: " + session.getCipherSuite()); System.out.println("Check protocol: expected ciphersuite: " + ciphersuite); if (!ciphersuite.equals(session.getCipherSuite())) { System.out.println("Check protocol: unexpected negotiated ciphersuite"); return false; } return true; }
@Override public void prepare(Benchmark benchmark) { super.prepare(benchmark); client = new OkHttpClient.Builder() .protocols(benchmark.protocols) .build(); if (benchmark.tls) { SslClient sslClient = SslClient.localhost(); SSLSocketFactory socketFactory = sslClient.socketFactory; HostnameVerifier hostnameVerifier = new HostnameVerifier() { @Override public boolean verify(String s, SSLSession session) { return true; } }; client = new OkHttpClient.Builder() .sslSocketFactory(socketFactory, sslClient.trustManager) .hostnameVerifier(hostnameVerifier) .build(); } }
@Override public void prepare(Benchmark benchmark) { super.prepare(benchmark); if (benchmark.tls) { SslClient sslClient = SslClient.localhost(); SSLSocketFactory socketFactory = sslClient.socketFactory; HostnameVerifier hostnameVerifier = new HostnameVerifier() { @Override public boolean verify(String s, SSLSession session) { return true; } }; HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier); HttpsURLConnection.setDefaultSSLSocketFactory(socketFactory); } }
protected void createBuffers( SSLSession session ) { int netBufferMax = session.getPacketBufferSize(); int appBufferMax = Math.max(session.getApplicationBufferSize(), netBufferMax); if( inData == null ) { inData = ByteBuffer.allocate( appBufferMax ); outCrypt = ByteBuffer.allocate( netBufferMax ); inCrypt = ByteBuffer.allocate( netBufferMax ); } else { if( inData.capacity() != appBufferMax ) inData = ByteBuffer.allocate( appBufferMax ); if( outCrypt.capacity() != netBufferMax ) outCrypt = ByteBuffer.allocate( netBufferMax ); if( inCrypt.capacity() != netBufferMax ) inCrypt = ByteBuffer.allocate( netBufferMax ); } inData.rewind(); inData.flip(); inCrypt.rewind(); inCrypt.flip(); outCrypt.rewind(); outCrypt.flip(); bufferallocations++; }
public SSLSession getSslSession () { final IoSession session = this.session; if ( session == null ) { return null; } final Object sslSession = session.getAttribute ( SslFilter.SSL_SESSION ); if ( sslSession instanceof SSLSession ) { return (SSLSession)sslSession; } else { return null; } }
public void handshakeCompleted(HandshakeCompletedEvent evt) { SSLSession session; String sessionId; SSLSocket socket; if (Trace.TRACE) { socket = evt.getSocket(); session = evt.getSession(); Trace.printSystemOut("SSL handshake completed:"); Trace.printSystemOut( "------------------------------------------------"); Trace.printSystemOut("socket: : " + socket); Trace.printSystemOut("cipher suite : " + session.getCipherSuite()); sessionId = StringConverter.byteToHex(session.getId()); Trace.printSystemOut("session id : " + sessionId); Trace.printSystemOut( "------------------------------------------------"); } }
/** * 忽略HTTPS请求的SSL证书,必须在openConnection之前调用 * @throws Exception */ public static void ignoreSsl() throws Exception{ HostnameVerifier hv = new HostnameVerifier() { public boolean verify(String urlHostName, SSLSession session) { return true; } }; trustAllHttpsCertificates(); HttpsURLConnection.setDefaultHostnameVerifier(hv); }
@Override public boolean verify(String host, SSLSession session) { try { Certificate[] certificates = session.getPeerCertificates(); return verify(host, (X509Certificate) certificates[0]); } catch (SSLException e) { return false; } }
private static void checkIdentity(SSLSession session, X509Certificate cert, String algorithm, boolean isClient, List<SNIServerName> sniNames) throws CertificateException { boolean identifiable = false; String peerHost = session.getPeerHost(); if (isClient) { String hostname = getHostNameInSNI(sniNames); if (hostname != null) { try { checkIdentity(hostname, cert, algorithm); identifiable = true; } catch (CertificateException ce) { if (hostname.equalsIgnoreCase(peerHost)) { throw ce; } // otherwisw, failover to check peer host } } } if (!identifiable) { checkIdentity(peerHost, cert, algorithm); } }
@Test public void verifySubjectAlt() throws Exception { // CN=foo.com, subjectAlt=bar.com SSLSession session = session("" + "-----BEGIN CERTIFICATE-----\n" + "MIIEXDCCA0SgAwIBAgIJAIz+EYMBU6aRMA0GCSqGSIb3DQEBBQUAMIGiMQswCQYD\n" + "VQQGEwJDQTELMAkGA1UECBMCQkMxEjAQBgNVBAcTCVZhbmNvdXZlcjEWMBQGA1UE\n" + "ChMNd3d3LmN1Y2JjLmNvbTEUMBIGA1UECxQLY29tbW9uc19zc2wxHTAbBgNVBAMU\n" + "FGRlbW9faW50ZXJtZWRpYXRlX2NhMSUwIwYJKoZIhvcNAQkBFhZqdWxpdXNkYXZp\n" + "ZXNAZ21haWwuY29tMB4XDTA2MTIxMTE1MzYyOVoXDTI4MTEwNTE1MzYyOVowgaQx\n" + "CzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNYXJ5bGFuZDEUMBIGA1UEBxMLRm9yZXN0\n" + "IEhpbGwxFzAVBgNVBAoTDmh0dHBjb21wb25lbnRzMRowGAYDVQQLExF0ZXN0IGNl\n" + "cnRpZmljYXRlczEQMA4GA1UEAxMHZm9vLmNvbTElMCMGCSqGSIb3DQEJARYWanVs\n" + "aXVzZGF2aWVzQGdtYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\n" + "ggEBAMhjr5aCPoyp0R1iroWAfnEyBMGYWoCidH96yGPFjYLowez5aYKY1IOKTY2B\n" + "lYho4O84X244QrZTRl8kQbYtxnGh4gSCD+Z8gjZ/gMvLUlhqOb+WXPAUHMB39GRy\n" + "zerA/ZtrlUqf+lKo0uWcocxeRc771KN8cPH3nHZ0rV0Hx4ZAZy6U4xxObe4rtSVY\n" + "07hNKXAb2odnVqgzcYiDkLV8ilvEmoNWMWrp8UBqkTcpEhYhCYp3cTkgJwMSuqv8\n" + "BqnGd87xQU3FVZI4tbtkB+KzjD9zz8QCDJAfDjZHR03KNQ5mxOgXwxwKw6lGMaiV\n" + "JTxpTKqym93whYk93l3ocEe55c0CAwEAAaOBkDCBjTAJBgNVHRMEAjAAMCwGCWCG\n" + "SAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4E\n" + "FgQUnxR3vz86tso4gkJIFiza0Mteh9gwHwYDVR0jBBgwFoAUe5raj5CZTlLSrNuz\n" + "A1LKh6YNPg0wEgYDVR0RBAswCYIHYmFyLmNvbTANBgkqhkiG9w0BAQUFAAOCAQEA\n" + "dQyprNZBmVnvuVWjV42sey/PTfkYShJwy1j0/jcFZR/ypZUovpiHGDO1DgL3Y3IP\n" + "zVQ26uhUsSw6G0gGRiaBDe/0LUclXZoJzXX1qpS55OadxW73brziS0sxRgGrZE/d\n" + "3g5kkio6IED47OP6wYnlmZ7EKP9cqjWwlnvHnnUcZ2SscoLNYs9rN9ccp8tuq2by\n" + "88OyhKwGjJfhOudqfTNZcDzRHx4Fzm7UsVaycVw4uDmhEHJrAsmMPpj/+XRK9/42\n" + "2xq+8bc6HojdtbCyug/fvBZvZqQXSmU8m8IVcMmWMz0ZQO8ee3QkBHMZfCy7P/kr\n" + "VbWx/uETImUu+NZg22ewEw==\n" + "-----END CERTIFICATE-----\n"); assertFalse(verifier.verify("foo.com", session)); assertFalse(verifier.verify("a.foo.com", session)); assertTrue(verifier.verify("bar.com", session)); assertFalse(verifier.verify("a.bar.com", session)); }
@Test public void verifySubjectAltOnly() throws Exception { // subjectAlt=foo.com SSLSession session = session("" + "-----BEGIN CERTIFICATE-----\n" + "MIIESjCCAzKgAwIBAgIJAIz+EYMBU6aYMA0GCSqGSIb3DQEBBQUAMIGiMQswCQYD\n" + "VQQGEwJDQTELMAkGA1UECBMCQkMxEjAQBgNVBAcTCVZhbmNvdXZlcjEWMBQGA1UE\n" + "ChMNd3d3LmN1Y2JjLmNvbTEUMBIGA1UECxQLY29tbW9uc19zc2wxHTAbBgNVBAMU\n" + "FGRlbW9faW50ZXJtZWRpYXRlX2NhMSUwIwYJKoZIhvcNAQkBFhZqdWxpdXNkYXZp\n" + "ZXNAZ21haWwuY29tMB4XDTA2MTIxMTE2MjYxMFoXDTI4MTEwNTE2MjYxMFowgZIx\n" + "CzAJBgNVBAYTAlVTMREwDwYDVQQIDAhNYXJ5bGFuZDEUMBIGA1UEBwwLRm9yZXN0\n" + "IEhpbGwxFzAVBgNVBAoMDmh0dHBjb21wb25lbnRzMRowGAYDVQQLDBF0ZXN0IGNl\n" + "cnRpZmljYXRlczElMCMGCSqGSIb3DQEJARYWanVsaXVzZGF2aWVzQGdtYWlsLmNv\n" + "bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMhjr5aCPoyp0R1iroWA\n" + "fnEyBMGYWoCidH96yGPFjYLowez5aYKY1IOKTY2BlYho4O84X244QrZTRl8kQbYt\n" + "xnGh4gSCD+Z8gjZ/gMvLUlhqOb+WXPAUHMB39GRyzerA/ZtrlUqf+lKo0uWcocxe\n" + "Rc771KN8cPH3nHZ0rV0Hx4ZAZy6U4xxObe4rtSVY07hNKXAb2odnVqgzcYiDkLV8\n" + "ilvEmoNWMWrp8UBqkTcpEhYhCYp3cTkgJwMSuqv8BqnGd87xQU3FVZI4tbtkB+Kz\n" + "jD9zz8QCDJAfDjZHR03KNQ5mxOgXwxwKw6lGMaiVJTxpTKqym93whYk93l3ocEe5\n" + "5c0CAwEAAaOBkDCBjTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NM\n" + "IEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUnxR3vz86tso4gkJIFiza\n" + "0Mteh9gwHwYDVR0jBBgwFoAUe5raj5CZTlLSrNuzA1LKh6YNPg0wEgYDVR0RBAsw\n" + "CYIHZm9vLmNvbTANBgkqhkiG9w0BAQUFAAOCAQEAjl78oMjzFdsMy6F1sGg/IkO8\n" + "tF5yUgPgFYrs41yzAca7IQu6G9qtFDJz/7ehh/9HoG+oqCCIHPuIOmS7Sd0wnkyJ\n" + "Y7Y04jVXIb3a6f6AgBkEFP1nOT0z6kjT7vkA5LJ2y3MiDcXuRNMSta5PYVnrX8aZ\n" + "yiqVUNi40peuZ2R8mAUSBvWgD7z2qWhF8YgDb7wWaFjg53I36vWKn90ZEti3wNCw\n" + "qAVqixM+J0qJmQStgAc53i2aTMvAQu3A3snvH/PHTBo+5UL72n9S1kZyNCsVf1Qo\n" + "n8jKTiRriEM+fMFlcgQP284EBFzYHyCXFb9O/hMjK2+6mY9euMB1U1aFFzM/Bg==\n" + "-----END CERTIFICATE-----\n"); assertTrue(verifier.verify("foo.com", session)); assertFalse(verifier.verify("a.foo.com", session)); assertTrue(verifier.verify("foo.com", session)); assertFalse(verifier.verify("a.foo.com", session)); }
@Test public void verifyMultipleCn() throws Exception { // CN=foo.com, CN=bar.com, CN=花子.co.jp SSLSession session = session("" + "-----BEGIN CERTIFICATE-----\n" + "MIIEbzCCA1egAwIBAgIJAIz+EYMBU6aXMA0GCSqGSIb3DQEBBQUAMIGiMQswCQYD\n" + "VQQGEwJDQTELMAkGA1UECBMCQkMxEjAQBgNVBAcTCVZhbmNvdXZlcjEWMBQGA1UE\n" + "ChMNd3d3LmN1Y2JjLmNvbTEUMBIGA1UECxQLY29tbW9uc19zc2wxHTAbBgNVBAMU\n" + "FGRlbW9faW50ZXJtZWRpYXRlX2NhMSUwIwYJKoZIhvcNAQkBFhZqdWxpdXNkYXZp\n" + "ZXNAZ21haWwuY29tMB4XDTA2MTIxMTE2MTk0NVoXDTI4MTEwNTE2MTk0NVowgc0x\n" + "CzAJBgNVBAYTAlVTMREwDwYDVQQIDAhNYXJ5bGFuZDEUMBIGA1UEBwwLRm9yZXN0\n" + "IEhpbGwxFzAVBgNVBAoMDmh0dHBjb21wb25lbnRzMRowGAYDVQQLDBF0ZXN0IGNl\n" + "cnRpZmljYXRlczEQMA4GA1UEAwwHZm9vLmNvbTEQMA4GA1UEAwwHYmFyLmNvbTEV\n" + "MBMGA1UEAwwM6Iqx5a2QLmNvLmpwMSUwIwYJKoZIhvcNAQkBFhZqdWxpdXNkYXZp\n" + "ZXNAZ21haWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyGOv\n" + "loI+jKnRHWKuhYB+cTIEwZhagKJ0f3rIY8WNgujB7PlpgpjUg4pNjYGViGjg7zhf\n" + "bjhCtlNGXyRBti3GcaHiBIIP5nyCNn+Ay8tSWGo5v5Zc8BQcwHf0ZHLN6sD9m2uV\n" + "Sp/6UqjS5ZyhzF5FzvvUo3xw8fecdnStXQfHhkBnLpTjHE5t7iu1JVjTuE0pcBva\n" + "h2dWqDNxiIOQtXyKW8Sag1YxaunxQGqRNykSFiEJindxOSAnAxK6q/wGqcZ3zvFB\n" + "TcVVkji1u2QH4rOMP3PPxAIMkB8ONkdHTco1DmbE6BfDHArDqUYxqJUlPGlMqrKb\n" + "3fCFiT3eXehwR7nlzQIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQf\n" + "Fh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUnxR3vz86\n" + "tso4gkJIFiza0Mteh9gwHwYDVR0jBBgwFoAUe5raj5CZTlLSrNuzA1LKh6YNPg0w\n" + "DQYJKoZIhvcNAQEFBQADggEBAGuZb8ai1NO2j4v3y9TLZvd5s0vh5/TE7n7RX+8U\n" + "y37OL5k7x9nt0mM1TyAKxlCcY+9h6frue8MemZIILSIvMrtzccqNz0V1WKgA+Orf\n" + "uUrabmn+CxHF5gpy6g1Qs2IjVYWA5f7FROn/J+Ad8gJYc1azOWCLQqSyfpNRLSvY\n" + "EriQFEV63XvkJ8JrG62b+2OT2lqT4OO07gSPetppdlSa8NBSKP6Aro9RIX1ZjUZQ\n" + "SpQFCfo02NO0uNRDPUdJx2huycdNb+AXHaO7eXevDLJ+QnqImIzxWiY6zLOdzjjI\n" + "VBMkLHmnP7SjGSQ3XA4ByrQOxfOUTyLyE7NuemhHppuQPxE=\n" + "-----END CERTIFICATE-----\n"); assertFalse(verifier.verify("foo.com", session)); assertFalse(verifier.verify("a.foo.com", session)); assertFalse(verifier.verify("bar.com", session)); assertFalse(verifier.verify("a.bar.com", session)); assertTrue(verifier.verify("\u82b1\u5b50.co.jp", session)); assertFalse(verifier.verify("a.\u82b1\u5b50.co.jp", session)); }
@Test public void verifyWilcardCn() throws Exception { // CN=*.foo.com SSLSession session = session("" + "-----BEGIN CERTIFICATE-----\n" + "MIIESDCCAzCgAwIBAgIJAIz+EYMBU6aUMA0GCSqGSIb3DQEBBQUAMIGiMQswCQYD\n" + "VQQGEwJDQTELMAkGA1UECBMCQkMxEjAQBgNVBAcTCVZhbmNvdXZlcjEWMBQGA1UE\n" + "ChMNd3d3LmN1Y2JjLmNvbTEUMBIGA1UECxQLY29tbW9uc19zc2wxHTAbBgNVBAMU\n" + "FGRlbW9faW50ZXJtZWRpYXRlX2NhMSUwIwYJKoZIhvcNAQkBFhZqdWxpdXNkYXZp\n" + "ZXNAZ21haWwuY29tMB4XDTA2MTIxMTE2MTU1NVoXDTI4MTEwNTE2MTU1NVowgaYx\n" + "CzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNYXJ5bGFuZDEUMBIGA1UEBxMLRm9yZXN0\n" + "IEhpbGwxFzAVBgNVBAoTDmh0dHBjb21wb25lbnRzMRowGAYDVQQLExF0ZXN0IGNl\n" + "cnRpZmljYXRlczESMBAGA1UEAxQJKi5mb28uY29tMSUwIwYJKoZIhvcNAQkBFhZq\n" + "dWxpdXNkYXZpZXNAZ21haWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n" + "CgKCAQEAyGOvloI+jKnRHWKuhYB+cTIEwZhagKJ0f3rIY8WNgujB7PlpgpjUg4pN\n" + "jYGViGjg7zhfbjhCtlNGXyRBti3GcaHiBIIP5nyCNn+Ay8tSWGo5v5Zc8BQcwHf0\n" + "ZHLN6sD9m2uVSp/6UqjS5ZyhzF5FzvvUo3xw8fecdnStXQfHhkBnLpTjHE5t7iu1\n" + "JVjTuE0pcBvah2dWqDNxiIOQtXyKW8Sag1YxaunxQGqRNykSFiEJindxOSAnAxK6\n" + "q/wGqcZ3zvFBTcVVkji1u2QH4rOMP3PPxAIMkB8ONkdHTco1DmbE6BfDHArDqUYx\n" + "qJUlPGlMqrKb3fCFiT3eXehwR7nlzQIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCG\n" + "SAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4E\n" + "FgQUnxR3vz86tso4gkJIFiza0Mteh9gwHwYDVR0jBBgwFoAUe5raj5CZTlLSrNuz\n" + "A1LKh6YNPg0wDQYJKoZIhvcNAQEFBQADggEBAH0ipG6J561UKUfgkeW7GvYwW98B\n" + "N1ZooWX+JEEZK7+Pf/96d3Ij0rw9ACfN4bpfnCq0VUNZVSYB+GthQ2zYuz7tf/UY\n" + "A6nxVgR/IjG69BmsBl92uFO7JTNtHztuiPqBn59pt+vNx4yPvno7zmxsfI7jv0ww\n" + "yfs+0FNm7FwdsC1k47GBSOaGw38kuIVWqXSAbL4EX9GkryGGOKGNh0qvAENCdRSB\n" + "G9Z6tyMbmfRY+dLSh3a9JwoEcBUso6EWYBakLbq4nG/nvYdYvG9ehrnLVwZFL82e\n" + "l3Q/RK95bnA6cuRClGusLad0e6bjkBzx/VQ3VarDEpAkTLUGVAa0CLXtnyc=\n" + "-----END CERTIFICATE-----\n"); assertFalse(verifier.verify("foo.com", session)); assertTrue(verifier.verify("www.foo.com", session)); assertTrue(verifier.verify("\u82b1\u5b50.foo.com", session)); assertFalse(verifier.verify("a.b.foo.com", session)); }
@Test public void verifyWilcardCnOnTld() throws Exception { // It's the CA's responsibility to not issue broad-matching certificates! // CN=*.co.jp SSLSession session = session("" + "-----BEGIN CERTIFICATE-----\n" + "MIIERjCCAy6gAwIBAgIJAIz+EYMBU6aVMA0GCSqGSIb3DQEBBQUAMIGiMQswCQYD\n" + "VQQGEwJDQTELMAkGA1UECBMCQkMxEjAQBgNVBAcTCVZhbmNvdXZlcjEWMBQGA1UE\n" + "ChMNd3d3LmN1Y2JjLmNvbTEUMBIGA1UECxQLY29tbW9uc19zc2wxHTAbBgNVBAMU\n" + "FGRlbW9faW50ZXJtZWRpYXRlX2NhMSUwIwYJKoZIhvcNAQkBFhZqdWxpdXNkYXZp\n" + "ZXNAZ21haWwuY29tMB4XDTA2MTIxMTE2MTYzMFoXDTI4MTEwNTE2MTYzMFowgaQx\n" + "CzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNYXJ5bGFuZDEUMBIGA1UEBxMLRm9yZXN0\n" + "IEhpbGwxFzAVBgNVBAoTDmh0dHBjb21wb25lbnRzMRowGAYDVQQLExF0ZXN0IGNl\n" + "cnRpZmljYXRlczEQMA4GA1UEAxQHKi5jby5qcDElMCMGCSqGSIb3DQEJARYWanVs\n" + "aXVzZGF2aWVzQGdtYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\n" + "ggEBAMhjr5aCPoyp0R1iroWAfnEyBMGYWoCidH96yGPFjYLowez5aYKY1IOKTY2B\n" + "lYho4O84X244QrZTRl8kQbYtxnGh4gSCD+Z8gjZ/gMvLUlhqOb+WXPAUHMB39GRy\n" + "zerA/ZtrlUqf+lKo0uWcocxeRc771KN8cPH3nHZ0rV0Hx4ZAZy6U4xxObe4rtSVY\n" + "07hNKXAb2odnVqgzcYiDkLV8ilvEmoNWMWrp8UBqkTcpEhYhCYp3cTkgJwMSuqv8\n" + "BqnGd87xQU3FVZI4tbtkB+KzjD9zz8QCDJAfDjZHR03KNQ5mxOgXwxwKw6lGMaiV\n" + "JTxpTKqym93whYk93l3ocEe55c0CAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB\n" + "hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE\n" + "FJ8Ud78/OrbKOIJCSBYs2tDLXofYMB8GA1UdIwQYMBaAFHua2o+QmU5S0qzbswNS\n" + "yoemDT4NMA0GCSqGSIb3DQEBBQUAA4IBAQA0sWglVlMx2zNGvUqFC73XtREwii53\n" + "CfMM6mtf2+f3k/d8KXhLNySrg8RRlN11zgmpPaLtbdTLrmG4UdAHHYr8O4y2BBmE\n" + "1cxNfGxxechgF8HX10QV4dkyzp6Z1cfwvCeMrT5G/V1pejago0ayXx+GPLbWlNeZ\n" + "S+Kl0m3p+QplXujtwG5fYcIpaGpiYraBLx3Tadih39QN65CnAh/zRDhLCUzKyt9l\n" + "UGPLEUDzRHMPHLnSqT1n5UU5UDRytbjJPXzF+l/+WZIsanefWLsxnkgAuZe/oMMF\n" + "EJMryEzOjg4Tfuc5qM0EXoPcQ/JlheaxZ40p2IyHqbsWV4MRYuFH4bkM\n" + "-----END CERTIFICATE-----\n"); assertTrue(verifier.verify("foo.co.jp", session)); assertTrue(verifier.verify("\u82b1\u5b50.co.jp", session)); }
boolean isTimedout(SSLSession sess) { if (timeout == 0) { return false; } if ((sess != null) && ((sess.getCreationTime() + timeout * 1000L) <= (System.currentTimeMillis()))) { sess.invalidate(); return true; } return false; }
@Test public void subjectAltName() throws Exception { // $ cat ./cert.cnf // [req] // distinguished_name=distinguished_name // req_extensions=req_extensions // x509_extensions=x509_extensions // [distinguished_name] // [req_extensions] // [x509_extensions] // subjectAltName=DNS:bar.com,DNS:baz.com // // $ openssl req -x509 -nodes -days 36500 -subj '/CN=foo.com' -config ./cert.cnf \ // -newkey rsa:512 -out cert.pem SSLSession session = session("" + "-----BEGIN CERTIFICATE-----\n" + "MIIBPTCB6KADAgECAgkA7zoHaaqNGHQwDQYJKoZIhvcNAQEFBQAwEjEQMA4GA1UE\n" + "AxMHZm9vLmNvbTAgFw0xMDEyMjAxODM5MzZaGA8yMTEwMTEyNjE4MzkzNlowEjEQ\n" + "MA4GA1UEAxMHZm9vLmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC+gmoSxF+8\n" + "hbV+rgRQqHIJd50216OWQJbU3BvdlPbca779NYO4+UZWTFdBM8BdQqs3H4B5Agvp\n" + "y7HeSff1F7XRAgMBAAGjHzAdMBsGA1UdEQQUMBKCB2Jhci5jb22CB2Jhei5jb20w\n" + "DQYJKoZIhvcNAQEFBQADQQBXpZZPOY2Dy1lGG81JTr8L4or9jpKacD7n51eS8iqI\n" + "oTznPNuXHU5bFN0AAGX2ij47f/EahqTpo5RdS95P4sVm\n" + "-----END CERTIFICATE-----"); assertFalse(verifier.verify("foo.com", session)); assertTrue(verifier.verify("bar.com", session)); assertTrue(verifier.verify("baz.com", session)); assertFalse(verifier.verify("a.foo.com", session)); assertFalse(verifier.verify("quux.com", session)); }
protected java.security.cert.X509Certificate [] getX509Certificates(SSLSession session) throws IOException { Certificate [] certs=null; try { certs = session.getPeerCertificates(); } catch( Throwable t ) { log.debug("Error getting client certs",t); return null; } if( certs==null ) return null; java.security.cert.X509Certificate [] x509Certs = new java.security.cert.X509Certificate[certs.length]; for(int i=0; i < certs.length; i++) { if (certs[i] instanceof java.security.cert.X509Certificate ) { // always currently true with the JSSE 1.1.x x509Certs[i] = (java.security.cert.X509Certificate) certs[i]; } else { try { byte [] buffer = certs[i].getEncoded(); CertificateFactory cf = CertificateFactory.getInstance("X.509"); ByteArrayInputStream stream = new ByteArrayInputStream(buffer); x509Certs[i] = (java.security.cert.X509Certificate) cf.generateCertificate(stream); } catch(Exception ex) { log.info("Error translating cert " + certs[i], ex); return null; } } if(log.isTraceEnabled()) log.trace("Cert #" + i + " = " + x509Certs[i]); } if(x509Certs.length < 1) return null; return x509Certs; }
private static Principal getPeerPrincipal(SSLSession session) throws SSLPeerUnverifiedException { Principal principal; try { principal = session.getPeerPrincipal(); } catch (AbstractMethodError e) { // if the JSSE provider does not support it, return null, since // we need it only for Kerberos. principal = null; } return principal; }
static List<SNIServerName> getRequestedServerNames(Socket socket) { if (socket != null && socket.isConnected() && socket instanceof SSLSocket) { SSLSocket sslSocket = (SSLSocket)socket; SSLSession session = sslSocket.getHandshakeSession(); if (session != null && (session instanceof ExtendedSSLSession)) { ExtendedSSLSession extSession = (ExtendedSSLSession)session; return extSession.getRequestedServerNames(); } } return Collections.<SNIServerName>emptyList(); }
public SSLSession getSSLSession() { final Socket socket = super.getSocket(); if (socket instanceof SSLSocket) { return ((SSLSocket) socket).getSession(); } else { return null; } }
public HttpRequest setTrustedHost(final String hostStr) { if (hostStr.length() > 0) { TRUSTED_VERIFIER = new HostnameVerifier() { public boolean verify(String host, SSLSession session) { if (hostStr.contains(host)) { return true; } else { return false; } } }; } return this; }
@Test public void verifyNonAsciiCn() throws Exception { // CN=花子.co.jp SSLSession session = session("" + "-----BEGIN CERTIFICATE-----\n" + "MIIESzCCAzOgAwIBAgIJAIz+EYMBU6aTMA0GCSqGSIb3DQEBBQUAMIGiMQswCQYD\n" + "VQQGEwJDQTELMAkGA1UECBMCQkMxEjAQBgNVBAcTCVZhbmNvdXZlcjEWMBQGA1UE\n" + "ChMNd3d3LmN1Y2JjLmNvbTEUMBIGA1UECxQLY29tbW9uc19zc2wxHTAbBgNVBAMU\n" + "FGRlbW9faW50ZXJtZWRpYXRlX2NhMSUwIwYJKoZIhvcNAQkBFhZqdWxpdXNkYXZp\n" + "ZXNAZ21haWwuY29tMB4XDTA2MTIxMTE1NDIxNVoXDTI4MTEwNTE1NDIxNVowgakx\n" + "CzAJBgNVBAYTAlVTMREwDwYDVQQIDAhNYXJ5bGFuZDEUMBIGA1UEBwwLRm9yZXN0\n" + "IEhpbGwxFzAVBgNVBAoMDmh0dHBjb21wb25lbnRzMRowGAYDVQQLDBF0ZXN0IGNl\n" + "cnRpZmljYXRlczEVMBMGA1UEAwwM6Iqx5a2QLmNvLmpwMSUwIwYJKoZIhvcNAQkB\n" + "FhZqdWxpdXNkYXZpZXNAZ21haWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\n" + "MIIBCgKCAQEAyGOvloI+jKnRHWKuhYB+cTIEwZhagKJ0f3rIY8WNgujB7PlpgpjU\n" + "g4pNjYGViGjg7zhfbjhCtlNGXyRBti3GcaHiBIIP5nyCNn+Ay8tSWGo5v5Zc8BQc\n" + "wHf0ZHLN6sD9m2uVSp/6UqjS5ZyhzF5FzvvUo3xw8fecdnStXQfHhkBnLpTjHE5t\n" + "7iu1JVjTuE0pcBvah2dWqDNxiIOQtXyKW8Sag1YxaunxQGqRNykSFiEJindxOSAn\n" + "AxK6q/wGqcZ3zvFBTcVVkji1u2QH4rOMP3PPxAIMkB8ONkdHTco1DmbE6BfDHArD\n" + "qUYxqJUlPGlMqrKb3fCFiT3eXehwR7nlzQIDAQABo3sweTAJBgNVHRMEAjAAMCwG\n" + "CWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV\n" + "HQ4EFgQUnxR3vz86tso4gkJIFiza0Mteh9gwHwYDVR0jBBgwFoAUe5raj5CZTlLS\n" + "rNuzA1LKh6YNPg0wDQYJKoZIhvcNAQEFBQADggEBALJ27i3okV/KvlDp6KMID3gd\n" + "ITl68PyItzzx+SquF8gahMh016NX73z/oVZoVUNdftla8wPUB1GwIkAnGkhQ9LHK\n" + "spBdbRiCj0gMmLCsX8SrjFvr7cYb2cK6J/fJe92l1tg/7Y4o7V/s4JBe/cy9U9w8\n" + "a0ctuDmEBCgC784JMDtT67klRfr/2LlqWhlOEq7pUFxRLbhpquaAHSOjmIcWnVpw\n" + "9BsO7qe46hidgn39hKh1WjKK2VcL/3YRsC4wUi0PBtFW6ScMCuMhgIRXSPU55Rae\n" + "UIlOdPjjr1SUNWGId1rD7W16Scpwnknn310FNxFMHVI0GTGFkNdkilNCFJcIoRA=\n" + "-----END CERTIFICATE-----\n"); assertTrue(verifier.verify("\u82b1\u5b50.co.jp", session)); assertFalse(verifier.verify("a.\u82b1\u5b50.co.jp", session)); }
@Override public void handshake(Socket sock) throws IOException { // We do getSession instead of startHandshake() so we can call this // multiple times SSLSession session = ((SSLSocket) sock).getSession(); if (session.getCipherSuite().equals("SSL_NULL_WITH_NULL_NULL")) throw new IOException("SSL handshake failed. Ciper suite in SSL Session is SSL_NULL_WITH_NULL_NULL"); if (!allowUnsafeLegacyRenegotiation && !rfc5746Supported) { // Prevent further handshakes by removing all cipher suites ((SSLSocket) sock).setEnabledCipherSuites(new String[0]); } }
@Override public boolean verify(String hostname, SSLSession session) { if (this.host == null || "".equals(this.host) || !this.host.contains(hostname)) { return false; } return true; }
@Override protected Registry<ConnectionSocketFactory> getRegistry() { HostnameVerifier verifier = new HostnameVerifier() { @Override public boolean verify(String hostName, SSLSession session) { return true; } }; SSLContext sslContext = null; try { sslContext = new SSLContextBuilder().loadTrustMaterial(null, new TrustStrategy() { public boolean isTrusted(X509Certificate[] arg0, String arg1) throws CertificateException { return true; } }).build(); } catch (NoSuchAlgorithmException | KeyManagementException | KeyStoreException e) { e.printStackTrace(); } if (sslContext == null) { throw new RuntimeException("SSL Context not created"); } SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory( sslContext, new String[]{"TLSv1.2"}, null, verifier); return RegistryBuilder.<ConnectionSocketFactory>create() .register("http", PlainConnectionSocketFactory.getSocketFactory()) .register("https", sslConnectionSocketFactory) .build(); }
public SSLSession getHandshakeSession() { try { return (SSLSession) SSLSocket.class.getMethod("getHandshakeSession").invoke(delegate); } catch (IllegalAccessException | InvocationTargetException | NoSuchMethodException e) { throw new AssertionError(); } }
@Override public boolean verify(String hostname, SSLSession session) { HttpLog.i("############### verify " + hostname + " " + this.host); if (this.host == null || "".equals(this.host) || !this.host.contains(hostname)) return false; return true; }
private NetworkRequestClient(){ OkHttpClient.Builder builder = new OkHttpClient.Builder(); //支持Https builder.hostnameVerifier(new HostnameVerifier() { @Override public boolean verify(String hostname, SSLSession session) { return true; } }); builder.connectTimeout(TIME_OUT, TimeUnit.SECONDS); // builder.readTimeout(TIME_OUT, TimeUnit.SECONDS); // builder.writeTimeout(TIME_OUT, TimeUnit.SECONDS); mOkHttpClient = builder.build(); }
public Object getUserToken(final HttpContext context) { final HttpClientContext clientContext = HttpClientContext.adapt(context); Principal userPrincipal = null; final AuthState targetAuthState = clientContext.getTargetAuthState(); if (targetAuthState != null) { userPrincipal = getAuthPrincipal(targetAuthState); if (userPrincipal == null) { final AuthState proxyAuthState = clientContext.getProxyAuthState(); userPrincipal = getAuthPrincipal(proxyAuthState); } } if (userPrincipal == null) { final HttpConnection conn = clientContext.getConnection(); if (conn.isOpen() && conn instanceof ManagedHttpClientConnection) { final SSLSession sslsession = ((ManagedHttpClientConnection) conn).getSSLSession(); if (sslsession != null) { userPrincipal = sslsession.getLocalPrincipal(); } } } return userPrincipal; }
public SSLSession getSSLSession() { OperatedClientConnection conn = getWrappedConnection(); assertValid(conn); if (!isOpen()) return null; SSLSession result = null; Socket sock = conn.getSocket(); if (sock instanceof SSLSocket) { result = ((SSLSocket)sock).getSession(); } return result; }
public final boolean verify(final String host, final SSLSession session) { try { final Certificate[] certs = session.getPeerCertificates(); final X509Certificate x509 = (X509Certificate) certs[0]; verify(host, x509); return true; } catch(final SSLException e) { return false; } }
public SSLSession getSSLSession() { if (this.socket instanceof SSLSocket) { return ((SSLSocket) this.socket).getSession(); } else { return null; } }
public static void main (String[] args) throws Exception { SSLContext context = SSLContext.getDefault(); // set the property before initialization SSLEngine. System.setProperty("jsse.SSLEngine.acceptLargeFragments", "true"); SSLEngine cliEngine = context.createSSLEngine(); cliEngine.setUseClientMode(true); SSLEngine srvEngine = context.createSSLEngine(); srvEngine.setUseClientMode(false); SSLSession cliSession = cliEngine.getSession(); SSLSession srvSession = srvEngine.getSession(); // check packet buffer sizes. if (cliSession.getPacketBufferSize() < 33049 || srvSession.getPacketBufferSize() < 33049) { throw new Exception("Don't accept large SSL/TLS fragments"); } // check application data buffer sizes. if (cliSession.getApplicationBufferSize() < 32768 || srvSession.getApplicationBufferSize() < 32768) { throw new Exception( "Don't accept large SSL/TLS application data "); } }
