Java Doc for SSLContext.java in apache-tomcat-6.0.14, package org.apache.tomcat.jni



java.lang.Object
   org.apache.tomcat.jni.SSLContext

SSLContext
final public class SSLContext
SSL Context
author:
   Mladen Turk
version:
   $Revision: 467222 $, $Date: 2006-10-24 05:17:11 +0200 (mar., 24 oct. 2006) $




Method Summary
native public static int free(long ctx)
     Free the resources used by the Context
native public static long make(long pool, int protocol, int mode)
     Initialize new SSL context
native public static void setBIO(long ctx, long bio, int dir)
     Associate BIOCallback for input or output data capture.
native public static boolean setCACertificate(long ctx, String file, String path)
     Set File and Directory of concatenated PEM-encoded CA Certificates for Client Auth
     This directive sets the all-in-one file where you can assemble the Certificates of Certification Authorities (CA) whose clients you deal with. These are used for Client Authentication.
native public static boolean setCARevocation(long ctx, String file, String path)
     Set File of concatenated PEM-encoded CA CRLs or directory of PEM-encoded CA Certificates for Client Auth
     This directive sets the all-in-one file where you can assemble the Certificate Revocation Lists (CRL) of Certification Authorities (CA) whose clients you deal with.
native public static boolean setCertificate(long ctx, String cert, String key, String password, int idx)
     Set Certificate
     Point setCertificateFile at a PEM encoded certificate.
native public static boolean setCertificateChainFile(long ctx, String file, boolean skipfirst)
     Set File of PEM-encoded Server CA Certificates
     This directive sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate.
native public static boolean setCipherSuite(long ctx, String ciphers)
     Cipher Suite available for negotiation in SSL handshake.
     This complex directive uses a colon-separated cipher-spec string consisting of OpenSSL cipher specifications to configure the Cipher Suite the client is permitted to negotiate in the SSL handshake phase.
native public static void setContextId(long ctx, String id)
     Set Session context id.
native public static void setOptions(long ctx, int options)
     Set OpenSSL Option.
native public static void setQuietShutdown(long ctx, boolean mode)
     Sets the "quiet shutdown" flag for ctx to be mode.
native public static void setShutdowType(long ctx, int type)
native public static void setVerify(long ctx, int level, int depth)
     Set Type of Client Certificate verification and Maximum depth of CA Certificates in Client Certificate verification.
     This directive sets the Certificate verification level for the Client Authentication.



Method Detail
free
native public static int free(long ctx)
Free the resources used by the Context
Parameters:
  ctx - Server or Client context to free.
Returns:
  APR Status code.



make
native public static long make(long pool, int protocol, int mode) throws Exception
Initialize new SSL context
Parameters:
  pool - The pool to use.
  protocol - The SSL protocol to use. It can be one of:
    SSL_PROTOCOL_SSLV2
    SSL_PROTOCOL_SSLV3
    SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3
    SSL_PROTOCOL_TLSV1
    SSL_PROTOCOL_ALL
  mode - SSL mode to use
    SSL_MODE_CLIENT
    SSL_MODE_SERVER
    SSL_MODE_COMBINED



setBIO
native public static void setBIO(long ctx, long bio, int dir)
Associate BIOCallback for input or output data capture.
First word in the output string will contain error level in the form:
 [ERROR]  -- Critical error messages
 [WARN]   -- Warning messages
 [INFO]   -- Informational messages
 [DEBUG]  -- Debugging messages

Callback can use that word to determine application logging level by intercepting write call. If the bio is set to 0 no error messages will be displayed. Default is to use the stderr output stream.
Parameters:
  ctx - Server or Client context to use.
  bio - BIO handle to use, created with SSL.newBIO
  dir - BIO direction (1 for input 0 for output).
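
How a callback can act on the leading level word described above, as an added example that is not part of the original page or of Tomcat. SslBioLogRouter, levelOf, route and the logger name are hypothetical, the sample messages are constructed, and route is meant to be called from the write method of the BIOCallback handed to SSL.newBIO.

```java
import java.nio.charset.StandardCharsets;
import java.util.logging.Level;
import java.util.logging.Logger;

public final class SslBioLogRouter {
    private static final Logger LOG = Logger.getLogger("tcnative.ssl");

    // Map the first word of a native SSL message to a java.util.logging level.
    static Level levelOf(String msg) {
        if (msg.startsWith("[ERROR]")) return Level.SEVERE;
        if (msg.startsWith("[WARN]"))  return Level.WARNING;
        if (msg.startsWith("[INFO]"))  return Level.INFO;
        if (msg.startsWith("[DEBUG]")) return Level.FINE;
        return Level.WARNING; // unknown prefix: keep it visible rather than drop it
    }

    // Intended body of the callback's write(): returns the number of bytes consumed.
    static int route(byte[] buf) {
        String msg = new String(buf, StandardCharsets.ISO_8859_1)
                .replaceAll("\\p{Cntrl}+", " ") // one log record per message, no forged lines
                .trim();
        if (!msg.isEmpty()) {
            LOG.log(levelOf(msg), msg);
        }
        return buf.length;
    }

    public static void main(String[] args) {
        // Constructed sample messages, not captured output.
        String[] samples = {
            "[ERROR] constructed sample: private key could not be loaded\n",
            "[WARN] constructed sample: no CRL configured\n",
            "[INFO] constructed sample\r\n[ERROR] embedded second line",
            "constructed sample without a level prefix"
        };
        for (String s : samples) {
            route(s.getBytes(StandardCharsets.ISO_8859_1));
        }
    }
}
```

With the default java.util.logging configuration, [DEBUG] messages map to FINE and are not printed unless the logger level is lowered.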



setCACertificate
native public static boolean setCACertificate(long ctx, String file, String path) throws Exception
Set File and Directory of concatenated PEM-encoded CA Certificates for Client Auth
This directive sets the all-in-one file where you can assemble the Certificates of Certification Authorities (CA) whose clients you deal with. These are used for Client Authentication. Such a file is simply the concatenation of the various PEM-encoded Certificate files, in order of preference. This can be used alternatively and/or additionally to path.
The files in this directory have to be PEM-encoded and are accessed through hash filenames. So usually you can't just place the Certificate files there: you also have to create symbolic links named hash-value.N. And you should always make sure this directory contains the appropriate symbolic links. Use the Makefile which comes with mod_ssl to accomplish this task.
Parameters:
  ctx - Server or Client context to use.
  file - File of concatenated PEM-encoded CA Certificates for Client Auth.
  path - Directory of PEM-encoded CA Certificates for Client Auth.



setCARevocation
native public static boolean setCARevocation(long ctx, String file, String path) throws Exception
Set File of concatenated PEM-encoded CA CRLs or directory of PEM-encoded CA Certificates for Client Auth
This directive sets the all-in-one file where you can assemble the Certificate Revocation Lists (CRL) of Certification Authorities (CA) whose clients you deal with. These are used for Client Authentication. Such a file is simply the concatenation of the various PEM-encoded CRL files, in order of preference.
The files in this directory have to be PEM-encoded and are accessed through hash filenames. So usually you can't just place the Certificate files there: you also have to create symbolic links named hash-value.N. And you should always make sure this directory contains the appropriate symbolic links. Use the Makefile which comes with mod_ssl to accomplish this task.
Parameters:
  ctx - Server or Client context to use.
  file - File of concatenated PEM-encoded CA CRLs for Client Auth.
  path - Directory of PEM-encoded CA Certificates for Client Auth.



setCertificate
native public static boolean setCertificate(long ctx, String cert, String key, String password, int idx) throws Exception
Set Certificate
Point setCertificateFile at a PEM encoded certificate. If the certificate is encrypted, then you will be prompted for a pass phrase. Note that a kill -HUP will prompt again. A test certificate can be generated with `make certificate' at build time. Keep in mind that if you have both an RSA and a DSA certificate you can configure both in parallel (to also allow the use of DSA ciphers, etc.)
If the key is not combined with the certificate, use key param to point at the key file. Keep in mind that if you've both a RSA and a DSA private key you can configure both in parallel (to also allow the use of DSA ciphers, etc.)
Parameters:
  ctx - Server or Client context to use.
  cert - Certificate file.
  key - Private Key file to use if not in cert.
  password - Certificate password. If null and certificate is encrypted, password prompt will be displayed.
  idx - Certificate index SSL_AIDX_RSA or SSL_AIDX_DSA.



setCertificateChainFile
native public static boolean setCertificateChainFile(long ctx, String file, boolean skipfirst)
Set File of PEM-encoded Server CA Certificates
This directive sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate. Such a file is simply the concatenation of the various PEM-encoded CA Certificate files, usually in certificate chain order.
But be careful: Providing the certificate chain works only if you are using a single (either RSA or DSA) based server certificate. If you are using a coupled RSA+DSA certificate pair, this will work only if actually both certificates use the same certificate chain. Else the browsers will be confused in this situation.
Parameters:
  ctx - Server or Client context to use.
  file - File of PEM-encoded Server CA Certificates.
  skipfirst - Skip first certificate if chain file is inside certificate file.



setCipherSuite
native public static boolean setCipherSuite(long ctx, String ciphers) throws Exception
Cipher Suite available for negotiation in SSL handshake.
This complex directive uses a colon-separated cipher-spec string consisting of OpenSSL cipher specifications to configure the Cipher Suite the client is permitted to negotiate in the SSL handshake phase. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the standard SSL handshake when a connection is established. In per-directory context it forces an SSL renegotiation with the reconfigured Cipher Suite after the HTTP request was read but before the HTTP response is sent.
Parameters:
  ctx - Server or Client context to use.
  ciphers - An SSL cipher specification.



setContextId
native public static void setContextId(long ctx, String id)
Set Session context id. Usually host:port combination.
Parameters:
  ctx - Context to use.
  id - String that uniquely identifies this context.



setOptions
native public static void setOptions(long ctx, int options)
Set OpenSSL Option.
Parameters:
  ctx - Server or Client context to use.
  options - See SSL.SSL_OP_* for option flags.



setQuietShutdown
native public static void setQuietShutdown(long ctx, boolean mode)
Sets the "quiet shutdown" flag for ctx to be mode. SSL objects created from ctx inherit the mode valid at the time and may be 0 or 1.
Normally when an SSL connection is finished, the parties must send out "close notify" alert messages using SSL_shutdown for a clean shutdown.
When setting the "quiet shutdown" flag to 1, SSL.shutdown will set the internal flags to SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN. (SSL_shutdown then behaves as if called with SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN.) The session is thus considered to be shut down, but no "close notify" alert is sent to the peer. This behaviour violates the TLS standard. The default is normal shutdown behaviour as described by the TLS standard.
Parameters:
  ctx - Server or Client context to use.
  mode - True to set the quiet shutdown.



setShutdowType
native public static void setShutdowType(long ctx, int type)
Set SSL connection shutdown type
The following levels are available for level:
 SSL_SHUTDOWN_TYPE_STANDARD
 SSL_SHUTDOWN_TYPE_UNCLEAN
 SSL_SHUTDOWN_TYPE_ACCURATE

Parameters:
  ctx - Server or Client context to use.
  type - Shutdown type to use.



setVerify
native public static void setVerify(long ctx, int level, int depth)
Set Type of Client Certificate verification and Maximum depth of CA Certificates in Client Certificate verification.
This directive sets the Certificate verification level for the Client Authentication. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the client authentication process used in the standard SSL handshake when a connection is established. In per-directory context it forces an SSL renegotiation with the reconfigured client verification level after the HTTP request was read but before the HTTP response is sent.
The following levels are available for level:
 SSL_CVERIFY_NONE           - No client Certificate is required at all
 SSL_CVERIFY_OPTIONAL       - The client may present a valid Certificate
 SSL_CVERIFY_REQUIRE        - The client has to present a valid Certificate
 SSL_CVERIFY_OPTIONAL_NO_CA - The client may present a valid Certificate,
                              but it need not be (successfully) verifiable

The depth is the maximum number of intermediate certificate issuers, i.e. the maximum number of CA certificates that may be followed while verifying the client certificate. A depth of 0 means that only self-signed client certificates are accepted; the default depth of 1 means the client certificate can be self-signed or has to be signed by a CA which is directly known to the server (i.e. the CA's certificate is under setCACertificatePath), etc.
Parameters:
  ctx - Server or Client context to use.
  level - Type of Client Certificate verification.
  depth - Maximum depth of CA Certificates in Client Certificate verification.
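
The setters documented on this page, combined into a server context that requires client certificates, as an added example that is not from the original page or the Tomcat project. The file paths, cipher string, context id, the class name MutualTlsContext and the require helper are assumptions; Library, Pool and SSL are sibling classes in org.apache.tomcat.jni, and the example assumes the SSL_* constants named on this page are defined on SSL.

```java
import org.apache.tomcat.jni.Library;
import org.apache.tomcat.jni.Pool;
import org.apache.tomcat.jni.SSL;
import org.apache.tomcat.jni.SSLContext;

public final class MutualTlsContext {
    // Placeholder paths (assumptions): replace with your own PEM files.
    static final String CERT = "/path/to/server-cert.pem";
    static final String KEY = "/path/to/server-key.pem";
    static final String CHAIN = "/path/to/server-chain.pem";
    static final String CLIENT_CA = "/path/to/client-ca-bundle.pem";
    static final String CLIENT_CRL = "/path/to/client-ca-crl.pem";

    // The boolean setters report failure by return value; never ignore it.
    static void require(boolean ok, String step) {
        if (!ok) throw new IllegalStateException(step + " returned false");
    }

    static long build(long pool) throws Exception {
        // Of the protocol values listed for make, only SSL_PROTOCOL_TLSV1
        // leaves out SSLv2 and SSLv3.
        long ctx = SSLContext.make(pool, SSL.SSL_PROTOCOL_TLSV1, SSL.SSL_MODE_SERVER);
        try {
            // Example policy string in OpenSSL cipher-spec syntax (assumption).
            require(SSLContext.setCipherSuite(ctx, "HIGH:!aNULL:!eNULL:!MD5"), "setCipherSuite");
            // null password: an encrypted key triggers the prompt described above.
            require(SSLContext.setCertificate(ctx, CERT, KEY, null, SSL.SSL_AIDX_RSA), "setCertificate");
            require(SSLContext.setCertificateChainFile(ctx, CHAIN, false), "setCertificateChainFile");
            // Trust anchors and CRLs for client certificates; file form only, no hashed directory.
            require(SSLContext.setCACertificate(ctx, CLIENT_CA, null), "setCACertificate");
            require(SSLContext.setCARevocation(ctx, CLIENT_CRL, null), "setCARevocation");
            // Reject clients without a valid certificate; depth 1 as described above.
            SSLContext.setVerify(ctx, SSL.SSL_CVERIFY_REQUIRE, 1);
            SSLContext.setContextId(ctx, "localhost:8443");
            return ctx;
        } catch (Exception e) {
            SSLContext.free(ctx); // do not leak a half-configured context
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        Library.initialize(null); // load the native library
        SSL.initialize(null);     // initialise OpenSSL, no engine
        long pool = Pool.create(0);
        System.out.println("SSL context handle: " + build(pool));
        Pool.destroy(pool);
    }
}
```

Running it requires the Tomcat native library on java.library.path and real PEM files at the placeholder paths.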



Methods inherited from java.lang.Object
native protected Object clone() throws CloneNotSupportedException
public boolean equals(Object obj)
protected void finalize() throws Throwable
final native public Class getClass()
native public int hashCode()
final native public void notify()
final native public void notifyAll()
public String toString()
final native public void wait(long timeout) throws InterruptedException
final public void wait(long timeout, int nanos) throws InterruptedException
final public void wait() throws InterruptedException
