Package net.i2p.util

Class I2PSSLSocketFactory


  • public class I2PSSLSocketFactory
    extends Object
    Loads trusted ASCII certs from ~/.i2p/certificates/ and $I2P/certificates/. TODO extend SSLSocketFactory
    Since:
    0.9.9 moved from ../client, original since 0.8.3
    Author:
    zzz
    • Field Detail

      • EXCLUDE_PROTOCOLS

        public static final List<String> EXCLUDE_PROTOCOLS
        Unmodifiable. Public for RouterConsoleRunner.
        Since:
        0.9.16
      • INCLUDE_PROTOCOLS

        public static final List<String> INCLUDE_PROTOCOLS
Java 7 does not enable TLS 1.1 or 1.2 by default on the client side. Java 8 does enable 1.1 and 1.2 by default on the client side. TLS 1.3 arrives in Java 11, but it requires:
          - ChaCha20/Poly1305 in Java 12 (we could add a provider)
          - X25519 in Java 13, but may be pulled in to 12 (can't use our unsigned provider)
          - Ed25519 in Java 13 (but we can use our provider)
        ref: https://openjdk.java.net/jeps/332
        ref: http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
        Unmodifiable. Public for RouterConsoleRunner.
        Since:
        0.9.16
      • EXCLUDE_CIPHERS

        public static final List<String> EXCLUDE_CIPHERS
We exclude everything that Java 8 disables by default, plus some others.
        ref: http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
        See also: https://developer.android.com/reference/javax/net/ssl/SSLSocket.html
        Unmodifiable. Public for RouterConsoleRunner.
        Since:
        0.9.16
      • INCLUDE_CIPHERS

        public static final List<String> INCLUDE_CIPHERS
        Nothing for now. There's nothing disabled by default we would want to enable. Unmodifiable. Public for RouterConsoleRunner.
        Since:
        0.9.16
    • Method Detail

      • createSocket

        public Socket createSocket(String host,
                                   int port)
                            throws IOException
        Returns a socket to the host. A host argument that's an IP address (instead of a hostname) is not recommended, as this will probably fail SSL certificate validation. Hostname validation is skipped for localhost addresses, but you still must trust the certificate.
        Throws:
        IOException
      • createSocket

        public Socket createSocket(InetAddress host,
                                   int port)
                            throws IOException
        Returns a socket to the host. An InetAddress argument created with an IP address (instead of a hostname) is not recommended, as this will perform a reverse DNS lookup to get the hostname for certificate validation, which will probably then fail. Hostname validation is skipped for localhost addresses, but you still must trust the certificate.
        Throws:
        IOException
        Since:
        0.9.9
      • verifyHostname

        public static void verifyHostname(I2PAppContext ctx,
                                          SSLSocket socket,
                                          String host)
                                   throws SSLException
Validate the hostname. Warning - be sure to remove [] from IPv6 addresses in the host parameter if you got it from URI.getHost().
        ref: https://developer.android.com/training/articles/security-ssl.html
        ref: http://op-co.de/blog/posts/java_sslsocket_mitm/
        ref: http://kevinlocke.name/bits/2012/10/03/ssl-certificate-verification-in-dispatch-and-asynchttpclient/
        Throws:
        SSLException - on hostname verification failure
        Since:
        0.9.20
      • setProtocolsAndCiphers

        public static void setProtocolsAndCiphers(SSLSocket socket)
        Select the protocols and cipher suites to be used, based on the configured inclusion and exclusion lists as well as the enabled and supported protocols and cipher suites. Adapted from Jetty SslContextFactory.java.
        Since:
        0.9.16
      • setProtocolsAndCiphers

        public static void setProtocolsAndCiphers(SSLServerSocket socket)
        Select the protocols and cipher suites to be used, based on the configured inclusion and exclusion lists as well as the enabled and supported protocols and cipher suites. Adapted from Jetty SslContextFactory.java.
        Since:
        0.9.16
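As an added example that is not I2P's own code, the following shows the two operations described above for verifyHostname and setProtocolsAndCiphers written against plain JSSE: the include/exclude selection over the enabled and supported lists, the IPv6 bracket stripping and localhost exemption, and hostname verification. The list contents are constructed placeholders rather than the values of I2PSSLSocketFactory's constants, and the hostname check is done with SSLParameters endpoint identification instead of I2P's own verifier.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

public class SslSocketHardening {
    // Constructed example lists; not the values of I2PSSLSocketFactory's own constants.
    static final Set<String> EXCLUDE_PROTOCOLS = new HashSet<>(Arrays.asList("SSLv3", "TLSv1", "TLSv1.1"));
    static final Set<String> INCLUDE_PROTOCOLS = new HashSet<>(Arrays.asList("TLSv1.2", "TLSv1.3"));
    static final Set<String> EXCLUDE_CIPHERS = new HashSet<>(Arrays.asList(
            "TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA"));

    /**
     * Start from what the JSSE enables by default, add anything on the include list that the
     * runtime actually supports, then drop everything on the exclude list. A LinkedHashSet keeps
     * the JSSE's preference order for the entries that were already enabled.
     */
    static String[] select(String[] enabled, String[] supported, Set<String> include, Set<String> exclude) {
        Set<String> result = new LinkedHashSet<>(Arrays.asList(enabled));
        for (String s : supported) {
            if (include.contains(s)) result.add(s);
        }
        result.removeAll(exclude);
        if (result.isEmpty()) throw new IllegalStateException("nothing left after filtering");
        return result.toArray(new String[0]);
    }

    /** Localhost connections skip the name check but still need a trusted certificate. */
    static boolean isLocalhost(String host) {
        return host.equals("localhost") || host.equals("127.0.0.1") || host.equals("::1");
    }

    /**
     * Apply the lists and the hostname check to a client socket before its handshake. Pass the same
     * host string the socket was created with; the JSSE compares the certificate against that host.
     */
    static void configure(SSLSocket socket, String host) {
        // URI.getHost() keeps the brackets around IPv6 literals; strip them before comparing.
        if (host.startsWith("[") && host.endsWith("]")) host = host.substring(1, host.length() - 1);
        SSLParameters p = socket.getSSLParameters();
        p.setProtocols(select(socket.getEnabledProtocols(), socket.getSupportedProtocols(),
                              INCLUDE_PROTOCOLS, EXCLUDE_PROTOCOLS));
        p.setCipherSuites(select(socket.getEnabledCipherSuites(), socket.getSupportedCipherSuites(),
                                 new HashSet<String>(), EXCLUDE_CIPHERS));
        // With the HTTPS algorithm set, the JSSE itself checks the peer certificate against the
        // host name during the handshake and fails it with an SSLHandshakeException on mismatch.
        if (!isLocalhost(host)) p.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(p);
    }
}
```

After configure() the caller runs socket.startHandshake(); a certificate that does not match the host, or is not trusted, makes the handshake throw rather than silently succeeding.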