Package net.i2p.util
Class I2PSSLSocketFactory
java.lang.Object
    net.i2p.util.I2PSSLSocketFactory
public class I2PSSLSocketFactory extends Object
Loads trusted ASCII (PEM) certs from ~/.i2p/certificates/ and $I2P/certificates/.
TODO: extend SSLSocketFactory.

- Since:
  0.9.9 moved from ../client, original since 0.8.3
- Author:
  zzz
Field Summary

- static List<String> EXCLUDE_CIPHERS
  We exclude everything that Java 8 disables by default, plus some others.
- static List<String> EXCLUDE_PROTOCOLS
  Unmodifiable.
- static List<String> INCLUDE_CIPHERS
  Nothing for now.
- static List<String> INCLUDE_PROTOCOLS
  Java 7 does not enable 1.1 or 1.2 by default on the client side.
-
Constructor Summary

- I2PSSLSocketFactory(I2PAppContext context, boolean loadSystemCerts, String relativeCertPath)
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description Socket
createSocket(String host, int port)
Returns a socket to the host.Socket
createSocket(InetAddress host, int port)
Returns a socket to the host.static void
setProtocolsAndCiphers(SSLServerSocket socket)
Select protocols and cipher suites to be used based on configured inclusion and exclusion lists as well as enabled and supported protocols and cipher suites.static void
setProtocolsAndCiphers(SSLSocket socket)
Select protocols and cipher suites to be used based on configured inclusion and exclusion lists as well as enabled and supported protocols and cipher suites.static void
verifyHostname(I2PAppContext ctx, SSLSocket socket, String host)
Validate the hostname.
Field Detail

EXCLUDE_PROTOCOLS
public static final List<String> EXCLUDE_PROTOCOLS
Unmodifiable. Public for RouterConsoleRunner.
- Since:
  0.9.16

INCLUDE_PROTOCOLS
public static final List<String> INCLUDE_PROTOCOLS
Java 7 does not enable 1.1 or 1.2 by default on the client side. Java 8 does enable 1.1 and 1.2 by default on the client side.
TLS 1.3 is in Java 11, but it requires:
- ChaCha20/Poly1305 in Java 12 (we could add a provider)
- X25519 in Java 13 but may be pulled in to 12 (can't use our unsigned provider)
- Ed25519 in Java 13 (but we can use our provider)
ref: https://openjdk.java.net/jeps/332
ref: http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
Unmodifiable. Public for RouterConsoleRunner.
- Since:
  0.9.16

EXCLUDE_CIPHERS
public static final List<String> EXCLUDE_CIPHERS
We exclude everything that Java 8 disables by default, plus some others.
ref: http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
See also: https://developer.android.com/reference/javax/net/ssl/SSLSocket.html
Unmodifiable. Public for RouterConsoleRunner.
- Since:
  0.9.16

Constructor Detail

I2PSSLSocketFactory
public I2PSSLSocketFactory(I2PAppContext context, boolean loadSystemCerts, String relativeCertPath) throws GeneralSecurityException
- Parameters:
  relativeCertPath - e.g. "certificates/i2cp"; as of 0.9.41, may be absolute
- Throws:
  GeneralSecurityException
- Since:
  0.9.9 (was static before)

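Worked example, added here and not I2P code, of what a constructor like this has to do: read every PEM (.crt) file in a certificates directory into an in-memory KeyStore, optionally merge the JRE's own trust store, and build an SSLContext whose socket factory trusts only those entries. The *.crt file pattern, the "local:"/"system:" alias prefixes, the cacerts location with its stock "changeit" password, and the fail-closed check on an empty store are this example's assumptions, not a description of how I2PSSLSocketFactory is implemented.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/** Example, not I2P code: a socket factory that trusts the certs found in a directory. */
public class DirTrustStoreExample {

    /**
     * Load every *.crt file in dir (assumed: one PEM X.509 cert per file) into a
     * fresh in-memory KeyStore. If loadSystemCerts is set, the JRE's cacerts file
     * is merged in first (assumed: standard location and the stock "changeit" password).
     */
    static KeyStore loadTrustedCerts(Path dir, boolean loadSystemCerts)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                                   // start empty

        if (loadSystemCerts) {
            Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
            if (Files.isReadable(cacerts)) {
                KeyStore sys = KeyStore.getInstance(KeyStore.getDefaultType());
                try (InputStream in = Files.newInputStream(cacerts)) {
                    sys.load(in, "changeit".toCharArray());
                }
                for (String alias : Collections.list(sys.aliases())) {
                    if (sys.isCertificateEntry(alias)) {
                        ks.setCertificateEntry("system:" + alias, sys.getCertificate(alias));
                    }
                }
            }
        }

        if (Files.isDirectory(dir)) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            try (DirectoryStream<Path> files = Files.newDirectoryStream(dir, "*.crt")) {
                for (Path f : files) {
                    try (InputStream in = Files.newInputStream(f)) {
                        X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
                        cert.checkValidity();                  // reject expired / not-yet-valid certs now
                        // Alias on the file name so a bad file is easy to find later.
                        ks.setCertificateEntry("local:" + f.getFileName(), cert);
                    } catch (CertificateException e) {
                        System.err.println("skipping " + f + ": " + e.getMessage());
                    }
                }
            }
        }

        if (ks.size() == 0) {
            // An empty trust store would fail every handshake later; fail loudly here instead.
            throw new GeneralSecurityException("no trusted certificates loaded from " + dir);
        }
        return ks;
    }

    /** Socket factory whose only trust anchors are the entries loaded above (no client cert, default RNG). */
    static SSLSocketFactory socketFactoryFor(Path dir, boolean loadSystemCerts)
            throws IOException, GeneralSecurityException {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadTrustedCerts(dir, loadSystemCerts));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Assumed layout: <I2P config dir>/certificates/i2cp/*.crt; pass "system" as a
        // second argument to also trust the JRE's public CAs.
        Path dir = Paths.get(args.length > 0 ? args[0] : "certificates/i2cp");
        boolean sys = args.length > 1 && args[1].equals("system");
        KeyStore ks = loadTrustedCerts(dir, sys);
        System.out.println("trusted entries: " + ks.size());
        SSLSocketFactory f = socketFactoryFor(dir, sys);
        System.out.println("socket factory ready: " + f.getClass().getName());
    }
}
```

A CertificateFactory reads only the first certificate of a file, so a bundle file needs to be split into one file per cert. The empty-store check matters: a TrustManagerFactory initialised from an empty KeyStore does not fall back to the JRE defaults, it rejects every peer, and without the check that shows up much later as an opaque handshake failure rather than a clear error at startup.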
Method Detail

createSocket
public Socket createSocket(String host, int port) throws IOException
Returns a socket to the host. A host argument that is an IP address (instead of a hostname) is not recommended, as it will probably fail SSL certificate validation. Hostname validation is skipped for localhost addresses, but you still must trust the certificate.
- Throws:
  IOException

createSocket
public Socket createSocket(InetAddress host, int port) throws IOException
Returns a socket to the host. An InetAddress argument created from an IP address (instead of a hostname) is not recommended: the factory performs a reverse DNS lookup to obtain a hostname for certificate validation, and that validation will probably then fail. Hostname validation is skipped for localhost addresses, but you still must trust the certificate.
- Throws:
  IOException
- Since:
  0.9.9

verifyHostname
public static void verifyHostname(I2PAppContext ctx, SSLSocket socket, String host) throws SSLException
Validate the hostname. Warning: be sure to remove the [] from IPv6 addresses in the host parameter if you got it from URI.getHost().
ref: https://developer.android.com/training/articles/security-ssl.html
ref: http://op-co.de/blog/posts/java_sslsocket_mitm/
ref: http://kevinlocke.name/bits/2012/10/03/ssl-certificate-verification-in-dispatch-and-asynchttpclient/
- Throws:
  SSLException - on hostname verification failure
- Since:
  0.9.20

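Worked example, added here and not I2P code, of the hostname handling that verifyHostname and the two createSocket overloads describe: stripping the [] that URI.getHost() keeps on an IPv6 literal, skipping the name check (but not chain validation) for localhost, and matching the host against the peer certificate's subjectAltName entries after the handshake, closing the socket on failure. The helper names, the matching rules (exact dNSName or one leftmost wildcard label, iPAddress compared as parsed addresses, no CN fallback) and the inputs in main are this example's own choices; I2P's verifyHostname takes an I2PAppContext and may apply different rules.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.URI;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Example, not I2P code: hostname handling around an SSLSocket handshake. */
public class HostnameVerifyExample {

    private static final String IPV4_LITERAL =
        "((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])";

    /** URI.getHost() keeps the [] around an IPv6 literal; certificate matching must not see them. */
    static String hostForVerification(URI uri) {
        String h = uri.getHost();
        if (h == null) throw new IllegalArgumentException("URI has no host: " + uri);
        return (h.startsWith("[") && h.endsWith("]")) ? h.substring(1, h.length() - 1) : h;
    }

    static boolean isIpLiteral(String host) {
        return host.indexOf(':') >= 0 || host.matches(IPV4_LITERAL);
    }

    /** "localhost" or a loopback IP literal. Non-literal names are never resolved here. */
    static boolean isLocalhost(String host) {
        if (host.equalsIgnoreCase("localhost")) return true;
        if (!isIpLiteral(host)) return false;
        try {
            return InetAddress.getByName(host).isLoopbackAddress();
        } catch (IOException e) {
            return false;
        }
    }

    /** One SAN dNSName against host: exact match, or a single leftmost "*" label (RFC 6125 style). */
    static boolean dnsNameMatches(String pattern, String host) {
        pattern = pattern.toLowerCase(Locale.ROOT);
        host = host.toLowerCase(Locale.ROOT);
        if (!pattern.startsWith("*.")) return pattern.equals(host);
        String suffix = pattern.substring(1);                 // e.g. ".example.i2p"
        int dot = host.indexOf('.');
        // The wildcard covers exactly one label and must leave at least two labels to its right.
        return dot > 0 && host.substring(dot).equals(suffix) && suffix.indexOf('.', 1) > 0;
    }

    /** One SAN iPAddress against host, compared as parsed addresses (both are literals, so no DNS). */
    static boolean ipMatches(String sanValue, String host) {
        try {
            return InetAddress.getByName(sanValue).equals(InetAddress.getByName(host));
        } catch (IOException e) {
            return false;
        }
    }

    /**
     * Check the peer's leaf certificate against host after the handshake. A raw
     * SSLSocket validates the chain but, unlike HttpsURLConnection, never the name.
     * The socket is closed on failure so a caller cannot keep using it by mistake.
     */
    static void verifyHostname(SSLSocket socket, String host) throws SSLException {
        if (isLocalhost(host)) return;              // chain is still validated; only the name check is skipped
        Certificate[] chain;
        try {
            chain = socket.getSession().getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            closeQuietly(socket);
            throw e;
        }
        if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            closeQuietly(socket);
            throw new SSLPeerUnverifiedException("no X.509 peer certificate from " + host);
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        boolean ip = isIpLiteral(host);
        try {
            Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
            if (sans != null) {
                for (List<?> san : sans) {
                    int type = (Integer) san.get(0);           // 2 = dNSName, 7 = iPAddress
                    if (type != 2 && type != 7) continue;
                    String value = (String) san.get(1);
                    if (ip ? (type == 7 && ipMatches(value, host)) : (type == 2 && dnsNameMatches(value, host))) {
                        return;
                    }
                }
            }
        } catch (CertificateParsingException e) {
            closeQuietly(socket);
            throw new SSLException("unparseable subjectAltName in certificate for " + host, e);
        }
        closeQuietly(socket);
        throw new SSLException("certificate " + leaf.getSubjectX500Principal() + " does not match " + host);
    }

    private static void closeQuietly(SSLSocket s) {
        try { s.close(); } catch (IOException ignored) { }
    }

    /** Connect, handshake, then verify; assumes a factory whose trust store already holds the peer's CA. */
    static SSLSocket connectVerified(SSLSocketFactory factory, String host, int port) throws IOException {
        SSLSocket s = (SSLSocket) factory.createSocket(host, port);
        try {
            s.startHandshake();                     // chain errors surface here as SSLHandshakeException
        } catch (IOException e) {
            closeQuietly(s);
            throw e;
        }
        verifyHostname(s, host);
        return s;
    }

    public static void main(String[] args) throws Exception {
        // Offline checks on constructed inputs.
        System.out.println(hostForVerification(URI.create("https://[::1]:7657/")));
        System.out.println(isLocalhost("127.0.0.1") + " " + isLocalhost("::1") + " " + isLocalhost("10.0.0.1"));
        System.out.println(dnsNameMatches("*.example.i2p", "www.example.i2p") + " "
                         + dnsNameMatches("*.example.i2p", "a.b.example.i2p"));
        if (args.length == 2) {                     // e.g. a host and port whose CA the default store trusts
            SSLSocket s = connectVerified((SSLSocketFactory) SSLSocketFactory.getDefault(),
                                          args[0], Integer.parseInt(args[1]));
            System.out.println("verified " + s.getSession().getProtocol() + " connection to " + args[0]);
            s.close();
        }
    }
}
```

Two caveats a practitioner should know. On Java 7 and later the explicit check can be delegated to JSSE by calling socket.getSSLParameters(), setEndpointIdentificationAlgorithm("HTTPS") on the result and socket.setSSLParameters(...) before startHandshake(); the handshake then fails on a name mismatch by itself. And on a stock JRE, HttpsURLConnection.getDefaultHostnameVerifier() is not a usable substitute for the SAN check above: its verify() returns false unconditionally (HttpsURLConnection does the real name check internally), so it works only on Android, where the Android reference article draws it from.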
setProtocolsAndCiphers
public static void setProtocolsAndCiphers(SSLSocket socket)
Select protocols and cipher suites to be used based on configured inclusion and exclusion lists as well as enabled and supported protocols and cipher suites. Adapted from Jetty SslContextFactory.java.
- Since:
  0.9.16

setProtocolsAndCiphers
public static void setProtocolsAndCiphers(SSLServerSocket socket)
Select protocols and cipher suites to be used based on configured inclusion and exclusion lists as well as enabled and supported protocols and cipher suites. Adapted from Jetty SslContextFactory.java.
- Since:
  0.9.16
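Worked example, added here and not I2P code, of the selection that the INCLUDE_/EXCLUDE_ fields and both setProtocolsAndCiphers overloads describe, with the include/exclude semantics borrowed from Jetty's SslContextFactory: start from the include list intersected with what the JVM supports (or from the currently enabled set when there is no include list), then drop everything an exclude entry matches. The list contents, the exact-name-or-anchored-regex matching of entries, the refusal to leave a socket with nothing enabled, and the sample supported/enabled arrays in main are constructed for this example and are not the project's actual values.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Example, not I2P code: include/exclude filtering of TLS protocols and cipher suites. */
public class ProtocolCipherSelectExample {

    // Illustrative lists (assumed for this example; not the project's actual values).
    // Entries match as exact names or as anchored regexes.
    static final List<String> INCLUDE_PROTOCOLS =
        Collections.unmodifiableList(Arrays.asList("TLSv1.3", "TLSv1.2"));
    static final List<String> EXCLUDE_PROTOCOLS =
        Collections.unmodifiableList(Arrays.asList("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"));
    static final List<String> INCLUDE_CIPHERS = Collections.emptyList();
    // Anonymous, NULL, export, RC4, DES/3DES and static-RSA (no forward secrecy) suites.
    static final List<String> EXCLUDE_CIPHERS = Collections.unmodifiableList(Arrays.asList(
        ".*_anon_.*", ".*_NULL_.*", ".*_EXPORT.*", ".*_RC4_.*", ".*_DES_.*", ".*3DES.*", "TLS_RSA_.*"));

    /**
     * Jetty-style selection: with an include list, take its entries that the JVM
     * supports, in include order (which is also the preference order JSSE offers
     * them in); otherwise start from what is currently enabled. Then remove
     * everything an exclude entry matches.
     */
    static String[] select(String[] supported, String[] enabled, List<String> include, List<String> exclude) {
        Set<String> selected = new LinkedHashSet<>();
        if (!include.isEmpty()) {
            List<String> sup = Arrays.asList(supported);
            for (String inc : include) {
                if (sup.contains(inc)) selected.add(inc);
            }
        } else {
            selected.addAll(Arrays.asList(enabled));
        }
        for (String exc : exclude) {
            Pattern p = Pattern.compile(exc);
            selected.removeIf(name -> name.equals(exc) || p.matcher(name).matches());
        }
        if (selected.isEmpty()) {
            // Never fall through to the JSSE defaults here: that would quietly
            // re-enable exactly what the lists were meant to keep out.
            throw new IllegalStateException("include/exclude lists left nothing enabled");
        }
        return selected.toArray(new String[0]);
    }

    static void setProtocolsAndCiphers(SSLSocket s) {
        s.setEnabledProtocols(select(s.getSupportedProtocols(), s.getEnabledProtocols(),
                                     INCLUDE_PROTOCOLS, EXCLUDE_PROTOCOLS));
        s.setEnabledCipherSuites(select(s.getSupportedCipherSuites(), s.getEnabledCipherSuites(),
                                        INCLUDE_CIPHERS, EXCLUDE_CIPHERS));
    }

    static void setProtocolsAndCiphers(SSLServerSocket s) {
        s.setEnabledProtocols(select(s.getSupportedProtocols(), s.getEnabledProtocols(),
                                     INCLUDE_PROTOCOLS, EXCLUDE_PROTOCOLS));
        s.setEnabledCipherSuites(select(s.getSupportedCipherSuites(), s.getEnabledCipherSuites(),
                                        INCLUDE_CIPHERS, EXCLUDE_CIPHERS));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample lists, so the filter can be read without a network:
        // a client whose enabled set stops at TLS 1.2 but which supports 1.3.
        String[] supported = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"};
        String[] enabled   = {"TLSv1", "TLSv1.1", "TLSv1.2"};
        System.out.println("protocols: " + Arrays.toString(
            select(supported, enabled, INCLUDE_PROTOCOLS, EXCLUDE_PROTOCOLS)));

        String[] suites = {"TLS_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                           "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
                           "SSL_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"};
        System.out.println("ciphers:   " + Arrays.toString(
            select(suites, suites, INCLUDE_CIPHERS, EXCLUDE_CIPHERS)));

        // The same filter applied to a real, still-unconnected socket from this JVM's default factory.
        SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket();
        setProtocolsAndCiphers(s);
        System.out.println("socket:    " + Arrays.toString(s.getEnabledProtocols()));
        s.close();
    }
}
```

The include list is what makes the Java 7 case in the INCLUDE_PROTOCOLS note work: a client whose enabled set is only what the JVM turned on by default still gets TLS 1.2 (and 1.3 where supported) because the include entries are taken from the supported set, not the enabled one. The order of the include list is preserved, so it doubles as the preference order; the exclude pass is applied afterwards in every case, so a protocol that is both included and excluded ends up disabled.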