io.netty.internal.tcnative

Class SSL

java.lang.Object

io.netty.internal.tcnative.SSL

public final class SSL
extends java.lang.Object

Field Summary

Fields

Modifier and Type	Field and Description
static int	SSL_CVERIFY_IGNORED
static int	SSL_CVERIFY_NONE
static int	SSL_CVERIFY_OPTIONAL
static int	SSL_CVERIFY_REQUIRED
static int	SSL_ERROR_NONE
static int	SSL_ERROR_SSL
static int	SSL_ERROR_SYSCALL
static int	SSL_ERROR_WANT_ACCEPT
static int	SSL_ERROR_WANT_CERTIFICATE_VERIFY
static int	SSL_ERROR_WANT_CONNECT
static int	SSL_ERROR_WANT_PRIVATE_KEY_OPERATION
static int	SSL_ERROR_WANT_READ
static int	SSL_ERROR_WANT_WRITE
static int	SSL_ERROR_WANT_X509_LOOKUP
static int	SSL_ERROR_ZERO_RETURN
static int	SSL_MAX_PLAINTEXT_LENGTH
static int	SSL_MAX_RECORD_LENGTH The TLS 1.2 RFC defines the maximum length to be SSL_MAX_PLAINTEXT_LENGTH, but there are some implementations such as OpenJDK's SSLEngineImpl that also allow sending larger packets.
static int	SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
static int	SSL_MODE_CLIENT
static int	SSL_MODE_COMBINED
static int	SSL_MODE_ENABLE_PARTIAL_WRITE
static int	SSL_MODE_RELEASE_BUFFERS
static int	SSL_MODE_SERVER
static int	SSL_OP_CIPHER_SERVER_PREFERENCE
static int	SSL_OP_NO_COMPRESSION
static int	SSL_OP_NO_SSLv2
static int	SSL_OP_NO_SSLv3
static int	SSL_OP_NO_TICKET
static int	SSL_OP_NO_TLSv1
static int	SSL_OP_NO_TLSv1_1
static int	SSL_OP_NO_TLSv1_2
static int	SSL_OP_NO_TLSv1_3
static int	SSL_PROTOCOL_ALL
static int	SSL_PROTOCOL_NONE
static int	SSL_PROTOCOL_SSLV2
static int	SSL_PROTOCOL_SSLV3
static int	SSL_PROTOCOL_TLS TLS_*method according to SSL_CTX_new
static int	SSL_PROTOCOL_TLSV1
static int	SSL_PROTOCOL_TLSV1_1
static int	SSL_PROTOCOL_TLSV1_2
static int	SSL_PROTOCOL_TLSV1_3
static int	SSL_RECEIVED_SHUTDOWN
static int	SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL
static int	SSL_SELECTOR_FAILURE_NO_ADVERTISE
static int	SSL_SENT_SHUTDOWN
static long	SSL_SESS_CACHE_OFF
static long	SSL_SESS_CACHE_SERVER
static int	SSL_ST_ACCEPT
static int	SSL_ST_CONNECT
static int	X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
static int	X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS
static int	X509_CHECK_FLAG_NO_PARTIAL_WILD_CARDS
static int	X509_CHECK_FLAG_NO_WILD_CARDS

Method Summary

Modifier and Type	Method and Description
static java.lang.String[]	authenticationMethods(long ssl) Return the methods used for authentication.
static void	bioClearByteBuffer(long bio) After you are done buffering data from bioSetByteBuffer(long, long, int, boolean), this will ensure the internal SSL write buffers are ready to capture data which may unexpectedly happen (e.g.
static int	bioFlushByteBuffer(long bio) Flush any pending bytes in the internal SSL write buffer.
static int	bioLengthByteBuffer(long bio) Get the remaining length of the ByteBuffer set by bioSetByteBuffer(long, long, int, boolean).
static int	bioLengthNonApplication(long bio) Get the amount of data pending in buffer used for non-application writes.
static long	bioNewByteBuffer(long ssl, int nonApplicationBufferSize) Initialize the BIO for the SSL instance.
static void	bioSetByteBuffer(long bio, long bufferAddress, int maxUsableBytes, boolean isSSLWriteSink) Set the memory location which that OpenSSL's internal BIO will use to write encrypted data to, or read encrypted data from.
static int	bioWrite(long bioAddress, long wbufAddress, int wlen) BIO_write
static void	clearError() Clear all the errors from the error queue that OpenSSL encountered on this thread.
static void	clearOptions(long ssl, int options) Clear OpenSSL Option.
static int	doHandshake(long ssl) SSL_do_handshake
static void	enableOcsp(long ssl) Enables OCSP stapling for the given SSLEngine or throws an exception if OCSP stapling is not supported.
static void	fipsModeSet(int mode) Set the FIPS mode to use.
static void	freeBIO(long bio) BIO_free
static void	freePrivateKey(long privateKey) Free private key (EVP_PKEY pointer).
static void	freeSSL(long ssl) SSL_free
static void	freeX509Chain(long x509Chain) Free x509 chain (STACK_OF(X509) pointer).
static java.lang.String	getAlpnSelected(long ssl) SSL_get0_alpn_selected
static java.lang.String	getCipherForSSL(long ssl) SSL_get_cipher
static java.lang.String[]	getCiphers(long ssl) Returns all Returns the cipher suites that are available for negotiation in an SSL handshake.
static byte[]	getClientRandom(long ssl) Extracts the random value sent from the client to the server during the initial SSL/TLS handshake.
static int	getError(long ssl, int ret) SSL_get_error
static java.lang.String	getErrorString(long errorNumber) Get the error string representing for the given errorNumber.
static int	getHandshakeCount(long ssl) Returns the number of handshakes done for this SSL instance.
static java.lang.String	getLastError() Return last SSL error string
static int	getLastErrorNumber() Get the error number representing the last error OpenSSL encountered on this thread.
static byte[]	getMasterKey(long ssl) Returns the master key used for the current ssl session.
static int	getMaxWrapOverhead(long ssl) Get the maximum overhead, in bytes, of wrapping (a.k.a sealing) a record with ssl.
static int	getMode(long ssl) Call SSL_get_mode
static java.lang.String	getNextProtoNegotiated(long ssl) SSL_get0_next_proto_negotiated
static byte[]	getOcspResponse(long ssl) Returns the OCSP response for the given SSLEngine or null if the server didn't provide a stapled OCSP response.
static int	getOptions(long ssl) Get OpenSSL Option.
static byte[][]	getPeerCertChain(long ssl) Get the peer certificate chain or null if none was send.
static byte[]	getPeerCertificate(long ssl) Get the peer certificate or null if non was send.
static byte[]	getServerRandom(long ssl) Extracts the random value sent from the server to the client during the initial SSL/TLS handshake.
static byte[]	getSessionId(long ssl) Returns the ID of the session as byte array representation.
static int	getShutdown(long ssl) SSL_get_shutdown
static java.lang.String[]	getSigAlgs(long ssl) Return the signature algorithms that the remote peer supports or null if none are supported.
static java.lang.String	getSniHostname(long ssl) Return the SNI hostname that was sent as part of the SSL Hello.
static java.lang.Runnable	getTask(long ssl) Return the Runnable thats needs to be run as an operation returned SSL_ERROR_WANT_X509_LOOKUP.
static long	getTime(long ssl) SSL_get_time
static long	getTimeout(long ssl) SSL_get_timeout
static java.lang.String	getVersion(long ssl) SSL_get_version
static int	isInInit(long ssl) SSL_in_init
static long	loadPrivateKeyFromEngine(java.lang.String keyId, java.lang.String password) Load a private key from the used OpenSSL ENGINE via the ENGINE_load_private_key function.
static long	newMemBIO() Initialize new in-memory BIO that is located in the secure heap.
static long	newSSL(long ctx, boolean server) SSL_new
static long	parsePrivateKey(long privateKeyBio, java.lang.String password) Parse private key from BIO and return EVP_PKEY pointer.
static long	parseX509Chain(long x509ChainBio) Parse X509 chain from BIO and return (STACK_OF(X509) pointer).
static int	readFromSSL(long ssl, long rbuf, int rlen) SSL_read
static void	setCertificateBio(long ssl, long certBio, long keyBio, java.lang.String password) Deprecated. use setKeyMaterial(long, long, long)
static void	setCertificateChainBio(long ssl, long bio, boolean skipfirst) Deprecated. use setKeyMaterial(long, long, long)
static boolean	setCipherSuites(long ssl, java.lang.String ciphers) Deprecated. Use setCipherSuites(long, String, boolean)
static boolean	setCipherSuites(long ssl, java.lang.String ciphers, boolean tlsv13) Returns the cipher suites available for negotiation in SSL handshake.
static void	setHostNameValidation(long ssl, int flags, java.lang.String hostname) Explicitly control hostname validation see X509_check_host for X509_CHECK_FLAG* definitions.
static void	setKeyMaterial(long ssl, long chain, long key) Sets the keymaterial to be used.
static void	setKeyMaterialClientSide(long ssl, long x509Out, long pkeyOut, long chain, long key) Deprecated. use setKeyMaterial(long, long, long)
static void	setKeyMaterialServerSide(long ssl, long chain, long key) Deprecated. use setKeyMaterial(long, long, long)
static int	setMode(long ssl, int mode) Call SSL_set_mode
static void	setOcspResponse(long ssl, byte[] response) Sets the OCSP response for the given SSLEngine or throws an exception in case of an error.
static void	setOptions(long ssl, int options) Set OpenSSL Option.
static void	setShutdown(long ssl, int mode) SSL_set_shutdown
static long	setTimeout(long ssl, long seconds) SSL_set_timeout
static void	setTlsExtHostName(long ssl, java.lang.String hostname) Call SSL_set_tlsext_host_name
static void	setVerify(long ssl, int level, int depth) Set Type of Client Certificate verification and Maximum depth of CA Certificates in Client Certificate verification.
static int	shutdownSSL(long ssl) SSL_shutdown
static int	sslPending(long ssl) The number of bytes pending in SSL which can be read immediately.
static int	version()
static java.lang.String	versionString()
static int	writeToSSL(long ssl, long wbuf, int wlen) SSL_write

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SSL_PROTOCOL_NONE

public static final int SSL_PROTOCOL_NONE

See Also:

Constant Field Values

SSL_PROTOCOL_SSLV2

public static final int SSL_PROTOCOL_SSLV2

See Also:

Constant Field Values

SSL_PROTOCOL_SSLV3

public static final int SSL_PROTOCOL_SSLV3

See Also:

Constant Field Values

SSL_PROTOCOL_TLSV1

public static final int SSL_PROTOCOL_TLSV1

See Also:

Constant Field Values

SSL_PROTOCOL_TLSV1_1

public static final int SSL_PROTOCOL_TLSV1_1

See Also:

Constant Field Values

SSL_PROTOCOL_TLSV1_2

public static final int SSL_PROTOCOL_TLSV1_2

See Also:

Constant Field Values

SSL_PROTOCOL_TLSV1_3

public static final int SSL_PROTOCOL_TLSV1_3

See Also:

Constant Field Values

SSL_PROTOCOL_TLS

public static final int SSL_PROTOCOL_TLS

TLS_*method according to SSL_CTX_new

See Also:

Constant Field Values

SSL_PROTOCOL_ALL

public static final int SSL_PROTOCOL_ALL

See Also:

Constant Field Values

SSL_CVERIFY_IGNORED

public static final int SSL_CVERIFY_IGNORED

See Also:

Constant Field Values

SSL_CVERIFY_NONE

public static final int SSL_CVERIFY_NONE

See Also:

Constant Field Values

SSL_CVERIFY_OPTIONAL

public static final int SSL_CVERIFY_OPTIONAL

See Also:

Constant Field Values

SSL_CVERIFY_REQUIRED

public static final int SSL_CVERIFY_REQUIRED

See Also:

Constant Field Values

SSL_OP_CIPHER_SERVER_PREFERENCE

public static final int SSL_OP_CIPHER_SERVER_PREFERENCE

SSL_OP_NO_SSLv2

public static final int SSL_OP_NO_SSLv2

SSL_OP_NO_SSLv3

public static final int SSL_OP_NO_SSLv3

SSL_OP_NO_TLSv1

public static final int SSL_OP_NO_TLSv1

SSL_OP_NO_TLSv1_1

public static final int SSL_OP_NO_TLSv1_1

SSL_OP_NO_TLSv1_2

public static final int SSL_OP_NO_TLSv1_2

SSL_OP_NO_TLSv1_3

public static final int SSL_OP_NO_TLSv1_3

SSL_OP_NO_TICKET

public static final int SSL_OP_NO_TICKET

SSL_OP_NO_COMPRESSION

public static final int SSL_OP_NO_COMPRESSION

SSL_MODE_CLIENT

public static final int SSL_MODE_CLIENT

See Also:

Constant Field Values

SSL_MODE_SERVER

public static final int SSL_MODE_SERVER

See Also:

Constant Field Values

SSL_MODE_COMBINED

public static final int SSL_MODE_COMBINED

See Also:

Constant Field Values

SSL_SESS_CACHE_OFF

public static final long SSL_SESS_CACHE_OFF

SSL_SESS_CACHE_SERVER

public static final long SSL_SESS_CACHE_SERVER

SSL_SELECTOR_FAILURE_NO_ADVERTISE

public static final int SSL_SELECTOR_FAILURE_NO_ADVERTISE

See Also:

Constant Field Values

SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL

public static final int SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL

See Also:

Constant Field Values

SSL_ST_CONNECT

public static final int SSL_ST_CONNECT

SSL_ST_ACCEPT

public static final int SSL_ST_ACCEPT

SSL_MODE_ENABLE_PARTIAL_WRITE

public static final int SSL_MODE_ENABLE_PARTIAL_WRITE

SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER

public static final int SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER

SSL_MODE_RELEASE_BUFFERS

public static final int SSL_MODE_RELEASE_BUFFERS

SSL_MAX_PLAINTEXT_LENGTH

public static final int SSL_MAX_PLAINTEXT_LENGTH

SSL_MAX_RECORD_LENGTH

public static final int SSL_MAX_RECORD_LENGTH

The TLS 1.2 RFC defines the maximum length to be SSL_MAX_PLAINTEXT_LENGTH, but there are some implementations such as OpenJDK's SSLEngineImpl that also allow sending larger packets. This can be used as a upper bound for data to support legacy systems.

X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT

public static final int X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT

X509_CHECK_FLAG_NO_WILD_CARDS

public static final int X509_CHECK_FLAG_NO_WILD_CARDS

X509_CHECK_FLAG_NO_PARTIAL_WILD_CARDS

public static final int X509_CHECK_FLAG_NO_PARTIAL_WILD_CARDS

X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS

public static final int X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS

SSL_SENT_SHUTDOWN

public static final int SSL_SENT_SHUTDOWN

SSL_RECEIVED_SHUTDOWN

public static final int SSL_RECEIVED_SHUTDOWN

SSL_ERROR_NONE

public static final int SSL_ERROR_NONE

SSL_ERROR_SSL

public static final int SSL_ERROR_SSL

SSL_ERROR_WANT_READ

public static final int SSL_ERROR_WANT_READ

SSL_ERROR_WANT_WRITE

public static final int SSL_ERROR_WANT_WRITE

SSL_ERROR_WANT_X509_LOOKUP

public static final int SSL_ERROR_WANT_X509_LOOKUP

SSL_ERROR_SYSCALL

public static final int SSL_ERROR_SYSCALL

SSL_ERROR_ZERO_RETURN

public static final int SSL_ERROR_ZERO_RETURN

SSL_ERROR_WANT_CONNECT

public static final int SSL_ERROR_WANT_CONNECT

SSL_ERROR_WANT_ACCEPT

public static final int SSL_ERROR_WANT_ACCEPT

SSL_ERROR_WANT_PRIVATE_KEY_OPERATION

public static final int SSL_ERROR_WANT_PRIVATE_KEY_OPERATION

SSL_ERROR_WANT_CERTIFICATE_VERIFY

public static final int SSL_ERROR_WANT_CERTIFICATE_VERIFY

Method Detail

version

public static int version()

versionString

public static java.lang.String versionString()

newMemBIO

public static long newMemBIO()
                      throws java.lang.Exception

Initialize new in-memory BIO that is located in the secure heap.

Returns:

New BIO handle

Throws:

java.lang.Exception - if an error happened.

getLastError

public static java.lang.String getLastError()

Return last SSL error string

Returns:

the last SSL error string.

newSSL

public static long newSSL(long ctx,
                          boolean server)

SSL_new

Parameters:

ctx - Server or Client context to use.

server - if true configure SSL instance to use accept handshake routines if false configure SSL instance to use connect handshake routines

Returns:

pointer to SSL instance (SSL *)

getError

public static int getError(long ssl,
                           int ret)

SSL_get_error

Parameters:

ssl - SSL pointer (SSL *)

ret - TLS/SSL I/O return value

Returns:

the error code

bioWrite

public static int bioWrite(long bioAddress,
                           long wbufAddress,
                           int wlen)

BIO_write

Parameters:

bioAddress - The address of a BIO*.

wbufAddress - The address of a native char*.

wlen - The length to write starting at wbufAddress.

Returns:

The number of bytes that were written. See BIO_write for exceptional return values.

bioNewByteBuffer

public static long bioNewByteBuffer(long ssl,
                                    int nonApplicationBufferSize)

Initialize the BIO for the SSL instance. This is a custom BIO which is designed to play nicely with a direct ByteBuffer. Because it is a special BIO it requires special usage such that bioSetByteBuffer(long, long, int, boolean) and bioClearByteBuffer(long) are called in order to provide to supply data to SSL, and also to ensure the internal SSL buffering mechanism is expecting write at the appropriate times.

Parameters:

ssl - the SSL instance (SSL *)

nonApplicationBufferSize - The size of the internal buffer for write operations that are not initiated directly by the application attempting to encrypt data. Must be >0.

Returns:

pointer to the Network BIO (BIO *). The memory is owned by ssl and will be cleaned up by freeSSL(long).

bioSetByteBuffer

public static void bioSetByteBuffer(long bio,
                                    long bufferAddress,
                                    int maxUsableBytes,
                                    boolean isSSLWriteSink)

Set the memory location which that OpenSSL's internal BIO will use to write encrypted data to, or read encrypted data from.

After you are done buffering data you should call bioClearByteBuffer(long).

Parameters:

bio - BIO*.

bufferAddress - The memory address (typically from a direct ByteBuffer) which will be used to either write encrypted data to, or read encrypted data from by OpenSSL's internal BIO pair.

maxUsableBytes - The maximum usable length in bytes starting at bufferAddress.

isSSLWriteSink - true if this buffer is expected to buffer data as a result of calls to SSL_write. false if this buffer is expected to buffer data as a result of calls to SSL_read.

bioClearByteBuffer

public static void bioClearByteBuffer(long bio)

After you are done buffering data from bioSetByteBuffer(long, long, int, boolean), this will ensure the internal SSL write buffers are ready to capture data which may unexpectedly happen (e.g. handshake, renegotiation, etc..).

Parameters:

bio - BIO*.

bioFlushByteBuffer

public static int bioFlushByteBuffer(long bio)

Flush any pending bytes in the internal SSL write buffer.

This does the same thing as BIO_flush for a BIO* of type bioNewByteBuffer(long, int) but returns the number of bytes that were flushed.

Parameters:

bio - BIO*.

Returns:

The number of bytes that were flushed.

bioLengthByteBuffer

public static int bioLengthByteBuffer(long bio)

Get the remaining length of the ByteBuffer set by bioSetByteBuffer(long, long, int, boolean).

Parameters:

bio - BIO*.

Returns:

The remaining length of the ByteBuffer set by bioSetByteBuffer(long, long, int, boolean).

bioLengthNonApplication

public static int bioLengthNonApplication(long bio)

Get the amount of data pending in buffer used for non-application writes. This value will not exceed the value configured in bioNewByteBuffer(long, int).

Parameters:

bio - BIO*.

Returns:

the amount of data pending in buffer used for non-application writes.

sslPending

public static int sslPending(long ssl)

The number of bytes pending in SSL which can be read immediately. See SSL_pending.

Parameters:

ssl - the SSL instance (SSL *)

Returns:

The number of bytes pending in SSL which can be read immediately.

writeToSSL

public static int writeToSSL(long ssl,
                             long wbuf,
                             int wlen)

SSL_write

Parameters:

ssl - the SSL instance (SSL *)

wbuf - the memory address of the buffer

wlen - the length

Returns:

the number of written bytes

readFromSSL

public static int readFromSSL(long ssl,
                              long rbuf,
                              int rlen)

SSL_read

Parameters:

ssl - the SSL instance (SSL *)

rbuf - the memory address of the buffer

rlen - the length

Returns:

the number of read bytes

getShutdown

public static int getShutdown(long ssl)

SSL_get_shutdown

Parameters:

ssl - the SSL instance (SSL *)

Returns:

the return code of SSL_get_shutdown

setShutdown

public static void setShutdown(long ssl,
                               int mode)

SSL_set_shutdown

Parameters:

ssl - the SSL instance (SSL *)

mode - the mode to use

freeSSL

public static void freeSSL(long ssl)

SSL_free

Parameters:

ssl - the SSL instance (SSL *)

freeBIO

public static void freeBIO(long bio)

BIO_free

Parameters:

bio - the BIO

shutdownSSL

public static int shutdownSSL(long ssl)

SSL_shutdown

Parameters:

ssl - the SSL instance (SSL *)

Returns:

the return code of SSL_shutdown

getLastErrorNumber

public static int getLastErrorNumber()

Get the error number representing the last error OpenSSL encountered on this thread.

Returns:

the last error code for the calling thread.

getCipherForSSL

public static java.lang.String getCipherForSSL(long ssl)

SSL_get_cipher

Parameters:

ssl - the SSL instance (SSL *)

Returns:

the name of the current cipher.

getVersion

public static java.lang.String getVersion(long ssl)

SSL_get_version

Parameters:

ssl - the SSL instance (SSL *)

Returns:

the version.

doHandshake

public static int doHandshake(long ssl)

SSL_do_handshake

Parameters:

ssl - the SSL instance (SSL *)

Returns:

the return code of SSL_do_handshake.

isInInit

public static int isInInit(long ssl)

SSL_in_init

Parameters:

ssl - the SSL instance (SSL *)

Returns:

the return code of SSL_in_init.

getNextProtoNegotiated

public static java.lang.String getNextProtoNegotiated(long ssl)

SSL_get0_next_proto_negotiated

Parameters:

ssl - the SSL instance (SSL *)

Returns:

the name of the negotiated proto

getAlpnSelected

public static java.lang.String getAlpnSelected(long ssl)

SSL_get0_alpn_selected

Parameters:

ssl - the SSL instance (SSL *)

Returns:

the name of the selected ALPN protocol

getPeerCertChain

public static byte[][] getPeerCertChain(long ssl)

Get the peer certificate chain or null if none was send.

Parameters:

ssl - the SSL instance (SSL *)

Returns:

the chain or null if none was send

getPeerCertificate

public static byte[] getPeerCertificate(long ssl)

Get the peer certificate or null if non was send.

Parameters:

ssl - the SSL instance (SSL *)

Returns:

the peer certificate or null if none was send

getErrorString

public static java.lang.String getErrorString(long errorNumber)

Get the error string representing for the given errorNumber.

Parameters:

errorNumber - the error number / code

Returns:

the error string

getTime

public static long getTime(long ssl)

SSL_get_time

Parameters:

ssl - the SSL instance (SSL *)

Returns:

returns the time at which the session ssl was established. The time is given in seconds since the Epoch

getTimeout

public static long getTimeout(long ssl)

SSL_get_timeout

Parameters:

ssl - the SSL instance (SSL *)

Returns:

returns the timeout for the session ssl The time is given in seconds since the Epoch

setTimeout

public static long setTimeout(long ssl,
                              long seconds)

SSL_set_timeout

Parameters:

ssl - the SSL instance (SSL *)

seconds - timeout in seconds

Returns:

returns the timeout for the session ssl before this call. The time is given in seconds since the Epoch

setVerify

public static void setVerify(long ssl,
                             int level,
                             int depth)

Set Type of Client Certificate verification and Maximum depth of CA Certificates in Client Certificate verification.

This directive sets the Certificate verification level for the Client Authentication. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the client authentication process used in the standard SSL handshake when a connection is established. In per-directory context it forces a SSL renegotiation with the reconfigured client verification level after the HTTP request was read but before the HTTP response is sent.

The following levels are available for level:

• SSL_CVERIFY_IGNORED - The level is ignored. Only depth will change.
• SSL_CVERIFY_NONE - No client Certificate is required at all
• SSL_CVERIFY_OPTIONAL - The client may present a valid Certificate
• SSL_CVERIFY_REQUIRED - The client has to present a valid Certificate

The depth actually is the maximum number of intermediate certificate issuers, i.e. the number of CA certificates which are max allowed to be followed while verifying the client certificate. A depth of 0 means that self-signed client certificates are accepted only, the default depth of 1 means the client certificate can be self-signed or has to be signed by a CA which is directly known to the server (i.e. the CA's certificate is under setCACertificatePath, etc.

Parameters:

ssl - the SSL instance (SSL *)

level - Type of Client Certificate verification.

depth - Maximum depth of CA Certificates in Client Certificate verification. Ignored if value is <0.

setOptions

public static void setOptions(long ssl,
                              int options)

Set OpenSSL Option.

Parameters:

ssl - the SSL instance (SSL *)

options - See SSL.SSL_OP_* for option flags.

clearOptions

public static void clearOptions(long ssl,
                                int options)

Clear OpenSSL Option.

Parameters:

ssl - the SSL instance (SSL *)

options - See SSL.SSL_OP_* for option flags.

getOptions

public static int getOptions(long ssl)

Get OpenSSL Option.

Parameters:

ssl - the SSL instance (SSL *)

Returns:

options See SSL.SSL_OP_* for option flags.

setMode

public static int setMode(long ssl,
                          int mode)

Call SSL_set_mode

Parameters:

ssl - the SSL instance (SSL *).

mode - the mode

Returns:

the set mode.

getMode

public static int getMode(long ssl)

Call SSL_get_mode

Parameters:

ssl - the SSL instance (SSL *).

Returns:

the mode.

getMaxWrapOverhead

public static int getMaxWrapOverhead(long ssl)

Get the maximum overhead, in bytes, of wrapping (a.k.a sealing) a record with ssl. See SSL_max_seal_overhead.

Parameters:

ssl - the SSL instance (SSL *).

Returns:

Maximum overhead, in bytes, of wrapping (a.k.a sealing) a record with ssl.

getCiphers

public static java.lang.String[] getCiphers(long ssl)

Returns all Returns the cipher suites that are available for negotiation in an SSL handshake.

Parameters:

ssl - the SSL instance (SSL *)

Returns:

ciphers

setCipherSuites

@Deprecated
public static boolean setCipherSuites(long ssl,
                                                  java.lang.String ciphers)
                                           throws java.lang.Exception

Deprecated. Use setCipherSuites(long, String, boolean)

Returns the cipher suites available for negotiation in SSL handshake.

This complex directive uses a colon-separated cipher-spec string consisting of OpenSSL cipher specifications to configure the Cipher Suite the client is permitted to negotiate in the SSL handshake phase. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the standard SSL handshake when a connection is established. In per-directory context it forces a SSL renegotiation with the reconfigured Cipher Suite after the HTTP request was read but before the HTTP response is sent.

Parameters:

ssl - the SSL instance (SSL *)

ciphers - an SSL cipher specification

Returns:

true if successful

Throws:

java.lang.Exception - if an error happened

setCipherSuites

public static boolean setCipherSuites(long ssl,
                                      java.lang.String ciphers,
                                      boolean tlsv13)
                               throws java.lang.Exception

Returns the cipher suites available for negotiation in SSL handshake.

This complex directive uses a colon-separated cipher-spec string consisting of OpenSSL cipher specifications to configure the Cipher Suite the client is permitted to negotiate in the SSL handshake phase. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the standard SSL handshake when a connection is established. In per-directory context it forces a SSL renegotiation with the reconfigured Cipher Suite after the HTTP request was read but before the HTTP response is sent.

Parameters:

ssl - the SSL instance (SSL *)

ciphers - an SSL cipher specification

tlsv13 - true if the ciphers are for TLSv1.3

Returns:

true if successful

Throws:

java.lang.Exception - if an error happened

getSessionId

public static byte[] getSessionId(long ssl)

Returns the ID of the session as byte array representation.

Parameters:

ssl - the SSL instance (SSL *)

Returns:

the session as byte array representation obtained via SSL_SESSION_get_id.

getHandshakeCount

public static int getHandshakeCount(long ssl)

Returns the number of handshakes done for this SSL instance. This also includes renegations.

Parameters:

ssl - the SSL instance (SSL *)

Returns:

the number of handshakes done for this SSL instance.

clearError

public static void clearError()

Clear all the errors from the error queue that OpenSSL encountered on this thread.

setTlsExtHostName

public static void setTlsExtHostName(long ssl,
                                     java.lang.String hostname)

Call SSL_set_tlsext_host_name

Parameters:

ssl - the SSL instance (SSL *)

hostname - the hostname

setHostNameValidation

public static void setHostNameValidation(long ssl,
                                         int flags,
                                         java.lang.String hostname)

Explicitly control hostname validation see X509_check_host for X509_CHECK_FLAG* definitions. Values are defined as a bitmask of X509_CHECK_FLAG* values.

Parameters:

ssl - the SSL instance (SSL*).

flags - a bitmask of X509_CHECK_FLAG* values.

hostname - the hostname which is expected for validation.

authenticationMethods

public static java.lang.String[] authenticationMethods(long ssl)

Return the methods used for authentication.

Parameters:

ssl - the SSL instance (SSL*)

Returns:

the methods

setCertificateChainBio

@Deprecated
public static void setCertificateChainBio(long ssl,
                                                      long bio,
                                                      boolean skipfirst)

Deprecated. use setKeyMaterial(long, long, long)

Set BIO of PEM-encoded Server CA Certificates

This directive sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate. Such a file is simply the concatenation of the various PEM-encoded CA Certificate files, usually in certificate chain order.

But be careful: Providing the certificate chain works only if you are using a single (either RSA or DSA) based server certificate. If you are using a coupled RSA+DSA certificate pair, this will work only if actually both certificates use the same certificate chain. Otherwsie the browsers will be confused in this situation.

Parameters:

ssl - Server or Client to use.

bio - BIO of PEM-encoded Server CA Certificates.

skipfirst - Skip first certificate if chain file is inside certificate file.

setCertificateBio

@Deprecated
public static void setCertificateBio(long ssl,
                                                 long certBio,
                                                 long keyBio,
                                                 java.lang.String password)
                                          throws java.lang.Exception

Deprecated. use setKeyMaterial(long, long, long)

Set Certificate
Point setCertificate at a PEM encoded certificate stored in a BIO. If the certificate is encrypted, then you will be prompted for a pass phrase. Note that a kill -HUP will prompt again. A test certificate can be generated with `make certificate' under built time. Keep in mind that if you've both a RSA and a DSA certificate you can configure both in parallel (to also allow the use of DSA ciphers, etc.)
If the key is not combined with the certificate, use key param to point at the key file. Keep in mind that if you've both a RSA and a DSA private key you can configure both in parallel (to also allow the use of DSA ciphers, etc.)

Parameters:

ssl - Server or Client to use.

certBio - Certificate BIO.

keyBio - Private Key BIO to use if not in cert.

password - Certificate password. If null and certificate is encrypted.

Throws:

java.lang.Exception - if an error happened

loadPrivateKeyFromEngine

public static long loadPrivateKeyFromEngine(java.lang.String keyId,
                                            java.lang.String password)
                                     throws java.lang.Exception

Load a private key from the used OpenSSL ENGINE via the ENGINE_load_private_key function.

Be sure you understand how OpenSsl will behave with respect to reference counting!

If the ownership is not transferred you need to call freePrivateKey(long) once the key is not used anymore to prevent memory leaks.

Parameters:

keyId - the id of the key.

password - the password to use or null if none.

Returns:

EVP_PKEY pointer

Throws:

java.lang.Exception - if an error happened

parsePrivateKey

public static long parsePrivateKey(long privateKeyBio,
                                   java.lang.String password)
                            throws java.lang.Exception

Parse private key from BIO and return EVP_PKEY pointer.

Be sure you understand how OpenSsl will behave with respect to reference counting!

If the EVP_PKEY pointer is used with the client certificate callback CertificateRequestedCallback the ownership goes over to OpenSsl / Tcnative and so calling freePrivateKey(long) should NOT be done in this case. Otherwise you may need to call freePrivateKey(long) to decrement the reference count and free memory.

Parameters:

privateKeyBio - the pointer to the BIO that contains the private key

password - the password or null if no password is needed

Returns:

EVP_PKEY pointer

Throws:

java.lang.Exception - if an error happened

freePrivateKey

public static void freePrivateKey(long privateKey)

Free private key (EVP_PKEY pointer).

Parameters:

privateKey - EVP_PKEY pointer

parseX509Chain

public static long parseX509Chain(long x509ChainBio)
                           throws java.lang.Exception

Parse X509 chain from BIO and return (STACK_OF(X509) pointer).

Be sure you understand how OpenSsl will behave with respect to reference counting!

If the STACK_OF(X509) pointer is used with the client certificate callback CertificateRequestedCallback the ownership goes over to OpenSsl / Tcnative and so calling freeX509Chain(long) should NOT be done in this case. Otherwise you may need to call freeX509Chain(long) to decrement the reference count and free memory.

Parameters:

x509ChainBio - the pointer to the BIO that contains the X509 chain

Returns:

STACK_OF(X509) pointer

Throws:

java.lang.Exception - if an error happened

freeX509Chain

public static void freeX509Chain(long x509Chain)

Free x509 chain (STACK_OF(X509) pointer).

Parameters:

x509Chain - STACK_OF(X509) pointer

enableOcsp

public static void enableOcsp(long ssl)

Enables OCSP stapling for the given SSLEngine or throws an exception if OCSP stapling is not supported.

NOTE: This needs to happen before the SSL handshake.

SSL_set_tlsext_status_type

Search for OCSP

setKeyMaterialServerSide

@Deprecated
public static void setKeyMaterialServerSide(long ssl,
                                                        long chain,
                                                        long key)
                                                 throws java.lang.Exception

Deprecated. use setKeyMaterial(long, long, long)

Sets the keymaterial to be used for the server side. The passed in chain and key needs to be generated via parseX509Chain(long) and parsePrivateKey(long, String). It's important to note that the caller of the method is responsible to free the passed in chain and key in any case as this method will increment the reference count of the chain and key.

Throws:

java.lang.Exception

setKeyMaterial

public static void setKeyMaterial(long ssl,
                                  long chain,
                                  long key)
                           throws java.lang.Exception

Sets the keymaterial to be used. The passed in chain and key needs to be generated via parseX509Chain(long) and parsePrivateKey(long, String). It's important to note that the caller of the method is responsible to free the passed in chain and key in any case as this method will increment the reference count of the chain and key.

Throws:

java.lang.Exception

setKeyMaterialClientSide

@Deprecated
public static void setKeyMaterialClientSide(long ssl,
                                                        long x509Out,
                                                        long pkeyOut,
                                                        long chain,
                                                        long key)
                                                 throws java.lang.Exception

Deprecated. use setKeyMaterial(long, long, long)

Sets the keymaterial to be used for the client side. The passed in chain and key needs to be generated via parseX509Chain(long) and parsePrivateKey(long, String). It's important to note that the caller of the method is responsible to free the passed in chain and key in any case as this method will increment the reference count of the chain and key.

Throws:

java.lang.Exception

setOcspResponse

public static void setOcspResponse(long ssl,
                                   byte[] response)

Sets the OCSP response for the given SSLEngine or throws an exception in case of an error.

NOTE: This is only meant to be called for server SSLEngines.

SSL_set_tlsext_status_type

Search for OCSP

Parameters:

ssl - the SSL instance (SSL *)

getOcspResponse

public static byte[] getOcspResponse(long ssl)

Returns the OCSP response for the given SSLEngine or null if the server didn't provide a stapled OCSP response.

NOTE: This is only meant to be called for client SSLEngines.

SSL_set_tlsext_status_type

Search for OCSP

Parameters:

ssl - the SSL instance (SSL *)

fipsModeSet

public static void fipsModeSet(int mode)
                        throws java.lang.Exception

Set the FIPS mode to use. See man FIPS_mode_set.

Parameters:

mode - the mode to use.

Throws:

java.lang.Exception - throws if setting the fips mode failed.

getSniHostname

public static java.lang.String getSniHostname(long ssl)

Return the SNI hostname that was sent as part of the SSL Hello.

Parameters:

ssl - the SSL instance (SSL *)

Returns:

the SNI hostname or null if none was used.

getSigAlgs

public static java.lang.String[] getSigAlgs(long ssl)

Return the signature algorithms that the remote peer supports or null if none are supported. See man SSL_get_sigalgs for more details. The returned names are generated using OBJ_nid2ln with the psignhash as parameter.

Parameters:

ssl - the SSL instance (SSL *)

Returns:

the signature algorithms or null.

getMasterKey

public static byte[] getMasterKey(long ssl)

Returns the master key used for the current ssl session. This should be used extremely sparingly as leaking this key defeats the whole purpose of encryption especially forward secrecy. This exists here strictly for debugging purposes.

Parameters:

ssl - the SSL instance (SSL *)

Returns:

the master key used for the ssl session

getServerRandom

public static byte[] getServerRandom(long ssl)

Extracts the random value sent from the server to the client during the initial SSL/TLS handshake. This is needed to extract the HMAC & keys from the master key according to the TLS PRF. This is not a random number generator.

Parameters:

ssl - the SSL instance (SSL *)

Returns:

the random server value used for the ssl session

getClientRandom

public static byte[] getClientRandom(long ssl)

Extracts the random value sent from the client to the server during the initial SSL/TLS handshake. This is needed to extract the HMAC & keys from the master key according to the TLS PRF. This is not a random number generator.

Parameters:

ssl - the SSL instance (SSL *)

Returns:

the random client value used for the ssl session

getTask

public static java.lang.Runnable getTask(long ssl)

Return the Runnable thats needs to be run as an operation returned SSL_ERROR_WANT_X509_LOOKUP. After the task was run we should retry the operations that returned SSL_ERROR_WANT_X509_LOOKUP.

Parameters:

ssl - the SSL instance (SSL *)

Returns:

the task to run.