org.jivesoftware.smack.util

Class TLSUtils

java.lang.Object

org.jivesoftware.smack.util.TLSUtils

public class TLSUtils
extends java.lang.Object

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	TLSUtils.AcceptAllTrustManager A X509TrustManager that doesn't validate X.509 certificates.

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	PROTO_SSL3
static java.lang.String	PROTO_TLSV1
static java.lang.String	PROTO_TLSV1_1
static java.lang.String	PROTO_TLSV1_2
static java.lang.String	PROTO_TLSV1_3
static java.lang.String	SSL
static java.lang.String	TLS

Constructor Summary

Constructors

Constructor and Description
TLSUtils()

Method Summary

Modifier and Type	Method and Description
static <B extends ConnectionConfiguration.Builder<B,?>> B	acceptAllCertificates(B builder) Accept all TLS certificates.
static <B extends ConnectionConfiguration.Builder<B,?>> B	disableHostnameVerificationForTlsCertificates(B builder) Disable the hostname verification of TLS certificates.
static byte[]	getChannelBindingTlsServerEndPoint(javax.net.ssl.SSLSession sslSession) Get the channel binding data for the 'tls-server-end-point' channel binding type.
static java.io.FileInputStream	getDefaultTruststoreStreamIfPossible()
static org.jivesoftware.smack.util.TLSUtils.DefaultTrustStoreType	getDefaultTruststoreType()
static void	setDefaultTrustStoreTypeToJksIfRequired() Tries to determine if the default truststore type is of type jks and sets the javax.net.ssl.trustStoreType system property to 'JKS' if so.
static void	setEnabledProtocolsAndCiphers(javax.net.ssl.SSLSocket sslSocket, java.lang.String[] enabledProtocols, java.lang.String[] enabledCiphers)
static <B extends ConnectionConfiguration.Builder<B,?>> B	setEnabledTlsProtocolsToRecommended(B builder) Enable the recommended TLS protocols.
static <B extends ConnectionConfiguration.Builder<B,?>> B	setSSLv3AndTLSOnly(B builder) Deprecated. use setEnabledTlsProtocolsToRecommended(org.jivesoftware.smack.ConnectionConfiguration.Builder) instead.
static <B extends ConnectionConfiguration.Builder<B,?>> B	setTLSOnly(B builder) Deprecated. use setEnabledTlsProtocolsToRecommended(org.jivesoftware.smack.ConnectionConfiguration.Builder) instead.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SSL

public static final java.lang.String SSL

See Also:

Constant Field Values

TLS

public static final java.lang.String TLS

See Also:

Constant Field Values

PROTO_SSL3

public static final java.lang.String PROTO_SSL3

See Also:

Constant Field Values

PROTO_TLSV1

public static final java.lang.String PROTO_TLSV1

See Also:

Constant Field Values

PROTO_TLSV1_1

public static final java.lang.String PROTO_TLSV1_1

See Also:

Constant Field Values

PROTO_TLSV1_2

public static final java.lang.String PROTO_TLSV1_2

See Also:

Constant Field Values

PROTO_TLSV1_3

public static final java.lang.String PROTO_TLSV1_3

See Also:

Constant Field Values

Constructor Detail

TLSUtils

public TLSUtils()

Method Detail

setEnabledTlsProtocolsToRecommended

public static <B extends ConnectionConfiguration.Builder<B,?>> B setEnabledTlsProtocolsToRecommended(B builder)

Enable the recommended TLS protocols.

Type Parameters:

B - Type of the ConnectionConfiguration builder.

Parameters:

builder - the configuration builder to apply this setting to

Returns:

the given builder

setTLSOnly

@Deprecated
public static <B extends ConnectionConfiguration.Builder<B,?>> B setTLSOnly(B builder)

Deprecated. use setEnabledTlsProtocolsToRecommended(org.jivesoftware.smack.ConnectionConfiguration.Builder) instead.

Enable only TLS. Connections created with the given ConnectionConfiguration will only support TLS.

According to the Encrypted XMPP Manifesto, TLSv1.2 shall be deployed, providing fallback support for SSLv3 and TLSv1.1. This method goes one step beyond and upgrades the handshake to use TLSv1 or better. This method requires the underlying OS to support all of TLSv1.2 , 1.1 and 1.0.

Type Parameters:

B - Type of the ConnectionConfiguration builder.

Parameters:

builder - the configuration builder to apply this setting to

Returns:

the given builder

setSSLv3AndTLSOnly

@Deprecated
public static <B extends ConnectionConfiguration.Builder<B,?>> B setSSLv3AndTLSOnly(B builder)

Deprecated. use setEnabledTlsProtocolsToRecommended(org.jivesoftware.smack.ConnectionConfiguration.Builder) instead.

Enable only TLS and SSLv3. Connections created with the given ConnectionConfiguration will only support TLS and SSLv3.

According to the Encrypted XMPP Manifesto, TLSv1.2 shall be deployed, providing fallback support for SSLv3 and TLSv1.1.

Type Parameters:

B - Type of the ConnectionConfiguration builder.

Parameters:

builder - the configuration builder to apply this setting to

Returns:

the given builder

acceptAllCertificates

public static <B extends ConnectionConfiguration.Builder<B,?>> B acceptAllCertificates(B builder)

Accept all TLS certificates.

Warning: Use with care. This method make the Connection use TLSUtils.AcceptAllTrustManager and essentially invalidates all security guarantees provided by TLS. Only use this method if you understand the implications.

Type Parameters:

B - Type of the ConnectionConfiguration builder.

Parameters:

builder - a connection configuration builder.

Returns:

the given builder.

disableHostnameVerificationForTlsCertificates

public static <B extends ConnectionConfiguration.Builder<B,?>> B disableHostnameVerificationForTlsCertificates(B builder)

Disable the hostname verification of TLS certificates.

Warning: Use with care. This disables hostname verification of TLS certificates and essentially invalidates all security guarantees provided by TLS. Only use this method if you understand the implications.

Type Parameters:

B - Type of the ConnectionConfiguration builder.

Parameters:

builder - a connection configuration builder.

Returns:

the given builder.

setEnabledProtocolsAndCiphers

public static void setEnabledProtocolsAndCiphers(javax.net.ssl.SSLSocket sslSocket,
                                                 java.lang.String[] enabledProtocols,
                                                 java.lang.String[] enabledCiphers)
                                          throws SmackException.SecurityNotPossibleException

Throws:

SmackException.SecurityNotPossibleException

getChannelBindingTlsServerEndPoint

public static byte[] getChannelBindingTlsServerEndPoint(javax.net.ssl.SSLSession sslSession)
                                                 throws javax.net.ssl.SSLPeerUnverifiedException,
                                                        java.security.cert.CertificateEncodingException,
                                                        java.security.NoSuchAlgorithmException

Get the channel binding data for the 'tls-server-end-point' channel binding type. This channel binding type is defined in RFC 5929 § 4.

Parameters:

sslSession - the SSL/TLS session from which the data should be retrieved.

Returns:

the channel binding data.

Throws:

javax.net.ssl.SSLPeerUnverifiedException - if we TLS peer could not be verified.

java.security.cert.CertificateEncodingException - if there was an encoding error with the certificate.

java.security.NoSuchAlgorithmException - if no such algorithm is available.

See Also:

RFC 5929 § 4.

getDefaultTruststoreStreamIfPossible

public static java.io.FileInputStream getDefaultTruststoreStreamIfPossible()

getDefaultTruststoreType

public static org.jivesoftware.smack.util.TLSUtils.DefaultTrustStoreType getDefaultTruststoreType()
                                                                                           throws java.io.IOException

Throws:

java.io.IOException

setDefaultTrustStoreTypeToJksIfRequired

public static void setDefaultTrustStoreTypeToJksIfRequired()

Tries to determine if the default truststore type is of type jks and sets the javax.net.ssl.trustStoreType system property to 'JKS' if so. This is meant as workaround in situations where the default truststore type is (still) 'jks' but we run on a newer JRE/JDK which uses PKCS#12 as type. See for example Gentoo bug #712290.