view src/org/eclipse/jetty/util/ssl/SslContextFactory.java @ 1036:b87f97f6418a

minor
author Franklin Schmidt <fschmidt@gmail.com>
date Thu, 03 Nov 2016 21:42:41 -0600
parents 35d04ac3fd0b
children
line wrap: on
line source

//
//  ========================================================================
//  Copyright (c) 1995-2014 Mort Bay Consulting Pty. Ltd.
//  ------------------------------------------------------------------------
//  All rights reserved. This program and the accompanying materials
//  are made available under the terms of the Eclipse Public License v1.0
//  and Apache License v2.0 which accompanies this distribution.
//
//      The Eclipse Public License is available at
//      http://www.eclipse.org/legal/epl-v10.html
//
//      The Apache License v2.0 is available at
//      http://www.opensource.org/licenses/apache2.0.php
//
//  You may elect to redistribute this code under either of these licenses.
//  ========================================================================
//

package org.eclipse.jetty.util.ssl;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.security.InvalidParameterException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;

import org.eclipse.jetty.util.IO;
import org.eclipse.jetty.util.component.AbstractLifeCycle;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.eclipse.jetty.util.resource.Resource;
import org.eclipse.jetty.util.security.CertificateUtils;
import org.eclipse.jetty.util.security.CertificateValidator;
import org.eclipse.jetty.util.security.Password;


/* ------------------------------------------------------------ */
/**
 * SslContextFactory is used to configure SSL connectors
 * as well as HttpClient. It holds all SSL parameters and
 * creates SSL context based on these parameters to be
 * used by the SSL connectors.
 */
public class SslContextFactory extends AbstractLifeCycle
{
	public final static TrustManager[] TRUST_ALL_CERTS = new X509TrustManager[]{new X509TrustManager()
	{
		public java.security.cert.X509Certificate[] getAcceptedIssuers()
		{
			return new java.security.cert.X509Certificate[]{};
		}

		public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType)
		{
		}

		public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType)
		{
		}
	}};

	private static final Logger LOG = LoggerFactory.getLogger(SslContextFactory.class);

	public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM =
		(Security.getProperty("ssl.KeyManagerFactory.algorithm") == null ?
				"SunX509" : Security.getProperty("ssl.KeyManagerFactory.algorithm"));
	public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM =
		(Security.getProperty("ssl.TrustManagerFactory.algorithm") == null ?
				"SunX509" : Security.getProperty("ssl.TrustManagerFactory.algorithm"));

	/** Default value for the keystore location path. */
	public static final String DEFAULT_KEYSTORE_PATH =
		System.getProperty("user.home") + File.separator + ".keystore";

	/** String name of key password property. */
	public static final String KEYPASSWORD_PROPERTY = "org.eclipse.jetty.ssl.keypassword";

	/** String name of keystore password property. */
	public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password";

	/** Excluded protocols. */
	private final Set<String> _excludeProtocols = new LinkedHashSet<String>();
	/** Included protocols. */
	private Set<String> _includeProtocols = null;

	/** Excluded cipher suites. */
	private final Set<String> _excludeCipherSuites = new LinkedHashSet<String>();
	/** Included cipher suites. */
	private Set<String> _includeCipherSuites = null;

	/** Keystore path. */
	private String _keyStorePath;
	/** Keystore provider name */
	private String _keyStoreProvider;
	/** Keystore type */
	private String _keyStoreType = "JKS";
	/** Keystore input stream */
	private InputStream _keyStoreInputStream;

	/** SSL certificate alias */
	private String _certAlias;

	/** Truststore path */
	private String _trustStorePath;
	/** Truststore provider name */
	private String _trustStoreProvider;
	/** Truststore type */
	private String _trustStoreType = "JKS";
	/** Truststore input stream */
	private InputStream _trustStoreInputStream;

	/** Set to true if client certificate authentication is required */
	private boolean _needClientAuth = false;
	/** Set to true if client certificate authentication is desired */
	private boolean _wantClientAuth = false;

	/** Set to true if renegotiation is allowed */
	private boolean _allowRenegotiate = true;

	/** Keystore password */
	private transient Password _keyStorePassword;
	/** Key manager password */
	private transient Password _keyManagerPassword;
	/** Truststore password */
	private transient Password _trustStorePassword;

	/** SSL provider name */
	private String _sslProvider;
	/** SSL protocol name */
	private String _sslProtocol = "TLS";

	/** SecureRandom algorithm */
	private String _secureRandomAlgorithm;
	/** KeyManager factory algorithm */
	private String _keyManagerFactoryAlgorithm = DEFAULT_KEYMANAGERFACTORY_ALGORITHM;
	/** TrustManager factory algorithm */
	private String _trustManagerFactoryAlgorithm = DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM;

	/** Set to true if SSL certificate validation is required */
	private boolean _validateCerts;
	/** Set to true if SSL certificate of the peer validation is required */
	private boolean _validatePeerCerts;
	/** Maximum certification path length (n - number of intermediate certs, -1 for unlimited) */
	private int _maxCertPathLength = -1;
	/** Path to file that contains Certificate Revocation List */
	private String _crlPath;
	/** Set to true to enable CRL Distribution Points (CRLDP) support */
	private boolean _enableCRLDP = false;
	/** Set to true to enable On-Line Certificate Status Protocol (OCSP) support */
	private boolean _enableOCSP = false;
	/** Location of OCSP Responder */
	private String _ocspResponderURL;

	/** SSL keystore */
	private KeyStore _keyStore;
	/** SSL truststore */
	private KeyStore _trustStore;
	/** Set to true to enable SSL Session caching */
	private boolean _sessionCachingEnabled = true;
	/** SSL session cache size */
	private int _sslSessionCacheSize;
	/** SSL session timeout */
	private int _sslSessionTimeout;

	/** SSL context */
	private SSLContext _context;

	private boolean _trustAll;

	/* ------------------------------------------------------------ */
	/**
	 * Construct an instance of SslContextFactory
	 * Default constructor for use in XmlConfiguration files
	 */
	public SslContextFactory()
	{
		_trustAll=true;
	}

	/* ------------------------------------------------------------ */
	/**
	 * Construct an instance of SslContextFactory
	 * Default constructor for use in XmlConfiguration files
	 * @param trustAll whether to blindly trust all certificates
	 * @see #setTrustAll(boolean)
	 */
	public SslContextFactory(boolean trustAll)
	{
		_trustAll=trustAll;
	}

	/* ------------------------------------------------------------ */
	/**
	 * Construct an instance of SslContextFactory
	 * @param keyStorePath default keystore location
	 */
	public SslContextFactory(String keyStorePath)
	{
		_keyStorePath = keyStorePath;
	}

	/* ------------------------------------------------------------ */
	/**
	 * Create the SSLContext object and start the lifecycle
	 * @see org.eclipse.jetty.util.component.AbstractLifeCycle#doStart()
	 */
	@Override
	protected void doStart() throws Exception
	{
		if (_context == null)
		{
			if (_keyStore==null && _keyStoreInputStream == null && _keyStorePath == null &&
				_trustStore==null && _trustStoreInputStream == null && _trustStorePath == null )
			{
				TrustManager[] trust_managers=null;

				if (_trustAll)
				{
					LOG.debug("No keystore or trust store configured.  ACCEPTING UNTRUSTED CERTIFICATES!!!!!");
					// Create a trust manager that does not validate certificate chains
					trust_managers = TRUST_ALL_CERTS;
				}

				SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm);
				_context = SSLContext.getInstance(_sslProtocol);
				_context.init(null, trust_managers, secureRandom);
			}
			else
			{
				// verify that keystore and truststore
				// parameters are set up correctly
				checkKeyStore();

				KeyStore keyStore = loadKeyStore();
				KeyStore trustStore = loadTrustStore();

				Collection<? extends CRL> crls = loadCRL(_crlPath);

				if (_validateCerts && keyStore != null)
				{
					if (_certAlias == null)
					{
						List<String> aliases = Collections.list(keyStore.aliases());
						_certAlias = aliases.size() == 1 ? aliases.get(0) : null;
					}

					Certificate cert = _certAlias == null?null:keyStore.getCertificate(_certAlias);
					if (cert == null)
					{
						throw new Exception("No certificate found in the keystore" + (_certAlias==null ? "":" for alias " + _certAlias));
					}

					CertificateValidator validator = new CertificateValidator(trustStore, crls);
					validator.setMaxCertPathLength(_maxCertPathLength);
					validator.setEnableCRLDP(_enableCRLDP);
					validator.setEnableOCSP(_enableOCSP);
					validator.setOcspResponderURL(_ocspResponderURL);
					validator.validate(keyStore, cert);
				}

				KeyManager[] keyManagers = getKeyManagers(keyStore);
				TrustManager[] trustManagers = getTrustManagers(trustStore,crls);

				SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm);
				_context = (_sslProvider == null)?SSLContext.getInstance(_sslProtocol):SSLContext.getInstance(_sslProtocol,_sslProvider);
				_context.init(keyManagers,trustManagers,secureRandom);

				SSLEngine engine=newSslEngine();

				LOG.info("Enabled Protocols {} of {}",Arrays.asList(engine.getEnabledProtocols()),Arrays.asList(engine.getSupportedProtocols()));
				if (LOG.isDebugEnabled())
					LOG.debug("Enabled Ciphers   {} of {}",Arrays.asList(engine.getEnabledCipherSuites()),Arrays.asList(engine.getSupportedCipherSuites()));
			}
		}
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return The array of protocol names to exclude from
	 * {@link SSLEngine#setEnabledProtocols(String[])}
	 */
	public String[] getExcludeProtocols()
	{
		return _excludeProtocols.toArray(new String[_excludeProtocols.size()]);
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param protocols
	 *            The array of protocol names to exclude from
	 *            {@link SSLEngine#setEnabledProtocols(String[])}
	 */
	public void setExcludeProtocols(String... protocols)
	{
		checkNotStarted();

		_excludeProtocols.clear();
		_excludeProtocols.addAll(Arrays.asList(protocols));
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param protocol Protocol names to add to {@link SSLEngine#setEnabledProtocols(String[])}
	 */
	public void addExcludeProtocols(String... protocol)
	{
		checkNotStarted();
		_excludeProtocols.addAll(Arrays.asList(protocol));
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return The array of protocol names to include in
	 * {@link SSLEngine#setEnabledProtocols(String[])}
	 */
	public String[] getIncludeProtocols()
	{
		return _includeProtocols.toArray(new String[_includeProtocols.size()]);
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param protocols
	 *            The array of protocol names to include in
	 *            {@link SSLEngine#setEnabledProtocols(String[])}
	 */
	public void setIncludeProtocols(String... protocols)
	{
		checkNotStarted();

		_includeProtocols = new LinkedHashSet<String>(Arrays.asList(protocols));
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return The array of cipher suite names to exclude from
	 * {@link SSLEngine#setEnabledCipherSuites(String[])}
	 */
	public String[] getExcludeCipherSuites()
	{
		return _excludeCipherSuites.toArray(new String[_excludeCipherSuites.size()]);
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param cipherSuites
	 *            The array of cipher suite names to exclude from
	 *            {@link SSLEngine#setEnabledCipherSuites(String[])}
	 */
	public void setExcludeCipherSuites(String... cipherSuites)
	{
		checkNotStarted();
		_excludeCipherSuites.clear();
		_excludeCipherSuites.addAll(Arrays.asList(cipherSuites));
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param cipher Cipher names to add to {@link SSLEngine#setEnabledCipherSuites(String[])}
	 */
	public void addExcludeCipherSuites(String... cipher)
	{
		checkNotStarted();
		_excludeCipherSuites.addAll(Arrays.asList(cipher));
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return The array of cipher suite names to include in
	 * {@link SSLEngine#setEnabledCipherSuites(String[])}
	 */
	public String[] getIncludeCipherSuites()
	{
		return _includeCipherSuites.toArray(new String[_includeCipherSuites.size()]);
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param cipherSuites
	 *            The array of cipher suite names to include in
	 *            {@link SSLEngine#setEnabledCipherSuites(String[])}
	 */
	public void setIncludeCipherSuites(String... cipherSuites)
	{
		checkNotStarted();

		_includeCipherSuites = new LinkedHashSet<String>(Arrays.asList(cipherSuites));
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return The file or URL of the SSL Key store.
	 */
	public String getKeyStorePath()
	{
		return _keyStorePath;
	}

	/* ------------------------------------------------------------ */
	@Deprecated
	public String getKeyStore()
	{
		return _keyStorePath;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param keyStorePath
	 *            The file or URL of the SSL Key store.
	 */
	public void setKeyStorePath(String keyStorePath)
	{
		checkNotStarted();

		_keyStorePath = keyStorePath;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param keyStorePath the file system path or URL of the keystore
	 * @deprecated Use {@link #setKeyStorePath(String)}
	 */
	@Deprecated
	public void setKeyStore(String keyStorePath)
	{
		checkNotStarted();

		_keyStorePath = keyStorePath;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return The provider of the key store
	 */
	public String getKeyStoreProvider()
	{
		return _keyStoreProvider;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param keyStoreProvider
	 *            The provider of the key store
	 */
	public void setKeyStoreProvider(String keyStoreProvider)
	{
		checkNotStarted();

		_keyStoreProvider = keyStoreProvider;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return The type of the key store (default "JKS")
	 */
	public String getKeyStoreType()
	{
		return (_keyStoreType);
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param keyStoreType
	 *            The type of the key store (default "JKS")
	 */
	public void setKeyStoreType(String keyStoreType)
	{
		checkNotStarted();

		_keyStoreType = keyStoreType;
	}

	/* ------------------------------------------------------------ */
	/** Get the _keyStoreInputStream.
	 * @return the _keyStoreInputStream
	 *
	 * @deprecated
	 */
	@Deprecated
	public InputStream getKeyStoreInputStream()
	{
		checkKeyStore();

		return _keyStoreInputStream;
	}

	/* ------------------------------------------------------------ */
	/** Set the keyStoreInputStream.
	 * @param keyStoreInputStream the InputStream to the KeyStore
	 *
	 * @deprecated Use {@link #setKeyStore(KeyStore)}
	 */
	@Deprecated
	public void setKeyStoreInputStream(InputStream keyStoreInputStream)
	{
		checkNotStarted();

		_keyStoreInputStream = keyStoreInputStream;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return Alias of SSL certificate for the connector
	 */
	public String getCertAlias()
	{
		return _certAlias;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param certAlias
	 *            Alias of SSL certificate for the connector
	 */
	public void setCertAlias(String certAlias)
	{
		checkNotStarted();

		_certAlias = certAlias;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return The file name or URL of the trust store location
	 */
	public String getTrustStore()
	{
		return _trustStorePath;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param trustStorePath
	 *            The file name or URL of the trust store location
	 */
	public void setTrustStore(String trustStorePath)
	{
		checkNotStarted();

		_trustStorePath = trustStorePath;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return The provider of the trust store
	 */
	public String getTrustStoreProvider()
	{
		return _trustStoreProvider;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param trustStoreProvider
	 *            The provider of the trust store
	 */
	public void setTrustStoreProvider(String trustStoreProvider)
	{
		checkNotStarted();

		_trustStoreProvider = trustStoreProvider;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return The type of the trust store (default "JKS")
	 */
	public String getTrustStoreType()
	{
		return _trustStoreType;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param trustStoreType
	 *            The type of the trust store (default "JKS")
	 */
	public void setTrustStoreType(String trustStoreType)
	{
		checkNotStarted();

		_trustStoreType = trustStoreType;
	}

	/* ------------------------------------------------------------ */
	/** Get the _trustStoreInputStream.
	 * @return the _trustStoreInputStream
	 *
	 * @deprecated
	 */
	@Deprecated
	public InputStream getTrustStoreInputStream()
	{
		checkKeyStore();

		return _trustStoreInputStream;
	}

	/* ------------------------------------------------------------ */
	/** Set the _trustStoreInputStream.
	 * @param trustStoreInputStream the InputStream to the TrustStore
	 *
	 * @deprecated
	 */
	@Deprecated
	public void setTrustStoreInputStream(InputStream trustStoreInputStream)
	{
		checkNotStarted();

		_trustStoreInputStream = trustStoreInputStream;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return True if SSL needs client authentication.
	 * @see SSLEngine#getNeedClientAuth()
	 */
	public boolean getNeedClientAuth()
	{
		return _needClientAuth;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param needClientAuth
	 *            True if SSL needs client authentication.
	 * @see SSLEngine#getNeedClientAuth()
	 */
	public void setNeedClientAuth(boolean needClientAuth)
	{
		checkNotStarted();

		_needClientAuth = needClientAuth;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return True if SSL wants client authentication.
	 * @see SSLEngine#getWantClientAuth()
	 */
	public boolean getWantClientAuth()
	{
		return _wantClientAuth;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param wantClientAuth
	 *            True if SSL wants client authentication.
	 * @see SSLEngine#getWantClientAuth()
	 */
	public void setWantClientAuth(boolean wantClientAuth)
	{
		checkNotStarted();

		_wantClientAuth = wantClientAuth;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return true if SSL certificate has to be validated
	 * @deprecated
	 */
	@Deprecated
	public boolean getValidateCerts()
	{
		return _validateCerts;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return true if SSL certificate has to be validated
	 */
	public boolean isValidateCerts()
	{
		return _validateCerts;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param validateCerts
	 *            true if SSL certificates have to be validated
	 */
	public void setValidateCerts(boolean validateCerts)
	{
		checkNotStarted();

		_validateCerts = validateCerts;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return true if SSL certificates of the peer have to be validated
	 */
	public boolean isValidatePeerCerts()
	{
		return _validatePeerCerts;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param validatePeerCerts
	 *            true if SSL certificates of the peer have to be validated
	 */
	public void setValidatePeerCerts(boolean validatePeerCerts)
	{
		checkNotStarted();

		_validatePeerCerts = validatePeerCerts;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return True if SSL re-negotiation is allowed (default false)
	 */
	public boolean isAllowRenegotiate()
	{
		return _allowRenegotiate;
	}

	/* ------------------------------------------------------------ */
	/**
	 * Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered
	 * a vulnerability in SSL/TLS with re-negotiation.  If your JVM
	 * does not have CVE-2009-3555 fixed, then re-negotiation should
	 * not be allowed.  CVE-2009-3555 was fixed in Sun java 1.6 with a ban
	 * of renegotiates in u19 and with RFC5746 in u22.
	 *
	 * @param allowRenegotiate
	 *            true if re-negotiation is allowed (default false)
	 */
	public void setAllowRenegotiate(boolean allowRenegotiate)
	{
		checkNotStarted();

		_allowRenegotiate = allowRenegotiate;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param password
	 *            The password for the key store
	 */
	public void setKeyStorePassword(String password)
	{
		checkNotStarted();

		_keyStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param password
	 *            The password (if any) for the specific key within the key store
	 */
	public void setKeyManagerPassword(String password)
	{
		checkNotStarted();

		_keyManagerPassword = Password.getPassword(KEYPASSWORD_PROPERTY,password,null);
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param password
	 *            The password for the trust store
	 */
	public void setTrustStorePassword(String password)
	{
		checkNotStarted();

		_trustStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return The SSL provider name, which if set is passed to
	 * {@link SSLContext#getInstance(String, String)}
	 */
	public String getProvider()
	{
		return _sslProvider;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param provider
	 *            The SSL provider name, which if set is passed to
	 *            {@link SSLContext#getInstance(String, String)}
	 */
	public void setProvider(String provider)
	{
		checkNotStarted();

		_sslProvider = provider;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return The SSL protocol (default "TLS") passed to
	 * {@link SSLContext#getInstance(String, String)}
	 */
	public String getProtocol()
	{
		return _sslProtocol;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param protocol
	 *            The SSL protocol (default "TLS") passed to
	 *            {@link SSLContext#getInstance(String, String)}
	 */
	public void setProtocol(String protocol)
	{
		checkNotStarted();

		_sslProtocol = protocol;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return The algorithm name, which if set is passed to
	 * {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom} instance passed to
	 * {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)}
	 */
	public String getSecureRandomAlgorithm()
	{
		return _secureRandomAlgorithm;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param algorithm
	 *            The algorithm name, which if set is passed to
	 *            {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom} instance passed to
	 *            {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)}
	 */
	public void setSecureRandomAlgorithm(String algorithm)
	{
		checkNotStarted();

		_secureRandomAlgorithm = algorithm;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return The algorithm name (default "SunX509") used by the {@link KeyManagerFactory}
	 */
	public String getSslKeyManagerFactoryAlgorithm()
	{
		return (_keyManagerFactoryAlgorithm);
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param algorithm
	 *            The algorithm name (default "SunX509") used by the {@link KeyManagerFactory}
	 */
	public void setSslKeyManagerFactoryAlgorithm(String algorithm)
	{
		checkNotStarted();

		_keyManagerFactoryAlgorithm = algorithm;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return The algorithm name (default "SunX509") used by the {@link TrustManagerFactory}
	 */
	public String getTrustManagerFactoryAlgorithm()
	{
		return (_trustManagerFactoryAlgorithm);
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return True if all certificates should be trusted if there is no KeyStore or TrustStore
	 */
	public boolean isTrustAll()
	{
		return _trustAll;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param trustAll True if all certificates should be trusted if there is no KeyStore or TrustStore
	 */
	public void setTrustAll(boolean trustAll)
	{
		_trustAll = trustAll;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param algorithm
	 *            The algorithm name (default "SunX509") used by the {@link TrustManagerFactory}
	 *            Use the string "TrustAll" to install a trust manager that trusts all.
	 */
	public void setTrustManagerFactoryAlgorithm(String algorithm)
	{
		checkNotStarted();

		_trustManagerFactoryAlgorithm = algorithm;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return Path to file that contains Certificate Revocation List
	 */
	public String getCrlPath()
	{
		return _crlPath;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param crlPath
	 *            Path to file that contains Certificate Revocation List
	 */
	public void setCrlPath(String crlPath)
	{
		checkNotStarted();

		_crlPath = crlPath;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return Maximum number of intermediate certificates in
	 * the certification path (-1 for unlimited)
	 */
	public int getMaxCertPathLength()
	{
		return _maxCertPathLength;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param maxCertPathLength
	 *            maximum number of intermediate certificates in
	 *            the certification path (-1 for unlimited)
	 */
	public void setMaxCertPathLength(int maxCertPathLength)
	{
		checkNotStarted();

		_maxCertPathLength = maxCertPathLength;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return The SSLContext
	 */
	public SSLContext getSslContext()
	{
		if (!isStarted())
			throw new IllegalStateException(getState());
		return _context;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @param sslContext
	 *            Set a preconfigured SSLContext
	 */
	public void setSslContext(SSLContext sslContext)
	{
		checkNotStarted();

		_context = sslContext;
	}

	/* ------------------------------------------------------------ */
	/**
	 * Override this method to provide alternate way to load a keystore.
	 *
	 * @return the key store instance
	 * @throws Exception if the keystore cannot be loaded
	 */
	protected KeyStore loadKeyStore() throws Exception
	{
		return _keyStore != null ? _keyStore : getKeyStore(_keyStoreInputStream,
				_keyStorePath, _keyStoreType, _keyStoreProvider,
				_keyStorePassword==null? null: _keyStorePassword.toString());
	}

	/* ------------------------------------------------------------ */
	/**
	 * Override this method to provide alternate way to load a truststore.
	 *
	 * @return the key store instance
	 * @throws Exception if the truststore cannot be loaded
	 */
	protected KeyStore loadTrustStore() throws Exception
	{
		return _trustStore != null ? _trustStore : getKeyStore(_trustStoreInputStream,
				_trustStorePath, _trustStoreType,  _trustStoreProvider,
				_trustStorePassword==null? null: _trustStorePassword.toString());
	}

	/* ------------------------------------------------------------ */
	/**
	 * Loads keystore using an input stream or a file path in the same
	 * order of precedence.
	 *
	 * Required for integrations to be able to override the mechanism
	 * used to load a keystore in order to provide their own implementation.
	 *
	 * @param storeStream keystore input stream
	 * @param storePath path of keystore file
	 * @param storeType keystore type
	 * @param storeProvider keystore provider
	 * @param storePassword keystore password
	 * @return created keystore
	 * @throws Exception if the keystore cannot be obtained
	 *
	 * @deprecated
	 */
	@Deprecated
	protected KeyStore getKeyStore(InputStream storeStream, String storePath, String storeType, String storeProvider, String storePassword) throws Exception
	{
		return CertificateUtils.getKeyStore(storeStream, storePath, storeType, storeProvider, storePassword);
	}

	/* ------------------------------------------------------------ */
	/**
	 * Loads certificate revocation list (CRL) from a file.
	 *
	 * Required for integrations to be able to override the mechanism used to
	 * load CRL in order to provide their own implementation.
	 *
	 * @param crlPath path of certificate revocation list file
	 * @return Collection of CRL's
	 * @throws Exception if the certificate revocation list cannot be loaded
	 */
	protected Collection<? extends CRL> loadCRL(String crlPath) throws Exception
	{
		return CertificateUtils.loadCRL(crlPath);
	}

	/* ------------------------------------------------------------ */
	protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
	{
		KeyManager[] managers = null;

		if (keyStore != null)
		{
			KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(_keyManagerFactoryAlgorithm);
			keyManagerFactory.init(keyStore,_keyManagerPassword == null?(_keyStorePassword == null?null:_keyStorePassword.toString().toCharArray()):_keyManagerPassword.toString().toCharArray());
			managers = keyManagerFactory.getKeyManagers();

			if (_certAlias != null)
			{
				for (int idx = 0; idx < managers.length; idx++)
				{
					if (managers[idx] instanceof X509KeyManager)
					{
						managers[idx] = new AliasedX509ExtendedKeyManager(_certAlias,(X509KeyManager)managers[idx]);
					}
				}
			}
		}

		return managers;
	}

	/* ------------------------------------------------------------ */
	protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
	{
		TrustManager[] managers = null;
		if (trustStore != null)
		{
			// Revocation checking is only supported for PKIX algorithm
			if (_validatePeerCerts && _trustManagerFactoryAlgorithm.equalsIgnoreCase("PKIX"))
			{
				PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore,new X509CertSelector());

				// Set maximum certification path length
				pbParams.setMaxPathLength(_maxCertPathLength);

				// Make sure revocation checking is enabled
				pbParams.setRevocationEnabled(true);

				if (crls != null && !crls.isEmpty())
				{
					pbParams.addCertStore(CertStore.getInstance("Collection",new CollectionCertStoreParameters(crls)));
				}

				if (_enableCRLDP)
				{
					// Enable Certificate Revocation List Distribution Points (CRLDP) support
					System.setProperty("com.sun.security.enableCRLDP","true");
				}

				if (_enableOCSP)
				{
					// Enable On-Line Certificate Status Protocol (OCSP) support
					Security.setProperty("ocsp.enable","true");

					if (_ocspResponderURL != null)
					{
						// Override location of OCSP Responder
						Security.setProperty("ocsp.responderURL", _ocspResponderURL);
					}
				}

				TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
				trustManagerFactory.init(new CertPathTrustManagerParameters(pbParams));

				managers = trustManagerFactory.getTrustManagers();
			}
			else
			{
				TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
				trustManagerFactory.init(trustStore);

				managers = trustManagerFactory.getTrustManagers();
			}
		}

		return managers;
	}

	/* ------------------------------------------------------------ */
	/**
	 * Check KeyStore Configuration. Ensures that if keystore has been
	 * configured but there's no truststore, that keystore is
	 * used as truststore.
	 * @throws IllegalStateException if SslContextFactory configuration can't be used.
	 */
	public void checkKeyStore()
	{
		if (_context != null)
			return; //nothing to check if using preconfigured context


		if (_keyStore == null && _keyStoreInputStream == null && _keyStorePath == null)
			throw new IllegalStateException("SSL doesn't have a valid keystore");

		// if the keystore has been configured but there is no
		// truststore configured, use the keystore as the truststore
		if (_trustStore == null && _trustStoreInputStream == null && _trustStorePath == null)
		{
			_trustStore = _keyStore;
			_trustStorePath = _keyStorePath;
			_trustStoreInputStream = _keyStoreInputStream;
			_trustStoreType = _keyStoreType;
			_trustStoreProvider = _keyStoreProvider;
			_trustStorePassword = _keyStorePassword;
			_trustManagerFactoryAlgorithm = _keyManagerFactoryAlgorithm;
		}

		// It's the same stream we cannot read it twice, so read it once in memory
		if (_keyStoreInputStream != null && _keyStoreInputStream == _trustStoreInputStream)
		{
			try
			{
				ByteArrayOutputStream baos = new ByteArrayOutputStream();
				IO.copy(_keyStoreInputStream, baos);
				_keyStoreInputStream.close();

				_keyStoreInputStream = new ByteArrayInputStream(baos.toByteArray());
				_trustStoreInputStream = new ByteArrayInputStream(baos.toByteArray());
			}
			catch (Exception ex)
			{
				throw new IllegalStateException(ex);
			}
		}
	}

	/* ------------------------------------------------------------ */
	/**
	 * Select protocols to be used by the connector
	 * based on configured inclusion and exclusion lists
	 * as well as enabled and supported protocols.
	 * @param enabledProtocols Array of enabled protocols
	 * @param supportedProtocols Array of supported protocols
	 * @return Array of protocols to enable
	 */
	public String[] selectProtocols(String[] enabledProtocols, String[] supportedProtocols)
	{
		Set<String> selected_protocols = new LinkedHashSet<String>();

		// Set the starting protocols - either from the included or enabled list
		if (_includeProtocols!=null)
		{
			// Use only the supported included protocols
			for (String protocol : _includeProtocols)
				if(Arrays.asList(supportedProtocols).contains(protocol))
					selected_protocols.add(protocol);
		}
		else
			selected_protocols.addAll(Arrays.asList(enabledProtocols));


		// Remove any excluded protocols
		if (_excludeProtocols != null)
			selected_protocols.removeAll(_excludeProtocols);

		return selected_protocols.toArray(new String[selected_protocols.size()]);
	}

	/* ------------------------------------------------------------ */
	/**
	 * Select cipher suites to be used by the connector
	 * based on configured inclusion and exclusion lists
	 * as well as enabled and supported cipher suite lists.
	 * @param enabledCipherSuites Array of enabled cipher suites
	 * @param supportedCipherSuites Array of supported cipher suites
	 * @return Array of cipher suites to enable
	 */
	public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
	{
		Set<String> selected_ciphers = new LinkedHashSet<String>();

		// Set the starting ciphers - either from the included or enabled list
		if (_includeCipherSuites!=null)
		{
			// Use only the supported included ciphers
			for (String cipherSuite : _includeCipherSuites)
				if(Arrays.asList(supportedCipherSuites).contains(cipherSuite))
					selected_ciphers.add(cipherSuite);
		}
		else
			selected_ciphers.addAll(Arrays.asList(enabledCipherSuites));


		// Remove any excluded ciphers
		if (_excludeCipherSuites != null)
			selected_ciphers.removeAll(_excludeCipherSuites);
		return selected_ciphers.toArray(new String[selected_ciphers.size()]);
	}

	/* ------------------------------------------------------------ */
	/**
	 * Check if the lifecycle has been started and throw runtime exception
	 */
	protected void checkNotStarted()
	{
		if (isStarted())
			throw new IllegalStateException("Cannot modify configuration when "+getState());
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return true if CRL Distribution Points support is enabled
	 */
	public boolean isEnableCRLDP()
	{
		return _enableCRLDP;
	}

	/* ------------------------------------------------------------ */
	/** Enables CRL Distribution Points Support
	 * @param enableCRLDP true - turn on, false - turns off
	 */
	public void setEnableCRLDP(boolean enableCRLDP)
	{
		checkNotStarted();

		_enableCRLDP = enableCRLDP;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return true if On-Line Certificate Status Protocol support is enabled
	 */
	public boolean isEnableOCSP()
	{
		return _enableOCSP;
	}

	/* ------------------------------------------------------------ */
	/** Enables On-Line Certificate Status Protocol support
	 * @param enableOCSP true - turn on, false - turn off
	 */
	public void setEnableOCSP(boolean enableOCSP)
	{
		checkNotStarted();

		_enableOCSP = enableOCSP;
	}

	/* ------------------------------------------------------------ */
	/**
	 * @return Location of the OCSP Responder
	 */
	public String getOcspResponderURL()
	{
		return _ocspResponderURL;
	}

	/* ------------------------------------------------------------ */
	/** Set the location of the OCSP Responder.
	 * @param ocspResponderURL location of the OCSP Responder
	 */
	public void setOcspResponderURL(String ocspResponderURL)
	{
		checkNotStarted();

		_ocspResponderURL = ocspResponderURL;
	}

	/* ------------------------------------------------------------ */
	/** Set the key store.
	 * @param keyStore the key store to set
	 */
	public void setKeyStore(KeyStore keyStore)
	{
		checkNotStarted();

		_keyStore = keyStore;
	}

	/* ------------------------------------------------------------ */
	/** Set the trust store.
	 * @param trustStore the trust store to set
	 */
	public void setTrustStore(KeyStore trustStore)
	{
		checkNotStarted();

		_trustStore = trustStore;
	}

	/* ------------------------------------------------------------ */
	/** Set the key store resource.
	 * @param resource the key store resource to set
	 */
	public void setKeyStoreResource(Resource resource)
	{
		checkNotStarted();

		try
		{
			_keyStoreInputStream = resource.getInputStream();
		}
		catch (IOException e)
		{
			 throw new InvalidParameterException("Unable to get resource "+
					 "input stream for resource "+resource.toString());
		}
	}

	/* ------------------------------------------------------------ */
	/** Set the trust store resource.
	 * @param resource the trust store resource to set
	 */
	public void setTrustStoreResource(Resource resource)
	{
		checkNotStarted();

		try
		{
			_trustStoreInputStream = resource.getInputStream();
		}
		catch (IOException e)
		{
			 throw new InvalidParameterException("Unable to get resource "+
					 "input stream for resource "+resource.toString());
		}
	}

	/* ------------------------------------------------------------ */
	/**
	* @return true if SSL Session caching is enabled
	*/
	public boolean isSessionCachingEnabled()
	{
		return _sessionCachingEnabled;
	}

	/* ------------------------------------------------------------ */
	/** Set the flag to enable SSL Session caching.
	* @param enableSessionCaching the value of the flag
	*/
	public void setSessionCachingEnabled(boolean enableSessionCaching)
	{
		_sessionCachingEnabled = enableSessionCaching;
	}

	/* ------------------------------------------------------------ */
	/** Get SSL session cache size.
	 * @return SSL session cache size
	 */
	public int getSslSessionCacheSize()
	{
		return _sslSessionCacheSize;
	}

	/* ------------------------------------------------------------ */
	/** SEt SSL session cache size.
	 * @param sslSessionCacheSize SSL session cache size to set
	 */
	public void setSslSessionCacheSize(int sslSessionCacheSize)
	{
		_sslSessionCacheSize = sslSessionCacheSize;
	}

	/* ------------------------------------------------------------ */
	/** Get SSL session timeout.
	 * @return SSL session timeout
	 */
	public int getSslSessionTimeout()
	{
		return _sslSessionTimeout;
	}

	/* ------------------------------------------------------------ */
	/** Set SSL session timeout.
	 * @param sslSessionTimeout SSL session timeout to set
	 */
	public void setSslSessionTimeout(int sslSessionTimeout)
	{
		_sslSessionTimeout = sslSessionTimeout;
	}


	/* ------------------------------------------------------------ */
	public SSLServerSocket newSslServerSocket(String host,int port,int backlog) throws IOException
	{
		SSLServerSocketFactory factory = _context.getServerSocketFactory();

		SSLServerSocket socket =
			(SSLServerSocket) (host==null ?
						factory.createServerSocket(port,backlog):
						factory.createServerSocket(port,backlog,InetAddress.getByName(host)));

		if (getWantClientAuth())
			socket.setWantClientAuth(getWantClientAuth());
		if (getNeedClientAuth())
			socket.setNeedClientAuth(getNeedClientAuth());

		socket.setEnabledCipherSuites(selectCipherSuites(
											socket.getEnabledCipherSuites(),
											socket.getSupportedCipherSuites()));
		socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols()));

		return socket;
	}

	/* ------------------------------------------------------------ */
	public SSLSocket newSslSocket() throws IOException
	{
		SSLSocketFactory factory = _context.getSocketFactory();

		SSLSocket socket = (SSLSocket)factory.createSocket();

		if (getWantClientAuth())
			socket.setWantClientAuth(getWantClientAuth());
		if (getNeedClientAuth())
			socket.setNeedClientAuth(getNeedClientAuth());

		socket.setEnabledCipherSuites(selectCipherSuites(
											socket.getEnabledCipherSuites(),
											socket.getSupportedCipherSuites()));
		socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols()));

		return socket;
	}

	/* ------------------------------------------------------------ */
	public SSLEngine newSslEngine(String host,int port)
	{
		SSLEngine sslEngine=isSessionCachingEnabled()
			?_context.createSSLEngine(host, port)
			:_context.createSSLEngine();

		customize(sslEngine);
		return sslEngine;
	}

	/* ------------------------------------------------------------ */
	public SSLEngine newSslEngine()
	{
		SSLEngine sslEngine=_context.createSSLEngine();
		customize(sslEngine);
		return sslEngine;
	}

	/* ------------------------------------------------------------ */
	public void customize(SSLEngine sslEngine)
	{
		if (getWantClientAuth())
			sslEngine.setWantClientAuth(getWantClientAuth());
		if (getNeedClientAuth())
			sslEngine.setNeedClientAuth(getNeedClientAuth());

		sslEngine.setEnabledCipherSuites(selectCipherSuites(
				sslEngine.getEnabledCipherSuites(),
				sslEngine.getSupportedCipherSuites()));

		sslEngine.setEnabledProtocols(selectProtocols(sslEngine.getEnabledProtocols(),sslEngine.getSupportedProtocols()));
	}

	/* ------------------------------------------------------------ */
	public String toString()
	{
		return String.format("%s@%x(%s,%s)",
				getClass().getSimpleName(),
				hashCode(),
				_keyStorePath,
				_trustStorePath);
	}
}