SSLSocketFactory
extends Objectimplements LayeredSchemeSocketFactory LayeredSocketFactory
| java.lang.Object | |
| ↳ | org.apache.http.conn.ssl.SSLSocketFactory |
Class Overview
Layered socket factory for TLS/SSL connections.
SSLSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates and to authenticate to the HTTPS server using a private key.
SSLSocketFactory will enable server authentication when supplied with a KeyStore trust-store file containing one or several trusted certificates. The client secure socket will reject the connection during the SSL session handshake if the target HTTPS server attempts to authenticate itself with a non-trusted certificate.
Use JDK keytool utility to import a trusted certificate and generate a trust-store file:
keytool -import -alias "my server cert" -file server.crt -keystore my.truststore
In special cases the standard trust verification process can be bypassed by using a custom
TrustStrategy. This interface is primarily intended for allowing self-signed
certificates to be accepted as trusted without having to add them to the trust-store file.
The following parameters can be used to customize the behavior of this class:
SSLSocketFactory will enable client authentication when supplied with a KeyStore key-store file containing a private key/public certificate pair. The client secure socket will use the private key to authenticate itself to the target HTTPS server during the SSL session handshake if requested to do so by the server. The target HTTPS server will in its turn verify the certificate presented by the client in order to establish client's authenticity
Use the following sequence of actions to generate a key-store file
-
Use JDK keytool utility to generate a new key
keytool -genkey -v -alias "my client key" -validity 365 -keystore my.keystore
For simplicity use the same password for the key as that of the key-store -
Issue a certificate signing request (CSR)
keytool -certreq -alias "my client key" -file mycertreq.csr -keystore my.keystore
-
Send the certificate request to the trusted Certificate Authority for signature. One may choose to act as her own CA and sign the certificate request using a PKI tool, such as OpenSSL.
-
Import the trusted CA root certificate
keytool -import -alias "my trusted ca" -file caroot.crt -keystore my.keystore
-
Import the PKCS#7 file containg the complete certificate chain
keytool -import -alias "my client key" -file mycert.p7 -keystore my.keystore
-
Verify the content the resultant keystore file
keytool -list -v -keystore my.keystore
Summary
| Constants | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| String | SSL | ||||||||||
| String | SSLV2 | ||||||||||
| String | TLS | ||||||||||
| Fields | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| ALLOW_ALL_HOSTNAME_VERIFIER | |||||||||||
| BROWSER_COMPATIBLE_HOSTNAME_VERIFIER | |||||||||||
| STRICT_HOSTNAME_VERIFIER | |||||||||||
| Public Methods | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
Connects a socket to the target host with the given remote address.
| |||||||||||
This method is deprecated.
Use
connectSocket(Socket, InetSocketAddress, InetSocketAddress, HttpParams)
| |||||||||||
Returns a socket connected to the given host that is layered over an
existing socket.
| |||||||||||
This method is deprecated.
Use
createLayeredSocket(Socket, String, int, boolean)
| |||||||||||
Creates a new, unconnected socket.
| |||||||||||
Creates a new, unconnected socket.
| |||||||||||
Gets the default factory, which uses the default JVM settings for secure
connections.
| |||||||||||
Checks whether a socket connection is secure.
| |||||||||||
|
[Expand]
Inherited Methods | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
From class
java.lang.Object
| |||||||||||
|
From interface
org.apache.http.conn.scheme.LayeredSchemeSocketFactory
| |||||||||||
|
From interface
org.apache.http.conn.scheme.LayeredSocketFactory
| |||||||||||
|
From interface
org.apache.http.conn.scheme.SchemeSocketFactory
| |||||||||||
|
From interface
org.apache.http.conn.scheme.SocketFactory
| |||||||||||
Constants
Fields
Public Constructors
public SSLSocketFactory (String algorithm, KeyStore keystore, String keystorePassword, KeyStore truststore, SecureRandom random, HostNameResolver nameResolver)
This constructor is deprecated.
Use SSLSocketFactory(String, KeyStore, String, KeyStore, SecureRandom, X509HostnameVerifier)
public SSLSocketFactory (String algorithm, KeyStore keystore, String keystorePassword, KeyStore truststore, SecureRandom random, X509HostnameVerifier hostnameVerifier)
public SSLSocketFactory (String algorithm, KeyStore keystore, String keystorePassword, KeyStore truststore, SecureRandom random, TrustStrategy trustStrategy, X509HostnameVerifier hostnameVerifier)
public SSLSocketFactory (KeyStore keystore, String keystorePassword, KeyStore truststore)
public SSLSocketFactory (KeyStore keystore, String keystorePassword)
public SSLSocketFactory (KeyStore truststore)
public SSLSocketFactory (TrustStrategy trustStrategy, X509HostnameVerifier hostnameVerifier)
public SSLSocketFactory (TrustStrategy trustStrategy)
public SSLSocketFactory (SSLContext sslContext, HostNameResolver nameResolver)
public SSLSocketFactory (SSLContext sslContext, X509HostnameVerifier hostnameVerifier)
Public Methods
public Socket connectSocket (Socket socket, InetSocketAddress remoteAddress, InetSocketAddress localAddress, HttpParams params)
Connects a socket to the target host with the given remote address.
Parameters
| socket | the socket to connect, as obtained from
createSocket.
null indicates that a new socket
should be created and connected. |
|---|---|
| remoteAddress | the remote address to connect to |
| localAddress | the local address to bind the socket to, or
null for any |
| params | additional parameters for connecting |
Returns
- the connected socket. The returned object may be different
from the
sockargument if this factory supports a layered protocol.
public Socket connectSocket (Socket socket, String host, int port, InetAddress localAddress, int localPort, HttpParams params)
This method is deprecated.
Use connectSocket(Socket, InetSocketAddress, InetSocketAddress, HttpParams)
Connects a socket to the given host.
Parameters
| socket | the socket to connect, as obtained from
createSocket.
null indicates that a new socket
should be created and connected. |
|---|---|
| host | the host to connect to |
| port | the port to connect to on the host |
| localAddress | the local address to bind the socket to, or
null for any |
| localPort | the port on the local machine, 0 or a negative number for any |
| params | additional parameters for connecting |
Returns
- the connected socket. The returned object may be different
from the
sockargument if this factory supports a layered protocol.
public Socket createLayeredSocket (Socket socket, String host, int port, boolean autoClose)
Returns a socket connected to the given host that is layered over an existing socket. Used primarily for creating secure sockets through proxies.
Parameters
| socket | the existing socket |
|---|---|
| host | the name of the target host. |
| port | the port to connect to on the target host |
| autoClose | a flag for closing the underling socket when the created socket is closed |
Returns
- Socket a new socket
Throws
| IOException | |
|---|---|
| UnknownHostException |
public Socket createSocket (Socket socket, String host, int port, boolean autoClose)
This method is deprecated.
Use createLayeredSocket(Socket, String, int, boolean)
Returns a socket connected to the given host that is layered over an existing socket. Used primarily for creating secure sockets through proxies.
Parameters
| socket | the existing socket |
|---|---|
| host | the host name/IP |
| port | the port on the host |
| autoClose | a flag for closing the underling socket when the created socket is closed |
Returns
- Socket a new socket
Throws
| IOException | |
|---|---|
| UnknownHostException |
public Socket createSocket ()
Creates a new, unconnected socket.
The socket should subsequently be passed to
connectSocket.
Returns
- a new socket
Throws
| IOException |
|---|
public Socket createSocket (HttpParams params)
Creates a new, unconnected socket. The socket should subsequently be passed to
connectSocket(Socket, InetSocketAddress, InetSocketAddress, HttpParams).
Parameters
| params | Optional parameters. Parameters passed to this method will have no effect.
This method will create a unconnected instance of Socket class. |
|---|
Returns
- a new socket
Throws
| IOException |
|---|
public static SSLSocketFactory getSocketFactory ()
Gets the default factory, which uses the default JVM settings for secure connections.
Returns
- the default factory
public boolean isSecure (Socket sock)
Checks whether a socket connection is secure.
This factory creates TLS/SSL socket connections
which, by default, are considered secure.
Derived classes may override this method to perform
runtime checks, for example based on the cypher suite.
Parameters
| sock | the connected socket |
|---|
Returns
true
Throws
| IllegalArgumentException | if the argument is invalid |
|---|