net.i2p.util
Class I2PSSLSocketFactory

java.lang.Object
  extended by net.i2p.util.I2PSSLSocketFactory

public class I2PSSLSocketFactory
extends Object

Loads trusted ASCII certs from ~/.i2p/certificates/ and $I2P/certificates/. TODO extend SSLSocketFactory

Since:
0.9.9 moved from ../client, original since 0.8.3
Author:
zzz

Field Summary
static List<String> EXCLUDE_CIPHERS
          We exclude everything that Java 8 disables by default, plus some others.
static List<String> EXCLUDE_PROTOCOLS
          Unmodifiable.
static List<String> INCLUDE_CIPHERS
          Nothing for now.
static List<String> INCLUDE_PROTOCOLS
          Java 7 does not enable 1.1 or 1.2 by default on the client side.
 
Constructor Summary
I2PSSLSocketFactory(I2PAppContext context, boolean loadSystemCerts, String relativeCertPath)
 
Method Summary
 Socket createSocket(InetAddress host, int port)
          Returns a socket to the host.
 Socket createSocket(String host, int port)
          Returns a socket to the host.
static void setProtocolsAndCiphers(SSLServerSocket socket)
          Select protocols and cipher suites to be used based on configured inclusion and exclusion lists as well as enabled and supported protocols and cipher suites.
static void setProtocolsAndCiphers(SSLSocket socket)
          Select protocols and cipher suites to be used based on configured inclusion and exclusion lists as well as enabled and supported protocols and cipher suites.
static void verifyHostname(I2PAppContext ctx, SSLSocket socket, String host)
          Validate the hostname. References: https://developer.android.com/training/articles/security-ssl.html, http://op-co.de/blog/posts/java_sslsocket_mitm/, http://kevinlocke.name/bits/2012/10/03/ssl-certificate-verification-in-dispatch-and-asynchttpclient/
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

EXCLUDE_PROTOCOLS

public static final List<String> EXCLUDE_PROTOCOLS
Unmodifiable. Public for RouterConsoleRunner.

Since:
0.9.16

INCLUDE_PROTOCOLS

public static final List<String> INCLUDE_PROTOCOLS
Java 7 does not enable TLS 1.1 or 1.2 by default on the client side; Java 8 does. ref: http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html. Unmodifiable. Public for RouterConsoleRunner.

Since:
0.9.16

EXCLUDE_CIPHERS

public static final List<String> EXCLUDE_CIPHERS
We exclude everything that Java 8 disables by default, plus some others. ref: http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html. Unmodifiable. Public for RouterConsoleRunner.

Since:
0.9.16

INCLUDE_CIPHERS

public static final List<String> INCLUDE_CIPHERS
Nothing for now. There's nothing disabled by default we would want to enable. Unmodifiable. Public for RouterConsoleRunner.

Since:
0.9.16
Constructor Detail

I2PSSLSocketFactory

public I2PSSLSocketFactory(I2PAppContext context,
                           boolean loadSystemCerts,
                           String relativeCertPath)
                    throws GeneralSecurityException
Parameters:
relativeCertPath - e.g. "certificates/i2cp"
Throws:
GeneralSecurityException
Since:
0.9.9 was static
Method Detail

createSocket

public Socket createSocket(String host,
                           int port)
                    throws IOException
Returns a socket to the host. A host argument that's an IP address (instead of a host name) is not recommended, as this will probably fail SSL certificate validation. Hostname validation is skipped for localhost addresses, but you still must trust the certificate.

Throws:
IOException

createSocket

public Socket createSocket(InetAddress host,
                           int port)
                    throws IOException
Returns a socket to the host. An InetAddress argument created with an IP address (instead of a host name) is not recommended, as this will perform a reverse DNS lookup to get the host name for certificate validation, which will probably then fail. Hostname validation is skipped for localhost addresses, but you still must trust the certificate.

Throws:
IOException
Since:
0.9.9

verifyHostname

public static void verifyHostname(I2PAppContext ctx,
                                  SSLSocket socket,
                                  String host)
                           throws SSLException
Validate the hostname. References: https://developer.android.com/training/articles/security-ssl.html, http://op-co.de/blog/posts/java_sslsocket_mitm/, http://kevinlocke.name/bits/2012/10/03/ssl-certificate-verification-in-dispatch-and-asynchttpclient/

Throws:
SSLException - on hostname verification failure
Since:
0.9.20
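Added example, not I2P's code: the two standard JSSE ways to perform the hostname check that a plain SSLSocket omits (the problem the references above describe), namely the Java 7+ endpoint identification setting and an explicit post-handshake comparison against the leaf certificate's dNSName SANs. The wildcard rule (exactly one left-most label) and the fail-closed handling of certificates without SANs are this example's assumptions, not necessarily what I2P's verifyHostname does.

```java
import java.io.IOException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

// Illustration of the check behind verifyHostname(); not I2P's code. A bare SSLSocket
// validates the chain but never compares the certificate's names with the host that was
// dialled, so any certificate from a trusted CA is accepted until a check like this is added.
public class HostnameCheck {
    // Preferred on Java 7+: JSSE performs RFC 2818 matching during the handshake.
    static void enableEndpointIdentification(SSLSocket s) {
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);   // a name mismatch now fails startHandshake()
    }

    // Explicit post-handshake check: dNSName SANs only, exact or one '*.' label.
    static void verifyHostname(SSLSocket s, String host) throws SSLException {
        X509Certificate leaf = (X509Certificate) s.getSession().getPeerCertificates()[0];
        if (!matchesDnsSan(leaf, host)) {
            try { s.close(); } catch (IOException ignored) { }
            throw new SSLException("certificate does not match host " + host);
        }
    }

    static boolean matchesDnsSan(X509Certificate cert, String host) throws SSLException {
        String h = host.toLowerCase(Locale.ROOT);
        Collection<List<?>> sans;
        try {
            sans = cert.getSubjectAlternativeNames();
        } catch (CertificateParsingException e) {
            throw new SSLException("unparseable subjectAltName extension", e);
        }
        if (sans == null) return false;   // no SANs: fail closed, no CN fallback here
        for (List<?> san : sans) {
            if (!Integer.valueOf(2).equals(san.get(0))) continue;   // GeneralName 2 = dNSName
            String name = ((String) san.get(1)).toLowerCase(Locale.ROOT);
            if (name.equals(h)) return true;
            // Wildcard covers exactly one left-most label (www.example.org, not example.org)
            int dot = h.indexOf('.');
            if (name.startsWith("*.") && dot > 0 && h.substring(dot).equals(name.substring(1))) return true;
        }
        return false;
    }
}
```

An IP-address literal never matches a dNSName entry, which is why the createSocket documentation above discourages connecting by address.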

setProtocolsAndCiphers

public static void setProtocolsAndCiphers(SSLSocket socket)
Select protocols and cipher suites to be used based on configured inclusion and exclusion lists as well as enabled and supported protocols and cipher suites. Adapted from Jetty SslContextFactory.java

Since:
0.9.16

setProtocolsAndCiphers

public static void setProtocolsAndCiphers(SSLServerSocket socket)
Select protocols and cipher suites to be used based on configured inclusion and exclusion lists as well as enabled and supported protocols and cipher suites. Adapted from Jetty SslContextFactory.java

Since:
0.9.16
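Added example, not I2P's or Jetty's code, illustrating the selection rule described for both setProtocolsAndCiphers overloads: start from what the provider enables, add included items the provider actually supports, then remove everything excluded. The sample protocol and suite lists are constructed; the exact precedence rule is assumed from the method description.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Illustration of the include/exclude rule described for setProtocolsAndCiphers():
// start from what the provider enables, add included items the provider supports,
// then remove everything excluded. Not I2P's or Jetty's code; the rule is assumed
// from the method description.
public class SuiteSelection {

    static List<String> select(String[] enabled, String[] supported,
                               List<String> include, List<String> exclude) {
        Set<String> supportedSet = new LinkedHashSet<>(Arrays.asList(supported));
        // Start from the provider's defaults, preserving its preference order.
        Set<String> chosen = new LinkedHashSet<>(Arrays.asList(enabled));
        // Included items only if the provider can do them: setEnabledProtocols()
        // throws IllegalArgumentException for names it does not support.
        for (String inc : include) {
            if (supportedSet.contains(inc)) chosen.add(inc);
        }
        // Exclusions win over everything, including provider defaults.
        chosen.removeAll(exclude);
        return new ArrayList<>(chosen);
    }

    public static void main(String[] args) {
        // Constructed sample lists; in practice they come from
        // socket.getEnabledProtocols() and socket.getSupportedProtocols().
        String[] enabledProtocols   = {"SSLv3", "TLSv1"};
        String[] supportedProtocols = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};
        List<String> protocols = select(enabledProtocols, supportedProtocols,
                Arrays.asList("TLSv1.1", "TLSv1.2"), Arrays.asList("SSLv2Hello", "SSLv3"));
        System.out.println("protocols: " + protocols);

        // Same rule for suites; with an empty include list (as INCLUDE_CIPHERS is)
        // the result is just the enabled suites minus the exclusions.
        String[] enabledCiphers = {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                                   "TLS_RSA_WITH_RC4_128_SHA"};
        List<String> ciphers = select(enabledCiphers, enabledCiphers,
                Collections.emptyList(), Arrays.asList("TLS_RSA_WITH_RC4_128_SHA"));
        System.out.println("ciphers: " + ciphers);
        // Apply with socket.setEnabledProtocols(protocols.toArray(new String[0]))
        // and socket.setEnabledCipherSuites(ciphers.toArray(new String[0])).
    }
}
```

With the constructed lists, SSLv3 is dropped even though the provider enabled it by default, and TLSv1.1/1.2 are added because the include list names them and the provider supports them, which is the Java 7 client-side situation the INCLUDE_PROTOCOLS note describes.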