net.lightbody.bmp.mitm.util

Class SslUtil

java.lang.Object

net.lightbody.bmp.mitm.util.SslUtil

public class SslUtil
extends Object

Utility for creating SSLContexts.

Constructor Summary

Constructors

Constructor and Description
SslUtil()

Method Summary

Modifier and Type	Method and Description
static List<String>	getBuiltInCipherList() Returns ciphers from the hard-coded list of "reasonable" default ciphers in DEFAULT_CIPHERS_LIST_RESOURCE.
static List<String>	getDefaultCipherList() Returns a reasonable default cipher list for new client and server SSL connections.
static List<String>	getEnabledJdkCipherSuites() Returns the list of default "enabled" ciphers for server TLS connections, as reported by the default Java security provider.
static X509Certificate	getServerCertificate(SSLSession sslSession) Returns the X509Certificate for the server this session is connected to.
static io.netty.handler.ssl.SslContext	getUpstreamServerSslContext(Collection<String> cipherSuites, TrustSource trustSource) Creates a netty SslContext for use when connecting to upstream servers.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SslUtil

public SslUtil()

Method Detail

getUpstreamServerSslContext

public static io.netty.handler.ssl.SslContext getUpstreamServerSslContext(Collection<String> cipherSuites,
                                                                          TrustSource trustSource)

Creates a netty SslContext for use when connecting to upstream servers. Retrieves the list of trusted root CAs from the trustSource. When trustSource is true, no upstream certificate verification will be performed. This will make it possible for attackers to MITM communications with the upstream server, so always supply an appropriate trustSource except in extraordinary circumstances (e.g. testing with dynamically-generated certificates).

Parameters:

cipherSuites - cipher suites to allow when connecting to the upstream server

trustSource - the trust store that will be used to validate upstream servers' certificates, or null to accept all upstream server certificates

Returns:

an SSLContext to connect to upstream servers with

getServerCertificate

public static X509Certificate getServerCertificate(SSLSession sslSession)

Returns the X509Certificate for the server this session is connected to. The certificate may be null.

Parameters:

sslSession - SSL session connected to upstream server

Returns:

the X.509 certificate from the upstream server, or null if no certificate is available

getEnabledJdkCipherSuites

public static List<String> getEnabledJdkCipherSuites()

Returns the list of default "enabled" ciphers for server TLS connections, as reported by the default Java security provider. This is most likely a subset of "available" ciphers.

Returns:

list of default server ciphers, or an empty list if the default cipher list cannot be loaded

getDefaultCipherList

public static List<String> getDefaultCipherList()

Returns a reasonable default cipher list for new client and server SSL connections. Not all of the ciphers may be supported by the underlying SSL implementation (OpenSsl or JDK). The default list itself may also vary between OpenSsl and JDK implementations. See defaultCipherList for implementation details.

Returns:

default ciphers for client and server connections

getBuiltInCipherList

public static List<String> getBuiltInCipherList()

Returns ciphers from the hard-coded list of "reasonable" default ciphers in DEFAULT_CIPHERS_LIST_RESOURCE.

Returns:

ciphers from the DEFAULT_CIPHERS_LIST_RESOURCE