in java/org/apache/tomcat/jni/SSLContext.java [108:347]
public static native boolean setCipherSuite(long ctx, String ciphers)
throws Exception;
/**
 * Set File of concatenated PEM-encoded CA CRLs or
 * directory of PEM-encoded CA Certificates for Client Auth
 * <br>
 * This directive sets the all-in-one file where you can assemble the
 * Certificate Revocation Lists (CRL) of Certification Authorities (CA)
 * whose clients you deal with. These are used for Client Authentication.
 * Such a file is simply the concatenation of the various PEM-encoded CRL
 * files, in order of preference.
 * <br>
 * The files in this directory have to be PEM-encoded and are accessed through
 * hash filenames. So usually you can't just place the Certificate files there:
 * you also have to create symbolic links named hash-value.N. And you should
 * always make sure this directory contains the appropriate symbolic links.
 * Use the Makefile which comes with mod_ssl to accomplish this task.
 * @param ctx Server or Client context to use.
 * @param file File of concatenated PEM-encoded CA CRLs for Client Auth.
 * @param path Directory of PEM-encoded CA Certificates for Client Auth.
 *             NOTE(review): the description above is about CRLs, so this
 *             directory presumably holds hash-named CRL files rather than
 *             CA certificates - confirm against the native implementation.
 * @return <code>true</code> if the operation was successful
 * @throws Exception An error occurred
 */
public static native boolean setCARevocation(long ctx, String file,
String path)
throws Exception;
/**
 * Set File of PEM-encoded Server CA Certificates
 * <br>
 * This directive sets the optional all-in-one file where you can assemble the
 * certificates of Certification Authorities (CA) which form the certificate
 * chain of the server certificate. This starts with the issuing CA certificate
 * of the server certificate and can range up to the root CA certificate.
 * Such a file is simply the concatenation of the various PEM-encoded CA
 * Certificate files, usually in certificate chain order.
 * <br>
 * But be careful: Providing the certificate chain works only if you are using
 * a single (either RSA or DSA) based server certificate. If you are using a
 * coupled RSA+DSA certificate pair, this will work only if actually both
 * certificates use the same certificate chain. Else the browsers will be
 * confused in this situation.
 * @param ctx Server or Client context to use.
 * @param file File of PEM-encoded Server CA Certificates.
 * @param skipfirst Skip the first certificate in {@code file}; use this when
 * the chain file is the certificate file itself, so that the leaf
 * certificate is not sent twice.
 * @return <code>true</code> if the operation was successful
 */
public static native boolean setCertificateChainFile(long ctx, String file,
boolean skipfirst);
/**
 * Set Certificate
 * <br>
 * Point setCertificateFile at a PEM encoded certificate. If
 * the certificate is encrypted, then you will be prompted for a
 * pass phrase. Note that a kill -HUP will prompt again. A test
 * certificate can be generated with 'make certificate' at
 * build time. Keep in mind that if you've both a RSA and a DSA
 * certificate you can configure both in parallel (to also allow
 * the use of DSA ciphers, etc.)
 * <br>
 * If the key is not combined with the certificate, use key param
 * to point at the key file. Keep in mind that if
 * you've both a RSA and a DSA private key you can configure
 * both in parallel (to also allow the use of DSA ciphers, etc.)
 * @param ctx Server or Client context to use.
 * @param cert Certificate file.
 * @param key Private Key file to use if not in cert.
 * @param password Certificate password. If null and certificate
 * is encrypted, password prompt will be displayed.
 * NOTE(review): being a {@code String}, the pass phrase cannot be
 * cleared from the heap after use; keep it out of logs and
 * exception messages.
 * @param idx Certificate index SSL_AIDX_RSA or SSL_AIDX_DSA.
 * @return <code>true</code> if the operation was successful
 * @throws Exception An error occurred
 */
public static native boolean setCertificate(long ctx, String cert,
String key, String password,
int idx)
throws Exception;
/**
 * Set the size of the internal session cache.
 * http://www.openssl.org/docs/ssl/SSL_CTX_sess_set_cache_size.html
 * @param ctx Server or Client context to use.
 * @param size The cache size (a session count, per the OpenSSL page
 * linked above).
 * @return the value set
 */
public static native long setSessionCacheSize(long ctx, long size);
/**
 * Get the size of the internal session cache.
 * http://www.openssl.org/docs/ssl/SSL_CTX_sess_get_cache_size.html
 * @param ctx Server or Client context to use.
 * @return the currently configured cache size
 */
public static native long getSessionCacheSize(long ctx);
/**
 * Set the timeout for the internal session cache in seconds.
 * http://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html
 * @param ctx Server or Client context to use.
 * @param timeoutSeconds Timeout value, in seconds
 * @return the value set
 */
public static native long setSessionCacheTimeout(long ctx, long timeoutSeconds);
/**
 * Get the timeout for the internal session cache in seconds.
 * http://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html
 * @param ctx Server or Client context to use.
 * @return the timeout, in seconds
 */
public static native long getSessionCacheTimeout(long ctx);
/**
 * Set the mode of the internal session cache and return the previous used mode.
 * @param ctx Server or Client context to use.
 * @param mode The mode to set (presumably an OpenSSL session-cache mode
 * value; the constants are not visible in this file)
 * @return the previously used mode, per the summary above
 */
public static native long setSessionCacheMode(long ctx, long mode);
/**
 * Get the mode of the current used internal session cache.
 * @param ctx Server or Client context to use.
 * @return the mode currently in use
 */
public static native long getSessionCacheMode(long ctx);
/*
* Session resumption statistics methods.
* http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html
*/
/**
 * Session resumption statistic: started SSL/TLS handshakes in server mode
 * (presumably {@code SSL_CTX_sess_accept()}, see the OpenSSL page linked above).
 * @param ctx Server or Client context to use.
 * @return the counter value
 */
public static native long sessionAccept(long ctx);
/**
 * Session resumption statistic: successfully established handshakes in server
 * mode (presumably {@code SSL_CTX_sess_accept_good()}, see the OpenSSL page
 * linked above).
 * @param ctx Server or Client context to use.
 * @return the counter value
 */
public static native long sessionAcceptGood(long ctx);
/**
 * Session resumption statistic: renegotiations started in server mode
 * (presumably {@code SSL_CTX_sess_accept_renegotiate()}, see the OpenSSL page
 * linked above).
 * @param ctx Server or Client context to use.
 * @return the counter value
 */
public static native long sessionAcceptRenegotiate(long ctx);
/**
 * Session resumption statistic: sessions evicted because the cache size was
 * exceeded (presumably {@code SSL_CTX_sess_cache_full()}, see the OpenSSL page
 * linked above). A rising value suggests the size set via setSessionCacheSize
 * is too small for the connection rate.
 * @param ctx Server or Client context to use.
 * @return the counter value
 */
public static native long sessionCacheFull(long ctx);
/**
 * Session resumption statistic: sessions retrieved through the external
 * session cache callback in server mode (presumably
 * {@code SSL_CTX_sess_cb_hits()}, see the OpenSSL page linked above).
 * @param ctx Server or Client context to use.
 * @return the counter value
 */
public static native long sessionCbHits(long ctx);
/**
 * Session resumption statistic: started SSL/TLS handshakes in client mode
 * (presumably {@code SSL_CTX_sess_connect()}, see the OpenSSL page linked above).
 * @param ctx Server or Client context to use.
 * @return the counter value
 */
public static native long sessionConnect(long ctx);
/**
 * Session resumption statistic: successfully established handshakes in client
 * mode (presumably {@code SSL_CTX_sess_connect_good()}, see the OpenSSL page
 * linked above).
 * @param ctx Server or Client context to use.
 * @return the counter value
 */
public static native long sessionConnectGood(long ctx);
/**
 * Session resumption statistic: renegotiations started in client mode
 * (presumably {@code SSL_CTX_sess_connect_renegotiate()}, see the OpenSSL page
 * linked above).
 * @param ctx Server or Client context to use.
 * @return the counter value
 */
public static native long sessionConnectRenegotiate(long ctx);
/**
 * Session resumption statistic: successfully reused sessions (presumably
 * {@code SSL_CTX_sess_hits()}, see the OpenSSL page linked above).
 * @param ctx Server or Client context to use.
 * @return the counter value
 */
public static native long sessionHits(long ctx);
/**
 * Session resumption statistic: sessions proposed by clients that were not
 * found in the internal cache (presumably {@code SSL_CTX_sess_misses()}, see
 * the OpenSSL page linked above).
 * @param ctx Server or Client context to use.
 * @return the counter value
 */
public static native long sessionMisses(long ctx);
/**
 * Session resumption statistic: current number of sessions in the internal
 * cache (presumably {@code SSL_CTX_sess_number()}, see the OpenSSL page linked
 * above).
 * @param ctx Server or Client context to use.
 * @return the current session count
 */
public static native long sessionNumber(long ctx);
/**
 * Session resumption statistic: proposed sessions that were found but rejected
 * because they had timed out (presumably {@code SSL_CTX_sess_timeouts()}, see
 * the OpenSSL page linked above).
 * @param ctx Server or Client context to use.
 * @return the counter value
 */
public static native long sessionTimeouts(long ctx);
/**
 * Set TLS session keys. This allows us to share keys across TFEs, i.e.
 * several front ends configured with the same keys can resume each other's
 * sessions.
 * <br>
 * The keys are secret material: a party holding them can decrypt and forge
 * session tickets, so generate them from a cryptographically secure source,
 * distribute them only over protected channels and rotate them regularly.
 * NOTE(review): the expected length of {@code keys} is enforced on the native
 * side and is not visible here; OpenSSL's ticket-key API takes a fixed-size
 * 48-byte blob - confirm against the native implementation.
 * @param ctx Server or Client context to use.
 * @param keys Some session keys
 */
public static native void setSessionTicketKeys(long ctx, byte[] keys);
/**
 * Set File and Directory of concatenated PEM-encoded CA Certificates
 * for Client Auth
 * <br>
 * This directive sets the all-in-one file where you can assemble the
 * Certificates of Certification Authorities (CA) whose clients you deal with.
 * These are used for Client Authentication. Such a file is simply the
 * concatenation of the various PEM-encoded Certificate files, in order of
 * preference. This can be used alternatively and/or additionally to
 * the {@code path} parameter.
 * <br>
 * The files in this directory have to be PEM-encoded and are accessed through
 * hash filenames. So usually you can't just place the Certificate files there:
 * you also have to create symbolic links named hash-value.N. And you should
 * always make sure this directory contains the appropriate symbolic links.
 * Use the Makefile which comes with mod_ssl to accomplish this task.
 * <br>
 * Every CA loaded here is trusted to issue client certificates, so keep the
 * set to the CAs that actually issue certificates for your clients.
 * @param ctx Server or Client context to use.
 * @param file File of concatenated PEM-encoded CA Certificates for
 * Client Auth.
 * @param path Directory of PEM-encoded CA Certificates for Client Auth.
 * @return <code>true</code> if the operation was successful
 * @throws Exception An error occurred
 */
public static native boolean setCACertificate(long ctx, String file,
String path)
throws Exception;
/**
 * Set Type of Client Certificate verification and Maximum depth of CA Certificates
 * in Client Certificate verification.
 * <br>
 * This directive sets the Certificate verification level for the Client
 * Authentication. Notice that this directive can be used both in per-server
 * and per-directory context. In per-server context it applies to the client
 * authentication process used in the standard SSL handshake when a connection
 * is established. In per-directory context it forces an SSL renegotiation with
 * the reconfigured client verification level after the HTTP request was read
 * but before the HTTP response is sent.
 * <br>
 * The following levels are available for level:
 * <PRE>
 * SSL_CVERIFY_NONE - No client Certificate is required at all
 * SSL_CVERIFY_OPTIONAL - The client may present a valid Certificate
 * SSL_CVERIFY_REQUIRE - The client has to present a valid Certificate
 * SSL_CVERIFY_OPTIONAL_NO_CA - The client may present a valid Certificate
 * but it need not to be (successfully) verifiable
 * </PRE>
 * With SSL_CVERIFY_OPTIONAL_NO_CA a presented certificate has not necessarily
 * been validated against the configured CAs, so the application must not treat
 * the peer as authenticated on that basis alone.
 * <br>
 * The depth actually is the maximum number of intermediate certificate issuers,
 * i.e. the number of CA certificates which are max allowed to be followed while
 * verifying the client certificate. A depth of 0 means that self-signed client
 * certificates are accepted only, the default depth of 1 means the client
 * certificate can be self-signed or has to be signed by a CA which is directly
 * known to the server (i.e. the CA's certificate has been loaded with
 * {@link #setCACertificate(long, String, String)}), etc.
 * @param ctx Server or Client context to use.
 * @param level Type of Client Certificate verification (one of the
 * SSL_CVERIFY_* values listed above; the constants are not defined in this
 * file).
 * @param depth Maximum depth of CA Certificates in Client Certificate
 * verification.
 */
public static native void setVerify(long ctx, int level, int depth);
/**
 * Resolves the OpenSSL SSLContext to use for a connection whose TLS handshake
 * carried a Server Name Indication (SNI) extension. tc-native calls this
 * method from the handshake when it sees the extension.
 *
 * @param currentCtx  The OpenSSL SSLContext that the handshake started to
 *                    use. This will be the default OpenSSL SSLContext for
 *                    the endpoint associated with the socket.
 * @param sniHostName The host name requested by the client; may be
 *                    {@code null}
 *
 * @return The Java representation of the pointer to the OpenSSL SSLContext
 *         to use for the given host, or zero if no callback is registered
 *         for {@code currentCtx} or no SSLContext could be identified
 */
public static long sniCallBack(long currentCtx, String sniHostName) {
    SNICallBack registered = sniCallBacks.get(Long.valueOf(currentCtx));
    if (registered != null) {
        // OpenSSL does not guarantee the SNI value arrives in lower case, so
        // normalise it before the lookup. The client-supplied name is used
        // only as a lookup key; the registered callback decides the mapping.
        String normalisedHost = null;
        if (sniHostName != null) {
            normalisedHost = sniHostName.toLowerCase(Locale.ENGLISH);
        }
        return registered.getSslContext(normalisedHost);
    }
    // No callback registered for this context: let the caller keep the default.
    return 0;
}