Package net.i2p.util
Class I2PSSLSocketFactory
java.lang.Object
net.i2p.util.I2PSSLSocketFactory
Loads trusted ASCII certs from ~/.i2p/certificates/ and $I2P/certificates/.
TODO extend SSLSocketFactory
- Since:
  - 0.9.9 moved from ../client, original since 0.8.3
- Author:
  - zzz
Field Summary
- EXCLUDE_CIPHERS: We exclude everything that Java 8 disables by default, plus some others.
- EXCLUDE_PROTOCOLS: Unmodifiable.
- INCLUDE_CIPHERS: Nothing for now.
- INCLUDE_PROTOCOLS: Java 7 does not enable 1.1 or 1.2 by default on the client side.
Constructor Summary
- I2PSSLSocketFactory(I2PAppContext context, boolean loadSystemCerts, String relativeCertPath)
Method Summary
- createSocket(String host, int port): Returns a socket to the host.
- createSocket(InetAddress host, int port): Returns a socket to the host.
- static void setProtocolsAndCiphers(…): Select protocols and cipher suites to be used based on configured inclusion and exclusion lists as well as enabled and supported protocols and cipher suites.
- static void setProtocolsAndCiphers(SSLSocket socket): Select protocols and cipher suites to be used based on configured inclusion and exclusion lists as well as enabled and supported protocols and cipher suites.
- static void verifyHostname(I2PAppContext ctx, SSLSocket socket, String host): Validate the hostname.
Field Details

EXCLUDE_PROTOCOLS
Unmodifiable. Public for RouterConsoleRunner.
- Since:
  - 0.9.16

INCLUDE_PROTOCOLS
Java 7 does not enable TLS 1.1 or 1.2 by default on the client side. Java 8 does enable 1.1 and 1.2 by default on the client side. TLS 1.3 in Java 11, but using it requires:
- ChaCha20/Poly1305 in Java 12 (we could add a provider)
- X25519 in Java 13, but may be pulled in to 12 (can't use our unsigned provider)
- Ed25519 in Java 13 (but we can use our provider)
ref: https://openjdk.java.net/jeps/332
ref: http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
Unmodifiable. Public for RouterConsoleRunner.
- Since:
  - 0.9.16

EXCLUDE_CIPHERS
We exclude everything that Java 8 disables by default, plus some others.
ref: http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
See also: https://developer.android.com/reference/javax/net/ssl/SSLSocket.html
Unmodifiable. Public for RouterConsoleRunner.
- Since:
  - 0.9.16

INCLUDE_CIPHERS
Nothing for now. There's nothing disabled by default we would want to enable. Unmodifiable. Public for RouterConsoleRunner.
- Since:
  - 0.9.16
Constructor Details

I2PSSLSocketFactory
public I2PSSLSocketFactory(I2PAppContext context, boolean loadSystemCerts, String relativeCertPath) throws GeneralSecurityException
- Parameters:
  - relativeCertPath - e.g. "certificates/i2cp"; as of 0.9.41, may be absolute
- Throws:
  - GeneralSecurityException
- Since:
  - 0.9.9 was static
Method Details

createSocket
Returns a socket to the host. A host argument that's an IP address (instead of a hostname) is not recommended, as this will probably fail SSL certificate validation. Hostname validation is skipped for localhost addresses, but you still must trust the certificate.
- Throws:
  - IOException

createSocket
Returns a socket to the host. An InetAddress argument created with an IP address (instead of a hostname) is not recommended, as this will perform a reverse DNS lookup to get the hostname for certificate validation, which will probably then fail. Hostname validation is skipped for localhost addresses, but you still must trust the certificate.
- Throws:
  - IOException
- Since:
  - 0.9.9
verifyHostname
public static void verifyHostname(I2PAppContext ctx, SSLSocket socket, String host) throws SSLException
Validate the hostname. Warning - be sure to remove [] from IPv6 addresses in the host parameter if you got it from URI.getHost().
ref: https://developer.android.com/training/articles/security-ssl.html
ref: http://op-co.de/blog/posts/java_sslsocket_mitm/
ref: http://kevinlocke.name/bits/2012/10/03/ssl-certificate-verification-in-dispatch-and-asynchttpclient/
- Throws:
  - SSLException - on hostname verification failure
- Since:
  - 0.9.20
setProtocolsAndCiphers
Select protocols and cipher suites to be used based on configured inclusion and exclusion lists as well as enabled and supported protocols and cipher suites. Adapted from Jetty SslContextFactory.java
- Since:
  - 0.9.16

setProtocolsAndCiphers
Select protocols and cipher suites to be used based on configured inclusion and exclusion lists as well as enabled and supported protocols and cipher suites. Adapted from Jetty SslContextFactory.java
- Since:
  - 0.9.16
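The include/exclude selection that setProtocolsAndCiphers is documented to perform, written out as an added example in the style of Jetty's SslContextFactory; this is illustration code, not I2P's own implementation, and it assumes that include/exclude entries are regular expressions matched against the JDK's protocol and cipher-suite names.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import javax.net.ssl.SSLSocket;

// Added example, not I2P's code: include/exclude selection over the
// supported and enabled lists, as described for setProtocolsAndCiphers().
public final class SuiteSelection {
    // Base set is the supported list filtered by includes when includes are
    // given, otherwise what the JDK already enables; then drop excludes.
    static List<String> select(String[] supported, String[] enabled,
                               List<String> includes, List<String> excludes) {
        Set<String> base = new LinkedHashSet<>();
        if (includes.isEmpty()) {
            base.addAll(Arrays.asList(enabled));
        } else {
            for (String inc : includes) {
                Pattern p = Pattern.compile(inc);   // assumption: regex entries
                for (String s : supported) if (p.matcher(s).matches()) base.add(s);
            }
        }
        for (String exc : excludes) {
            Pattern p = Pattern.compile(exc);
            base.removeIf(s -> p.matcher(s).matches());
        }
        return new ArrayList<>(base);
    }

    // Apply both selections to a client socket before the handshake; an empty
    // result is a misconfiguration and must not silently fall back to defaults.
    static void apply(SSLSocket socket, List<String> incProt, List<String> excProt,
                      List<String> incCiph, List<String> excCiph) {
        List<String> prots = select(socket.getSupportedProtocols(),
                socket.getEnabledProtocols(), incProt, excProt);
        List<String> ciphs = select(socket.getSupportedCipherSuites(),
                socket.getEnabledCipherSuites(), incCiph, excCiph);
        if (prots.isEmpty() || ciphs.isEmpty())
            throw new IllegalStateException("no protocol or cipher suite left enabled");
        socket.setEnabledProtocols(prots.toArray(new String[0]));
        socket.setEnabledCipherSuites(ciphs.toArray(new String[0]));
    }
}
```

Call apply() on a freshly created, not yet handshaken SSLSocket; the exclude lists should carry the legacy entries the fields above describe, and verifyHostname still has to run after the handshake.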