io.netty.internal.tcnative

Class SSL

java.lang.Object

io.netty.internal.tcnative.SSL

public final class SSL
extends Object

Field Summary

Fields

Modifier and Type	Field and Description
static int	SSL_CVERIFY_IGNORED
static int	SSL_CVERIFY_NONE
static int	SSL_CVERIFY_OPTIONAL
static int	SSL_CVERIFY_REQUIRED
static int	SSL_ERROR_NONE
static int	SSL_ERROR_SSL
static int	SSL_ERROR_SYSCALL
static int	SSL_ERROR_WANT_ACCEPT
static int	SSL_ERROR_WANT_CONNECT
static int	SSL_ERROR_WANT_READ
static int	SSL_ERROR_WANT_WRITE
static int	SSL_ERROR_WANT_X509_LOOKUP
static int	SSL_ERROR_ZERO_RETURN
static int	SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
static int	SSL_MODE_CLIENT
static int	SSL_MODE_COMBINED
static int	SSL_MODE_ENABLE_PARTIAL_WRITE
static int	SSL_MODE_RELEASE_BUFFERS
static int	SSL_MODE_SERVER
static int	SSL_OP_CIPHER_SERVER_PREFERENCE
static int	SSL_OP_NO_COMPRESSION
static int	SSL_OP_NO_SSLv2
static int	SSL_OP_NO_SSLv3
static int	SSL_OP_NO_TICKET
static int	SSL_OP_NO_TLSv1
static int	SSL_OP_NO_TLSv1_1
static int	SSL_OP_NO_TLSv1_2
static int	SSL_PROTOCOL_ALL
static int	SSL_PROTOCOL_NONE
static int	SSL_PROTOCOL_SSLV2
static int	SSL_PROTOCOL_SSLV3
static int	SSL_PROTOCOL_TLS TLS_*method according to https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_new.html
static int	SSL_PROTOCOL_TLSV1
static int	SSL_PROTOCOL_TLSV1_1
static int	SSL_PROTOCOL_TLSV1_2
static int	SSL_RECEIVED_SHUTDOWN
static int	SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL
static int	SSL_SELECTOR_FAILURE_NO_ADVERTISE
static int	SSL_SENT_SHUTDOWN
static long	SSL_SESS_CACHE_OFF
static long	SSL_SESS_CACHE_SERVER
static int	SSL_ST_ACCEPT
static int	SSL_ST_CONNECT
static int	X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
static int	X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS
static int	X509_CHECK_FLAG_NO_PARTIAL_WILD_CARDS
static int	X509_CHECK_FLAG_NO_WILD_CARDS

Method Summary

Methods

Modifier and Type	Method and Description
static String[]	authenticationMethods(long ssl)
static void	bioClearByteBuffer(long bio) After you are done buffering data from bioSetByteBuffer(long, long, int, boolean), this will ensure the internal SSL write buffers are ready to capture data which may unexpectedly happen (e.g. handshake, renegotiation, etc..).
static int	bioFlushByteBuffer(long bio) Flush any pending bytes in the internal SSL write buffer.
static int	bioLengthByteBuffer(long bio) Get the remaining length of the ByteBuffer set by bioSetByteBuffer(long, long, int, boolean).
static int	bioLengthNonApplication(long bio) Get the amount of data pending in buffer used for non-application writes.
static long	bioNewByteBuffer(long ssl, int nonApplicationBufferSize) Initialize the BIO for the SSL instance.
static void	bioSetByteBuffer(long bio, long bufferAddress, int maxUsableBytes, boolean isSSLWriteSink) Set the memory location which that OpenSSL's internal BIO will use to write encrypted data to, or read encrypted data from.
static int	bioWrite(long bioAddress, long wbufAddress, int wlen) BIO_write
static void	clearError() Clear all the errors from the error queue that OpenSSL encountered on this thread.
static void	clearOptions(long ssl, int options) Clear OpenSSL Option.
static int	doHandshake(long ssl) SSL_do_handshake
static void	freeBIO(long bio) BIO_free
static void	freePrivateKey(long privateKey) Free private key (EVP_PKEY pointer).
static void	freeSSL(long ssl) SSL_free
static void	freeX509Chain(long x509Chain) Free x509 chain (STACK_OF(X509) pointer).
static String	getAlpnSelected(long ssl) SSL_get0_alpn_selected
static String	getCipherForSSL(long ssl) SSL_get_cipher
static String[]	getCiphers(long ssl) Returns all Returns the cipher suites that are available for negotiation in an SSL handshake.
static int	getError(long ssl, int ret) SSL_get_error
static String	getErrorString(long errorNumber)
static int	getHandshakeCount(long ssl) Returns the number of handshakes done for this SSL instance.
static String	getLastError() Return last SSL error string
static int	getLastErrorNumber() Get the error number representing the last error OpenSSL encountered on this thread.
static String	getNextProtoNegotiated(long ssl) SSL_get0_next_proto_negotiated
static int	getOptions(long ssl) Get OpenSSL Option.
static byte[][]	getPeerCertChain(long ssl) Get the peer certificate chain or null if non was send.
static byte[]	getPeerCertificate(long ssl) Get the peer certificate or null if non was send.
static byte[]	getSessionId(long ssl) Returns the ID of the session as byte array representation.
static int	getShutdown(long ssl) SSL_get_shutdown
static long	getTime(long ssl) SSL_get_time
static long	getTimeout(long ssl) SSL_get_timeout
static String	getVersion(long ssl) SSL_get_version
static boolean	hasOp(int op) Return true if all the requested SSL_OP_* are supported by OpenSSL.
static int	isInInit(long SSL) SSL_in_init
static long	newMemBIO() Initialize new in-memory BIO that is located in the secure heap.
static long	newSSL(long ctx, boolean server) SSL_new
static long	parsePrivateKey(long privateKeyBio, String password) Parse private key from BIO and return EVP_PKEY pointer.
static long	parseX509Chain(long x509ChainBio) Parse X509 chain from BIO and return (STACK_OF(X509) pointer).
static int	readFromSSL(long ssl, long rbuf, int rlen) SSL_read
static int	renegotiate(long ssl) Call SSL_renegotiate.
static void	setCertificateBio(long ssl, long certBio, long keyBio, String password) Set Certificate Point setCertificate at a PEM encoded certificate stored in a BIO.
static void	setCertificateChainBio(long ssl, long bio, boolean skipfirst) Set BIO of PEM-encoded Server CA Certificates This directive sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate.
static boolean	setCipherSuites(long ssl, String ciphers) Returns the cipher suites available for negotiation in SSL handshake.
static void	setHostNameValidation(long ssl, int flags, String hostname) Explicitly control hostname validation see X509_check_host for X509_CHECK_FLAG* definitions.
static void	setOptions(long ssl, int options) Set OpenSSL Option.
static void	setShutdown(long ssl, int mode) SSL_set_shutdown
static void	setState(long ssl, int state) Call SSL_set_state.
static long	setTimeout(long ssl, long seconds) SSL_set_timeout
static void	setTlsExtHostName(long ssl, String hostname) Call SSL_set_tlsext_host_name
static void	setVerify(long ssl, int level, int depth) Set Type of Client Certificate verification and Maximum depth of CA Certificates in Client Certificate verification.
static int	shutdownSSL(long ssl) SSL_shutdown
static int	version()
static String	versionString()
static int	writeToSSL(long ssl, long wbuf, int wlen) SSL_write

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SSL_PROTOCOL_NONE

public static final int SSL_PROTOCOL_NONE

See Also:

Constant Field Values

SSL_PROTOCOL_SSLV2

public static final int SSL_PROTOCOL_SSLV2

See Also:

Constant Field Values

SSL_PROTOCOL_SSLV3

public static final int SSL_PROTOCOL_SSLV3

See Also:

Constant Field Values

SSL_PROTOCOL_TLSV1

public static final int SSL_PROTOCOL_TLSV1

See Also:

Constant Field Values

SSL_PROTOCOL_TLSV1_1

public static final int SSL_PROTOCOL_TLSV1_1

See Also:

Constant Field Values

SSL_PROTOCOL_TLSV1_2

public static final int SSL_PROTOCOL_TLSV1_2

See Also:

Constant Field Values

SSL_PROTOCOL_TLS

public static final int SSL_PROTOCOL_TLS

TLS_*method according to https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_new.html

See Also:

Constant Field Values

SSL_PROTOCOL_ALL

public static final int SSL_PROTOCOL_ALL

See Also:

Constant Field Values

SSL_CVERIFY_IGNORED

public static final int SSL_CVERIFY_IGNORED

See Also:

Constant Field Values

SSL_CVERIFY_NONE

public static final int SSL_CVERIFY_NONE

See Also:

Constant Field Values

SSL_CVERIFY_OPTIONAL

public static final int SSL_CVERIFY_OPTIONAL

See Also:

Constant Field Values

SSL_CVERIFY_REQUIRED

public static final int SSL_CVERIFY_REQUIRED

See Also:

Constant Field Values

SSL_OP_CIPHER_SERVER_PREFERENCE

public static final int SSL_OP_CIPHER_SERVER_PREFERENCE

SSL_OP_NO_SSLv2

public static final int SSL_OP_NO_SSLv2

SSL_OP_NO_SSLv3

public static final int SSL_OP_NO_SSLv3

SSL_OP_NO_TLSv1

public static final int SSL_OP_NO_TLSv1

SSL_OP_NO_TLSv1_1

public static final int SSL_OP_NO_TLSv1_1

SSL_OP_NO_TLSv1_2

public static final int SSL_OP_NO_TLSv1_2

SSL_OP_NO_TICKET

public static final int SSL_OP_NO_TICKET

SSL_OP_NO_COMPRESSION

public static final int SSL_OP_NO_COMPRESSION

SSL_MODE_CLIENT

public static final int SSL_MODE_CLIENT

See Also:

Constant Field Values

SSL_MODE_SERVER

public static final int SSL_MODE_SERVER

See Also:

Constant Field Values

SSL_MODE_COMBINED

public static final int SSL_MODE_COMBINED

See Also:

Constant Field Values

SSL_SESS_CACHE_OFF

public static final long SSL_SESS_CACHE_OFF

SSL_SESS_CACHE_SERVER

public static final long SSL_SESS_CACHE_SERVER

SSL_SELECTOR_FAILURE_NO_ADVERTISE

public static final int SSL_SELECTOR_FAILURE_NO_ADVERTISE

See Also:

Constant Field Values

SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL

public static final int SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL

See Also:

Constant Field Values

SSL_ST_CONNECT

public static final int SSL_ST_CONNECT

SSL_ST_ACCEPT

public static final int SSL_ST_ACCEPT

SSL_MODE_ENABLE_PARTIAL_WRITE

public static final int SSL_MODE_ENABLE_PARTIAL_WRITE

SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER

public static final int SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER

SSL_MODE_RELEASE_BUFFERS

public static final int SSL_MODE_RELEASE_BUFFERS

X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT

public static final int X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT

X509_CHECK_FLAG_NO_WILD_CARDS

public static final int X509_CHECK_FLAG_NO_WILD_CARDS

X509_CHECK_FLAG_NO_PARTIAL_WILD_CARDS

public static final int X509_CHECK_FLAG_NO_PARTIAL_WILD_CARDS

X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS

public static final int X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS

SSL_SENT_SHUTDOWN

public static final int SSL_SENT_SHUTDOWN

SSL_RECEIVED_SHUTDOWN

public static final int SSL_RECEIVED_SHUTDOWN

SSL_ERROR_NONE

public static final int SSL_ERROR_NONE

SSL_ERROR_SSL

public static final int SSL_ERROR_SSL

SSL_ERROR_WANT_READ

public static final int SSL_ERROR_WANT_READ

SSL_ERROR_WANT_WRITE

public static final int SSL_ERROR_WANT_WRITE

SSL_ERROR_WANT_X509_LOOKUP

public static final int SSL_ERROR_WANT_X509_LOOKUP

SSL_ERROR_SYSCALL

public static final int SSL_ERROR_SYSCALL

SSL_ERROR_ZERO_RETURN

public static final int SSL_ERROR_ZERO_RETURN

SSL_ERROR_WANT_CONNECT

public static final int SSL_ERROR_WANT_CONNECT

SSL_ERROR_WANT_ACCEPT

public static final int SSL_ERROR_WANT_ACCEPT

Method Detail

version

public static int version()

versionString

public static String versionString()

newMemBIO

public static long newMemBIO()
                      throws Exception

Initialize new in-memory BIO that is located in the secure heap.

Returns:

New BIO handle

Throws:

Exception

getLastError

public static String getLastError()

Return last SSL error string

hasOp

public static boolean hasOp(int op)

Return true if all the requested SSL_OP_* are supported by OpenSSL.

Parameters:

op - Bitwise-OR of all SSL_OP_* to test.

Returns:

true if all SSL_OP_* are supported by OpenSSL library.

newSSL

public static long newSSL(long ctx,
          boolean server)

SSL_new

Parameters:

ctx - Server or Client context to use.

server - if true configure SSL instance to use accept handshake routines if false configure SSL instance to use connect handshake routines

Returns:

pointer to SSL instance (SSL *)

getError

public static int getError(long ssl,
           int ret)

SSL_get_error

Parameters:

ssl - SSL pointer (SSL *)

ret - TLS/SSL I/O return value

bioWrite

public static int bioWrite(long bioAddress,
           long wbufAddress,
           int wlen)

BIO_write

Parameters:

bioAddress - The address of a BIO*.

wbufAddress - The address of a native char*.

wlen - The length to write starting at wbufAddress.

Returns:

The number of bytes that were written. See BIO_write for exceptional return values.

bioNewByteBuffer

public static long bioNewByteBuffer(long ssl,
                    int nonApplicationBufferSize)

Initialize the BIO for the SSL instance. This is a custom BIO which is designed to play nicely with a direct ByteBuffer. Because it is a special BIO it requires special usage such that bioSetByteBuffer(long, long, int, boolean) and bioClearByteBuffer(long) are called in order to provide to supply data to SSL, and also to ensure the internal SSL buffering mechanism is expecting write at the appropriate times.

Parameters:

ssl - the SSL instance (SSL *)

nonApplicationBufferSize - The size of the internal buffer for write operations that are not initiated directly by the application attempting to encrypt data. Must be >0.

Returns:

pointer to the Network BIO (BIO *). The memory is owned by ssl and will be cleaned up by freeSSL(long).

bioSetByteBuffer

public static void bioSetByteBuffer(long bio,
                    long bufferAddress,
                    int maxUsableBytes,
                    boolean isSSLWriteSink)

Set the memory location which that OpenSSL's internal BIO will use to write encrypted data to, or read encrypted data from.

After you are done buffering data you should call bioClearByteBuffer(long).

Parameters:

bio - BIO*.

bufferAddress - The memory address (typically from a direct ByteBuffer) which will be used to either write encrypted data to, or read encrypted data from by OpenSSL's internal BIO pair.

maxUsableBytes - The maximum usable length in bytes starting at bufferAddress.

isSSLWriteSink - true if this buffer is expected to buffer data as a result of calls to SSL_write. false if this buffer is expected to buffer data as a result of calls to SSL_read.

bioClearByteBuffer

public static void bioClearByteBuffer(long bio)

After you are done buffering data from bioSetByteBuffer(long, long, int, boolean), this will ensure the internal SSL write buffers are ready to capture data which may unexpectedly happen (e.g. handshake, renegotiation, etc..).

Parameters:

bio - BIO*.

bioFlushByteBuffer

public static int bioFlushByteBuffer(long bio)

Flush any pending bytes in the internal SSL write buffer.

This does the same thing as BIO_flush for a BIO* of type bioNewByteBuffer(long, int) but returns the number of bytes that were flushed.

Parameters:

bio - BIO*.

Returns:

The number of bytes that were flushed.

bioLengthByteBuffer

public static int bioLengthByteBuffer(long bio)

Get the remaining length of the ByteBuffer set by bioSetByteBuffer(long, long, int, boolean).

Parameters:

bio - BIO*.

Returns:

The remaining length of the ByteBuffer set by bioSetByteBuffer(long, long, int, boolean).

bioLengthNonApplication

public static int bioLengthNonApplication(long bio)

Get the amount of data pending in buffer used for non-application writes. This value will not exceed the value configured in bioNewByteBuffer(long, int).

Parameters:

bio - BIO*.

Returns:

the amount of data pending in buffer used for non-application writes.

writeToSSL

public static int writeToSSL(long ssl,
             long wbuf,
             int wlen)

SSL_write

Parameters:

ssl - the SSL instance (SSL *)

wbuf -

wlen -

Returns:

readFromSSL

public static int readFromSSL(long ssl,
              long rbuf,
              int rlen)

SSL_read

Parameters:

ssl - the SSL instance (SSL *)

rbuf -

rlen -

Returns:

getShutdown

public static int getShutdown(long ssl)

SSL_get_shutdown

Parameters:

ssl - the SSL instance (SSL *)

Returns:

setShutdown

public static void setShutdown(long ssl,
               int mode)

SSL_set_shutdown

Parameters:

ssl - the SSL instance (SSL *)

mode -

freeSSL

public static void freeSSL(long ssl)

SSL_free

Parameters:

ssl - the SSL instance (SSL *)

freeBIO

public static void freeBIO(long bio)

BIO_free

Parameters:

bio -

shutdownSSL

public static int shutdownSSL(long ssl)

SSL_shutdown

Parameters:

ssl - the SSL instance (SSL *)

Returns:

getLastErrorNumber

public static int getLastErrorNumber()

Get the error number representing the last error OpenSSL encountered on this thread.

Returns:

getCipherForSSL

public static String getCipherForSSL(long ssl)

SSL_get_cipher

Parameters:

ssl - the SSL instance (SSL *)

Returns:

getVersion

public static String getVersion(long ssl)

SSL_get_version

Parameters:

ssl - the SSL instance (SSL *)

Returns:

doHandshake

public static int doHandshake(long ssl)

SSL_do_handshake

Parameters:

ssl - the SSL instance (SSL *)

isInInit

public static int isInInit(long SSL)

SSL_in_init

Parameters:

SSL -

Returns:

getNextProtoNegotiated

public static String getNextProtoNegotiated(long ssl)

SSL_get0_next_proto_negotiated

Parameters:

ssl - the SSL instance (SSL *)

Returns:

getAlpnSelected

public static String getAlpnSelected(long ssl)

SSL_get0_alpn_selected

Parameters:

ssl - the SSL instance (SSL *)

Returns:

getPeerCertChain

public static byte[][] getPeerCertChain(long ssl)

Get the peer certificate chain or null if non was send.

getPeerCertificate

public static byte[] getPeerCertificate(long ssl)

Get the peer certificate or null if non was send.

getErrorString

public static String getErrorString(long errorNumber)

getTime

public static long getTime(long ssl)

SSL_get_time

Parameters:

ssl - the SSL instance (SSL *)

Returns:

returns the time at which the session ssl was established. The time is given in seconds since the Epoch

getTimeout

public static long getTimeout(long ssl)

SSL_get_timeout

Parameters:

ssl - the SSL instance (SSL *)

Returns:

returns the timeout for the session ssl The time is given in seconds since the Epoch

setTimeout

public static long setTimeout(long ssl,
              long seconds)

SSL_set_timeout

Parameters:

ssl - the SSL instance (SSL *)

seconds - timeout in seconds

Returns:

returns the timeout for the session ssl before this call. The time is given in seconds since the Epoch

setVerify

public static void setVerify(long ssl,
             int level,
             int depth)

Set Type of Client Certificate verification and Maximum depth of CA Certificates in Client Certificate verification.
This directive sets the Certificate verification level for the Client Authentication. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the client authentication process used in the standard SSL handshake when a connection is established. In per-directory context it forces a SSL renegotiation with the reconfigured client verification level after the HTTP request was read but before the HTTP response is sent.
The following levels are available for level:

• SSL_CVERIFY_IGNORED - The level is ignored. Only depth will change.
• SSL_CVERIFY_NONE - No client Certificate is required at all
• SSL_CVERIFY_OPTIONAL - The client may present a valid Certificate
• SSL_CVERIFY_REQUIRED - The client has to present a valid Certificate

The depth actually is the maximum number of intermediate certificate issuers, i.e. the number of CA certificates which are max allowed to be followed while verifying the client certificate. A depth of 0 means that self-signed client certificates are accepted only, the default depth of 1 means the client certificate can be self-signed or has to be signed by a CA which is directly known to the server (i.e. the CA's certificate is under setCACertificatePath, etc.

Parameters:

ssl - the SSL instance (SSL *)

level - Type of Client Certificate verification.

depth - Maximum depth of CA Certificates in Client Certificate verification. Ignored if value is <0.

setOptions

public static void setOptions(long ssl,
              int options)

Set OpenSSL Option.

Parameters:

ssl - the SSL instance (SSL *)

options - See SSL.SSL_OP_* for option flags.

clearOptions

public static void clearOptions(long ssl,
                int options)

Clear OpenSSL Option.

Parameters:

ssl - the SSL instance (SSL *)

options - See SSL.SSL_OP_* for option flags.

getOptions

public static int getOptions(long ssl)

Get OpenSSL Option.

Parameters:

ssl - the SSL instance (SSL *)

Returns:

options See SSL.SSL_OP_* for option flags.

getCiphers

public static String[] getCiphers(long ssl)

Returns all Returns the cipher suites that are available for negotiation in an SSL handshake.

Parameters:

ssl - the SSL instance (SSL *)

Returns:

ciphers

setCipherSuites

public static boolean setCipherSuites(long ssl,
                      String ciphers)
                               throws Exception

Returns the cipher suites available for negotiation in SSL handshake.
This complex directive uses a colon-separated cipher-spec string consisting of OpenSSL cipher specifications to configure the Cipher Suite the client is permitted to negotiate in the SSL handshake phase. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the standard SSL handshake when a connection is established. In per-directory context it forces a SSL renegotiation with the reconfigured Cipher Suite after the HTTP request was read but before the HTTP response is sent.

Parameters:

ssl - the SSL instance (SSL *)

ciphers - an SSL cipher specification

Throws:

Exception

getSessionId

public static byte[] getSessionId(long ssl)

Returns the ID of the session as byte array representation.

Parameters:

ssl - the SSL instance (SSL *)

Returns:

the session as byte array representation obtained via SSL_SESSION_get_id.

getHandshakeCount

public static int getHandshakeCount(long ssl)

Returns the number of handshakes done for this SSL instance. This also includes renegations.

Parameters:

ssl - the SSL instance (SSL *)

Returns:

the number of handshakes done for this SSL instance.

clearError

public static void clearError()

Clear all the errors from the error queue that OpenSSL encountered on this thread.

renegotiate

public static int renegotiate(long ssl)

Call SSL_renegotiate.

Parameters:

ssl - the SSL instance (SSL *)

Returns:

the result of the operation

setState

public static void setState(long ssl,
            int state)

Call SSL_set_state.

Parameters:

ssl - the SSL instance (SSL *)

setTlsExtHostName

public static void setTlsExtHostName(long ssl,
                     String hostname)

Call SSL_set_tlsext_host_name

Parameters:

ssl - the SSL instance (SSL *)

hostname - the hostname

setHostNameValidation

public static void setHostNameValidation(long ssl,
                         int flags,
                         String hostname)

Explicitly control hostname validation see X509_check_host for X509_CHECK_FLAG* definitions. Values are defined as a bitmask of X509_CHECK_FLAG* values.

Parameters:

ssl - the SSL instance (SSL*).

flags - a bitmask of X509_CHECK_FLAG* values.

hostname - the hostname which is expected for validation.

authenticationMethods

public static String[] authenticationMethods(long ssl)

setCertificateChainBio

public static void setCertificateChainBio(long ssl,
                          long bio,
                          boolean skipfirst)

Set BIO of PEM-encoded Server CA Certificates

This directive sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA certificate of of the server certificate and can range up to the root CA certificate. Such a file is simply the concatenation of the various PEM-encoded CA Certificate files, usually in certificate chain order.

But be careful: Providing the certificate chain works only if you are using a single (either RSA or DSA) based server certificate. If you are using a coupled RSA+DSA certificate pair, this will work only if actually both certificates use the same certificate chain. Otherwsie the browsers will be confused in this situation.

Parameters:

ssl - Server or Client to use.

bio - BIO of PEM-encoded Server CA Certificates.

skipfirst - Skip first certificate if chain file is inside certificate file.

setCertificateBio

public static void setCertificateBio(long ssl,
                     long certBio,
                     long keyBio,
                     String password)
                              throws Exception

Set Certificate
Point setCertificate at a PEM encoded certificate stored in a BIO. If the certificate is encrypted, then you will be prompted for a pass phrase. Note that a kill -HUP will prompt again. A test certificate can be generated with `make certificate' under built time. Keep in mind that if you've both a RSA and a DSA certificate you can configure both in parallel (to also allow the use of DSA ciphers, etc.)
If the key is not combined with the certificate, use key param to point at the key file. Keep in mind that if you've both a RSA and a DSA private key you can configure both in parallel (to also allow the use of DSA ciphers, etc.)

Parameters:

ssl - Server or Client to use.

certBio - Certificate BIO.

keyBio - Private Key BIO to use if not in cert.

password - Certificate password. If null and certificate is encrypted.

Throws:

Exception

parsePrivateKey

public static long parsePrivateKey(long privateKeyBio,
                   String password)
                            throws Exception

Parse private key from BIO and return EVP_PKEY pointer.

Be sure you understand how OpenSsl will behave with respect to reference counting! If the EVP_PKEY pointer is used with the client certificate callback CertificateRequestedCallback the ownership goes over to OpenSsl / Tcnative and so calling freePrivateKey(long) should NOT be done in this case. Otherwise you may need to call freePrivateKey(long) to decrement the reference count and free memory.

Throws:

Exception

freePrivateKey

public static void freePrivateKey(long privateKey)

Free private key (EVP_PKEY pointer).

parseX509Chain

public static long parseX509Chain(long x509ChainBio)
                           throws Exception

Parse X509 chain from BIO and return (STACK_OF(X509) pointer).

Be sure you understand how OpenSsl will behave with respect to reference counting! If the STACK_OF(X509) pointer is used with the client certificate callback CertificateRequestedCallback the ownership goes over to OpenSsl / Tcnative and and so calling freeX509Chain(long) should NOT be done in this case. Otherwise you may need to call freeX509Chain(long) to decrement the reference count and free memory.

Throws:

Exception

freeX509Chain

public static void freeX509Chain(long x509Chain)

Free x509 chain (STACK_OF(X509) pointer).