Package net.i2p.util

Class I2PSSLSocketFactory

java.lang.Object
net.i2p.util.I2PSSLSocketFactory

public class I2PSSLSocketFactory
extends Object
Loads trusted ASCII certs from ~/.i2p/certificates/ and $I2P/certificates/. TODO extend SSLSocketFactory
Since:
0.9.9 moved from ../client, original since 0.8.3
Author:
zzz
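The class summary says the factory trusts ASCII (PEM) certificates found in ~/.i2p/certificates/ and $I2P/certificates/. The following is an added illustration of how such a directory-based trust store can be built with standard JSSE calls; it is not the I2P project's code. The `*.crt` file glob, the two directory locations and the `I2P` environment variable are assumptions for the example, and the decision to skip (rather than reject) certificates that are expired or not yet valid is the example's own choice.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PemTrustStoreExample {

    /** Directories searched for certificates (assumed locations mirroring the class summary). */
    static List<Path> certDirs() {
        List<Path> dirs = new ArrayList<>();
        dirs.add(Paths.get(System.getProperty("user.home"), ".i2p", "certificates"));
        String i2p = System.getenv("I2P");   // assumption: install directory, may be unset
        if (i2p != null) {
            dirs.add(Paths.get(i2p, "certificates"));
        }
        return dirs;
    }

    /**
     * Build an in-memory KeyStore holding every PEM certificate found in the given
     * directories. Each entry becomes a trust anchor, so only files you control belong here.
     */
    static KeyStore loadTrustStore(List<Path> dirs) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                                   // start empty
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (Path dir : dirs) {
            if (!Files.isDirectory(dir)) {
                continue;                                      // missing directory is not an error
            }
            try (DirectoryStream<Path> files = Files.newDirectoryStream(dir, "*.crt")) {
                for (Path file : files) {
                    try (InputStream in = Files.newInputStream(file)) {
                        int n = 0;
                        // generateCertificates() reads PEM and accepts a file holding a chain
                        for (Certificate c : cf.generateCertificates(in)) {
                            X509Certificate x = (X509Certificate) c;
                            try {
                                x.checkValidity();
                            } catch (CertificateException expiredOrNotYetValid) {
                                continue;                      // example's choice: skip, do not trust
                            }
                            ks.setCertificateEntry(file.getFileName() + "-" + (n++), x);
                        }
                    }
                }
            }
        }
        return ks;
    }

    /** SSLContext whose trust decisions come only from the loaded certificates. */
    static SSLContext contextFor(KeyStore trust) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore trust = loadTrustStore(certDirs());
        System.out.println("trust anchors loaded: " + trust.size());
        SSLContext ctx = contextFor(trust);
        System.out.println("socket factory ready: " + ctx.getSocketFactory().getClass().getName());
    }
}
```

Because `ctx.init` receives only the trust managers built from this store, the JDK's default CA bundle is not consulted: a peer is accepted only if it chains to one of the loaded files, which is the point of a per-application certificate directory.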
  • Field Details

    • EXCLUDE_PROTOCOLS

      public static final List<String> EXCLUDE_PROTOCOLS
      Unmodifiable. Public for RouterConsoleRunner.
      Since:
      0.9.16
    • INCLUDE_PROTOCOLS

      public static final List<String> INCLUDE_PROTOCOLS
      Java 7 does not enable 1.1 or 1.2 by default on the client side. Java 8 does enable 1.1 and 1.2 by default on the client side. 1.3 in Java 11, but it requires: ChaCha20/Poly1305 in Java 12 (we could add a provider) X25519 in Java 13 but may be pulled in to 12 (can't use our unsigned provider) Ed25519 in Java 13 (but we can use our provider) ref: https://openjdk.java.net/jeps/332 ref: http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html Unmodifiable. Public for RouterConsoleRunner.
      Since:
      0.9.16
    • EXCLUDE_CIPHERS

      public static final List<String> EXCLUDE_CIPHERS
      We exclude everything that Java 8 disables by default, plus some others.
      ref: http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
      See also: https://developer.android.com/reference/javax/net/ssl/SSLSocket.html
      Unmodifiable. Public for RouterConsoleRunner.
      Since:
      0.9.16
    • INCLUDE_CIPHERS

      public static final List<String> INCLUDE_CIPHERS
      Nothing for now. There's nothing disabled by default we would want to enable. Unmodifiable. Public for RouterConsoleRunner.
      Since:
      0.9.16
  • Constructor Details

  • Method Details

    • createSocket

      public Socket createSocket(String host, int port) throws IOException
      Returns a socket to the host. A host argument that's an IP address (instead of a host name) is not recommended, as this will probably fail SSL certificate validation. Hostname validation is skipped for localhost addresses, but you still must trust the certificate.
      Throws:
      IOException
    • createSocket

      public Socket createSocket(InetAddress host, int port) throws IOException
      Returns a socket to the host. An InetAddress argument created with an IP address (instead of a host name) is not recommended, as this will perform a reverse DNS lookup to get the host name for certificate validation, which will probably then fail. Hostname validation is skipped for localhost addresses, but you still must trust the certificate.
      Throws:
      IOException
      Since:
      0.9.9
    • verifyHostname

      public static void verifyHostname(I2PAppContext ctx, SSLSocket socket, String host) throws SSLException
      Validate the hostname.
      Warning - be sure to remove [] from IPv6 addresses in the host parameter if you got it from URI.getHost().
      ref: https://developer.android.com/training/articles/security-ssl.html
      ref: http://op-co.de/blog/posts/java_sslsocket_mitm/
      ref: http://kevinlocke.name/bits/2012/10/03/ssl-certificate-verification-in-dispatch-and-asynchttpclient/
      Throws:
      SSLException - on hostname verification failure
      Since:
      0.9.20
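The two createSocket variants and verifyHostname above make the same point: a plain SSLSocket trusts the certificate chain but does not by itself check that the certificate was issued for the host you asked for, and an IPv6 literal taken from URI.getHost() still carries its brackets. The code below is an added example, not I2P's implementation of verifyHostname; it uses the standard JSSE endpoint-identification switch instead of the class's own verifier, and the factory, target URI and default port 443 are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class HostnameVerificationExample {

    /**
     * URI.getHost() returns an IPv6 literal with its brackets ("[2001:db8::1]").
     * Certificate matching (DNS or IP SAN) needs the bare value, so strip them.
     */
    static String hostForVerification(String uriHost) {
        if (uriHost == null || uriHost.isEmpty()) {
            throw new IllegalArgumentException("URI has no host component");
        }
        if (uriHost.startsWith("[") && uriHost.endsWith("]")) {
            return uriHost.substring(1, uriHost.length() - 1);
        }
        return uriHost;
    }

    /**
     * Ask JSSE to perform RFC 2818 endpoint identification as part of the handshake,
     * so a certificate for some other name fails the handshake instead of being
     * silently accepted. Must be set before the handshake starts.
     */
    static void requireHostnameMatch(SSLSocket socket) {
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
    }

    /** Connect by name (not InetAddress), verify during the handshake, return the socket. */
    static SSLSocket connectVerified(SSLSocketFactory factory, URI target) throws IOException {
        String host = hostForVerification(target.getHost());
        int port = target.getPort() == -1 ? 443 : target.getPort();   // assumed default
        // Passing the String form keeps the name available for SNI and for matching;
        // an InetAddress would force the reverse-lookup problem described above.
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            requireHostnameMatch(socket);
            socket.startHandshake();   // surface the failure here, not on the first read
            return socket;
        } catch (IOException e) {
            socket.close();            // do not leak a half-open socket on failure
            throw e;
        }
    }

    public static void main(String[] args) {
        // The two host forms the warning is about; the IPv6 one loses its brackets.
        System.out.println(hostForVerification("host.example"));
        System.out.println(hostForVerification("[2001:db8::1]"));
        // Network use (placeholder host, not contacted here):
        // SSLSocket s = connectVerified((SSLSocketFactory) SSLSocketFactory.getDefault(),
        //                               URI.create("https://host.example/"));
    }
}
```

On desktop Java the verifier returned by HttpsURLConnection.getDefaultHostnameVerifier() rejects every name, so the handshake-time endpoint identification shown here is the reliable way to get the check on a raw socket; a post-handshake verifier call, as in the Android reference, is the alternative where such a verifier is provided.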
    • setProtocolsAndCiphers

      public static void setProtocolsAndCiphers(SSLSocket socket)
      Select protocols and cipher suites to be used based on configured inclusion and exclusion lists as well as enabled and supported protocols and cipher suites. Adapted from Jetty SslContextFactory.java
      Since:
      0.9.16
    • setProtocolsAndCiphers

      public static void setProtocolsAndCiphers(SSLServerSocket socket)
      Select protocols and cipher suites to be used based on configured inclusion and exclusion lists as well as enabled and supported protocols and cipher suites. Adapted from Jetty SslContextFactory.java
      Since:
      0.9.16
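Both setProtocolsAndCiphers overloads combine the four lists (EXCLUDE_PROTOCOLS, INCLUDE_PROTOCOLS, EXCLUDE_CIPHERS, INCLUDE_CIPHERS) with what the provider enables and supports. The following added example models that selection; it is not the I2P code and the exact rule is an assumption, modelled on the Jetty SslContextFactory the docs cite: start from the enabled set, add included entries the provider actually supports (so a Java 7 client can gain TLS 1.2), then drop everything excluded. The list contents are constructed for the example and are not the class's real values.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;

public class ProtocolCipherSelectionExample {

    // Constructed stand-ins for the class's lists, not its real contents.
    static final List<String> EXCLUDE_PROTOCOLS =
        Collections.unmodifiableList(Arrays.asList("SSLv3", "TLSv1", "TLSv1.1"));
    static final List<String> INCLUDE_PROTOCOLS =
        Collections.unmodifiableList(Arrays.asList("TLSv1.2", "TLSv1.3"));
    static final List<String> EXCLUDE_CIPHERS =
        Collections.unmodifiableList(Arrays.asList(
            "SSL_RSA_WITH_RC4_128_SHA", "TLS_DH_anon_WITH_AES_128_CBC_SHA"));
    static final List<String> INCLUDE_CIPHERS = Collections.emptyList();

    /**
     * Assumed rule: (enabled ∪ (include ∩ supported)) \ exclude, returned in the
     * provider's preference order. Refuses to produce an empty result, because
     * setEnabledProtocols(new String[0]) would leave the socket unable to handshake.
     */
    static String[] select(String[] enabled, String[] supported,
                           List<String> include, List<String> exclude) {
        Set<String> chosen = new LinkedHashSet<>(Arrays.asList(enabled));
        for (String s : supported) {
            if (include.contains(s)) {
                chosen.add(s);          // only add what the provider can actually do
            }
        }
        chosen.removeAll(exclude);
        if (chosen.isEmpty()) {
            throw new IllegalStateException(
                "exclusion list removed every candidate from " + Arrays.toString(enabled));
        }
        List<String> ordered = new ArrayList<>();
        for (String s : supported) {    // keep provider order, e.g. TLSv1.3 before TLSv1.2
            if (chosen.contains(s)) {
                ordered.add(s);
            }
        }
        return ordered.toArray(new String[0]);
    }

    static void apply(SSLSocket socket) {
        socket.setEnabledProtocols(select(socket.getEnabledProtocols(),
            socket.getSupportedProtocols(), INCLUDE_PROTOCOLS, EXCLUDE_PROTOCOLS));
        socket.setEnabledCipherSuites(select(socket.getEnabledCipherSuites(),
            socket.getSupportedCipherSuites(), INCLUDE_CIPHERS, EXCLUDE_CIPHERS));
    }

    static void apply(SSLServerSocket socket) {
        socket.setEnabledProtocols(select(socket.getEnabledProtocols(),
            socket.getSupportedProtocols(), INCLUDE_PROTOCOLS, EXCLUDE_PROTOCOLS));
        socket.setEnabledCipherSuites(select(socket.getEnabledCipherSuites(),
            socket.getSupportedCipherSuites(), INCLUDE_CIPHERS, EXCLUDE_CIPHERS));
    }

    public static void main(String[] args) {
        // Constructed provider state resembling a Java 7 client: 1.2 supported but not enabled.
        String[] enabled = {"SSLv3", "TLSv1"};
        String[] supported = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};
        System.out.println(Arrays.toString(
            select(enabled, supported, INCLUDE_PROTOCOLS, EXCLUDE_PROTOCOLS)));

        String[] enabledCiphers = {"SSL_RSA_WITH_RC4_128_SHA",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"};
        String[] supportedCiphers = {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "SSL_RSA_WITH_RC4_128_SHA", "TLS_DH_anon_WITH_AES_128_CBC_SHA"};
        System.out.println(Arrays.toString(
            select(enabledCiphers, supportedCiphers, INCLUDE_CIPHERS, EXCLUDE_CIPHERS)));
    }
}
```

With the constructed inputs the protocol selection keeps only TLSv1.2 and the cipher selection keeps only the ECDHE/GCM suite. The empty-result check matters in practice: an exclusion list written for one JVM can strip every protocol on an older provider, and an empty enabled list fails later and less clearly than an exception at configuration time.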