io.netty.handler.ssl

Class SslContextBuilder

java.lang.Object

io.netty.handler.ssl.SslContextBuilder

public final class SslContextBuilder
extends Object

Builder for configuring a new SslContext for creation.

Method Summary

Modifier and Type	Method and Description
SslContextBuilder	applicationProtocolConfig(ApplicationProtocolConfig apn) Application protocol negotiation configuration.
SslContext	build() Create new SslContext instance with configured settings.
SslContextBuilder	ciphers(Iterable<String> ciphers) The cipher suites to enable, in the order of preference.
SslContextBuilder	ciphers(Iterable<String> ciphers, CipherSuiteFilter cipherFilter) The cipher suites to enable, in the order of preference.
SslContextBuilder	clientAuth(ClientAuth clientAuth) Sets the client authentication mode.
SslContextBuilder	enableOcsp(boolean enableOcsp) Enables OCSP stapling.
SslContextBuilder	endpointIdentificationAlgorithm(String algorithm) Specify the endpoint identification algorithm (aka. hostname verification algorithm) that clients will use as part of authenticating servers.
static SslContextBuilder	forClient() Creates a builder for new client-side SslContext.
static SslContextBuilder	forServer(File keyCertChainFile, File keyFile) Creates a builder for new server-side SslContext.
static SslContextBuilder	forServer(File keyCertChainFile, File keyFile, String keyPassword) Creates a builder for new server-side SslContext.
static SslContextBuilder	forServer(InputStream keyCertChainInputStream, InputStream keyInputStream) Creates a builder for new server-side SslContext.
static SslContextBuilder	forServer(InputStream keyCertChainInputStream, InputStream keyInputStream, String keyPassword) Creates a builder for new server-side SslContext.
static SslContextBuilder	forServer(KeyManager keyManager) Creates a builder for new server-side SslContext with KeyManager.
static SslContextBuilder	forServer(KeyManagerFactory keyManagerFactory) Creates a builder for new server-side SslContext.
static SslContextBuilder	forServer(PrivateKey key, Iterable<? extends X509Certificate> keyCertChain) Creates a builder for new server-side SslContext.
static SslContextBuilder	forServer(PrivateKey key, String keyPassword, Iterable<? extends X509Certificate> keyCertChain) Creates a builder for new server-side SslContext.
static SslContextBuilder	forServer(PrivateKey key, String keyPassword, X509Certificate... keyCertChain) Creates a builder for new server-side SslContext.
static SslContextBuilder	forServer(PrivateKey key, X509Certificate... keyCertChain) Creates a builder for new server-side SslContext.
SslContextBuilder	keyManager(File keyCertChainFile, File keyFile) Identifying certificate for this host.
SslContextBuilder	keyManager(File keyCertChainFile, File keyFile, String keyPassword) Identifying certificate for this host.
SslContextBuilder	keyManager(InputStream keyCertChainInputStream, InputStream keyInputStream) Identifying certificate for this host.
SslContextBuilder	keyManager(InputStream keyCertChainInputStream, InputStream keyInputStream, String keyPassword) Identifying certificate for this host.
SslContextBuilder	keyManager(KeyManager keyManager) A single key manager managing the identity information of this host.
SslContextBuilder	keyManager(KeyManagerFactory keyManagerFactory) Identifying manager for this host.
SslContextBuilder	keyManager(PrivateKey key, Iterable<? extends X509Certificate> keyCertChain) Identifying certificate for this host.
SslContextBuilder	keyManager(PrivateKey key, String keyPassword, Iterable<? extends X509Certificate> keyCertChain) Identifying certificate for this host.
SslContextBuilder	keyManager(PrivateKey key, String keyPassword, X509Certificate... keyCertChain) Identifying certificate for this host.
SslContextBuilder	keyManager(PrivateKey key, X509Certificate... keyCertChain) Identifying certificate for this host.
SslContextBuilder	keyStoreType(String keyStoreType) Sets the KeyStore type that should be used.
<T> SslContextBuilder	option(SslContextOption<T> option, T value) Configure a SslContextOption.
SslContextBuilder	protocols(Iterable<String> protocols) The TLS protocol versions to enable.
SslContextBuilder	protocols(String... protocols) The TLS protocol versions to enable.
SslContextBuilder	secureRandom(SecureRandom secureRandom) Specify a non-default source of randomness for the JdkSslContext In general, the best practice is to leave this unspecified, or to assign a new random source using the default new SecureRandom() constructor.
SslContextBuilder	sessionCacheSize(long sessionCacheSize) Set the size of the cache used for storing SSL session objects.
SslContextBuilder	sessionTimeout(long sessionTimeout) Set the timeout for the cached SSL session objects, in seconds.
SslContextBuilder	sslContextProvider(Provider sslContextProvider) The SSLContext Provider to use.
SslContextBuilder	sslProvider(SslProvider provider) The SslContext implementation to use.
SslContextBuilder	startTls(boolean startTls) true if the first write request shouldn't be encrypted.
SslContextBuilder	trustManager(File trustCertCollectionFile) Trusted certificates for verifying the remote endpoint's certificate.
SslContextBuilder	trustManager(InputStream trustCertCollectionInputStream) Trusted certificates for verifying the remote endpoint's certificate.
SslContextBuilder	trustManager(Iterable<? extends X509Certificate> trustCertCollection) Trusted certificates for verifying the remote endpoint's certificate, null uses the system default.
SslContextBuilder	trustManager(TrustManager trustManager) A single trusted manager for verifying the remote endpoint's certificate.
SslContextBuilder	trustManager(TrustManagerFactory trustManagerFactory) Trusted manager for verifying the remote endpoint's certificate.
SslContextBuilder	trustManager(X509Certificate... trustCertCollection) Trusted certificates for verifying the remote endpoint's certificate, null uses the system default.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

forClient

public static SslContextBuilder forClient()

Creates a builder for new client-side SslContext.

forServer

public static SslContextBuilder forServer(File keyCertChainFile,
                                          File keyFile)

Creates a builder for new server-side SslContext.

Parameters:

keyCertChainFile - an X.509 certificate chain file in PEM format

keyFile - a PKCS#8 private key file in PEM format

See Also:

keyManager(File, File)

forServer

public static SslContextBuilder forServer(InputStream keyCertChainInputStream,
                                          InputStream keyInputStream)

Creates a builder for new server-side SslContext.

Parameters:

keyCertChainInputStream - an input stream for an X.509 certificate chain in PEM format. The caller is responsible for calling InputStream.close() after build() has been called.

keyInputStream - an input stream for a PKCS#8 private key in PEM format. The caller is responsible for calling InputStream.close() after build() has been called.

See Also:

keyManager(InputStream, InputStream)

forServer

public static SslContextBuilder forServer(PrivateKey key,
                                          X509Certificate... keyCertChain)

Creates a builder for new server-side SslContext.

Parameters:

key - a PKCS#8 private key

keyCertChain - the X.509 certificate chain

See Also:

keyManager(PrivateKey, X509Certificate[])

forServer

public static SslContextBuilder forServer(PrivateKey key,
                                          Iterable<? extends X509Certificate> keyCertChain)

Creates a builder for new server-side SslContext.

Parameters:

key - a PKCS#8 private key

keyCertChain - the X.509 certificate chain

See Also:

keyManager(PrivateKey, X509Certificate[])

forServer

public static SslContextBuilder forServer(File keyCertChainFile,
                                          File keyFile,
                                          String keyPassword)

Creates a builder for new server-side SslContext.

Parameters:

keyCertChainFile - an X.509 certificate chain file in PEM format

keyFile - a PKCS#8 private key file in PEM format

keyPassword - the password of the keyFile, or null if it's not password-protected

See Also:

keyManager(File, File, String)

forServer

public static SslContextBuilder forServer(InputStream keyCertChainInputStream,
                                          InputStream keyInputStream,
                                          String keyPassword)

Creates a builder for new server-side SslContext.

Parameters:

keyCertChainInputStream - an input stream for an X.509 certificate chain in PEM format. The caller is responsible for calling InputStream.close() after build() has been called.

keyInputStream - an input stream for a PKCS#8 private key in PEM format. The caller is responsible for calling InputStream.close() after build() has been called.

keyPassword - the password of the keyFile, or null if it's not password-protected

See Also:

keyManager(InputStream, InputStream, String)

forServer

public static SslContextBuilder forServer(PrivateKey key,
                                          String keyPassword,
                                          X509Certificate... keyCertChain)

Creates a builder for new server-side SslContext.

Parameters:

key - a PKCS#8 private key

keyCertChain - the X.509 certificate chain

keyPassword - the password of the keyFile, or null if it's not password-protected

See Also:

keyManager(File, File, String)

forServer

public static SslContextBuilder forServer(PrivateKey key,
                                          String keyPassword,
                                          Iterable<? extends X509Certificate> keyCertChain)

Creates a builder for new server-side SslContext.

Parameters:

key - a PKCS#8 private key

keyCertChain - the X.509 certificate chain

keyPassword - the password of the keyFile, or null if it's not password-protected

See Also:

keyManager(File, File, String)

forServer

public static SslContextBuilder forServer(KeyManagerFactory keyManagerFactory)

Creates a builder for new server-side SslContext. If you use SslProvider.OPENSSL or SslProvider.OPENSSL_REFCNT consider using OpenSslX509KeyManagerFactory or OpenSslCachingX509KeyManagerFactory.

Parameters:

keyManagerFactory - non-null factory for server's private key

See Also:

keyManager(KeyManagerFactory)

forServer

public static SslContextBuilder forServer(KeyManager keyManager)

Creates a builder for new server-side SslContext with KeyManager.

Parameters:

keyManager - non-null KeyManager for server's private key

option

public <T> SslContextBuilder option(SslContextOption<T> option,
                                    T value)

Configure a SslContextOption.

sslProvider

public SslContextBuilder sslProvider(SslProvider provider)

The SslContext implementation to use. null uses the default one.

keyStoreType

public SslContextBuilder keyStoreType(String keyStoreType)

Sets the KeyStore type that should be used. null uses the default one.

sslContextProvider

public SslContextBuilder sslContextProvider(Provider sslContextProvider)

The SSLContext Provider to use. null uses the default one. This is only used with SslProvider.JDK.

trustManager

public SslContextBuilder trustManager(File trustCertCollectionFile)

Trusted certificates for verifying the remote endpoint's certificate. The file should contain an X.509 certificate collection in PEM format. null uses the system default.

trustManager

public SslContextBuilder trustManager(InputStream trustCertCollectionInputStream)

Trusted certificates for verifying the remote endpoint's certificate. The input stream should contain an X.509 certificate collection in PEM format. null uses the system default. The caller is responsible for calling InputStream.close() after build() has been called.

trustManager

public SslContextBuilder trustManager(X509Certificate... trustCertCollection)

Trusted certificates for verifying the remote endpoint's certificate, null uses the system default.

trustManager

public SslContextBuilder trustManager(Iterable<? extends X509Certificate> trustCertCollection)

Trusted certificates for verifying the remote endpoint's certificate, null uses the system default.

trustManager

public SslContextBuilder trustManager(TrustManagerFactory trustManagerFactory)

Trusted manager for verifying the remote endpoint's certificate. null uses the system default.

trustManager

public SslContextBuilder trustManager(TrustManager trustManager)

A single trusted manager for verifying the remote endpoint's certificate. This is helpful when custom implementation of TrustManager is needed. Internally, a simple wrapper of TrustManagerFactory that only produces this specified TrustManager will be created, thus all the requirements specified in trustManager(TrustManagerFactory trustManagerFactory) also apply here.

keyManager

public SslContextBuilder keyManager(File keyCertChainFile,
                                    File keyFile)

Identifying certificate for this host. keyCertChainFile and keyFile may be null for client contexts, which disables mutual authentication.

Parameters:

keyCertChainFile - an X.509 certificate chain file in PEM format

keyFile - a PKCS#8 private key file in PEM format

keyManager

public SslContextBuilder keyManager(InputStream keyCertChainInputStream,
                                    InputStream keyInputStream)

Identifying certificate for this host. keyCertChainInputStream and keyInputStream may be null for client contexts, which disables mutual authentication.

Parameters:

keyCertChainInputStream - an input stream for an X.509 certificate chain in PEM format. The caller is responsible for calling InputStream.close() after build() has been called.

keyInputStream - an input stream for a PKCS#8 private key in PEM format. The caller is responsible for calling InputStream.close() after build() has been called.

keyManager

public SslContextBuilder keyManager(PrivateKey key,
                                    X509Certificate... keyCertChain)

Identifying certificate for this host. keyCertChain and key may be null for client contexts, which disables mutual authentication.

Parameters:

key - a PKCS#8 private key

keyCertChain - an X.509 certificate chain

keyManager

public SslContextBuilder keyManager(PrivateKey key,
                                    Iterable<? extends X509Certificate> keyCertChain)

Identifying certificate for this host. keyCertChain and key may be null for client contexts, which disables mutual authentication.

Parameters:

key - a PKCS#8 private key

keyCertChain - an X.509 certificate chain

keyManager

public SslContextBuilder keyManager(File keyCertChainFile,
                                    File keyFile,
                                    String keyPassword)

Identifying certificate for this host. keyCertChainFile and keyFile may be null for client contexts, which disables mutual authentication.

Parameters:

keyCertChainFile - an X.509 certificate chain file in PEM format

keyFile - a PKCS#8 private key file in PEM format

keyPassword - the password of the keyFile, or null if it's not password-protected

keyManager

public SslContextBuilder keyManager(InputStream keyCertChainInputStream,
                                    InputStream keyInputStream,
                                    String keyPassword)

Identifying certificate for this host. keyCertChainInputStream and keyInputStream may be null for client contexts, which disables mutual authentication.

Parameters:

keyCertChainInputStream - an input stream for an X.509 certificate chain in PEM format. The caller is responsible for calling InputStream.close() after build() has been called.

keyInputStream - an input stream for a PKCS#8 private key in PEM format. The caller is responsible for calling InputStream.close() after build() has been called.

keyPassword - the password of the keyInputStream, or null if it's not password-protected

keyManager

public SslContextBuilder keyManager(PrivateKey key,
                                    String keyPassword,
                                    X509Certificate... keyCertChain)

Identifying certificate for this host. keyCertChain and key may be null for client contexts, which disables mutual authentication.

Parameters:

key - a PKCS#8 private key file

keyPassword - the password of the key, or null if it's not password-protected

keyCertChain - an X.509 certificate chain

keyManager

public SslContextBuilder keyManager(PrivateKey key,
                                    String keyPassword,
                                    Iterable<? extends X509Certificate> keyCertChain)

Identifying certificate for this host. keyCertChain and key may be null for client contexts, which disables mutual authentication.

Parameters:

key - a PKCS#8 private key file

keyPassword - the password of the key, or null if it's not password-protected

keyCertChain - an X.509 certificate chain

keyManager

public SslContextBuilder keyManager(KeyManagerFactory keyManagerFactory)

Identifying manager for this host. keyManagerFactory may be null for client contexts, which disables mutual authentication. Using a KeyManagerFactory is only supported for SslProvider.JDK or SslProvider.OPENSSL / SslProvider.OPENSSL_REFCNT if the used openssl version is 1.0.1+. You can check if your openssl version supports using a KeyManagerFactory by calling OpenSsl.supportsKeyManagerFactory(). If this is not the case you must use keyManager(File, File) or keyManager(File, File, String). If you use SslProvider.OPENSSL or SslProvider.OPENSSL_REFCNT consider using OpenSslX509KeyManagerFactory or OpenSslCachingX509KeyManagerFactory.

keyManager

public SslContextBuilder keyManager(KeyManager keyManager)

A single key manager managing the identity information of this host. This is helpful when custom implementation of KeyManager is needed. Internally, a wrapper of KeyManagerFactory that only produces this specified KeyManager will be created, thus all the requirements specified in keyManager(KeyManagerFactory keyManagerFactory) also apply here.

ciphers

public SslContextBuilder ciphers(Iterable<String> ciphers)

The cipher suites to enable, in the order of preference. null to use default cipher suites.

ciphers

public SslContextBuilder ciphers(Iterable<String> ciphers,
                                 CipherSuiteFilter cipherFilter)

The cipher suites to enable, in the order of preference. cipherFilter will be applied to the ciphers before use. If ciphers is null, then the default cipher suites will be used.

applicationProtocolConfig

public SslContextBuilder applicationProtocolConfig(ApplicationProtocolConfig apn)

Application protocol negotiation configuration. null disables support.

sessionCacheSize

public SslContextBuilder sessionCacheSize(long sessionCacheSize)

Set the size of the cache used for storing SSL session objects. 0 to use the default value.

sessionTimeout

public SslContextBuilder sessionTimeout(long sessionTimeout)

Set the timeout for the cached SSL session objects, in seconds. 0 to use the default value.

clientAuth

public SslContextBuilder clientAuth(ClientAuth clientAuth)

Sets the client authentication mode.

protocols

public SslContextBuilder protocols(String... protocols)

The TLS protocol versions to enable.

Parameters:

protocols - The protocols to enable, or null to enable the default protocols.

See Also:

SSLEngine.setEnabledCipherSuites(String[])

protocols

public SslContextBuilder protocols(Iterable<String> protocols)

The TLS protocol versions to enable.

Parameters:

protocols - The protocols to enable, or null to enable the default protocols.

See Also:

SSLEngine.setEnabledCipherSuites(String[])

startTls

public SslContextBuilder startTls(boolean startTls)

true if the first write request shouldn't be encrypted.

enableOcsp

@UnstableApi
public SslContextBuilder enableOcsp(boolean enableOcsp)

Enables OCSP stapling. Please note that not all SslProvider implementations support OCSP stapling and an exception will be thrown upon build().

See Also:

OpenSsl.isOcspSupported()

secureRandom

public SslContextBuilder secureRandom(SecureRandom secureRandom)

Specify a non-default source of randomness for the JdkSslContext

In general, the best practice is to leave this unspecified, or to assign a new random source using the default new SecureRandom() constructor. Only assign this something when you have a good reason to.

Parameters:

secureRandom - the source of randomness for JdkSslContext

endpointIdentificationAlgorithm

public SslContextBuilder endpointIdentificationAlgorithm(String algorithm)

Specify the endpoint identification algorithm (aka. hostname verification algorithm) that clients will use as part of authenticating servers.

See Java Security Standard Names for a list of supported algorithms.

Parameters:

algorithm - either "HTTPS", "LDAPS", or null (disables hostname verification).

See Also:

SSLParameters.setEndpointIdentificationAlgorithm(String)

build

public SslContext build()
                 throws SSLException

Create new SslContext instance with configured settings.

If sslProvider(SslProvider) is set to SslProvider.OPENSSL_REFCNT then the caller is responsible for releasing this object, or else native memory may leak.

Throws:

SSLException