Package io.netty.handler.ssl
Class SslContextBuilder
java.lang.Object
io.netty.handler.ssl.SslContextBuilder
Builder for configuring a new SslContext for creation.
Field Summary

Modifier and Type                                  Field
private ApplicationProtocolConfig                  apn
private CipherSuiteFilter                          cipherFilter
private ClientAuth                                 clientAuth
private static final Map.Entry[]                   EMPTY_ENTRIES
private boolean                                    enableOcsp
private final boolean                              forServer
private PrivateKey                                 key
private X509Certificate[]                          keyCertChain
private KeyManagerFactory                          keyManagerFactory
private String                                     keyPassword
private String                                     keyStoreType
private final Map<SslContextOption<?>, Object>     options
private String[]                                   protocols
private SslProvider                                provider
private long                                       sessionCacheSize
private long                                       sessionTimeout
private Provider                                   sslContextProvider
private boolean                                    startTls
private X509Certificate[]                          trustCertCollection
private TrustManagerFactory                        trustManagerFactory
Constructor Summary

Modifier          Constructor
private           SslContextBuilder(boolean forServer)
Method Summary

Modifier and Type / Method
    Description

SslContextBuilder applicationProtocolConfig(ApplicationProtocolConfig apn)
    Application protocol negotiation configuration.
SslContext build()
    Create new SslContext instance with configured settings.
SslContextBuilder ciphers(Iterable<String> ciphers)
    The cipher suites to enable, in the order of preference.
SslContextBuilder ciphers(Iterable<String> ciphers, CipherSuiteFilter cipherFilter)
    The cipher suites to enable, in the order of preference.
SslContextBuilder clientAuth(ClientAuth clientAuth)
    Sets the client authentication mode.
SslContextBuilder enableOcsp(boolean enableOcsp)
    Enables OCSP stapling.
static SslContextBuilder forClient()
    Creates a builder for new client-side SslContext.
static SslContextBuilder forServer(File keyCertChainFile, File keyFile)
    Creates a builder for new server-side SslContext.
static SslContextBuilder forServer(File keyCertChainFile, File keyFile, String keyPassword)
    Creates a builder for new server-side SslContext.
static SslContextBuilder forServer(InputStream keyCertChainInputStream, InputStream keyInputStream)
    Creates a builder for new server-side SslContext.
static SslContextBuilder forServer(InputStream keyCertChainInputStream, InputStream keyInputStream, String keyPassword)
    Creates a builder for new server-side SslContext.
static SslContextBuilder forServer(PrivateKey key, Iterable<? extends X509Certificate> keyCertChain)
    Creates a builder for new server-side SslContext.
static SslContextBuilder forServer(PrivateKey key, String keyPassword, Iterable<? extends X509Certificate> keyCertChain)
    Creates a builder for new server-side SslContext.
static SslContextBuilder forServer(PrivateKey key, String keyPassword, X509Certificate... keyCertChain)
    Creates a builder for new server-side SslContext.
static SslContextBuilder forServer(PrivateKey key, X509Certificate... keyCertChain)
    Creates a builder for new server-side SslContext.
static SslContextBuilder forServer(KeyManager keyManager)
    Creates a builder for new server-side SslContext with KeyManager.
static SslContextBuilder forServer(KeyManagerFactory keyManagerFactory)
    Creates a builder for new server-side SslContext.
SslContextBuilder keyManager(File keyCertChainFile, File keyFile)
    Identifying certificate for this host.
SslContextBuilder keyManager(File keyCertChainFile, File keyFile, String keyPassword)
    Identifying certificate for this host.
SslContextBuilder keyManager(InputStream keyCertChainInputStream, InputStream keyInputStream)
    Identifying certificate for this host.
SslContextBuilder keyManager(InputStream keyCertChainInputStream, InputStream keyInputStream, String keyPassword)
    Identifying certificate for this host.
SslContextBuilder keyManager(PrivateKey key, Iterable<? extends X509Certificate> keyCertChain)
    Identifying certificate for this host.
SslContextBuilder keyManager(PrivateKey key, String keyPassword, Iterable<? extends X509Certificate> keyCertChain)
    Identifying certificate for this host.
SslContextBuilder keyManager(PrivateKey key, String keyPassword, X509Certificate... keyCertChain)
    Identifying certificate for this host.
SslContextBuilder keyManager(PrivateKey key, X509Certificate... keyCertChain)
    Identifying certificate for this host.
SslContextBuilder keyManager(KeyManager keyManager)
    A single key manager managing the identity information of this host.
SslContextBuilder keyManager(KeyManagerFactory keyManagerFactory)
    Identifying manager for this host.
SslContextBuilder keyStoreType(String keyStoreType)
    Sets the KeyStore type that should be used.
<T> SslContextBuilder option(SslContextOption<T> option, T value)
    Configure a SslContextOption.
SslContextBuilder protocols(Iterable<String> protocols)
    The TLS protocol versions to enable.
SslContextBuilder protocols(String... protocols)
    The TLS protocol versions to enable.
SslContextBuilder sessionCacheSize(long sessionCacheSize)
    Set the size of the cache used for storing SSL session objects.
SslContextBuilder sessionTimeout(long sessionTimeout)
    Set the timeout for the cached SSL session objects, in seconds.
SslContextBuilder sslContextProvider(Provider sslContextProvider)
    The SSLContext Provider to use.
SslContextBuilder sslProvider(SslProvider provider)
    The SslContext implementation to use.
SslContextBuilder startTls(boolean startTls)
    true if the first write request shouldn't be encrypted.
private static <T> T[] toArray
SslContextBuilder trustManager(File trustCertCollectionFile)
    Trusted certificates for verifying the remote endpoint's certificate.
SslContextBuilder trustManager(InputStream trustCertCollectionInputStream)
    Trusted certificates for verifying the remote endpoint's certificate.
SslContextBuilder trustManager(Iterable<? extends X509Certificate> trustCertCollection)
    Trusted certificates for verifying the remote endpoint's certificate, null uses the system default.
SslContextBuilder trustManager(X509Certificate... trustCertCollection)
    Trusted certificates for verifying the remote endpoint's certificate, null uses the system default.
SslContextBuilder trustManager(TrustManager trustManager)
    A single trusted manager for verifying the remote endpoint's certificate.
SslContextBuilder trustManager(TrustManagerFactory trustManagerFactory)
    Trusted manager for verifying the remote endpoint's certificate.
Field Details

EMPTY_ENTRIES
    private static final Map.Entry[] EMPTY_ENTRIES

forServer
    private final boolean forServer

provider
    private SslProvider provider

sslContextProvider
    private Provider sslContextProvider

trustCertCollection
    private X509Certificate[] trustCertCollection

trustManagerFactory
    private TrustManagerFactory trustManagerFactory

keyCertChain
    private X509Certificate[] keyCertChain

key
    private PrivateKey key

keyPassword
    private String keyPassword

keyManagerFactory
    private KeyManagerFactory keyManagerFactory

ciphers

cipherFilter
    private CipherSuiteFilter cipherFilter

apn
    private ApplicationProtocolConfig apn

sessionCacheSize
    private long sessionCacheSize

sessionTimeout
    private long sessionTimeout

clientAuth
    private ClientAuth clientAuth

protocols
    private String[] protocols

startTls
    private boolean startTls

enableOcsp
    private boolean enableOcsp

keyStoreType
    private String keyStoreType

options
    private final Map<SslContextOption<?>, Object> options
Constructor Details

SslContextBuilder
    private SslContextBuilder(boolean forServer)
Method Details

forClient
    public static SslContextBuilder forClient()

    Creates a builder for new client-side SslContext.

forServer
    public static SslContextBuilder forServer(File keyCertChainFile, File keyFile)

    Creates a builder for new server-side SslContext.

    Parameters:
        keyCertChainFile - an X.509 certificate chain file in PEM format
        keyFile - a PKCS#8 private key file in PEM format

forServer
    public static SslContextBuilder forServer(InputStream keyCertChainInputStream, InputStream keyInputStream)

    Creates a builder for new server-side SslContext.

    Parameters:
        keyCertChainInputStream - an input stream for an X.509 certificate chain in PEM format. The caller is responsible for calling InputStream.close() after build() has been called.
        keyInputStream - an input stream for a PKCS#8 private key in PEM format. The caller is responsible for calling InputStream.close() after build() has been called.

forServer
    public static SslContextBuilder forServer(PrivateKey key, X509Certificate... keyCertChain)

    Creates a builder for new server-side SslContext.

    Parameters:
        key - a PKCS#8 private key
        keyCertChain - the X.509 certificate chain

forServer
    public static SslContextBuilder forServer(PrivateKey key, Iterable<? extends X509Certificate> keyCertChain)

    Creates a builder for new server-side SslContext.

    Parameters:
        key - a PKCS#8 private key
        keyCertChain - the X.509 certificate chain

forServer
    public static SslContextBuilder forServer(File keyCertChainFile, File keyFile, String keyPassword)

    Creates a builder for new server-side SslContext.

    Parameters:
        keyCertChainFile - an X.509 certificate chain file in PEM format
        keyFile - a PKCS#8 private key file in PEM format
        keyPassword - the password of the keyFile, or null if it's not password-protected

forServer
    public static SslContextBuilder forServer(InputStream keyCertChainInputStream, InputStream keyInputStream, String keyPassword)

    Creates a builder for new server-side SslContext.

    Parameters:
        keyCertChainInputStream - an input stream for an X.509 certificate chain in PEM format. The caller is responsible for calling InputStream.close() after build() has been called.
        keyInputStream - an input stream for a PKCS#8 private key in PEM format. The caller is responsible for calling InputStream.close() after build() has been called.
        keyPassword - the password of the keyFile, or null if it's not password-protected

forServer
    public static SslContextBuilder forServer(PrivateKey key, String keyPassword, X509Certificate... keyCertChain)

    Creates a builder for new server-side SslContext.

    Parameters:
        key - a PKCS#8 private key
        keyPassword - the password of the keyFile, or null if it's not password-protected
        keyCertChain - the X.509 certificate chain

forServer
    public static SslContextBuilder forServer(PrivateKey key, String keyPassword, Iterable<? extends X509Certificate> keyCertChain)

    Creates a builder for new server-side SslContext.

    Parameters:
        key - a PKCS#8 private key
        keyPassword - the password of the keyFile, or null if it's not password-protected
        keyCertChain - the X.509 certificate chain

forServer
    public static SslContextBuilder forServer(KeyManagerFactory keyManagerFactory)

    Creates a builder for new server-side SslContext. If you use SslProvider.OPENSSL or SslProvider.OPENSSL_REFCNT consider using OpenSslX509KeyManagerFactory or OpenSslCachingX509KeyManagerFactory.

    Parameters:
        keyManagerFactory - non-null factory for server's private key

forServer
    public static SslContextBuilder forServer(KeyManager keyManager)

    Creates a builder for new server-side SslContext with KeyManager.

    Parameters:
        keyManager - non-null KeyManager for server's private key
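The following is an added example, not part of the Netty documentation, showing how the forServer(File, File, String) entry point is combined with the other builder methods into a server context that pins the protocol and cipher policy, requires client certificates issued by a dedicated CA, and releases the context afterwards (the build() documentation notes that an OPENSSL_REFCNT context must be released or native memory leaks). The file paths, the environment variable name and the cipher list are constructed for the example.

```java
import java.io.File;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLException;

import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.SupportedCipherSuiteFilter;
import io.netty.util.ReferenceCountUtil;

/** Server-side SslContext with an explicit protocol/cipher policy and mandatory client certificates. */
public final class ServerTlsContext {

    // Constructed paths for this example; substitute the real deployment locations.
    private static final File CERT_CHAIN = new File("/etc/app/tls/server-chain.pem"); // X.509 chain, PEM
    private static final File PRIVATE_KEY = new File("/etc/app/tls/server-key.pem");  // PKCS#8 key, PEM
    private static final File CLIENT_CA = new File("/etc/app/tls/client-ca.pem");     // issuers of client certs

    // Preference order; SupportedCipherSuiteFilter drops any suite the chosen provider cannot offer,
    // so an unsupported entry degrades the list instead of failing build().
    private static final List<String> CIPHERS = Arrays.asList(
            "TLS_AES_256_GCM_SHA384",
            "TLS_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");

    /** @param keyPassword password of the PKCS#8 key, or null if it is not encrypted */
    public static SslContext build(String keyPassword) throws SSLException {
        // Use the native provider when netty-tcnative is on the classpath, otherwise the JDK engine.
        SslProvider provider = OpenSsl.isAvailable() ? SslProvider.OPENSSL_REFCNT : SslProvider.JDK;
        return SslContextBuilder.forServer(CERT_CHAIN, PRIVATE_KEY, keyPassword)
                .sslProvider(provider)
                .protocols("TLSv1.3", "TLSv1.2")
                .ciphers(CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
                .trustManager(CLIENT_CA)         // only this CA may issue client certificates
                .clientAuth(ClientAuth.REQUIRE)  // handshake fails without a trusted client certificate
                .sessionCacheSize(20_000)
                .sessionTimeout(300)             // seconds
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Constructed variable name; unset means the key file is not password-protected.
        SslContext ctx = build(System.getenv("SERVER_KEY_PASSWORD"));
        try {
            // In a real server: pipeline.addLast(ctx.newHandler(channel.alloc())) in the ChannelInitializer.
            System.out.println("server=" + ctx.isServer() + " ciphers=" + ctx.cipherSuites());
        } finally {
            // OPENSSL_REFCNT contexts hold native memory; release is a no-op for the JDK provider.
            ReferenceCountUtil.release(ctx);
        }
    }
}
```

The File overloads are used here so that nothing has to be closed by the caller; the InputStream overloads documented above place that responsibility on the caller, and the streams must stay open until build() returns.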
option
    public <T> SslContextBuilder option(SslContextOption<T> option, T value)

    Configure a SslContextOption.

sslProvider
    public SslContextBuilder sslProvider(SslProvider provider)

    The SslContext implementation to use. null uses the default one.

keyStoreType
    public SslContextBuilder keyStoreType(String keyStoreType)

    Sets the KeyStore type that should be used. null uses the default one.

sslContextProvider
    public SslContextBuilder sslContextProvider(Provider sslContextProvider)

    The SSLContext Provider to use.

trustManager
    public SslContextBuilder trustManager(File trustCertCollectionFile)

    Trusted certificates for verifying the remote endpoint's certificate. The file should contain an X.509 certificate collection in PEM format. null uses the system default.

trustManager
    public SslContextBuilder trustManager(InputStream trustCertCollectionInputStream)

    Trusted certificates for verifying the remote endpoint's certificate. The input stream should contain an X.509 certificate collection in PEM format. null uses the system default. The caller is responsible for calling InputStream.close() after build() has been called.

trustManager
    public SslContextBuilder trustManager(Iterable<? extends X509Certificate> trustCertCollection)

    Trusted certificates for verifying the remote endpoint's certificate, null uses the system default.

trustManager
    public SslContextBuilder trustManager(X509Certificate... trustCertCollection)

    Trusted certificates for verifying the remote endpoint's certificate, null uses the system default.

trustManager
    public SslContextBuilder trustManager(TrustManagerFactory trustManagerFactory)

    Trusted manager for verifying the remote endpoint's certificate. null uses the system default.

trustManager
    public SslContextBuilder trustManager(TrustManager trustManager)

    A single trusted manager for verifying the remote endpoint's certificate. This is helpful when a custom implementation of TrustManager is needed. Internally, a simple wrapper of TrustManagerFactory that only produces this specified TrustManager will be created, thus all the requirements specified in trustManager(TrustManagerFactory trustManagerFactory) also apply here.
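An added example of the kind of custom TrustManager that trustManager(TrustManager) is meant for; it is not Netty code. The class delegates chain validation (and, through the SSLEngine and Socket variants, hostname verification) to the platform's default X509ExtendedTrustManager and then additionally requires the leaf certificate's SubjectPublicKeyInfo to match one of a set of SHA-256 pins, so a certificate from any trusted CA is still rejected unless its key is expected. The class name, the pin encoding (base64 of SHA-256 over the DER SubjectPublicKeyInfo) and the clientContext helper are assumptions of this example.

```java
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Set;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;

/** Platform chain validation first, then a leaf-key pin check; never a replacement for validation. */
public final class PinnedTrustManager extends X509ExtendedTrustManager {
    private final X509ExtendedTrustManager delegate;
    private final Set<String> pinnedSpkiSha256; // base64(SHA-256(SubjectPublicKeyInfo)) of accepted leaf keys

    public PinnedTrustManager(X509ExtendedTrustManager delegate, Set<String> pinnedSpkiSha256) {
        this.delegate = delegate;
        this.pinnedSpkiSha256 = pinnedSpkiSha256;
    }

    /** The JDK's default X509ExtendedTrustManager, backed by the system trust store. */
    public static X509ExtendedTrustManager systemDefault() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // a null KeyStore selects the platform default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) {
                return (X509ExtendedTrustManager) tm;
            }
        }
        throw new NoSuchAlgorithmException("no X509ExtendedTrustManager available");
    }

    /** PublicKey.getEncoded() returns the DER SubjectPublicKeyInfo, the usual input for key pins. */
    static String spkiSha256(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    private void checkPin(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        String pin = spkiSha256(chain[0]); // chain[0] is the peer's own certificate
        if (!pinnedSpkiSha256.contains(pin)) {
            throw new CertificateException("leaf SPKI pin mismatch: " + pin);
        }
    }

    // Server certificates, i.e. what a client verifies: delegate first, then pin.
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { delegate.checkServerTrusted(chain, authType); checkPin(chain); }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException { delegate.checkServerTrusted(chain, authType, socket); checkPin(chain); }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException { delegate.checkServerTrusted(chain, authType, engine); checkPin(chain); }

    // Client certificates, i.e. what a server verifies: unchanged delegate behaviour.
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { delegate.checkClientTrusted(chain, authType); }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException { delegate.checkClientTrusted(chain, authType, socket); }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException { delegate.checkClientTrusted(chain, authType, engine); }

    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    /** Client SslContext that installs the pinned manager through trustManager(TrustManager). */
    public static SslContext clientContext(Set<String> pins) throws GeneralSecurityException, SSLException {
        return SslContextBuilder.forClient()
                .trustManager(new PinnedTrustManager(systemDefault(), pins))
                .protocols("TLSv1.3", "TLSv1.2")
                .build();
    }
}
```

Because the builder wraps the instance in a one-manager TrustManagerFactory, the same constraints as for trustManager(TrustManagerFactory) apply: the object is shared by every engine created from the context, so it must be thread-safe and must not keep per-connection state. Pin sets need a rotation plan (pin the next key before rolling the certificate), otherwise a routine key rotation becomes an outage.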
keyManager
    public SslContextBuilder keyManager(File keyCertChainFile, File keyFile)

    Identifying certificate for this host. keyCertChainFile and keyFile may be null for client contexts, which disables mutual authentication.

    Parameters:
        keyCertChainFile - an X.509 certificate chain file in PEM format
        keyFile - a PKCS#8 private key file in PEM format

keyManager
    public SslContextBuilder keyManager(InputStream keyCertChainInputStream, InputStream keyInputStream)

    Identifying certificate for this host. keyCertChainInputStream and keyInputStream may be null for client contexts, which disables mutual authentication.

    Parameters:
        keyCertChainInputStream - an input stream for an X.509 certificate chain in PEM format. The caller is responsible for calling InputStream.close() after build() has been called.
        keyInputStream - an input stream for a PKCS#8 private key in PEM format. The caller is responsible for calling InputStream.close() after build() has been called.

keyManager
    public SslContextBuilder keyManager(PrivateKey key, X509Certificate... keyCertChain)

    Identifying certificate for this host. keyCertChain and key may be null for client contexts, which disables mutual authentication.

    Parameters:
        key - a PKCS#8 private key
        keyCertChain - an X.509 certificate chain

keyManager
    public SslContextBuilder keyManager(PrivateKey key, Iterable<? extends X509Certificate> keyCertChain)

    Identifying certificate for this host. keyCertChain and key may be null for client contexts, which disables mutual authentication.

    Parameters:
        key - a PKCS#8 private key
        keyCertChain - an X.509 certificate chain

keyManager
    public SslContextBuilder keyManager(File keyCertChainFile, File keyFile, String keyPassword)

    Identifying certificate for this host. keyCertChainFile and keyFile may be null for client contexts, which disables mutual authentication.

    Parameters:
        keyCertChainFile - an X.509 certificate chain file in PEM format
        keyFile - a PKCS#8 private key file in PEM format
        keyPassword - the password of the keyFile, or null if it's not password-protected

keyManager
    public SslContextBuilder keyManager(InputStream keyCertChainInputStream, InputStream keyInputStream, String keyPassword)

    Identifying certificate for this host. keyCertChainInputStream and keyInputStream may be null for client contexts, which disables mutual authentication.

    Parameters:
        keyCertChainInputStream - an input stream for an X.509 certificate chain in PEM format. The caller is responsible for calling InputStream.close() after build() has been called.
        keyInputStream - an input stream for a PKCS#8 private key in PEM format. The caller is responsible for calling InputStream.close() after build() has been called.
        keyPassword - the password of the keyInputStream, or null if it's not password-protected

keyManager
    public SslContextBuilder keyManager(PrivateKey key, String keyPassword, X509Certificate... keyCertChain)

    Identifying certificate for this host. keyCertChain and key may be null for client contexts, which disables mutual authentication.

    Parameters:
        key - a PKCS#8 private key file
        keyPassword - the password of the key, or null if it's not password-protected
        keyCertChain - an X.509 certificate chain

keyManager
    public SslContextBuilder keyManager(PrivateKey key, String keyPassword, Iterable<? extends X509Certificate> keyCertChain)

    Identifying certificate for this host. keyCertChain and key may be null for client contexts, which disables mutual authentication.

    Parameters:
        key - a PKCS#8 private key file
        keyPassword - the password of the key, or null if it's not password-protected
        keyCertChain - an X.509 certificate chain

keyManager
    public SslContextBuilder keyManager(KeyManagerFactory keyManagerFactory)

    Identifying manager for this host. keyManagerFactory may be null for client contexts, which disables mutual authentication. Using a KeyManagerFactory is only supported for SslProvider.JDK, or for SslProvider.OPENSSL / SslProvider.OPENSSL_REFCNT if the used OpenSSL version is 1.0.1+. You can check if your OpenSSL version supports using a KeyManagerFactory by calling OpenSsl.supportsKeyManagerFactory(). If this is not the case you must use keyManager(File, File) or keyManager(File, File, String). If you use SslProvider.OPENSSL or SslProvider.OPENSSL_REFCNT consider using OpenSslX509KeyManagerFactory or OpenSslCachingX509KeyManagerFactory.

keyManager
    public SslContextBuilder keyManager(KeyManager keyManager)

    A single key manager managing the identity information of this host. This is helpful when a custom implementation of KeyManager is needed. Internally, a wrapper of KeyManagerFactory that only produces this specified KeyManager will be created, thus all the requirements specified in keyManager(KeyManagerFactory keyManagerFactory) also apply here.
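An added example, not taken from Netty, covering two of the client-side identity paths documented above: the InputStream overloads of keyManager and trustManager, where the streams must outlive build() and are then closed by the caller, and the KeyManagerFactory overload, guarded by the OpenSsl.supportsKeyManagerFactory() check the documentation asks for. The classpath resource names, the environment variable and the class name are constructed for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLException;

import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;

/** Client SslContext for mutual TLS, built either from PEM streams or from a PKCS#12 keystore. */
public final class ClientTlsContext {

    /**
     * PEM inputs. try-with-resources keeps all three streams open across build() and closes them
     * afterwards, which is exactly the contract the InputStream overloads require.
     */
    public static SslContext fromPem(InputStream caChain, InputStream clientChain, InputStream clientKey,
                                     String keyPassword) throws SSLException, IOException {
        try (InputStream ca = caChain; InputStream chain = clientChain; InputStream key = clientKey) {
            return SslContextBuilder.forClient()
                    .trustManager(ca)                     // CA collection that may issue the server cert
                    .keyManager(chain, key, keyPassword)  // our own chain and PKCS#8 key
                    .protocols("TLSv1.3", "TLSv1.2")
                    .build();
        } // streams closed here, after build() has consumed them
    }

    /** PKCS#12 keystore through a KeyManagerFactory; only valid where the provider supports it. */
    public static SslContext fromPkcs12(SslProvider provider, InputStream p12, char[] password)
            throws GeneralSecurityException, IOException {
        if (provider != SslProvider.JDK && !OpenSsl.supportsKeyManagerFactory()) {
            // The documented fallback for older OpenSSL builds is keyManager(File, File[, String]).
            throw new IllegalStateException(provider + " cannot use a KeyManagerFactory on this OpenSSL");
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = p12) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        return SslContextBuilder.forClient()
                .sslProvider(provider)
                .keyManager(kmf)
                .protocols("TLSv1.3", "TLSv1.2")
                .build();
    }

    /** Missing resources must fail loudly: a null stream would silently disable mutual authentication. */
    private static InputStream resource(String name) throws IOException {
        InputStream in = ClientTlsContext.class.getClassLoader().getResourceAsStream(name);
        if (in == null) {
            throw new IOException("missing classpath resource: " + name);
        }
        return in;
    }

    public static void main(String[] args) throws Exception {
        // Constructed resource names and variable name; unset password means an unencrypted key.
        SslContext ctx = fromPem(
                resource("tls/ca.pem"),
                resource("tls/client-chain.pem"),
                resource("tls/client-key.pem"),
                System.getenv("CLIENT_KEY_PASSWORD"));
        System.out.println("client context built, server=" + ctx.isServer());
    }
}
```

The resource() helper exists because the documentation states that null key material is accepted for client contexts and simply disables mutual authentication; a missing file should therefore be an error at startup rather than a connection that quietly authenticates with nothing.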
ciphers
    public SslContextBuilder ciphers(Iterable<String> ciphers)

    The cipher suites to enable, in the order of preference. null to use default cipher suites.

ciphers
    public SslContextBuilder ciphers(Iterable<String> ciphers, CipherSuiteFilter cipherFilter)

    The cipher suites to enable, in the order of preference. cipherFilter will be applied to the ciphers before use. If ciphers is null, then the default cipher suites will be used.

applicationProtocolConfig
    public SslContextBuilder applicationProtocolConfig(ApplicationProtocolConfig apn)

    Application protocol negotiation configuration. null disables support.

sessionCacheSize
    public SslContextBuilder sessionCacheSize(long sessionCacheSize)

    Set the size of the cache used for storing SSL session objects. 0 to use the default value.

sessionTimeout
    public SslContextBuilder sessionTimeout(long sessionTimeout)

    Set the timeout for the cached SSL session objects, in seconds. 0 to use the default value.

clientAuth
    public SslContextBuilder clientAuth(ClientAuth clientAuth)

    Sets the client authentication mode.

protocols
    public SslContextBuilder protocols(String... protocols)

    The TLS protocol versions to enable.

    Parameters:
        protocols - The protocols to enable, or null to enable the default protocols.

protocols
    public SslContextBuilder protocols(Iterable<String> protocols)

    The TLS protocol versions to enable.

    Parameters:
        protocols - The protocols to enable, or null to enable the default protocols.

startTls
    public SslContextBuilder startTls(boolean startTls)

    true if the first write request shouldn't be encrypted.

enableOcsp
    public SslContextBuilder enableOcsp(boolean enableOcsp)

    Enables OCSP stapling. Please note that not all SslProvider implementations support OCSP stapling and an exception will be thrown upon build().

build
    public SslContext build() throws SSLException

    Create new SslContext instance with configured settings. If sslProvider(SslProvider) is set to SslProvider.OPENSSL_REFCNT then the caller is responsible for releasing this object, or else native memory may leak.

    Throws:
        SSLException

toArray
    private static <T> T[] toArray