COM.claymoresystems.sslg

Class SSLPolicyInt

public class SSLPolicyInt extends Object

SSLPolicyInt.java Copyright (C) 1999, Claymore Systems, Inc. All Rights Reserved. ekr@rtfm.com Wed May 5 08:47:37 1999 This package is a SSLv3/TLS implementation written by Eric Rescorla and licensed by Claymore Systems, Inc. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by Claymore Systems, Inc. 4. Neither the name of Claymore Systems, Inc. nor the name of Eric Rescorla may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. $Id: SSLPolicyInt.java,v 1.10 2002/08/20 01:04:50 ekr Exp $
Field Summary
static shortTLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
static shortTLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
static shortTLS_DHE_DSS_WITH_DES_CBC_SHA
static shortTLS_DHE_DSS_WITH_NULL_SHA
static shortTLS_DHE_DSS_WITH_RC4_128_SHA
static shortTLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
static shortTLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
static shortTLS_DHE_RSA_WITH_DES_CBC_SHA
static shortTLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
static shortTLS_DH_anon_EXPORT_WITH_RC4_40_MD5
static shortTLS_DH_anon_WITH_3DES_EDE_CBC_SHA
static shortTLS_DH_anon_WITH_DES_CBC_SHA
static shortTLS_DH_anon_WITH_RC4_128_MD5
static shortTLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
static shortTLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
static shortTLS_DH_DSS_WITH_DES_CBC_SHA
static shortTLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
static shortTLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
static shortTLS_DH_RSA_WITH_DES_CBC_SHA
static shortTLS_RSA_EXPORT_WITH_DES40_CBC_SHA
static shortTLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
static shortTLS_RSA_EXPORT_WITH_RC4_40_MD5
static shortTLS_RSA_WITH_3DES_EDE_CBC_SHA
static shortTLS_RSA_WITH_DES_CBC_SHA
static shortTLS_RSA_WITH_IDEA_CBC_SHA
static shortTLS_RSA_WITH_NULL_MD5
static shortTLS_RSA_WITH_NULL_SHA
static shortTLS_RSA_WITH_RC4_128_MD5
static shortTLS_RSA_WITH_RC4_128_SHA
Method Summary
voidacceptUnverifiableCertificates(boolean accept)
allow unverifiable certificates.
booleanacceptUnverifiableCertificatesP()
return whether unverifiable certificates are accepted
booleandhAlwaysEphemeralP()
CertVerifyPolicyIntgetCertVerifyPolicy()
static StringgetCipherSuiteName(int num)
get the name of a cipher from the number
static intgetCipherSuiteNumber(String name)
get the number of a cipher from the name
short[]getCipherSuites()
Return the allowed cipherSuites
intgetSessionLifetime()
return the lifetime of a session
voidhandshakeOnConnect(boolean value)
booleanhandshakeOnConnectP()
voidnegotiateTLS(boolean tls)
Set whether to try to negotiate TLS.
booleannegotiateTLSP()
return whether TLS is to be negotiated
voidrequireClientAuth(boolean val)
Set whether or not to require client authentication when negotiating (this is relevant only for servers)
booleanrequireClientAuthP()
Get whether client auth is required.
voidsetCertVerifyPolicy(CertVerifyPolicyInt p)
voidsetCipherSuites(short[] cS)
Specify which cipherSuites may be negotiated.
voidsetDHAlwaysEphemeral(boolean dhephemeral)
Force the creation of a new ephemeral DH key for each connection Only set this to false if you are using a Sophie-Germain or other prime designed to resist small subgroup attacks.
voidsetSessonLifetime(int lifetime)
Set the lifetime of a cached session.
voidwaitOnClose(boolean v)
booleanwaitOnCloseP()

Field Detail

TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA

public static final short TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

public static final short TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

TLS_DHE_DSS_WITH_DES_CBC_SHA

public static final short TLS_DHE_DSS_WITH_DES_CBC_SHA

TLS_DHE_DSS_WITH_NULL_SHA

public static final short TLS_DHE_DSS_WITH_NULL_SHA

TLS_DHE_DSS_WITH_RC4_128_SHA

public static final short TLS_DHE_DSS_WITH_RC4_128_SHA

TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA

public static final short TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

public static final short TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

TLS_DHE_RSA_WITH_DES_CBC_SHA

public static final short TLS_DHE_RSA_WITH_DES_CBC_SHA

TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA

public static final short TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA

TLS_DH_anon_EXPORT_WITH_RC4_40_MD5

public static final short TLS_DH_anon_EXPORT_WITH_RC4_40_MD5

TLS_DH_anon_WITH_3DES_EDE_CBC_SHA

public static final short TLS_DH_anon_WITH_3DES_EDE_CBC_SHA

TLS_DH_anon_WITH_DES_CBC_SHA

public static final short TLS_DH_anon_WITH_DES_CBC_SHA

TLS_DH_anon_WITH_RC4_128_MD5

public static final short TLS_DH_anon_WITH_RC4_128_MD5

TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA

public static final short TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA

TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA

public static final short TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA

TLS_DH_DSS_WITH_DES_CBC_SHA

public static final short TLS_DH_DSS_WITH_DES_CBC_SHA

TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA

public static final short TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA

TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA

public static final short TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA

TLS_DH_RSA_WITH_DES_CBC_SHA

public static final short TLS_DH_RSA_WITH_DES_CBC_SHA

TLS_RSA_EXPORT_WITH_DES40_CBC_SHA

public static final short TLS_RSA_EXPORT_WITH_DES40_CBC_SHA

TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

public static final short TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

TLS_RSA_EXPORT_WITH_RC4_40_MD5

public static final short TLS_RSA_EXPORT_WITH_RC4_40_MD5

TLS_RSA_WITH_3DES_EDE_CBC_SHA

public static final short TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLS_RSA_WITH_DES_CBC_SHA

public static final short TLS_RSA_WITH_DES_CBC_SHA

TLS_RSA_WITH_IDEA_CBC_SHA

public static final short TLS_RSA_WITH_IDEA_CBC_SHA

TLS_RSA_WITH_NULL_MD5

public static final short TLS_RSA_WITH_NULL_MD5

TLS_RSA_WITH_NULL_SHA

public static final short TLS_RSA_WITH_NULL_SHA

TLS_RSA_WITH_RC4_128_MD5

public static final short TLS_RSA_WITH_RC4_128_MD5

TLS_RSA_WITH_RC4_128_SHA

public static final short TLS_RSA_WITH_RC4_128_SHA

Method Detail

acceptUnverifiableCertificates

public void acceptUnverifiableCertificates(boolean accept)
allow unverifiable certificates. If we encounter a certificate which cannot be verified by a known root, we ordinarily reject, but this accepts that behavior to be overridden. The value of getCertificateChain() will be null.

Setting this value to true completely compromises security against active attack. This should only be used for testing purposes.

Parameters: accept a boolean indicating whether unverifiable certificates should be accepted

acceptUnverifiableCertificatesP

public boolean acceptUnverifiableCertificatesP()
return whether unverifiable certificates are accepted

Returns: a boolean indicating whether unverifiable certs will be accepted

dhAlwaysEphemeralP

public boolean dhAlwaysEphemeralP()

getCertVerifyPolicy

public CertVerifyPolicyInt getCertVerifyPolicy()

getCipherSuiteName

public static String getCipherSuiteName(int num)
get the name of a cipher from the number

Returns: the name

getCipherSuiteNumber

public static int getCipherSuiteNumber(String name)
get the number of a cipher from the name

Returns: the number (or -1)

getCipherSuites

public short[] getCipherSuites()
Return the allowed cipherSuites

Returns: a short[] containing all the cipherSuites currently allowed

getSessionLifetime

public int getSessionLifetime()
return the lifetime of a session

Returns: the lifetime setting, in seconds

handshakeOnConnect

public void handshakeOnConnect(boolean value)

handshakeOnConnectP

public boolean handshakeOnConnectP()

negotiateTLS

public void negotiateTLS(boolean tls)
Set whether to try to negotiate TLS. IF this value is false, SSLv3 will be negotiated. The default is true/yes.

Parameters: tls a boolean indicating whether to try to negotiate TLS

negotiateTLSP

public boolean negotiateTLSP()
return whether TLS is to be negotiated

Returns: a boolean indicating whether TLS negotiation is attempted.

requireClientAuth

public void requireClientAuth(boolean val)
Set whether or not to require client authentication when negotiating (this is relevant only for servers)

Parameters: val a boolean specifying whether client auth is required. The default is no

requireClientAuthP

public boolean requireClientAuthP()
Get whether client auth is required. This is relevant only for servers

Returns: val a boolean indicating whether client auth is required

setCertVerifyPolicy

public void setCertVerifyPolicy(CertVerifyPolicyInt p)

setCipherSuites

public void setCipherSuites(short[] cS)
Specify which cipherSuites may be negotiated.

Currently there is no check made as to whether these cipherSuites are in fact negotiatable given the current keying material. This is a bug.

Currently supported cipher suites:

	 TLS_DHE_DSS_EXPORT_WITH_DES40_RSA
	 TLS_DHE_DSS_WITH_DES_CBC_SHA
	 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
	 TLS_RSA_WITH_3DES_EDE_CBC_SHA,
	 TLS_RSA_WITH_DES_CBC_SHA,
	 TLS_RSA_WITH_RC4_128_MD5,
	 TLS_RSA_WITH_RC4_128_SHA,
	 TLS_RSA_EXPORT_WITH_RC4_40_MD5,
	 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
	 TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
	 

Parameters: cS the list of allowed cipherSuites as an array of shorts. The values are specified as constants in this class

setDHAlwaysEphemeral

public void setDHAlwaysEphemeral(boolean dhephemeral)
Force the creation of a new ephemeral DH key for each connection Only set this to false if you are using a Sophie-Germain or other prime designed to resist small subgroup attacks.

Parameters: dhephemeral a boolean indicating whether to force a new DH key for each connection--default to true

setSessonLifetime

public void setSessonLifetime(int lifetime)
Set the lifetime of a cached session. Any attempt to resume a session after it has expired will fail. This has no effect on sessions that are currently active, however.

Parameters: lifetime lifetime of a cached session in seconds. Default is 86400 (1 day)

waitOnClose

public void waitOnClose(boolean v)

waitOnCloseP

public boolean waitOnCloseP()
Copyright (c) 1999-2001 Claymore Systems, Inc., All Rights Reserved.