001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, 013 * software distributed under the License is distributed on an 014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 015 * KIND, either express or implied. See the License for the 016 * specific language governing permissions and limitations 017 * under the License. 018 * 019 */ 020package org.apache.directory.server.ldap.handlers.ssl; 021 022 023import java.security.SecureRandom; 024import java.util.List; 025 026import javax.net.ssl.SSLContext; 027import javax.net.ssl.TrustManager; 028 029import org.apache.directory.api.ldap.model.exception.LdapException; 030import org.apache.directory.ldap.client.api.NoVerificationTrustManager; 031import org.apache.directory.server.i18n.I18n; 032import org.apache.directory.server.ldap.LdapServer; 033import org.apache.directory.server.protocol.shared.transport.TcpTransport; 034import org.apache.mina.core.filterchain.DefaultIoFilterChainBuilder; 035import org.apache.mina.core.filterchain.IoFilterChainBuilder; 036import org.apache.mina.filter.ssl.SslFilter; 037 038 039/** 040 * Loads the certificate file for LDAPS support and creates the appropriate 041 * MINA filter chain. 042 * 043 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a> 044 * 045 */ 046public final class LdapsInitializer 047{ 048 private LdapsInitializer() 049 { 050 } 051 052 053 /** 054 * Initialize the LDAPS server. 055 * 056 * @param ldapServer The LDAP server instance 057 * @param transport The TCP transport that contains the SSL configuration 058 * @return A IoFilter chain 059 * @throws LdapException If we had a pb 060 */ 061 public static IoFilterChainBuilder init( LdapServer ldapServer, TcpTransport transport ) throws LdapException 062 { 063 SSLContext sslCtx; 064 065 try 066 { 067 // Initialize the SSLContext to work with our key managers. 068 sslCtx = SSLContext.getInstance( "TLS" ); 069 sslCtx.init( ldapServer.getKeyManagerFactory().getKeyManagers(), new TrustManager[] 070 { new NoVerificationTrustManager() }, new SecureRandom() ); 071 } 072 catch ( Exception e ) 073 { 074 throw new LdapException( I18n.err( I18n.ERR_683 ), e ); 075 } 076 077 DefaultIoFilterChainBuilder chain = new DefaultIoFilterChainBuilder(); 078 SslFilter sslFilter = new SslFilter( sslCtx ); 079 080 // The ciphers 081 List<String> cipherSuites = transport.getCipherSuite(); 082 083 if ( ( cipherSuites != null ) && !cipherSuites.isEmpty() ) 084 { 085 sslFilter.setEnabledCipherSuites( cipherSuites.toArray( new String[cipherSuites.size()] ) ); 086 } 087 088 // The protocols 089 List<String> enabledProtocols = transport.getEnabledProtocols(); 090 091 if ( ( enabledProtocols != null ) && !enabledProtocols.isEmpty() ) 092 { 093 sslFilter.setEnabledProtocols( enabledProtocols.toArray( new String[enabledProtocols.size()] ) ); 094 } 095 else 096 { 097 // Be sure we disable SSLV3 098 sslFilter.setEnabledProtocols( new String[] 099 { "TLSv1", "TLSv1.1", "TLSv1.2" } ); 100 } 101 102 // The remaining SSL parameters 103 sslFilter.setNeedClientAuth( transport.isNeedClientAuth() ); 104 sslFilter.setWantClientAuth( transport.isWantClientAuth() ); 105 106 chain.addLast( "sslFilter", sslFilter ); 107 108 return chain; 109 } 110}