001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, 013 * software distributed under the License is distributed on an 014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 015 * KIND, either express or implied. See the License for the 016 * specific language governing permissions and limitations 017 * under the License. 018 * 019 */ 020package org.apache.directory.server.ldap.handlers.ssl; 021 022 023import java.security.SecureRandom; 024import java.util.List; 025 026import javax.net.ssl.SSLContext; 027 028import org.apache.directory.api.ldap.model.exception.LdapException; 029import org.apache.directory.server.i18n.I18n; 030import org.apache.directory.server.ldap.LdapServer; 031import org.apache.directory.server.protocol.shared.transport.TcpTransport; 032import org.apache.mina.core.filterchain.DefaultIoFilterChainBuilder; 033import org.apache.mina.core.filterchain.IoFilterChainBuilder; 034import org.apache.mina.filter.ssl.SslFilter; 035 036 037/** 038 * Loads the certificate file for LDAPS support and creates the appropriate 039 * MINA filter chain. 040 * 041 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a> 042 * 043 */ 044public final class LdapsInitializer 045{ 046 private LdapsInitializer() 047 { 048 } 049 050 051 /** 052 * Initialize the LDAPS server. 053 * 054 * @param ldapServer The LDAP server instance 055 * @param transport The TCP transport that contains the SSL configuration 056 * @return A IoFilter chain 057 * @throws LdapException If we had a pb 058 */ 059 public static IoFilterChainBuilder init( LdapServer ldapServer, TcpTransport transport ) throws LdapException 060 { 061 SSLContext sslCtx; 062 063 try 064 { 065 // Initialize the SSLContext to work with our key managers. 066 sslCtx = SSLContext.getInstance( "TLS" ); 067 sslCtx.init( ldapServer.getKeyManagerFactory().getKeyManagers(), 068 ldapServer.getTrustManagers(), new SecureRandom() ); 069 } 070 catch ( Exception e ) 071 { 072 throw new LdapException( I18n.err( I18n.ERR_683 ), e ); 073 } 074 075 DefaultIoFilterChainBuilder chain = new DefaultIoFilterChainBuilder(); 076 SslFilter sslFilter = new SslFilter( sslCtx ); 077 078 // The ciphers 079 List<String> cipherSuites = transport.getCipherSuite(); 080 081 if ( ( cipherSuites != null ) && !cipherSuites.isEmpty() ) 082 { 083 sslFilter.setEnabledCipherSuites( cipherSuites.toArray( new String[cipherSuites.size()] ) ); 084 } 085 086 // The protocols 087 List<String> enabledProtocols = transport.getEnabledProtocols(); 088 089 if ( ( enabledProtocols != null ) && !enabledProtocols.isEmpty() ) 090 { 091 sslFilter.setEnabledProtocols( enabledProtocols.toArray( new String[enabledProtocols.size()] ) ); 092 } 093 else 094 { 095 // Be sure we disable SSLV3 096 sslFilter.setEnabledProtocols( new String[] 097 { "TLSv1", "TLSv1.1", "TLSv1.2" } ); 098 } 099 100 // The remaining SSL parameters 101 sslFilter.setNeedClientAuth( transport.isNeedClientAuth() ); 102 sslFilter.setWantClientAuth( transport.isWantClientAuth() ); 103 104 chain.addLast( "sslFilter", sslFilter ); 105 106 return chain; 107 } 108}