Source code

001/*
002 *  Licensed to the Apache Software Foundation (ASF) under one
003 *  or more contributor license agreements.  See the NOTICE file
004 *  distributed with this work for additional information
005 *  regarding copyright ownership.  The ASF licenses this file
006 *  to you under the Apache License, Version 2.0 (the
007 *  "License"); you may not use this file except in compliance
008 *  with the License.  You may obtain a copy of the License at
009 *  
010 *    http://www.apache.org/licenses/LICENSE-2.0
011 *  
012 *  Unless required by applicable law or agreed to in writing,
013 *  software distributed under the License is distributed on an
014 *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015 *  KIND, either express or implied.  See the License for the
016 *  specific language governing permissions and limitations
017 *  under the License. 
018 *  
019 */
020package org.apache.directory.server.ldap.handlers.ssl;
021
022
023import java.security.SecureRandom;
024import java.util.List;
025
026import javax.net.ssl.SSLContext;
027
028import org.apache.directory.api.ldap.model.exception.LdapException;
029import org.apache.directory.server.i18n.I18n;
030import org.apache.directory.server.ldap.LdapServer;
031import org.apache.directory.server.protocol.shared.transport.TcpTransport;
032import org.apache.mina.core.filterchain.DefaultIoFilterChainBuilder;
033import org.apache.mina.core.filterchain.IoFilterChainBuilder;
034import org.apache.mina.filter.ssl.SslFilter;
035
036
037/**
038 * Loads the certificate file for LDAPS support and creates the appropriate
039 * MINA filter chain.
040 *
041 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
042 *
043 */
044public final class LdapsInitializer
045{
046    private LdapsInitializer()
047    {
048    }
049
050
051    /**
052     * Initialize the LDAPS server.
053     *
054     * @param ldapServer The LDAP server instance
055     * @param transport The TCP transport that contains the SSL configuration
056     * @return A IoFilter chain
057     * @throws LdapException If we had a pb
058     */
059    public static IoFilterChainBuilder init( LdapServer ldapServer, TcpTransport transport ) throws LdapException
060    {
061        SSLContext sslCtx;
062
063        try
064        {
065            // Initialize the SSLContext to work with our key managers.
066            sslCtx = SSLContext.getInstance( "TLS" );
067            sslCtx.init( ldapServer.getKeyManagerFactory().getKeyManagers(),
068                    ldapServer.getTrustManagers(), new SecureRandom() );
069        }
070        catch ( Exception e )
071        {
072            throw new LdapException( I18n.err( I18n.ERR_683 ), e );
073        }
074
075        DefaultIoFilterChainBuilder chain = new DefaultIoFilterChainBuilder();
076        SslFilter sslFilter = new SslFilter( sslCtx );
077
078        // The ciphers
079        List<String> cipherSuites = transport.getCipherSuite();
080
081        if ( ( cipherSuites != null ) && !cipherSuites.isEmpty() )
082        {
083            sslFilter.setEnabledCipherSuites( cipherSuites.toArray( new String[cipherSuites.size()] ) );
084        }
085
086        // The protocols
087        List<String> enabledProtocols = transport.getEnabledProtocols();
088
089        if ( ( enabledProtocols != null ) && !enabledProtocols.isEmpty() )
090        {
091            sslFilter.setEnabledProtocols( enabledProtocols.toArray( new String[enabledProtocols.size()] ) );
092        }
093        else
094        {
095            // Be sure we disable SSLV3
096            sslFilter.setEnabledProtocols( new String[]
097                { "TLSv1", "TLSv1.1", "TLSv1.2" } );
098        }
099
100        // The remaining SSL parameters
101        sslFilter.setNeedClientAuth( transport.isNeedClientAuth() );
102        sslFilter.setWantClientAuth( transport.isWantClientAuth() );
103
104        chain.addLast( "sslFilter", sslFilter );
105
106        return chain;
107    }
108}