Merge pull request #3480 from eclipse/jetty-9.4.x-3464-split_sslcontextfactory

Issue #3464 - Split SslContextFactory into Client and Server

examples/embedded/src/main/java/org/eclipse/jetty/embedded/Http2Server.java

@@ -22,7 +22,6 @@ package org.eclipse.jetty.embedded;
 import java.io.File;
 import java.io.IOException;
 import java.lang.management.ManagementFactory;
-import java.nio.file.Files;
 import java.util.Date;
 import java.util.EnumSet;
 
@@ -101,7 +100,7 @@ public class Http2Server
         String jetty_distro = System.getProperty("jetty.distro","../../jetty-distribution/target/distribution");
         if (!new File(jetty_distro).exists())
             jetty_distro = "jetty-distribution/target/distribution";
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath(jetty_distro + "/demo-base/etc/keystore");
         sslContextFactory.setKeyStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
         sslContextFactory.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");

examples/embedded/src/main/java/org/eclipse/jetty/embedded/LikeJettyXml.java

@@ -138,7 +138,7 @@ public class LikeJettyXml
 
         // === jetty-https.xml ===
         // SSL Context Factory
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath(jetty_home + "/../../../jetty-server/src/test/config/etc/keystore");
         sslContextFactory.setKeyStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
         sslContextFactory.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");

examples/embedded/src/main/java/org/eclipse/jetty/embedded/ManyConnectors.java

@@ -20,9 +20,7 @@ package org.eclipse.jetty.embedded;
 
 import java.io.File;
 import java.io.FileNotFoundException;
-import java.security.Security;
 
-import org.conscrypt.OpenSSLProvider;
 import org.eclipse.jetty.http.HttpVersion;
 import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.HttpConfiguration;
@@ -89,7 +87,7 @@ public class ManyConnectors
         // including things like choosing the particular certificate out of a
         // keystore to be used.
         
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath(keystoreFile.getAbsolutePath());
         sslContextFactory.setKeyStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
         sslContextFactory.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");

jetty-alpn/jetty-alpn-conscrypt-client/src/test/java/org/eclipse/jetty/alpn/java/client/ConscryptHTTP2Client.java

@@ -44,7 +44,7 @@ public class ConscryptHTTP2Client
     public static void main(String[] args) throws Exception
     {
         Security.addProvider(new OpenSSLProvider());
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Client();
         sslContextFactory.setProvider("Conscrypt");
         HTTP2Client client = new HTTP2Client();
         client.addBean(sslContextFactory);

jetty-alpn/jetty-alpn-conscrypt-server/src/test/java/org/eclipse/jetty/alpn/conscrypt/server/ConscryptHTTP2ServerTest.java

@@ -61,24 +61,35 @@ public class ConscryptHTTP2ServerTest
 
     private Server server = new Server();
 
-    private SslContextFactory newSslContextFactory()
+    private SslContextFactory.Server newServerSslContextFactory()
+    {
+        SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
+        configureSslContextFactory(sslContextFactory);
+        return sslContextFactory;
+    }
+
+    private SslContextFactory.Client newClientSslContextFactory()
+    {
+        SslContextFactory.Client sslContextFactory = new SslContextFactory.Client();
+        configureSslContextFactory(sslContextFactory);
+        sslContextFactory.setEndpointIdentificationAlgorithm(null);
+        return sslContextFactory;
+    }
+
+    private void configureSslContextFactory(SslContextFactory sslContextFactory)
     {
         Path path = Paths.get("src", "test", "resources");
         File keys = path.resolve("keystore").toFile();
-
+        sslContextFactory.setKeyStorePath(keys.getAbsolutePath());
-        SslContextFactory sslContextFactory = new SslContextFactory();
         sslContextFactory.setKeyManagerPassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
         sslContextFactory.setTrustStorePath(keys.getAbsolutePath());
-        sslContextFactory.setKeyStorePath(keys.getAbsolutePath());
         sslContextFactory.setTrustStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
         sslContextFactory.setProvider("Conscrypt");
-        sslContextFactory.setEndpointIdentificationAlgorithm(null);
         if (JavaVersion.VERSION.getPlatform() < 9)
         {
             // Conscrypt enables TLSv1.3 by default but it's not supported in Java 8.
             sslContextFactory.addExcludeProtocols("TLSv1.3");
         }
-        return sslContextFactory;
     }
 
     @BeforeEach
@@ -95,7 +106,7 @@ public class ConscryptHTTP2ServerTest
         HTTP2ServerConnectionFactory h2 = new HTTP2ServerConnectionFactory(httpsConfig);
         ALPNServerConnectionFactory alpn = new ALPNServerConnectionFactory();
         alpn.setDefaultProtocol(http.getProtocol());
-        SslConnectionFactory ssl = new SslConnectionFactory(newSslContextFactory(), alpn.getProtocol());
+        SslConnectionFactory ssl = new SslConnectionFactory(newServerSslContextFactory(), alpn.getProtocol());
 
         ServerConnector http2Connector = new ServerConnector(server, ssl, alpn, h2, http);
         http2Connector.setPort(0);
@@ -125,7 +136,7 @@ public class ConscryptHTTP2ServerTest
     public void testSimpleRequest() throws Exception
     {
         HTTP2Client h2Client = new HTTP2Client();
-        HttpClient client = new HttpClient(new HttpClientTransportOverHTTP2(h2Client), newSslContextFactory());
+        HttpClient client = new HttpClient(new HttpClientTransportOverHTTP2(h2Client), newClientSslContextFactory());
         client.start();
         try
         {

jetty-alpn/jetty-alpn-java-client/src/test/java/org/eclipse/jetty/alpn/java/client/JDK9HTTP2Client.java

@@ -42,7 +42,7 @@ public class JDK9HTTP2Client
     public static void main(String[] args) throws Exception
     {
         HTTP2Client client = new HTTP2Client();
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Client();
         client.addBean(sslContextFactory);
         client.start();
 

jetty-alpn/jetty-alpn-java-server/src/test/java/org/eclipse/jetty/alpn/java/server/JDK9ALPNTest.java

@@ -18,9 +18,6 @@
 
 package org.eclipse.jetty.alpn.java.server;
 
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.containsString;
-
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStream;
@@ -47,6 +44,9 @@ import org.eclipse.jetty.server.handler.AbstractHandler;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.junit.jupiter.api.Test;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+
 public class JDK9ALPNTest
 {
     private Server server;
@@ -68,7 +68,7 @@ public class JDK9ALPNTest
 
     private SslContextFactory newSslContextFactory()
     {
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath("src/test/resources/keystore.jks");
         sslContextFactory.setKeyStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
         sslContextFactory.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");
@@ -90,7 +90,7 @@ public class JDK9ALPNTest
             }
         });
 
-        SslContextFactory sslContextFactory = new SslContextFactory(true);
+        SslContextFactory sslContextFactory = new SslContextFactory.Client(true);
         sslContextFactory.start();
         SSLContext sslContext = sslContextFactory.getSslContext();
         try (SSLSocket client = (SSLSocket)sslContext.getSocketFactory().createSocket("localhost", connector.getLocalPort()))
@@ -132,7 +132,7 @@ public class JDK9ALPNTest
             }
         });
 
-        SslContextFactory sslContextFactory = new SslContextFactory(true);
+        SslContextFactory sslContextFactory = new SslContextFactory.Client(true);
         sslContextFactory.start();
         SSLContext sslContext = sslContextFactory.getSslContext();
         try (SSLSocket client = (SSLSocket)sslContext.getSocketFactory().createSocket("localhost", connector.getLocalPort()))

jetty-alpn/jetty-alpn-java-server/src/test/java/org/eclipse/jetty/alpn/java/server/JDK9HTTP2Server.java

@@ -45,7 +45,7 @@ public class JDK9HTTP2Server
         httpsConfig.setSendServerVersion(true);
         httpsConfig.addCustomizer(new SecureRequestCustomizer());
 
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath("src/test/resources/keystore.jks");
         sslContextFactory.setKeyStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
         sslContextFactory.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");

jetty-alpn/jetty-alpn-openjdk8-client/src/test/java/org/eclipse/jetty/alpn/java/client/OpenJDK8HTTP2Client.java

@@ -42,7 +42,7 @@ public class OpenJDK8HTTP2Client
     public static void main(String[] args) throws Exception
     {
         HTTP2Client client = new HTTP2Client();
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Client();
         client.addBean(sslContextFactory);
         client.start();
 

jetty-alpn/jetty-alpn-openjdk8-server/src/test/java/org/eclipse/jetty/alpn/openjdk8/server/OpenJDK8HTTP2Server.java

@@ -45,7 +45,7 @@ public class OpenJDK8HTTP2Server
         httpsConfig.setSendServerVersion(true);
         httpsConfig.addCustomizer(new SecureRequestCustomizer());
 
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath("src/test/resources/keystore.jks");
         sslContextFactory.setKeyStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
         sslContextFactory.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");

jetty-client/src/test/java/org/eclipse/jetty/client/AbstractHttpClientServerTest.java

@@ -58,7 +58,7 @@ public abstract class AbstractHttpClientServerTest
             serverThreads.setName("server");
             server = new Server(serverThreads);
         }
-        connector = new ServerConnector(server, scenario.newSslContextFactory());
+        connector = new ServerConnector(server, scenario.newServerSslContextFactory());
         connector.setPort(0);
         server.addConnector(connector);
         server.setHandler(handler);
@@ -67,12 +67,12 @@ public abstract class AbstractHttpClientServerTest
 
     protected void startClient(final Scenario scenario) throws Exception
     {
-        startClient(scenario, null,null);
+        startClient(scenario, null, null);
     }
 
     protected void startClient(final Scenario scenario, HttpClientTransport transport, Consumer<HttpClient> config) throws Exception
     {
-        if (transport==null)
+        if (transport == null)
             transport = new HttpClientTransportOverHTTP(1);
 
         QueuedThreadPool executor = new QueuedThreadPool();
@@ -82,7 +82,7 @@ public abstract class AbstractHttpClientServerTest
         client.setExecutor(executor);
         client.setScheduler(scheduler);
         client.setSocketAddressResolver(new SocketAddressResolver.Sync());
-        if (config!=null)
+        if (config != null)
             config.accept(client);
 
         client.start();
@@ -90,7 +90,7 @@ public abstract class AbstractHttpClientServerTest
 
     public HttpClient newHttpClient(Scenario scenario, HttpClientTransport transport)
     {
-        return new HttpClient(transport, scenario.newSslContextFactory());
+        return new HttpClient(transport, scenario.newClientSslContextFactory());
     }
 
     @AfterEach
@@ -113,9 +113,10 @@ public abstract class AbstractHttpClientServerTest
         }
     }
 
-    public static class ScenarioProvider implements ArgumentsProvider {
+    public static class ScenarioProvider implements ArgumentsProvider
+    {
         @Override
-        public Stream<? extends Arguments> provideArguments(ExtensionContext context) throws Exception
+        public Stream<? extends Arguments> provideArguments(ExtensionContext context)
         {
             return Stream.of(
                     new NormalScenario(),
@@ -125,9 +126,10 @@ public abstract class AbstractHttpClientServerTest
         }
     }
 
-    public static class NonSslScenarioProvider implements ArgumentsProvider {
+    public static class NonSslScenarioProvider implements ArgumentsProvider
+    {
         @Override
-        public Stream<? extends Arguments> provideArguments(ExtensionContext context) throws Exception
+        public Stream<? extends Arguments> provideArguments(ExtensionContext context)
         {
             return Stream.of(
                     new NormalScenario()
@@ -138,12 +140,27 @@ public abstract class AbstractHttpClientServerTest
 
     public interface Scenario
     {
-        default SslContextFactory newSslContextFactory() { return null; }
+        SslContextFactory newClientSslContextFactory();
+
+        SslContextFactory newServerSslContextFactory();
+
         String getScheme();
     }
 
     public static class NormalScenario implements Scenario
     {
+        @Override
+        public SslContextFactory newClientSslContextFactory()
+        {
+            return null;
+        }
+
+        @Override
+        public SslContextFactory newServerSslContextFactory()
+        {
+            return null;
+        }
+
         @Override
         public String getScheme()
         {
@@ -160,15 +177,27 @@ public abstract class AbstractHttpClientServerTest
     public static class SslScenario implements Scenario
     {
         @Override
-        public SslContextFactory newSslContextFactory()
+        public SslContextFactory newClientSslContextFactory()
+        {
+            SslContextFactory.Client result = new SslContextFactory.Client();
+            result.setEndpointIdentificationAlgorithm(null);
+            configure(result);
+            return result;
+        }
+
+        @Override
+        public SslContextFactory newServerSslContextFactory()
+        {
+            SslContextFactory.Server result = new SslContextFactory.Server();
+            configure(result);
+            return result;
+        }
+
+        private void configure(SslContextFactory ssl)
         {
             Path keystorePath = MavenTestingUtils.getTestResourcePath("keystore.jks");
-
-            SslContextFactory ssl = new SslContextFactory();
-            ssl.setEndpointIdentificationAlgorithm("");
             ssl.setKeyStorePath(keystorePath.toString());
             ssl.setKeyStorePassword("storepwd");
-            return ssl;
         }
 
         @Override

jetty-client/src/test/java/org/eclipse/jetty/client/ExternalSiteTest.java

@@ -18,10 +18,6 @@
 
 package org.eclipse.jetty.client;
 
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.junit.jupiter.api.Assumptions.assumeTrue;
-
 import java.net.Socket;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.TimeUnit;
@@ -36,6 +32,10 @@ import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assumptions.assumeTrue;
+
 @Disabled
 public class ExternalSiteTest
 {
@@ -44,7 +44,7 @@ public class ExternalSiteTest
     @BeforeEach
     public void prepare() throws Exception
     {
-        client = new HttpClient(new SslContextFactory());
+        client = new HttpClient(new SslContextFactory.Client());
         client.start();
     }
 
@@ -94,7 +94,7 @@ public class ExternalSiteTest
     public void testExternalSSLSite() throws Exception
     {
         client.stop();
-        client = new HttpClient(new SslContextFactory());
+        client = new HttpClient(new SslContextFactory.Client());
         client.start();
 
         String host = "api-3t.paypal.com";

jetty-client/src/test/java/org/eclipse/jetty/client/HostnameVerificationTest.java

@@ -18,10 +18,6 @@
 
 package org.eclipse.jetty.client;
 
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.fail;
-
 import java.io.IOException;
 import java.security.cert.CertificateException;
 import java.util.concurrent.ExecutionException;
@@ -40,11 +36,14 @@ import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.eclipse.jetty.util.thread.QueuedThreadPool;
 import org.hamcrest.Matchers;
 import org.junit.jupiter.api.AfterEach;
-
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.fail;
+
 /**
  * This test class runs tests to make sure that hostname verification (http://www.ietf.org/rfc/rfc2818.txt
  * section 3.1) is configurable in SslContextFactory and works as expected.
@@ -52,7 +51,7 @@ import org.junit.jupiter.api.Test;
 @Disabled
 public class HostnameVerificationTest
 {
-    private SslContextFactory clientSslContextFactory = new SslContextFactory();
+    private SslContextFactory clientSslContextFactory = new SslContextFactory.Client();
     private Server server;
     private HttpClient client;
     private NetworkConnector connector;
@@ -64,7 +63,7 @@ public class HostnameVerificationTest
         serverThreads.setName("server");
         server = new Server(serverThreads);
 
-        SslContextFactory serverSslContextFactory = new SslContextFactory();
+        SslContextFactory serverSslContextFactory = new SslContextFactory.Server();
         serverSslContextFactory.setKeyStorePath("src/test/resources/keystore.jks");
         serverSslContextFactory.setKeyStorePassword("storepwd");
         connector = new ServerConnector(server, serverSslContextFactory);

jetty-client/src/test/java/org/eclipse/jetty/client/HttpClientTLSTest.java

@@ -89,13 +89,25 @@ public class HttpClientTLSTest
         client.start();
     }
 
-    private SslContextFactory createSslContextFactory()
+    private SslContextFactory.Server createServerSslContextFactory()
+    {
+        SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
+        configureSslContextFactory(sslContextFactory);
+        return sslContextFactory;
+    }
+
+    private SslContextFactory.Client createClientSslContextFactory()
+    {
+        SslContextFactory.Client sslContextFactory = new SslContextFactory.Client();
+        configureSslContextFactory(sslContextFactory);
+        sslContextFactory.setEndpointIdentificationAlgorithm(null);
+        return sslContextFactory;
+    }
+
+    private void configureSslContextFactory(SslContextFactory sslContextFactory)
     {
-        SslContextFactory sslContextFactory = new SslContextFactory();
-        sslContextFactory.setEndpointIdentificationAlgorithm("");
         sslContextFactory.setKeyStorePath("src/test/resources/keystore.jks");
         sslContextFactory.setKeyStorePassword("storepwd");
-        return sslContextFactory;
     }
 
     @AfterEach
@@ -110,7 +122,7 @@ public class HttpClientTLSTest
     @Test
     public void testNoCommonTLSProtocol() throws Exception
     {
-        SslContextFactory serverTLSFactory = createSslContextFactory();
+        SslContextFactory serverTLSFactory = createServerSslContextFactory();
         serverTLSFactory.setIncludeProtocols("TLSv1.3");
         startServer(serverTLSFactory, new EmptyServerHandler());
 
@@ -124,7 +136,7 @@ public class HttpClientTLSTest
             }
         });
 
-        SslContextFactory clientTLSFactory = createSslContextFactory();
+        SslContextFactory clientTLSFactory = createClientSslContextFactory();
         clientTLSFactory.setIncludeProtocols("TLSv1.2");
         startClient(clientTLSFactory);
 
@@ -151,7 +163,7 @@ public class HttpClientTLSTest
     @Test
     public void testNoCommonTLSCiphers() throws Exception
     {
-        SslContextFactory serverTLSFactory = createSslContextFactory();
+        SslContextFactory serverTLSFactory = createServerSslContextFactory();
         serverTLSFactory.setIncludeCipherSuites("TLS_RSA_WITH_AES_128_CBC_SHA");
         startServer(serverTLSFactory, new EmptyServerHandler());
 
@@ -165,7 +177,7 @@ public class HttpClientTLSTest
             }
         });
 
-        SslContextFactory clientTLSFactory = createSslContextFactory();
+        SslContextFactory clientTLSFactory = createClientSslContextFactory();
         clientTLSFactory.setExcludeCipherSuites(".*_SHA$");
         startClient(clientTLSFactory);
 
@@ -192,7 +204,7 @@ public class HttpClientTLSTest
     @Test
     public void testMismatchBetweenTLSProtocolAndTLSCiphersOnServer() throws Exception
     {
-        SslContextFactory serverTLSFactory = createSslContextFactory();
+        SslContextFactory serverTLSFactory = createServerSslContextFactory();
         // TLS 1.1 protocol, but only TLS 1.2 ciphers.
         serverTLSFactory.setIncludeProtocols("TLSv1.1");
         serverTLSFactory.setIncludeCipherSuites("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
@@ -208,7 +220,7 @@ public class HttpClientTLSTest
             }
         });
 
-        SslContextFactory clientTLSFactory = createSslContextFactory();
+        SslContextFactory clientTLSFactory = createClientSslContextFactory();
         startClient(clientTLSFactory);
 
         CountDownLatch clientLatch = new CountDownLatch(1);
@@ -237,7 +249,7 @@ public class HttpClientTLSTest
     @Test
     public void testMismatchBetweenTLSProtocolAndTLSCiphersOnClient() throws Exception
     {
-        SslContextFactory serverTLSFactory = createSslContextFactory();
+        SslContextFactory serverTLSFactory = createServerSslContextFactory();
         startServer(serverTLSFactory, new EmptyServerHandler());
 
         CountDownLatch serverLatch = new CountDownLatch(1);
@@ -250,7 +262,7 @@ public class HttpClientTLSTest
             }
         });
 
-        SslContextFactory clientTLSFactory = createSslContextFactory();
+        SslContextFactory clientTLSFactory = createClientSslContextFactory();
         // TLS 1.1 protocol, but only TLS 1.2 ciphers.
         clientTLSFactory.setIncludeProtocols("TLSv1.1");
         clientTLSFactory.setIncludeCipherSuites("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
@@ -279,7 +291,7 @@ public class HttpClientTLSTest
     @Test
     public void testHandshakeSucceeded() throws Exception
     {
-        SslContextFactory serverTLSFactory = createSslContextFactory();
+        SslContextFactory serverTLSFactory = createServerSslContextFactory();
         startServer(serverTLSFactory, new EmptyServerHandler());
 
         CountDownLatch serverLatch = new CountDownLatch(1);
@@ -292,7 +304,7 @@ public class HttpClientTLSTest
             }
         });
 
-        SslContextFactory clientTLSFactory = createSslContextFactory();
+        SslContextFactory clientTLSFactory = createClientSslContextFactory();
         startClient(clientTLSFactory);
 
         CountDownLatch clientLatch = new CountDownLatch(1);
@@ -318,7 +330,7 @@ public class HttpClientTLSTest
     @Test
     public void testHandshakeSucceededWithSessionResumption() throws Exception
     {
-        SslContextFactory serverTLSFactory = createSslContextFactory();
+        SslContextFactory serverTLSFactory = createServerSslContextFactory();
         startServer(serverTLSFactory, new EmptyServerHandler());
 
         AtomicReference<byte[]> serverSession = new AtomicReference<>();
@@ -331,7 +343,7 @@ public class HttpClientTLSTest
             }
         });
 
-        SslContextFactory clientTLSFactory = createSslContextFactory();
+        SslContextFactory clientTLSFactory = createClientSslContextFactory();
         startClient(clientTLSFactory);
 
         AtomicReference<byte[]> clientSession = new AtomicReference<>();
@@ -398,10 +410,10 @@ public class HttpClientTLSTest
     @Test
     public void testClientRawCloseDoesNotInvalidateSession() throws Exception
     {
-        SslContextFactory serverTLSFactory = createSslContextFactory();
+        SslContextFactory serverTLSFactory = createServerSslContextFactory();
         startServer(serverTLSFactory, new EmptyServerHandler());
 
-        SslContextFactory clientTLSFactory = createSslContextFactory();
+        SslContextFactory clientTLSFactory = createClientSslContextFactory();
         clientTLSFactory.start();
 
         String host = "localhost";
@@ -453,13 +465,13 @@ public class HttpClientTLSTest
     @Test
     public void testServerRawCloseDetectedByClient() throws Exception
     {
-        SslContextFactory serverTLSFactory = createSslContextFactory();
+        SslContextFactory serverTLSFactory = createServerSslContextFactory();
         serverTLSFactory.start();
         try (ServerSocket server = new ServerSocket(0))
         {
             QueuedThreadPool clientThreads = new QueuedThreadPool();
             clientThreads.setName("client");
-            client = new HttpClient(createSslContextFactory())
+            client = new HttpClient(createClientSslContextFactory())
             {
                 @Override
                 protected ClientConnectionFactory newSslClientConnectionFactory(ClientConnectionFactory connectionFactory)
@@ -523,10 +535,10 @@ public class HttpClientTLSTest
     @Test
     public void testHostNameVerificationFailure() throws Exception
     {
-        SslContextFactory serverTLSFactory = createSslContextFactory();
+        SslContextFactory serverTLSFactory = createServerSslContextFactory();
         startServer(serverTLSFactory, new EmptyServerHandler());
 
-        SslContextFactory clientTLSFactory = createSslContextFactory();
+        SslContextFactory clientTLSFactory = createClientSslContextFactory();
         // Make sure the host name is not verified at the TLS level.
         clientTLSFactory.setEndpointIdentificationAlgorithm(null);
         // Add host name verification after the TLS handshake.

jetty-client/src/test/java/org/eclipse/jetty/client/HttpClientTest.java

@@ -18,16 +18,6 @@
 
 package org.eclipse.jetty.client;
 
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.containsString;
-import static org.hamcrest.Matchers.instanceOf;
-import static org.junit.jupiter.api.Assertions.assertArrayEquals;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertNotNull;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -106,12 +96,21 @@ import org.junit.jupiter.api.extension.ExtendWith;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.ArgumentsSource;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.instanceOf;
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 @ExtendWith(WorkDirExtension.class)
 public class HttpClientTest extends AbstractHttpClientServerTest
 {
     public WorkDir testdir;
 
-
     @ParameterizedTest
     @ArgumentsSource(ScenarioProvider.class)
     public void testStoppingClosesConnections(Scenario scenario) throws Exception
@@ -1529,7 +1528,7 @@ public class HttpClientTest extends AbstractHttpClientServerTest
                     }
                 };
             }
-        }, scenario.newSslContextFactory());
+        }, scenario.newClientSslContextFactory());
         client.start();
 
         final CountDownLatch latch = new CountDownLatch(2);

jetty-client/src/test/java/org/eclipse/jetty/client/TLSServerConnectionCloseTest.java

@@ -18,8 +18,6 @@
 
 package org.eclipse.jetty.client;
 
-import static org.junit.jupiter.api.Assertions.assertEquals;
-
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -42,14 +40,15 @@ import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.EnumSource;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
 public class TLSServerConnectionCloseTest
 {
     private HttpClient client;
 
     private void startClient() throws Exception
     {
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
-        sslContextFactory.setEndpointIdentificationAlgorithm("");
         sslContextFactory.setKeyStorePath("src/test/resources/keystore.jks");
         sslContextFactory.setKeyStorePassword("storepwd");
 

jetty-client/src/test/java/org/eclipse/jetty/client/ssl/NeedWantClientAuthTest.java

@@ -18,11 +18,6 @@
 
 package org.eclipse.jetty.client.ssl;
 
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertNotNull;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
 import java.security.cert.Certificate;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.TimeUnit;
@@ -43,9 +38,13 @@ import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.eclipse.jetty.util.thread.QueuedThreadPool;
 import org.hamcrest.Matchers;
 import org.junit.jupiter.api.AfterEach;
-
 import org.junit.jupiter.api.Test;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 /**
  * In order to work, client authentication needs a certificate
  * signed by a CA that also signed the server certificate.
@@ -81,10 +80,9 @@ public class NeedWantClientAuthTest
         client.start();
     }
 
-    private SslContextFactory createSslContextFactory()
+    private SslContextFactory.Server createServerSslContextFactory()
     {
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
-        sslContextFactory.setEndpointIdentificationAlgorithm("");
         sslContextFactory.setKeyStorePath("src/test/resources/keystore.jks");
         sslContextFactory.setKeyStorePassword("storepwd");
         return sslContextFactory;
@@ -102,11 +100,11 @@ public class NeedWantClientAuthTest
     @Test
     public void testWantClientAuthWithoutAuth() throws Exception
     {
-        SslContextFactory serverSSL = createSslContextFactory();
+        SslContextFactory.Server serverSSL = createServerSslContextFactory();
         serverSSL.setWantClientAuth(true);
         startServer(serverSSL, new EmptyServerHandler());
 
-        SslContextFactory clientSSL = new SslContextFactory(true);
+        SslContextFactory clientSSL = new SslContextFactory.Client(true);
         startClient(clientSSL);
 
         ContentResponse response = client.newRequest("https://localhost:" + connector.getLocalPort())
@@ -119,7 +117,7 @@ public class NeedWantClientAuthTest
     @Test
     public void testWantClientAuthWithAuth() throws Exception
     {
-        SslContextFactory serverSSL = createSslContextFactory();
+        SslContextFactory.Server serverSSL = createServerSslContextFactory();
         serverSSL.setWantClientAuth(true);
         startServer(serverSSL, new EmptyServerHandler());
         CountDownLatch handshakeLatch = new CountDownLatch(1);
@@ -143,7 +141,7 @@ public class NeedWantClientAuthTest
             }
         });
 
-        SslContextFactory clientSSL = new SslContextFactory(true);
+        SslContextFactory clientSSL = new SslContextFactory.Client(true);
         clientSSL.setKeyStorePath("src/test/resources/client_keystore.jks");
         clientSSL.setKeyStorePassword("storepwd");
         startClient(clientSSL);
@@ -166,11 +164,11 @@ public class NeedWantClientAuthTest
         // The server still sends bad_certificate to the client, but the client handshake has already
         // completed successfully its TLS handshake.
 
-        SslContextFactory serverSSL = createSslContextFactory();
+        SslContextFactory.Server serverSSL = createServerSslContextFactory();
         serverSSL.setNeedClientAuth(true);
         startServer(serverSSL, new EmptyServerHandler());
 
-        SslContextFactory clientSSL = new SslContextFactory(true);
+        SslContextFactory clientSSL = new SslContextFactory.Client(true);
         startClient(clientSSL);
         CountDownLatch handshakeLatch = new CountDownLatch(1);
         client.addBean(new SslHandshakeListener()
@@ -210,7 +208,7 @@ public class NeedWantClientAuthTest
     @Test
     public void testNeedClientAuthWithAuth() throws Exception
     {
-        SslContextFactory serverSSL = createSslContextFactory();
+        SslContextFactory.Server serverSSL = createServerSslContextFactory();
         serverSSL.setNeedClientAuth(true);
         startServer(serverSSL, new EmptyServerHandler());
         CountDownLatch handshakeLatch = new CountDownLatch(1);
@@ -234,7 +232,7 @@ public class NeedWantClientAuthTest
             }
         });
 
-        SslContextFactory clientSSL = new SslContextFactory(true);
+        SslContextFactory clientSSL = new SslContextFactory.Client(true);
         clientSSL.setKeyStorePath("src/test/resources/client_keystore.jks");
         clientSSL.setKeyStorePassword("storepwd");
         startClient(clientSSL);

jetty-client/src/test/java/org/eclipse/jetty/client/ssl/SslBytesClientTest.java

@@ -70,7 +70,7 @@ public class SslBytesClientTest extends SslBytesTest
     {
         threadPool = Executors.newCachedThreadPool();
 
-        sslContextFactory = new SslContextFactory(true);
+        sslContextFactory = new SslContextFactory.Client(true);
         client = new HttpClient(sslContextFactory);
         client.setMaxConnectionsPerDestination(1);
         File keyStore = MavenTestingUtils.getTestResourceFile("keystore.jks");

jetty-client/src/test/java/org/eclipse/jetty/client/ssl/SslBytesServerTest.java

@@ -119,7 +119,7 @@ public class SslBytesServerTest extends SslBytesTest
         serverEndPoint.set(null);
         
         File keyStore = MavenTestingUtils.getTestResourceFile("keystore.jks");
-        sslContextFactory = new SslContextFactory();
+        sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath(keyStore.getAbsolutePath());
         sslContextFactory.setKeyStorePassword("storepwd");
 

jetty-client/src/test/java/org/eclipse/jetty/client/ssl/SslConnectionTest.java

@@ -18,8 +18,6 @@
 
 package org.eclipse.jetty.client.ssl;
 
-import static org.junit.jupiter.api.Assertions.assertThrows;
-
 import java.io.File;
 import java.nio.ByteBuffer;
 
@@ -36,16 +34,17 @@ import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
 import org.eclipse.jetty.util.BufferUtil;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.eclipse.jetty.util.thread.QueuedThreadPool;
-
 import org.junit.jupiter.api.Test;
 
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
 public class SslConnectionTest
 {
     @Test
     public void testSslConnectionClosedBeforeFill() throws Exception
     {
         File keyStore = MavenTestingUtils.getTestResourceFile("keystore.jks");
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath(keyStore.getAbsolutePath());
         sslContextFactory.setKeyStorePassword("storepwd");
         sslContextFactory.start();

jetty-documentation/src/main/asciidoc/administration/jmx/using-jmx.adoc

@@ -290,8 +290,8 @@ Similarly, in code:
 
 [source, java, subs="{sub-order}"]
 ----
-SslContextFactory sslContextFactory = new SslContextFactory();
+SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
-sslContextFactory.setKeyStorePath();
+sslContextFactory.setKeyStorePath("/path/to/keystore");
 sslContextFactory.setKeyStorePassword("secret");
 
 JMXServiceURL jmxURL = new JMXServiceURL("rmi", null, 1099, "/jndi/rmi:///jmxrmi");

jetty-documentation/src/main/asciidoc/configuring/connectors/configuring-connectors.adoc

@@ -472,7 +472,7 @@ This adds a `SecureRequestCustomizer` which adds SSL Session IDs and certificate
 ==== SSL Context Configuration
 
 The SSL/TLS connectors for HTTPS and HTTP/2 require a certificate to establish a secure connection.
-Jetty holds certificates in standard JVM keystores and are configured as keystore and truststores on a link:{JDURL}/org/eclipse/jetty/util/ssl/SslContextFactory.html[`SslContextFactory`] instance that is injected into an link:{JDURL}/org/eclipse/jetty/server/SslConnectionFactory.html[`SslConnectionFactory`] instance.
+Jetty holds certificates in standard JVM keystores and are configured as keystore and truststores on a link:{JDURL}/org/eclipse/jetty/util/ssl/SslContextFactory.Server.html[`SslContextFactory.Server`] instance that is injected into an link:{JDURL}/org/eclipse/jetty/server/SslConnectionFactory.html[`SslConnectionFactory`] instance.
 An example using the keystore distributed with Jetty (containing a self signed test certificate) is in link:{GITBROWSEURL}/jetty-server/src/main/config/etc/jetty-https.xml[`jetty-https.xml`].
 Read more about SSL keystores in link:#configuring-ssl[Configuring SSL].
 

jetty-documentation/src/main/asciidoc/configuring/connectors/configuring-ssl.adoc

@@ -55,9 +55,8 @@ You can re-enable these by re-declaring the ciphers you want excluded in code:
 
 [source, java, subs="{sub-order}"]
 ----
-SslContextFactory sslContextFactory = new SslContextFactory();
+SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
-sslContextFactory.setExcludeCipherSuites(
+sslContextFactory.setExcludeCipherSuites("^.*_(MD5|SHA|SHA1)$");
-            "^.*_(MD5|SHA|SHA1)$");
 ----
 
 If, after making these changes, you still have issues using these ciphers they are likely being blocked at the JVM level.
@@ -664,7 +663,7 @@ the other is `$JETTY/etc/truststore` which contains intermediary CA and root CA.
 [[configuring-sslcontextfactory]]
 ==== Configuring the Jetty SslContextFactory
 
-The generated SSL certificates from above are held in the key store are configured in an instance of link:{JDURL}/org/eclipse/jetty/util/ssl/SslContextFactory.html[SslContextFactory] object.
+The generated SSL certificates from above are held in the key store are configured in an instance of link:{JDURL}/org/eclipse/jetty/util/ssl/SslContextFactory.Server.html[SslContextFactory.Server] object.
 
 The `SslContextFactory` is responsible for:
 
@@ -679,9 +678,9 @@ The `SslContextFactory` is responsible for:
 * https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol[OCSP] Support
 * Client Authentication Support
 
-For Jetty Connectors, the configured `SslContextFactory` is injected into a specific ServerConnector `SslConnectionFactory`.
+For Jetty Connectors, the configured `SslContextFactory.Server` is injected into a specific ServerConnector `SslConnectionFactory`.
 
-For Jetty Clients, the various constructors support using a configured `SslContextFactory`.
+For Jetty Clients, the various constructors support using a configured `SslContextFactory.Client`.
 
 While the `SslContextFactory` can operate without a keystore (this mode is most suitable for the various Jetty Clients) it is best practice to at least configure the keystore being used.
 
@@ -729,7 +728,7 @@ Implementing Conscrypt for the link:{GITBROWSEURL}/jetty-alpn/jetty-alpn-conscry
 ...
 Security.addProvider(new OpenSSLProvider());
 ...
-SslContextFactory sslContextFactory = new SslContextFactory();
+SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
 sslContextFactory.setKeyStorePath("path/to/keystore");
 sslContextFactory.setKeyStorePassword("CleverKeyStorePassword");
 sslContextFactory.setKeyManagerPassword("OBF:VerySecretManagerPassword");
@@ -790,7 +789,7 @@ To do this, first create a new `${jetty.base}/etc/tweak-ssl.xml` file (this can
 <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
           "http://www.eclipse.org/jetty/configure_9_3.dtd">
 <!-- Tweak SsslContextFactory Includes / Excludes -->
-<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
+<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
   <!-- Mitigate SLOTH Attack -->
   <Call name="addExcludeCipherSuites">
     <Arg>

jetty-documentation/src/main/asciidoc/development/clients/http/http-client-intro.adoc

@@ -75,13 +75,13 @@ There are several reasons for having multiple `HttpClient` instances including,
 
 When you create a `HttpClient` instance using the parameterless constructor, you will only be able to perform plain HTTP requests and you will not be able to perform HTTPS requests.
 
-In order to perform HTTPS requests, you should create first a link:{JDURL}/org/eclipse/jetty/util/ssl/SslContextFactory.html[`SslContextFactory`], configure it, and pass it to the `HttpClient` constructor.
+In order to perform HTTPS requests, you should create first a link:{JDURL}/org/eclipse/jetty/util/ssl/SslContextFactory.Client.html[`SslContextFactory.Client`], configure it, and pass it to the `HttpClient` constructor.
 When created with a `SslContextFactory`, the `HttpClient` will be able to perform both HTTP and HTTPS requests to any domain.
 
 [source, java, subs="{sub-order}"]
 ----
 // Instantiate and configure the SslContextFactory
-SslContextFactory sslContextFactory = new SslContextFactory();
+SslContextFactory.Client sslContextFactory = new SslContextFactory.Client();
 
 // Instantiate HttpClient with the SslContextFactory
 HttpClient httpClient = new HttpClient(sslContextFactory);

jetty-fcgi/fcgi-server/src/test/java/org/eclipse/jetty/fcgi/server/proxy/DrupalHTTP2FastCGIProxyServer.java

@@ -36,8 +36,7 @@ public class DrupalHTTP2FastCGIProxyServer
 {
     public static void main(String[] args) throws Exception
     {
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
-        sslContextFactory.setEndpointIdentificationAlgorithm("");
         sslContextFactory.setKeyStorePath("src/test/resources/keystore.jks");
         sslContextFactory.setKeyStorePassword("storepwd");
         sslContextFactory.setTrustStorePath("src/test/resources/truststore.jks");

jetty-fcgi/fcgi-server/src/test/java/org/eclipse/jetty/fcgi/server/proxy/TryFilesFilterTest.java

@@ -18,9 +18,6 @@
 
 package org.eclipse.jetty.fcgi.server.proxy;
 
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
 import java.io.IOException;
 import java.util.EnumSet;
 
@@ -41,6 +38,9 @@ import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Test;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 public class TryFilesFilterTest
 {
     private Server server;
@@ -55,8 +55,7 @@ public class TryFilesFilterTest
         connector = new ServerConnector(server);
         server.addConnector(connector);
 
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
-        sslContextFactory.setEndpointIdentificationAlgorithm("");
         sslContextFactory.setKeyStorePath("src/test/resources/keystore.jks");
         sslContextFactory.setKeyStorePassword("storepwd");
         sslContextFactory.setTrustStorePath("src/test/resources/truststore.jks");

jetty-fcgi/fcgi-server/src/test/java/org/eclipse/jetty/fcgi/server/proxy/WordPressHTTP2FastCGIProxyServer.java

@@ -43,8 +43,7 @@ public class WordPressHTTP2FastCGIProxyServer
     {
         int tlsPort = 8443;
 
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
-        sslContextFactory.setEndpointIdentificationAlgorithm("");
         sslContextFactory.setKeyStorePath("src/test/resources/keystore.jks");
         sslContextFactory.setKeyStorePassword("storepwd");
         sslContextFactory.setTrustStorePath("src/test/resources/truststore.jks");

jetty-http2/http2-alpn-tests/src/test/java/org/eclipse/jetty/http2/alpn/tests/ALPNNegotiationTest.java

@@ -18,11 +18,6 @@
 
 package org.eclipse.jetty.http2.alpn.tests;
 
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.containsString;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
 import java.io.BufferedReader;
 import java.io.InputStream;
 import java.io.InputStreamReader;
@@ -43,13 +38,18 @@ import org.eclipse.jetty.util.BufferUtil;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.junit.jupiter.api.Test;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 public class ALPNNegotiationTest extends AbstractALPNTest
 {
     @Test
     public void testGentleCloseDuringHandshake() throws Exception
     {
         InetSocketAddress address = prepare();
-        SslContextFactory sslContextFactory = newSslContextFactory();
+        SslContextFactory sslContextFactory = newClientSslContextFactory();
         sslContextFactory.start();
         SSLEngine sslEngine = sslContextFactory.newSSLEngine(address);
         sslEngine.setUseClientMode(true);
@@ -113,7 +113,7 @@ public class ALPNNegotiationTest extends AbstractALPNTest
     public void testAbruptCloseDuringHandshake() throws Exception
     {
         InetSocketAddress address = prepare();
-        SslContextFactory sslContextFactory = newSslContextFactory();
+        SslContextFactory sslContextFactory = newClientSslContextFactory();
         sslContextFactory.start();
         SSLEngine sslEngine = sslContextFactory.newSSLEngine(address);
         sslEngine.setUseClientMode(true);
@@ -175,7 +175,7 @@ public class ALPNNegotiationTest extends AbstractALPNTest
     {
         InetSocketAddress address = prepare();
 
-        SslContextFactory sslContextFactory = newSslContextFactory();
+        SslContextFactory sslContextFactory = newClientSslContextFactory();
         sslContextFactory.start();
         SSLContext sslContext = sslContextFactory.getSslContext();
 
@@ -228,7 +228,7 @@ public class ALPNNegotiationTest extends AbstractALPNTest
     {
         InetSocketAddress address = prepare();
 
-        SslContextFactory sslContextFactory = newSslContextFactory();
+        SslContextFactory sslContextFactory = newClientSslContextFactory();
         sslContextFactory.start();
         SSLContext sslContext = sslContextFactory.getSslContext();
         try (SSLSocket client = (SSLSocket)sslContext.getSocketFactory().createSocket(address.getAddress(), address.getPort()))
@@ -280,7 +280,7 @@ public class ALPNNegotiationTest extends AbstractALPNTest
     {
         InetSocketAddress address = prepare();
 
-        SslContextFactory sslContextFactory = newSslContextFactory();
+        SslContextFactory sslContextFactory = newClientSslContextFactory();
         sslContextFactory.start();
         SSLContext sslContext = sslContextFactory.getSslContext();
         try (SSLSocket client = (SSLSocket)sslContext.getSocketFactory().createSocket(address.getAddress(), address.getPort()))

jetty-http2/http2-alpn-tests/src/test/java/org/eclipse/jetty/http2/alpn/tests/AbstractALPNTest.java

@@ -49,7 +49,7 @@ public class AbstractALPNTest
         ALPNServerConnectionFactory alpn = new ALPNServerConnectionFactory();
         alpn.setDefaultProtocol(h1.getProtocol());
         
-        connector = new ServerConnector(server, newSslContextFactory(), alpn, h1, h2);
+        connector = new ServerConnector(server, newServerSslContextFactory(), alpn, h1, h2);
         connector.setPort(0);
         connector.setIdleTimeout(30000);
         server.addConnector(connector);
@@ -60,9 +60,22 @@ public class AbstractALPNTest
         return new InetSocketAddress("localhost", connector.getLocalPort());
     }
 
-    protected SslContextFactory newSslContextFactory()
+    protected SslContextFactory.Server newServerSslContextFactory()
+    {
+        SslContextFactory.Server result = new SslContextFactory.Server();
+        configureSslContextFactory(result);
+        return result;
+    }
+
+    protected SslContextFactory.Client newClientSslContextFactory()
+    {
+        SslContextFactory.Client result = new SslContextFactory.Client();
+        configureSslContextFactory(result);
+        return result;
+    }
+
+    private void configureSslContextFactory(SslContextFactory sslContextFactory)
     {
-        SslContextFactory sslContextFactory = new SslContextFactory();
         sslContextFactory.setKeyStorePath("src/test/resources/keystore.jks");
         sslContextFactory.setKeyStorePassword("storepwd");
         sslContextFactory.setTrustStorePath("src/test/resources/truststore.jks");
@@ -70,7 +83,6 @@ public class AbstractALPNTest
         sslContextFactory.setIncludeProtocols("TLSv1.2");
         // The mandatory HTTP/2 cipher.
         sslContextFactory.setIncludeCipherSuites("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
-        return sslContextFactory;
     }
 
     @AfterEach

jetty-http2/http2-client/src/test/java/org/eclipse/jetty/http2/client/Client.java

@@ -43,7 +43,7 @@ public class Client
     public static void main(String[] args) throws Exception
     {
         HTTP2Client client = new HTTP2Client();
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Client();
         client.addBean(sslContextFactory);
         client.start();
 

jetty-http2/http2-http-client-transport/src/test/java/org/eclipse/jetty/http2/client/http/DirectHTTP2OverTLSTest.java

@@ -68,7 +68,7 @@ public class DirectHTTP2OverTLSTest
         HttpConfiguration httpsConfig = new HttpConfiguration();
         httpsConfig.addCustomizer(new SecureRequestCustomizer());
         ConnectionFactory h2 = new HTTP2ServerConnectionFactory(httpsConfig);
-        ConnectionFactory ssl = new SslConnectionFactory(newSslContextFactory(), h2.getProtocol());
+        ConnectionFactory ssl = new SslConnectionFactory(newServerSslContextFactory(), h2.getProtocol());
         connector = new ServerConnector(server, 1, 1, ssl, h2);
         server.addConnector(connector);
         server.setHandler(handler);
@@ -81,8 +81,7 @@ public class DirectHTTP2OverTLSTest
         clientThreads.setName("client");
         HttpClientTransportOverHTTP2 transport = new HttpClientTransportOverHTTP2(new HTTP2Client());
         transport.setUseALPN(false);
-        SslContextFactory sslContextFactory = newSslContextFactory();
+        SslContextFactory sslContextFactory = newClientSslContextFactory();
-        sslContextFactory.setEndpointIdentificationAlgorithm(null);
         client = new HttpClient(transport, sslContextFactory);
         client.setExecutor(clientThreads);
         client.start();
@@ -97,14 +96,27 @@ public class DirectHTTP2OverTLSTest
             server.stop();
     }
 
-    private SslContextFactory newSslContextFactory()
+    private SslContextFactory.Server newServerSslContextFactory()
+    {
+        SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
+        configureSslContextFactory(sslContextFactory);
+        return sslContextFactory;
+    }
+
+    private SslContextFactory.Client newClientSslContextFactory()
+    {
+        SslContextFactory.Client sslContextFactory = new SslContextFactory.Client();
+        configureSslContextFactory(sslContextFactory);
+        sslContextFactory.setEndpointIdentificationAlgorithm(null);
+        return sslContextFactory;
+    }
+
+    private void configureSslContextFactory(SslContextFactory sslContextFactory)
     {
-        SslContextFactory sslContextFactory = new SslContextFactory();
         sslContextFactory.setKeyStorePath("src/test/resources/keystore.jks");
         sslContextFactory.setKeyStorePassword("storepwd");
         sslContextFactory.setUseCipherSuitesOrder(true);
         sslContextFactory.setCipherComparator(HTTP2Cipher.COMPARATOR);
-        return sslContextFactory;
     }
 
     @Test

jetty-http2/http2-http-client-transport/src/test/java/org/eclipse/jetty/http2/client/http/HttpClientTransportOverHTTP2Test.java

@@ -18,15 +18,6 @@
 
 package org.eclipse.jetty.http2.client.http;
 
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.greaterThanOrEqualTo;
-import static org.junit.jupiter.api.Assertions.assertArrayEquals;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertNotNull;
-import static org.junit.jupiter.api.Assertions.assertSame;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -87,6 +78,15 @@ import org.eclipse.jetty.util.thread.QueuedThreadPool;
 import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.greaterThanOrEqualTo;
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertSame;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 public class HttpClientTransportOverHTTP2Test extends AbstractTest
 {
     @Test
@@ -601,7 +601,7 @@ public class HttpClientTransportOverHTTP2Test extends AbstractTest
     public void testExternalServer() throws Exception
     {
         HTTP2Client http2Client = new HTTP2Client();
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Client();
         HttpClient httpClient = new HttpClient(new HttpClientTransportOverHTTP2(http2Client), sslContextFactory);
         Executor executor = new QueuedThreadPool();
         httpClient.setExecutor(executor);

jetty-io/src/test/java/org/eclipse/jetty/io/SocketChannelEndPointTest.java

@@ -18,15 +18,6 @@
 
 package org.eclipse.jetty.io;
 
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.greaterThan;
-import static org.hamcrest.Matchers.greaterThanOrEqualTo;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.junit.jupiter.api.Assertions.fail;
-
 import java.io.BufferedInputStream;
 import java.io.BufferedOutputStream;
 import java.io.File;
@@ -73,6 +64,15 @@ import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.greaterThan;
+import static org.hamcrest.Matchers.greaterThanOrEqualTo;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
+
 @SuppressWarnings("Duplicates")
 public class SocketChannelEndPointTest
 {
@@ -626,24 +626,23 @@ public class SocketChannelEndPointTest
     public static class SslScenario implements Scenario
     {
         private final NormalScenario _normalScenario;
-        private final SslContextFactory __sslCtxFactory = new SslContextFactory();
+        private final SslContextFactory _sslCtxFactory = new SslContextFactory.Server();
-        private final ByteBufferPool __byteBufferPool = new MappedByteBufferPool();
+        private final ByteBufferPool _byteBufferPool = new MappedByteBufferPool();
 
         public SslScenario(NormalScenario normalScenario) throws Exception
         {
             _normalScenario = normalScenario;
             File keystore = MavenTestingUtils.getTestResourceFile("keystore");
-            __sslCtxFactory.setKeyStorePath(keystore.getAbsolutePath());
+            _sslCtxFactory.setKeyStorePath(keystore.getAbsolutePath());
-            __sslCtxFactory.setKeyStorePassword("storepwd");
+            _sslCtxFactory.setKeyStorePassword("storepwd");
-            __sslCtxFactory.setKeyManagerPassword("keypwd");
+            _sslCtxFactory.setKeyManagerPassword("keypwd");
-            __sslCtxFactory.setEndpointIdentificationAlgorithm("");
+            _sslCtxFactory.start();
-            __sslCtxFactory.start();
         }
 
         @Override
         public Socket newClient(ServerSocketChannel connector) throws IOException
         {
-            SSLSocket socket = __sslCtxFactory.newSslSocket();
+            SSLSocket socket = _sslCtxFactory.newSslSocket();
             socket.connect(connector.socket().getLocalSocketAddress());
             return socket;
         }
@@ -651,11 +650,11 @@ public class SocketChannelEndPointTest
         @Override
         public Connection newConnection(SelectableChannel channel, EndPoint endpoint, Executor executor, AtomicInteger blockAt, AtomicInteger writeCount)
         {
-            SSLEngine engine = __sslCtxFactory.newSSLEngine();
+            SSLEngine engine = _sslCtxFactory.newSSLEngine();
             engine.setUseClientMode(false);
-            SslConnection sslConnection = new SslConnection(__byteBufferPool, executor, endpoint, engine);
+            SslConnection sslConnection = new SslConnection(_byteBufferPool, executor, endpoint, engine);
-            sslConnection.setRenegotiationAllowed(__sslCtxFactory.isRenegotiationAllowed());
+            sslConnection.setRenegotiationAllowed(_sslCtxFactory.isRenegotiationAllowed());
-            sslConnection.setRenegotiationLimit(__sslCtxFactory.getRenegotiationLimit());
+            sslConnection.setRenegotiationLimit(_sslCtxFactory.getRenegotiationLimit());
             Connection appConnection = _normalScenario.newConnection(channel, sslConnection.getDecryptedEndPoint(), executor, blockAt, writeCount);
             sslConnection.getDecryptedEndPoint().setConnection(appConnection);
             return sslConnection;

jetty-io/src/test/java/org/eclipse/jetty/io/SslConnectionTest.java

@@ -60,7 +60,7 @@ public class SslConnectionTest
     private static final int TIMEOUT = 1000000;
     private static ByteBufferPool __byteBufferPool = new LeakTrackingByteBufferPool(new MappedByteBufferPool.Tagged());
 
-    private final SslContextFactory _sslCtxFactory =new SslContextFactory();
+    private final SslContextFactory _sslCtxFactory = new SslContextFactory.Server();
     protected volatile EndPoint _lastEndp;
     private volatile boolean _testFill=true;
     private volatile FutureCallback _writeCallback;
@@ -92,7 +92,6 @@ public class SslConnectionTest
             return sslConnection;
         }
 
-
         @Override
         protected EndPoint newEndPoint(SelectableChannel channel, ManagedSelector selector, SelectionKey selectionKey)
         {
@@ -133,7 +132,6 @@ public class SslConnectionTest
         }
     }
 
-
     @BeforeEach
     public void initSSL() throws Exception
     {
@@ -143,7 +141,6 @@ public class SslConnectionTest
         _sslCtxFactory.setKeyManagerPassword("keypwd");
         _sslCtxFactory.setRenegotiationAllowed(true);
         _sslCtxFactory.setRenegotiationLimit(-1);
-        _sslCtxFactory.setEndpointIdentificationAlgorithm(null);
         startManager();
     }
 

jetty-io/src/test/java/org/eclipse/jetty/io/SslEngineBehaviorTest.java

@@ -18,10 +18,6 @@
 
 package org.eclipse.jetty.io;
 
-import static org.hamcrest.Matchers.greaterThan;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.hamcrest.MatcherAssert.assertThat;
-
 import java.io.File;
 import java.nio.ByteBuffer;
 
@@ -32,12 +28,15 @@ import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
 import org.eclipse.jetty.util.BufferUtil;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.junit.jupiter.api.AfterAll;
-
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.condition.EnabledOnJre;
 import org.junit.jupiter.api.condition.JRE;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.greaterThan;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
 public class SslEngineBehaviorTest
 {
     private static SslContextFactory sslCtxFactory;
@@ -45,12 +44,11 @@ public class SslEngineBehaviorTest
     @BeforeAll
     public static void startSsl() throws Exception
     {
-        sslCtxFactory = new SslContextFactory();
+        sslCtxFactory = new SslContextFactory.Server();
         File keystore = MavenTestingUtils.getTestResourceFile("keystore");
         sslCtxFactory.setKeyStorePath(keystore.getAbsolutePath());
         sslCtxFactory.setKeyStorePassword("storepwd");
         sslCtxFactory.setKeyManagerPassword("keypwd");
-        sslCtxFactory.setEndpointIdentificationAlgorithm("");
         sslCtxFactory.start();
     }
 

jetty-jmx/src/test/java/org/eclipse/jetty/jmx/ConnectorServerTest.java

@@ -18,10 +18,6 @@
 
 package org.eclipse.jetty.jmx;
 
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
 import java.net.ConnectException;
 import java.net.InetAddress;
 import java.net.ServerSocket;
@@ -40,6 +36,10 @@ import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 /**
  * Running the tests of this class in the same JVM results often in
  * <pre>
@@ -227,7 +227,7 @@ public class ConnectorServerTest
     @Test
     public void testJMXOverTLS() throws Exception
     {
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
         String keyStorePath = MavenTestingUtils.getTestResourcePath("keystore.jks").toString();
         String keyStorePassword = "storepwd";
         sslContextFactory.setKeyStorePath(keyStorePath);

jetty-osgi/test-jetty-osgi/src/test/config/etc/jetty-ssl.xml

@@ -29,13 +29,12 @@
   <!-- ============================================================= -->
   <!-- Create a TLS (SSL) Context Factory  for later reuse           -->
   <!-- ============================================================= -->
-  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
+  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
     <Set name="Provider"><SystemProperty name="jetty.sslContext.provider"/></Set>
     <Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.sslContext.keyStorePath" default="etc/keystore"/></Set>
     <Set name="KeyStorePassword"><Property name="jetty.sslContext.keyStorePassword" default="OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"/></Set>
     <Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.sslContext.trustStorePath" default="etc/keystore"/></Set>
     <Set name="TrustStorePassword"><Property name="jetty.sslContext.trustStorePassword" default="OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"/></Set>
-    <Set name="EndpointIdentificationAlgorithm"></Set>
     <Set name="NeedClientAuth"><Property name="jetty.sslContext.needClientAuth" default="false"/></Set>
     <Set name="WantClientAuth"><Property name="jetty.sslContext.wantClientAuth" default="false"/></Set>
     <Set name="ExcludeCipherSuites">

jetty-osgi/test-jetty-osgi/src/test/java/org/eclipse/jetty/osgi/test/TestJettyOSGiBootHTTP2.java

@@ -154,7 +154,7 @@ public class TestJettyOSGiBootHTTP2
             
             //set up client to do http2
             http2Client = new HTTP2Client();
-            SslContextFactory sslContextFactory = new SslContextFactory();
+            SslContextFactory sslContextFactory = new SslContextFactory.Client();
             sslContextFactory.setKeyManagerPassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
             sslContextFactory.setTrustStorePath(keys.getAbsolutePath());
             sslContextFactory.setKeyStorePath(keys.getAbsolutePath());

jetty-osgi/test-jetty-osgi/src/test/java/org/eclipse/jetty/osgi/test/TestJettyOSGiBootHTTP2Conscrypt.java

@@ -139,7 +139,7 @@ public class TestJettyOSGiBootHTTP2Conscrypt
             File keys = path.resolve("etc").resolve("keystore").toFile();
 
             HTTP2Client http2Client = new HTTP2Client();
-            SslContextFactory sslContextFactory = new SslContextFactory();
+            SslContextFactory sslContextFactory = new SslContextFactory.Client();
             sslContextFactory.setKeyManagerPassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
             sslContextFactory.setTrustStorePath(keys.getAbsolutePath());
             sslContextFactory.setKeyStorePath(keys.getAbsolutePath());

jetty-osgi/test-jetty-osgi/src/test/java/org/eclipse/jetty/osgi/test/TestJettyOSGiBootHTTP2JDK9.java

@@ -133,7 +133,7 @@ public class TestJettyOSGiBootHTTP2JDK9
             
             //set up client to do http2
             http2Client = new HTTP2Client();
-            SslContextFactory sslContextFactory = new SslContextFactory();
+            SslContextFactory sslContextFactory = new SslContextFactory.Client();
             sslContextFactory.setKeyManagerPassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
             sslContextFactory.setTrustStorePath(keys.getAbsolutePath());
             sslContextFactory.setKeyStorePath(keys.getAbsolutePath());

jetty-osgi/test-jetty-osgi/src/test/java/org/eclipse/jetty/osgi/test/TestOSGiUtil.java

@@ -24,6 +24,7 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
@@ -273,10 +274,10 @@ public class TestOSGiUtil
        return bundleContext.getAllServiceReferences(service, null);
     }
 
-    protected static SslContextFactory newSslContextFactory()
+    protected static SslContextFactory newClientSslContextFactory()
     {
-        SslContextFactory sslContextFactory = new SslContextFactory(true);
+        SslContextFactory sslContextFactory = new SslContextFactory.Client(true);
-        sslContextFactory.setEndpointIdentificationAlgorithm("");
+        sslContextFactory.setEndpointIdentificationAlgorithm(null);
         return sslContextFactory;
     }
 
@@ -306,7 +307,7 @@ public class TestOSGiUtil
         }, null, null);
 
         // now test the servlet
-        HttpClient client = protocol.equals("https") ? new HttpClient(newSslContextFactory()) : new HttpClient();
+        HttpClient client = protocol.equals("https") ? new HttpClient(newClientSslContextFactory()) : new HttpClient();
         try
         {
             client.start();

jetty-proxy/src/test/java/org/eclipse/jetty/proxy/ConnectHandlerSSLTest.java

@@ -18,8 +18,6 @@
 
 package org.eclipse.jetty.proxy;
 
-import static org.junit.jupiter.api.Assertions.assertEquals;
-
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -43,10 +41,11 @@ import org.eclipse.jetty.server.ServerConnector;
 import org.eclipse.jetty.server.handler.AbstractHandler;
 import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
-
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
 public class ConnectHandlerSSLTest extends AbstractConnectHandlerTest
 {
     private SslContextFactory sslContextFactory;
@@ -54,7 +53,7 @@ public class ConnectHandlerSSLTest extends AbstractConnectHandlerTest
     @BeforeEach
     public void prepare() throws Exception
     {
-        sslContextFactory = new SslContextFactory();
+        sslContextFactory = new SslContextFactory.Server();
         String keyStorePath = MavenTestingUtils.getTestResourceFile("keystore").getAbsolutePath();
         sslContextFactory.setKeyStorePath(keyStorePath);
         sslContextFactory.setKeyStorePassword("storepwd");

jetty-proxy/src/test/java/org/eclipse/jetty/proxy/ForwardProxyServerTest.java

@@ -62,7 +62,7 @@ public class ForwardProxyServerTest
         // no server SSL
         SslContextFactory scenario1 = null;
         // basic server SSL
-        SslContextFactory scenario2 = new SslContextFactory();
+        SslContextFactory scenario2 = new SslContextFactory.Server();
         scenario2.setKeyStorePath(keyStorePath);
         scenario2.setKeyStorePassword("storepwd");
         scenario2.setKeyManagerPassword("keypwd");
@@ -203,7 +203,7 @@ public class ForwardProxyServerTest
         startProxy();
 
         String keyStorePath = MavenTestingUtils.getTestResourceFile("keystore").getAbsolutePath();
-        SslContextFactory clientSsl = new SslContextFactory();
+        SslContextFactory clientSsl = new SslContextFactory.Client();
         clientSsl.setKeyStorePath(keyStorePath);
         clientSsl.setKeyStorePassword("storepwd");
         clientSsl.setKeyManagerPassword("keypwd");

jetty-proxy/src/test/java/org/eclipse/jetty/proxy/ForwardProxyTLSServerTest.java

@@ -82,7 +82,7 @@ public class ForwardProxyTLSServerTest
         // no server SSL
         SslContextFactory scenario1 = null;
         // basic server SSL
-        SslContextFactory scenario2 = new SslContextFactory();
+        SslContextFactory scenario2 = new SslContextFactory.Server();
         scenario2.setKeyStorePath(keyStorePath);
         scenario2.setKeyStorePassword("storepwd");
         scenario2.setKeyManagerPassword("keypwd");
@@ -139,22 +139,27 @@ public class ForwardProxyTLSServerTest
 
     private static SslContextFactory newServerSslContextFactory()
     {
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
-        String keyStorePath = MavenTestingUtils.getTestResourceFile("keystore").getAbsolutePath();
+        configureSslContextFactory(sslContextFactory);
-        sslContextFactory.setKeyStorePath(keyStorePath);
-        sslContextFactory.setKeyStorePassword("storepwd");
-        sslContextFactory.setKeyManagerPassword("keypwd");
         return sslContextFactory;
-
     }
 
     private static SslContextFactory newClientSslContextFactory()
     {
-        SslContextFactory sslContextFactory = newServerSslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Client();
+        configureSslContextFactory(sslContextFactory);
         sslContextFactory.setEndpointIdentificationAlgorithm(null);
         return sslContextFactory;
     }
 
+    private static void configureSslContextFactory(SslContextFactory sslContextFactory)
+    {
+        String keyStorePath = MavenTestingUtils.getTestResourceFile("keystore").getAbsolutePath();
+        sslContextFactory.setKeyStorePath(keyStorePath);
+        sslContextFactory.setKeyStorePassword("storepwd");
+        sslContextFactory.setKeyManagerPassword("keypwd");
+    }
+
     @AfterEach
     public void stop() throws Exception
     {
@@ -629,9 +634,6 @@ public class ForwardProxyTLSServerTest
             assumeTrue(false, "Environment not able to connect to proxy service");
         }
 
-        SslContextFactory sslContextFactory = new SslContextFactory();
-        sslContextFactory.start();
-
         HttpClient httpClient = new HttpClient(newClientSslContextFactory());
         httpClient.getProxyConfiguration().getProxies().add(new HttpProxy(proxyHost, proxyPort));
         httpClient.start();

jetty-server/src/main/config/etc/jetty-ssl-context.xml

@@ -10,7 +10,7 @@
      https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#configuring-sslcontextfactory-cipherSuites
 -->
 
-<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
+<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
   <Set name="Provider"><Property name="jetty.sslContext.provider"/></Set>
   <Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.sslContext.keyStorePath" deprecated="jetty.keystore" default="etc/keystore"/></Set>
   <Set name="KeyStorePassword"><Property name="jetty.sslContext.keyStorePassword" deprecated="jetty.keystore.password" default="OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"/></Set>

jetty-server/src/main/java/org/eclipse/jetty/server/SslConnectionFactory.java

@@ -53,8 +53,8 @@ public class SslConnectionFactory extends AbstractConnectionFactory
     public SslConnectionFactory(@Name("sslContextFactory") SslContextFactory factory, @Name("next") String nextProtocol)
     {
         super("SSL");
-        _sslContextFactory=factory==null?new SslContextFactory():factory;
+        _sslContextFactory = factory == null ? new SslContextFactory.Server() : factory;
-        _nextProtocol=nextProtocol;
+        _nextProtocol = nextProtocol;
         addBean(_sslContextFactory);
     }
 

jetty-server/src/test/java/org/eclipse/jetty/server/ConnectionOpenCloseTest.java

@@ -18,11 +18,6 @@
 
 package org.eclipse.jetty.server;
 
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.is;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
 import java.io.File;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -49,6 +44,11 @@ import org.junit.jupiter.api.Tag;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.condition.DisabledIfSystemProperty;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 public class ConnectionOpenCloseTest extends AbstractHttpTest
 {
     @Test
@@ -170,7 +170,7 @@ public class ConnectionOpenCloseTest extends AbstractHttpTest
     @DisabledIfSystemProperty(named = "env", matches = "ci") // TODO: SLOW, needs review
     public void testSSLOpenRequestClose() throws Exception
     {
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
         File keystore = MavenTestingUtils.getTestResourceFile("keystore");
         sslContextFactory.setKeyStoreResource(Resource.newResource(keystore));
         sslContextFactory.setKeyStorePassword("storepwd");

jetty-server/src/test/java/org/eclipse/jetty/server/OptionalSslConnectionTest.java

@@ -52,7 +52,7 @@ public class OptionalSslConnectionTest
         server = new Server(serverThreads);
 
         String keystore = MavenTestingUtils.getTestResourceFile("keystore").getAbsolutePath();
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath(keystore);
         sslContextFactory.setKeyStorePassword("storepwd");
         sslContextFactory.setKeyManagerPassword("keypwd");
@@ -113,7 +113,7 @@ public class OptionalSslConnectionTest
         }
 
         // Then try a SSL connection.
-        SslContextFactory sslContextFactory = new SslContextFactory(true);
+        SslContextFactory sslContextFactory = new SslContextFactory.Client(true);
         sslContextFactory.start();
         try (Socket ssl = sslContextFactory.newSslSocket())
         {

jetty-server/src/test/java/org/eclipse/jetty/server/ThreadStarvationTest.java

@@ -18,11 +18,6 @@
 
 package org.eclipse.jetty.server;
 
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.containsString;
-import static org.hamcrest.Matchers.is;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -62,6 +57,11 @@ import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.is;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
 public class ThreadStarvationTest
 {
     final static int BUFFER_SIZE=1024*1024;
@@ -89,7 +89,7 @@ public class ThreadStarvationTest
         // HTTPS/SSL/TLS
         ConnectorProvider https = (server, acceptors, selectors) -> {
             Path keystorePath = MavenTestingUtils.getTestResourcePath("keystore");
-            SslContextFactory sslContextFactory = new SslContextFactory();
+            SslContextFactory sslContextFactory = new SslContextFactory.Server();
             sslContextFactory.setKeyStorePath(keystorePath.toString());
             sslContextFactory.setKeyStorePassword("storepwd");
             sslContextFactory.setKeyManagerPassword("keypwd");

jetty-server/src/test/java/org/eclipse/jetty/server/handler/DebugHandlerTest.java

@@ -18,11 +18,6 @@
 
 package org.eclipse.jetty.server.handler;
 
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.containsString;
-import static org.hamcrest.Matchers.is;
-import static org.hamcrest.Matchers.not;
-
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.IOException;
@@ -58,6 +53,11 @@ import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.not;
+
 public class DebugHandlerTest
 {
     public final static HostnameVerifier __hostnameverifier = new HostnameVerifier()
@@ -89,7 +89,7 @@ public class DebugHandlerTest
         server.addConnector(httpConnector);
         
         File keystorePath = MavenTestingUtils.getTestResourceFile("keystore");
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath(keystorePath.getAbsolutePath());
         sslContextFactory.setKeyStorePassword("storepwd");
         sslContextFactory.setKeyManagerPassword("keypwd");

jetty-server/src/test/java/org/eclipse/jetty/server/handler/SecuredRedirectHandlerTest.java

@@ -18,10 +18,6 @@
 
 package org.eclipse.jetty.server.handler;
 
-import static org.hamcrest.Matchers.containsString;
-import static org.hamcrest.Matchers.is;
-import static org.hamcrest.MatcherAssert.assertThat;
-
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
@@ -55,6 +51,10 @@ import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.is;
+
 public class SecuredRedirectHandlerTest
 {
     private static Server server;
@@ -68,7 +68,7 @@ public class SecuredRedirectHandlerTest
     {
         // Setup SSL
         File keystore = MavenTestingUtils.getTestResourceFile("keystore");
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath(keystore.getAbsolutePath());
         sslContextFactory.setKeyStorePassword("storepwd");
         sslContextFactory.setKeyManagerPassword("keypwd");

jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLCloseTest.java

@@ -27,7 +27,6 @@ import java.net.Socket;
 import java.nio.charset.StandardCharsets;
 
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLEngine;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -37,7 +36,6 @@ import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
 import org.eclipse.jetty.server.handler.AbstractHandler;
 import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
-import org.eclipse.jetty.util.TypeUtil;
 import org.eclipse.jetty.util.resource.Resource;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.junit.jupiter.api.Test;
@@ -48,7 +46,7 @@ public class SSLCloseTest
     public void testClose() throws Exception
     {
         File keystore = MavenTestingUtils.getTestResourceFile("keystore");
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStoreResource(Resource.newResource(keystore));
         sslContextFactory.setKeyStorePassword("storepwd");
         sslContextFactory.setKeyManagerPassword("keypwd");

jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLEngineTest.java

@@ -23,12 +23,6 @@
 
 package org.eclipse.jetty.server.ssl;
 
-import static org.hamcrest.Matchers.greaterThan;
-import static org.hamcrest.Matchers.is;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertNotNull;
-import static org.hamcrest.MatcherAssert.assertThat;
-
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStream;
@@ -63,6 +57,12 @@ import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.greaterThan;
+import static org.hamcrest.Matchers.is;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+
 /**
  *
  */
@@ -109,7 +109,7 @@ public class SSLEngineTest
     public void startServer() throws Exception
     {
         String keystore = MavenTestingUtils.getTestResourceFile("keystore").getAbsolutePath();
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath(keystore);
         sslContextFactory.setKeyStorePassword("storepwd");
         sslContextFactory.setKeyManagerPassword("keypwd");

jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLReadEOFAfterResponseTest.java

@@ -18,9 +18,6 @@
 
 package org.eclipse.jetty.server.ssl;
 
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
@@ -46,6 +43,9 @@ import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.condition.DisabledOnJre;
 import org.junit.jupiter.api.condition.JRE;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
 // Only in JDK 11 is possible to use SSLSocket.shutdownOutput().
 @DisabledOnJre({JRE.JAVA_8, JRE.JAVA_9, JRE.JAVA_10})
 public class SSLReadEOFAfterResponseTest
@@ -54,7 +54,7 @@ public class SSLReadEOFAfterResponseTest
     public void testReadEOFAfterResponse() throws Exception
     {
         File keystore = MavenTestingUtils.getTestResourceFile("keystore");
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStoreResource(Resource.newResource(keystore));
         sslContextFactory.setKeyStorePassword("storepwd");
         sslContextFactory.setKeyManagerPassword("keypwd");

jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLSelectChannelConnectorLoadTest.java

@@ -18,9 +18,6 @@
 
 package org.eclipse.jetty.server.ssl;
 
-import static org.hamcrest.Matchers.is;
-import static org.hamcrest.MatcherAssert.assertThat;
-
 import java.io.BufferedReader;
 import java.io.FileInputStream;
 import java.io.IOException;
@@ -53,6 +50,9 @@ import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
+
 public class SSLSelectChannelConnectorLoadTest
 {
     private static Server server;
@@ -63,7 +63,7 @@ public class SSLSelectChannelConnectorLoadTest
     public static void startServer() throws Exception
     {
         String keystorePath = System.getProperty("basedir", ".") + "/src/test/resources/keystore";
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath(keystorePath);
         sslContextFactory.setKeyStorePassword("storepwd");
         sslContextFactory.setKeyManagerPassword("keypwd");

jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SelectChannelServerSslTest.java

@@ -18,14 +18,6 @@
 
 package org.eclipse.jetty.server.ssl;
 
-import static org.hamcrest.Matchers.containsString;
-import static org.hamcrest.Matchers.is;
-import static org.hamcrest.Matchers.isEmptyOrNullString;
-import static org.hamcrest.Matchers.not;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.jupiter.api.condition.OS.WINDOWS;
-
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -62,11 +54,19 @@ import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
 import org.eclipse.jetty.util.log.Log;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.hamcrest.Matchers;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.condition.DisabledOnOs;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.isEmptyOrNullString;
+import static org.hamcrest.Matchers.not;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.condition.OS.WINDOWS;
+
 /**
  * HttpServer Tester.
  */
@@ -83,7 +83,7 @@ public class SelectChannelServerSslTest extends HttpServerTestBase
     public void init() throws Exception
     {
         String keystorePath = MavenTestingUtils.getTestResourcePath("keystore").toString();
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath(keystorePath);
         sslContextFactory.setKeyStorePassword("storepwd");
         sslContextFactory.setKeyManagerPassword("keypwd");

jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SlowClientsTest.java

@@ -18,8 +18,6 @@
 
 package org.eclipse.jetty.server.ssl;
 
-import static java.time.Duration.ofSeconds;
-
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
@@ -51,6 +49,8 @@ import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Tag;
 import org.junit.jupiter.api.Test;
 
+import static java.time.Duration.ofSeconds;
+
 @Tag("Unstable")
 @Disabled
 public class SlowClientsTest
@@ -61,7 +61,7 @@ public class SlowClientsTest
     public void testSlowClientsWithSmallThreadPool() throws Exception
     {
         File keystore = MavenTestingUtils.getTestResourceFile("keystore");
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath(keystore.getAbsolutePath());
         sslContextFactory.setKeyStorePassword("storepwd");
         sslContextFactory.setKeyManagerPassword("keypwd");

jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SniSslConnectionFactoryTest.java

@@ -18,12 +18,6 @@
 
 package org.eclipse.jetty.server.ssl;
 
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.containsString;
-import static org.hamcrest.Matchers.startsWith;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
@@ -70,6 +64,12 @@ import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.startsWith;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 public class SniSslConnectionFactoryTest
 {
     private Server _server;
@@ -118,7 +118,7 @@ public class SniSslConnectionFactoryTest
         if (!keystoreFile.exists())
             throw new FileNotFoundException(keystoreFile.getAbsolutePath());
 
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath(keystoreFile.getAbsolutePath());
         sslContextFactory.setKeyStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
         sslContextFactory.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");
@@ -224,7 +224,7 @@ public class SniSslConnectionFactoryTest
     {
         start("src/test/resources/keystore_sni.p12");
 
-        SslContextFactory clientContextFactory = new SslContextFactory(true);
+        SslContextFactory clientContextFactory = new SslContextFactory.Client(true);
         clientContextFactory.start();
         SSLSocketFactory factory = clientContextFactory.getSslContext().getSocketFactory();
         try (SSLSocket sslSocket = (SSLSocket)factory.createSocket("127.0.0.1", _port))
@@ -282,7 +282,7 @@ public class SniSslConnectionFactoryTest
     {
         start("src/test/resources/keystore_sni.p12");
 
-        SslContextFactory clientContextFactory = new SslContextFactory(true);
+        SslContextFactory clientContextFactory = new SslContextFactory.Client(true);
         clientContextFactory.start();
         SSLSocketFactory factory = clientContextFactory.getSslContext().getSocketFactory();
         try (SSLSocket sslSocket = (SSLSocket)factory.createSocket("127.0.0.1", _port))
@@ -360,7 +360,7 @@ public class SniSslConnectionFactoryTest
 
     private String getResponse(String sniHost, String reqHost, String cn) throws Exception
     {
-        SslContextFactory clientContextFactory = new SslContextFactory(true);
+        SslContextFactory clientContextFactory = new SslContextFactory.Client(true);
         clientContextFactory.start();
         SSLSocketFactory factory = clientContextFactory.getSslContext().getSocketFactory();
         try (SSLSocket sslSocket = (SSLSocket)factory.createSocket("127.0.0.1", _port))

jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslConnectionFactoryTest.java

@@ -18,11 +18,6 @@
 
 package org.eclipse.jetty.server.ssl;
 
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertNotNull;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
@@ -59,10 +54,14 @@ import org.eclipse.jetty.util.IO;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.hamcrest.Matchers;
 import org.junit.jupiter.api.AfterEach;
-
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
 public class SslConnectionFactoryTest
 {
     private Server _server;
@@ -87,7 +86,7 @@ public class SslConnectionFactoryTest
         https_config.addCustomizer(new SecureRequestCustomizer());
 
 
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath(keystoreFile.getAbsolutePath());
         sslContextFactory.setKeyStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
         sslContextFactory.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");
@@ -210,7 +209,7 @@ public class SslConnectionFactoryTest
 
     private String getResponse(String sniHost, String reqHost, String cn) throws Exception
     {
-        SslContextFactory clientContextFactory = new SslContextFactory(true);
+        SslContextFactory clientContextFactory = new SslContextFactory.Client(true);
         clientContextFactory.start();
         SSLSocketFactory factory = clientContextFactory.getSslContext().getSocketFactory();
 

jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslContextFactoryReloadTest.java

@@ -18,10 +18,6 @@
 
 package org.eclipse.jetty.server.ssl;
 
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertNotNull;
-
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -56,9 +52,12 @@ import org.eclipse.jetty.util.thread.ScheduledExecutorScheduler;
 import org.eclipse.jetty.util.thread.Scheduler;
 import org.hamcrest.Matchers;
 import org.junit.jupiter.api.AfterEach;
-
 import org.junit.jupiter.api.Test;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+
 public class SslContextFactoryReloadTest
 {
     public static final String KEYSTORE_1 = "src/test/resources/reload_keystore_1.jks";
@@ -72,7 +71,7 @@ public class SslContextFactoryReloadTest
     {
         server = new Server();
 
-        sslContextFactory = new SslContextFactory();
+        sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath(KEYSTORE_1);
         sslContextFactory.setKeyStorePassword("storepwd");
         sslContextFactory.setKeyStoreType("JKS");

jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSelectChannelTimeoutTest.java

@@ -45,7 +45,7 @@ public class SslSelectChannelTimeoutTest extends ConnectorTimeoutTest
     public void init() throws Exception
     {
         String keystorePath = System.getProperty("basedir",".") + "/src/test/resources/keystore";
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath(keystorePath);
         sslContextFactory.setKeyStorePassword("storepwd");
         sslContextFactory.setKeyManagerPassword("keypwd");
@@ -64,7 +64,5 @@ public class SslSelectChannelTimeoutTest extends ConnectorTimeoutTest
         trustManagerFactory.init(keystore);
         __sslContext = SSLContext.getInstance("SSL");
         __sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
-
     }
-
 }

jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslUploadTest.java

@@ -18,9 +18,6 @@
 
 package org.eclipse.jetty.server.ssl;
 
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
@@ -49,6 +46,9 @@ import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 /**
  */
 public class SslUploadTest
@@ -62,7 +62,7 @@ public class SslUploadTest
     {
         File keystore = MavenTestingUtils.getTestResourceFile("keystore");
 
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath(keystore.getAbsolutePath());
         sslContextFactory.setKeyStorePassword("storepwd");
         sslContextFactory.setKeyManagerPassword("keypwd");

jetty-servlet/src/test/java/org/eclipse/jetty/servlet/SSLAsyncIOServletTest.java

@@ -18,9 +18,6 @@
 
 package org.eclipse.jetty.servlet;
 
-import static org.junit.jupiter.api.Assertions.assertArrayEquals;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -48,6 +45,9 @@ import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
 
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
 public class SSLAsyncIOServletTest
 {
     public static Stream<Arguments> scenarios()
@@ -221,8 +221,7 @@ public class SSLAsyncIOServletTest
             Path keystorePath = MavenTestingUtils.getTestResourcePath("keystore.jks");
             Path truststorePath = MavenTestingUtils.getTestResourcePath("truststore.jks");
 
-            sslContextFactory = new SslContextFactory();
+            sslContextFactory = new SslContextFactory.Server();
-            sslContextFactory.setEndpointIdentificationAlgorithm("");
             sslContextFactory.setKeyStorePath(keystorePath.toString());
             sslContextFactory.setKeyStorePassword("storepwd");
             sslContextFactory.setTrustStorePath(truststorePath.toString());

jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java

@@ -86,10 +86,10 @@ import org.eclipse.jetty.util.security.CertificateValidator;
 import org.eclipse.jetty.util.security.Password;
 
 /**
- * SslContextFactory is used to configure SSL connectors
+ * <p>SslContextFactory is used to configure SSL parameters
- * as well as HttpClient. It holds all SSL parameters and
+ * to be used by server and client connectors.</p>
- * creates SSL context based on these parameters to be
+ * <p>Use {@link Server} to configure server-side connectors,
- * used by the SSL connectors.
+ * and {@link Client} to configure HTTP or WebSocket clients.</p>
  */
 @ManagedObject
 public class SslContextFactory extends AbstractLifeCycle implements Dumpable
@@ -198,9 +198,11 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     private HostnameVerifier _hostnameVerifier;
 
     /**
-     * Construct an instance of SslContextFactory
+     * Construct an instance of SslContextFactory with the default configuration.
-     * Default constructor for use in XmlConfiguration files
+     *
+     * @deprecated use {@link Client#Client()} or {@link Server#Server()} instead
      */
+    @Deprecated
     public SslContextFactory()
     {
         this(false);
@@ -212,7 +214,9 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
      *
      * @param trustAll whether to blindly trust all certificates
      * @see #setTrustAll(boolean)
+     * @deprecated use {@link Client#Client(boolean)} instead
      */
+    @Deprecated
     public SslContextFactory(boolean trustAll)
     {
         this(trustAll, null);
@@ -222,7 +226,9 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
      * Construct an instance of SslContextFactory
      *
      * @param keyStorePath default keystore location
+     * @deprecated use {@link #setKeyStorePath(String)} instead
      */
+    @Deprecated
     public SslContextFactory(String keyStorePath)
     {
         this(false, keyStorePath);
@@ -249,21 +255,33 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
         {
             load();
         }
-
+        checkConfiguration();
-        secureConfigurationCheck();
     }
 
-    protected void secureConfigurationCheck()
+    protected void checkConfiguration()
     {
-        if (isTrustAll())
-            LOG_CONFIG.warn("Trusting all certificates configured for {}",this);
-        if (getEndpointIdentificationAlgorithm()==null)
-            LOG_CONFIG.warn("No Client EndPointIdentificationAlgorithm configured for {}",this);
-
         SSLEngine engine = _factory._context.createSSLEngine();
         customize(engine);
         SSLParameters supported = engine.getSSLParameters();
 
+        checkProtocols(supported);
+        checkCiphers(supported);
+    }
+
+    protected void checkTrustAll()
+    {
+        if (isTrustAll())
+            LOG_CONFIG.warn("Trusting all certificates configured for {}", this);
+    }
+
+    protected void checkEndPointIdentificationAlgorithm()
+    {
+        if (getEndpointIdentificationAlgorithm() == null)
+            LOG_CONFIG.warn("No Client EndPointIdentificationAlgorithm configured for {}", this);
+    }
+
+    protected void checkProtocols(SSLParameters supported)
+    {
         for (String protocol : supported.getProtocols())
         {
             for (String excluded : DEFAULT_EXCLUDED_PROTOCOLS)
@@ -272,7 +290,10 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
                     LOG_CONFIG.warn("Protocol {} not excluded for {}", protocol, this);
             }
         }
+    }
 
+    protected void checkCiphers(SSLParameters supported)
+    {
         for (String suite : supported.getCipherSuites())
         {
             for (String excludedSuiteRegex : DEFAULT_EXCLUDED_CIPHER_SUITES)
@@ -417,9 +438,9 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
                     getExcludeCipherSuites(),
                     getIncludeCipherSuites()));
         }
-        catch (NoSuchAlgorithmException ignore)
+        catch (NoSuchAlgorithmException x)
         {
-            LOG.ignore(ignore);
+            LOG.ignore(x);
         }
     }
 
@@ -754,8 +775,10 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     /**
      * @return True if SSL needs client authentication.
      * @see SSLEngine#getNeedClientAuth()
+     * @deprecated use {@link Server#getNeedClientAuth()} instead
      */
     @ManagedAttribute("Whether client authentication is needed")
+    @Deprecated
     public boolean getNeedClientAuth()
     {
         return _needClientAuth;
@@ -764,7 +787,9 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     /**
      * @param needClientAuth True if SSL needs client authentication.
      * @see SSLEngine#getNeedClientAuth()
+     * @deprecated use {@link Server#setNeedClientAuth(boolean)} instead
      */
+    @Deprecated
     public void setNeedClientAuth(boolean needClientAuth)
     {
         _needClientAuth = needClientAuth;
@@ -773,8 +798,10 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     /**
      * @return True if SSL wants client authentication.
      * @see SSLEngine#getWantClientAuth()
+     * @deprecated use {@link Server#getWantClientAuth()} instead
      */
     @ManagedAttribute("Whether client authentication is wanted")
+    @Deprecated
     public boolean getWantClientAuth()
     {
         return _wantClientAuth;
@@ -783,7 +810,9 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     /**
      * @param wantClientAuth True if SSL wants client authentication.
      * @see SSLEngine#getWantClientAuth()
+     * @deprecated use {@link Server#setWantClientAuth(boolean)} instead
      */
+    @Deprecated
     public void setWantClientAuth(boolean wantClientAuth)
     {
         _wantClientAuth = wantClientAuth;
@@ -1110,6 +1139,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
      * Deployments can be vulnerable to a man-in-the-middle attack if a EndpointIndentificationAlgorithm
      * is not set.
      * @param endpointIdentificationAlgorithm Set the endpointIdentificationAlgorithm
+     * @see #setHostnameVerifier(HostnameVerifier)
      */
     public void setEndpointIdentificationAlgorithm(String endpointIdentificationAlgorithm)
     {
@@ -1198,7 +1228,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
                 }
 
                 // Is SNI needed to select a certificate?
-                if (!_certWilds.isEmpty() || _certHosts.size()>1 || _certHosts.size()==1 && _aliasX509.size()>1)
+                if (!_certWilds.isEmpty() || _certHosts.size()>1 || (_certHosts.size()==1 && _aliasX509.size()>1))
                 {
                     for (int idx = 0; idx < managers.length; idx++)
                     {
@@ -1761,10 +1791,14 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
             sslParams.setCipherSuites(_selectedCipherSuites);
         if (_selectedProtocols != null)
             sslParams.setProtocols(_selectedProtocols);
-        if (getWantClientAuth())
+        if (this instanceof Server)
-            sslParams.setWantClientAuth(true);
+        {
-        if (getNeedClientAuth())
+            Server server = (Server)this;
-            sslParams.setNeedClientAuth(true);
+            if (server.getWantClientAuth())
+                sslParams.setWantClientAuth(true);
+            if (server.getNeedClientAuth())
+                sslParams.setNeedClientAuth(true);
+        }
         return sslParams;
     }
 
@@ -1792,7 +1826,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
             java.security.cert.CertificateFactory cf = java.security.cert.CertificateFactory.getInstance("X.509");
             for (int i = 0; i < length; i++)
             {
-                byte bytes[] = javaxCerts[i].getEncoded();
+                byte[] bytes = javaxCerts[i].getEncoded();
                 ByteArrayInputStream stream = new ByteArrayInputStream(bytes);
                 javaCerts[i] = (X509Certificate)cf.generateCertificate(stream);
             }
@@ -1953,4 +1987,56 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
             return _x509;
         }
     }
+
+    public static class Client extends SslContextFactory
+    {
+        public Client()
+        {
+            this(false);
+        }
+
+        public Client(boolean trustAll)
+        {
+            super(trustAll);
+        }
+
+        @Override
+        protected void checkConfiguration()
+        {
+            checkTrustAll();
+            checkEndPointIdentificationAlgorithm();
+            super.checkConfiguration();
+        }
+    }
+
+    public static class Server extends SslContextFactory
+    {
+        public Server()
+        {
+            setEndpointIdentificationAlgorithm(null);
+        }
+
+        @Override
+        public boolean getWantClientAuth()
+        {
+            return super.getWantClientAuth();
+        }
+
+        public void setWantClientAuth(boolean wantClientAuth)
+        {
+            super.setWantClientAuth(wantClientAuth);
+        }
+
+        @Override
+        public boolean getNeedClientAuth()
+        {
+            return super.getNeedClientAuth();
+        }
+
+        @Override
+        public void setNeedClientAuth(boolean needClientAuth)
+        {
+            super.setNeedClientAuth(needClientAuth);
+        }
+    }
 }

jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java

@@ -18,21 +18,6 @@
 
 package org.eclipse.jetty.util.ssl;
 
-import static org.eclipse.jetty.toolchain.test.matchers.RegexMatcher.matchesPattern;
-import static org.hamcrest.Matchers.containsInAnyOrder;
-import static org.hamcrest.Matchers.containsString;
-import static org.hamcrest.Matchers.equalTo;
-import static org.hamcrest.Matchers.greaterThan;
-import static org.hamcrest.Matchers.hasItem;
-import static org.hamcrest.Matchers.is;
-import static org.hamcrest.Matchers.not;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertNotNull;
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
-
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.KeyStore;
@@ -50,6 +35,22 @@ import org.eclipse.jetty.util.resource.Resource;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
+import static org.eclipse.jetty.toolchain.test.matchers.RegexMatcher.matchesPattern;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsInAnyOrder;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.greaterThan;
+import static org.hamcrest.Matchers.hasItem;
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.not;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 public class SslContextFactoryTest
 {
     private SslContextFactory cf;
@@ -57,7 +58,7 @@ public class SslContextFactoryTest
     @BeforeEach
     public void setUp() throws Exception
     {
-        cf = new SslContextFactory();
+        cf = new SslContextFactory.Server();
 
         java.security.cert.CertPathBuilder certPathBuilder = java.security.cert.CertPathBuilder.getInstance("PKIX");
         java.security.cert.PKIXRevocationChecker revocationChecker = (java.security.cert.PKIXRevocationChecker)certPathBuilder.getRevocationChecker();
@@ -325,18 +326,36 @@ public class SslContextFactoryTest
     @Test
     public void testNonDefaultKeyStoreTypeUsedForTrustStore() throws Exception
     {
-        cf = new SslContextFactory();
+        cf = new SslContextFactory.Server();
         cf.setKeyStoreResource(Resource.newSystemResource("keystore.p12"));
         cf.setKeyStoreType("pkcs12");
         cf.setKeyStorePassword("storepwd");
         cf.start();
         cf.stop();
 
-        cf = new SslContextFactory();
+        cf = new SslContextFactory.Server();
         cf.setKeyStoreResource(Resource.newSystemResource("keystore.jce"));
         cf.setKeyStoreType("jceks");
         cf.setKeyStorePassword("storepwd");
         cf.start();
         cf.stop();
     }
+
+    @Test
+    public void testClientSslContextFactory() throws Exception
+    {
+        cf = new SslContextFactory.Client();
+        cf.start();
+
+        assertEquals("HTTPS", cf.getEndpointIdentificationAlgorithm());
+    }
+
+    @Test
+    public void testServerSslContextFactory() throws Exception
+    {
+        cf = new SslContextFactory.Server();
+        cf.start();
+
+        assertNull(cf.getEndpointIdentificationAlgorithm());
+    }
 }

jetty-websocket/websocket-client/src/main/java/org/eclipse/jetty/websocket/client/DefaultHttpClientProvider.java

@@ -44,7 +44,7 @@ class DefaultHttpClientProvider
         
         if (sslContextFactory == null)
         {
-            sslContextFactory = new SslContextFactory();
+            sslContextFactory = new SslContextFactory.Client();
             sslContextFactory.setTrustAll(false);
             sslContextFactory.setEndpointIdentificationAlgorithm("HTTPS");
         }

jetty-websocket/websocket-client/src/test/resources/httpclient/simple/jetty-websocket-httpclient.xml

@@ -3,7 +3,7 @@
 
 <Configure class="org.eclipse.jetty.client.HttpClient">
   <Arg>
-    <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
+    <New class="org.eclipse.jetty.util.ssl.SslContextFactory$Client">
       <Set name="trustAll" type="java.lang.Boolean">false</Set>
       <Call name="addExcludeProtocols">
         <Arg>
@@ -20,4 +20,4 @@
       <Set name="name">XmlBasedClient@</Set>
     </New>
   </Set>
-</Configure>
+</Configure>

jetty-websocket/websocket-common/src/main/java/org/eclipse/jetty/websocket/common/scopes/SimpleContainerScope.java

@@ -48,8 +48,7 @@ public class SimpleContainerScope extends ContainerLifeCycle implements WebSocke
 
     public SimpleContainerScope(WebSocketPolicy policy)
     {
-        this(policy, new MappedByteBufferPool(), new DecoratedObjectFactory());
+        this(policy, new MappedByteBufferPool());
-        this.sslContextFactory = new SslContextFactory();
     }
 
     public SimpleContainerScope(WebSocketPolicy policy, ByteBufferPool bufferPool)
@@ -59,7 +58,7 @@ public class SimpleContainerScope extends ContainerLifeCycle implements WebSocke
 
     public SimpleContainerScope(WebSocketPolicy policy, ByteBufferPool bufferPool, DecoratedObjectFactory objectFactory)
     {
-        this(policy, bufferPool, (Executor) null, objectFactory);
+        this(policy, bufferPool, null, objectFactory);
     }
     
     public SimpleContainerScope(WebSocketPolicy policy, ByteBufferPool bufferPool, Executor executor, DecoratedObjectFactory objectFactory)
@@ -83,9 +82,9 @@ public class SimpleContainerScope extends ContainerLifeCycle implements WebSocke
             this.objectFactory = objectFactory;
         }
 
-        if(ssl == null)
+        if (ssl == null)
         {
-            this.sslContextFactory = new SslContextFactory();
+            this.sslContextFactory = new SslContextFactory.Server();
         }
         else
         {

jetty-websocket/websocket-server/src/test/java/org/eclipse/jetty/websocket/server/RedirectWebSocketClientTest.java

@@ -18,10 +18,6 @@
 
 package org.eclipse.jetty.websocket.server;
 
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.is;
-import static org.hamcrest.Matchers.notNullValue;
-
 import java.net.URI;
 import java.util.concurrent.Future;
 
@@ -48,6 +44,10 @@ import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.notNullValue;
+
 public class RedirectWebSocketClientTest
 {
     public static Server server;
@@ -114,7 +114,7 @@ public class RedirectWebSocketClientTest
 
     private static SslContextFactory newSslContextFactory()
     {
-        SslContextFactory ssl = new SslContextFactory();
+        SslContextFactory ssl = new SslContextFactory.Server();
         ssl.setKeyStorePath(MavenTestingUtils.getTestResourceFile("keystore").getAbsolutePath());
         ssl.setKeyStorePassword("storepwd");
         ssl.setKeyManagerPassword("keypwd");
@@ -124,7 +124,10 @@ public class RedirectWebSocketClientTest
     @Test
     public void testRedirect() throws Exception
     {
-        SslContextFactory ssl = newSslContextFactory();
+        SslContextFactory ssl = new SslContextFactory.Client();
+        ssl.setKeyStorePath(MavenTestingUtils.getTestResourceFile("keystore").getAbsolutePath());
+        ssl.setKeyStorePassword("storepwd");
+        ssl.setKeyManagerPassword("keypwd");
         ssl.setTrustAll(false);
         ssl.setEndpointIdentificationAlgorithm(null);
         HttpClient httpClient = new HttpClient(ssl);
@@ -149,7 +152,7 @@ public class RedirectWebSocketClientTest
     }
 
     @WebSocket
-    public static class EmptyWebSocket {
+    public static class EmptyWebSocket
-
+    {
     }
 }

jetty-websocket/websocket-server/src/test/java/org/eclipse/jetty/websocket/server/SimpleServletServer.java

@@ -19,6 +19,7 @@
 package org.eclipse.jetty.websocket.server;
 
 import java.net.URI;
+
 import javax.servlet.http.HttpServlet;
 
 import org.eclipse.jetty.http.HttpVersion;
@@ -87,11 +88,10 @@ public class SimpleServletServer
             http_config.setSendServerVersion(true);
             http_config.setSendDateHeader(false);
 
-            sslContextFactory = new SslContextFactory();
+            sslContextFactory = new SslContextFactory.Server();
             sslContextFactory.setKeyStorePath(MavenTestingUtils.getTestResourceFile("keystore").getAbsolutePath());
             sslContextFactory.setKeyStorePassword("storepwd");
             sslContextFactory.setKeyManagerPassword("keypwd");
-            sslContextFactory.setEndpointIdentificationAlgorithm(null);
 
             // SSL HTTP Configuration
             HttpConfiguration https_config = new HttpConfiguration(http_config);

tests/test-http-client-transport/src/test/java/org/eclipse/jetty/http/client/HttpChannelAssociationTest.java

@@ -65,7 +65,7 @@ public class HttpChannelAssociationTest extends AbstractTest<TransportScenario>
         init(transport);
         scenario.startServer(new EmptyServerHandler());
 
-        scenario.client = new HttpClient(newHttpClientTransport(scenario, exchange -> false), scenario.sslContextFactory);
+        scenario.client = new HttpClient(newHttpClientTransport(scenario, exchange -> false), scenario.newClientSslContextFactory());
         QueuedThreadPool clientThreads = new QueuedThreadPool();
         clientThreads.setName("client");
         scenario.client.setExecutor(clientThreads);
@@ -90,8 +90,7 @@ public class HttpChannelAssociationTest extends AbstractTest<TransportScenario>
         scenario.startServer(new EmptyServerHandler());
 
         long idleTimeout = 1000;
-        SslContextFactory sslContextFactory = scenario.newSslContextFactory();
+        SslContextFactory sslContextFactory = scenario.newClientSslContextFactory();
-        sslContextFactory.setEndpointIdentificationAlgorithm(null);
         scenario.client = new HttpClient(newHttpClientTransport(scenario, exchange ->
         {
             // We idle timeout just before the association,

tests/test-http-client-transport/src/test/java/org/eclipse/jetty/http/client/HttpClientTest.java

@@ -18,15 +18,6 @@
 
 package org.eclipse.jetty.http.client;
 
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.containsString;
-import static org.junit.jupiter.api.Assertions.assertArrayEquals;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.junit.jupiter.api.Assertions.fail;
-
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InterruptedIOException;
@@ -63,6 +54,15 @@ import org.junit.jupiter.api.Assumptions;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.ArgumentsSource;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
+
 public class HttpClientTest extends AbstractTest<TransportScenario>
 {
     @Override
@@ -343,7 +343,9 @@ public class HttpClientTest extends AbstractTest<TransportScenario>
         scenario.startServer(new EmptyServerHandler());
 
         // Use a default SslContextFactory, requests should fail because the server certificate is unknown.
-        scenario.client = scenario.newHttpClient(scenario.provideClientTransport(), new SslContextFactory());
+        SslContextFactory.Client clientTLS = scenario.newClientSslContextFactory();
+        clientTLS.setEndpointIdentificationAlgorithm("HTTPS");
+        scenario.client = scenario.newHttpClient(scenario.provideClientTransport(), clientTLS);
         QueuedThreadPool clientThreads = new QueuedThreadPool();
         clientThreads.setName("client");
         scenario.client.setExecutor(clientThreads);

tests/test-http-client-transport/src/test/java/org/eclipse/jetty/http/client/HttpClientTimeoutTest.java

@@ -251,8 +251,7 @@ public class HttpClientTimeoutTest extends AbstractTest<TransportScenario>
         scenario.startServer(new TimeoutHandler(2 * timeout));
 
         AtomicBoolean sslIdle = new AtomicBoolean();
-        SslContextFactory sslContextFactory = scenario.newSslContextFactory();
+        SslContextFactory sslContextFactory = scenario.newClientSslContextFactory();
-        sslContextFactory.setEndpointIdentificationAlgorithm(null);
         scenario.client = new HttpClient(scenario.provideClientTransport(), sslContextFactory)
         {
             @Override

tests/test-http-client-transport/src/test/java/org/eclipse/jetty/http/client/TransportScenario.java

@@ -298,8 +298,7 @@ public class TransportScenario
         QueuedThreadPool clientThreads = new QueuedThreadPool();
         clientThreads.setName("client");
         clientThreads.setDetailedDump(true);
-        SslContextFactory sslContextFactory = newSslContextFactory();
+        SslContextFactory sslContextFactory = newClientSslContextFactory();
-        sslContextFactory.setEndpointIdentificationAlgorithm(null);
         client = newHttpClient(provideClientTransport(transport), sslContextFactory);
         client.setExecutor(clientThreads);
         client.setSocketAddressResolver(new SocketAddressResolver.Sync());
@@ -324,7 +323,7 @@ public class TransportScenario
 
     public void startServer(Handler handler) throws Exception
     {
-        sslContextFactory = newSslContextFactory();
+        sslContextFactory = newServerSslContextFactory();
         QueuedThreadPool serverThreads = new QueuedThreadPool();
         serverThreads.setName("server");
         serverThreads.setDetailedDump(true);
@@ -352,16 +351,29 @@ public class TransportScenario
         }
     }
 
-    protected SslContextFactory newSslContextFactory()
+    protected SslContextFactory.Server newServerSslContextFactory()
+    {
+        SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
+        configureSslContextFactory(sslContextFactory);
+        return sslContextFactory;
+    }
+
+    protected SslContextFactory.Client newClientSslContextFactory()
+    {
+        SslContextFactory.Client sslContextFactory = new SslContextFactory.Client();
+        configureSslContextFactory(sslContextFactory);
+        sslContextFactory.setEndpointIdentificationAlgorithm(null);
+        return sslContextFactory;
+    }
+
+    private void configureSslContextFactory(SslContextFactory sslContextFactory)
     {
-        SslContextFactory sslContextFactory = new SslContextFactory();
         sslContextFactory.setKeyStorePath("src/test/resources/keystore.jks");
         sslContextFactory.setKeyStorePassword("storepwd");
         sslContextFactory.setTrustStorePath("src/test/resources/truststore.jks");
         sslContextFactory.setTrustStorePassword("storepwd");
         sslContextFactory.setUseCipherSuitesOrder(true);
         sslContextFactory.setCipherComparator(HTTP2Cipher.COMPARATOR);
-        return sslContextFactory;
     }
 
     public void stopClient() throws Exception

tests/test-integration/src/test/java/org/eclipse/jetty/test/HttpInputIntegrationTest.java

@@ -101,11 +101,10 @@ public class HttpInputIntegrationTest
 
         // SSL Context Factory for HTTPS and HTTP/2
         String jetty_distro = System.getProperty("jetty.distro","../../jetty-distribution/target/distribution");
-        __sslContextFactory = new SslContextFactory();
+        __sslContextFactory = new SslContextFactory.Server();
         __sslContextFactory.setKeyStorePath(jetty_distro + "/../../../jetty-server/src/test/config/etc/keystore");
         __sslContextFactory.setKeyStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
         __sslContextFactory.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");
-        __sslContextFactory.setEndpointIdentificationAlgorithm(null);
 
         // HTTPS Configuration
         __sslConfig = new HttpConfiguration(__config);

tests/test-integration/src/test/resources/ssl.xml

@@ -1,10 +1,9 @@
-<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
+<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
   <Set name="KeyStorePath"><Property name="jetty.home" default="." />/<Property name="jetty.sslContext.keyStorePath" default="keystore"/></Set>
   <Set name="KeyStorePassword"><Property name="jetty.sslContext.keyStorePassword" default="OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"/></Set>
   <Set name="KeyManagerPassword"><Property name="jetty.sslContext.keyManagerPassword" default="OBF:1u2u1wml1z7s1z7a1wnl1u2g"/></Set>
   <Set name="TrustStorePath"><Property name="jetty.home" default="." />/<Property name="jetty.sslContext.trustStorePath" default="keystore"/></Set>
   <Set name="TrustStorePassword"><Property name="jetty.sslContext.trustStorePassword" default="OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"/></Set>
-  <Set name="EndpointIdentificationAlgorithm"></Set>
   <Set name="ExcludeCipherSuites">
     <Array type="String">
       <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>

tests/test-webapps/test-http2-webapp/src/main/java/org/eclipse/jetty/test/webapp/HTTP1Servlet.java

@@ -54,7 +54,7 @@ public class HTTP1Servlet extends HttpServlet
     {
         try
         {
-            sslContextFactory = new SslContextFactory(true);
+            sslContextFactory = new SslContextFactory.Client(true);
             http2Client = new HTTP2Client();
             http2Client.addBean(sslContextFactory);
             http2Client.start();

tests/test-webapps/test-http2-webapp/src/test/java/org/eclipse/jetty/test/webapp/HTTP2FromWebAppIT.java

@@ -18,8 +18,6 @@
 
 package org.eclipse.jetty.test.webapp;
 
-import static org.junit.jupiter.api.Assertions.assertEquals;
-
 import java.util.concurrent.TimeUnit;
 
 import org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory;
@@ -36,9 +34,10 @@ import org.eclipse.jetty.server.ServerConnector;
 import org.eclipse.jetty.server.SslConnectionFactory;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.eclipse.jetty.webapp.WebAppContext;
-
 import org.junit.jupiter.api.Test;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
 public class HTTP2FromWebAppIT
 {
     @Test
@@ -46,7 +45,7 @@ public class HTTP2FromWebAppIT
     {
         Server server = new Server();
 
-        SslContextFactory serverTLS = new SslContextFactory();
+        SslContextFactory serverTLS = new SslContextFactory.Server();
         serverTLS.setKeyStorePath("src/test/resources/keystore.jks");
         serverTLS.setKeyStorePassword("storepwd");
         serverTLS.setCipherComparator(new HTTP2Cipher.CipherComparator());
@@ -71,7 +70,7 @@ public class HTTP2FromWebAppIT
 
         try
         {
-            SslContextFactory clientTLS = new SslContextFactory(true);
+            SslContextFactory clientTLS = new SslContextFactory.Client(true);
             HttpClient client = new HttpClient(clientTLS);
             client.start();
 

tests/test-webapps/test-proxy-webapp/src/test/java/org/eclipse/jetty/TestTransparentProxyServer.java

@@ -82,7 +82,7 @@ public class TestTransparentProxyServer
 
         
         // SSL configurations
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath(jetty_root + "/jetty-server/src/main/config/etc/keystore");
         sslContextFactory.setKeyStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
         sslContextFactory.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");
@@ -136,5 +136,4 @@ public class TestTransparentProxyServer
         server.start();
         server.join();
     }
-
 }