Issue #3464 - Split SslContextFactory into Client and Server
Updated documentation referencing the 2 new subclasses.
Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
parent 6fb243ff6c
commit eaada1aa38
@ -290,8 +290,8 @@ Similarly, in code:
[source, java, subs="{sub-order}"]
----
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath();
SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
sslContextFactory.setKeyStorePath("/path/to/keystore");
sslContextFactory.setKeyStorePassword("secret");
JMXServiceURL jmxURL = new JMXServiceURL("rmi", null, 1099, "/jndi/rmi:///jmxrmi");
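Review bot: the removed `sslContextFactory.setKeyStorePath();` had no argument and would not have compiled, so the new `sslContextFactory.setKeyStorePath("/path/to/keystore");` fixes a sample bug alongside the move to `SslContextFactory.Server`. The Conscrypt snippet later in this patch uses `"path/to/keystore"` without the leading slash; one placeholder form should be used in both places.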
@ -472,7 +472,7 @@ This adds a `SecureRequestCustomizer` which adds SSL Session IDs and certificate
==== SSL Context Configuration
The SSL/TLS connectors for HTTPS and HTTP/2 require a certificate to establish a secure connection.
Jetty holds certificates in standard JVM keystores and are configured as keystore and truststores on a link:{JDURL}/org/eclipse/jetty/util/ssl/SslContextFactory.html[`SslContextFactory`] instance that is injected into an link:{JDURL}/org/eclipse/jetty/server/SslConnectionFactory.html[`SslConnectionFactory`] instance.
Jetty holds certificates in standard JVM keystores and are configured as keystore and truststores on a link:{JDURL}/org/eclipse/jetty/util/ssl/SslContextFactory.Server.html[`SslContextFactory.Server`] instance that is injected into an link:{JDURL}/org/eclipse/jetty/server/SslConnectionFactory.html[`SslConnectionFactory`] instance.
An example using the keystore distributed with Jetty (containing a self signed test certificate) is in link:{GITBROWSEURL}/jetty-server/src/main/config/etc/jetty-https.xml[`jetty-https.xml`].
Read more about SSL keystores in link:#configuring-ssl[Configuring SSL].
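Review bot: the rewritten line carries over a grammar slip from the old one: "Jetty holds certificates in standard JVM keystores and are configured as keystore and truststores on a `SslContextFactory.Server` instance" has no subject for "are configured". Since the line is being replaced anyway, suggest "Jetty holds certificates in standard JVM keystores, which are configured as keystores and truststores on a `SslContextFactory.Server` instance that is injected into an `SslConnectionFactory` instance".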
@ -55,9 +55,8 @@ You can re-enable these by re-declaring the ciphers you want excluded in code:
[source, java, subs="{sub-order}"]
----
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setExcludeCipherSuites(
"^.*_(MD5|SHA|SHA1)$");
SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
sslContextFactory.setExcludeCipherSuites("^.*_(MD5|SHA|SHA1)$");
----
If, after making these changes, you still have issues using these ciphers they are likely being blocked at the JVM level.
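Review bot: a sentence is missing on what `setExcludeCipherSuites` does to the defaults. The context line says that re-declaring the exclusions is what re-enables the ciphers, which only works because the call replaces the whole default exclusion list rather than adding to it, so a reader copying `sslContextFactory.setExcludeCipherSuites("^.*_(MD5|SHA|SHA1)$");` should be told to list every pattern they still want excluded, not only this one. Collapsing the call onto a single line is fine.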
@ -664,7 +663,7 @@ the other is `$JETTY/etc/truststore` which contains intermediary CA and root CA.
[[configuring-sslcontextfactory]]
==== Configuring the Jetty SslContextFactory
The generated SSL certificates from above are held in the key store are configured in an instance of link:{JDURL}/org/eclipse/jetty/util/ssl/SslContextFactory.html[SslContextFactory] object.
The generated SSL certificates from above are held in the key store are configured in an instance of link:{JDURL}/org/eclipse/jetty/util/ssl/SslContextFactory.Server.html[SslContextFactory.Server] object.
The `SslContextFactory` is responsible for:
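Review bot: the replaced line still reads "are held in the key store are configured in an instance of `SslContextFactory.Server` object", which runs two clauses together. Suggest "The generated SSL certificates from above are held in the keystore and are configured in an instance of `SslContextFactory.Server`", dropping the trailing "object" since the link text already names the class.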
@ -679,9 +678,9 @@ The `SslContextFactory` is responsible for:
* https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol[OCSP] Support
* Client Authentication Support
For Jetty Connectors, the configured `SslContextFactory` is injected into a specific ServerConnector `SslConnectionFactory`.
For Jetty Connectors, the configured `SslContextFactory.Server` is injected into a specific ServerConnector `SslConnectionFactory`.
For Jetty Clients, the various constructors support using a configured `SslContextFactory`.
For Jetty Clients, the various constructors support using a configured `SslContextFactory.Client`.
While the `SslContextFactory` can operate without a keystore (this mode is most suitable for the various Jetty Clients) it is best practice to at least configure the keystore being used.
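Review bot: the unchanged context line "While the `SslContextFactory` can operate without a keystore (this mode is most suitable for the various Jetty Clients)" now follows the two sentences that introduce `SslContextFactory.Server` and `SslContextFactory.Client`, so it should say which subclass it refers to. With the split it is `SslContextFactory.Client` that is normally run without a keystore, while the server-side connector described just above needs one.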
@ -729,7 +728,7 @@ Implementing Conscrypt for the link:{GITBROWSEURL}/jetty-alpn/jetty-alpn-conscry
...
Security.addProvider(new OpenSSLProvider());
...
SslContextFactory sslContextFactory = new SslContextFactory();
SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
sslContextFactory.setKeyStorePath("path/to/keystore");
sslContextFactory.setKeyStorePassword("CleverKeyStorePassword");
sslContextFactory.setKeyManagerPassword("OBF:VerySecretManagerPassword");
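Review bot: the two password lines in this sample are inconsistent: `setKeyStorePassword("CleverKeyStorePassword")` is a plaintext literal while `setKeyManagerPassword("OBF:VerySecretManagerPassword")` carries the `OBF:` prefix, which marks a value produced by Jetty's password obfuscation, and a readable literal like `VerySecretManagerPassword` is not such a value. Either use plain placeholders on both lines or note that the `OBF:` form has to be generated. The path `"path/to/keystore"` also differs from the `"/path/to/keystore"` used in the JMX snippet of this patch.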
@ -75,13 +75,13 @@ There are several reasons for having multiple `HttpClient` instances including,
When you create a `HttpClient` instance using the parameterless constructor, you will only be able to perform plain HTTP requests and you will not be able to perform HTTPS requests.
In order to perform HTTPS requests, you should create first a link:{JDURL}/org/eclipse/jetty/util/ssl/SslContextFactory.html[`SslContextFactory`], configure it, and pass it to the `HttpClient` constructor.
In order to perform HTTPS requests, you should create first a link:{JDURL}/org/eclipse/jetty/util/ssl/SslContextFactory.Client.html[`SslContextFactory.Client`], configure it, and pass it to the `HttpClient` constructor.
When created with a `SslContextFactory`, the `HttpClient` will be able to perform both HTTP and HTTPS requests to any domain.
[source, java, subs="{sub-order}"]
----
// Instantiate and configure the SslContextFactory
SslContextFactory sslContextFactory = new SslContextFactory();
SslContextFactory.Client sslContextFactory = new SslContextFactory.Client();
// Instantiate HttpClient with the SslContextFactory
HttpClient httpClient = new HttpClient(sslContextFactory);
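Review bot: the replaced sentence keeps the inverted word order "you should create first a `SslContextFactory.Client`"; suggest "you should first create a `SslContextFactory.Client`". The following context line "When created with a `SslContextFactory`, the `HttpClient` will be able to perform both HTTP and HTTPS requests" could name `SslContextFactory.Client` as well. Since the sample shows only `new SslContextFactory.Client()` under the comment "Instantiate and configure the SslContextFactory" with no configuration call at all, a sentence on what the unconfigured client trusts and whether it verifies the server host name would help readers decide what they still need to set.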