28 package org.apache.hc.core5.http2.ssl;
29
30 import javax.net.ssl.SSLParameters;
31
32 import org.apache.hc.core5.http.ssl.TLS;
33 import org.apache.hc.core5.http.ssl.TlsCiphers;
34 import org.apache.hc.core5.http2.HttpVersionPolicy;
35 import org.apache.hc.core5.reactor.ssl.SSLSessionInitializer;
36 import org.apache.hc.core5.util.ReflectionUtils;
/**
 * TLS configuration helpers for HTTP/2 endpoints.
 * <p>
 * {@link #enforceRequirements(Object, SSLSessionInitializer)} produces an
 * {@link SSLSessionInitializer} that hardens the engine's {@link SSLParameters}
 * before any user-supplied initializer runs: weak protocol versions are dropped,
 * cipher suites blacklisted for HTTP/2 are removed, retransmissions are switched
 * off and the ALPN protocol list is derived from the attached
 * {@link HttpVersionPolicy}.
 * <p>
 * All members are static; the class is not meant to be instantiated.
 */
public final class H2TlsSupport {

    /**
     * Sets the {@code EnableRetransmissions} property of the given parameters.
     * <p>
     * The setter is invoked reflectively through {@link ReflectionUtils#callSetter},
     * presumably so the library still compiles on runtimes whose
     * {@code SSLParameters} lacks that method; what happens when the setter is
     * absent depends on {@code ReflectionUtils} (verify there).
     *
     * @param sslParameters the parameters to modify
     * @param value the value to pass to the setter
     */
    public static void setEnableRetransmissions(final SSLParameters sslParameters, final boolean value) {
        ReflectionUtils.callSetter(sslParameters, "EnableRetransmissions", Boolean.TYPE, value);
    }

    /**
     * Sets the ALPN application protocols on the given parameters via reflection.
     *
     * @param sslParameters the parameters to modify
     * @param values the protocol identifiers to offer
     * @deprecated {@code SSLParameters#setApplicationProtocols} is called directly
     *             elsewhere in this class; prefer that API.
     */
    @Deprecated
    public static void setApplicationProtocols(final SSLParameters sslParameters, final String[] values) {
        ReflectionUtils.callSetter(sslParameters, "ApplicationProtocols", String[].class, values);
    }

    /**
     * Chooses the ALPN protocol identifiers to offer for the given attachment.
     *
     * @param attachment an {@link HttpVersionPolicy}, or any other object (including
     *                   {@code null}) which is treated as {@link HttpVersionPolicy#NEGOTIATE}
     * @return a new array of protocol identifiers, most preferred first
     */
    public static String[] selectApplicationProtocols(final Object attachment) {
        final HttpVersionPolicy policy;
        if (attachment instanceof HttpVersionPolicy) {
            policy = (HttpVersionPolicy) attachment;
        } else {
            policy = HttpVersionPolicy.NEGOTIATE;
        }
        if (policy == HttpVersionPolicy.FORCE_HTTP_1) {
            return new String[] { ApplicationProtocol.HTTP_1_1.id };
        }
        if (policy == HttpVersionPolicy.FORCE_HTTP_2) {
            return new String[] { ApplicationProtocol.HTTP_2.id };
        }
        // NEGOTIATE and any other value: offer HTTP/2 first, HTTP/1.1 as the fallback.
        return new String[] { ApplicationProtocol.HTTP_2.id, ApplicationProtocol.HTTP_1_1.id };
    }

    /**
     * Wraps an optional initializer so that HTTP/2 TLS requirements are applied
     * to the engine before the initializer is run.
     *
     * @param attachment object passed on to {@link #selectApplicationProtocols(Object)}
     * @param initializer initializer to run after hardening; may be {@code null}
     * @return an initializer that hardens the engine and then delegates
     */
    public static SSLSessionInitializer enforceRequirements(
            final Object attachment,
            final SSLSessionInitializer initializer) {
        return (endpoint, sslEngine) -> {
            final SSLParameters params = sslEngine.getSSLParameters();
            harden(params, attachment);
            sslEngine.setSSLParameters(params);
            if (initializer == null) {
                return;
            }
            initializer.initialize(endpoint, sslEngine);
        };
    }

    /**
     * Applies the HTTP/2 TLS requirements to the given parameters in place:
     * weak protocol versions and HTTP/2-blacklisted cipher suites are filtered
     * out of the currently configured sets, retransmissions are disabled and
     * the ALPN list is set from the attachment.
     */
    private static void harden(final SSLParameters params, final Object attachment) {
        final String[] protocols = TLS.excludeWeak(params.getProtocols());
        params.setProtocols(protocols);
        final String[] ciphers = TlsCiphers.excludeH2Blacklisted(params.getCipherSuites());
        params.setCipherSuites(ciphers);
        setEnableRetransmissions(params, false);
        params.setApplicationProtocols(selectApplicationProtocols(attachment));
    }

}