Package com.enterprisedt.net.ftp
Class AdvancedSSLSettings
java.lang.Object
com.enterprisedt.net.ftp.AdvancedSSLSettings
Settings specifically for the FTPS (FTP over SSL) protocol.
Generally these settings are not required for basic use of the
protocol.
All settings must be set before connecting to the server.
- Version:
- $Revision$
- Author:
- Bruce Blackshaw
-
Method Summary
Modifier and TypeMethodDescriptionbooleanIndicates whether custom diffie-helman groups are permittedvoiddisableSSL3(boolean disable) Set whether to disable SSL3.Get the client certificate to be usedGet the passphrase that has been set for the client certificate, or null if it has not been set.Get the path of the PEM file containing the client certificate and private key.Get the client certificate to be usedGet a list of the enabled cipher suites.intGet the maximum SSL/TLS versionintGet the minimum SSL/TLS versionSet the security mechanism that should be used to set up the secure connection.String[]Gets the names that will be used to match the CommonName (CN) field while the certificate is being validated.Returns a reference to theSSLFTPCertificateStorewhich contains the root certificates that will be used to validate the server certificate.Get the SSL validator that was setbooleanAre non-CA certificates (e.g.booleanIs session resumption disabled? The default is false (i.e.booleanIs standard SSL closure disabled? If disabled, SSL connections are forced to close.booleanIs the disable waiting on close flag set? If set, stops the client waiting for an SSL closure acknowledgement on both the control channel and the data channel.booleanreturn if SSL3 is disabledbooleanAre clear data channels used initially? By default the client switches to private data channels immediately after AUTH.booleanShould FTPS command-channel be revert to plain text after establishing an encrypted connection (FTPS only).voidsetAllowBasicConstraintsNonCA(boolean allowBasicConstraintsNonCA) Are non-CA certificates (e.g.voidsetAllowCustomDHGroups(boolean allowCustomDHGroups) Allows custom diffie-helman groups to be permittedvoidSet the client certificate to be usedvoidsetClientCertificatePassphrase(String clientCertificatePassphrase) Set the passphrase for the client certificate.voidsetClientCertificatePath(String clientCertificatePath) Set the path of the PEM file containing the client certificate and private key.voidSet the client private key to be usedvoidsetDisableSessionResumption(boolean disableSessionResumption) Set session resumption on or off.voidsetDisableSSLClosure(boolean disableSSLClosure) Disables standard SSL closure by forcing on both data and control channels SSL connections to close in a non-standard manner.voidsetDisableWaitOnClose(boolean disableWaitOnClose) If set, stops the client waiting for an SSL closure acknowledgement on both the control channel and the data channel.voidsetEnabledCipherSuites(SSLFTPCipherSuite[] enabledCipherSuites) Set the list of enabled ciper suites.voidsetMaxSSLVersion(int maxSSLVersion) Set the maximum SSL/TLS versionvoidsetMinSSLVersion(int minSSLVersion) Set the minimum SSL/TLS versionvoidGet the security mechanism that should be used to set up the secure connection.voidsetSSLServerCommonNames(String[] serverCommonNames) Set the names that will be used to match the CommonName (CN) field while the certificate is being validated.voidsetSSLValidator(SSLFTPValidator sslValidator) Set the SSL validator instance.voidsetStartWithClearDataChannels(boolean startWithClearDataChannels) By default the client switches to private data channels immediately after theauth(String)method is called.voidsetUseUnencryptedCommands(boolean useUnencryptedCommands) Changed whether command-channel reverts to plain text after connecting (FTPS only).
-
Method Details
-
allowCustomDHGroups
public boolean allowCustomDHGroups()Indicates whether custom diffie-helman groups are permitted- Returns:
- true if custom diffie-helman groups are permitted, otherwise false
-
setAllowCustomDHGroups
public void setAllowCustomDHGroups(boolean allowCustomDHGroups) Allows custom diffie-helman groups to be permitted- Parameters:
allowCustomDHGroups- if true, custom diffie-helman groups are permitted
-
getSSLServerValidationCertificates
Returns a reference to theSSLFTPCertificateStorewhich contains the root certificates that will be used to validate the server certificate.- Returns:
- The root certificate-store.
-
getClientCertificate
Get the client certificate to be used- Returns:
- client certificate
-
setClientCertificate
Set the client certificate to be used- Parameters:
cert- client certificate
-
getClientPrivateKey
Get the client certificate to be used- Returns:
- client certificate
-
setClientPrivateKey
Set the client private key to be used- Parameters:
key- client private key
-
getClientCertificatePath
Get the path of the PEM file containing the client certificate and private key. This is required if client authentication is to be used.- Returns:
- file path
-
setClientCertificatePath
Set the path of the PEM file containing the client certificate and private key. This is required if client authentication is to be used.The file must be formatted as follows:
-----BEGIN xxx PRIVATE KEY----- ... client's private key ... -----END xxx PRIVATE KEY----- -----BEGIN CERTIFICATE----- ... client's certificate ... -----END CERTIFICATE-----
wherexxxdefines the keytype which must be either RSA or DSA.A chain of keys (ordered from client's certificate to the root) may be placed in the file. Each certificate must be bracketed as shown above.
- Parameters:
clientCertificatePath- path of the client certificate file
-
getClientCertificatePassphrase
Get the passphrase that has been set for the client certificate, or null if it has not been set.- Returns:
- passphrase or null
-
setClientCertificatePassphrase
Set the passphrase for the client certificate.- Parameters:
clientCertificatePassphrase- passphrase to set
-
isAllowBasicConstraintsNonCA
public boolean isAllowBasicConstraintsNonCA()Are non-CA certificates (e.g. client certificates) permitted to have basic constraints? By default, they are not.- Returns:
- true if basic constraints permitted, false if not
-
setAllowBasicConstraintsNonCA
public void setAllowBasicConstraintsNonCA(boolean allowBasicConstraintsNonCA) Are non-CA certificates (e.g. client certificates) permitted to have basic constraints? By default, they are not. Enabling this flag permits non-CA certificates to have basic constraints.- Parameters:
allowBasicConstraintsNonCA- true to allow basic constraints in non-CA certs.
-
isStartWithClearDataChannels
public boolean isStartWithClearDataChannels()Are clear data channels used initially? By default the client switches to private data channels immediately after AUTH.- Returns:
- true if starting with clear channels, false if private
-
setStartWithClearDataChannels
public void setStartWithClearDataChannels(boolean startWithClearDataChannels) By default the client switches to private data channels immediately after theauth(String)method is called. It does this by invokingpbsz(0)andprot('P')from inside theauth()method. This flag stops this behaviour if set to true. The default is false.- Parameters:
startWithClearDataChannels- true to force clear data channels
-
isDisableSessionResumption
public boolean isDisableSessionResumption()Is session resumption disabled? The default is false (i.e. it is enabled).- Returns:
- true if disabled, false if enabled
-
setDisableSessionResumption
public void setDisableSessionResumption(boolean disableSessionResumption) Set session resumption on or off. Session resumption is a feature of SSL/TLS, which speeds up the establishment of secure connections by caching certain cryptographic parameters during the first connection, such that they may be used in subsequent connections. This is particularly handy for FTPS which opens a new connection for each file transfer. Occasionally it can cause problems when establishing secure connections on data-channels, so this flag is provided for disabling the feature and thus forcing a full exchange of cryptographic data for every file.- Parameters:
disableSessionResumption- true to disable.
-
isDisableWaitOnClose
public boolean isDisableWaitOnClose()Is the disable waiting on close flag set? If set, stops the client waiting for an SSL closure acknowledgement on both the control channel and the data channel. This flag may be useful if it is found that the client freezes after a data-transfer or when the FTP connection is closed.- Returns:
- true if wait on close is disabled
-
setDisableWaitOnClose
public void setDisableWaitOnClose(boolean disableWaitOnClose) If set, stops the client waiting for an SSL closure acknowledgement on both the control channel and the data channel. This flag may be useful if it is found that the client freezes after a data-transfer or when the FTP connection is closed.- Parameters:
disableWaitOnClose- true to disable wait on close
-
isDisableSSLClosure
public boolean isDisableSSLClosure()Is standard SSL closure disabled? If disabled, SSL connections are forced to close. This flag may be useful if it is found that the client or the server (or both) freezes after a data-transfer or when the FTP connection is closed.- Returns:
-
setDisableSSLClosure
public void setDisableSSLClosure(boolean disableSSLClosure) Disables standard SSL closure by forcing on both data and control channels SSL connections to close in a non-standard manner. This flag may be useful if it is found that the client or the server (or both) freezes after a data-transfer or when the FTP connection is closed.- Parameters:
disableSSLClosure- true to disable SSL closure
-
disableSSL3
public void disableSSL3(boolean disable) Set whether to disable SSL3. The default is true/yes.- Parameters:
disable- true to disable SSL3
-
isSSL3Disabled
public boolean isSSL3Disabled()return if SSL3 is disabled- Returns:
- true if SSL3 is disabled (the default)
-
getMinSSLVersion
public int getMinSSLVersion()Get the minimum SSL/TLS version- See Also:
-
setMinSSLVersion
public void setMinSSLVersion(int minSSLVersion) Set the minimum SSL/TLS version- Parameters:
int- minimum SSL/TLS version- See Also:
-
getMaxSSLVersion
public int getMaxSSLVersion()Get the maximum SSL/TLS version- See Also:
-
setMaxSSLVersion
public void setMaxSSLVersion(int maxSSLVersion) Set the maximum SSL/TLS version- Parameters:
int- maximum SSL/TLS version- See Also:
-
getSecurityMechanism
Set the security mechanism that should be used to set up the secure connection.- Returns:
- SSLFTPSecurityMechanism
-
setSecurityMechanism
Get the security mechanism that should be used to set up the secure connection.- Parameters:
auth- security mechanism to use
-
getEnabledCipherSuites
Get a list of the enabled cipher suites.- Returns:
- SSLFTPCipherSuite[]
-
setEnabledCipherSuites
Set the list of enabled ciper suites.- Parameters:
enabledCipherSuites- cipher suites to enabled
-
isUseUnencryptedCommands
public boolean isUseUnencryptedCommands()Should FTPS command-channel be revert to plain text after establishing an encrypted connection (FTPS only). If enabled this results in the CCC command being sent immediately after log-in.- Returns:
- true if command-channel reverts to plain text after connecting (FTPS only).
-
setUseUnencryptedCommands
public void setUseUnencryptedCommands(boolean useUnencryptedCommands) Changed whether command-channel reverts to plain text after connecting (FTPS only). If enabled this results in the CCC command being sent immediately after log-in.- Parameters:
useUnencryptedCommands- true if commands should be sent in plain text (FTPS only).
-
getSSLServerCommonNames
Gets the names that will be used to match the CommonName (CN) field while the certificate is being validated.- Returns:
- names that will be used for matching.
-
setSSLServerCommonNames
Set the names that will be used to match the CommonName (CN) field while the certificate is being validated.- Parameters:
serverCommonNames- names which will be used for matching.
-
getSSLValidator
Get the SSL validator that was set- Returns:
- SSLFTPValidator
-
setSSLValidator
Set the SSL validator instance. Note that if this is set, the common names that are set will not be used, @see setSSLServerCommonNames- Parameters:
sslValidator- validator to use
-