Cross-Platform C++

ot::ssl
class SSLServerSocket  (abstract)

#include "ot/ssl/SSLServerSocket.h"

Base classes: ot::net::ServerSocket, ot::ManagedObject

Extends ServerSocket to provide support for secure communications over TCP/IP using SSL/TLS. An SSLServerSocket differs from a standard ServerSocket in the following ways:

- SSLServerSocket is an abstract base class which will have an implementation specific to a security provider (such as OpenSSL).
- Instances of SSLServerSocket should be created via an SSLServerSocketFactory, which is ultimately provided by an SSLContext.

The following example employs the default SSLServerSocketFactory:
    // 'port' is the TCP port to listen on; it is assumed to be defined by the caller.
    try
    {
        RefPtr<SSLServerSocketFactory> rpSocketFactory = SSLServerSocketFactory::GetDefault();
        RefPtr<ServerSocket> rpServerSocket = rpSocketFactory->createServerSocket(port);
        //
        // In this case we want to configure our SSLServerSocket to require
        // clients to provide us with a certificate; the SSL/TLS connection
        // will be rejected if the certificate cannot be validated.
        // The factory returns a ServerSocket, so cast to reach the SSL settings.
        //
        static_cast<SSLServerSocket*>(rpServerSocket.get())->setNeedClientAuth(true);
        while(true)
        {
            // accept() returns a connected SSLSocket that inherits the settings above
            RefPtr<Socket> rpClientSocket = rpServerSocket->accept();
            // do something with the client connection...
        }
    }
    catch(Exception& e)
    {
        ...
    }

Since:
OpenTop 1.4



Constructor/Destructor Summary
SSLServerSocket()
         Protected constructor for use by SSL security providers.
SSLServerSocket(int port)
         Protected constructor for use by SSL security providers.
SSLServerSocket(int port, int backlog)
         Protected constructor for use by SSL security providers.
SSLServerSocket(int port, int backlog, InetAddress* pBindAddr)
         Protected constructor for use by SSL security providers.
~SSLServerSocket()
         Virtual destructor.

Method Summary
 virtual size_t getEnabledCipherSuites(StringList& ret) const=0
         Returns an ordered list of cipher suite names which are currently enabled for this SSLServerSocket.
 virtual bool getNeedClientAuth() const=0
         Returns a boolean flag indicating if client authentication is required during SSL handshaking.
 virtual size_t getSupportedCipherSuites(StringList& ret) const=0
         Returns an ordered list of cipher suite names which the security provider supports.
 virtual bool getUseClientMode() const=0
         Returns a boolean flag indicating if new connections should use SSL client mode during the initial SSL handshake.
 virtual bool getWantClientAuth() const=0
         Returns a boolean flag indicating if new server mode connections will request the client to authenticate itself (by sending a certificate) during the SSL handshake.
 virtual void setEnabledCipherSuites(const StringList& suites)=0
         Specifies the permitted cipher suites which may be used to negotiate new SSL connections.
 virtual void setNeedClientAuth(bool bSet)=0
         Specifies whether client authentication is required during the negotiation of new SSL connections.
 virtual void setUseClientMode(bool bClient)=0
         Controls whether SSL client or server mode will be used during the negotiation of new SSL connections.
 virtual void setWantClientAuth(bool bWantAuth)=0
         Specifies whether client authentication is requested during the negotiation of new SSL connections.

Methods inherited from class ot::ManagedObject
addRef(), getRefCount(), onFinalRelease(), operator=(const ManagedObject&), release()

Methods inherited from class ot::net::ServerSocket
accept(), bind(int, int, InetAddress*), bind(int, int), bind(int), close(), getInetAddress(), getLocalPort(), getReceiveBufferSize(), getReuseAddress(), getSocketDescriptor(), GetSocketImplFactory(), getSoTimeout(), implAccept(Socket*), isBound(), setReceiveBufferSize(size_t), setReuseAddress(bool), SetSocketImplFactory(SocketImplFactory*), setSoTimeout(size_t), toString()

Typedefs

StringList

typedef std::list< String > StringList

Constructor/Destructor Detail

SSLServerSocket

protected  SSLServerSocket()
Protected constructor for use by SSL security providers.


SSLServerSocket

protected  SSLServerSocket(int port)
Protected constructor for use by SSL security providers.


SSLServerSocket

protected  SSLServerSocket(int port,
                           int backlog)
Protected constructor for use by SSL security providers.


SSLServerSocket

protected  SSLServerSocket(int port,
                           int backlog,
                           InetAddress* pBindAddr)
Protected constructor for use by SSL security providers.


~SSLServerSocket

protected  ~SSLServerSocket()
Virtual destructor.


Method Detail

getEnabledCipherSuites

virtual size_t getEnabledCipherSuites(StringList& ret) const=0
Returns an ordered list of cipher suite names which are currently enabled for this SSLServerSocket. This list will be inherited by SSLSockets created during an accept() call.

A given security provider may support more cipher suites than are enabled by default. This is because not all cipher suites are equally secure, so security providers should only enable reasonably secure protocols by default.

Parameters:
ret - A reference to a StringList object, the contents of which are replaced with a list of enabled cipher suite names. This will be a subset of the cipher suite names which would be returned by getSupportedCipherSuites().
Returns:
the number of enabled cipher suites.
See also:
getSupportedCipherSuites()
Note:
The fact that a particular cipher suite is enabled does not necessarily mean that it can be used in an SSL handshake. There are various reasons why an enabled cipher suite would not be used, such as the need for a local certificate which hasn't been supplied, or the fact that a cipher suite is anonymous but the peer has been configured to require authentication.

getNeedClientAuth

virtual bool getNeedClientAuth() const=0
Returns a boolean flag indicating if client authentication is required during SSL handshaking. This value is inherited by SSLSockets created during an accept() call. This option is only used by SSLSockets operating in SSL server mode.

Returns:
true if client authentication is required; false otherwise.
See also:
setNeedClientAuth()

getSupportedCipherSuites

virtual size_t getSupportedCipherSuites(StringList& ret) const=0
Returns an ordered list of cipher suite names which the security provider supports. The most secure cipher suite is listed first and the least secure last.

Parameters:
ret - A reference to a StringList, the contents of which are completely replaced with supported cipher suite names.
Returns:
The number of entries in the returned list.

getUseClientMode

virtual bool getUseClientMode() const=0
Returns a boolean flag indicating if new connections should use SSL client mode during the initial SSL handshake. This value is inherited by SSLSockets created during an accept() call and has a default value of false.

Returns:
true if SSL client mode will be used; false otherwise.
See also:
setUseClientMode()

getWantClientAuth

virtual bool getWantClientAuth() const=0
Returns a boolean flag indicating if new server mode connections will request the client to authenticate itself (by sending a certificate) during the SSL handshake. However, if the client declines to send a certificate, the handshake continues anyway.

Returns:
true if the client will be asked for authentication; false otherwise.
See also:
setWantClientAuth() , setNeedClientAuth()

setEnabledCipherSuites

virtual void setEnabledCipherSuites(const StringList& suites)=0
Specifies the permitted cipher suites which may be used to negotiate new SSL connections. The provided list of cipher suite names will be inherited by SSLSockets created during an accept() call.

During SSL negotiations, the list of enabled cipher suites is traversed from beginning to end, with the first acceptable suite being selected. For this reason the application should order the most secure cipher suites at the beginning of the list to help ensure maximum security.

Each value in the list must be a valid cipher suite name as returned by getSupportedCipherSuites().

Exceptions:
IllegalArgumentException - if any of the specified cipher suites are not supported by the security provider.
See also:
getEnabledCipherSuites()
Note:
The fact that a particular cipher suite is enabled does not necessarily mean that it can be used in an SSL handshake. There are various reasons why an enabled cipher suite would not be used, such as the need for a local certificate which hasn't been supplied, or the fact that a cipher suite is anonymous but the peer has been configured to require authentication.

setNeedClientAuth

virtual void setNeedClientAuth(bool bSet)=0
Specifies whether client authentication is required during the negotiation of new SSL connections. This is only used by SSLSockets operating in SSL server mode.

The provided value is inherited by SSLSockets created during an accept() call.

Parameters:
bSet - true if clients must authenticate themselves (by sending a certificate). Setting this value to true also overrides the current setting of setWantClientAuth() to ensure that the client is requested to authenticate itself.
See also:
getNeedClientAuth()

setUseClientMode

virtual void setUseClientMode(bool bClient)=0
Controls whether SSL client or server mode will be used during the negotiation of new SSL connections. The mode controls both the order and contents of the packets transferred between hosts during the SSL handshake.

The provided value is inherited by SSLSockets created during an accept() call. The default value is false because it is most common for servers to operate in SSL server mode.

Parameters:
bClient - true if new connections should use SSL client mode; false otherwise.
See also:
getUseClientMode()

setWantClientAuth

virtual void setWantClientAuth(bool bWantAuth)=0
Specifies whether client authentication is requested during the negotiation of new SSL connections. This is only used by SSLSockets operating in SSL server mode.

The provided value is inherited by SSLSockets created during an accept() call.

Parameters:
bWantAuth - true if clients are requested to authenticate themselves (by sending a certificate). Setting this value to false also overrides the current setting of setNeedClientAuth(), because the client will not be asked to authenticate itself.
See also:
getWantClientAuth()
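As an added illustration (not OpenTop code), the following self-contained C++ model captures the configuration contract documented above: setEnabledCipherSuites() rejects any name absent from the supported list and leaves the enabled list unchanged, negotiation walks the enabled list in order and takes the first suite the peer also offers, and the need/want client-authentication flags override each other as described under setNeedClientAuth() and setWantClientAuth(). The class name ModelSSLServerSocket and the cipher-suite names are constructed for this example.

```cpp
#include <algorithm>
#include <list>
#include <stdexcept>
#include <string>
#include <vector>

typedef std::list<std::string> StringList;  // stand-in for OpenTop's StringList

// Model of the documented SSLServerSocket contract; not OpenTop code. The
// suite names are a constructed sample, listed strongest first as
// getSupportedCipherSuites() promises; weak suites are off by default.
class ModelSSLServerSocket {
public:
    ModelSSLServerSocket()
        : supported_{"ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "NULL-SHA", "ADH-AES128-SHA"},
          enabled_{"ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"},
          needClientAuth_(false), wantClientAuth_(false) {}

    size_t getSupportedCipherSuites(StringList& ret) const { ret = supported_; return ret.size(); }
    size_t getEnabledCipherSuites(StringList& ret) const { ret = enabled_; return ret.size(); }

    // Every name must be supported, or the whole call is rejected and the
    // enabled list is left unchanged (IllegalArgumentException in OpenTop).
    void setEnabledCipherSuites(const StringList& suites) {
        for (const std::string& s : suites)
            if (std::find(supported_.begin(), supported_.end(), s) == supported_.end())
                throw std::invalid_argument("unsupported cipher suite: " + s);
        enabled_ = suites;
    }

    // Requiring a certificate also asks for one; not asking means it cannot be required.
    void setNeedClientAuth(bool b) { needClientAuth_ = b; if (b) wantClientAuth_ = true; }
    void setWantClientAuth(bool b) { wantClientAuth_ = b; if (!b) needClientAuth_ = false; }
    bool getNeedClientAuth() const { return needClientAuth_; }
    bool getWantClientAuth() const { return wantClientAuth_; }

    // Negotiation as documented: walk the enabled list from the beginning and
    // take the first suite the client also offers; "" means no common suite.
    std::string negotiate(const std::vector<std::string>& clientOffer) const {
        for (const std::string& s : enabled_)
            if (std::find(clientOffer.begin(), clientOffer.end(), s) != clientOffer.end())
                return s;
        return "";
    }

private:
    StringList supported_, enabled_;
    bool needClientAuth_, wantClientAuth_;
};
```

Because the server's enabled order decides, a client that lists the weaker suite first still ends up on the stronger one, and a client offering only a disabled suite gets no match at all.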


Copyright © 2000-2005 ElCel Technology