Jetty has two SSL connectors: the SslSocketConnector and the SslSelectChannelConnector. The SslSocketConnector is built on top of Jetty's SocketConnector, the blocking connector implementation, and uses Java's SSLSocket (javax.net.ssl) to add the security layer. The SslSelectChannelConnector extends Jetty's SelectChannelConnector, which uses non-blocking IO (java.nio), and uses javax.net.ssl.SSLEngine for its security layer. You configure the two connectors the same way; the difference is only in the implementation.
Configuring Jetty for SSL
Beginning with Jetty 7.3.1, the preferred way to configure SSL parameters for the connector is by configuring the SslContextFactory object and passing it to the connector's constructor.
The following is an example of an SslSelectChannelConnector configuration. You can configure an SslSocketConnector the same way: just change the value of the class attribute to org.eclipse.jetty.server.ssl.SslSocketConnector.
Other properties which can be set for SslContextFactory are:
- certAlias - alias of a certificate to use
- keyStoreType - default value: "JKS"
- keyStoreProvider - defaults to the SunJSSE provider
- trustStoreType - default value: "JKS"
- trustStoreProvider - defaults to the SunJSSE provider
- sslKeyManagerFactoryAlgorithm - set to the value of the "ssl.KeyManagerFactory.algorithm" Java security property (read via java.security.Security, i.e. from the JRE's java.security file). If there is no such property, this defaults to "SunX509"
- sslTrustManagerFactoryAlgorithm - set to the value of the "ssl.TrustManagerFactory.algorithm" Java security property. If there is no such property, this defaults to "SunX509"
- secureRandomAlgorithm - default value is null
- protocol - default value is "TLS"
- provider - defaults to the first provider that supports protocol
- includeCipherSuites - see How to configure SSL Cipher Suites page.
- excludeCipherSuites - see How to configure SSL Cipher Suites page.
- needClientAuth - defaults to false
- wantClientAuth - defaults to false
- validateCerts - defaults to false
- allowRenegotiate - defaults to false
- crlPath - path to certificate revocation list file for SSL certificate validation
- maxCertPathLength - maximum allowed number of intermediate certificates in a certificate path, defaults to -1 (unlimited)
If no "trustStore" is set, the "keyStore" value is used as the trust store as well, so every CA certificate in the keystore becomes trusted for client authentication; give the trust store its own file when you enable needClientAuth or wantClientAuth. Passwords can be obfuscated with the Jetty password utility (org.eclipse.jetty.util.security.Password, run as java -cp jetty-util.jar org.eclipse.jetty.util.security.Password <password>); the resulting OBF: form is reversible and only hides the password from casual reading of the configuration file, so the file still needs restrictive filesystem permissions.
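The following is an added example, not the configuration from the Jetty documentation itself: a jetty.xml fragment for Jetty 7.3.x that builds an SslContextFactory with the properties listed above and hands it to an SslSelectChannelConnector, as described for the 7.3.1+ style. It assumes the class lives in org.eclipse.jetty.http.ssl (its 7.3.x package), and the keystore/truststore paths, the "jetty" alias, the CRL file, the port, the cipher-suite list and the plaintext "changeit" passwords are placeholders chosen for the example.

```xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<!-- Added example jetty.xml fragment (not from the Jetty docs). Paths, alias, port,
     cipher suites and passwords are placeholders; replace them for a real deployment. -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">

  <!-- All TLS parameters live on the SslContextFactory; the connector only receives a reference. -->
  <New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
    <!-- Server identity: private key and certificate chain under the "jetty" alias. -->
    <Set name="KeyStore"><Property name="jetty.home" default="." />/etc/keystore</Set>
    <!-- Plaintext placeholders; substitute the OBF:... string printed by
         java -cp jetty-util.jar org.eclipse.jetty.util.security.Password changeit -->
    <Set name="KeyStorePassword">changeit</Set>
    <Set name="KeyManagerPassword">changeit</Set>
    <Set name="CertAlias">jetty</Set>
    <Set name="KeyStoreType">JKS</Set>

    <!-- A separate trust store holding only the client CA(s). Leaving TrustStore unset
         would reuse the keystore above as the trust store. -->
    <Set name="TrustStore"><Property name="jetty.home" default="." />/etc/truststore</Set>
    <Set name="TrustStorePassword">changeit</Set>
    <Set name="TrustStoreType">JKS</Set>

    <!-- Mutual TLS: a client certificate is mandatory. Use WantClientAuth=true instead
         of NeedClientAuth=true to request one without rejecting clients that lack it. -->
    <Set name="NeedClientAuth">true</Set>
    <Set name="WantClientAuth">false</Set>

    <!-- Certificate validation against the trust store and a CRL, with a bound on chain depth. -->
    <Set name="ValidateCerts">true</Set>
    <Set name="CrlPath"><Property name="jetty.home" default="." />/etc/revoked.crl</Set>
    <Set name="MaxCertPathLength">3</Set>

    <!-- Keep renegotiation disabled (the default) and drop NULL, export-grade,
         single-DES and anonymous suites from whatever the JSSE provider offers. -->
    <Set name="Protocol">TLS</Set>
    <Set name="AllowRenegotiate">false</Set>
    <Set name="ExcludeCipherSuites">
      <Array type="java.lang.String">
        <Item>SSL_RSA_WITH_NULL_MD5</Item>
        <Item>SSL_RSA_WITH_NULL_SHA</Item>
        <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
        <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
        <Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
        <Item>SSL_DH_anon_WITH_3DES_EDE_CBC_SHA</Item>
      </Array>
    </Set>
  </New>

  <!-- The 7.3.1+ style: the factory is passed to the connector constructor. For a blocking
       connector change only the class to org.eclipse.jetty.server.ssl.SslSocketConnector. -->
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <Arg><Ref id="sslContextFactory" /></Arg>
        <Set name="Port">8443</Set>
        <Set name="maxIdleTime">30000</Set>
      </New>
    </Arg>
  </Call>
</Configure>
```

Two points worth checking after starting Jetty with this fragment: a client without a certificate from a CA in /etc/truststore must be refused the handshake (NeedClientAuth), and the negotiated suite reported by the client must not be one of the excluded names, which confirms the exclusion list was applied to the provider's default enabled set.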
The methods of SslConnector that were previously used to configure SSL parameters directly on the connector have been deprecated and will be removed in a future version of Jetty. The following is an example of configuring an SslSelectChannelConnector in Jetty 7.3.0 and earlier.