The whole process of the bio channel has been explained earlier, the process of SSL is plugged into the channel, and the logic of SSL is based on the sslenabled attribute of the connector configuration when the Bio channel is initialized. The location of the main focus is in the bind method of the Jioendpoint: '
This particular serversocketfactory is SSL.Serversocketfactory, let's look at what the factory did before it was created, and break down the code for this line:
On the left is the Tomcat class, the Tomcat class has two sets of SSL implementations, the set is Jsseimplement, that is, based on Jsse (another set is Apr integrated OpenSSL), so this default is jsseimplementation. This instance can be toggled and set to the protocol handler. Forjsseimplementation implementation, which is mainly jssesocketfactory, the main role of this class is to integrate with the Jsse framework, The SSL-related configuration of the connector in Server.xml is passed to the Jsse class, and the bind method of Sslserversocketfactory, which is returned to Jioendpoint, is finally instantiated.
The main initialization is in the init method, which can be summed up in the following steps:
1. Protocol based on connector configuration, instantiation of Sslcontext
2. Initialize KeyStore and Truststore
3. Pass the KeyStore as a parameter to Keymanagerfactory and obtain the Keymanager
For Truststore, it is the same way of passing in, and finally getting trustmAnager
4. Use Keymanager,trustmanager as a parameter, call Sslcontext.init
5. Configuring Tomcat's Sslsessioncontext
6. Get sslseversocketfactory based on Sslcontext
7. Cipers with sslcontext default cipers according to the connector configuration
8. According to the Enableprotocol configured by the connector, the Sslcontext default
Protocol
Take intersection
This step is the same as the one in the previous step, and is an intersection of the protocols supported by the two:
For the 7th and 82 steps, the enabledprotocol of the intersection is obtained andenabledcipersuits, need to be set at the last step, when generating sslserversocket
9. The final
Checkconfig,
verify based on the previous configuration
It is important to note that there are several properties that need to be set when initializing the Sslserversocket, so you can look at the Initserversocket method:
There are altogether 4 attributes,Enabledprotocol andEnabledcipersuits, there are two-way authentication ClientAuth for clients, and only JDK8 supports Ciper order.
To this end, the entire SSL channel bio part of the basic logic is finished, followed by programming based on Sslserversocket, Jsse has the SSL entire handshake protocol various processes are encapsulated, andthe procedure of ServerSocket is not very different.
Summary
The implementation of the bio-mode SSL logic, that is, if the generation of sslserversocket, in this process is divided into 9 steps, each step is called Jsse interface, the Tomcat configuration as a parameter passed in, in the generationafter the Sslserversocket, the subsequent operation is based on the socket programming, and bio's ordinary socket is not any difference.
From for notes (Wiz)
SSL channel flow in I.bio mode
