com.novell.zos.tls
Interface TlsCallbacks


public interface TlsCallbacks

Callback interface for TLS certificate exceptions.

An instance of this interface may be passed to TlsConfiguration.setCallbacks(TlsCallbacks) or to TlsConfiguration.setDefaultCallbacks(TlsCallbacks) to provide customized handling of missing or mismatched TLS server certicates encountered while attempting to make TLS connections to a ZOS server.

The TlsCallbacks.onCertificateNotFound(SocketAddress,PemCertificate) method is invoked when the ZOS server returns a server certificate and there is currently no certificate found for that server. If this method returns false then a certificate exception is thrown on the client, otherwise, the code for this method can "accept" the certificate, possibly with user warnings and a confirmation dialog before returning true to indicate that the certificate is "OK".

The TlsCallbacks.onCertificateMismatch(SocketAddress,PemCertificate,PemCertificate) method is invoked when the ZOS server returns a server certificate that does not correctly match the current certificate held by the client. This exception is a more severe error than "not found" since it indicates a possible spoofing attempt by a "man in the middle". It is recommended that implementations of this callback method default to returning false unless the user or administrator very specifically indicates a willingness to accept the new certificate.

Since:
ZOS 1.3

Method Summary
 boolean onCertificateMismatch(SocketAddress peer, PemCertificate peerCert, PemCertificate refCert)
          Callback method invoked upon receiving a mismatched server certificate.
 boolean onCertificateNotFound(SocketAddress peer, PemCertificate peerCert)
          Callback method invoked upon receiving a new, unknown certificate.
 

Method Detail

onCertificateNotFound

boolean onCertificateNotFound(SocketAddress peer,
                              PemCertificate peerCert)
Callback method invoked upon receiving a new, unknown certificate.

Invoked when the ZOS server returns a server certificate and there is currently no certificate found for that server. If this method returns false then a certificate exception is thrown on the client, otherwise, the code for this method can "accept" the certificate, possibly with user warnings and a confirmation dialog before returning true to indicate that the certificate is "OK".

Parameters:
peer - The connected socket address for the remote ZOS server.
peerCert - The server certificate presented by the remote ZOS server.
Returns:
If true, then the client TLS engine should "accept" the new certificate. Otherwise the client will throw a certificate exception.

onCertificateMismatch

boolean onCertificateMismatch(SocketAddress peer,
                              PemCertificate peerCert,
                              PemCertificate refCert)
Callback method invoked upon receiving a mismatched server certificate.

Invoked when the ZOS server returns a server certificate that does not correctly match the current certificate held by the client. This exception is a more severe error than "not found" since it indicates a possible spoofing attempt by a "man in the middle". It is recommended that implementations of this callback method default to returning false unless the user or administrator very specifically indicates a willingness to accept the new certificate.

Parameters:
peer - The connected socket address for the remote ZOS server.
peerCert - The server certificate presented by the remote ZOS server.
refCert - The non-matching server certificate currently cached by the client.
Returns:
If true, then the client TLS engine should "accept" the new certificate. Otherwise the client will throw a certificate exception.


Copyright (c) 2009 Novell, Inc. All rights reserved.