The MWSSLConfig object provides information to configure HTTPS. The Java® client API provides a default MWSSLConfig implementation, MWSSLDefaultConfig, which it uses when no SSL configuration is passed to the MWHTTPClient constructor.
The MWSSLDefaultConfig object is implemented such that:
- getSSLContext() returns the default SSLContext object created by the JRE.
- getHostnameVerifier() returns a HostnameVerifier implementation that always returns false. If the HTTPS hostname verification fails, this does not override the decision.
- getServerAuthorizer() returns a MWSSLServerAuthorizer implementation that authorizes all MATLAB® Production Server™ instances.
You extend the MWSSLDefaultConfig class to:
- specify the security protocols the client can use
- customize how the client verifies hostnames
- specify additional server authentication logic
The MWSSLDefaultConfig class has three methods:
- getSSLContext() — Returns the SSLContext object
- getHostnameVerifier() — Returns a HostnameVerifier object to use if HTTPS hostname verification fails
- getServerAuthorizer() — Returns a MWSSLServerAuthorizer object to perform server authorization based on the server certificate
MATLAB Production Server supports the following encryption protocols:
- TLSv1.0
- TLSv1.1
- TLSv1.2
- SSLv3.0
- SSLv2.0
By default, all protocols are enabled. To control which protocols are enabled, override the getSSLContext() method to return an instance of MWCustomSSLContext with a list of enabled protocols. Protocols not on the list are not enabled. For example, to avoid the POODLE vulnerability by disabling the SSL protocols, you enable only the TLS protocols.
    import javax.net.ssl.SSLContext;
    import java.security.KeyManagementException;
    import java.security.NoSuchAlgorithmException;
    import com.mathworks.mps.client.*;

    public class MySSLConfig extends MWSSLDefaultConfig {
        public SSLContext getSSLContext() {
            try {
                // Enable only the TLS protocols; SSLv2.0 and SSLv3.0 are left off the list
                final SSLContext context = MWCustomSSLContext.getInstance("TLSv1", "TLSv1.1", "TLSv1.2");
                // null arguments select the JRE's default key managers, trust managers and random source
                context.init(null, null, null);
                return context;
            } catch (NoSuchAlgorithmException e) {
                return null;
            } catch (KeyManagementException e) {
                return null;
            }
        }
    }
As part of the SSL handshake, the HTTPS layer attempts to match the hostname in the provided URL to the hostname provided in the server certificate. If the two hostnames do not match, the HTTPS layer calls the HostnameVerifier.verify() method as an additional check. The return value of the HostnameVerifier.verify() method determines if the hostname is verified.
The implementation of the HostnameVerifier.verify() method provided by the MWSSLDefaultConfig object always returns false. The result is that if the hostname in the URL and the hostname in the server certificate do not match, the HTTPS handshake fails.
For a more robust hostname verification scheme, extend the MWSSLDefaultConfig class to return an implementation of HostnameVerifier.verify() that uses custom logic. For example, if you only wanted to generate one certificate for all of the servers on which MATLAB Production Server instances run, you could specify MPS for the certificate's hostname. Then your implementation of HostnameVerifier.verify() returns true if the hostname stored in the certificate is MPS.
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.SSLSession;
    import com.mathworks.mps.client.*;

    public class MySSLConfig extends MWSSLDefaultConfig {
        public HostnameVerifier getHostnameVerifier() {
            return new HostnameVerifier() {
                // Called only after the HTTPS layer's own hostname match has failed
                public boolean verify(String s, SSLSession sslSession) {
                    // Accept the connection when the session's peer host is MPS
                    return "MPS".equals(sslSession.getPeerHost());
                }
            };
        }
    }
For more information on HostnameVerifier, see Oracle's Java documentation.
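An added example, not MathWorks code: SSLSession.getPeerHost() reports the host name recorded for the connection and is not authenticated, so this verifier applies the rule described above (accept only when the certificate names MPS) by reading the subject CN from the server certificate presented in the session. It uses only JDK classes; the class name SharedNameVerifier and the choice of the subject CN as the certificate's hostname are assumptions.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/** Hypothetical verifier: accepts a mismatched hostname only if the certificate's subject CN is the shared name. */
public class SharedNameVerifier implements HostnameVerifier {
    private final String sharedName;

    public SharedNameVerifier(String sharedName) {
        this.sharedName = sharedName;
    }

    /** Returns a CN attribute value from an RFC 2253 distinguished name, or null if none is found. */
    static String commonName(String distinguishedName) {
        try {
            for (Rdn rdn : new LdapName(distinguishedName).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return String.valueOf(rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            // Unparseable subject: report "no CN" so that verify() fails closed
        }
        return null;
    }

    @Override
    public boolean verify(String urlHost, SSLSession session) {
        try {
            // Index 0 is the server's own (leaf) certificate
            Certificate leaf = session.getPeerCertificates()[0];
            if (!(leaf instanceof X509Certificate)) {
                return false;
            }
            String subject = ((X509Certificate) leaf).getSubjectX500Principal().getName();
            return sharedName.equals(commonName(subject));
        } catch (SSLPeerUnverifiedException e) {
            return false; // the peer presented no verified certificate: reject
        }
    }

    public static void main(String[] args) {
        // Constructed subject strings, for illustration only
        System.out.println(commonName("CN=MPS,OU=Analytics,O=Example Corp"));
        System.out.println(commonName("OU=Analytics,O=Example Corp"));
    }
}
```

To use it, return new SharedNameVerifier("MPS") from an overridden getHostnameVerifier().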
After the HTTPS layer establishes a secure connection, a client can perform an additional authentication step before sending requests to a server. An implementation of the MWSSLServerAuthorizer interface performs this additional authentication. An MWSSLServerAuthorizer implementation performs two checks to authorize a server:
- isCertificateRequired() determines if servers must present a certificate for authorization. If this returns true and the server has not provided a certificate, the client does not authorize the server.
- authorize(Certificate serverCert) uses the server's certificate to determine if the client authorizes the server to process requests.
The MWSSLServerAuthorizer implementation returned by the MWSSLDefaultConfig object authorizes all servers without performing any checks.
To use server authentication, extend the MWSSLDefaultConfig class and override the implementation of getServerAuthorizer() to return a MWSSLServerAuthorizer implementation that does perform authorization checks.