authorMark Spruiell <mes@zeroc.com>2005-01-06 18:40:42 +0000
committerMark Spruiell <mes@zeroc.com>2005-01-06 18:40:42 +0000
commit452c92e3cd5f04494c98e6fd6b74f68aa2ffdad1 (patch)
tree937545a655542e73dda81b04f8b858d4639d4425 /java
parentadding ProtocolPluginFacade (diff)
refactoring; support for keystores, ciphersuites
Diffstat (limited to 'java')
-rw-r--r--java/src/IceSSL/Context.java256
-rw-r--r--java/src/IceSSL/Instance.java139
-rw-r--r--java/src/IceSSL/PluginFactory.java2
-rw-r--r--java/src/IceSSL/PluginI.java21
-rw-r--r--java/src/IceSSL/SslAcceptor.java63
-rw-r--r--java/src/IceSSL/SslConnector.java62
-rw-r--r--java/src/IceSSL/SslEndpoint.java26
-rw-r--r--java/src/IceSSL/SslEndpointFactory.java18
-rw-r--r--java/src/IceSSL/SslTransceiver.java41
9 files changed, 510 insertions, 118 deletions
diff --git a/java/src/IceSSL/Context.java b/java/src/IceSSL/Context.java
new file mode 100644
index 00000000000..88aa61fed3f
--- /dev/null
+++ b/java/src/IceSSL/Context.java
@@ -0,0 +1,256 @@
+// **********************************************************************
+//
+// Copyright (c) 2003-2005 ZeroC, Inc. All rights reserved.
+//
+// This copy of Ice is licensed to you under the terms described in the
+// ICE_LICENSE file included in this distribution.
+//
+// **********************************************************************
+
+package IceSSL;
+
+class Context
+{
+ Context(String ciphers, String keyStore, String password, String keyStorePassword, String certs,
+ String certsPassword, java.security.SecureRandom rand)
+ throws java.security.GeneralSecurityException
+ {
+ java.util.ArrayList cipherList = new java.util.ArrayList();
+ if(ciphers.length() > 0)
+ {
+ String[] expr = ciphers.split("[ \t]+");
+ for(int i = 0; i < expr.length; ++i)
+ {
+ if(expr[i].equals("ALL"))
+ {
+ if(i != 0)
+ {
+ Ice.PluginInitializationException ex = new Ice.PluginInitializationException();
+ ex.reason = "IceSSL: `ALL' must be first in cipher list `" + ciphers + "'";
+ throw ex;
+ }
+ _allCiphers = true;
+ }
+ else if(expr[i].equals("NONE"))
+ {
+ if(i != 0)
+ {
+ Ice.PluginInitializationException ex = new Ice.PluginInitializationException();
+ ex.reason = "IceSSL: `NONE' must be first in cipher list `" + ciphers + "'";
+ throw ex;
+ }
+ _noCiphers = true;
+ }
+ else
+ {
+ CipherExpression ce = new CipherExpression();
+ String exp = expr[i];
+ if(exp.charAt(0) == '!')
+ {
+ ce.not = true;
+ if(exp.length() > 1)
+ {
+ exp = exp.substring(1);
+ }
+ else
+ {
+ Ice.PluginInitializationException ex = new Ice.PluginInitializationException();
+ ex.reason = "IceSSL: invalid cipher expression `" + exp + "'";
+ throw ex;
+ }
+ }
+
+ if(exp.charAt(0) == '(')
+ {
+ if(!exp.endsWith(")"))
+ {
+ Ice.PluginInitializationException ex = new Ice.PluginInitializationException();
+ ex.reason = "IceSSL: invalid cipher expression `" + exp + "'";
+ throw ex;
+ }
+
+ try
+ {
+ ce.re = java.util.regex.Pattern.compile(exp.substring(1, exp.length() - 2));
+ }
+ catch(java.util.regex.PatternSyntaxException ex)
+ {
+ Ice.PluginInitializationException e = new Ice.PluginInitializationException();
+ e.reason = "IceSSL: invalid cipher expression `" + exp + "'";
+ e.initCause(ex);
+ throw e;
+ }
+ }
+ else
+ {
+ ce.cipher = exp;
+ }
+
+ cipherList.add(ce);
+ }
+ }
+ _ciphers = new CipherExpression[cipherList.size()];
+ cipherList.toArray(_ciphers);
+ }
+
+ final String ksType = java.security.KeyStore.getDefaultType();
+
+ javax.net.ssl.KeyManager[] keyManagers = null;
+ if(keyStore != null && keyStore.length() > 0)
+ {
+ _keys = java.security.KeyStore.getInstance(ksType);
+ try
+ {
+ char[] pass = null;
+ if(keyStorePassword != null && keyStorePassword.length() > 0)
+ {
+ pass = keyStorePassword.toCharArray();
+ }
+
+ java.io.BufferedInputStream bis =
+ new java.io.BufferedInputStream(new java.io.FileInputStream(keyStore));
+ _keys.load(bis, pass);
+ }
+ catch(java.io.IOException ex)
+ {
+ Ice.PluginInitializationException e = new Ice.PluginInitializationException();
+ e.reason = "IceSSL: unable to load keystore from `" + keyStore + "'";
+ e.initCause(ex);
+ throw e;
+ }
+
+ String algorithm = javax.net.ssl.KeyManagerFactory.getDefaultAlgorithm();
+ javax.net.ssl.KeyManagerFactory kmf = javax.net.ssl.KeyManagerFactory.getInstance(algorithm);
+ kmf.init(_keys, password.toCharArray());
+ keyManagers = kmf.getKeyManagers();
+ }
+
+ javax.net.ssl.TrustManager[] trustManagers = null;
+ if(certs != null && certs.length() > 0)
+ {
+ _certs = java.security.KeyStore.getInstance(ksType);
+ try
+ {
+ char[] pass = null;
+ if(certsPassword != null && certsPassword.length() > 0)
+ {
+ pass = certsPassword.toCharArray();
+ }
+
+ java.io.BufferedInputStream bis =
+ new java.io.BufferedInputStream(new java.io.FileInputStream(certs));
+ _certs.load(bis, pass);
+ }
+ catch(java.io.IOException ex)
+ {
+ Ice.PluginInitializationException e = new Ice.PluginInitializationException();
+ e.reason = "IceSSL: unable to load keystore from `" + certs + "'";
+ e.initCause(ex);
+ throw e;
+ }
+
+ String algorithm = javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm();
+ javax.net.ssl.TrustManagerFactory tmf = javax.net.ssl.TrustManagerFactory.getInstance(algorithm);
+ tmf.init(_certs);
+ trustManagers = tmf.getTrustManagers();
+ }
+
+ _ctx = javax.net.ssl.SSLContext.getInstance("SSL");
+ _ctx.init(keyManagers, trustManagers, rand);
+ }
+
+ javax.net.ssl.SSLContext
+ sslContext()
+ {
+ return _ctx;
+ }
+
+ String[]
+ filterCiphers(String[] supportedCiphers, String[] defaultCiphers)
+ {
+ java.util.LinkedList result = new java.util.LinkedList();
+ if(_allCiphers)
+ {
+ for(int i = 0; i < supportedCiphers.length; ++i)
+ {
+ result.add(supportedCiphers[i]);
+ }
+ }
+ else if(!_noCiphers)
+ {
+ for(int i = 0; i < defaultCiphers.length; ++i)
+ {
+ result.add(defaultCiphers[i]);
+ }
+ }
+
+ if(_ciphers != null)
+ {
+ for(int i = 0; i < _ciphers.length; ++i)
+ {
+ CipherExpression ce = (CipherExpression)_ciphers[i];
+ if(ce.not)
+ {
+ java.util.Iterator e = result.iterator();
+ while(e.hasNext())
+ {
+ String cipher = (String)e.next();
+ if(ce.cipher != null)
+ {
+ if(ce.cipher.equals(cipher))
+ {
+ e.remove();
+ }
+ }
+ else
+ {
+ assert(ce.re != null);
+ java.util.regex.Matcher m = ce.re.matcher(cipher);
+ if(m.find())
+ {
+ e.remove();
+ }
+ }
+ }
+ }
+ else
+ {
+ if(ce.cipher != null)
+ {
+ result.add(0, ce.cipher);
+ }
+ else
+ {
+ assert(ce.re != null);
+ for(int j = 0; j < supportedCiphers.length; ++j)
+ {
+ java.util.regex.Matcher m = ce.re.matcher(supportedCiphers[j]);
+ if(m.find())
+ {
+ result.add(0, supportedCiphers[j]);
+ }
+ }
+ }
+ }
+ }
+ }
+
+ String[] arr = new String[result.size()];
+ result.toArray(arr);
+ return arr;
+ }
+
+ private static class CipherExpression
+ {
+ boolean not;
+ String cipher;
+ java.util.regex.Pattern re;
+ }
+
+ private CipherExpression[] _ciphers;
+ private boolean _allCiphers;
+ private boolean _noCiphers;
+ private javax.net.ssl.SSLContext _ctx;
+ private java.security.KeyStore _keys;
+ private java.security.KeyStore _certs;
+}
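Review bot: The regex branch of the Context constructor compiles `exp.substring(1, exp.length() - 2)`, which strips the closing parenthesis and also the last character of the pattern, so the filter applied is not the one written in the cipher property. A positive expression may then enable, or a negated one remove, suites other than the ones configured. An expression of just `()` raises StringIndexOutOfBoundsException rather than the PluginInitializationException used for other malformed expressions. The end index should be `exp.length() - 1`: `ce.re = java.util.regex.Pattern.compile(exp.substring(1, exp.length() - 1));`.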
diff --git a/java/src/IceSSL/Instance.java b/java/src/IceSSL/Instance.java
new file mode 100644
index 00000000000..cd2247326d1
--- /dev/null
+++ b/java/src/IceSSL/Instance.java
@@ -0,0 +1,139 @@
+// **********************************************************************
+//
+// Copyright (c) 2003-2005 ZeroC, Inc. All rights reserved.
+//
+// This copy of Ice is licensed to you under the terms described in the
+// ICE_LICENSE file included in this distribution.
+//
+// **********************************************************************
+
+package IceSSL;
+
+class Instance
+{
+ Instance(Ice.Communicator communicator)
+ {
+ _facade = Ice.Util.getProtocolPluginFacade(communicator);
+ _securityTraceLevel = communicator.getProperties().getPropertyAsIntWithDefault("IceSSL.Trace.Security", 0);
+ _securityTraceCategory = "Security";
+
+ java.security.SecureRandom rand;
+ try
+ {
+ //
+ // Create a SecureRandom object. We call nextInt() in order to
+ // force the object to perform any time-consuming initialization tasks now.
+ //
+ rand = java.security.SecureRandom.getInstance("SHA1PRNG");
+
+ //
+ // We call nextInt() in order to force the object to perform any time-consuming
+ // initialization tasks now.
+ //
+ rand.nextInt();
+
+ }
+ catch(java.security.GeneralSecurityException ex)
+ {
+ Ice.PluginInitializationException e = new Ice.PluginInitializationException();
+ e.reason = "IceSSL: unable to initialize secure PRNG";
+ e.initCause(ex);
+ throw e;
+ }
+
+ try
+ {
+ _clientContext = createContext("Client", rand);
+ }
+ catch(java.security.GeneralSecurityException ex)
+ {
+ Ice.PluginInitializationException e = new Ice.PluginInitializationException();
+ e.reason = "IceSSL: unable to initialize client context";
+ e.initCause(ex);
+ throw e;
+ }
+
+ try
+ {
+ _serverContext = createContext("Server", rand);
+ }
+ catch(java.security.GeneralSecurityException ex)
+ {
+ Ice.PluginInitializationException e = new Ice.PluginInitializationException();
+ e.reason = "IceSSL: unable to initialize server context";
+ e.initCause(ex);
+ throw e;
+ }
+
+ _facade.addEndpointFactory(new SslEndpointFactory(this));
+ }
+
+ Ice.Communicator
+ communicator()
+ {
+ return _facade.getCommunicator();
+ }
+
+ String
+ defaultHost()
+ {
+ return _facade.getDefaultHost();
+ }
+
+ int
+ networkTraceLevel()
+ {
+ return _facade.getNetworkTraceLevel();
+ }
+
+ String
+ networkTraceCategory()
+ {
+ return _facade.getNetworkTraceCategory();
+ }
+
+ int
+ securityTraceLevel()
+ {
+ return _securityTraceLevel;
+ }
+
+ String
+ securityTraceCategory()
+ {
+ return _securityTraceCategory;
+ }
+
+ Context
+ clientContext()
+ {
+ return _clientContext;
+ }
+
+ Context
+ serverContext()
+ {
+ return _serverContext;
+ }
+
+ private Context
+ createContext(String mode, java.security.SecureRandom rand)
+ throws java.security.GeneralSecurityException
+ {
+ final String prefix = "IceSSL." + mode + ".";
+ Ice.Properties properties = communicator().getProperties();
+ String ciphers = properties.getProperty(prefix + "Ciphers");
+ String keyStore = properties.getProperty(prefix + "KeyStore");
+ String password = properties.getProperty(prefix + "Password");
+ String keyStorePassword = properties.getProperty(prefix + "KeyStorePassword");
+ String certs = properties.getProperty(prefix + "Certs");
+ String certsPassword = properties.getProperty(prefix + "CertsPassword");
+ return new Context(ciphers, keyStore, password, keyStorePassword, certs, certsPassword, rand);
+ }
+
+ private IceInternal.ProtocolPluginFacade _facade;
+ private int _securityTraceLevel;
+ private String _securityTraceCategory;
+ private Context _clientContext;
+ private Context _serverContext;
+}
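Review bot: The Instance constructor pins the PRNG to `java.security.SecureRandom.getInstance("SHA1PRNG")`, which ties plug-in start-up to one provider-specific algorithm name and, as far as this file shows, offers no way to select another. `rand = new java.security.SecureRandom();` lets the JVM's preferred provider choose the implementation; the surrounding try/catch for GeneralSecurityException would then have nothing checked to catch and can be removed. The comment explaining the `nextInt()` call is also written twice in that block, and one copy can be dropped.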
diff --git a/java/src/IceSSL/PluginFactory.java b/java/src/IceSSL/PluginFactory.java
index afd0d3ac2d3..bf2dc125ee3 100644
--- a/java/src/IceSSL/PluginFactory.java
+++ b/java/src/IceSSL/PluginFactory.java
@@ -20,6 +20,6 @@ public class PluginFactory implements Ice.PluginFactory
return null;
}
- return new PluginI(communicator, name, args);
+ return new PluginI(communicator);
}
}
diff --git a/java/src/IceSSL/PluginI.java b/java/src/IceSSL/PluginI.java
index 78213bd3c66..823e2d5b861 100644
--- a/java/src/IceSSL/PluginI.java
+++ b/java/src/IceSSL/PluginI.java
@@ -12,28 +12,15 @@ package IceSSL;
public class PluginI extends Ice.LocalObjectImpl implements Ice.Plugin
{
public
- PluginI(Ice.Communicator communicator, String name, String[] args)
+ PluginI(Ice.Communicator communicator)
{
- javax.net.ssl.SSLContext ctx = null;
- try
- {
- ctx = javax.net.ssl.SSLContext.getInstance("SSL");
- ctx.init(null, null, null);
- }
- catch(java.security.GeneralSecurityException ex)
- {
- Ice.PluginInitializationException e = new Ice.PluginInitializationException();
- e.reason = "unable to initialize SSLContext";
- e.initCause(ex);
- throw e;
- }
-
- IceInternal.Instance instance = Ice.Util.getInstance(communicator);
- instance.endpointFactoryManager().add(new SslEndpointFactory(instance, ctx));
+ _instance = new Instance(communicator);
}
public void
destroy()
{
}
+
+ private Instance _instance;
}
diff --git a/java/src/IceSSL/SslAcceptor.java b/java/src/IceSSL/SslAcceptor.java
index 2aea596bc13..bc8c1559987 100644
--- a/java/src/IceSSL/SslAcceptor.java
+++ b/java/src/IceSSL/SslAcceptor.java
@@ -20,10 +20,10 @@ class SslAcceptor implements IceInternal.Acceptor
public void
close()
{
- if(_traceLevels.network >= 1)
+ if(_instance.networkTraceLevel() >= 1)
{
String s = "stopping to accept ssl connections at " + toString();
- _logger.trace(_traceLevels.networkCat, s);
+ _logger.trace(_instance.networkTraceCategory(), s);
}
javax.net.ssl.SSLServerSocket fd = _fd;
@@ -46,10 +46,10 @@ class SslAcceptor implements IceInternal.Acceptor
{
// Nothing to do.
- if(_traceLevels.network >= 1)
+ if(_instance.networkTraceLevel() >= 1)
{
String s = "accepting ssl connections at " + toString();
- _logger.trace(_traceLevels.networkCat, s);
+ _logger.trace(_instance.networkTraceCategory(), s);
}
}
@@ -84,13 +84,13 @@ class SslAcceptor implements IceInternal.Acceptor
throw e;
}
- if(_traceLevels.network >= 1)
+ if(_instance.networkTraceLevel() >= 1)
{
String s = "accepted ssl connection\n" + IceInternal.Network.fdToString(fd);
- _logger.trace(_traceLevels.networkCat, s);
+ _logger.trace(_instance.networkTraceCategory(), s);
}
- return new SslTransceiver(_instance, _ctx, fd);
+ return new SslTransceiver(_instance, fd);
}
public void
@@ -121,12 +121,11 @@ class SslAcceptor implements IceInternal.Acceptor
return _addr.getPort();
}
- SslAcceptor(IceInternal.Instance instance, javax.net.ssl.SSLContext ctx, String host, int port)
+ SslAcceptor(Instance instance, String host, int port)
{
_instance = instance;
- _ctx = ctx;
- _traceLevels = instance.traceLevels();
- _logger = instance.logger();
+ _ctx = instance.serverContext();
+ _logger = instance.communicator().getLogger();
_backlog = 0;
if(_backlog <= 0)
@@ -136,18 +135,45 @@ class SslAcceptor implements IceInternal.Acceptor
try
{
- javax.net.ssl.SSLServerSocketFactory factory = _ctx.getServerSocketFactory();
+ javax.net.ssl.SSLServerSocketFactory factory = _ctx.sslContext().getServerSocketFactory();
_addr = new java.net.InetSocketAddress(host, port);
- if(_traceLevels.network >= 2)
+ if(_instance.networkTraceLevel() >= 2)
{
String s = "attempting to bind to ssl socket " + toString();
- _logger.trace(_traceLevels.networkCat, s);
+ _logger.trace(_instance.networkTraceCategory(), s);
}
java.net.InetAddress iface = java.net.InetAddress.getByName(host);
_fd = (javax.net.ssl.SSLServerSocket)factory.createServerSocket(port, _backlog, iface);
_addr = (java.net.InetSocketAddress)_fd.getLocalSocketAddress();
-String[] suite = new String[]{ "SSL_DH_anon_WITH_DES_CBC_SHA" };
-_fd.setEnabledCipherSuites(suite);
+
+ final int clientAuth = _instance.communicator().getProperties().getPropertyAsIntWithDefault(
+ "IceSSL.Server.ClientAuth", 0);
+ if(clientAuth == 0)
+ {
+ _fd.setWantClientAuth(false);
+ _fd.setNeedClientAuth(false);
+ }
+ else if(clientAuth == 1)
+ {
+ _fd.setWantClientAuth(true);
+ }
+ else
+ {
+ _fd.setNeedClientAuth(true);
+ }
+
+ String[] cipherSuites = _ctx.filterCiphers(_fd.getSupportedCipherSuites(), _fd.getEnabledCipherSuites());
+ if(_instance.securityTraceLevel() > 0)
+ {
+ StringBuffer s = new StringBuffer();
+ s.append("enabling ciphersuites for ssl server socket " + toString() + ":");
+ for(int i = 0; i < cipherSuites.length; ++i)
+ {
+ s.append("\n " + cipherSuites[i]);
+ }
+ _logger.trace(_instance.securityTraceCategory(), s.toString());
+ }
+ _fd.setEnabledCipherSuites(cipherSuites);
}
catch(java.io.IOException ex)
{
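Review bot: `_fd.setEnabledCipherSuites(cipherSuites)` throws IllegalArgumentException for a suite name the socket does not support, and only `java.io.IOException` is caught in this try block. `Context.filterCiphers` inserts plain names from the cipher property without checking them against `supportedCiphers`, so a misspelt or unavailable suite surfaces as a raw runtime exception after the server socket is already bound. The same call in the `SslConnector.connect()` hunk appears to have the same exposure. Either validate plain names in `filterCiphers`, or handle the exception here and release `_fd`; whether the existing IOException handler closes `_fd` cannot be seen from this hunk.
```java
    _fd.setEnabledCipherSuites(cipherSuites);
}
catch(IllegalArgumentException ex)
{
    // A configured suite is not supported by this socket; release the bound socket before failing.
    try
    {
        _fd.close();
    }
    catch(java.io.IOException e)
    {
        // Ignore: the configuration error below is the failure to report.
    }
    _fd = null;
    throw ex;
}
// … unchanged: catch(java.io.IOException ex) handler …
```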
@@ -177,9 +203,8 @@ _fd.setEnabledCipherSuites(suite);
super.finalize();
}
- private IceInternal.Instance _instance;
- private javax.net.ssl.SSLContext _ctx;
- private IceInternal.TraceLevels _traceLevels;
+ private Instance _instance;
+ private Context _ctx;
private Ice.Logger _logger;
private javax.net.ssl.SSLServerSocket _fd;
private int _backlog;
diff --git a/java/src/IceSSL/SslConnector.java b/java/src/IceSSL/SslConnector.java
index 74c0d6d0a99..03226cdd2f7 100644
--- a/java/src/IceSSL/SslConnector.java
+++ b/java/src/IceSSL/SslConnector.java
@@ -169,10 +169,10 @@ final class SslConnector implements IceInternal.Connector
public IceInternal.Transceiver
connect(int timeout)
{
- if(_traceLevels.network >= 2)
+ if(_instance.networkTraceLevel() >= 2)
{
String s = "trying to establish ssl connection to " + toString();
- _logger.trace(_traceLevels.networkCat, s);
+ _logger.trace(_instance.networkTraceCategory(), s);
}
javax.net.ssl.SSLSocket fd = null;
@@ -183,7 +183,7 @@ final class SslConnector implements IceInternal.Connector
//
if(timeout >= 0)
{
- ConnectThread ct = new ConnectThread(_ctx, _addr);
+ ConnectThread ct = new ConnectThread(_ctx.sslContext(), _addr);
ct.start();
fd = ct.getFd(timeout == 0 ? 1 : timeout);
if(fd == null)
@@ -193,15 +193,24 @@ final class SslConnector implements IceInternal.Connector
}
else
{
- javax.net.SocketFactory factory = _ctx.getSocketFactory();
+ javax.net.SocketFactory factory = _ctx.sslContext().getSocketFactory();
fd = (javax.net.ssl.SSLSocket)factory.createSocket(_addr.getAddress(), _addr.getPort());
}
fd.setUseClientMode(true);
- // TODO: Temporary
- String[] suite = new String[]{ "SSL_DH_anon_WITH_DES_CBC_SHA" };
- fd.setEnabledCipherSuites(suite);
+ String[] cipherSuites = _ctx.filterCiphers(fd.getSupportedCipherSuites(), fd.getEnabledCipherSuites());
+ if(_instance.securityTraceLevel() > 0)
+ {
+ StringBuffer s = new StringBuffer();
+ s.append("enabling ciphersuites for ssl socket\n" + IceInternal.Network.fdToString(fd) + ":");
+ for(int i = 0; i < cipherSuites.length; ++i)
+ {
+ s.append("\n " + cipherSuites[i]);
+ }
+ _logger.trace(_instance.securityTraceCategory(), s.toString());
+ }
+ fd.setEnabledCipherSuites(cipherSuites);
//
// If a connect timeout is specified, do the SSL handshake in a separate thread.
@@ -275,34 +284,13 @@ final class SslConnector implements IceInternal.Connector
throw ex;
}
- if(_traceLevels.network >= 1)
+ if(_instance.networkTraceLevel() >= 1)
{
String s = "ssl connection established\n" + IceInternal.Network.fdToString(fd);
- _logger.trace(_traceLevels.networkCat, s);
+ _logger.trace(_instance.networkTraceCategory(), s);
}
- /*
-String[] suites = fd.getSupportedCipherSuites();
-System.out.println("Supported cipher suites:");
-for(int i = 0; i < suites.length; ++i)
-{
- System.out.println(" " + suites[i]);
-}
-suites = fd.getEnabledCipherSuites();
-System.out.println("Enabled cipher suites:");
-for(int i = 0; i < suites.length; ++i)
-{
- System.out.println(" " + suites[i]);
-}
-String[] protocols = fd.getSupportedProtocols();
-System.out.println("Supported protocols:");
-for(int i = 0; i < protocols.length; ++i)
-{
- System.out.println(" " + protocols[i]);
-}
- */
-
- return new SslTransceiver(_instance, _ctx, fd);
+ return new SslTransceiver(_instance, fd);
}
public String
@@ -314,19 +302,17 @@ for(int i = 0; i < protocols.length; ++i)
//
// Only for use by SslEndpoint
//
- SslConnector(IceInternal.Instance instance, javax.net.ssl.SSLContext ctx, String host, int port)
+ SslConnector(Instance instance, String host, int port)
{
_instance = instance;
- _ctx = ctx;
- _traceLevels = instance.traceLevels();
- _logger = instance.logger();
+ _ctx = instance.clientContext();
+ _logger = instance.communicator().getLogger();
_addr = IceInternal.Network.getAddress(host, port);
}
- private IceInternal.Instance _instance;
- javax.net.ssl.SSLContext _ctx;
- private IceInternal.TraceLevels _traceLevels;
+ private Instance _instance;
+ private Context _ctx;
private Ice.Logger _logger;
private java.net.InetSocketAddress _addr;
}
diff --git a/java/src/IceSSL/SslEndpoint.java b/java/src/IceSSL/SslEndpoint.java
index 4a0bb24a3b1..9c1956b4ed0 100644
--- a/java/src/IceSSL/SslEndpoint.java
+++ b/java/src/IceSSL/SslEndpoint.java
@@ -14,10 +14,9 @@ final class SslEndpoint implements IceInternal.Endpoint
final static short TYPE = 2;
public
- SslEndpoint(IceInternal.Instance instance, javax.net.ssl.SSLContext ctx, String ho, int po, int ti, boolean co)
+ SslEndpoint(Instance instance, String ho, int po, int ti, boolean co)
{
_instance = instance;
- _ctx = ctx;
_host = ho;
_port = po;
_timeout = ti;
@@ -26,10 +25,9 @@ final class SslEndpoint implements IceInternal.Endpoint
}
public
- SslEndpoint(IceInternal.Instance instance, javax.net.ssl.SSLContext ctx, String str)
+ SslEndpoint(Instance instance, String str)
{
_instance = instance;
- _ctx = ctx;
_host = null;
_port = 0;
_timeout = -1;
@@ -145,17 +143,16 @@ final class SslEndpoint implements IceInternal.Endpoint
if(_host == null)
{
- _host = _instance.defaultsAndOverrides().defaultHost;
+ _host = _instance.defaultHost();
}
calcHashValue();
}
public
- SslEndpoint(IceInternal.BasicStream s, javax.net.ssl.SSLContext ctx)
+ SslEndpoint(Instance instance, IceInternal.BasicStream s)
{
- _instance = s.instance();
- _ctx = ctx;
+ _instance = instance;
s.startReadEncaps();
_host = s.readString();
_port = s.readInt();
@@ -231,7 +228,7 @@ final class SslEndpoint implements IceInternal.Endpoint
}
else
{
- return new SslEndpoint(_instance, _ctx, _host, _port, timeout, _compress);
+ return new SslEndpoint(_instance, _host, _port, timeout, _compress);
}
}
@@ -259,7 +256,7 @@ final class SslEndpoint implements IceInternal.Endpoint
}
else
{
- return new SslEndpoint(_instance, _ctx, _host, _port, _timeout, compress);
+ return new SslEndpoint(_instance, _host, _port, _timeout, compress);
}
}
@@ -321,7 +318,7 @@ final class SslEndpoint implements IceInternal.Endpoint
public IceInternal.Connector
connector()
{
- return new SslConnector(_instance, _ctx, _host, _port);
+ return new SslConnector(_instance, _host, _port);
}
//
@@ -334,8 +331,8 @@ final class SslEndpoint implements IceInternal.Endpoint
public IceInternal.Acceptor
acceptor(IceInternal.EndpointHolder endpoint)
{
- SslAcceptor p = new SslAcceptor(_instance, _ctx, _host, _port);
- endpoint.value = new SslEndpoint(_instance, _ctx, _host, p.effectivePort(), _timeout, _compress);
+ SslAcceptor p = new SslAcceptor(_instance, _host, _port);
+ endpoint.value = new SslEndpoint(_instance, _host, p.effectivePort(), _timeout, _compress);
return p;
}
@@ -487,8 +484,7 @@ final class SslEndpoint implements IceInternal.Endpoint
_hashCode = 5 * _hashCode + (_compress ? 1 : 0);
}
- private IceInternal.Instance _instance;
- private javax.net.ssl.SSLContext _ctx;
+ private Instance _instance;
private String _host;
private int _port;
private int _timeout;
diff --git a/java/src/IceSSL/SslEndpointFactory.java b/java/src/IceSSL/SslEndpointFactory.java
index 2a8ef105649..06f645b343c 100644
--- a/java/src/IceSSL/SslEndpointFactory.java
+++ b/java/src/IceSSL/SslEndpointFactory.java
@@ -11,42 +11,40 @@ package IceSSL;
final class SslEndpointFactory implements IceInternal.EndpointFactory
{
- SslEndpointFactory(IceInternal.Instance instance, javax.net.ssl.SSLContext ctx)
+ SslEndpointFactory(Instance instance)
{
- _instance = instance;
- _ctx = ctx;
+ _instance = instance;
}
public short
type()
{
- return SslEndpoint.TYPE;
+ return SslEndpoint.TYPE;
}
public String
protocol()
{
- return "ssl";
+ return "ssl";
}
public IceInternal.Endpoint
create(String str)
{
- return new SslEndpoint(_instance, _ctx, str);
+ return new SslEndpoint(_instance, str);
}
public IceInternal.Endpoint
read(IceInternal.BasicStream s)
{
- return new SslEndpoint(s, _ctx);
+ return new SslEndpoint(_instance, s);
}
public void
destroy()
{
- _instance = null;
+ _instance = null;
}
- private IceInternal.Instance _instance;
- private javax.net.ssl.SSLContext _ctx;
+ private Instance _instance;
}
diff --git a/java/src/IceSSL/SslTransceiver.java b/java/src/IceSSL/SslTransceiver.java
index af08a554d5e..1dc64ec78a8 100644
--- a/java/src/IceSSL/SslTransceiver.java
+++ b/java/src/IceSSL/SslTransceiver.java
@@ -20,10 +20,10 @@ final class SslTransceiver implements IceInternal.Transceiver
public void
close()
{
- if(_traceLevels.network >= 1)
+ if(_instance.networkTraceLevel() >= 1)
{
String s = "closing ssl connection\n" + toString();
- _logger.trace(_traceLevels.networkCat, s);
+ _logger.trace(_instance.networkTraceCategory(), s);
}
assert(_fd != null);
@@ -47,10 +47,10 @@ final class SslTransceiver implements IceInternal.Transceiver
/*
* shutdownOutput is not supported by an SSL socket.
*
- if(_traceLevels.network >= 2)
+ if(_instance.networkTraceLevel() >= 2)
{
String s = "shutting down ssl connection for writing\n" + toString();
- _logger.trace(_traceLevels.networkCat, s);
+ _logger.trace(_instance.networkTraceCategory(), s);
}
assert(_fd != null);
@@ -74,10 +74,10 @@ final class SslTransceiver implements IceInternal.Transceiver
public void
shutdownReadWrite()
{
- if(_traceLevels.network >= 2)
+ if(_instance.networkTraceLevel() >= 2)
{
String s = "shutting down ssl connection for reading and writing\n" + toString();
- _logger.trace(_traceLevels.networkCat, s);
+ _logger.trace(_instance.networkTraceCategory(), s);
}
assert(_fd != null);
@@ -155,10 +155,10 @@ final class SslTransceiver implements IceInternal.Transceiver
_out.write(data, off + pos, rem);
buf.position(pos + rem);
- if(_traceLevels.network >= 3)
+ if(_instance.networkTraceLevel() >= 3)
{
String s = "sent " + rem + " of " + buf.limit() + " bytes via ssl\n" + toString();
- _logger.trace(_traceLevels.networkCat, s);
+ _logger.trace(_instance.networkTraceCategory(), s);
}
if(_stats != null)
@@ -187,7 +187,7 @@ final class SslTransceiver implements IceInternal.Transceiver
java.nio.ByteBuffer buf = stream.prepareRead();
int remaining = 0;
- if(_traceLevels.network >= 3)
+ if(_instance.networkTraceLevel() >= 3)
{
remaining = buf.remaining();
}
@@ -226,10 +226,10 @@ final class SslTransceiver implements IceInternal.Transceiver
if(ret > 0)
{
- if(_traceLevels.network >= 3)
+ if(_instance.networkTraceLevel() >= 3)
{
String s = "received " + ret + " of " + remaining + " bytes via ssl\n" + toString();
- _logger.trace(_traceLevels.networkCat, s);
+ _logger.trace(_instance.networkTraceCategory(), s);
}
if(_stats != null)
@@ -295,13 +295,19 @@ final class SslTransceiver implements IceInternal.Transceiver
//
// Only for use by SslConnector, SslAcceptor
//
- SslTransceiver(IceInternal.Instance instance, javax.net.ssl.SSLContext ctx, javax.net.ssl.SSLSocket fd)
+ SslTransceiver(Instance instance, javax.net.ssl.SSLSocket fd)
{
- _ctx = ctx;
+ _instance = instance;
_fd = fd;
- _traceLevels = instance.traceLevels();
- _logger = instance.logger();
- _stats = instance.stats();
+ _logger = instance.communicator().getLogger();
+ try
+ {
+ _stats = instance.communicator().getStats();
+ }
+ catch(Ice.CommunicatorDestroyedException ex)
+ {
+ // Ignore.
+ }
_desc = IceInternal.Network.fdToString(_fd);
try
{
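Review bot: The new `catch(Ice.CommunicatorDestroyedException ex)` in the SslTransceiver constructor does not say why the exception is safe to drop; it leaves `_stats` null, which the `if(_stats != null)` checks in the read and write hunks appear to rely on. A comment such as `// Communicator already destroyed: leave _stats null so no statistics are reported.` would record that intent. If `getStats()` can throw here, the unguarded `instance.communicator().getLogger()` call on the line before it presumably can too, which is worth confirming. The constructor continues past the end of this hunk.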
@@ -334,9 +340,8 @@ final class SslTransceiver implements IceInternal.Transceiver
super.finalize();
}
- private javax.net.ssl.SSLContext _ctx;
+ private Instance _instance;
private javax.net.ssl.SSLSocket _fd;
- private IceInternal.TraceLevels _traceLevels;
private Ice.Logger _logger;
private Ice.Stats _stats;
private String _desc;