Big refactor:

- Move classes and predicates to appropriate libraries
- Overhaul the endpoint identification algorithm logic to use taint tracking
- Adapt tests

java/ql/lib/semmle/code/java/frameworks/Networking.qll

@@ -14,6 +14,11 @@ class TypeSocket extends RefType {
   TypeSocket() { this.hasQualifiedName("java.net", "Socket") }
 }
 
+/** The type `javax.net.SocketFactory` */
+class TypeSocketFactory extends RefType {
+  TypeSocketFactory() { this.hasQualifiedName("javax.net", "SocketFactory") }
+}
+
 /** The type `java.net.URL`. */
 class TypeUrl extends RefType {
   TypeUrl() { this.hasQualifiedName("java.net", "URL") }
@@ -143,6 +148,21 @@ class UrlOpenConnectionMethod extends Method {
   }
 }
 
+/** The method `javax.net.SocketFactory::createSocket`. */
+class CreateSocketMethod extends Method {
+  CreateSocketMethod() {
+    this.hasName("createSocket") and
+    this.getDeclaringType() instanceof TypeSocketFactory
+  }
+}
+
+class SocketConnectMethod extends Method {
+  SocketConnectMethod() {
+    this.hasName("connect") and
+    this.getDeclaringType() instanceof TypeSocket
+  }
+}
+
 /**
  * A string matching private host names of IPv4 and IPv6, which only matches the host portion therefore checking for port is not necessary.
  * Several examples are localhost, reserved IPv4 IP addresses including 127.0.0.1, 10.x.x.x, 172.16.x,x, 192.168.x,x, and reserved IPv6 addresses including [0:0:0:0:0:0:0:1] and [::1]

java/ql/lib/semmle/code/java/security/Encryption.qll

@@ -34,6 +34,19 @@ class SSLSession extends RefType {
   SSLSession() { this.hasQualifiedName("javax.net.ssl", "SSLSession") }
 }
 
+class SSLEngine extends RefType {
+  SSLEngine() { this.hasQualifiedName("javax.net.ssl", "SSLEngine") }
+}
+
+class SSLSocket extends RefType {
+  SSLSocket() { this.hasQualifiedName("javax.net.ssl", "SSLSocket") }
+}
+
+/** The `javax.net.ssl.SSLParameters` class. */
+class SSLParameters extends RefType {
+  SSLParameters() { this.hasQualifiedName("javax.net.ssl", "SSLParameters") }
+}
+
 class HostnameVerifier extends RefType {
   HostnameVerifier() { this.hasQualifiedName("javax.net.ssl", "HostnameVerifier") }
 }
@@ -79,6 +92,14 @@ class GetSocketFactory extends Method {
   }
 }
 
+/** The `createSSLEngine` method of the class `javax.net.ssl.SSLContext` */
+class CreateSslEngineMethod extends Method {
+  CreateSslEngineMethod() {
+    this.hasName("createSSLEngine") and
+    this.getDeclaringType() instanceof SSLContext
+  }
+}
+
 class SetConnectionFactoryMethod extends Method {
   SetConnectionFactoryMethod() {
     this.hasName("setSSLSocketFactory") and
@@ -101,6 +122,14 @@ class SetDefaultHostnameVerifierMethod extends Method {
   }
 }
 
+/** The `getSession` method of the class `javax.net.ssl.SSLSession`.select */
+class GetSslSessionMethod extends Method {
+  GetSslSessionMethod() {
+    hasName("getSession") and
+    getDeclaringType().getASupertype*() instanceof SSLSession
+  }
+}
+
 bindingset[algorithmString]
 private string algorithmRegex(string algorithmString) {
   // Algorithms usually appear in names surrounded by characters that are not
@@ -168,7 +197,7 @@ string getInsecureAlgorithmRegex() {
 string getASecureAlgorithmName() {
   result =
     [
-      "RSA", "SHA256", "SHA512", "CCM", "GCM", "AES(?![^a-zA-Z](ECB|CBC/PKCS[57]Padding))",
+      "RSA", "SHA256", "SHA512", "CCM", "GCM", "AES([^a-zA-Z](?!ECB|CBC/PKCS[57]Padding)).*",
       "Blowfish", "ECIES"
     ]
 }

java/ql/lib/semmle/code/java/security/UnsafeCertTrust.qll

@@ -0,0 +1,103 @@
+/** Provides classes and predicates to reason about unsafe certificate trust vulnerablities. */
+
+import java
+private import semmle.code.java.frameworks.Networking
+private import semmle.code.java.security.Encryption
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.DataFlow2
+
+/**
+ * The creation of an object that prepares an SSL connection.
+ */
+class SslConnectionInit extends DataFlow::Node {
+  SslConnectionInit() {
+    this.asExpr().(MethodAccess).getMethod() instanceof CreateSslEngineMethod or
+    this.asExpr().(MethodAccess).getMethod() instanceof CreateSocketMethod
+  }
+}
+
+/**
+ * A call to a method that establishes an SSL connection.
+ */
+class SslConnectionCreation extends DataFlow::Node {
+  SslConnectionCreation() {
+    exists(MethodAccess ma, Method m |
+      m instanceof GetSslSessionMethod or
+      m instanceof SocketConnectMethod
+    |
+      ma.getMethod() = m and
+      this.asExpr() = ma.getQualifier()
+    )
+    or
+    // calls to SocketFactory.createSocket with parameters immediately create the connection
+    exists(MethodAccess ma, Method m |
+      ma.getMethod() = m and
+      m instanceof CreateSocket and
+      m.getNumberOfParameters() > 0
+    |
+      this.asExpr() = ma
+    )
+  }
+}
+
+/**
+ * An SSL object that was assigned a safe `SSLParameters` object an can be considered safe.
+ */
+class SslConnectionWithSafeSslParameters extends Expr {
+  SslConnectionWithSafeSslParameters() {
+    exists(SafeSslParametersFlowConfig config, DataFlow::Node safe |
+      config.hasFlowTo(safe) and this = safe.asExpr().(Argument).getCall().getQualifier()
+    )
+  }
+}
+
+private class SafeSslParametersFlowConfig extends DataFlow2::Configuration {
+  SafeSslParametersFlowConfig() { this = "SafeSslParametersFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(MethodAccess ma |
+      ma instanceof SafeSetEndpointIdentificationAlgorithm and
+      ma.getQualifier() = source.asExpr()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma, RefType t | t instanceof SSLSocket or t instanceof SSLEngine |
+      ma.getMethod().hasName("setSSLParameters") and
+      ma.getMethod().getDeclaringType().getASupertype*() = t and
+      ma.getArgument(0) = sink.asExpr()
+    )
+  }
+}
+
+private class SafeSetEndpointIdentificationAlgorithm extends MethodAccess {
+  SafeSetEndpointIdentificationAlgorithm() {
+    this.getMethod().hasName("setEndpointIdentificationAlgorithm") and
+    this.getMethod().getDeclaringType() instanceof SSLParameters and
+    not this.getArgument(0) instanceof NullLiteral and
+    not this.getArgument(0).(CompileTimeConstantExpr).getStringValue().length() = 0
+  }
+}
+
+/**
+ * A call to the method `useSslProtocol` on an instance of `com.rabbitmq.client.ConnectionFactory`
+ * that doesn't have `enableHostnameVerification` set.
+ */
+class RabbitMQEnableHostnameVerificationNotSet extends MethodAccess {
+  RabbitMQEnableHostnameVerificationNotSet() {
+    this.getMethod().hasName("useSslProtocol") and
+    this.getMethod().getDeclaringType() instanceof RabbitMQConnectionFactory and
+    exists(Variable v |
+      v.getType() instanceof RabbitMQConnectionFactory and
+      this.getQualifier() = v.getAnAccess() and
+      not exists(MethodAccess ma |
+        ma.getMethod().hasName("enableHostnameVerification") and
+        ma.getQualifier() = v.getAnAccess()
+      )
+    )
+  }
+}
+
+private class RabbitMQConnectionFactory extends RefType {
+  RabbitMQConnectionFactory() { this.hasQualifiedName("com.rabbitmq.client", "ConnectionFactory") }
+}

java/ql/src/Security/CWE/CWE-273/UnsafeCertTrust.ql

@@ -12,158 +12,25 @@
  */
 
 import java
-import semmle.code.java.security.Encryption
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.security.UnsafeCertTrust
 
-class SSLEngine extends RefType {
-  SSLEngine() { this.hasQualifiedName("javax.net.ssl", "SSLEngine") }
-}
+class SslEndpointIdentificationFlowConfig extends TaintTracking::Configuration {
+  SslEndpointIdentificationFlowConfig() { this = "SslEndpointIdentificationFlowConfig" }
 
-class Socket extends RefType {
-  Socket() { this.hasQualifiedName("java.net", "Socket") }
-}
+  override predicate isSource(DataFlow::Node source) { source instanceof SslConnectionInit }
 
-class SocketFactory extends RefType {
-  SocketFactory() { this.hasQualifiedName("javax.net", "SocketFactory") }
-}
+  override predicate isSink(DataFlow::Node sink) { sink instanceof SslConnectionCreation }
 
-class SSLSocket extends RefType {
-  SSLSocket() { this.hasQualifiedName("javax.net.ssl", "SSLSocket") }
-}
-
-/**
- * has setEndpointIdentificationAlgorithm set correctly
- */
-predicate setEndpointIdentificationAlgorithm(MethodAccess createSSL) {
-  exists(
-    Variable sslo, MethodAccess ma, Variable sslparams //setSSLParameters with valid setEndpointIdentificationAlgorithm set
-  |
-    createSSL = sslo.getAnAssignedValue() and
-    ma.getQualifier() = sslo.getAnAccess() and
-    ma.getMethod().hasName("setSSLParameters") and
-    ma.getArgument(0) = sslparams.getAnAccess() and
-    exists(MethodAccess setepa |
-      setepa.getQualifier() = sslparams.getAnAccess() and
-      setepa.getMethod().hasName("setEndpointIdentificationAlgorithm") and
-      not setepa.getArgument(0) instanceof NullLiteral
-    )
-  )
-}
-
-/**
- * has setEndpointIdentificationAlgorithm set correctly
- */
-predicate hasEndpointIdentificationAlgorithm(Variable ssl) {
-  exists(
-    MethodAccess ma, Variable sslparams //setSSLParameters with valid setEndpointIdentificationAlgorithm set
-  |
-    ma.getQualifier() = ssl.getAnAccess() and
-    ma.getMethod().hasName("setSSLParameters") and
-    ma.getArgument(0) = sslparams.getAnAccess() and
-    exists(MethodAccess setepa |
-      setepa.getQualifier() = sslparams.getAnAccess() and
-      setepa.getMethod().hasName("setEndpointIdentificationAlgorithm") and
-      not setepa.getArgument(0) instanceof NullLiteral
-    )
-  )
-}
-
-/**
- * Cast of Socket to SSLSocket
- */
-predicate sslCast(MethodAccess createSSL) {
-  exists(Variable ssl, CastExpr ce |
-    ce.getExpr() = createSSL and
-    ce.getControlFlowNode().getASuccessor().(VariableAssign).getDestVar() = ssl and
-    ssl.getType() instanceof SSLSocket //With a type cast `SSLSocket socket = (SSLSocket) socketFactory.createSocket("www.example.com", 443)`
-  )
-}
-
-/**
- * SSL object is created in a separate method call or in the same method
- */
-predicate hasFlowPath(MethodAccess createSSL, Variable ssl) {
-  (
-    createSSL = ssl.getAnAssignedValue()
-    or
-    exists(CastExpr ce |
-      ce.getExpr() = createSSL and
-      ce.getControlFlowNode().getASuccessor().(VariableAssign).getDestVar() = ssl //With a type cast like SSLSocket socket = (SSLSocket) socketFactory.createSocket("www.example.com", 443);
-    )
-  )
-  or
-  exists(MethodAccess tranm |
-    createSSL.getEnclosingCallable() = tranm.getMethod() and
-    tranm.getControlFlowNode().getASuccessor().(VariableAssign).getDestVar() = ssl and
-    not setEndpointIdentificationAlgorithm(createSSL) //Check the scenario of invocation before used in the current method
-  )
-}
-
-/**
- * Not have the SSLParameter set
- */
-predicate hasNoEndpointIdentificationSet(MethodAccess createSSL, Variable ssl) {
-  //No setSSLParameters set
-  hasFlowPath(createSSL, ssl) and
-  not exists(MethodAccess ma |
-    ma.getQualifier() = ssl.getAnAccess() and
-    ma.getMethod().hasName("setSSLParameters")
-  )
-  or
-  //No endpointIdentificationAlgorithm set with setSSLParameters
-  hasFlowPath(createSSL, ssl) and
-  not setEndpointIdentificationAlgorithm(createSSL)
-}
-
-/**
- * The setEndpointIdentificationAlgorithm method of SSLParameters with the ssl engine or socket
- */
-class SSLEndpointIdentificationNotSet extends MethodAccess {
-  SSLEndpointIdentificationNotSet() {
-    (
-      this.getMethod().hasName("createSSLEngine") and
-      this.getMethod().getDeclaringType() instanceof SSLContext //createEngine method of SSLContext
-      or
-      this.getMethod().hasName("createSocket") and
-      this.getMethod().getDeclaringType() instanceof SocketFactory and
-      this.getMethod().getReturnType() instanceof Socket and
-      sslCast(this) //createSocket method of SocketFactory
-    ) and
-    exists(Variable ssl |
-      hasNoEndpointIdentificationSet(this, ssl) and //Not set in itself
-      not exists(VariableAssign ar, Variable newSsl |
-        ar.getSource() = this.getCaller().getAReference() and
-        ar.getDestVar() = newSsl and
-        hasEndpointIdentificationAlgorithm(newSsl) //Not set in its caller either
-      )
-    ) and
-    not exists(MethodAccess ma | ma.getMethod() instanceof HostnameVerifierVerify) //Reduce false positives since this method access set default hostname verifier
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer.asExpr() instanceof SslConnectionWithSafeSslParameters
   }
 }
 
-class RabbitMQConnectionFactory extends RefType {
-  RabbitMQConnectionFactory() { this.hasQualifiedName("com.rabbitmq.client", "ConnectionFactory") }
-}
-
-/**
- * The com.rabbitmq.client.ConnectionFactory useSslProtocol method access without enableHostnameVerification
- */
-class RabbitMQEnableHostnameVerificationNotSet extends MethodAccess {
-  RabbitMQEnableHostnameVerificationNotSet() {
-    this.getMethod().hasName("useSslProtocol") and
-    this.getMethod().getDeclaringType() instanceof RabbitMQConnectionFactory and
-    exists(Variable v |
-      v.getType() instanceof RabbitMQConnectionFactory and
-      this.getQualifier() = v.getAnAccess() and
-      not exists(MethodAccess ma |
-        ma.getMethod().hasName("enableHostnameVerification") and
-        ma.getQualifier() = v.getAnAccess()
-      )
-    )
-  }
-}
-
-from MethodAccess aa
+from Expr unsafeConfig
 where
-  aa instanceof SSLEndpointIdentificationNotSet or
-  aa instanceof RabbitMQEnableHostnameVerificationNotSet
-select aa, "Unsafe configuration of trusted certificates"
+  unsafeConfig instanceof RabbitMQEnableHostnameVerificationNotSet or
+  exists(SslEndpointIdentificationFlowConfig config |
+    config.hasFlowTo(DataFlow::exprNode(unsafeConfig))
+  )
+select unsafeConfig, "Unsafe configuration of trusted certificates"

java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.java

@@ -1,20 +1,12 @@
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.SSLSocket;
+import java.net.InetSocketAddress;
+import java.net.Socket;
+import javax.net.SocketFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.X509TrustManager;
-
-import java.net.Socket;
-import javax.net.SocketFactory;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-
-//import com.rabbitmq.client.ConnectionFactory;
+import com.rabbitmq.client.ConnectionFactory;
 
 public class UnsafeCertTrustTest {
 
@@ -27,6 +19,7 @@ public class UnsafeCertTrustTest {
 		SSLParameters sslParameters = sslEngine.getSSLParameters();
 		sslParameters.setEndpointIdentificationAlgorithm(null);
 		sslEngine.setSSLParameters(sslParameters);
+		sslEngine.getSession();
 	}
 
 	/**
@@ -35,17 +28,97 @@ public class UnsafeCertTrustTest {
 	public void testSSLEngineEndpointIdNotSet() throws java.security.NoSuchAlgorithmException {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
 		SSLEngine sslEngine = sslContext.createSSLEngine();
+		sslEngine.getSession();
+	}
+
+	/**
+	 * Test the endpoint identification of SSL engine is set to HTTPS
+	 */
+	public void testSSLEngineEndpointIdSafe() throws java.security.NoSuchAlgorithmException {
+		SSLContext sslContext = SSLContext.getInstance("TLS");
+		SSLEngine sslEngine = sslContext.createSSLEngine();
+		SSLParameters sslParameters = sslEngine.getSSLParameters();
+		sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
+		sslEngine.setSSLParameters(sslParameters);
+		sslEngine.getSession();
 	}
 
 	/**
 	 * Test the endpoint identification of SSL socket is not set
 	 */
-	public void testSSLSocketEndpointIdNotSet() throws java.security.NoSuchAlgorithmException, java.io.IOException {
+	public void testSSLSocketImmediatelyConnects()
+			throws java.security.NoSuchAlgorithmException, java.io.IOException {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
 		final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
 		SSLSocket socket = (SSLSocket) socketFactory.createSocket("www.example.com", 443);
 	}
 
+	/**
+	 * Test the endpoint identification of SSL socket is not set
+	 */
+	public void testSSLSocketEndpointIdNotSet()
+			throws java.security.NoSuchAlgorithmException, java.io.IOException {
+		SSLContext sslContext = SSLContext.getInstance("TLS");
+		final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
+		SSLSocket socket = (SSLSocket) socketFactory.createSocket();
+		socket.connect(new InetSocketAddress("www.example.com", 443));
+	}
+
+	/**
+	 * Test the endpoint identification of SSL socket is set to null
+	 */
+	public void testSSLSocketEndpointIdSetNull()
+			throws java.security.NoSuchAlgorithmException, java.io.IOException {
+		SSLContext sslContext = SSLContext.getInstance("TLS");
+		final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
+		SSLSocket socket = (SSLSocket) socketFactory.createSocket();
+		SSLParameters sslParameters = socket.getSSLParameters();
+		sslParameters.setEndpointIdentificationAlgorithm(null);
+		socket.setSSLParameters(sslParameters);
+		socket.connect(new InetSocketAddress("www.example.com", 443));
+	}
+
+	/**
+	 * Test the endpoint identification of SSL socket is set to empty
+	 */
+	public void testSSLSocketEndpointIdSetEmpty()
+			throws java.security.NoSuchAlgorithmException, java.io.IOException {
+		SSLContext sslContext = SSLContext.getInstance("TLS");
+		final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
+		SSLSocket socket = (SSLSocket) socketFactory.createSocket();
+		SSLParameters sslParameters = socket.getSSLParameters();
+		sslParameters.setEndpointIdentificationAlgorithm("");
+		socket.setSSLParameters(sslParameters);
+		socket.connect(new InetSocketAddress("www.example.com", 443));
+	}
+
+	/**
+	 * Test the endpoint identification of SSL socket is not set
+	 */
+	public void testSSLSocketEndpointIdAfterConnecting()
+			throws java.security.NoSuchAlgorithmException, java.io.IOException {
+		SSLContext sslContext = SSLContext.getInstance("TLS");
+		final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
+		SSLSocket socket = (SSLSocket) socketFactory.createSocket("www.example.com", 443);
+		SSLParameters sslParameters = socket.getSSLParameters();
+		sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
+		socket.setSSLParameters(sslParameters);
+	}
+
+	/**
+	 * Test the endpoint identification of SSL socket is not set
+	 */
+	public void testSSLSocketEndpointIdSafe()
+			throws java.security.NoSuchAlgorithmException, java.io.IOException {
+		SSLContext sslContext = SSLContext.getInstance("TLS");
+		final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
+		SSLSocket socket = (SSLSocket) socketFactory.createSocket();
+		SSLParameters sslParameters = socket.getSSLParameters();
+		sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
+		socket.setSSLParameters(sslParameters);
+		socket.connect(new InetSocketAddress("www.example.com", 443));
+	}
+
 	/**
 	 * Test the endpoint identification of regular socket is not set
 	 */
@@ -54,11 +127,20 @@ public class UnsafeCertTrustTest {
 		Socket socket = socketFactory.createSocket("www.example.com", 80);
 	}
 
-	// /**
-	// * Test the enableHostnameVerification of RabbitMQConnectionFactory is not set
-	// */
-	// public void testEnableHostnameVerificationOfRabbitMQFactoryNotSet() {
-	// ConnectionFactory connectionFactory = new ConnectionFactory();
-	// connectionFactory.useSslProtocol();
-	// }
+	/**
+	 * Test the enableHostnameVerification of RabbitMQConnectionFactory is not set
+	 */
+	public void testRabbitMQFactoryEnableHostnameVerificationNotSet() throws Exception {
+		ConnectionFactory connectionFactory = new ConnectionFactory();
+		connectionFactory.useSslProtocol();
+	}
+
+	/**
+	 * Test the enableHostnameVerification of RabbitMQConnectionFactory is not set
+	 */
+	public void testRabbitMQFactorySafe() throws Exception {
+		ConnectionFactory connectionFactory = new ConnectionFactory();
+		connectionFactory.useSslProtocol();
+		connectionFactory.enableHostnameVerification();
+	}
 }

java/ql/test/query-tests/security/CWE-273/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/amqp-client-5.12.0

java/ql/test/stubs/amqp-client-5.12.0/com/rabbitmq/client/ConnectionFactory.java

@@ -0,0 +1,223 @@
+// Copyright (c) 2007-2020 VMware, Inc. or its affiliates. All rights reserved.
+//
+// This software, the RabbitMQ Java client library, is triple-licensed under the
+// Mozilla Public License 2.0 ("MPL"), the GNU General Public License version 2
+// ("GPL") and the Apache License version 2 ("ASL"). For the MPL, please see
+// LICENSE-MPL-RabbitMQ. For the GPL, please see LICENSE-GPL2. For the ASL,
+// please see LICENSE-APACHE2.
+//
+// This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND,
+// either express or implied. See the LICENSE file for specific language governing
+// rights and limitations of this software.
+//
+// If you have any questions regarding licensing, please contact us at
+// info@rabbitmq.com.
+
+package com.rabbitmq.client;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.util.*;
+import java.util.concurrent.*;
+import java.util.function.Predicate;
+import static java.util.concurrent.TimeUnit.MINUTES;
+
+public class ConnectionFactory implements Cloneable {
+  public static final int DEFAULT_CHANNEL_RPC_TIMEOUT = (int) MINUTES.toMillis(10);
+
+  public String getHost() {
+    return null;
+  }
+
+  public void setHost(String host) {}
+
+  public static int portOrDefault(int port, boolean ssl) {
+    return 0;
+  }
+
+  public int getPort() {
+    return 0;
+  }
+
+  public void setPort(int port) {}
+
+  public String getUsername() {
+    return null;
+  }
+
+  public void setUsername(String username) {}
+
+  public String getPassword() {
+    return null;
+  }
+
+  public void setPassword(String password) {}
+
+  public String getVirtualHost() {
+    return null;
+  }
+
+  public void setVirtualHost(String virtualHost) {}
+
+  public void setUri(URI uri)
+      throws URISyntaxException, NoSuchAlgorithmException, KeyManagementException {}
+
+  public void setUri(String uriString)
+      throws URISyntaxException, NoSuchAlgorithmException, KeyManagementException {}
+
+  public int getRequestedChannelMax() {
+    return 0;
+  }
+
+  public void setRequestedChannelMax(int requestedChannelMax) {}
+
+  public int getRequestedFrameMax() {
+    return 0;
+  }
+
+  public void setRequestedFrameMax(int requestedFrameMax) {}
+
+  public int getRequestedHeartbeat() {
+    return 0;
+  }
+
+  public void setConnectionTimeout(int timeout) {}
+
+  public int getConnectionTimeout() {
+    return 0;
+  }
+
+  public int getHandshakeTimeout() {
+    return 0;
+  }
+
+  public void setHandshakeTimeout(int timeout) {}
+
+  public void setShutdownTimeout(int shutdownTimeout) {}
+
+  public int getShutdownTimeout() {
+    return 0;
+  }
+
+  public void setRequestedHeartbeat(int requestedHeartbeat) {}
+
+  public Map<String, Object> getClientProperties() {
+    return null;
+  }
+
+  public void setClientProperties(Map<String, Object> clientProperties) {}
+
+  public void setSharedExecutor(ExecutorService executor) {}
+
+  public void setShutdownExecutor(ExecutorService executor) {}
+
+  public void setHeartbeatExecutor(ScheduledExecutorService executor) {}
+
+  public ThreadFactory getThreadFactory() {
+    return null;
+  }
+
+  public void setThreadFactory(ThreadFactory threadFactory) {}
+
+  public boolean isSSL() {
+    return false;
+  }
+
+  public void useSslProtocol() throws NoSuchAlgorithmException, KeyManagementException {}
+
+  public void useSslProtocol(String protocol)
+      throws NoSuchAlgorithmException, KeyManagementException {}
+
+  public void useSslProtocol(String protocol, TrustManager trustManager)
+      throws NoSuchAlgorithmException, KeyManagementException {}
+
+  public void useSslProtocol(SSLContext context) {}
+
+  public void enableHostnameVerification() {}
+
+  public static String computeDefaultTlsProtocol(String[] supportedProtocols) {
+    return null;
+  }
+
+  public boolean isAutomaticRecoveryEnabled() {
+    return false;
+  }
+
+  public void setAutomaticRecoveryEnabled(boolean automaticRecovery) {}
+
+  public boolean isTopologyRecoveryEnabled() {
+    return false;
+  }
+
+  public void setTopologyRecoveryEnabled(boolean topologyRecovery) {}
+
+  public ExecutorService getTopologyRecoveryExecutor() {
+    return null;
+  }
+
+  public void setTopologyRecoveryExecutor(final ExecutorService topologyRecoveryExecutor) {}
+
+  public ConnectionFactory load(String propertyFileLocation) throws IOException {
+    return null;
+  }
+
+  public ConnectionFactory load(String propertyFileLocation, String prefix) throws IOException {
+    return null;
+  }
+
+  public ConnectionFactory load(Properties properties) {
+    return null;
+  }
+
+  public ConnectionFactory load(Properties properties, String prefix) {
+    return null;
+  }
+
+  public ConnectionFactory load(Map<String, String> properties) {
+    return null;
+  }
+
+  public ConnectionFactory load(Map<String, String> properties, String prefix) {
+    return null;
+  }
+
+  public long getNetworkRecoveryInterval() {
+    return 0;
+  }
+
+  public void setNetworkRecoveryInterval(int networkRecoveryInterval) {}
+
+  public void setNetworkRecoveryInterval(long networkRecoveryInterval) {}
+
+  public void useNio() {}
+
+  public void useBlockingIo() {}
+
+  public void setChannelRpcTimeout(int channelRpcTimeout) {}
+
+  public int getChannelRpcTimeout() {
+    return 0;
+  }
+
+  public void setChannelShouldCheckRpcResponseType(boolean channelShouldCheckRpcResponseType) {}
+
+  public boolean isChannelShouldCheckRpcResponseType() {
+    return false;
+  }
+
+  public void setWorkPoolTimeout(int workPoolTimeout) {}
+
+  public int getWorkPoolTimeout() {
+    return 0;
+  }
+
+  public static int ensureUnsignedShort(int value) {
+    return 0;
+  }
+
+}