Example 1 with InsecureTlsPolicy

use of com.intel.mtwilson.tls.InsecureTlsPolicy in project OpenAttestation by OpenAttestation.

From the class ApacheHttpClient, method createTlsPolicy:

/**
 * Used in Mt Wilson 1.1
 *
 * If the configuration mentions a specific TLS Policy (new in 1.1) that
 * one is used, otherwise the trusted certificate and verify hostname
 * settings used in 1.0-RC2 are used to choose an appropriate TLS Policy.
 *
 * XXX should this go into a TlsPolicyFactory class in the http-authorization project?
 *
 * @param config
 * @param sslKeystore
 * @return
 */
private ApacheTlsPolicy createTlsPolicy(Configuration config, SimpleKeystore sslKeystore) {
    String tlsPolicyName = config.getString("mtwilson.api.ssl.policy");
    if (tlsPolicyName == null) {
        // no 1.1 policy name, so use 1.0-RC2 settings to pick a policy
        boolean requireTrustedCertificate = config.getBoolean("mtwilson.api.ssl.requireTrustedCertificate", true);
        boolean verifyHostname = config.getBoolean("mtwilson.api.ssl.verifyHostname", true);
        if (requireTrustedCertificate && verifyHostname) {
            log.warn("Using TLS Policy TRUST_CA_VERIFY_HOSTNAME");
            return new TrustCaAndVerifyHostnameTlsPolicy(new KeystoreCertificateRepository(sslKeystore));
        } else if (requireTrustedCertificate && !verifyHostname) {
            // two choices: trust first certificate or trust known certificate;  we choose trust first certificate as a usability default
            // furthermore we assume that the api client keystore is a server-specific keystore (it's a client configured for a specific mt wilson server)
            // that either has a server instance ssl cert or a cluster ssl cert.  either should work.
            log.warn("Using TLS Policy TRUST_FIRST_CERTIFICATE");
            return new TrustFirstCertificateTlsPolicy(new KeystoreCertificateRepository(sslKeystore));
        } else {
            // !requireTrustedCertificate && (verifyHostname || !verifyHostname)
            log.warn("Using TLS Policy TRUST_FIRST_INSECURE");
            return new InsecureTlsPolicy();
        }
    } else if (tlsPolicyName.equals("TRUST_CA_VERIFY_HOSTNAME")) {
        log.info("TLS Policy: TRUST_CA_VERIFY_HOSTNAME");
        return new TrustCaAndVerifyHostnameTlsPolicy(new KeystoreCertificateRepository(sslKeystore));
    } else if (tlsPolicyName.equals("TRUST_FIRST_CERTIFICATE")) {
        log.info("TLS Policy: TRUST_FIRST_CERTIFICATE");
        return new TrustFirstCertificateTlsPolicy(new KeystoreCertificateRepository(sslKeystore));
    } else if (tlsPolicyName.equals("TRUST_KNOWN_CERTIFICATE")) {
        log.info("TLS Policy: TRUST_KNOWN_CERTIFICATE");
        return new TrustKnownCertificateTlsPolicy(new KeystoreCertificateRepository(sslKeystore));
    } else if (tlsPolicyName.equals("INSECURE")) {
        log.warn("TLS Policy: INSECURE");
        return new InsecureTlsPolicy();
    } else {
        // unrecognized 1.1 policy defined, so use a secure default
        log.error("Unknown TLS Policy Name: {}", tlsPolicyName);
        return new TrustCaAndVerifyHostnameTlsPolicy(new KeystoreCertificateRepository(sslKeystore));
    }
}
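The decision table above has two properties a practitioner auditing an Mt Wilson client config should notice. First, on the legacy path (no mtwilson.api.ssl.policy set) requireTrustedCertificate=false selects InsecureTlsPolicy no matter what verifyHostname says, and the name it logs, TRUST_FIRST_INSECURE, is not one of the four names the explicit path accepts. Second, TRUST_KNOWN_CERTIFICATE is reachable only by naming it explicitly; the two legacy booleans can never select it. The following added Python script is not OpenAttestation code: it re-implements the same branches over a parsed .properties file and reports the policy the client would actually get, with constructed weak and hardened sample configs. The property reader and the accepted boolean spellings (true/yes/on, false/no/off) are assumptions; the real Java configuration loader may accept more.

```python
"""Audit an Mt Wilson API-client properties file for the TLS policy that
createTlsPolicy would select.  Added example modelling the Java logic above;
not OpenAttestation code.  The .properties reader and the boolean spellings
accepted by to_bool are assumptions about the real configuration loader."""

POLICY_KEY = "mtwilson.api.ssl.policy"
REQUIRE_TRUSTED_KEY = "mtwilson.api.ssl.requireTrustedCertificate"
VERIFY_HOSTNAME_KEY = "mtwilson.api.ssl.verifyHostname"

# Names accepted on the explicit (1.1) path, with the risk an auditor assigns.
POLICY_RISK = {
    "TRUST_CA_VERIFY_HOSTNAME": "ok",    # chain to a trusted CA plus hostname check
    "TRUST_KNOWN_CERTIFICATE": "ok",     # pinned certificate from the keystore
    "TRUST_FIRST_CERTIFICATE": "warn",   # trust-on-first-use: first peer seen wins
    "INSECURE": "fail",                  # no certificate validation at all
}


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def to_bool(value, default):
    """Mimic config.getBoolean(key, default): missing -> default, else parse.
    Assumption: true/yes/on and false/no/off are accepted, case-insensitively."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in ("true", "yes", "on"):
        return True
    if v in ("false", "no", "off"):
        return False
    raise ValueError("not a boolean: %r" % value)


def effective_tls_policy(props):
    """Return (policy_name, how_chosen), branch for branch with createTlsPolicy."""
    name = props.get(POLICY_KEY)
    if name is None:
        # No 1.1 policy name: the two 1.0-RC2 booleans pick the policy.
        require_trusted = to_bool(props.get(REQUIRE_TRUSTED_KEY), True)
        verify_hostname = to_bool(props.get(VERIFY_HOSTNAME_KEY), True)
        if require_trusted and verify_hostname:
            return "TRUST_CA_VERIFY_HOSTNAME", "legacy"
        if require_trusted:
            return "TRUST_FIRST_CERTIFICATE", "legacy"
        # requireTrustedCertificate=false lands here whatever verifyHostname says.
        return "INSECURE", "legacy"
    if name in POLICY_RISK:
        return name, "explicit"
    # Unrecognised name: the Java code logs an error and uses the secure default.
    return "TRUST_CA_VERIFY_HOSTNAME", "unknown-name-fallback"


def audit(text):
    """Parse a properties file and explain the TLS policy it will get."""
    props = parse_properties(text)
    policy, how = effective_tls_policy(props)
    findings = []
    if how == "legacy":
        findings.append("no %s set; 1.0-RC2 booleans decide the policy" % POLICY_KEY)
    if how == "unknown-name-fallback":
        findings.append("unknown %s=%r; secure default used, check the error log"
                        % (POLICY_KEY, props[POLICY_KEY]))
    if policy == "INSECURE" and how == "legacy" and to_bool(props.get(VERIFY_HOSTNAME_KEY), True):
        findings.append("%s=true has no effect once %s=false"
                        % (VERIFY_HOSTNAME_KEY, REQUIRE_TRUSTED_KEY))
    if policy == "TRUST_FIRST_CERTIFICATE":
        findings.append("trust-on-first-use: a peer in the path at first contact is trusted thereafter")
    if policy == "INSECURE":
        findings.append("server identity is never checked; any MITM can impersonate Mt Wilson")
    return {"policy": policy, "how": how, "risk": POLICY_RISK[policy], "findings": findings}


# Constructed sample configs (not taken from the project).
WEAK_CONFIG = """\
# legacy-style client config: asks for hostname checks but disables cert trust
mtwilson.api.ssl.requireTrustedCertificate=false
mtwilson.api.ssl.verifyHostname=true
"""

HARDENED_CONFIG = """\
mtwilson.api.ssl.policy=TRUST_CA_VERIFY_HOSTNAME
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```

Running the script reports the weak config as INSECURE with a finding that verifyHostname=true is ignored, and the hardened config as TRUST_CA_VERIFY_HOSTNAME with no findings. Setting mtwilson.api.ssl.policy explicitly is the safer choice in any case, because the legacy booleans default to the secure policy only while both keys stay absent or true.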
Also used:
TrustFirstCertificateTlsPolicy (com.intel.mtwilson.tls.TrustFirstCertificateTlsPolicy)
TrustKnownCertificateTlsPolicy (com.intel.mtwilson.tls.TrustKnownCertificateTlsPolicy)
KeystoreCertificateRepository (com.intel.mtwilson.tls.KeystoreCertificateRepository)
TrustCaAndVerifyHostnameTlsPolicy (com.intel.mtwilson.tls.TrustCaAndVerifyHostnameTlsPolicy)
InsecureTlsPolicy (com.intel.mtwilson.tls.InsecureTlsPolicy)

Aggregations

InsecureTlsPolicy (com.intel.mtwilson.tls.InsecureTlsPolicy) 1
KeystoreCertificateRepository (com.intel.mtwilson.tls.KeystoreCertificateRepository) 1
TrustCaAndVerifyHostnameTlsPolicy (com.intel.mtwilson.tls.TrustCaAndVerifyHostnameTlsPolicy) 1
TrustFirstCertificateTlsPolicy (com.intel.mtwilson.tls.TrustFirstCertificateTlsPolicy) 1
TrustKnownCertificateTlsPolicy (com.intel.mtwilson.tls.TrustKnownCertificateTlsPolicy) 1