
Example 1 with ReferenceCountedOpenSslContext

Use of io.netty.handler.ssl.ReferenceCountedOpenSslContext in project netty by netty.

From class OcspClientExample, method main.

import io.netty.bootstrap.Bootstrap;
import io.netty.channel.Channel;
import io.netty.channel.ChannelOption;
import io.netty.channel.EventLoopGroup;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.nio.NioSocketChannel;
import io.netty.handler.codec.http.FullHttpResponse;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.ReferenceCountedOpenSslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.util.ReferenceCountUtil;
import io.netty.util.concurrent.Promise;

public static void main(String[] args) throws Exception {
    // OCSP stapling in Netty requires the OpenSSL (netty-tcnative) provider,
    // so bail out early if it is missing or was built without OCSP support.
    if (!OpenSsl.isAvailable()) {
        throw new IllegalStateException("OpenSSL is not available!");
    }
    if (!OpenSsl.isOcspSupported()) {
        throw new IllegalStateException("OCSP is not supported!");
    }
    // Using Wikipedia as an example. I'd rather use Netty's own website
    // but the server (Cloudflare) doesn't support OCSP stapling. A few
    // other examples could be Microsoft or Squarespace. Use OpenSSL's
    // CLI client to assess if a server supports OCSP stapling. E.g.:
    //
    // openssl s_client -tlsextdebug -status -connect www.squarespace.com:443
    //
    String host = "www.wikipedia.org";
    // enableOcsp(true) is only honoured by SslProvider.OPENSSL, which is why the
    // built context can be cast to ReferenceCountedOpenSslContext.
    ReferenceCountedOpenSslContext context = (ReferenceCountedOpenSslContext) SslContextBuilder.forClient()
            .sslProvider(SslProvider.OPENSSL)
            .enableOcsp(true)
            .build();
    try {
        EventLoopGroup group = new NioEventLoopGroup();
        try {
            Promise<FullHttpResponse> promise = group.next().newPromise();
            // newClientHandler(...) is defined elsewhere in OcspClientExample (not shown here).
            Bootstrap bootstrap = new Bootstrap()
                    .channel(NioSocketChannel.class)
                    .group(group)
                    .option(ChannelOption.CONNECT_TIMEOUT_MILLIS, 5 * 1000)
                    .handler(newClientHandler(context, host, promise));
            Channel channel = bootstrap.connect(host, 443).syncUninterruptibly().channel();
            try {
                FullHttpResponse response = promise.get();
                ReferenceCountUtil.release(response);
            } finally {
                channel.close();
            }
        } finally {
            group.shutdownGracefully();
        }
    } finally {
        // The OpenSSL context is reference counted and backed by native memory;
        // release it explicitly rather than relying on garbage collection.
        context.release();
    }
}
Also used: NioSocketChannel (io.netty.channel.socket.nio.NioSocketChannel), ReferenceCountedOpenSslContext (io.netty.handler.ssl.ReferenceCountedOpenSslContext), EventLoopGroup (io.netty.channel.EventLoopGroup), NioEventLoopGroup (io.netty.channel.nio.NioEventLoopGroup), Channel (io.netty.channel.Channel), Bootstrap (io.netty.bootstrap.Bootstrap), FullHttpResponse (io.netty.handler.codec.http.FullHttpResponse)

Example 2 with ReferenceCountedOpenSslContext

Use of io.netty.handler.ssl.ReferenceCountedOpenSslContext in project dubbo by alibaba.

From class SslContextsTest, method testSslContextsItem.

import java.lang.reflect.Field;
import java.util.Arrays;
import java.util.List;
import io.netty.handler.ssl.JdkSslContext;
import io.netty.handler.ssl.OpenSslContext;
import io.netty.handler.ssl.ReferenceCountedOpenSslContext;
import io.netty.handler.ssl.SslContext;
import org.apache.dubbo.config.SslConfig;
import org.apache.dubbo.config.context.ConfigManager;
import org.apache.dubbo.rpc.model.ApplicationModel;
import org.junit.jupiter.api.Assertions;

// Checks that the cipher and protocol lists set on the global SslConfig are carried
// into the SslContext built by SslContexts (the class under test), whichever provider
// Netty selects. Note that the cipher below is a TLS 1.2 suite name (TLS 1.3 suites are
// named TLS_AES_128_GCM_SHA256 etc.), so this only tests propagation, not negotiation.
protected void testSslContextsItem() throws NoSuchFieldException, IllegalAccessException {
    String cipher = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
    String protocol = "TLSv1.3";
    ConfigManager globalConfigManager = ApplicationModel.getConfigManager();
    SslConfig sslConfig = new SslConfig();
    sslConfig.setCiphers(Arrays.asList(cipher));
    sslConfig.setProtocols(Arrays.asList(protocol));
    globalConfigManager.setSsl(sslConfig);
    SslContext sslContext = SslContexts.buildClientSslContext(null);
    if (sslContext instanceof JdkSslContext) {
        JdkSslContext jdkSslContext = (JdkSslContext) sslContext;
        List<String> cipherSuites = jdkSslContext.cipherSuites();
        Assertions.assertTrue(cipherSuites.size() == 1 && cipherSuites.get(0).equals(cipher));
        // The enabled protocols are not exposed through the public API, so read the private field.
        Field protocols = JdkSslContext.class.getDeclaredField("protocols");
        protocols.setAccessible(true);
        String[] item = (String[]) protocols.get(jdkSslContext);
        Assertions.assertTrue(item.length == 1 && item[0].equals(protocol));
    } else if (sslContext instanceof OpenSslContext) {
        OpenSslContext openSslContext = (OpenSslContext) sslContext;
        Assertions.assertTrue(openSslContext instanceof ReferenceCountedOpenSslContext);
        List<String> cipherSuites = openSslContext.cipherSuites();
        Assertions.assertTrue(cipherSuites.size() == 1 && cipherSuites.get(0).equals(cipher));
        Field protocols = ReferenceCountedOpenSslContext.class.getDeclaredField("protocols");
        protocols.setAccessible(true);
        final String[] item = (String[]) protocols.get(openSslContext);
        Assertions.assertTrue(item.length == 1 && item[0].equals(protocol));
    } else {
        // Added guard: without it the test passes vacuously for any other SslContext subtype.
        Assertions.fail("Unexpected SslContext type: " + sslContext.getClass().getName());
    }
}
Also used: Field (java.lang.reflect.Field), SslConfig (org.apache.dubbo.config.SslConfig), ReferenceCountedOpenSslContext (io.netty.handler.ssl.ReferenceCountedOpenSslContext), JdkSslContext (io.netty.handler.ssl.JdkSslContext), OpenSslContext (io.netty.handler.ssl.OpenSslContext), List (java.util.List), ConfigManager (org.apache.dubbo.config.context.ConfigManager), SslContext (io.netty.handler.ssl.SslContext)

Example 3 with ReferenceCountedOpenSslContext

Use of io.netty.handler.ssl.ReferenceCountedOpenSslContext in project netty by netty.

From class OcspServerExample, method main.

import java.math.BigInteger;
import java.net.URI;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.concurrent.TimeUnit;
import io.netty.bootstrap.ServerBootstrap;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.ReferenceCountedOpenSslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import org.bouncycastle.asn1.ocsp.OCSPResponseStatus;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.SingleResp;

// parseCertificates, OcspUtils and OcspRequestBuilder are helpers from the same
// example package and are not shown here.
public static void main(String[] args) throws Exception {
    // We assume there's a private key.
    PrivateKey privateKey = null;
    // Step 1: Load the certificate chain for netty.io. We'll need the certificate
    // and the issuer's certificate and we don't need any of the intermediate certs.
    // The array is assumed to be a certain order to keep things simple.
    X509Certificate[] keyCertChain = parseCertificates(OcspServerExample.class, "netty_io_chain.pem");
    X509Certificate certificate = keyCertChain[0];
    X509Certificate issuer = keyCertChain[keyCertChain.length - 1];
    // Step 2: We need the URL of the CA's OCSP responder server. It's somewhere encoded
    // into the certificate (the Authority Information Access extension). Notice that it's an HTTP URL.
    URI uri = OcspUtils.ocspUri(certificate);
    System.out.println("OCSP Responder URI: " + uri);
    if (uri == null) {
        throw new IllegalStateException("The CA/certificate doesn't have an OCSP responder");
    }
    // Step 3: Construct the OCSP request
    OCSPReq request = new OcspRequestBuilder().certificate(certificate).issuer(issuer).build();
    // Step 4: Do the request to the CA's OCSP responder
    OCSPResp response = OcspUtils.request(uri, request, 5L, TimeUnit.SECONDS);
    if (response.getStatus() != OCSPResponseStatus.SUCCESSFUL) {
        throw new IllegalStateException("response-status=" + response.getStatus());
    }
    // Step 5: Is my certificate any good or has the CA revoked it?
    // In BouncyCastle CertificateStatus.GOOD is represented as null, hence the null checks below.
    // Note that this example does not verify the responder's signature on basicResponse
    // (BasicOCSPResp.isSignatureValid) or the thisUpdate/nextUpdate window; a production
    // server must do both before stapling the response to its TLS handshake.
    BasicOCSPResp basicResponse = (BasicOCSPResp) response.getResponseObject();
    SingleResp first = basicResponse.getResponses()[0];
    CertificateStatus status = first.getCertStatus();
    System.out.println("Status: " + (status == CertificateStatus.GOOD ? "Good" : status));
    System.out.println("This Update: " + first.getThisUpdate());
    System.out.println("Next Update: " + first.getNextUpdate());
    if (status != null) {
        throw new IllegalStateException("certificate-status=" + status);
    }
    // Make sure the response actually answers for our certificate and not some other serial.
    BigInteger certSerial = certificate.getSerialNumber();
    BigInteger ocspSerial = first.getCertID().getSerialNumber();
    if (!certSerial.equals(ocspSerial)) {
        throw new IllegalStateException("Bad Serials=" + certSerial + " vs. " + ocspSerial);
    }
    if (!OpenSsl.isAvailable()) {
        throw new IllegalStateException("OpenSSL is not available!");
    }
    if (!OpenSsl.isOcspSupported()) {
        throw new IllegalStateException("OCSP is not supported!");
    }
    if (privateKey == null) {
        throw new IllegalStateException("Because we don't have a PrivateKey we can't continue past this point.");
    }
    ReferenceCountedOpenSslContext context = (ReferenceCountedOpenSslContext) SslContextBuilder
            .forServer(privateKey, keyCertChain)
            .sslProvider(SslProvider.OPENSSL)
            .enableOcsp(true)
            .build();
    try {
        // newServerHandler(...) is defined elsewhere in OcspServerExample (not shown here).
        ServerBootstrap bootstrap = new ServerBootstrap().childHandler(newServerHandler(context, response));
        // so on and so forth...
    } finally {
        // Release the reference-counted native context.
        context.release();
    }
}
Also used: PrivateKey (java.security.PrivateKey), CertificateStatus (org.bouncycastle.cert.ocsp.CertificateStatus), URI (java.net.URI), X509Certificate (java.security.cert.X509Certificate), ServerBootstrap (io.netty.bootstrap.ServerBootstrap), OCSPResp (org.bouncycastle.cert.ocsp.OCSPResp), BasicOCSPResp (org.bouncycastle.cert.ocsp.BasicOCSPResp), ReferenceCountedOpenSslContext (io.netty.handler.ssl.ReferenceCountedOpenSslContext), OCSPReq (org.bouncycastle.cert.ocsp.OCSPReq), BigInteger (java.math.BigInteger), SingleResp (org.bouncycastle.cert.ocsp.SingleResp)

Example 4 with ReferenceCountedOpenSslContext

Use of io.netty.handler.ssl.ReferenceCountedOpenSslContext in project zuul by Netflix.

From class BaseSslContextFactory, method configureOpenSslStatsMetrics.

import io.netty.handler.ssl.OpenSslSessionStats;
import io.netty.handler.ssl.ReferenceCountedOpenSslContext;
import io.netty.handler.ssl.SslContext;

// openSslStatGauge(...) is a helper defined elsewhere in BaseSslContextFactory (not shown
// here) that registers one gauge per counter, tagged with sslContextId.
public void configureOpenSslStatsMetrics(SslContext sslContext, String sslContextId) {
    // Setup metrics tracking the OpenSSL stats. Session statistics are only available
    // from the OpenSSL provider, so the JDK provider is silently skipped.
    if (sslContext instanceof ReferenceCountedOpenSslContext) {
        OpenSslSessionStats stats = ((ReferenceCountedOpenSslContext) sslContext).sessionContext().stats();
        // Handshake counters: total/successful/renegotiated accepts and connects.
        openSslStatGauge(stats, sslContextId, "accept", OpenSslSessionStats::accept);
        openSslStatGauge(stats, sslContextId, "accept_good", OpenSslSessionStats::acceptGood);
        openSslStatGauge(stats, sslContextId, "accept_renegotiate", OpenSslSessionStats::acceptRenegotiate);
        openSslStatGauge(stats, sslContextId, "number", OpenSslSessionStats::number);
        openSslStatGauge(stats, sslContextId, "connect", OpenSslSessionStats::connect);
        openSslStatGauge(stats, sslContextId, "connect_good", OpenSslSessionStats::connectGood);
        openSslStatGauge(stats, sslContextId, "connect_renegotiate", OpenSslSessionStats::connectRenegotiate);
        // Session-cache counters: cache_full and timeouts signal cache pressure.
        openSslStatGauge(stats, sslContextId, "hits", OpenSslSessionStats::hits);
        openSslStatGauge(stats, sslContextId, "cb_hits", OpenSslSessionStats::cbHits);
        openSslStatGauge(stats, sslContextId, "misses", OpenSslSessionStats::misses);
        openSslStatGauge(stats, sslContextId, "timeouts", OpenSslSessionStats::timeouts);
        openSslStatGauge(stats, sslContextId, "cache_full", OpenSslSessionStats::cacheFull);
        // Session-ticket counters: a rising ticket_key_fail points at a key-rotation problem.
        openSslStatGauge(stats, sslContextId, "ticket_key_fail", OpenSslSessionStats::ticketKeyFail);
        openSslStatGauge(stats, sslContextId, "ticket_key_new", OpenSslSessionStats::ticketKeyNew);
        openSslStatGauge(stats, sslContextId, "ticket_key_renew", OpenSslSessionStats::ticketKeyRenew);
        openSslStatGauge(stats, sslContextId, "ticket_key_resume", OpenSslSessionStats::ticketKeyResume);
    }
}
Also used: ReferenceCountedOpenSslContext (io.netty.handler.ssl.ReferenceCountedOpenSslContext), OpenSslSessionStats (io.netty.handler.ssl.OpenSslSessionStats)
