use of io.netty.handler.ssl.SslContext in project neo4j by neo4j.
the class BoltKernelExtension method newInstance.
@Override
public Lifecycle newInstance(KernelContext context, Dependencies dependencies) throws Throwable {
Config config = dependencies.config();
GraphDatabaseService gdb = dependencies.db();
GraphDatabaseAPI api = (GraphDatabaseAPI) gdb;
LogService logService = dependencies.logService();
Clock clock = dependencies.clock();
Log log = logService.getInternalLog(WorkerFactory.class);
LifeSupport life = new LifeSupport();
JobScheduler scheduler = dependencies.scheduler();
InternalLoggerFactory.setDefaultFactory(new Netty4LoggerFactory(logService.getInternalLogProvider()));
Authentication authentication = authentication(dependencies.authManager(), dependencies.userManagerSupplier());
BoltFactory boltFactory = life.add(new BoltFactoryImpl(api, dependencies.usageData(), logService, dependencies.txBridge(), authentication, dependencies.sessionTracker(), config));
WorkerFactory workerFactory = createWorkerFactory(boltFactory, scheduler, dependencies, logService, clock);
List<ProtocolInitializer> connectors = config.enabledBoltConnectors().stream().map((connConfig) -> {
ListenSocketAddress listenAddress = config.get(connConfig.listen_address);
AdvertisedSocketAddress advertisedAddress = config.get(connConfig.advertised_address);
SslContext sslCtx;
boolean requireEncryption;
final BoltConnector.EncryptionLevel encryptionLevel = config.get(connConfig.encryption_level);
switch(encryptionLevel) {
case REQUIRED:
// Encrypted connections are mandatory, a self-signed certificate may be generated.
requireEncryption = true;
sslCtx = createSslContext(config, log, advertisedAddress);
break;
case OPTIONAL:
// Encrypted connections are optional, a self-signed certificate may be generated.
requireEncryption = false;
sslCtx = createSslContext(config, log, advertisedAddress);
break;
case DISABLED:
// Encryption is turned off, no self-signed certificate will be generated.
requireEncryption = false;
sslCtx = null;
break;
default:
// In the unlikely event that we happen to fall through to the default option here,
// there is a mismatch between the BoltConnector.EncryptionLevel enum and the options
// handled in this switch statement. In this case, we'll log a warning and default to
// disabling encryption, since this mirrors the functionality introduced in 3.0.
log.warn(format("Unhandled encryption level %s - assuming DISABLED.", encryptionLevel.name()));
requireEncryption = false;
sslCtx = null;
break;
}
final Map<Long, BiFunction<Channel, Boolean, BoltProtocol>> versions = newVersions(logService, workerFactory);
return new SocketTransport(listenAddress, sslCtx, requireEncryption, logService.getInternalLogProvider(), versions);
}).collect(toList());
if (connectors.size() > 0 && !config.get(GraphDatabaseSettings.disconnected)) {
life.add(new NettyServer(scheduler.threadFactory(boltNetworkIO), connectors));
log.info("Bolt Server extension loaded.");
for (ProtocolInitializer connector : connectors) {
logService.getUserLog(WorkerFactory.class).info("Bolt enabled on %s.", connector.address());
}
}
return life;
}
use of io.netty.handler.ssl.SslContext in project pulsar by yahoo.
the class DiscoveryServiceTest method connectToService.
/**
* creates ClientHandler channel to connect and communicate with server
*
* @param serviceUrl
* @param latch
* @return
* @throws URISyntaxException
*/
public static NioEventLoopGroup connectToService(String serviceUrl, CountDownLatch latch, boolean tls) throws URISyntaxException {
NioEventLoopGroup workerGroup = new NioEventLoopGroup();
Bootstrap b = new Bootstrap();
b.group(workerGroup);
b.channel(NioSocketChannel.class);
b.handler(new ChannelInitializer<SocketChannel>() {
@Override
public void initChannel(SocketChannel ch) throws Exception {
if (tls) {
SslContextBuilder builder = SslContextBuilder.forClient();
builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
X509Certificate[] certificates = SecurityUtility.loadCertificatesFromPemFile(TLS_CLIENT_CERT_FILE_PATH);
PrivateKey privateKey = SecurityUtility.loadPrivateKeyFromPemFile(TLS_CLIENT_KEY_FILE_PATH);
builder.keyManager(privateKey, (X509Certificate[]) certificates);
SslContext sslCtx = builder.build();
ch.pipeline().addLast("tls", sslCtx.newHandler(ch.alloc()));
}
ch.pipeline().addLast(new ClientHandler(latch));
}
});
URI uri = new URI(serviceUrl);
InetSocketAddress serviceAddress = new InetSocketAddress(uri.getHost(), uri.getPort());
b.connect(serviceAddress).addListener((ChannelFuture future) -> {
if (!future.isSuccess()) {
throw new IllegalStateException(future.cause());
}
});
return workerGroup;
}
use of io.netty.handler.ssl.SslContext in project grpc-java by grpc.
the class Utils method newNettyClientChannel.
private static NettyChannelBuilder newNettyClientChannel(Transport transport, SocketAddress address, boolean tls, boolean testca, int flowControlWindow, boolean useDefaultCiphers) throws IOException {
NettyChannelBuilder builder = NettyChannelBuilder.forAddress(address).flowControlWindow(flowControlWindow);
if (tls) {
builder.negotiationType(NegotiationType.TLS);
SslContext sslContext = null;
if (testca) {
File cert = TestUtils.loadCert("ca.pem");
SslContextBuilder sslContextBuilder = GrpcSslContexts.forClient().trustManager(cert);
if (transport == Transport.NETTY_NIO) {
sslContextBuilder = GrpcSslContexts.configure(sslContextBuilder, SslProvider.JDK);
} else {
// Native transport with OpenSSL
sslContextBuilder = GrpcSslContexts.configure(sslContextBuilder, SslProvider.OPENSSL);
}
if (useDefaultCiphers) {
sslContextBuilder.ciphers(null);
}
sslContext = sslContextBuilder.build();
}
builder.sslContext(sslContext);
} else {
builder.negotiationType(NegotiationType.PLAINTEXT);
}
DefaultThreadFactory tf = new DefaultThreadFactory("client-elg-", true);
switch(transport) {
case NETTY_NIO:
builder.eventLoopGroup(new NioEventLoopGroup(0, tf)).channelType(NioSocketChannel.class);
break;
case NETTY_EPOLL:
// These classes only work on Linux.
builder.eventLoopGroup(new EpollEventLoopGroup(0, tf)).channelType(EpollSocketChannel.class);
break;
case NETTY_UNIX_DOMAIN_SOCKET:
// These classes only work on Linux.
builder.eventLoopGroup(new EpollEventLoopGroup(0, tf)).channelType(EpollDomainSocketChannel.class);
break;
default:
// Should never get here.
throw new IllegalArgumentException("Unsupported transport: " + transport);
}
return builder;
}
use of io.netty.handler.ssl.SslContext in project CorfuDB by CorfuDB.
the class CorfuServer method main.
public static void main(String[] args) {
serverRunning = true;
// Parse the options given, using docopt.
Map<String, Object> opts = new Docopt(USAGE).withVersion(GitRepositoryState.getRepositoryState().describe).parse(args);
int port = Integer.parseInt((String) opts.get("<port>"));
// Print a nice welcome message.
AnsiConsole.systemInstall();
printLogo();
System.out.println(ansi().a("Welcome to ").fg(RED).a("CORFU ").fg(MAGENTA).a("SERVER").reset());
System.out.println(ansi().a("Version ").a(Version.getVersionString()).a(" (").fg(BLUE).a(GitRepositoryState.getRepositoryState().commitIdAbbrev).reset().a(")"));
System.out.println(ansi().a("Serving on port ").fg(WHITE).a(port).reset());
System.out.println(ansi().a("Service directory: ").fg(WHITE).a((Boolean) opts.get("--memory") ? "MEMORY mode" : opts.get("--log-path")).reset());
// Pick the correct logging level before outputting error messages.
Logger root = (Logger) LoggerFactory.getLogger(Logger.ROOT_LOGGER_NAME);
switch((String) opts.get("--log-level")) {
case "ERROR":
root.setLevel(Level.ERROR);
break;
case "WARN":
root.setLevel(Level.WARN);
break;
case "INFO":
root.setLevel(Level.INFO);
break;
case "DEBUG":
root.setLevel(Level.DEBUG);
break;
case "TRACE":
root.setLevel(Level.TRACE);
break;
default:
root.setLevel(Level.INFO);
log.warn("Level {} not recognized, defaulting to level INFO", opts.get("--log-level"));
}
log.debug("Started with arguments: " + opts);
// Create the service directory if it does not exist.
if (!(Boolean) opts.get("--memory")) {
File serviceDir = new File((String) opts.get("--log-path"));
if (!serviceDir.exists()) {
if (serviceDir.mkdirs()) {
log.info("Created new service directory at {}.", serviceDir);
}
} else if (!serviceDir.isDirectory()) {
log.error("Service directory {} does not point to a directory. Aborting.", serviceDir);
throw new RuntimeException("Service directory must be a directory!");
}
}
// Now, we start the Netty router, and have it route to the correct port.
router = new NettyServerRouter(opts);
// Create a common Server Context for all servers to access.
serverContext = new ServerContext(opts, router);
// Add each role to the router.
addSequencer();
addLayoutServer();
addLogUnit();
addManagementServer();
router.baseServer.setOptionsMap(opts);
// Setup SSL if needed
Boolean tlsEnabled = (Boolean) opts.get("--enable-tls");
Boolean tlsMutualAuthEnabled = (Boolean) opts.get("--enable-tls-mutual-auth");
if (tlsEnabled) {
// Get the TLS cipher suites to enable
String ciphs = (String) opts.get("--tls-ciphers");
if (ciphs != null) {
List<String> ciphers = Pattern.compile(",").splitAsStream(ciphs).map(String::trim).collect(Collectors.toList());
enabledTlsCipherSuites = ciphers.toArray(new String[ciphers.size()]);
}
// Get the TLS protocols to enable
String protos = (String) opts.get("--tls-protocols");
if (protos != null) {
List<String> protocols = Pattern.compile(",").splitAsStream(protos).map(String::trim).collect(Collectors.toList());
enabledTlsProtocols = protocols.toArray(new String[protocols.size()]);
}
try {
sslContext = TlsUtils.enableTls(TlsUtils.SslContextType.SERVER_CONTEXT, (String) opts.get("--keystore"), e -> {
log.error("Could not load keys from the key store.");
System.exit(1);
}, (String) opts.get("--keystore-password-file"), e -> {
log.error("Could not read the key store password file.");
System.exit(1);
}, (String) opts.get("--truststore"), e -> {
log.error("Could not load keys from the trust store.");
System.exit(1);
}, (String) opts.get("--truststore-password-file"), e -> {
log.error("Could not read the trust store password file.");
System.exit(1);
});
} catch (Exception ex) {
log.error("Could not build the SSL context");
System.exit(1);
}
}
Boolean saslPlainTextAuth = (Boolean) opts.get("--enable-sasl-plain-text-auth");
// Create the event loops responsible for servicing inbound messages.
EventLoopGroup bossGroup;
EventLoopGroup workerGroup;
EventExecutorGroup ee;
bossGroup = new NioEventLoopGroup(1, new ThreadFactory() {
final AtomicInteger threadNum = new AtomicInteger(0);
@Override
public Thread newThread(Runnable r) {
Thread t = new Thread(r);
t.setName("accept-" + threadNum.getAndIncrement());
return t;
}
});
workerGroup = new NioEventLoopGroup(Runtime.getRuntime().availableProcessors() * 2, new ThreadFactory() {
final AtomicInteger threadNum = new AtomicInteger(0);
@Override
public Thread newThread(Runnable r) {
Thread t = new Thread(r);
t.setName("io-" + threadNum.getAndIncrement());
return t;
}
});
ee = new DefaultEventExecutorGroup(Runtime.getRuntime().availableProcessors() * 2, new ThreadFactory() {
final AtomicInteger threadNum = new AtomicInteger(0);
@Override
public Thread newThread(Runnable r) {
Thread t = new Thread(r);
t.setName("event-" + threadNum.getAndIncrement());
return t;
}
});
try {
ServerBootstrap b = new ServerBootstrap();
b.group(bossGroup, workerGroup).channel(NioServerSocketChannel.class).option(ChannelOption.SO_BACKLOG, 100).childOption(ChannelOption.SO_KEEPALIVE, true).childOption(ChannelOption.SO_REUSEADDR, true).childOption(ChannelOption.TCP_NODELAY, true).childOption(ChannelOption.ALLOCATOR, PooledByteBufAllocator.DEFAULT).childHandler(new ChannelInitializer<SocketChannel>() {
@Override
public void initChannel(io.netty.channel.socket.SocketChannel ch) throws Exception {
if (tlsEnabled) {
SSLEngine engine = sslContext.newEngine(ch.alloc());
engine.setEnabledCipherSuites(enabledTlsCipherSuites);
engine.setEnabledProtocols(enabledTlsProtocols);
if (tlsMutualAuthEnabled) {
engine.setNeedClientAuth(true);
}
ch.pipeline().addLast("ssl", new SslHandler(engine));
}
ch.pipeline().addLast(new LengthFieldPrepender(4));
ch.pipeline().addLast(new LengthFieldBasedFrameDecoder(Integer.MAX_VALUE, 0, 4, 0, 4));
if (saslPlainTextAuth) {
ch.pipeline().addLast("sasl/plain-text", new PlainTextSaslNettyServer());
}
ch.pipeline().addLast(ee, new NettyCorfuMessageDecoder());
ch.pipeline().addLast(ee, new NettyCorfuMessageEncoder());
ch.pipeline().addLast(ee, router);
}
});
ChannelFuture f = b.bind(port).sync();
while (true) {
try {
f.channel().closeFuture().sync();
} catch (InterruptedException ie) {
}
}
} catch (InterruptedException ie) {
} catch (Exception ex) {
log.error("Corfu server shut down unexpectedly due to exception", ex);
} finally {
bossGroup.shutdownGracefully();
workerGroup.shutdownGracefully();
}
}
use of io.netty.handler.ssl.SslContext in project pravega by pravega.
the class ConnectionFactoryImpl method establishConnection.
@Override
public CompletableFuture<ClientConnection> establishConnection(PravegaNodeUri location, ReplyProcessor rp) {
Preconditions.checkNotNull(location);
Exceptions.checkNotClosed(closed.get(), this);
final SslContext sslCtx;
if (clientConfig.isEnableTls()) {
try {
SslContextBuilder sslCtxFactory = SslContextBuilder.forClient();
if (Strings.isNullOrEmpty(clientConfig.getTrustStore())) {
sslCtxFactory = sslCtxFactory.trustManager(FingerprintTrustManagerFactory.getInstance(FingerprintTrustManagerFactory.getDefaultAlgorithm()));
} else {
sslCtxFactory = SslContextBuilder.forClient().trustManager(new File(clientConfig.getTrustStore()));
}
sslCtx = sslCtxFactory.build();
} catch (SSLException | NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
} else {
sslCtx = null;
}
AppendBatchSizeTracker batchSizeTracker = new AppendBatchSizeTrackerImpl();
ClientConnectionInboundHandler handler = new ClientConnectionInboundHandler(location.getEndpoint(), rp, batchSizeTracker);
Bootstrap b = new Bootstrap();
b.group(group).channel(nio ? NioSocketChannel.class : EpollSocketChannel.class).option(ChannelOption.TCP_NODELAY, true).handler(new ChannelInitializer<SocketChannel>() {
@Override
public void initChannel(SocketChannel ch) throws Exception {
ChannelPipeline p = ch.pipeline();
if (sslCtx != null) {
SslHandler sslHandler = sslCtx.newHandler(ch.alloc(), location.getEndpoint(), location.getPort());
if (clientConfig.isValidateHostName()) {
SSLEngine sslEngine = sslHandler.engine();
SSLParameters sslParameters = sslEngine.getSSLParameters();
sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
sslEngine.setSSLParameters(sslParameters);
}
p.addLast(sslHandler);
}
// p.addLast(new LoggingHandler(LogLevel.INFO));
p.addLast(new ExceptionLoggingHandler(location.getEndpoint()), new CommandEncoder(batchSizeTracker), new LengthFieldBasedFrameDecoder(WireCommands.MAX_WIRECOMMAND_SIZE, 4, 4), new CommandDecoder(), handler);
}
});
// Start the client.
CompletableFuture<ClientConnection> connectionComplete = new CompletableFuture<>();
try {
b.connect(location.getEndpoint(), location.getPort()).addListener(new ChannelFutureListener() {
@Override
public void operationComplete(ChannelFuture future) {
if (future.isSuccess()) {
// since ChannelFuture is complete future.channel() is not a blocking call.
Channel ch = future.channel();
log.debug("Connect operation completed for channel:{}, local address:{}, remote address:{}", ch.id(), ch.localAddress(), ch.remoteAddress());
// Once a channel is closed the channel group implementation removes it.
allChannels.add(ch);
connectionComplete.complete(handler);
} else {
connectionComplete.completeExceptionally(new ConnectionFailedException(future.cause()));
}
}
});
} catch (Exception e) {
connectionComplete.completeExceptionally(new ConnectionFailedException(e));
}
// check if channel is registered.
CompletableFuture<Void> channelRegisteredFuture = new CompletableFuture<>();
handler.completeWhenRegistered(channelRegisteredFuture);
return connectionComplete.thenCombine(channelRegisteredFuture, (clientConnection, v) -> clientConnection);
}
Aggregations