Example 21 with SslContextBuilder

Use of io.netty.handler.ssl.SslContextBuilder in the project dubbo by alibaba.

From the class SslContexts, method buildClientSslContext.

public static SslContext buildClientSslContext(URL url) {
    ConfigManager globalConfigManager = ApplicationModel.getConfigManager();
    SslConfig sslConfig = globalConfigManager.getSsl().orElseThrow(() -> new IllegalStateException("Ssl enabled, but no ssl cert information provided!"));
    SslContextBuilder builder = SslContextBuilder.forClient();
    InputStream clientTrustCertCollectionPath = null;
    InputStream clientCertChainFilePath = null;
    InputStream clientPrivateKeyFilePath = null;
    try {
        clientTrustCertCollectionPath = sslConfig.getClientTrustCertCollectionPathStream();
        if (clientTrustCertCollectionPath != null) {
            builder.trustManager(clientTrustCertCollectionPath);
        }
        clientCertChainFilePath = sslConfig.getClientKeyCertChainPathStream();
        clientPrivateKeyFilePath = sslConfig.getClientPrivateKeyPathStream();
        if (clientCertChainFilePath != null && clientPrivateKeyFilePath != null) {
            String password = sslConfig.getClientKeyPassword();
            if (password != null) {
                builder.keyManager(clientCertChainFilePath, clientPrivateKeyFilePath, password);
            } else {
                builder.keyManager(clientCertChainFilePath, clientPrivateKeyFilePath);
            }
        }
        if (sslConfig.getCiphers() != null) {
            builder.ciphers(sslConfig.getCiphers());
        }
        if (sslConfig.getProtocols() != null) {
            builder.protocols(sslConfig.getProtocols());
        }
    } catch (Exception e) {
        throw new IllegalArgumentException("Could not find certificate file or find invalid certificate.", e);
    } finally {
        safeCloseStream(clientTrustCertCollectionPath);
        safeCloseStream(clientCertChainFilePath);
        safeCloseStream(clientPrivateKeyFilePath);
    }
    try {
        return builder.sslProvider(findSslProvider()).build();
    } catch (SSLException e) {
        throw new IllegalStateException("Build SslSession failed.", e);
    }
}
Also used: SslConfig(org.apache.dubbo.config.SslConfig) SslContextBuilder(io.netty.handler.ssl.SslContextBuilder) InputStream(java.io.InputStream) SSLException(javax.net.ssl.SSLException) ConfigManager(org.apache.dubbo.config.context.ConfigManager) IOException(java.io.IOException)

Example 22 with SslContextBuilder

Use of io.netty.handler.ssl.SslContextBuilder in the project graylog2-server by Graylog2.

From the class AbstractTcpTransport, method buildSslHandlerCallable.

private Callable<ChannelHandler> buildSslHandlerCallable(SslProvider tlsProvider, File certFile, File keyFile, String password, ClientAuth clientAuth, File clientAuthCertFile, MessageInput input) {
    return new Callable<ChannelHandler>() {

        @Override
        public ChannelHandler call() throws Exception {
            try {
                return new SslHandler(createSslEngine(input));
            } catch (SSLException e) {
                LOG.error("Error creating SSL context. Make sure the certificate and key are in the correct format: cert=X.509 key=PKCS#8");
                throw e;
            }
        }

        private SSLEngine createSslEngine(MessageInput input) throws IOException, CertificateException, OperatorCreationException, PKCSException {
            final X509Certificate[] clientAuthCerts;
            if (EnumSet.of(ClientAuth.OPTIONAL, ClientAuth.REQUIRE).contains(clientAuth)) {
                if (clientAuthCertFile.exists()) {
                    clientAuthCerts = KeyUtil.loadX509Certificates(clientAuthCertFile.toPath());
                } else {
                    LOG.warn("Client auth configured, but no authorized certificates / certificate authorities configured for input [{}/{}]", input.getName(), input.getId());
                    clientAuthCerts = null;
                }
            } else {
                clientAuthCerts = null;
            }
            // Netty's SSLContextBuilder chokes on some PKCS8 key file formats. So we need to pass a
            // private key and keyCertChain instead of the corresponding files.
            PrivateKey privateKey = KeyUtil.privateKeyFromFile(password, keyFile);
            X509Certificate[] keyCertChain = KeyUtil.loadX509Certificates(certFile.toPath());
            final SslContextBuilder sslContext = SslContextBuilder.forServer(privateKey, keyCertChain).sslProvider(tlsProvider).clientAuth(clientAuth).trustManager(clientAuthCerts);
            sslContext.protocols(enabledTLSProtocols);
            if (tlsProvider.equals(SslProvider.OPENSSL)) {
                if (!enabledTLSProtocols.contains("TLSv1") && !enabledTLSProtocols.contains("TLSv1.1")) {
                    // Netty tcnative does not adhere to jdk.tls.disabledAlgorithms: https://github.com/netty/netty-tcnative/issues/530
                    // We need to build our own cipher list.
                    sslContext.ciphers(secureDefaultCiphers.get());
                }
            }
            // TODO: Use byte buffer allocator of channel
            return sslContext.build().newEngine(ByteBufAllocator.DEFAULT);
        }
    };
}
Also used: PrivateKey(java.security.PrivateKey) SslContextBuilder(io.netty.handler.ssl.SslContextBuilder) MessageInput(org.graylog2.plugin.inputs.MessageInput) SSLException(javax.net.ssl.SSLException) Callable(java.util.concurrent.Callable) SslHandler(io.netty.handler.ssl.SslHandler) X509Certificate(java.security.cert.X509Certificate)

Example 23 with SslContextBuilder

Use of io.netty.handler.ssl.SslContextBuilder in the project java by wavefrontHQ.

From the class SslSimpleBuilder, method build.

public SslHandler build(ByteBufAllocator bufferAllocator) throws IOException, NoSuchAlgorithmException, CertificateException {
    SslContextBuilder builder = SslContextBuilder.forServer(sslCertificateFile, sslKeyFile, passPhrase);
    if (logger.isDebugEnabled())
        logger.debug("Available ciphers:" + Arrays.toString(OpenSsl.availableOpenSslCipherSuites().toArray()));
    logger.debug("Ciphers:  " + Arrays.toString(ciphers));
    builder.ciphers(Arrays.asList(ciphers));
    if (requireClientAuth()) {
        if (logger.isDebugEnabled())
            logger.debug("Certificate Authorities: " + Arrays.toString(certificateAuthorities));
        builder.trustManager(loadCertificateCollection(certificateAuthorities));
    }
    SslContext context = builder.build();
    SslHandler sslHandler = context.newHandler(bufferAllocator);
    if (logger.isDebugEnabled())
        logger.debug("TLS: " + Arrays.toString(protocols));
    SSLEngine engine = sslHandler.engine();
    engine.setEnabledProtocols(protocols);
    if (requireClientAuth()) {
        // server is doing the handshake
        engine.setUseClientMode(false);
        if (verifyMode == SslClientVerifyMode.FORCE_PEER) {
            // Explicitly require a client certificate
            engine.setNeedClientAuth(true);
        } else if (verifyMode == SslClientVerifyMode.VERIFY_PEER) {
            // If the client supplies a client certificate, we will verify it.
            engine.setWantClientAuth(true);
        }
    }
    sslHandler.setHandshakeTimeoutMillis(handshakeTimeoutMilliseconds);
    return sslHandler;
}
Also used: SslContextBuilder(io.netty.handler.ssl.SslContextBuilder) SSLEngine(javax.net.ssl.SSLEngine) SslHandler(io.netty.handler.ssl.SslHandler) SslContext(io.netty.handler.ssl.SslContext)

Example 24 with SslContextBuilder

Use of io.netty.handler.ssl.SslContextBuilder in the project thingsboard by thingsboard.

From the class CertPemCredentials, method initSslContext.

@Override
public SslContext initSslContext() {
    try {
        Security.addProvider(new BouncyCastleProvider());
        SslContextBuilder builder = SslContextBuilder.forClient();
        if (StringUtils.hasLength(caCert)) {
            builder.trustManager(createAndInitTrustManagerFactory());
        }
        if (StringUtils.hasLength(cert) && StringUtils.hasLength(privateKey)) {
            builder.keyManager(createAndInitKeyManagerFactory());
        }
        return builder.build();
    } catch (Exception e) {
        log.error("[{}:{}] Creating TLS factory failed!", caCert, cert, e);
        throw new RuntimeException("Creating TLS factory failed!", e);
    }
}
Also used: SslContextBuilder(io.netty.handler.ssl.SslContextBuilder) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)

Example 25 with SslContextBuilder

Use of io.netty.handler.ssl.SslContextBuilder in the project grpc-java by grpc.

From the class TlsTest, method serverBuilder.

private ServerBuilder<?> serverBuilder(int port, File serverCertChainFile, File serverPrivateKeyFile, X509Certificate[] serverTrustedCaCerts) throws IOException {
    SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(serverCertChainFile, serverPrivateKeyFile);
    GrpcSslContexts.configure(sslContextBuilder, sslProvider);
    sslContextBuilder.trustManager(serverTrustedCaCerts).clientAuth(ClientAuth.REQUIRE);
    return NettyServerBuilder.forPort(port).sslContext(sslContextBuilder.build());
}
Also used: SslContextBuilder(io.netty.handler.ssl.SslContextBuilder)
