use of io.netty.handler.ssl.SslContextBuilder in project jetcd by coreos.
the class ClientBuilder method sslContext.
/**
 * Configures the SSL/TLS context for this client, starting from the builder returned by
 * {@link GrpcSslContexts#forClient} and letting the caller customize it before it is built.
 *
 * <p>The consumer has full control over the builder, including trust and key material. The
 * trust settings it applies (or leaves untouched) therefore decide which server certificates
 * this client accepts; callers should review any consumer that replaces the trust manager.
 *
 * @param consumer the SslContextBuilder consumer; it is invoked once, before the context is built
 * @return this builder
 * @throws SSLException if the SslContextBuilder fails to build the context
 */
public ClientBuilder sslContext(Consumer<SslContextBuilder> consumer) throws SSLException {
    // Start from the gRPC client defaults rather than from a bare Netty builder.
    final SslContextBuilder clientContextBuilder = GrpcSslContexts.forClient();

    // Caller-supplied customization runs on top of those defaults.
    consumer.accept(clientContextBuilder);

    // Delegate to the overload that takes the finished context.
    return sslContext(clientContextBuilder.build());
}
use of io.netty.handler.ssl.SslContextBuilder in project dubbo by alibaba.
the class GrpcOptionsUtils method buildClientSslContext.
/**
 * Builds the client-side {@link SslContext} for gRPC from the globally configured
 * {@link SslConfig}.
 *
 * <p>Trust material and the client key pair are read from streams supplied by the config, and
 * all three streams are closed before the context is built. The {@code url} argument is not
 * read anywhere in this method.
 *
 * @param url the service URL (unused here)
 * @return the built client context
 * @throws IllegalStateException if no SSL config is registered, or if building the context fails
 * @throws IllegalArgumentException if loading the trust or key material fails for any reason
 */
private static SslContext buildClientSslContext(URL url) {
    SslConfig sslConfig = ApplicationModel.getConfigManager().getSsl()
        .orElseThrow(() -> new IllegalStateException("Ssl enabled, but no ssl cert information provided!"));

    SslContextBuilder contextBuilder = GrpcSslContexts.forClient();
    InputStream trustedCerts = null;
    InputStream certChain = null;
    InputStream privateKey = null;
    try {
        // Trust anchors are only overridden when the config supplies a collection.
        // NOTE(review): with no collection the builder keeps whatever trust default
        // GrpcSslContexts.forClient() set up (presumably the platform trust store) - confirm
        // that is the intended fallback for this deployment.
        trustedCerts = sslConfig.getClientTrustCertCollectionPathStream();
        if (trustedCerts != null) {
            contextBuilder.trustManager(trustedCerts);
        }

        certChain = sslConfig.getClientKeyCertChainPathStream();
        privateKey = sslConfig.getClientPrivateKeyPathStream();

        // A client identity is installed only when BOTH the chain and the key are present.
        // NOTE(review): if just one of the two is configured the method carries on without a
        // client certificate and reports nothing - a half-configured mutual-TLS setup would
        // only surface later as a handshake failure.
        boolean hasClientIdentity = certChain != null && privateKey != null;
        if (hasClientIdentity) {
            String keyPassword = sslConfig.getClientKeyPassword();
            if (keyPassword == null) {
                contextBuilder.keyManager(certChain, privateKey);
            } else {
                contextBuilder.keyManager(certChain, privateKey, keyPassword);
            }
        }
    } catch (Exception e) {
        // Every failure while loading material is reported the same way; the cause is preserved.
        throw new IllegalArgumentException("Could not find certificate file or find invalid certificate.", e);
    } finally {
        // Streams may still be null here; closing is left to safeCloseStream.
        safeCloseStream(trustedCerts);
        safeCloseStream(certChain);
        safeCloseStream(privateKey);
    }

    try {
        return contextBuilder.build();
    } catch (SSLException e) {
        throw new IllegalStateException("Build SslSession failed.", e);
    }
}
use of io.netty.handler.ssl.SslContextBuilder in project cxf by apache.
the class NettyHttpServletPipelineFactory method configureServerHttp2SSLOnDemand.
/**
 * Creates the Netty {@link SslContext} used for HTTP/2 over TLS from
 * {@code tlsServerParameters}.
 *
 * <p>Only the first configured KeyManager and the first configured TrustManager are handed to
 * the builder. Client authentication is set to REQUIRE or OPTIONAL when the corresponding flag
 * is set on the parameters; otherwise the builder's default is kept.
 *
 * @return the built server context, or {@code null} when no TLS server parameters are set
 * @throws IllegalStateException if no KeyManager is configured
 * @throws Exception if any of the helper or builder calls used here fails
 */
private SslContext configureServerHttp2SSLOnDemand() throws Exception {
    // Without TLS parameters there is nothing to build; callers receive null.
    if (tlsServerParameters == null) {
        return null;
    }

    final SSLContextInitParameters initParams = SSLUtils.getSSLContextInitParameters(tlsServerParameters);
    // Use only JDK provider for now, leaving OpenSsl as an option
    final SslProvider provider = SslProvider.JDK;

    final KeyManager[] keyManagers = initParams.getKeyManagers();
    final boolean noKeyManagers = keyManagers == null || keyManagers.length == 0;
    if (noKeyManagers) {
        throw new IllegalStateException("No KeyManagers are configured, unable "
            + "to create Netty's SslContext instance");
    }

    // The cipher list is derived from the configured suites/filter, the JDK defaults and the
    // Http2SecurityUtil.CIPHERS list; the selection itself happens in getCiphersuitesToInclude.
    final String[] cipherSuites = org.apache.cxf.configuration.jsse.SSLUtils.getCiphersuitesToInclude(
        tlsServerParameters.getCipherSuites(),
        tlsServerParameters.getCipherSuitesFilter(),
        SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites(),
        Http2SecurityUtil.CIPHERS.toArray(new String[] {}),
        LOG);

    // NOTE(review): only keyManagers[0] is used; any further configured KeyManagers are ignored.
    final SslContextBuilder builder = SslContextBuilder.forServer(keyManagers[0])
        .sslProvider(provider)
        .ciphers(Arrays.asList(cipherSuites), SupportedCipherSuiteFilter.INSTANCE);

    final ApplicationProtocolConfig alpnConfig = new ApplicationProtocolConfig(
        Protocol.ALPN,
        // NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK providers.
        SelectorFailureBehavior.NO_ADVERTISE,
        // ACCEPT is currently the only mode supported by both OpenSsl and JDK providers.
        SelectedListenerFailureBehavior.ACCEPT,
        ApplicationProtocolNames.HTTP_2,
        ApplicationProtocolNames.HTTP_1_1);
    builder.applicationProtocolConfig(alpnConfig);

    // Trust material is optional; as with key managers, only the first entry is used.
    final TrustManager[] trustManagers = initParams.getTrustManagers();
    if (trustManagers != null && trustManagers.length > 0) {
        builder.trustManager(trustManagers[0]);
    }

    // "required" takes precedence over "want". When neither flag is set, clientAuth is left
    // at the builder's default, so client certificates are not enforced by this method.
    final ClientAuthentication clientAuth = tlsServerParameters.getClientAuthentication();
    if (clientAuth != null) {
        final boolean certificateRequired = clientAuth.isSetRequired() && clientAuth.isRequired();
        if (certificateRequired) {
            builder.clientAuth(ClientAuth.REQUIRE);
        } else if (clientAuth.isSetWant() && clientAuth.isWant()) {
            builder.clientAuth(ClientAuth.OPTIONAL);
        }
    }

    return builder.build();
}
use of io.netty.handler.ssl.SslContextBuilder in project grpc-java by grpc.
the class DynamicSslContextProvider method updateSslContext.
/**
 * Rebuilds {@code sslContext} and hands the new context to every pending callback.
 *
 * <p>This gets called only when the requested secrets are ready. The context is built and the
 * pending callbacks are cloned and cleared while holding the {@code pendingCallbacks} monitor;
 * the callbacks themselves are invoked after the monitor is released, on the local copies.
 *
 * @throws RuntimeException wrapping any exception raised here, after it has been reported
 *     through {@code onError}
 */
protected final void updateSslContext() {
    try {
        CertificateValidationContext validationContext = generateCertificateValidationContext();
        SslContextBuilder contextBuilder = getSslContextBuilder(validationContext);

        // ALPN is configured only when the common TLS context lists at least one protocol.
        CommonTlsContext tlsContext = getCommonTlsContext();
        boolean hasAlpnProtocols = tlsContext != null && tlsContext.getAlpnProtocolsCount() > 0;
        if (hasAlpnProtocols) {
            List<String> alpnProtocols = tlsContext.getAlpnProtocolsList();
            // NO_ADVERTISE / ACCEPT: a failed protocol selection does not abort the handshake.
            ApplicationProtocolConfig alpnConfig = new ApplicationProtocolConfig(
                ApplicationProtocolConfig.Protocol.ALPN,
                ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
                ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
                alpnProtocols);
            contextBuilder.applicationProtocolConfig(alpnConfig);
        }

        SslContext builtContext;
        List<Callback> callbacksToNotify;
        synchronized (pendingCallbacks) {
            // Publish the new context and drain the callback list under the same lock.
            sslContext = contextBuilder.build();
            builtContext = sslContext;
            callbacksToNotify = clonePendingCallbacksAndClear();
        }
        // Callbacks run outside the lock, against the snapshot taken above.
        makePendingCallbacks(builtContext, callbacksToNotify);
    } catch (Exception e) {
        // Report the failure first, then propagate it to the caller as unchecked.
        onError(Status.fromThrowable(e));
        throw new RuntimeException(e);
    }
}
use of io.netty.handler.ssl.SslContextBuilder in project grpc-java by grpc.
the class TlsTest method serverBuilder.
/**
 * Creates a Netty server builder on {@code port} whose TLS context presents the given server
 * certificate and requires every client to authenticate with a certificate.
 *
 * @param port the port to listen on
 * @param serverCertChainFile the server certificate chain file
 * @param serverPrivateKeyFile the server private key file
 * @param serverTrustedCaCerts the CA certificates used to verify client certificates
 * @return the configured server builder
 * @throws IOException if the SSL context cannot be built
 */
private ServerBuilder<?> serverBuilder(int port, File serverCertChainFile, File serverPrivateKeyFile, X509Certificate[] serverTrustedCaCerts) throws IOException {
    SslContextBuilder contextBuilder = SslContextBuilder.forServer(serverCertChainFile, serverPrivateKeyFile);

    // The JDK case is configured through jdkProvider; every other provider is passed as is.
    if (sslProvider != SslProvider.JDK) {
        GrpcSslContexts.configure(contextBuilder, sslProvider);
    } else {
        GrpcSslContexts.configure(contextBuilder, jdkProvider);
    }

    // Mutual TLS: trust only the supplied CA certificates and reject clients without a cert.
    contextBuilder.trustManager(serverTrustedCaCerts);
    contextBuilder.clientAuth(ClientAuth.REQUIRE);

    return NettyServerBuilder.forPort(port).sslContext(contextBuilder.build());
}