use of io.netty.handler.ssl.SslContextBuilder in project ambry by linkedin.
the class NettySslHttp2Factory method getServerSslContext.
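/**
 * Builds the server-side {@link SslContext} for HTTP/2: ALPN advertises {@code h2} and the cipher list is
 * restricted to the HTTP/2 approved suites ({@link Http2SecurityUtil#CIPHERS}) that the provider supports.
 *
 * <p>Security: when {@code config.sslHttp2SelfSign} is set, a fresh throwaway {@link SelfSignedCertificate}
 * is generated and {@link InsecureTrustManagerFactory} is installed, which trusts every peer certificate
 * without verification. That branch removes peer authentication entirely and is only acceptable for local
 * testing; production must take the other branch, which uses the configured key and trust managers from
 * {@link NettySslFactory}.
 *
 * @param config the {@link SSLConfig}
 * @return a configured {@link SslContext} object for a server.
 * @throws GeneralSecurityException propagated from the key/trust manager factory helpers
 * @throws IOException propagated from the key/trust manager factory helpers
 */
static SslContext getServerSslContext(SSLConfig config) throws GeneralSecurityException, IOException {
  logger.info("Using {} provider for server SslContext", SslContext.defaultServerProvider());
  SslContextBuilder sslContextBuilder;
  if (config.sslHttp2SelfSign) {
    // Both server and client should use InsecureTrustManagerFactory for the self-sign case: the peer's
    // certificate is not issued by any CA we know, so nothing could validate it. Test/dev only.
    SelfSignedCertificate ssc = new SelfSignedCertificate();
    sslContextBuilder = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
        .trustManager(InsecureTrustManagerFactory.INSTANCE);
    logger.info("Server Uses Self Signed Certificate.");
  } else {
    sslContextBuilder = SslContextBuilder.forServer(NettySslFactory.getKeyManagerFactory(config))
        .trustManager(NettySslFactory.getTrustManagerFactory(config));
  }
  ApplicationProtocolConfig alpn = new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN,
      // NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK providers.
      ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
      // ACCEPT is currently the only mode supported by both OpenSsl and JDK providers.
      ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
      ApplicationProtocolNames.HTTP_2);
  return sslContextBuilder
      // This is a server context: apply the server default provider, i.e. the same value logged above
      // (previously the client default was applied here; Netty resolves both to the same provider, but
      // the log and the builder should not disagree).
      .sslProvider(SslContext.defaultServerProvider())
      // Client-auth policy is taken from the config rather than hard-coded.
      .clientAuth(NettySslFactory.getClientAuth(config))
      .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
      .applicationProtocolConfig(alpn)
      .build();
}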
use of io.netty.handler.ssl.SslContextBuilder in project ambry by linkedin.
the class NettySslHttp2Factory method getClientSslContext.
/**
 * Builds the client-side {@link SslContext} for HTTP/2: ALPN offers {@code h2} and ciphers are limited to
 * the HTTP/2 approved suites ({@link Http2SecurityUtil#CIPHERS}) supported by the provider.
 *
 * <p>Security: with {@code config.sslHttp2SelfSign} the client presents a throwaway
 * {@link SelfSignedCertificate} and installs {@link InsecureTrustManagerFactory}, so it will accept ANY
 * server certificate. That disables server authentication and is only suitable for local testing.
 * NOTE(review): nothing in this method enables hostname verification (endpoint identification) for the
 * non-self-signed branch either; confirm the {@code SslHandler}/engine that consumes this context sets it,
 * otherwise any certificate chaining to the trust store is accepted for any host.
 *
 * @param config the {@link SSLConfig}
 * @return a configured {@link SslContext} object for a client.
 * @throws GeneralSecurityException propagated from the key/trust manager factory helpers
 * @throws IOException propagated from the key/trust manager factory helpers
 */
public static SslContext getClientSslContext(SSLConfig config) throws GeneralSecurityException, IOException {
  logger.info("Using {} provider for client ", SslContext.defaultClientProvider());
  SslContextBuilder builder = SslContextBuilder.forClient();
  if (config.sslHttp2SelfSign) {
    // Self-sign mode: both sides use InsecureTrustManagerFactory because neither certificate chains to a
    // known CA. Test/dev only.
    SelfSignedCertificate throwaway = new SelfSignedCertificate();
    builder.keyManager(throwaway.certificate(), throwaway.privateKey());
    builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
    logger.info("Client Uses Self Signed Certificate.");
  } else {
    builder.keyManager(NettySslFactory.getKeyManagerFactory(config));
    builder.trustManager(NettySslFactory.getTrustManagerFactory(config));
  }
  builder.sslProvider(SslContext.defaultClientProvider());
  builder.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE);
  builder.applicationProtocolConfig(new ApplicationProtocolConfig(
      ApplicationProtocolConfig.Protocol.ALPN,
      // NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK providers.
      ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
      // ACCEPT is currently the only mode supported by both OpenSsl and JDK providers.
      ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
      ApplicationProtocolNames.HTTP_2));
  return builder.build();
}
use of io.netty.handler.ssl.SslContextBuilder in project uploader by smoketurner.
the class UploadInitializer method getSslContext.
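/**
 * Construct an {@link SslContext} from the configuration.
 *
 * <p>Returns {@code null} when TLS is disabled or cannot be set up; callers treat {@code null} as
 * "run in plaintext". Every failure path below therefore fails OPEN: a bad certificate or key silently
 * degrades the listener to cleartext with only a log line to show for it.
 * TODO(review): consider failing startup instead when {@code configuration.isSsl()} is true.
 *
 * <p>Client authentication: when {@code isClientAuth()} is set and a trust certificate collection is
 * configured, the collection is installed AND the builder is switched to {@code ClientAuth.REQUIRE}.
 * Installing the trust store alone (as this method previously did) leaves Netty's builder default of
 * {@code ClientAuth.NONE}, so no client certificate is ever requested and the flag has no effect.
 *
 * @return SslContext or null
 */
@Nullable
private SslContext getSslContext() {
    if (!configuration.isSsl()) {
        LOGGER.warn("SSL DISABLED: via configuration");
        return null;
    }
    if (SslContext.defaultServerProvider() == SslProvider.OPENSSL) {
        LOGGER.info("SSL Provider: OpenSSL");
    } else {
        LOGGER.info("SSL Provider: JDK");
    }
    if (configuration.isSelfSignedCert()) {
        // Throwaway certificate generated at startup: it chains to no CA, so clients cannot authenticate
        // this server. Development/testing only.
        try {
            final SelfSignedCertificate ssc = new SelfSignedCertificate();
            final SslContext sslCtx = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey()).build();
            LOGGER.info("SSL ENABLED (using self-signed certificate)");
            return sslCtx;
        } catch (CertificateException | SSLException e) {
            LOGGER.warn("SSL DISABLED: Unable to generate self-signed certificate", e);
            return null;
        }
    }
    if (Strings.isNullOrEmpty(configuration.getKeyCertChainFile()) || Strings.isNullOrEmpty(configuration.getKeyFile())) {
        LOGGER.warn("SSL DISABLED: no server certificate or key provided");
        return null;
    }
    final SslContextBuilder builder = SslContextBuilder.forServer(
            new File(configuration.getKeyCertChainFile()),
            new File(configuration.getKeyFile()),
            configuration.getKeyPassword());
    if (configuration.isClientAuth()) {
        if (Strings.isNullOrEmpty(configuration.getTrustCertCollectionFile())) {
            // The flag is set but there is nothing to validate client certificates against. Say so loudly
            // instead of silently running without client authentication.
            LOGGER.warn("Client authentication requested but no trust certificate collection configured; client certificates will NOT be required");
        } else {
            builder.trustManager(new File(configuration.getTrustCertCollectionFile()));
            // REQUIRE (rather than OPTIONAL) is assumed to be the intent of isClientAuth(). Without this
            // call the trust store is loaded but never consulted, because no client certificate is requested.
            builder.clientAuth(io.netty.handler.ssl.ClientAuth.REQUIRE);
        }
    }
    try {
        final SslContext sslCtx = builder.build();
        LOGGER.info("SSL ENABLED (certificate: '{}', key: '{}', trust store: '{}')", configuration.getKeyCertChainFile(), configuration.getKeyFile(), configuration.getTrustCertCollectionFile());
        return sslCtx;
    } catch (SSLException e) {
        LOGGER.error("SSL DISABLED: Unable to create SSL context", e);
    }
    return null;
}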
use of io.netty.handler.ssl.SslContextBuilder in project rocketmq by apache.
the class TlsHelper method buildSslContext.
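/**
 * Builds the Netty {@link SslContext} for the client or server side from the TLS settings in
 * {@link TlsSystemConfig#tlsConfigFile} (re-read on every call via {@code extractTlsConfigFromFile}).
 *
 * <p>Trust decisions controlled by configuration:
 * <ul>
 *   <li>{@code tlsTestModeEnable}: the client trusts ANY server certificate; the server uses a throwaway
 *       self-signed certificate and only optionally asks for client certificates. Test only.</li>
 *   <li>{@code tlsClientAuthServer=false} / {@code tlsServerAuthClient=false}: the peer certificate is
 *       accepted without verification ({@link InsecureTrustManagerFactory}); the connection is encrypted
 *       but the peer is not authenticated.</li>
 *   <li>Otherwise the configured trust certificate path is installed; when the path is empty no trust
 *       manager is set and Netty's provider default applies (NOTE(review): confirm that this fallback,
 *       rather than a hard failure, is the intended behaviour).</li>
 * </ul>
 *
 * <p>The PEM key/cert streams are opened in try-with-resources: {@link SslContextBuilder} parses them
 * eagerly in {@code keyManager}/{@code forServer} and leaves closing to the caller, which this method
 * previously never did (a file-handle leak on every call).
 *
 * @param forClient {@code true} to build a client context, {@code false} for a server context
 * @return the built {@link SslContext}
 * @throws IOException if the config or the PEM material cannot be read or decrypted
 * @throws CertificateException if the self-signed test certificate cannot be generated
 */
public static SslContext buildSslContext(boolean forClient) throws IOException, CertificateException {
    File configFile = new File(TlsSystemConfig.tlsConfigFile);
    extractTlsConfigFromFile(configFile);
    logTheFinalUsedTlsConfig();

    SslProvider provider;
    if (OpenSsl.isAvailable()) {
        provider = SslProvider.OPENSSL;
        LOGGER.info("Using OpenSSL provider");
    } else {
        provider = SslProvider.JDK;
        LOGGER.info("Using JDK SSL provider");
    }

    if (forClient) {
        return buildClientSslContext();
    }
    return buildServerSslContext(provider);
}

/** Client side. The client always uses the JDK provider, whatever {@code OpenSsl.isAvailable()} says. */
private static SslContext buildClientSslContext() throws IOException, CertificateException {
    if (tlsTestModeEnable) {
        // Test mode: trust every server certificate. Never enable in production.
        return SslContextBuilder.forClient()
            .sslProvider(SslProvider.JDK)
            .trustManager(InsecureTrustManagerFactory.INSTANCE)
            .build();
    }
    SslContextBuilder builder = SslContextBuilder.forClient().sslProvider(SslProvider.JDK);
    if (!tlsClientAuthServer) {
        // Server certificate is not verified: encryption without authentication (MITM-able).
        builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
    } else if (!isNullOrEmpty(tlsClientTrustCertPath)) {
        builder.trustManager(new File(tlsClientTrustCertPath));
    }
    // Null streams are legal here (no client certificate) and are skipped by try-with-resources.
    try (java.io.InputStream certIn = isNullOrEmpty(tlsClientCertPath) ? null : new FileInputStream(tlsClientCertPath);
         java.io.InputStream keyIn = isNullOrEmpty(tlsClientKeyPath) ? null : decryptionStrategy.decryptPrivateKey(tlsClientKeyPath, true)) {
        return builder
            .keyManager(certIn, keyIn, isNullOrEmpty(tlsClientKeyPassword) ? null : tlsClientKeyPassword)
            .build();
    }
}

/** Server side, using the provider chosen by the caller (OpenSSL when available) except in test mode. */
private static SslContext buildServerSslContext(SslProvider provider) throws IOException, CertificateException {
    if (tlsTestModeEnable) {
        // Test mode: throwaway self-signed certificate, client certificates requested but not required.
        SelfSignedCertificate selfSignedCertificate = new SelfSignedCertificate();
        return SslContextBuilder.forServer(selfSignedCertificate.certificate(), selfSignedCertificate.privateKey())
            .sslProvider(SslProvider.JDK)
            .clientAuth(ClientAuth.OPTIONAL)
            .build();
    }
    SslContextBuilder builder;
    // forServer(InputStream, ...) parses the PEM material immediately, so the streams can be closed before build().
    try (java.io.InputStream certIn = isNullOrEmpty(tlsServerCertPath) ? null : new FileInputStream(tlsServerCertPath);
         java.io.InputStream keyIn = isNullOrEmpty(tlsServerKeyPath) ? null : decryptionStrategy.decryptPrivateKey(tlsServerKeyPath, false)) {
        builder = SslContextBuilder
            .forServer(certIn, keyIn, isNullOrEmpty(tlsServerKeyPassword) ? null : tlsServerKeyPassword)
            .sslProvider(provider);
    }
    if (!tlsServerAuthClient) {
        // Client certificates (if any are presented) are accepted without verification.
        builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
    } else if (!isNullOrEmpty(tlsServerTrustCertPath)) {
        builder.trustManager(new File(tlsServerTrustCertPath));
    }
    builder.clientAuth(parseClientAuthMode(tlsServerNeedClientAuth));
    return builder.build();
}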
use of io.netty.handler.ssl.SslContextBuilder in project cassandra by apache.
the class AbstractSslContextFactory method createNettySslContext.
@Override
public SslContext createNettySslContext(boolean verifyPeerCertificate, SocketType socketType, CipherSuiteFilter cipherFilter) throws SSLException {
    /*
     * Key material is always supplied through a KeyManagerFactory. Some netty/openssl combinations do not
     * support that path: it has been observed to fail with the netty-tcnative dynamic openssl build, while
     * the netty-tcnative static-boringssl build handles KeyManagerFactory fine. Supporting every tcnative
     * flavour would require falling back to PEM file references for the x509 chain and the PKCS#8 key
     * (see {@link SslContextBuilder#forServer(File, File, String)}); that is deliberately not done so the
     * config/yaml surface stays small.
     *
     * Security: the trust manager is only installed when verifyPeerCertificate is true. When it is false
     * no trust manager is set on the builder and whatever the Netty provider uses by default applies
     * (NOTE(review): confirm that default is acceptable for the callers that pass false; on the server
     * side require_client_auth=true combined with verifyPeerCertificate=false would request client
     * certificates that are not checked against the configured trust store).
     */
    KeyManagerFactory keyManagers = buildKeyManagerFactory();
    boolean isServer = socketType == SocketType.SERVER;
    SslContextBuilder builder = isServer
        ? SslContextBuilder.forServer(keyManagers)
            .clientAuth(require_client_auth ? ClientAuth.REQUIRE : ClientAuth.NONE)
        : SslContextBuilder.forClient().keyManager(keyManagers);

    builder.sslProvider(getSslProvider());
    builder.protocols(getAcceptedProtocols());

    // An explicit cipher list is applied for both implementations (jdk or openssl); the filter decides
    // which entries the provider can actually honour.
    boolean hasExplicitCiphers = cipher_suites != null && !cipher_suites.isEmpty();
    if (hasExplicitCiphers) {
        builder.ciphers(cipher_suites, cipherFilter);
    }
    if (verifyPeerCertificate) {
        builder.trustManager(buildTrustManagerFactory());
    }
    return builder.build();
}