
Example 11 with SSLEngine

use of javax.net.ssl.SSLEngine in project kafka by apache.

the class SslFactory method createSslEngine.

/**
 * Builds an {@link SSLEngine} for the given peer, applying this factory's
 * cipher-suite and protocol restrictions plus the mode-specific settings.
 *
 * <p>In server mode the engine either requires a client certificate
 * ({@code needClientAuth}) or merely requests one ({@code wantClientAuth}).
 * In client mode the configured endpoint identification algorithm is
 * installed via {@link SSLParameters}, which is what makes the JSSE check the
 * server certificate against {@code peerHost}; a {@code null} algorithm
 * leaves that check off.
 *
 * @param peerHost non-authoritative host name of the peer, passed to the
 *                 context for session caching and endpoint identification
 * @param peerPort port of the peer
 * @return the configured engine
 */
public SSLEngine createSslEngine(String peerHost, int peerPort) {
    final SSLEngine engine = sslContext.createSSLEngine(peerHost, peerPort);

    // Only narrow ciphers/protocols when explicitly configured; otherwise the
    // context defaults remain in effect.
    if (cipherSuites != null) {
        engine.setEnabledCipherSuites(cipherSuites);
    }
    if (enabledProtocols != null) {
        engine.setEnabledProtocols(enabledProtocols);
    }

    final boolean serverMode = mode == Mode.SERVER;
    engine.setUseClientMode(!serverMode);
    if (serverMode) {
        if (needClientAuth) {
            engine.setNeedClientAuth(needClientAuth);
        } else {
            engine.setWantClientAuth(wantClientAuth);
        }
    } else {
        final SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm(endpointIdentification);
        engine.setSSLParameters(params);
    }
    return engine;
}

Example 12 with SSLEngine

use of javax.net.ssl.SSLEngine in project flink by apache.

the class NettyServer method init.

/**
 * Creates, configures and binds the Netty server.
 *
 * <p>The bootstrap is created once (a second call fails the {@code checkState}
 * precondition) and configured from {@code config}: transport, bind address,
 * pooled allocators, backlog, socket buffer sizes and write-buffer water marks.
 * The server SSL context is created eagerly; when it is non-null every accepted
 * channel gets an {@link SslHandler} in server mode ahead of the protocol
 * handlers. Nothing in this method requests client certificates, so any
 * mutual-TLS requirement would have to be applied inside
 * {@code config.setSSLVerAndCipherSuites} — confirm there.
 *
 * @param protocol        source of the server-side channel handlers
 * @param nettyBufferPool allocator installed for parent and child channels
 * @throws IOException if creating the server SSL context fails
 */
void init(final NettyProtocol protocol, NettyBufferPool nettyBufferPool) throws IOException {
    checkState(bootstrap == null, "Netty server has already been initialized.");
    final long startedAt = System.currentTimeMillis();
    bootstrap = new ServerBootstrap();

    // Transport selection: explicit NIO/EPOLL, or EPOLL when available for AUTO.
    switch (config.getTransportType()) {
        case NIO:
            initNioBootstrap();
            break;
        case EPOLL:
            initEpollBootstrap();
            break;
        case AUTO:
            if (Epoll.isAvailable()) {
                initEpollBootstrap();
                LOG.info("Transport type 'auto': using EPOLL.");
            } else {
                initNioBootstrap();
                LOG.info("Transport type 'auto': using NIO.");
            }
            break;
    }

    // Bind address and pooled allocators for parent and child channels.
    bootstrap.localAddress(config.getServerAddress(), config.getServerPort());
    bootstrap.option(ChannelOption.ALLOCATOR, nettyBufferPool);
    bootstrap.childOption(ChannelOption.ALLOCATOR, nettyBufferPool);

    // Optional socket tuning; non-positive values are simply not applied.
    final int backlog = config.getServerConnectBacklog();
    if (backlog > 0) {
        bootstrap.option(ChannelOption.SO_BACKLOG, backlog);
    }
    final int socketBufferSize = config.getSendAndReceiveBufferSize();
    if (socketBufferSize > 0) {
        bootstrap.childOption(ChannelOption.SO_SNDBUF, socketBufferSize);
        bootstrap.childOption(ChannelOption.SO_RCVBUF, socketBufferSize);
    }

    // Flow control: low mark just above one memory segment, high mark at two.
    final int segmentSize = config.getMemorySegmentSize();
    bootstrap.childOption(ChannelOption.WRITE_BUFFER_LOW_WATER_MARK, segmentSize + 1);
    bootstrap.childOption(ChannelOption.WRITE_BUFFER_HIGH_WATER_MARK, 2 * segmentSize);

    // TLS: any failure building the context surfaces as IOException, cause preserved.
    try {
        serverSSLContext = config.createServerSSLContext();
    } catch (Exception e) {
        throw new IOException("Failed to initialize SSL Context for the Netty Server", e);
    }

    // Child pipeline: SslHandler first (if TLS is configured), then protocol handlers.
    bootstrap.childHandler(new ChannelInitializer<SocketChannel>() {

        @Override
        public void initChannel(SocketChannel ch) throws Exception {
            if (serverSSLContext != null) {
                final SSLEngine engine = serverSSLContext.createSSLEngine();
                config.setSSLVerAndCipherSuites(engine);
                engine.setUseClientMode(false);
                ch.pipeline().addLast("ssl", new SslHandler(engine));
            }
            ch.pipeline().addLast(protocol.getServerChannelHandlers());
        }
    });

    // Bind synchronously and remember where we are listening.
    bindFuture = bootstrap.bind().syncUninterruptibly();
    localAddress = (InetSocketAddress) bindFuture.channel().localAddress();
    final long finishedAt = System.currentTimeMillis();
    LOG.info("Successful initialization (took {} ms). Listening on SocketAddress {}.", (finishedAt - startedAt), localAddress.toString());
}

Example 13 with SSLEngine

use of javax.net.ssl.SSLEngine in project camel by apache.

the class LumberjackChannelInitializer method initChannel.

/**
 * Wires the Lumberjack pipeline for a newly accepted channel: optional TLS
 * termination, two frame decoders sharing one session handler, and finally
 * the handler that bridges decoded messages into Camel.
 *
 * <p>When {@code sslContext} is set the engine runs in server mode; nothing
 * here narrows its protocols or cipher suites or requests a client
 * certificate, so the context's own settings decide those.
 *
 * @param ch the accepted channel
 * @throws Exception propagated from pipeline setup
 */
@Override
protected void initChannel(Channel ch) throws Exception {
    final ChannelPipeline p = ch.pipeline();

    if (sslContext != null) {
        final SSLEngine engine = sslContext.createSSLEngine();
        engine.setUseClientMode(false);
        p.addLast(new SslHandler(engine));
    }

    final LumberjackSessionHandler session = new LumberjackSessionHandler();
    // Primary frame decoder, plus a secondary one that is used while the
    // first is busy processing compressed frames.
    p.addLast(new LumberjackFrameDecoder(session));
    p.addLast(new LumberjackFrameDecoder(session));
    // Hand decoded messages to Camel on the dedicated executor.
    p.addLast(messageExecutorService, new LumberjackMessageHandler(session, messageProcessor));
}

Example 14 with SSLEngine

use of javax.net.ssl.SSLEngine in project hadoop by apache.

the class SSLFactory method createSSLEngine.

/**
 * Returns an SSLEngine configured for this factory's mode.
 *
 * <p>Client engines run in client mode. Server engines run in server mode,
 * require a client certificate according to {@code requireClientCert}, and
 * have the excluded cipher suites removed. The configured protocol list is
 * applied in both modes. No endpoint identification algorithm is set on
 * client engines here, so host-name verification of the server certificate
 * is not configured by this method.
 *
 * @return the configured SSLEngine.
 * @throws GeneralSecurityException thrown if the SSL engine could not
 * be initialized.
 * @throws IOException thrown if an IO error occurred while loading
 * the server keystore.
 */
public SSLEngine createSSLEngine() throws GeneralSecurityException, IOException {
    final SSLEngine engine = context.createSSLEngine();
    final boolean clientMode = mode == Mode.CLIENT;
    engine.setUseClientMode(clientMode);
    if (!clientMode) {
        engine.setNeedClientAuth(requireClientCert);
        disableExcludedCiphers(engine);
    }
    engine.setEnabledProtocols(enabledProtocols);
    return engine;
}

Example 15 with SSLEngine

use of javax.net.ssl.SSLEngine in project hadoop by apache.

the class TestSSLFactory method testServerWeakCiphers.

/**
 * Verifies that a server engine refuses a handshake when the client offers
 * only cipher suites the server has excluded.
 *
 * <p>A client and a server {@link SSLEngine} built from the same configuration
 * exchange TLS records in memory through {@link ByteBuffer}s (no sockets). The
 * client is then narrowed to exactly the excluded suites, so the handshake is
 * expected to fail with an {@link SSLHandshakeException} whose message
 * contains "no cipher suites in common"; completing the loop without that
 * exception fails the test.
 */
@Test
public void testServerWeakCiphers() throws Exception {
    // a simple test case to verify that SSL server rejects weak cipher suites,
    // inspired by https://docs.oracle.com/javase/8/docs/technotes/guides/
    //            security/jsse/samples/sslengine/SSLEngineSimpleDemo.java
    // set up a client and a server SSLEngine object, and let them exchange
    // data over ByteBuffer instead of network socket.
    GenericTestUtils.setLogLevel(SSLFactory.LOG, Level.DEBUG);
    final Configuration conf = createConfiguration(true, true);
    SSLFactory serverSSLFactory = new SSLFactory(SSLFactory.Mode.SERVER, conf);
    SSLFactory clientSSLFactory = new SSLFactory(SSLFactory.Mode.CLIENT, conf);
    serverSSLFactory.init();
    clientSSLFactory.init();
    SSLEngine serverSSLEngine = serverSSLFactory.createSSLEngine();
    SSLEngine clientSSLEngine = clientSSLFactory.createSSLEngine();
    // client selects cipher suites excluded by server
    clientSSLEngine.setEnabledCipherSuites(excludeCiphers.split(","));
    // use the same buffer size for server and client.
    SSLSession session = clientSSLEngine.getSession();
    int appBufferMax = session.getApplicationBufferSize();
    int netBufferMax = session.getPacketBufferSize();
    // Application-level payloads each side sends, and where each side collects
    // what it receives.
    ByteBuffer clientOut = ByteBuffer.wrap("client".getBytes());
    ByteBuffer clientIn = ByteBuffer.allocate(appBufferMax);
    ByteBuffer serverOut = ByteBuffer.wrap("server".getBytes());
    ByteBuffer serverIn = ByteBuffer.allocate(appBufferMax);
    // send data from client to server
    ByteBuffer cTOs = ByteBuffer.allocateDirect(netBufferMax);
    // send data from server to client
    ByteBuffer sTOc = ByteBuffer.allocateDirect(netBufferMax);
    boolean dataDone = false;
    try {
        // Server and client engines call wrap()/unwrap() to perform handshaking,
        // until both engines are closed. Each round: both sides wrap into the
        // "network" buffers, the buffers are flipped for reading, both sides
        // unwrap, then the buffers are compacted for the next round.
        while (!isEngineClosed(clientSSLEngine) || !isEngineClosed(serverSSLEngine)) {
            LOG.info("client wrap " + wrap(clientSSLEngine, clientOut, cTOs));
            LOG.info("server wrap " + wrap(serverSSLEngine, serverOut, sTOc));
            cTOs.flip();
            sTOc.flip();
            LOG.info("client unwrap " + unwrap(clientSSLEngine, sTOc, clientIn));
            LOG.info("server unwrap " + unwrap(serverSSLEngine, cTOs, serverIn));
            cTOs.compact();
            sTOc.compact();
            // Once both payloads have fully arrived, check them and start the
            // orderly close from the client side.
            if (!dataDone && (clientOut.limit() == serverIn.position()) && (serverOut.limit() == clientIn.position())) {
                checkTransfer(serverOut, clientIn);
                checkTransfer(clientOut, serverIn);
                LOG.info("closing client");
                clientSSLEngine.closeOutbound();
                dataDone = true;
            }
        }
        // Reaching here means the handshake succeeded despite the excluded
        // suites, which is the failure this test guards against.
        Assert.fail("The exception was not thrown");
    } catch (SSLHandshakeException e) {
        GenericTestUtils.assertExceptionContains("no cipher suites in common", e);
    }
}
