Example 1 with SSLContextInitParameters

Use of org.apache.cxf.transport.https.SSLContextInitParameters in project cxf by apache.

In the class NettyHttpServletPipelineFactory, method configureServerHttp2SSLOnDemand:

private SslContext configureServerHttp2SSLOnDemand() throws Exception {
    if (tlsServerParameters != null) {
        final SSLContextInitParameters initParams =
            SSLUtils.getSSLContextInitParameters(tlsServerParameters);
        // Use only JDK provider for now, leaving OpenSsl as an option
        final SslProvider provider = SslProvider.JDK;

        // Netty's builder takes a single KeyManager; a server with none cannot present
        // a certificate, so fail early instead of building an unusable context.
        final KeyManager[] keyManagers = initParams.getKeyManagers();
        if (keyManagers == null || keyManagers.length == 0) {
            throw new IllegalStateException("No KeyManagers are configured, unable "
                + "to create Netty's SslContext instance");
        }

        // Resolve the configured cipher suites (explicit list or filter) against the
        // JDK defaults and the HTTP/2-compatible suites listed by Netty's Http2SecurityUtil.
        final String[] cipherSuites =
            org.apache.cxf.configuration.jsse.SSLUtils.getCiphersuitesToInclude(
                tlsServerParameters.getCipherSuites(),
                tlsServerParameters.getCipherSuitesFilter(),
                SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites(),
                Http2SecurityUtil.CIPHERS.toArray(new String[] {}),
                LOG);

        // Negotiate the application protocol with ALPN, preferring HTTP/2 over HTTP/1.1.
        final SslContextBuilder builder = SslContextBuilder.forServer(keyManagers[0])
            .sslProvider(provider)
            .ciphers(Arrays.asList(cipherSuites), SupportedCipherSuiteFilter.INSTANCE)
            .applicationProtocolConfig(new ApplicationProtocolConfig(
                Protocol.ALPN,
                // NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK providers.
                SelectorFailureBehavior.NO_ADVERTISE,
                // ACCEPT is currently the only mode supported by both OpenSsl and JDK providers.
                SelectedListenerFailureBehavior.ACCEPT,
                ApplicationProtocolNames.HTTP_2,
                ApplicationProtocolNames.HTTP_1_1));

        // Only the first configured TrustManager is handed to Netty; it is what
        // validates client certificates when client authentication is enabled.
        final TrustManager[] trustManagers = initParams.getTrustManagers();
        if (trustManagers != null && trustManagers.length > 0) {
            builder.trustManager(trustManagers[0]);
        }

        // Map CXF's client-authentication setting onto Netty's ClientAuth:
        // REQUIRE fails the handshake without a client certificate,
        // OPTIONAL requests one but completes the handshake without it.
        final ClientAuthentication clientAuth = tlsServerParameters.getClientAuthentication();
        if (clientAuth != null) {
            if (clientAuth.isSetRequired() && clientAuth.isRequired()) {
                builder.clientAuth(ClientAuth.REQUIRE);
            } else if (clientAuth.isSetWant() && clientAuth.isWant()) {
                builder.clientAuth(ClientAuth.OPTIONAL);
            }
        }
        return builder.build();
    }
    return null;
}
Also used:
  io.netty.handler.ssl.SslContextBuilder
  io.netty.util.AsciiString
  org.apache.cxf.transport.https.SSLContextInitParameters
  io.netty.handler.ssl.SslProvider
  javax.net.ssl.KeyManager
  org.apache.cxf.configuration.security.ClientAuthentication
  io.netty.handler.ssl.ApplicationProtocolConfig
  javax.net.ssl.TrustManager
