Example 51 with SslContext
use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContext in project component-runtime by Talend.
the class HttpApiHandler method activeSsl.
public T activeSsl() {
if (sslContext == null) {
try {
final SelfSignedCertificate certificate = new SelfSignedCertificate();
final SslContext nettyContext = SslContextBuilder.forServer(certificate.certificate(), certificate.privateKey()).trustManager(InsecureTrustManagerFactory.INSTANCE).sslProvider(SslProvider.JDK).build();
sslContext = JdkSslContext.class.cast(nettyContext).context();
} catch (final SSLException | CertificateException e) {
throw new IllegalStateException(e);
}
}
return (T) this;
}
Also used :
SelfSignedCertificate(io.netty.handler.ssl.util.SelfSignedCertificate)
CertificateException(java.security.cert.CertificateException)
SSLException(javax.net.ssl.SSLException)
JdkSslContext(io.netty.handler.ssl.JdkSslContext)
SslContext(io.netty.handler.ssl.SslContext)
Example 52 with SslContext
use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContext in project redisson by redisson.
the class RedisChannelInitializer method initSsl.
private void initSsl(final RedisClientConfig config, Channel ch) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, SSLException, UnrecoverableKeyException {
if (!config.getAddress().isSsl()) {
return;
}
io.netty.handler.ssl.SslProvider provided = io.netty.handler.ssl.SslProvider.JDK;
if (config.getSslProvider() == SslProvider.OPENSSL) {
provided = io.netty.handler.ssl.SslProvider.OPENSSL;
}
SslContextBuilder sslContextBuilder = SslContextBuilder.forClient().sslProvider(provided);
sslContextBuilder.protocols(config.getSslProtocols());
if (config.getSslTruststore() != null) {
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
InputStream stream = config.getSslTruststore().openStream();
try {
char[] password = null;
if (config.getSslTruststorePassword() != null) {
password = config.getSslTruststorePassword().toCharArray();
}
keyStore.load(stream, password);
} finally {
stream.close();
}
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keyStore);
sslContextBuilder.trustManager(trustManagerFactory);
}
if (config.getSslKeystore() != null) {
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
InputStream stream = config.getSslKeystore().openStream();
char[] password = null;
if (config.getSslKeystorePassword() != null) {
password = config.getSslKeystorePassword().toCharArray();
}
try {
keyStore.load(stream, password);
} finally {
stream.close();
}
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, password);
sslContextBuilder.keyManager(keyManagerFactory);
}
SSLParameters sslParams = new SSLParameters();
if (config.isSslEnableEndpointIdentification()) {
sslParams.setEndpointIdentificationAlgorithm("HTTPS");
} else {
if (config.getSslTruststore() == null) {
sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
}
}
SslContext sslContext = sslContextBuilder.build();
String hostname = config.getSslHostname();
if (hostname == null || NetUtil.createByteArrayFromIpAddressString(hostname) != null) {
hostname = config.getAddress().getHost();
}
SSLEngine sslEngine = sslContext.newEngine(ch.alloc(), hostname, config.getAddress().getPort());
sslEngine.setSSLParameters(sslParams);
SslHandler sslHandler = new SslHandler(sslEngine);
ch.pipeline().addLast(sslHandler);
ch.pipeline().addLast(new ChannelInboundHandlerAdapter() {
volatile boolean sslInitDone;
@Override
public void channelActive(ChannelHandlerContext ctx) throws Exception {
if (sslInitDone) {
super.channelActive(ctx);
}
}
@Override
public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception {
if (!sslInitDone && (evt instanceof SslHandshakeCompletionEvent)) {
SslHandshakeCompletionEvent e = (SslHandshakeCompletionEvent) evt;
if (e.isSuccess()) {
sslInitDone = true;
ctx.fireChannelActive();
} else {
RedisConnection connection = RedisConnection.getFrom(ctx.channel());
connection.closeAsync();
connection.getConnectionPromise().completeExceptionally(e.cause());
}
}
super.userEventTriggered(ctx, evt);
}
});
}
Also used :
SslHandshakeCompletionEvent(io.netty.handler.ssl.SslHandshakeCompletionEvent)
InputStream(java.io.InputStream)
ChannelHandlerContext(io.netty.channel.ChannelHandlerContext)
javax.net.ssl(javax.net.ssl)
KeyStore(java.security.KeyStore)
SslHandler(io.netty.handler.ssl.SslHandler)
IOException(java.io.IOException)
KeyStoreException(java.security.KeyStoreException)
CertificateException(java.security.cert.CertificateException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
UnrecoverableKeyException(java.security.UnrecoverableKeyException)
SslContextBuilder(io.netty.handler.ssl.SslContextBuilder)
InsecureTrustManagerFactory(io.netty.handler.ssl.util.InsecureTrustManagerFactory)
SslContext(io.netty.handler.ssl.SslContext)
ChannelInboundHandlerAdapter(io.netty.channel.ChannelInboundHandlerAdapter)
RedisConnection(org.redisson.client.RedisConnection)
Example 53 with SslContext
use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContext in project cassandra by apache.
the class SSLFactory method getOrCreateSslContext.
/**
* get a netty {@link SslContext} instance
*/
public static SslContext getOrCreateSslContext(EncryptionOptions options, boolean verifyPeerCertificate, SocketType socketType) throws IOException {
CacheKey key = new CacheKey(options, socketType);
SslContext sslContext;
sslContext = cachedSslContexts.get(key);
if (sslContext != null)
return sslContext;
sslContext = createNettySslContext(options, verifyPeerCertificate, socketType);
SslContext previous = cachedSslContexts.putIfAbsent(key, sslContext);
if (previous == null)
return sslContext;
ReferenceCountUtil.release(sslContext);
return previous;
}
Also used :
SslContext(io.netty.handler.ssl.SslContext)
Example 54 with SslContext
use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContext in project cassandra by apache.
the class PipelineConfigurator method encryptionConfig.
protected EncryptionConfig encryptionConfig() {
final EncryptionOptions encryptionOptions = DatabaseDescriptor.getNativeProtocolEncryptionOptions();
switch(tlsEncryptionPolicy) {
case UNENCRYPTED:
// if encryption is not enabled, no further steps are required after the initial setup
return channel -> {
};
case OPTIONAL:
// If optional, install a handler which detects whether or not the client is sending
// encrypted bytes. If so, on receipt of the next bytes, replace that handler with
// an SSL Handler, otherwise just remove it and proceed with an unencrypted channel.
logger.debug("Enabling optionally encrypted CQL connections between client and server");
return channel -> {
SslContext sslContext = SSLFactory.getOrCreateSslContext(encryptionOptions, encryptionOptions.require_client_auth, ISslContextFactory.SocketType.SERVER);
channel.pipeline().addFirst(SSL_HANDLER, new ByteToMessageDecoder() {
@Override
protected void decode(ChannelHandlerContext channelHandlerContext, ByteBuf byteBuf, List<Object> list) throws Exception {
if (byteBuf.readableBytes() < 5) {
// once more bytes a ready.
return;
}
if (SslHandler.isEncrypted(byteBuf)) {
// Connection uses SSL/TLS, replace the detection handler with a SslHandler and so use
// encryption.
SslHandler sslHandler = sslContext.newHandler(channel.alloc());
channelHandlerContext.pipeline().replace(SSL_HANDLER, SSL_HANDLER, sslHandler);
} else {
// Connection use no TLS/SSL encryption, just remove the detection handler and continue without
// SslHandler in the pipeline.
channelHandlerContext.pipeline().remove(SSL_HANDLER);
}
}
});
};
case ENCRYPTED:
logger.debug("Enabling encrypted CQL connections between client and server");
return channel -> {
SslContext sslContext = SSLFactory.getOrCreateSslContext(encryptionOptions, encryptionOptions.require_client_auth, ISslContextFactory.SocketType.SERVER);
channel.pipeline().addFirst(SSL_HANDLER, sslContext.newHandler(channel.alloc()));
};
default:
throw new IllegalStateException("Unrecognized TLS encryption policy: " + this.tlsEncryptionPolicy);
}
}
Also used :
LoggingHandler(io.netty.handler.logging.LoggingHandler)
ISslContextFactory(org.apache.cassandra.security.ISslContextFactory)
LoggerFactory(org.slf4j.LoggerFactory)
EncryptionOptions(org.apache.cassandra.config.EncryptionOptions)
Strings(com.google.common.base.Strings)
ByteBuf(io.netty.buffer.ByteBuf)
EpollServerSocketChannel(io.netty.channel.epoll.EpollServerSocketChannel)
SSLFactory(org.apache.cassandra.security.SSLFactory)
Map(java.util.Map)
StartupMessage(org.apache.cassandra.transport.messages.StartupMessage)
io.netty.channel(io.netty.channel)
ByteToMessageDecoder(io.netty.handler.codec.ByteToMessageDecoder)
DatabaseDescriptor(org.apache.cassandra.config.DatabaseDescriptor)
Logger(org.slf4j.Logger)
IdleStateEvent(io.netty.handler.timeout.IdleStateEvent)
SslContext(io.netty.handler.ssl.SslContext)
NioServerSocketChannel(io.netty.channel.socket.nio.NioServerSocketChannel)
InetSocketAddress(java.net.InetSocketAddress)
TimeUnit(java.util.concurrent.TimeUnit)
IdleStateHandler(io.netty.handler.timeout.IdleStateHandler)
Version(io.netty.util.Version)
List(java.util.List)
LogLevel(io.netty.handler.logging.LogLevel)
SslHandler(io.netty.handler.ssl.SslHandler)
ServerBootstrap(io.netty.bootstrap.ServerBootstrap)
org.apache.cassandra.net(org.apache.cassandra.net)
List(java.util.List)
EncryptionOptions(org.apache.cassandra.config.EncryptionOptions)
ByteToMessageDecoder(io.netty.handler.codec.ByteToMessageDecoder)
ByteBuf(io.netty.buffer.ByteBuf)
SslHandler(io.netty.handler.ssl.SslHandler)
SslContext(io.netty.handler.ssl.SslContext)
Example 55 with SslContext
use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContext in project cassandra by apache.
the class SSLFactoryTest method getSslContext_ParamChanges.
@Test
public void getSslContext_ParamChanges() throws IOException {
EncryptionOptions options = addKeystoreOptions(encryptionOptions).withEnabled(true).withCipherSuites("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
SslContext ctx1 = SSLFactory.getOrCreateSslContext(options, true, ISslContextFactory.SocketType.SERVER);
Assert.assertTrue(ctx1.isServer());
Assert.assertEquals(ctx1.cipherSuites(), options.cipher_suites);
options = options.withCipherSuites("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
SslContext ctx2 = SSLFactory.getOrCreateSslContext(options, true, ISslContextFactory.SocketType.CLIENT);
Assert.assertTrue(ctx2.isClient());
Assert.assertEquals(ctx2.cipherSuites(), options.cipher_suites);
}
Also used :
EncryptionOptions(org.apache.cassandra.config.EncryptionOptions)
ServerEncryptionOptions(org.apache.cassandra.config.EncryptionOptions.ServerEncryptionOptions)
SslContext(io.netty.handler.ssl.SslContext)
Test(org.junit.Test)
Aggregations
SslContext (io.netty.handler.ssl.SslContext)221
NioEventLoopGroup (io.netty.channel.nio.NioEventLoopGroup)67
SelfSignedCertificate (io.netty.handler.ssl.util.SelfSignedCertificate)59
EventLoopGroup (io.netty.channel.EventLoopGroup)52
Channel (io.netty.channel.Channel)48
Test (org.junit.Test)48
SSLException (javax.net.ssl.SSLException)46
ServerBootstrap (io.netty.bootstrap.ServerBootstrap)41
SslContextBuilder (io.netty.handler.ssl.SslContextBuilder)37
NioSocketChannel (io.netty.channel.socket.nio.NioSocketChannel)36
Bootstrap (io.netty.bootstrap.Bootstrap)35
LoggingHandler (io.netty.handler.logging.LoggingHandler)35
SocketChannel (io.netty.channel.socket.SocketChannel)34
NioServerSocketChannel (io.netty.channel.socket.nio.NioServerSocketChannel)33
InetSocketAddress (java.net.InetSocketAddress)31
SslHandler (io.netty.handler.ssl.SslHandler)30
CertificateException (java.security.cert.CertificateException)29
IOException (java.io.IOException)26
File (java.io.File)24
ChannelPipeline (io.netty.channel.ChannelPipeline)23
