Example 61 with SslContext

use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContext in project neo4j by neo4j.

From the class BoltServer, method createExternalProtocolInitializer.

private ProtocolInitializer createExternalProtocolInitializer(
        BoltProtocolFactory boltProtocolFactory,
        TransportThrottleGroup throttleGroup,
        Log log,
        ByteBufAllocator bufferAllocator) {
    SslContext sslCtx;
    boolean requireEncryption;
    BoltConnector.EncryptionLevel encryptionLevel = config.get(BoltConnector.encryption_level);
    SslPolicyLoader sslPolicyLoader = dependencyResolver.resolveDependency(SslPolicyLoader.class);
    switch(encryptionLevel) {
        case REQUIRED:
            // Encrypted connections are mandatory.
            requireEncryption = true;
            sslCtx = createSslContext(sslPolicyLoader);
            break;
        case OPTIONAL:
            // Encrypted connections are optional.
            requireEncryption = false;
            sslCtx = createSslContext(sslPolicyLoader);
            break;
        case DISABLED:
            // Encryption is turned off.
            requireEncryption = false;
            sslCtx = null;
            break;
        default:
            // In the unlikely event that we happen to fall through to the default option here,
            // there is a mismatch between the BoltConnector.EncryptionLevel enum and the options
            // handled in this switch statement. In this case, we'll log a warning and default to
            // disabling encryption, since this mirrors the functionality introduced in 3.0.
            log.warn("Unhandled encryption level %s - assuming DISABLED.", encryptionLevel.name());
            requireEncryption = false;
            sslCtx = null;
            break;
    }
    SocketAddress listenAddress = config.get(BoltConnector.listen_address).socketAddress();
    Duration channelTimeout = config.get(BoltConnectorInternalSettings.unsupported_bolt_unauth_connection_timeout);
    long maxMessageSize = config.get(BoltConnectorInternalSettings.unsupported_bolt_unauth_connection_max_inbound_bytes);
    return new SocketTransport(
            BoltConnector.NAME,
            listenAddress,
            sslCtx,
            requireEncryption,
            logService.getInternalLogProvider(),
            throttleGroup,
            boltProtocolFactory,
            connectionTracker,
            channelTimeout,
            maxMessageSize,
            bufferAllocator,
            boltMemoryPool);
}
Also used : BoltConnector(org.neo4j.configuration.connectors.BoltConnector) SocketTransport(org.neo4j.bolt.transport.SocketTransport) SslPolicyLoader(org.neo4j.ssl.config.SslPolicyLoader) Duration(java.time.Duration) SocketAddress(java.net.SocketAddress) DomainSocketAddress(io.netty.channel.unix.DomainSocketAddress) InetSocketAddress(java.net.InetSocketAddress) SslContext(io.netty.handler.ssl.SslContext)

Example 62 with SslContext

use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContext in project neo4j by neo4j.

From the class TransportSelectionHandlerTest, method shouldPreventMultipleLevelsOfSslEncryption.

@Test
void shouldPreventMultipleLevelsOfSslEncryption() throws Exception {
    // Given
    ChannelHandlerContext context = channelHandlerContextMockSslAlreadyConfigured();
    AssertableLogProvider logging = new AssertableLogProvider();
    SslContext sslCtx = mock(SslContext.class);
    var memoryTracker = mock(MemoryTracker.class);
    TransportSelectionHandler handler = new TransportSelectionHandler(null, sslCtx, false, false, logging, null, null, memoryTracker);
    // Looks like the start of a TLS record (content type 22 = handshake, version 3.1),
    // i.e. a second TLS layer on a channel that already has SSL configured
    final ByteBuf payload = Unpooled.wrappedBuffer(new byte[] { 22, 3, 1, 0, 5 });
    // When
    handler.decode(context, payload, null);
    // Then
    verify(context).close();
    assertThat(logging)
            .forClass(TransportSelectionHandler.class)
            .forLevel(ERROR)
            .containsMessageWithArguments(
                    "Fatal error: multiple levels of SSL encryption detected." + " Terminating connection: %s",
                    context.channel());
}
Also used : ChannelHandlerContext(io.netty.channel.ChannelHandlerContext) ByteBuf(io.netty.buffer.ByteBuf) AssertableLogProvider(org.neo4j.logging.AssertableLogProvider) SslContext(io.netty.handler.ssl.SslContext) Test(org.junit.jupiter.api.Test)

Example 63 with SslContext

use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContext in project flink by apache.

From the class SSLUtils, method createRestClientSSLEngineFactory.

/**
 * Creates a {@link SSLHandlerFactory} to be used by the REST Clients.
 *
 * @param config The application configuration.
 */
public static SSLHandlerFactory createRestClientSSLEngineFactory(final Configuration config) throws Exception {
    ClientAuth clientAuth = SecurityOptions.isRestSSLAuthenticationEnabled(config) ? ClientAuth.REQUIRE : ClientAuth.NONE;
    SslContext sslContext = createRestNettySSLContext(config, true, clientAuth);
    if (sslContext == null) {
        throw new IllegalConfigurationException("SSL is not enabled for REST endpoints.");
    }
    return new SSLHandlerFactory(sslContext, -1, -1);
}
Also used : IllegalConfigurationException(org.apache.flink.configuration.IllegalConfigurationException) SSLHandlerFactory(org.apache.flink.runtime.io.network.netty.SSLHandlerFactory) ClientAuth(org.apache.flink.shaded.netty4.io.netty.handler.ssl.ClientAuth) JdkSslContext(org.apache.flink.shaded.netty4.io.netty.handler.ssl.JdkSslContext) SslContext(org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContext)

Example 64 with SslContext

use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContext in project flink by apache.

From the class SSLUtils, method createInternalNettySSLContext.

/**
 * Creates the SSL Context for internal SSL, if internal SSL is configured. For internal SSL,
 * the client and server side configuration are identical, because of mutual authentication.
 */
@Nullable
private static SslContext createInternalNettySSLContext(Configuration config, boolean clientMode, SslProvider provider) throws Exception {
    checkNotNull(config, "config");
    if (!SecurityOptions.isInternalSSLEnabled(config)) {
        return null;
    }
    String[] sslProtocols = getEnabledProtocols(config);
    List<String> ciphers = Arrays.asList(getEnabledCipherSuites(config));
    int sessionCacheSize = config.getInteger(SecurityOptions.SSL_INTERNAL_SESSION_CACHE_SIZE);
    int sessionTimeoutMs = config.getInteger(SecurityOptions.SSL_INTERNAL_SESSION_TIMEOUT);
    KeyManagerFactory kmf = getKeyManagerFactory(config, true, provider);
    TrustManagerFactory tmf = getTrustManagerFactory(config, true);
    ClientAuth clientAuth = ClientAuth.REQUIRE;
    final SslContextBuilder sslContextBuilder;
    if (clientMode) {
        sslContextBuilder = SslContextBuilder.forClient().keyManager(kmf);
    } else {
        sslContextBuilder = SslContextBuilder.forServer(kmf);
    }
    return sslContextBuilder
            .sslProvider(provider)
            .protocols(sslProtocols)
            .ciphers(ciphers)
            .trustManager(tmf)
            .clientAuth(clientAuth)
            .sessionCacheSize(sessionCacheSize)
            // Netty's sessionTimeout is in seconds; the Flink option is in milliseconds.
            .sessionTimeout(sessionTimeoutMs / 1000)
            .build();
}
Also used : SslContextBuilder(org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContextBuilder) TrustManagerFactory(javax.net.ssl.TrustManagerFactory) FingerprintTrustManagerFactory(org.apache.flink.shaded.netty4.io.netty.handler.ssl.util.FingerprintTrustManagerFactory) ClientAuth(org.apache.flink.shaded.netty4.io.netty.handler.ssl.ClientAuth) OpenSslX509KeyManagerFactory(org.apache.flink.shaded.netty4.io.netty.handler.ssl.OpenSslX509KeyManagerFactory) KeyManagerFactory(javax.net.ssl.KeyManagerFactory) Nullable(javax.annotation.Nullable)

Example 65 with SslContext

use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContext in project pinpoint by naver.

From the class PinpointNettyServerBuilder, method useTransportSecurity.

@Override
public PinpointNettyServerBuilder useTransportSecurity(File certChain, File privateKey) {
    checkState(!freezeProtocolNegotiatorFactory, "Cannot change security when using ServerCredentials");
    SslContext sslContext;
    try {
        sslContext = GrpcSslContexts.forServer(certChain, privateKey).build();
    } catch (SSLException e) {
        // This should likely be some other, easier to catch exception.
        throw new RuntimeException(e);
    }
    protocolNegotiatorFactory = ProtocolNegotiators.serverTlsFactory(sslContext);
    return this;
}
Also used : SSLException(javax.net.ssl.SSLException) SslContext(io.netty.handler.ssl.SslContext)
