
Example 41 with SslContext

use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContext in project cassandra by apache.

the class SSLFactoryTest method testPEMSslContextReload_HappyPath.

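@Test
public void testPEMSslContextReload_HappyPath() throws IOException, InterruptedException {
    // Bumping the keystore's mtime must make the hot-reload check hand out a
    // freshly built SslContext instead of the cached one.
    try {
        ServerEncryptionOptions options = addPEMKeystoreOptions(encryptionOptions)
                .withInternodeEncryption(ServerEncryptionOptions.InternodeEncryption.all);
        SSLFactory.initHotReloading(options, options, true);
        SslContext oldCtx = SSLFactory.getOrCreateSslContext(options, true, ISslContextFactory.SocketType.CLIENT);

        File keystoreFile = new File(options.keystore);
        // Baseline check so the reload logic has seen the current mtime.
        SSLFactory.checkCertFilesForHotReloading(options, options);
        // Fail here, with a clear message, if the mtime could not be changed;
        // otherwise assertNotSame below fails for a misleading reason.
        Assert.assertTrue("could not update mtime of keystore " + keystoreFile,
                          keystoreFile.trySetLastModified(System.currentTimeMillis() + 15000));
        SSLFactory.checkCertFilesForHotReloading(options, options);

        SslContext newCtx = SSLFactory.getOrCreateSslContext(options, true, ISslContextFactory.SocketType.CLIENT);
        Assert.assertNotSame(oldCtx, newCtx);
    } finally {
        // Restore the global config so the mutated options do not leak into other tests.
        DatabaseDescriptor.loadConfig();
    }
}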
Also used : ServerEncryptionOptions(org.apache.cassandra.config.EncryptionOptions.ServerEncryptionOptions) File(org.apache.cassandra.io.util.File) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) SslContext(io.netty.handler.ssl.SslContext) Test(org.junit.Test)

Example 42 with SslContext

use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContext in project neo4j by neo4j.

the class BoltServer method createInternalProtocolInitializer.

private ProtocolInitializer createInternalProtocolInitializer(BoltProtocolFactory boltProtocolFactory, TransportThrottleGroup throttleGroup, ByteBufAllocator bufferAllocator) {
    // Builds the transport for the cluster-internal Bolt connector. Encryption is
    // mandatory exactly when an SSL policy exists for the CLUSTER source; without
    // one the connector is started in plaintext.
    SslPolicyLoader policyLoader = dependencyResolver.resolveDependency(SslPolicyLoader.class);
    boolean encryptionRequired = policyLoader.hasPolicyForSource(CLUSTER);

    SslContext serverSslContext = null;
    if (encryptionRequired) {
        try {
            serverSslContext = policyLoader.getPolicy(CLUSTER).nettyServerContext();
        } catch (SSLException e) {
            // A configured-but-broken policy is fatal: never silently fall back to plaintext.
            throw new RuntimeException("Failed to initialize SSL encryption support, which is required to start this connector. " + "Error was: " + e.getMessage(), e);
        }
    }

    // An explicitly configured routing address wins; otherwise bind to the external
    // connector's host on the routing address' default port.
    SocketAddress listenAddress;
    if (!config.isExplicitlySet(GraphDatabaseSettings.routing_listen_address)) {
        listenAddress = new InetSocketAddress(
                config.get(BoltConnector.listen_address).getHostname(),
                config.get(GraphDatabaseSettings.routing_listen_address).getPort());
    } else {
        listenAddress = config.get(GraphDatabaseSettings.routing_listen_address).socketAddress();
    }

    Duration unauthTimeout = config.get(BoltConnectorInternalSettings.unsupported_bolt_unauth_connection_timeout);
    long unauthMaxInboundBytes = config.get(BoltConnectorInternalSettings.unsupported_bolt_unauth_connection_max_inbound_bytes);
    return new SocketTransport(BoltConnector.NAME, listenAddress, serverSslContext, encryptionRequired, logService.getInternalLogProvider(), throttleGroup, boltProtocolFactory, connectionTracker, unauthTimeout, unauthMaxInboundBytes, bufferAllocator, boltMemoryPool);
}
Also used : InetSocketAddress(java.net.InetSocketAddress) SocketTransport(org.neo4j.bolt.transport.SocketTransport) SslPolicyLoader(org.neo4j.ssl.config.SslPolicyLoader) Duration(java.time.Duration) SocketAddress(java.net.SocketAddress) DomainSocketAddress(io.netty.channel.unix.DomainSocketAddress) InetSocketAddress(java.net.InetSocketAddress) SSLException(javax.net.ssl.SSLException) SslContext(io.netty.handler.ssl.SslContext)

Example 43 with SslContext

use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContext in project neo4j by neo4j.

the class BoltServer method createExternalProtocolInitializer.

private ProtocolInitializer createExternalProtocolInitializer(BoltProtocolFactory boltProtocolFactory, TransportThrottleGroup throttleGroup, Log log, ByteBufAllocator bufferAllocator) {
    // Builds the transport for the client-facing Bolt connector. The configured
    // encryption level decides both whether an SslContext is built at all and
    // whether plaintext connections are refused.
    BoltConnector.EncryptionLevel level = config.get(BoltConnector.encryption_level);
    SslPolicyLoader policyLoader = dependencyResolver.resolveDependency(SslPolicyLoader.class);

    final boolean encryptionRequired;
    final SslContext serverSslContext;
    if (level == BoltConnector.EncryptionLevel.REQUIRED) {
        // Only encrypted connections are accepted.
        encryptionRequired = true;
        serverSslContext = createSslContext(policyLoader);
    } else if (level == BoltConnector.EncryptionLevel.OPTIONAL) {
        // TLS is offered, but clients may still connect in plaintext.
        encryptionRequired = false;
        serverSslContext = createSslContext(policyLoader);
    } else if (level == BoltConnector.EncryptionLevel.DISABLED) {
        // No TLS at all.
        encryptionRequired = false;
        serverSslContext = null;
    } else {
        // Reaching this branch means BoltConnector.EncryptionLevel gained a constant
        // this method does not handle. Behaviour mirrors 3.0: warn and treat it as
        // DISABLED. Note that this is a fail-open default (plaintext), so any new
        // level must be handled explicitly above rather than left to fall through.
        log.warn("Unhandled encryption level %s - assuming DISABLED.", level.name());
        encryptionRequired = false;
        serverSslContext = null;
    }

    SocketAddress listenAddress = config.get(BoltConnector.listen_address).socketAddress();
    Duration unauthTimeout = config.get(BoltConnectorInternalSettings.unsupported_bolt_unauth_connection_timeout);
    long unauthMaxInboundBytes = config.get(BoltConnectorInternalSettings.unsupported_bolt_unauth_connection_max_inbound_bytes);
    return new SocketTransport(BoltConnector.NAME, listenAddress, serverSslContext, encryptionRequired, logService.getInternalLogProvider(), throttleGroup, boltProtocolFactory, connectionTracker, unauthTimeout, unauthMaxInboundBytes, bufferAllocator, boltMemoryPool);
}
Also used : BoltConnector(org.neo4j.configuration.connectors.BoltConnector) SocketTransport(org.neo4j.bolt.transport.SocketTransport) SslPolicyLoader(org.neo4j.ssl.config.SslPolicyLoader) Duration(java.time.Duration) SocketAddress(java.net.SocketAddress) DomainSocketAddress(io.netty.channel.unix.DomainSocketAddress) InetSocketAddress(java.net.InetSocketAddress) SslContext(io.netty.handler.ssl.SslContext)

Example 44 with SslContext

use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContext in project neo4j by neo4j.

the class TransportSelectionHandlerTest method shouldPreventMultipleLevelsOfSslEncryption.

@Test
void shouldPreventMultipleLevelsOfSslEncryption() throws Exception {
    // A channel that already has SSL configured receiving what looks like a TLS
    // handshake must be closed and reported as a fatal error, never re-wrapped.

    // Given: a handler whose channel already carries an SSL configuration.
    AssertableLogProvider logProvider = new AssertableLogProvider();
    SslContext sslContext = mock(SslContext.class);
    var tracker = mock(MemoryTracker.class);
    ChannelHandlerContext ctx = channelHandlerContextMockSslAlreadyConfigured();
    TransportSelectionHandler selectionHandler =
            new TransportSelectionHandler(null, sslContext, false, false, logProvider, null, null, tracker);

    // First bytes of a TLS record (record type 22, version 3.1), i.e. an encrypted client.
    final ByteBuf firstBytes = Unpooled.wrappedBuffer(new byte[] { 22, 3, 1, 0, 5 });

    // When
    selectionHandler.decode(ctx, firstBytes, null);

    // Then: the connection is terminated and the reason is logged at ERROR.
    verify(ctx).close();
    assertThat(logProvider)
            .forClass(TransportSelectionHandler.class)
            .forLevel(ERROR)
            .containsMessageWithArguments("Fatal error: multiple levels of SSL encryption detected." + " Terminating connection: %s", ctx.channel());
}
Also used : ChannelHandlerContext(io.netty.channel.ChannelHandlerContext) ByteBuf(io.netty.buffer.ByteBuf) AssertableLogProvider(org.neo4j.logging.AssertableLogProvider) SslContext(io.netty.handler.ssl.SslContext) Test(org.junit.jupiter.api.Test)

Example 45 with SslContext

use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContext in project flink by apache.

the class SSLUtils method createRestClientSSLEngineFactory.

/**
 * Builds the {@link SSLHandlerFactory} used by the REST clients.
 *
 * <p>Client authentication is required only when REST SSL authentication is
 * enabled in the configuration; otherwise the client presents no certificate.
 *
 * @param config The application configuration.
 * @return a handler factory wrapping the client-side REST {@link SslContext}
 * @throws IllegalConfigurationException if SSL is not enabled for the REST endpoints
 * @throws Exception propagated from SSL context creation
 */
public static SSLHandlerFactory createRestClientSSLEngineFactory(final Configuration config) throws Exception {
    final ClientAuth clientAuth;
    if (SecurityOptions.isRestSSLAuthenticationEnabled(config)) {
        clientAuth = ClientAuth.REQUIRE;
    } else {
        clientAuth = ClientAuth.NONE;
    }

    final SslContext clientContext = createRestNettySSLContext(config, true, clientAuth);
    if (clientContext != null) {
        // NOTE(review): the two -1 arguments appear to mean "no explicit timeout" — confirm against SSLHandlerFactory.
        return new SSLHandlerFactory(clientContext, -1, -1);
    }
    throw new IllegalConfigurationException("SSL is not enabled for REST endpoints.");
}
Also used : IllegalConfigurationException(org.apache.flink.configuration.IllegalConfigurationException) SSLHandlerFactory(org.apache.flink.runtime.io.network.netty.SSLHandlerFactory) ClientAuth(org.apache.flink.shaded.netty4.io.netty.handler.ssl.ClientAuth) JdkSslContext(org.apache.flink.shaded.netty4.io.netty.handler.ssl.JdkSslContext) SslContext(org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContext)
