Example 51 with SslHandler

use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslHandler in project netty by netty.

the class OcspServerExample method newServerHandler.

private static ChannelInitializer<Channel> newServerHandler(final ReferenceCountedOpenSslContext context, final OCSPResp response) {
    return new ChannelInitializer<Channel>() {

        @Override
        protected void initChannel(Channel ch) throws Exception {
            SslHandler sslHandler = context.newHandler(ch.alloc());
            if (response != null) {
                ReferenceCountedOpenSslEngine engine = (ReferenceCountedOpenSslEngine) sslHandler.engine();
                engine.setOcspResponse(response.getEncoded());
            }
            ChannelPipeline pipeline = ch.pipeline();
            pipeline.addLast(sslHandler);
            // so on and so forth...
        }
    };
}
Also used : ReferenceCountedOpenSslEngine(io.netty.handler.ssl.ReferenceCountedOpenSslEngine) Channel(io.netty.channel.Channel) ChannelInitializer(io.netty.channel.ChannelInitializer) SslHandler(io.netty.handler.ssl.SslHandler) ChannelPipeline(io.netty.channel.ChannelPipeline)

Example 52 with SslHandler

use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslHandler in project zuul by Netflix.

the class Http1MutualSslChannelInitializer method initChannel.

@Override
protected void initChannel(Channel ch) throws Exception {
    SslHandler sslHandler = sslContext.newHandler(ch.alloc());
    sslHandler.engine().setEnabledProtocols(sslContextFactory.getProtocols());
    // Configure our pipeline of ChannelHandlerS.
    ChannelPipeline pipeline = ch.pipeline();
    storeChannel(ch);
    addTimeoutHandlers(pipeline);
    addPassportHandler(pipeline);
    addTcpRelatedHandlers(pipeline);
    pipeline.addLast("ssl", sslHandler);
    addSslInfoHandlers(pipeline, isSSlFromIntermediary);
    addSslClientCertChecks(pipeline);
    addHttp1Handlers(pipeline);
    addHttpRelatedHandlers(pipeline);
    addZuulHandlers(pipeline);
}
Also used : SslHandler(io.netty.handler.ssl.SslHandler) ChannelPipeline(io.netty.channel.ChannelPipeline)

Example 53 with SslHandler

use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslHandler in project zuul by Netflix.

the class Http2SslChannelInitializer method initChannel.

@Override
protected void initChannel(Channel ch) throws Exception {
    SslHandler sslHandler = sslContext.newHandler(ch.alloc());
    sslHandler.engine().setEnabledProtocols(serverSslConfig.getProtocols());
    if (LOG.isDebugEnabled()) {
        LOG.debug("ssl protocols supported: {}", String.join(", ", sslHandler.engine().getSupportedProtocols()));
        LOG.debug("ssl protocols enabled: {}", String.join(", ", sslHandler.engine().getEnabledProtocols()));
        LOG.debug("ssl ciphers supported: {}", String.join(", ", sslHandler.engine().getSupportedCipherSuites()));
        LOG.debug("ssl ciphers enabled: {}", String.join(", ", sslHandler.engine().getEnabledCipherSuites()));
    }
    // Configure our pipeline of ChannelHandlerS.
    ChannelPipeline pipeline = ch.pipeline();
    storeChannel(ch);
    addTimeoutHandlers(pipeline);
    addPassportHandler(pipeline);
    addTcpRelatedHandlers(pipeline);
    pipeline.addLast(new Http2FrameLoggingPerClientIpHandler());
    pipeline.addLast("ssl", sslHandler);
    addSslInfoHandlers(pipeline, isSSlFromIntermediary);
    addSslClientCertChecks(pipeline);
    Http2MetricsChannelHandlers http2MetricsChannelHandlers = new Http2MetricsChannelHandlers(registry, "server", "http2-" + metricId);
    Http2ConnectionCloseHandler connectionCloseHandler = new Http2ConnectionCloseHandler(registry);
    Http2ConnectionExpiryHandler connectionExpiryHandler = new Http2ConnectionExpiryHandler(maxRequestsPerConnection, maxRequestsPerConnectionInBrownout, connectionExpiry);
    pipeline.addLast("http2CodecSwapper", new Http2OrHttpHandler(new Http2StreamInitializer(ch, this::http1Handlers, http2MetricsChannelHandlers, connectionCloseHandler, connectionExpiryHandler), channelConfig, cp -> {
        http1Codec(cp);
        http1Handlers(cp);
    }));
    pipeline.addLast("codec_placeholder", DUMMY_HANDLER);
    pipeline.addLast(swallowSomeHttp2ExceptionsHandler);
}
Also used : Http2FrameLoggingPerClientIpHandler(com.netflix.zuul.logging.Http2FrameLoggingPerClientIpHandler) ChannelGroup(io.netty.channel.group.ChannelGroup) Logger(org.slf4j.Logger) SslContext(io.netty.handler.ssl.SslContext) SwallowSomeHttp2ExceptionsHandler(com.netflix.netty.common.SwallowSomeHttp2ExceptionsHandler) ServerSslConfig(com.netflix.netty.common.ssl.ServerSslConfig) Preconditions.checkNotNull(com.google.common.base.Preconditions.checkNotNull) LoggerFactory(org.slf4j.LoggerFactory) ChannelPipeline(io.netty.channel.ChannelPipeline) BaseZuulChannelInitializer(com.netflix.zuul.netty.server.BaseZuulChannelInitializer) CommonChannelConfigKeys(com.netflix.netty.common.channel.config.CommonChannelConfigKeys) Channel(io.netty.channel.Channel) SslHandler(io.netty.handler.ssl.SslHandler) Http2ConnectionExpiryHandler(com.netflix.netty.common.Http2ConnectionExpiryHandler) SslContextFactory(com.netflix.zuul.netty.ssl.SslContextFactory) Http2ConnectionCloseHandler(com.netflix.netty.common.Http2ConnectionCloseHandler) ChannelConfig(com.netflix.netty.common.channel.config.ChannelConfig) Http2MetricsChannelHandlers(com.netflix.netty.common.metrics.Http2MetricsChannelHandlers)

Example 54 with SslHandler

use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslHandler in project zuul by Netflix.

the class SslHandshakeInfoHandler method userEventTriggered.

@Override
public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception {
    if (evt instanceof SslHandshakeCompletionEvent) {
        try {
            SslHandshakeCompletionEvent sslEvent = (SslHandshakeCompletionEvent) evt;
            if (sslEvent.isSuccess()) {
                CurrentPassport.fromChannel(ctx.channel()).add(PassportState.SERVER_CH_SSL_HANDSHAKE_COMPLETE);
                SslHandler sslhandler = ctx.channel().pipeline().get(SslHandler.class);
                SSLSession session = sslhandler.engine().getSession();
                ClientAuth clientAuth = whichClientAuthEnum(sslhandler);
                Certificate serverCert = null;
                X509Certificate peerCert = null;
                if ((clientAuth == ClientAuth.REQUIRE || clientAuth == ClientAuth.OPTIONAL) && session.getPeerCertificates() != null && session.getPeerCertificates().length > 0) {
                    peerCert = (X509Certificate) session.getPeerCertificates()[0];
                }
                if (session.getLocalCertificates() != null && session.getLocalCertificates().length > 0) {
                    serverCert = session.getLocalCertificates()[0];
                }
                SslHandshakeInfo info = new SslHandshakeInfo(isSSlFromIntermediary, session.getProtocol(), session.getCipherSuite(), clientAuth, serverCert, peerCert);
                ctx.channel().attr(ATTR_SSL_INFO).set(info);
                // Metrics.
                incrementCounters(sslEvent, info);
                logger.debug("Successful SSL Handshake: {}", info);
            } else {
                String clientIP = ctx.channel().attr(SourceAddressChannelHandler.ATTR_SOURCE_ADDRESS).get();
                Throwable cause = sslEvent.cause();
                PassportState passportState = CurrentPassport.fromChannel(ctx.channel()).getState();
                if (cause instanceof ClosedChannelException && (PassportState.SERVER_CH_INACTIVE.equals(passportState) || PassportState.SERVER_CH_IDLE_TIMEOUT.equals(passportState))) {
                    // Either client closed the connection without/before having completed a handshake, or
                    // the connection idle timed-out before handshake.
                    // NOTE: we were seeing a lot of these in prod and can repro by just telnetting to port and then closing terminal
                    // without sending anything.
                    // So don't treat these as SSL handshake failures.
                    logger.debug("Client closed connection or it idle timed-out without doing an ssl handshake, client_ip = " + clientIP + ", channel_info = " + ChannelUtils.channelInfoForLogging(ctx.channel()));
                } else if (cause instanceof SSLException && cause.getMessage().contains("handshake timed out")) {
                    logger.debug("Client timed-out doing the ssl handshake, client_ip = " + clientIP + ", channel_info = " + ChannelUtils.channelInfoForLogging(ctx.channel()));
                } else if (cause instanceof SSLException && cause.getMessage().contains("failure when writing TLS control frames")) {
                    // This can happen if the ClientHello is sent followed by a RST packet, before we can respond.
                    logger.debug("Client terminated handshake early, client_ip = " + clientIP + ", channel_info = " + ChannelUtils.channelInfoForLogging(ctx.channel()));
                } else {
                    String msg = "Unsuccessful SSL Handshake: " + sslEvent + ", client_ip = " + clientIP + ", channel_info = " + ChannelUtils.channelInfoForLogging(ctx.channel()) + ", error = " + cause;
                    if (cause instanceof ClosedChannelException) {
                        logger.debug(msg);
                    } else {
                        logger.debug(msg, cause);
                    }
                    incrementCounters(sslEvent, null);
                }
            }
        } catch (Throwable e) {
            logger.warn("Error getting the SSL handshake info.", e);
        } finally {
            // Now remove this handler from the pipeline as no longer needed once the ssl handshake has completed.
            ctx.pipeline().remove(this);
        }
    } else if (evt instanceof SslCloseCompletionEvent) {
        // TODO - increment a separate metric for this event?
    } else if (evt instanceof SniCompletionEvent) {
        logger.debug("SNI Parsing Complete: {}", evt);
        SniCompletionEvent sniCompletionEvent = (SniCompletionEvent) evt;
        if (sniCompletionEvent.isSuccess()) {
            spectatorRegistry.counter("zuul.sni.parse.success").increment();
        } else {
            Throwable cause = sniCompletionEvent.cause();
            spectatorRegistry.counter("zuul.sni.parse.failure", "cause", cause != null ? cause.getMessage() : "UNKNOWN").increment();
        }
    }
    super.userEventTriggered(ctx, evt);
}
Also used : ClosedChannelException(java.nio.channels.ClosedChannelException) SslHandshakeCompletionEvent(io.netty.handler.ssl.SslHandshakeCompletionEvent) SniCompletionEvent(io.netty.handler.ssl.SniCompletionEvent) SSLSession(javax.net.ssl.SSLSession) ClientAuth(io.netty.handler.ssl.ClientAuth) SSLException(javax.net.ssl.SSLException) SslHandler(io.netty.handler.ssl.SslHandler) X509Certificate(java.security.cert.X509Certificate) PassportState(com.netflix.zuul.passport.PassportState) SslHandshakeInfo(com.netflix.netty.common.ssl.SslHandshakeInfo) SslCloseCompletionEvent(io.netty.handler.ssl.SslCloseCompletionEvent) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Example 55 with SslHandler

use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslHandler in project grpc-java by grpc.

the class ProtocolNegotiatorsTest method tlsHandler_handlerAddedAddsSslHandler.

@Test
public void tlsHandler_handlerAddedAddsSslHandler() throws Exception {
    ChannelHandler handler = new ServerTlsHandler(grpcHandler, sslContext, null);
    pipeline.addLast(handler);
    assertTrue(pipeline.first() instanceof SslHandler);
}
Also used : ServerTlsHandler(io.grpc.netty.ProtocolNegotiators.ServerTlsHandler) ChannelHandler(io.netty.channel.ChannelHandler) SslHandler(io.netty.handler.ssl.SslHandler) Test(org.junit.Test)

Aggregations

SslHandler (io.netty.handler.ssl.SslHandler) 141
SSLEngine (javax.net.ssl.SSLEngine) 51
ChannelPipeline (io.netty.channel.ChannelPipeline) 37
Channel (io.netty.channel.Channel) 29
ChannelHandler (io.netty.channel.ChannelHandler) 23
ChannelHandlerContext (io.netty.channel.ChannelHandlerContext) 23
SslContext (io.netty.handler.ssl.SslContext) 21
IOException (java.io.IOException) 16
NioSocketChannel (io.netty.channel.socket.nio.NioSocketChannel) 15
Test (org.junit.Test) 15
NioEventLoopGroup (io.netty.channel.nio.NioEventLoopGroup) 14
ChannelInitializer (io.netty.channel.ChannelInitializer) 13
SocketChannel (io.netty.channel.socket.SocketChannel) 13
SSLSession (javax.net.ssl.SSLSession) 12
ByteBuf (io.netty.buffer.ByteBuf) 11
ChunkedWriteHandler (io.netty.handler.stream.ChunkedWriteHandler) 11
IdleStateHandler (io.netty.handler.timeout.IdleStateHandler) 11
ServerBootstrap (io.netty.bootstrap.ServerBootstrap) 10
HttpObjectAggregator (io.netty.handler.codec.http.HttpObjectAggregator) 10
File (java.io.File) 10