Example 1 with SslClientAuthMode

Use of org.xnio.SslClientAuthMode in project undertow by undertow-io: the accept method of the class UndertowAcceptingSslChannel.

public UndertowSslConnection accept() throws IOException {
    final StreamConnection tcpConnection = tcpServer.accept();
    if (tcpConnection == null) {
        return null;
    }
    try {
        final InetSocketAddress peerAddress = tcpConnection.getPeerAddress(InetSocketAddress.class);
        final SSLEngine engine = ssl.getSslContext().createSSLEngine(getHostNameNoResolve(peerAddress), peerAddress.getPort());
        final boolean clientMode = useClientMode != 0;
        engine.setUseClientMode(clientMode);
        if (!clientMode) {
            // Server side only: map the XNIO client-auth mode onto the SSLEngine flags.
            final SslClientAuthMode clientAuthMode = UndertowAcceptingSslChannel.this.clientAuthMode;
            if (clientAuthMode != null)
                switch(clientAuthMode) {
                    case NOT_REQUESTED:
                        // No CertificateRequest is sent during the handshake.
                        engine.setNeedClientAuth(false);
                        engine.setWantClientAuth(false);
                        break;
                    case REQUESTED:
                        // A certificate is requested, but the handshake still succeeds without one.
                        engine.setWantClientAuth(true);
                        break;
                    case REQUIRED:
                        // The handshake fails unless the client presents a certificate.
                        engine.setNeedClientAuth(true);
                        break;
                    default:
                        throw new IllegalStateException();
                }
        }
        engine.setEnableSessionCreation(enableSessionCreation != 0);
        // Configured cipher suites the engine does not support are silently dropped rather than rejected.
        final String[] cipherSuites = UndertowAcceptingSslChannel.this.cipherSuites;
        if (cipherSuites != null) {
            final Set<String> supported = new HashSet<>(Arrays.asList(engine.getSupportedCipherSuites()));
            final List<String> finalList = new ArrayList<>();
            for (String name : cipherSuites) {
                if (supported.contains(name)) {
                    finalList.add(name);
                }
            }
            engine.setEnabledCipherSuites(finalList.toArray(new String[finalList.size()]));
        }
        // Same filtering for protocol versions: unknown names are ignored, supported ones are enabled.
        final String[] protocols = UndertowAcceptingSslChannel.this.protocols;
        if (protocols != null) {
            final Set<String> supported = new HashSet<>(Arrays.asList(engine.getSupportedProtocols()));
            final List<String> finalList = new ArrayList<>();
            for (String name : protocols) {
                if (supported.contains(name)) {
                    finalList.add(name);
                }
            }
            engine.setEnabledProtocols(finalList.toArray(new String[finalList.size()]));
        }
        return accept(tcpConnection, engine);
    } catch (IOException | RuntimeException e) {
        IoUtils.safeClose(tcpConnection);
        UndertowLogger.REQUEST_LOGGER.failedToAcceptSSLRequest(e);
        return null;
    }
}

Example 2 with SslClientAuthMode

Use of org.xnio.SslClientAuthMode in project undertow by undertow-io: the renegotiateNoRequest method of the class ConnectionSSLSessionInfo.

public void renegotiateNoRequest(HttpServerExchange exchange, SslClientAuthMode newAuthMode) throws IOException {
    AbstractServerConnection.ConduitState oldState = serverConnection.resetChannel();
    try {
        SslClientAuthMode sslClientAuthMode = channel.getOption(Options.SSL_CLIENT_AUTH_MODE);
        // Only renegotiate if the connection was set up without asking for a client certificate.
        if (sslClientAuthMode == SslClientAuthMode.NOT_REQUESTED) {
            SslHandshakeWaiter waiter = new SslHandshakeWaiter();
            channel.getHandshakeSetter().set(waiter);
            //we use requested, to play nicely with other auth modes
            channel.setOption(Options.SSL_CLIENT_AUTH_MODE, newAuthMode);
            channel.getSslSession().invalidate();
            channel.startHandshake();
            serverConnection.getOriginalSinkConduit().flush();
            ByteBuffer buff = ByteBuffer.wrap(new byte[1]);
            // Bound the wait so a peer that never completes the handshake cannot hold the connection indefinitely.
            long end = System.currentTimeMillis() + MAX_RENEGOTIATION_WAIT;
            while (!waiter.isDone() && serverConnection.isOpen() && System.currentTimeMillis() < end) {
                // Any application data arriving before the handshake completes is treated as a failure.
                int read = serverConnection.getSourceChannel().read(buff);
                if (read != 0) {
                    throw new SSLPeerUnverifiedException("");
                }
                if (!waiter.isDone()) {
                    serverConnection.getSourceChannel().awaitReadable(end - System.currentTimeMillis(), TimeUnit.MILLISECONDS);
                }
            }
            if (!waiter.isDone()) {
                if (serverConnection.isOpen()) {
                    IoUtils.safeClose(serverConnection);
                    throw UndertowMessages.MESSAGES.rengotiationTimedOut();
                } else {
                    IoUtils.safeClose(serverConnection);
                    throw UndertowMessages.MESSAGES.rengotiationFailed();
                }
            }
        }
    } finally {
        if (oldState != null) {
            serverConnection.restoreChannel(oldState);
        }
    }
}