io.netty.handler.ssl.ClientAuth Java Examples

Example #1
Source File: LoadBalanceClusterMessageSenderWithTLSTest.java    From txle with Apache License 2.0 6 votes vote down vote up
/**
 * Builds the server-side {@link SslContextBuilder} for this test: the server
 * identity comes from the {@code server.crt}/{@code server.pem} resources and
 * mutual TLS is enforced by trusting {@code client.crt} and requiring a client
 * certificate ({@link ClientAuth#REQUIRE}).
 *
 * <p>{@code getResource(...).getFile()} only yields a usable path while the
 * resources live on the file system (not inside a jar), and the enabled
 * protocol list still contains the deprecated TLSv1.1.
 *
 * @return the builder, finished for the OpenSSL provider by
 *     {@link GrpcSslContexts#configure}
 */
private static SslContextBuilder getSslContextBuilder() {
  ClassLoader loader = LoadBalanceClusterMessageSenderWithTLSTest.class.getClassLoader();
  File serverCert = new File(loader.getResource("server.crt").getFile());
  File serverKey = new File(loader.getResource("server.pem").getFile());
  File clientCert = new File(loader.getResource("client.crt").getFile());

  SslContextBuilder builder = SslContextBuilder.forServer(serverCert, serverKey)
      .protocols("TLSv1.2", "TLSv1.1")
      .ciphers(Arrays.asList(
          "ECDHE-RSA-AES128-GCM-SHA256",
          "ECDHE-RSA-AES256-GCM-SHA384",
          "ECDHE-ECDSA-AES128-SHA256"))
      .trustManager(clientCert)
      .clientAuth(ClientAuth.REQUIRE);

  return GrpcSslContexts.configure(builder, SslProvider.OPENSSL);
}
 
Example #2
Source File: GrpcStartable.java    From txle with Apache License 2.0 6 votes vote down vote up
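/**
 * Builds the gRPC server {@link SslContextBuilder} from {@code ssl.properties}
 * (keys {@code protocols} and {@code ciphers}) and the certificate/key resources
 * named in {@code config}. When {@link GrpcServerConfig#isMutualAuth()} is set,
 * the CA from {@code config.getClientCert()} is trusted and a client certificate
 * is required ({@link ClientAuth#REQUIRE}); otherwise clients are not
 * authenticated at the TLS layer.
 *
 * <p>The certificate/key streams obtained from {@code getInputStream} are handed
 * to Netty and are not closed here.
 *
 * @param config server TLS configuration (certificate, key, client CA, mutual-auth flag)
 * @return the builder, finished for the OpenSSL provider
 * @throws IllegalStateException if {@code ssl.properties} is missing or unreadable,
 *     or lacks the {@code protocols}/{@code ciphers} keys
 */
private SslContextBuilder getSslContextBuilder(GrpcServerConfig config) {
    ClassLoader classLoader = getClass().getClassLoader();
    Properties prop = new Properties();
    // try-with-resources closes the properties stream; a missing resource is
    // reported explicitly instead of surfacing as a NullPointerException.
    try (InputStream in = classLoader.getResourceAsStream("ssl.properties")) {
      if (in == null) {
        throw new IllegalStateException("Unable to read ssl.properties.");
      }
      prop.load(in);
    } catch (IOException e) {
      throw new IllegalStateException("Unable to read ssl.properties.", e);
    }

    String protocols = requireProperty(prop, "protocols");
    String ciphers = requireProperty(prop, "ciphers");

    InputStream cert = getInputStream(classLoader, config.getCert(), "Server Cert");
    InputStream key = getInputStream(classLoader, config.getKey(), "Server Key");

    SslContextBuilder builder = SslContextBuilder.forServer(cert, key)
        .protocols(protocols)
        .ciphers(Arrays.asList(ciphers.split(",")));
    if (config.isMutualAuth()) {
      InputStream clientCert = getInputStream(classLoader, config.getClientCert(), "Client Cert");
      builder.trustManager(clientCert);
      builder.clientAuth(ClientAuth.REQUIRE);
    }
    return GrpcSslContexts.configure(builder, SslProvider.OPENSSL);
  }

  /** Reads a mandatory key from {@code ssl.properties}, failing with a clear message when absent. */
  private static String requireProperty(Properties prop, String name) {
    String value = prop.getProperty(name);
    if (value == null) {
      throw new IllegalStateException("ssl.properties is missing the '" + name + "' property.");
    }
    return value;
  }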
 
Example #3
Source File: NettyBootstrap.java    From WeCross with Apache License 2.0 6 votes vote down vote up
/**
 * Builds the server {@link SslContext} for a p2p connection using the JDK
 * provider. The node certificate and key identify this node, {@code caCrt} is
 * the trust anchor for peer certificates, and every peer must present a
 * certificate ({@link ClientAuth#REQUIRE}). The resource streams opened here are
 * passed to Netty and not closed by this method.
 *
 * @param caCrt   CA certificate used to verify the peer certificate
 * @param nodeCrt this node's certificate chain
 * @param nodeKey this node's private key
 * @return the built server context
 * @throws IOException if a resource cannot be opened
 */
public SslContext initSslContextForServer(
        org.springframework.core.io.Resource caCrt,
        org.springframework.core.io.Resource nodeCrt,
        org.springframework.core.io.Resource nodeKey)
        throws IOException {

    SslContextBuilder builder =
            SslContextBuilder.forServer(nodeCrt.getInputStream(), nodeKey.getInputStream());
    builder.trustManager(caCrt.getInputStream());
    builder.sslProvider(SslProvider.JDK);
    builder.clientAuth(ClientAuth.REQUIRE);

    return builder.build();
}
 
Example #4
Source File: RPCBootstrap.java    From WeCross with Apache License 2.0 6 votes vote down vote up
/**
 * Builds the server {@link SslContext} for the HTTP server using the JDK
 * provider. The node certificate/key identify the server and {@code caCrt} is
 * the trust anchor for client certificates. A client certificate is only
 * required when {@code sslSwitch} equals
 * {@code RPCConfig.SSLSwitch.SSL_ON_CLIENT_AUTH}; for any other value the trust
 * manager is installed but {@code clientAuth} is left at the builder default,
 * so clients are not asked for a certificate.
 *
 * @param caCrt     CA certificate used to verify client certificates
 * @param nodeCrt   server certificate chain
 * @param nodeKey   server private key
 * @param sslSwitch SSL mode selector compared against {@code SSL_ON_CLIENT_AUTH}
 * @return the built server context
 * @throws IOException if a resource cannot be opened
 */
public SslContext initSslContextForServer(
        org.springframework.core.io.Resource caCrt,
        org.springframework.core.io.Resource nodeCrt,
        org.springframework.core.io.Resource nodeKey,
        int sslSwitch)
        throws IOException {

    boolean requireClientCert = sslSwitch == RPCConfig.SSLSwitch.SSL_ON_CLIENT_AUTH.getSwh();

    SslContextBuilder builder =
            SslContextBuilder.forServer(nodeCrt.getInputStream(), nodeKey.getInputStream());
    builder.trustManager(caCrt.getInputStream());
    builder.sslProvider(SslProvider.JDK);

    if (requireClientCert) {
        logger.info(" clientAuth ");
        builder.clientAuth(ClientAuth.REQUIRE);
    }

    return builder.build();
}
 
Example #5
Source File: Http2NettyTest.java    From grpc-nebula-java with Apache License 2.0 6 votes vote down vote up
/**
 * Builds the HTTPS test server: {@code server1.pem}/{@code server1.key} as
 * identity, {@code ca.pem} as the only trust anchor, a client certificate
 * required ({@link ClientAuth#REQUIRE}) and the test's preferred cipher list.
 * Port 0 lets the OS pick a free port. An {@link IOException} while loading the
 * certificates is wrapped in a {@link RuntimeException}.
 */
@Override
protected AbstractServerImplBuilder<?> getServerBuilder() {
  // Starts the server with HTTPS.
  SslContext sslContext;
  try {
    sslContext = GrpcSslContexts
        .forServer(TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key"))
        .clientAuth(ClientAuth.REQUIRE)
        .trustManager(TestUtils.loadCert("ca.pem"))
        .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
        .build();
  } catch (IOException ex) {
    throw new RuntimeException(ex);
  }
  return NettyServerBuilder.forPort(0)
      .flowControlWindow(65 * 1024)
      .maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
      .sslContext(sslContext);
}
 
Example #6
Source File: ConcurrencyTest.java    From grpc-nebula-java with Apache License 2.0 6 votes vote down vote up
/**
 * Creates and starts a new {@link TestServiceImpl} server.
 *
 * <p>The server presents {@code server1.pem}/{@code server1.key}, trusts only
 * {@code ca.pem} for client certificates and requires every client to present
 * one ({@link ClientAuth#REQUIRE}). Port 0 lets the OS pick a free port.
 *
 * @return the started server
 * @throws CertificateException if {@code ca.pem} cannot be parsed
 * @throws IOException if a certificate file cannot be read or the server cannot start
 */
private Server newServer() throws CertificateException, IOException {
  File certChain = TestUtils.loadCert("server1.pem");
  File privateKey = TestUtils.loadCert("server1.key");
  X509Certificate caCert = TestUtils.loadX509Cert("ca.pem");

  SslContext sslContext = GrpcSslContexts.forServer(certChain, privateKey)
      .trustManager(new X509Certificate[] {caCert})
      .clientAuth(ClientAuth.REQUIRE)
      .build();

  Server server = NettyServerBuilder.forPort(0)
      .sslContext(sslContext)
      .addService(new TestServiceImpl(serverExecutor))
      .build();
  return server.start();
}
 
Example #7
Source File: SslContextFactory.java    From xio with Apache License 2.0 6 votes vote down vote up
/**
 * Builds a server {@link SslContext} from {@code config}, wrapping the supplied
 * trust manager factory in an {@link XioTrustManagerFactory}. {@code clientAuth}
 * is applied only when non-null; otherwise the builder default is kept.
 *
 * <p>An {@link SSLException} raised while configuring or building is swallowed
 * and {@code null} is returned, so the cause of a misconfiguration is lost and
 * callers must null-check the result.
 *
 * @param config       TLS settings applied through {@code configure}
 * @param trustManager factory providing the trust anchors for client certificates
 * @param clientAuth   client-certificate policy, or {@code null} to keep the default
 * @return the built context, or {@code null} if building failed
 */
public static SslContext buildServerContext(
    TlsConfig config, TrustManagerFactory trustManager, @Nullable ClientAuth clientAuth) {
  try {
    SslContextBuilder builder = configure(config, newServerBuilder(config));
    builder.trustManager(new XioTrustManagerFactory(trustManager));
    if (clientAuth != null) {
      builder.clientAuth(clientAuth);
    }
    return builder.build();
  } catch (SSLException e) {
    return null;
  }
}
 
Example #8
Source File: Http2NettyTest.java    From grpc-java with Apache License 2.0 6 votes vote down vote up
/**
 * Builds the HTTPS test server: {@code server1.pem}/{@code server1.key} as
 * identity, {@code ca.pem} as the only trust anchor, a client certificate
 * required ({@link ClientAuth#REQUIRE}) and the test's preferred cipher list.
 * Port 0 lets the OS pick a free port. An {@link IOException} while loading the
 * certificates is wrapped in a {@link RuntimeException}.
 */
@Override
protected AbstractServerImplBuilder<?> getServerBuilder() {
  // Starts the server with HTTPS.
  SslContext sslContext;
  try {
    sslContext = GrpcSslContexts
        .forServer(TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key"))
        .clientAuth(ClientAuth.REQUIRE)
        .trustManager(TestUtils.loadCert("ca.pem"))
        .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
        .build();
  } catch (IOException ex) {
    throw new RuntimeException(ex);
  }
  return NettyServerBuilder.forPort(0)
      .flowControlWindow(65 * 1024)
      .maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
      .sslContext(sslContext);
}
 
Example #9
Source File: NettySslHandler.java    From iot-mqtt with Apache License 2.0 6 votes vote down vote up
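/**
 * Creates the server {@link SslContext} (JDK provider) from a key store file.
 *
 * <p>When {@code useClientCA} is set, a client certificate is required
 * ({@link ClientAuth#REQUIRE}) and the <em>same</em> key store is used as the
 * trust store, so every certificate entry in it becomes a trust anchor for
 * client certificates. Both passwords are used as-is ({@code toCharArray}), so
 * neither may be {@code null}.
 *
 * <p>Any failure is logged with its stack trace and {@code null} is returned;
 * callers must null-check the result.
 *
 * @param useClientCA     whether to enforce two-way (mutual) authentication
 * @param sslKeyStoreType key store type passed to {@link KeyStore#getInstance(String)}
 * @param sslKeyFilePath  path of the key store file
 * @param sslManagerPwd   key (manager) password
 * @param sslStorePwd     key store password
 * @return the built context, or {@code null} on failure
 */
private static SslContext createSSLContext(boolean useClientCA, String sslKeyStoreType, String sslKeyFilePath, String sslManagerPwd, String sslStorePwd) {
    try {
        KeyStore ks = KeyStore.getInstance(sslKeyStoreType);
        // try-with-resources: the key store stream was previously never closed
        try (InputStream ksInputStream = new FileInputStream(sslKeyFilePath)) {
            ks.load(ksInputStream, sslStorePwd.toCharArray());
        }

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, sslManagerPwd.toCharArray());
        SslContextBuilder contextBuilder = SslContextBuilder.forServer(kmf);

        // whether need client CA(two-way authentication)
        if (useClientCA) {
            contextBuilder.clientAuth(ClientAuth.REQUIRE);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
            contextBuilder.trustManager(tmf);
        }
        return contextBuilder.sslProvider(SslProvider.JDK).build();
    } catch (Exception ex) {
        // Pass the exception as the throwable argument so the stack trace is logged,
        // instead of formatting it into the message via a "{}" placeholder.
        log.error("Create ssl context failure.", ex);
        return null;
    }
}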
 
Example #10
Source File: SecureChatServer.java    From julongchain with Apache License 2.0 6 votes vote down vote up
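/**
 * Entry point: starts the GM secure chat server on {@code PORT}.
 *
 * <p>The context is built from the configured encryption and signing
 * certificate material ({@code ENC_CERT}/{@code ENC_KEY}/{@code SIGN_CERT}/
 * {@code SIGN_KEY}); the previously created but unused
 * {@code SelfSignedCertificate} has been dropped, as it only generated a
 * throwaway key pair on every start. The event loop groups are always shut down,
 * even when binding fails.
 *
 * @param args unused
 * @throws Exception if the context cannot be built or the server cannot bind
 */
public static void main(String[] args) throws Exception {
    SslContext sslCtx = SslContextGMBuilder.forServer(ENC_CERT, ENC_KEY, SIGN_CERT, SIGN_KEY, null)
            /* The negotiated suite is ECDHE_SM4_SM3 by default, so this must be mutual TLS and
               both client and server must hold an encryption certificate and a signing certificate. */
            .clientAuth(ClientAuth.REQUIRE)
            .build();

    EventLoopGroup bossGroup = new NioEventLoopGroup(1);
    EventLoopGroup workerGroup = new NioEventLoopGroup();
    try {
        ServerBootstrap b = new ServerBootstrap();
        b.group(bossGroup, workerGroup)
         .channel(NioServerSocketChannel.class)
         .handler(new LoggingHandler(LogLevel.INFO))
         .childHandler(new SecureChatServerInitializer(sslCtx));

        // Block until the server channel is closed.
        b.bind(PORT).sync().channel().closeFuture().sync();
    } finally {
        bossGroup.shutdownGracefully();
        workerGroup.shutdownGracefully();
    }
}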
 
Example #11
Source File: DockerServiceFactory.java    From haven-platform with Apache License 2.0 6 votes vote down vote up
/**
 * Installs the TLS context used for the Docker endpoint at {@code addr}.
 *
 * <ul>
 *   <li>{@code checkSsl == false}: the context trusts every certificate via
 *       {@code SSLUtil.NullX509TrustManager}, i.e. no server verification at all.</li>
 *   <li>{@code keystore} set: the JKS is loaded (empty password when
 *       {@code storepass} is null) and its trust managers are combined with the
 *       JDK default ones; if the resource does not exist a warning is logged and
 *       the factory is left untouched.</li>
 *   <li>otherwise the {@code SSLContext} is created but never initialised before
 *       being wrapped; NOTE(review): the first engine created from it is then
 *       expected to fail — confirm this branch is unreachable or intended.</li>
 * </ul>
 * The wrapped context is a client context ({@code isClient = true}); the
 * {@link ClientAuth#OPTIONAL} argument presumably has no effect on that side.
 *
 * @param addr    endpoint address, for logging only
 * @param factory request factory receiving the context
 * @throws Exception if the key store or trust managers cannot be initialised
 */
private void initSsl(String addr, NettyRequestFactory factory) throws Exception {
    SSLContext sslc = SSLContext.getInstance("TLS");
    if (!checkSsl) {
        log.debug("disable any SSL check on {} address", addr);
        TrustManager[] trustAll = {new SSLUtil.NullX509TrustManager()};
        sslc.init(null, trustAll, null);
    } else if (StringUtils.hasText(keystore)) {
        log.debug("use SSL trusted store {} on {} address", keystore, addr);
        String alg = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory jdkDefault = TrustManagerFactory.getInstance(alg);
        jdkDefault.init((KeyStore) null); // JDK default trust anchors
        Resource resource = resourceLoader.getResource(keystore);
        if (!resource.exists()) {
            log.warn("Specified JKS {} is not exists.", keystore);
            return;
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        char[] password = storepass == null ? new char[0] : storepass.toCharArray();
        try (InputStream is = resource.getInputStream()) {
            ks.load(is, password);
        }
        TrustManagerFactory fromStore = TrustManagerFactory.getInstance(alg);
        fromStore.init(ks);
        TrustManager combined = SSLUtil.combineX509TrustManagers(fromStore.getTrustManagers(), jdkDefault.getTrustManagers());
        sslc.init(null, new TrustManager[] {combined}, null);
    }
    factory.setSslContext(new JdkSslContext(sslc, true, ClientAuth.OPTIONAL));
}
 
Example #12
Source File: SslFactory.java    From hxy-socket with GNU General Public License v3.0 6 votes vote down vote up
/**
 * Lazily builds and caches the shared server {@link SslContext}.
 *
 * <p>No client certificate is requested ({@link ClientAuth#NONE}) and the
 * cipher list is restricted to {@code CIPHER_ARRAY}. Uses double-checked
 * locking on the static {@code sslContext} field, which is declared outside
 * this block; NOTE(review): that pattern is only safe if the field is
 * {@code volatile} — verify. An {@link SSLException} is logged and the cached
 * value (still {@code null}) is returned, so callers must null-check.
 *
 * @param certFilePath PEM certificate chain file
 * @param keyFilePath  private key file (PKCS#8-encoded {@code .key} expected)
 * @return the cached context, or {@code null} if it could not be built
 */
public static SslContext createSslContext(String certFilePath, String keyFilePath) {
    if (sslContext != null) {
        return sslContext;
    }
    synchronized (SslFactory.class) {
        if (sslContext == null) {
            File cert = new File(certFilePath);
            File key = new File(keyFilePath); // a PKCS#8-encoded .key file is required here
            try {
                sslContext = SslContextBuilder.forServer(cert, key)
                        .clientAuth(ClientAuth.NONE)
                        // only allow the 128-bit suites listed above; normally this line is removed
                        .ciphers(Arrays.asList(CIPHER_ARRAY), IdentityCipherSuiteFilter.INSTANCE_DEFAULTING_TO_SUPPORTED_CIPHERS)
                        .build();
            } catch (SSLException e) {
                logger.error("SSL错误:" + e.toString());
            }
        }
    }
    return sslContext;
}
 
Example #13
Source File: NettySubstitutions.java    From quarkus with Apache License 2.0 6 votes vote down vote up
/**
 * GraalVM substitution for Netty's {@code newServerContextInternal}: every
 * server context is routed to the JDK implementation
 * ({@code Target_io_netty_handler_ssl_JdkSslServerContext}) regardless of
 * {@code provider}. OCSP stapling is rejected up front; all other arguments are
 * forwarded unchanged.
 *
 * @throws IllegalArgumentException if {@code enableOcsp} is true
 * @throws SSLException if the JDK context cannot be created
 */
@Substitute
static SslContext newServerContextInternal(SslProvider provider,
        Provider sslContextProvider,
        X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
        X509Certificate[] keyCertChain, PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
        Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
        long sessionCacheSize, long sessionTimeout, ClientAuth clientAuth, String[] protocols, boolean startTls,
        boolean enableOcsp, String keyStoreType)
        throws SSLException {

    if (enableOcsp) {
        throw new IllegalArgumentException("OCSP is not supported with this SslProvider: " + provider);
    }
    Target_io_netty_handler_ssl_JdkSslServerContext jdkContext =
            new Target_io_netty_handler_ssl_JdkSslServerContext(sslContextProvider,
                    trustCertCollection, trustManagerFactory, keyCertChain, key, keyPassword,
                    keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout,
                    clientAuth, protocols, startTls, keyStoreType);
    // The substitution target is unrelated to SslContext at compile time, hence the double cast.
    return (SslContext) (Object) jdkContext;
}
 
Example #14
Source File: GrpcStartable.java    From servicecomb-pack with Apache License 2.0 6 votes vote down vote up
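/**
 * Builds the gRPC server {@link SslContextBuilder} from {@code ssl.properties}
 * (keys {@code protocols} and {@code ciphers}) and the certificate/key resources
 * named in {@code config}. When {@link GrpcServerConfig#isMutualAuth()} is set,
 * the CA from {@code config.getClientCert()} is trusted and a client certificate
 * is required ({@link ClientAuth#REQUIRE}); otherwise clients are not
 * authenticated at the TLS layer.
 *
 * <p>The certificate/key streams obtained from {@code getInputStream} are handed
 * to Netty and are not closed here.
 *
 * @param config server TLS configuration (certificate, key, client CA, mutual-auth flag)
 * @return the builder, finished for the OpenSSL provider
 * @throws IllegalStateException if {@code ssl.properties} is missing or unreadable,
 *     or lacks the {@code protocols}/{@code ciphers} keys
 */
private SslContextBuilder getSslContextBuilder(GrpcServerConfig config) {
    ClassLoader classLoader = getClass().getClassLoader();
    Properties prop = new Properties();
    // try-with-resources closes the properties stream; a missing resource is
    // reported explicitly instead of surfacing as a NullPointerException.
    try (InputStream in = classLoader.getResourceAsStream("ssl.properties")) {
      if (in == null) {
        throw new IllegalStateException("Unable to read ssl.properties.");
      }
      prop.load(in);
    } catch (IOException e) {
      throw new IllegalStateException("Unable to read ssl.properties.", e);
    }

    String protocols = requireProperty(prop, "protocols");
    String ciphers = requireProperty(prop, "ciphers");

    InputStream cert = getInputStream(classLoader, config.getCert(), "Server Cert");
    InputStream key = getInputStream(classLoader, config.getKey(), "Server Key");

    SslContextBuilder builder = SslContextBuilder.forServer(cert, key)
        .protocols(protocols)
        .ciphers(Arrays.asList(ciphers.split(",")));
    if (config.isMutualAuth()) {
      InputStream clientCert = getInputStream(classLoader, config.getClientCert(), "Client Cert");
      builder.trustManager(clientCert);
      builder.clientAuth(ClientAuth.REQUIRE);
    }
    return GrpcSslContexts.configure(builder, SslProvider.OPENSSL);
  }

  /** Reads a mandatory key from {@code ssl.properties}, failing with a clear message when absent. */
  private static String requireProperty(Properties prop, String name) {
    String value = prop.getProperty(name);
    if (value == null) {
      throw new IllegalStateException("ssl.properties is missing the '" + name + "' property.");
    }
    return value;
  }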
 
Example #15
Source File: HelloWorldServerTls.java    From grpc-java with Apache License 2.0 5 votes vote down vote up
/**
 * Builds the server {@link SslContextBuilder} from the configured certificate
 * chain and private key files. Mutual TLS is enabled only when
 * {@code trustCertCollectionFilePath} is set: that file becomes the trust
 * anchor and a client certificate is required ({@link ClientAuth#REQUIRE});
 * without it the builder keeps its default client-auth setting.
 *
 * @return the builder, finished by {@link GrpcSslContexts#configure}
 */
private SslContextBuilder getSslContextBuilder() {
    File certChain = new File(certChainFilePath);
    File privateKey = new File(privateKeyFilePath);
    SslContextBuilder builder = SslContextBuilder.forServer(certChain, privateKey);
    boolean mutualTls = trustCertCollectionFilePath != null;
    if (mutualTls) {
        builder.trustManager(new File(trustCertCollectionFilePath));
        builder.clientAuth(ClientAuth.REQUIRE);
    }
    return GrpcSslContexts.configure(builder);
}
 
Example #16
Source File: ServerSslConfig.java    From zuul with Apache License 2.0 5 votes vote down vote up
/**
 * Creates a server TLS configuration from explicit values.
 *
 * <p>{@code ciphers} is wrapped with {@link Arrays#asList}, so the stored list is
 * a fixed-size view backed by the caller's array (later writes to that array are
 * visible here); {@code protocols} is stored by reference as well.
 * {@code clientAuthTrustStorePasswordFile} is always {@code null} in this
 * constructor and {@code sessionTimeout} is taken from
 * {@code DEFAULT_SESSION_TIMEOUT}.
 *
 * @param protocols enabled TLS protocol names
 * @param ciphers enabled cipher suite names
 * @param certChainFile server certificate chain file
 * @param keyFile server private key file
 * @param clientAuth whether clients must, may or need not present a certificate
 * @param clientAuthTrustStoreFile trust store used to verify client certificates
 * @param clientAuthTrustStorePassword password of that trust store
 * @param sessionTicketsEnabled whether TLS session tickets are enabled
 */
public ServerSslConfig(
        String[] protocols, String[] ciphers, File certChainFile, File keyFile, ClientAuth clientAuth,
        File clientAuthTrustStoreFile, String clientAuthTrustStorePassword, boolean sessionTicketsEnabled) {
    this.protocols = protocols;
    this.ciphers = Arrays.asList(ciphers);
    this.certChainFile = certChainFile;
    this.keyFile = keyFile;
    this.clientAuth = clientAuth;
    this.clientAuthTrustStoreFile = clientAuthTrustStoreFile;
    this.clientAuthTrustStorePassword = clientAuthTrustStorePassword;
    // Only the in-memory password form is supported by this constructor.
    this.clientAuthTrustStorePasswordFile = null;
    this.sessionTimeout = DEFAULT_SESSION_TIMEOUT.get();
    this.sessionTicketsEnabled = sessionTicketsEnabled;
}
 
Example #17
Source File: SslContextProvider.java    From grpc-java with Apache License 2.0 5 votes vote down vote up
/**
 * Applies the client-authentication policy to {@code sslContextBuilder}.
 *
 * <p>With a validation context, an {@link SdsTrustManagerFactory} built from it
 * becomes the trust manager and the policy is {@link ClientAuth#REQUIRE} when
 * the downstream TLS context requires a client certificate, otherwise
 * {@link ClientAuth#OPTIONAL}. Without one, no client certificate is requested
 * ({@link ClientAuth#NONE}).
 *
 * @param sslContextBuilder          builder to configure
 * @param localCertValidationContext validation context for client certificates, may be null
 * @throws CertificateException if the trust manager factory cannot be built
 * @throws IOException          if certificate material cannot be read
 * @throws CertStoreException   if the certificate store cannot be accessed
 */
protected void setClientAuthValues(
    SslContextBuilder sslContextBuilder, CertificateValidationContext localCertValidationContext)
    throws CertificateException, IOException, CertStoreException {
  DownstreamTlsContext downstreamTlsContext = getDownstreamTlsContext();
  if (localCertValidationContext == null) {
    sslContextBuilder.clientAuth(ClientAuth.NONE);
    return;
  }
  sslContextBuilder.trustManager(new SdsTrustManagerFactory(localCertValidationContext));
  ClientAuth policy = ClientAuth.OPTIONAL;
  if (downstreamTlsContext.isRequireClientCertificate()) {
    policy = ClientAuth.REQUIRE;
  }
  sslContextBuilder.clientAuth(policy);
}
 
Example #18
Source File: StripUntrustedProxyHeadersHandler.java    From zuul with Apache License 2.0 5 votes vote down vote up
/**
 * Returns whether the channel's TLS handshake enforced a client certificate,
 * i.e. the handshake info attached by {@code SslHandshakeInfoHandler} is present
 * and its requirement is {@link ClientAuth#REQUIRE}. A channel without handshake
 * info (e.g. plaintext) yields {@code false}.
 *
 * @param ch the connection to inspect
 * @return true only for mutual TLS with enforced client authentication
 */
@VisibleForTesting
boolean connectionIsUsingMutualSSLWithAuthEnforced(Channel ch)
{
    SslHandshakeInfo info = ch.attr(SslHandshakeInfoHandler.ATTR_SSL_INFO).get();
    return info != null && info.getClientAuthRequirement() == ClientAuth.REQUIRE;
}
 
Example #19
Source File: TlsTest.java    From grpc-java with Apache License 2.0 5 votes vote down vote up
/**
 * Builds a Netty server builder on {@code port} with mutual TLS: the given
 * certificate chain/key as identity, {@code serverTrustedCaCerts} as trust
 * anchors and a client certificate required ({@link ClientAuth#REQUIRE}).
 * The JDK provider additionally receives the test's {@code jdkProvider}.
 *
 * @param port                  listening port
 * @param serverCertChainFile   server certificate chain
 * @param serverPrivateKeyFile  server private key
 * @param serverTrustedCaCerts  CA certificates trusted for client certificates
 * @return the configured server builder
 * @throws IOException if the context cannot be built
 */
private ServerBuilder<?> serverBuilder(int port, File serverCertChainFile,
    File serverPrivateKeyFile, X509Certificate[] serverTrustedCaCerts) throws IOException {
  SslContextBuilder builder = SslContextBuilder.forServer(serverCertChainFile, serverPrivateKeyFile);
  boolean jdk = sslProvider == SslProvider.JDK;
  if (jdk) {
    GrpcSslContexts.configure(builder, jdkProvider);
  } else {
    GrpcSslContexts.configure(builder, sslProvider);
  }
  builder.trustManager(serverTrustedCaCerts);
  builder.clientAuth(ClientAuth.REQUIRE);

  SslContext sslContext = builder.build();
  return NettyServerBuilder.forPort(port).sslContext(sslContext);
}
 
Example #20
Source File: NettySslFactory.java    From ambry with Apache License 2.0 5 votes vote down vote up
/**
 * Maps the configured {@code sslClientAuthentication} string to a
 * {@link ClientAuth}: {@code "required"} → {@link ClientAuth#REQUIRE},
 * {@code "requested"} → {@link ClientAuth#OPTIONAL}. The match is
 * case-sensitive and every other value (including a typo such as
 * {@code "Required"}) silently falls back to {@link ClientAuth#NONE};
 * a {@code null} value throws {@link NullPointerException}.
 *
 * @param config the {@link SSLConfig}.
 * @return the {@link ClientAuth} setting.
 */
static ClientAuth getClientAuth(SSLConfig config) {
  String mode = config.sslClientAuthentication;
  if (mode.equals("required")) {
    return ClientAuth.REQUIRE;
  }
  if (mode.equals("requested")) {
    return ClientAuth.OPTIONAL;
  }
  return ClientAuth.NONE;
}
 
Example #21
Source File: RemoteWorker.java    From bazel with Apache License 2.0 5 votes vote down vote up
/**
 * Builds the worker's server {@link SslContextBuilder} from the TLS options.
 * The certificate/key files identify the worker; when {@code tlsCaCertificate}
 * is set it becomes the trust anchor and a client certificate is required
 * ({@link ClientAuth#REQUIRE}), otherwise the builder default is kept.
 *
 * @param workerOptions TLS certificate, private key and optional CA paths
 * @return the builder, finished for the OpenSSL provider
 */
private SslContextBuilder getSslContextBuilder(RemoteWorkerOptions workerOptions) {
  File certificate = new File(workerOptions.tlsCertificate);
  File privateKey = new File(workerOptions.tlsPrivateKey);
  SslContextBuilder builder = SslContextBuilder.forServer(certificate, privateKey);
  String caCertificate = workerOptions.tlsCaCertificate;
  if (caCertificate != null) {
    builder.trustManager(new File(caCertificate));
    builder.clientAuth(ClientAuth.REQUIRE);
  }
  return GrpcSslContexts.configure(builder, SslProvider.OPENSSL);
}
 
Example #22
Source File: SecurityUtility.java    From pulsar with Apache License 2.0 5 votes vote down vote up
/**
 * Sets the client-certificate policy on {@code builder}: {@link ClientAuth#REQUIRE}
 * when a trusted client certificate is mandatory on connect, otherwise
 * {@link ClientAuth#OPTIONAL} (a certificate is requested and, presumably,
 * verified if presented, but its absence does not fail the handshake).
 * {@link ClientAuth#NONE} is never chosen here.
 *
 * @param builder                          server context builder to configure
 * @param requireTrustedClientCertOnConnect whether the handshake must fail without a client certificate
 */
private static void setupClientAuthentication(SslContextBuilder builder,
    boolean requireTrustedClientCertOnConnect) {
    ClientAuth policy = requireTrustedClientCertOnConnect ? ClientAuth.REQUIRE : ClientAuth.OPTIONAL;
    builder.clientAuth(policy);
}
 
Example #23
Source File: TlsHelper.java    From rocketmq with Apache License 2.0 5 votes vote down vote up
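/**
 * Parses a client-auth mode name into a {@link ClientAuth}.
 *
 * <p>Matching is case-insensitive via {@link String#equalsIgnoreCase}, which is
 * locale-independent (the previous {@code toUpperCase()} used the default
 * locale and, e.g. under Turkish locales, could fail to match
 * {@code "optional"}). Surrounding whitespace is ignored. {@code null}, blank
 * and unrecognised values fall back to {@link ClientAuth#NONE}, so a misspelt
 * mode silently disables client authentication.
 *
 * @param authMode mode name such as {@code "require"}, {@code "optional"} or {@code "none"}
 * @return the matching constant, or {@link ClientAuth#NONE} when nothing matches
 */
private static ClientAuth parseClientAuthMode(String authMode) {
    if (authMode == null) {
        return ClientAuth.NONE;
    }
    String wanted = authMode.trim();
    if (wanted.isEmpty()) {
        return ClientAuth.NONE;
    }

    for (ClientAuth candidate : ClientAuth.values()) {
        if (candidate.name().equalsIgnoreCase(wanted)) {
            return candidate;
        }
    }

    return ClientAuth.NONE;
}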
 
Example #24
Source File: Server.java    From timely with Apache License 2.0 5 votes vote down vote up
/**
 * Builds the server {@link SslContext} from the {@code security.serverSsl}
 * section of {@code config}.
 *
 * <p>With {@code useGeneratedKeypair} a self-signed certificate for
 * {@code localhost}, valid for seven days, is generated and a warning is logged;
 * otherwise the configured certificate/key files (plus optional key password)
 * are used. Client certificates are {@link ClientAuth#OPTIONAL} rather than
 * REQUIRE because CORS pre-flight requests carry no client certificate, so a
 * configured trust store only matters for clients that choose to present one;
 * any peer-certificate-based authorization has to happen downstream.
 *
 * @param config server configuration
 * @return the built context
 * @throws IllegalArgumentException if no key pair is generated and the
 *     certificate or key file is not configured
 * @throws Exception if the certificate cannot be generated or the context cannot be built
 */
protected SslContext createSSLContext(Configuration config) throws Exception {

        ServerSsl sslCfg = config.getSecurity().getServerSsl();
        SslContextBuilder ssl;
        if (sslCfg.isUseGeneratedKeypair()) {
            LOG.warn("Using generated self signed server certificate");
            Date notBefore = new Date();
            Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(7));
            SelfSignedCertificate selfSigned = new SelfSignedCertificate("localhost", notBefore, notAfter);
            ssl = SslContextBuilder.forServer(selfSigned.certificate(), selfSigned.privateKey());
        } else {
            String certFile = sslCfg.getCertificateFile();
            String keyFile = sslCfg.getKeyFile();
            String keyPassword = sslCfg.getKeyPassword();
            if (certFile == null || keyFile == null) {
                throw new IllegalArgumentException("Check your SSL properties, something is wrong.");
            }
            ssl = SslContextBuilder.forServer(new File(certFile), new File(keyFile), keyPassword);
        }

        ssl.ciphers(sslCfg.getUseCiphers());

        // Can't set to REQUIRE because the CORS pre-flight requests will fail.
        ssl.clientAuth(ClientAuth.OPTIONAL);

        ssl.sslProvider(sslCfg.isUseOpenssl() ? SslProvider.OPENSSL : SslProvider.JDK);

        String trustStore = sslCfg.getTrustStoreFile();
        if (trustStore != null && !trustStore.isEmpty()) {
            ssl.trustManager(new File(trustStore));
        }
        return ssl.build();
    }
 
Example #25
Source File: GrafanaAuth.java    From timely with Apache License 2.0 5 votes vote down vote up
/**
 * Builds the server {@link SslContext} from the {@code security.serverSsl}
 * section of {@code config}.
 *
 * <p>With {@code useGeneratedKeypair} a self-signed certificate for
 * {@code localhost}, valid for one day ({@code 86400000} ms), is generated and a
 * warning is logged; otherwise the configured certificate/key files (plus
 * optional key password) are used. Client certificates are
 * {@link ClientAuth#OPTIONAL} rather than REQUIRE because CORS pre-flight
 * requests carry no client certificate, so a configured trust store only
 * matters for clients that choose to present one; any peer-certificate-based
 * authorization has to happen downstream.
 *
 * @param config server configuration
 * @return the built context
 * @throws IllegalArgumentException if no key pair is generated and the
 *     certificate or key file is not configured
 * @throws Exception if the certificate cannot be generated or the context cannot be built
 */
protected SslContext createSSLContext(GrafanaAuthConfiguration config) throws Exception {

        ServerSsl sslCfg = config.getSecurity().getServerSsl();
        SslContextBuilder ssl;
        if (sslCfg.isUseGeneratedKeypair()) {
            LOG.warn("Using generated self signed server certificate");
            Date notBefore = new Date();
            Date notAfter = new Date(notBefore.getTime() + 86400000); // one day in milliseconds
            SelfSignedCertificate selfSigned = new SelfSignedCertificate("localhost", notBefore, notAfter);
            ssl = SslContextBuilder.forServer(selfSigned.certificate(), selfSigned.privateKey());
        } else {
            String certFile = sslCfg.getCertificateFile();
            String keyFile = sslCfg.getKeyFile();
            String keyPassword = sslCfg.getKeyPassword();
            if (certFile == null || keyFile == null) {
                throw new IllegalArgumentException("Check your SSL properties, something is wrong.");
            }
            ssl = SslContextBuilder.forServer(new File(certFile), new File(keyFile), keyPassword);
        }

        ssl.ciphers(sslCfg.getUseCiphers());

        // Can't set to REQUIRE because the CORS pre-flight requests will fail.
        ssl.clientAuth(ClientAuth.OPTIONAL);

        ssl.sslProvider(sslCfg.isUseOpenssl() ? SslProvider.OPENSSL : SslProvider.JDK);

        String trustStore = sslCfg.getTrustStoreFile();
        if (trustStore != null && !trustStore.isEmpty()) {
            ssl.trustManager(new File(trustStore));
        }
        return ssl.build();
    }
 
Example #26
Source File: HelloWorldServerTls.java    From grpc-nebula-java with Apache License 2.0 5 votes vote down vote up
/**
 * Builds the server {@link SslContextBuilder} from the configured certificate
 * chain and private key files. Mutual TLS is enabled only when
 * {@code trustCertCollectionFilePath} is set: that file becomes the trust
 * anchor and a client certificate is required ({@link ClientAuth#REQUIRE});
 * without it the builder keeps its default client-auth setting.
 *
 * @return the builder, finished for the OpenSSL provider
 */
private SslContextBuilder getSslContextBuilder() {
    File certChain = new File(certChainFilePath);
    File privateKey = new File(privateKeyFilePath);
    SslContextBuilder builder = SslContextBuilder.forServer(certChain, privateKey);
    boolean mutualTls = trustCertCollectionFilePath != null;
    if (mutualTls) {
        builder.trustManager(new File(trustCertCollectionFilePath));
        builder.clientAuth(ClientAuth.REQUIRE);
    }
    return GrpcSslContexts.configure(builder, SslProvider.OPENSSL);
}
 
Example #27
Source File: Balancer.java    From timely with Apache License 2.0 5 votes vote down vote up
/**
 * Builds the server {@link SslContext} from the {@code security.serverSsl}
 * section of {@code config}.
 *
 * <p>With {@code useGeneratedKeypair} a self-signed certificate for
 * {@code localhost}, valid for one day ({@code 86400000} ms), is generated and a
 * warning is logged; otherwise the configured certificate/key files (plus
 * optional key password) are used. Client certificates are
 * {@link ClientAuth#OPTIONAL} rather than REQUIRE because CORS pre-flight
 * requests carry no client certificate, so a configured trust store only
 * matters for clients that choose to present one; any peer-certificate-based
 * authorization has to happen downstream.
 *
 * @param config balancer configuration
 * @return the built context
 * @throws IllegalArgumentException if no key pair is generated and the
 *     certificate or key file is not configured
 * @throws Exception if the certificate cannot be generated or the context cannot be built
 */
protected SslContext createSSLContext(BalancerConfiguration config) throws Exception {

        ServerSsl sslCfg = config.getSecurity().getServerSsl();
        SslContextBuilder ssl;
        if (sslCfg.isUseGeneratedKeypair()) {
            LOG.warn("Using generated self signed server certificate");
            Date notBefore = new Date();
            Date notAfter = new Date(notBefore.getTime() + 86400000); // one day in milliseconds
            SelfSignedCertificate selfSigned = new SelfSignedCertificate("localhost", notBefore, notAfter);
            ssl = SslContextBuilder.forServer(selfSigned.certificate(), selfSigned.privateKey());
        } else {
            String certFile = sslCfg.getCertificateFile();
            String keyFile = sslCfg.getKeyFile();
            String keyPassword = sslCfg.getKeyPassword();
            if (certFile == null || keyFile == null) {
                throw new IllegalArgumentException("Check your SSL properties, something is wrong.");
            }
            ssl = SslContextBuilder.forServer(new File(certFile), new File(keyFile), keyPassword);
        }

        ssl.ciphers(sslCfg.getUseCiphers());

        // Can't set to REQUIRE because the CORS pre-flight requests will fail.
        ssl.clientAuth(ClientAuth.OPTIONAL);

        ssl.sslProvider(sslCfg.isUseOpenssl() ? SslProvider.OPENSSL : SslProvider.JDK);

        String trustStore = sslCfg.getTrustStoreFile();
        if (trustStore != null && !trustStore.isEmpty()) {
            ssl.trustManager(new File(trustStore));
        }
        return ssl.build();
    }
 
Example #28
Source File: SSLEngineFactoryImpl.java    From dremio-oss with Apache License 2.0 5 votes vote down vote up
/**
 * Creates a server {@link SslContextBuilder} backed by this factory's key and
 * trust manager factories, the configured provider, protocols and ciphers.
 * Client certificates are required ({@link ClientAuth#REQUIRE}) unless peer
 * verification is disabled in {@code sslConfig}, in which case the requirement
 * is only relaxed to {@link ClientAuth#OPTIONAL} — the trust manager stays
 * installed either way.
 *
 * @return the configured builder (not yet built)
 * @throws SSLException if the builder cannot be created
 */
@Override
public SslContextBuilder newServerContextBuilder() throws SSLException {
  ClientAuth clientAuth = sslConfig.disablePeerVerification() ? ClientAuth.OPTIONAL : ClientAuth.REQUIRE;
  SslContextBuilder builder = SslContextBuilder.forServer(keyManagerFactory);
  builder.trustManager(trustManagerFactory);
  builder.clientAuth(clientAuth);
  builder.sslProvider(SSL_PROVIDER);
  builder.protocols(SSL_PROTOCOLS);
  builder.ciphers(SSL_CIPHERS);
  return builder;
}
 
Example #29
Source File: ClientHttpConnectorFactory.java    From spring-credhub with Apache License 2.0 5 votes vote down vote up
/**
 * Create a {@link ClientHttpConnector} for the given {@link ClientOptions}.
 *
 * <p>With custom CA files a JDK-provider client context trusting only those CAs
 * is used. Otherwise the JVM default {@link SSLContext} is wrapped; the
 * {@link ClientAuth#REQUIRE} argument is passed to a client-side context
 * ({@code isClient = true}) and presumably has no effect there. A
 * {@link NoSuchAlgorithmException} from the default context is logged and
 * rethrown as a {@link RuntimeException}. The connect timeout is applied only
 * when configured.
 *
 * @param options must not be {@literal null}
 * @return a new {@link ClientHttpConnector}.
 */
public static ClientHttpConnector create(ClientOptions options) {
	HttpClient httpClient = HttpClient.create();

	if (usingCustomCerts(options)) {
		TrustManagerFactory trustManagerFactory = sslCertificateUtils
				.createTrustManagerFactory(options.getCaCertFiles());

		httpClient = httpClient.secure((sslContextSpec) -> {
			SslContextBuilder customTrust = SslContextBuilder.forClient()
					.sslProvider(SslProvider.JDK)
					.trustManager(trustManagerFactory);
			sslContextSpec.sslContext(customTrust);
		});
	}
	else {
		httpClient = httpClient.secure((sslContextSpec) -> {
			try {
				JdkSslContext defaultTrust = new JdkSslContext(SSLContext.getDefault(), true, null,
						IdentityCipherSuiteFilter.INSTANCE, null, ClientAuth.REQUIRE, null, false);
				sslContextSpec.sslContext(defaultTrust);
			}
			catch (NoSuchAlgorithmException ex) {
				logger.error("Error configuring HTTP connections", ex);
				throw new RuntimeException("Error configuring HTTP connections", ex);
			}
		});
	}

	Duration connectionTimeout = options.getConnectionTimeout();
	if (connectionTimeout != null) {
		int timeoutMillis = Math.toIntExact(connectionTimeout.toMillis());
		httpClient = httpClient
				.tcpConfiguration((tcpClient) -> tcpClient.option(ChannelOption.CONNECT_TIMEOUT_MILLIS, timeoutMillis));
	}

	return new ReactorClientHttpConnector(httpClient);
}
 
Example #30
Source File: SslContextBuilder.java    From logstash-input-beats with Apache License 2.0 5 votes vote down vote up
/**
 * Builds the server {@link SslContext} from the configured certificate, key and
 * pass phrase, restricted to the configured {@code ciphers} and
 * {@code protocols}.
 *
 * <p>When {@code requireClientAuth()} is true, {@code certificateAuthorities}
 * become the trust anchors and the policy follows {@code verifyMode}:
 * {@code FORCE_PEER} requires a client certificate, {@code VERIFY_PEER} only
 * verifies one if the client presents it; for any other mode {@code clientAuth}
 * is not set and the builder default applies. Otherwise no client certificate
 * is requested ({@link ClientAuth#NONE}).
 *
 * @return the built server context
 * @throws IOException          if certificate material cannot be read
 * @throws CertificateException if a CA certificate cannot be parsed
 */
public SslContext buildContext() throws IOException, CertificateException  {
    io.netty.handler.ssl.SslContextBuilder builder = io.netty.handler.ssl.SslContextBuilder.forServer(sslCertificateFile, sslKeyFile, passPhrase);

    if (logger.isDebugEnabled()) {
        logger.debug("Available ciphers: " + Arrays.toString(supportedCiphers));
        logger.debug("Ciphers:  " + Arrays.toString(ciphers));
    }

    builder.ciphers(Arrays.asList(ciphers));

    if (!requireClientAuth()) {
        builder.clientAuth(ClientAuth.NONE);
    } else {
        if (logger.isDebugEnabled()) {
            logger.debug("Certificate Authorities: " + Arrays.toString(certificateAuthorities));
        }

        builder.trustManager(loadCertificateCollection(certificateAuthorities));
        boolean forcePeer = verifyMode == SslClientVerifyMode.FORCE_PEER;
        boolean verifyPeer = verifyMode == SslClientVerifyMode.VERIFY_PEER;
        if (forcePeer) {
            // Explicitly require a client certificate
            builder.clientAuth(ClientAuth.REQUIRE);
        } else if (verifyPeer) {
            // If the client supplies a certificate it is verified; none is still accepted
            builder.clientAuth(ClientAuth.OPTIONAL);
        }
    }
    builder.protocols(protocols);
    return builder.build();
}