io.netty.handler.ssl.SslProvider Java Examples

Example #1
Source File: ChannelPipelineInitializer.java — from aws-sdk-java-v2 (Apache License 2.0)
/**
 * Stores the settings that the pipeline initializer applies to every new channel.
 *
 * <p>All arguments are kept as given: nothing is validated, copied or resolved here.
 *
 * @param protocol wire protocol the pool is configured for
 * @param sslCtx Netty SSL context used for TLS channels
 * @param sslProvider SSL implementation the context was built with
 * @param clientMaxStreams stream limit handed to the pipeline (stored as given)
 * @param clientInitialWindowSize initial window size handed to the pipeline (stored as given)
 * @param healthCheckPingPeriod period between health-check pings
 * @param channelPoolRef reference to the pool that owns the channels
 * @param configuration Netty client configuration
 * @param poolKey URI identifying the pool this initializer belongs to
 */
public ChannelPipelineInitializer(Protocol protocol,
                                  SslContext sslCtx,
                                  SslProvider sslProvider,
                                  long clientMaxStreams,
                                  int clientInitialWindowSize,
                                  Duration healthCheckPingPeriod,
                                  AtomicReference<ChannelPool> channelPoolRef,
                                  NettyConfiguration configuration,
                                  URI poolKey) {
    // Pool identity and configuration.
    this.poolKey = poolKey;
    this.channelPoolRef = channelPoolRef;
    this.configuration = configuration;
    // Transport / TLS settings.
    this.protocol = protocol;
    this.sslCtx = sslCtx;
    this.sslProvider = sslProvider;
    // Per-connection tuning.
    this.clientMaxStreams = clientMaxStreams;
    this.clientInitialWindowSize = clientInitialWindowSize;
    this.healthCheckPingPeriod = healthCheckPingPeriod;
}
 
Example #2
Source File: NettySubstitutions.java — from quarkus (Apache License 2.0)
/**
 * GraalVM substitution for Netty's JDK-backed client context factory.
 *
 * <p>OCSP stapling is refused up front; every other argument is forwarded unchanged to the
 * substituted {@code JdkSslClientContext}. The cast goes through {@code Object} because the
 * substitution target class only stands in for the real Netty class.
 *
 * @throws IllegalArgumentException if {@code enableOcsp} is {@code true}
 * @throws SSLException as declared by the substituted constructor
 */
@Substitute
static SslContext newClientContextInternal(
        SslProvider provider,
        Provider sslContextProvider,
        X509Certificate[] trustCert, TrustManagerFactory trustManagerFactory,
        X509Certificate[] keyCertChain, PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
        Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn, String[] protocols,
        long sessionCacheSize, long sessionTimeout, boolean enableOcsp, String keyStoreType) throws SSLException {
    // Fail loudly rather than silently ignore a requested security feature.
    if (enableOcsp) {
        throw new IllegalArgumentException("OCSP is not supported with this SslProvider: " + provider);
    }
    final Target_io_netty_handler_ssl_JdkSslClientContext jdkContext =
            new Target_io_netty_handler_ssl_JdkSslClientContext(sslContextProvider,
                    trustCert, trustManagerFactory, keyCertChain, key, keyPassword,
                    keyManagerFactory, ciphers, cipherFilter, apn, protocols, sessionCacheSize,
                    sessionTimeout, keyStoreType);
    return (SslContext) (Object) jdkContext;
}
 
Example #3
Source File: XConfigTest.java — from xrpc (Apache License 2.0)
/**
 * Checks that the {@code tls} section of {@code xrpc.conf} is mapped onto the expected
 * {@code TlsConfig} values: six configured ciphers, the ALPN settings, optional client auth,
 * OCSP off, zero session timeout/cache size and the OpenSSL provider.
 */
@Test
void buildTlsConfig_shouldUseCorrectTlsConfigValues() {
  TlsConfig tlsConfig =
      XConfig.buildTlsConfig(
          ConfigFactory.parseResources(XConfig.class, "xrpc.conf").getConfig("tls"));

  // NOTE(review): the cipher list is checked against SUPPORTED_PROTOCOLS; confirm that
  // constant actually holds cipher names and not TLS protocol versions.
  List<String> configuredCiphers = tlsConfig.getCiphers();
  assertEquals(6, configuredCiphers.size());
  assertTrue(configuredCiphers.stream().allMatch(SUPPORTED_PROTOCOLS::contains));

  ApplicationProtocolConfig alpn = tlsConfig.getAlpnConfig();
  assertEquals(SUPPORTED_PROTOCOLS_IN_PREFERENCE_ORDER, alpn.supportedProtocols());
  assertEquals(NO_ADVERTISE, alpn.selectorFailureBehavior());
  assertEquals(ACCEPT, alpn.selectedListenerFailureBehavior());
  assertEquals(ALPN, alpn.protocol());

  assertTrue(tlsConfig.isLogInsecureConfig());
  assertTrue(tlsConfig.isUseSsl());
  assertEquals(ClientAuth.OPTIONAL, tlsConfig.getClientAuth());
  assertFalse(tlsConfig.isEnableOcsp());
  assertEquals(0, tlsConfig.getSessionTimeout());
  assertEquals(0, tlsConfig.getSessionCacheSize());
  assertEquals(SslProvider.OPENSSL, tlsConfig.getSslProvider());
}
 
Example #4
Source File: EppModule.java — from nomulus (Apache License 2.0)
/**
 * {@link Provides} the {@link SslClientInitializer} used for the {@link EppProtocol}.
 *
 * <p>The initializer is created with the system trust store and client authentication backed by
 * the locally stored private key and certificate chain. The peer address and port are read from
 * the channel attributes {@code REMOTE_ADDRESS_KEY} and {@code PROTOCOL_KEY}.
 */
@Provides
@EppProtocol
static SslClientInitializer<NioSocketChannel> provideSslClientInitializer(
    SslProvider sslProvider,
    @LocalSecrets Supplier<PrivateKey> privateKeySupplier,
    @LocalSecrets Supplier<ImmutableList<X509Certificate>> certificatesSupplier) {
  SslClientInitializer<NioSocketChannel> initializer =
      SslClientInitializer.createSslClientInitializerWithSystemTrustStoreAndClientAuthentication(
          sslProvider,
          // remote address comes from the channel attribute
          channel -> channel.attr(REMOTE_ADDRESS_KEY).get(),
          // port comes from the protocol attribute
          channel -> channel.attr(PROTOCOL_KEY).get().port(),
          privateKeySupplier,
          certificatesSupplier);
  return initializer;
}
 
Example #5
Source File: BaseSslContextFactory.java — from zuul (Apache License 2.0)
/**
 * Builds the server-side {@link SslContextBuilder}: ciphers, session timeout and the chosen
 * {@link SslProvider}, plus client-certificate authentication when it is configured.
 *
 * <p>Client authentication is only wired in when {@code serverSslConfig} names a
 * {@link ClientAuth} mode <em>and</em> at least one trusted certificate was loaded. With an
 * empty trust list the builder is returned without any client-auth setting, i.e. a missing or
 * empty trust store silently degrades to server-only TLS instead of failing.
 *
 * @throws RuntimeException wrapping any failure while loading certificates or configuring the builder
 */
@Override
public SslContextBuilder createBuilderForServer() {
    try {
        final ArrayList<X509Certificate> trustedCerts = getTrustedX509Certificates();
        final SslProvider sslProvider = chooseSslProvider();
        LOG.debug("Using SslProvider of type {}", sslProvider.name());

        final SslContextBuilder builder = newBuilderForServer()
                .ciphers(getCiphers(), getCiphersFilter())
                .sessionTimeout(serverSslConfig.getSessionTimeout())
                .sslProvider(sslProvider);

        final boolean clientAuthConfigured = serverSslConfig.getClientAuth() != null
                && trustedCerts != null
                && !trustedCerts.isEmpty();
        if (!clientAuthConfigured) {
            return builder;
        }
        return builder
                .trustManager(trustedCerts.toArray(new X509Certificate[0]))
                .clientAuth(serverSslConfig.getClientAuth());
    }
    catch (Exception e) {
        throw new RuntimeException("Error configuring SslContext!", e);
    }
}
 
Example #6
Source File: SslServerInitializer.java — from nomulus (Apache License 2.0)
/**
 * Creates the server-side SSL initializer.
 *
 * <p>The list of offered TLS versions depends on the provider: OpenSSL additionally offers
 * TLSv1.3, the JDK path stops at TLSv1.2.
 *
 * @param requireClientCert whether a client certificate is required (stored as given)
 * @param validateClientCert whether a presented client certificate is validated; only allowed
 *     together with {@code requireClientCert}
 * @param sslProvider SSL implementation to use
 * @param privateKeySupplier supplies the server private key
 * @param certificatesSupplier supplies the server certificate chain
 * @throws IllegalArgumentException if validation is requested without requiring a certificate
 */
public SslServerInitializer(
    boolean requireClientCert,
    boolean validateClientCert,
    SslProvider sslProvider,
    Supplier<PrivateKey> privateKeySupplier,
    Supplier<ImmutableList<X509Certificate>> certificatesSupplier) {
  logger.atInfo().log("Server SSL Provider: %s", sslProvider);
  // Validating a certificate that was never demanded is a contradiction in the configuration.
  checkArgument(
      requireClientCert || !validateClientCert,
      "Cannot validate client certificate if client certificate is not required.");
  this.sslProvider = sslProvider;
  this.privateKeySupplier = privateKeySupplier;
  this.certificatesSupplier = certificatesSupplier;
  this.requireClientCert = requireClientCert;
  this.validateClientCert = validateClientCert;
  if (sslProvider == SslProvider.OPENSSL) {
    this.supportedSslVersions = ImmutableList.of("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1");
  } else {
    // JDK support for TLS 1.3 won't be available until 2020-07-14 at the earliest.
    // See: https://java.com/en/jre-jdk-cryptoroadmap.html
    this.supportedSslVersions = ImmutableList.of("TLSv1.2", "TLSv1.1", "TLSv1");
  }
}
 
Example #7
Source File: AlphaIntegrationWithSSLTest.java — from servicecomb-pack (Apache License 2.0)
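/**
 * Builds the gRPC client {@link SslContext} for the TLS integration test from the
 * {@code ca.crt}, {@code client.crt} and {@code client.pem} resources on the test classpath.
 *
 * <p>A build failure or a missing resource fails fast with {@link IllegalStateException}
 * instead of handing back {@code null} that would only surface later as an NPE.
 *
 * @return the configured client context (OpenSSL provider, TLSv1.2/1.1, two ECDHE-GCM suites)
 * @throws IllegalStateException if a resource is missing or the context cannot be built
 */
private static SslContext getSslContext(){
  ClassLoader classLoader = AlphaIntegrationWithSSLTest.class.getClassLoader();
  try {
    return GrpcSslContexts.forClient().sslProvider(SslProvider.OPENSSL)
        .protocols("TLSv1.2","TLSv1.1")
        .ciphers(Arrays.asList("ECDHE-RSA-AES128-GCM-SHA256",
            "ECDHE-RSA-AES256-GCM-SHA384"))
        .trustManager(resourceAsFile(classLoader, "ca.crt"))
        .keyManager(resourceAsFile(classLoader, "client.crt"),
            resourceAsFile(classLoader, "client.pem")).build();
  } catch (SSLException e) {
    throw new IllegalStateException("Unable to build the client SslContext", e);
  }
}

/**
 * Resolves a classpath resource to a {@link File}, failing clearly when it is absent.
 *
 * <p>Uses {@code URL.getFile()} like the original lookup; that only works for resources that
 * live on the file system (not inside a jar) and leaves URL escapes such as {@code %20} in place.
 */
private static File resourceAsFile(ClassLoader classLoader, String name) {
  java.net.URL resource = classLoader.getResource(name);
  if (resource == null) {
    throw new IllegalStateException("Test resource not found on classpath: " + name);
  }
  return new File(resource.getFile());
}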
 
Example #8
Source File: NettyBootstrap.java — from WeCross (Apache License 2.0)
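/**
 * Builds the server-side {@link SslContext} for the p2p connection.
 *
 * <p>The node certificate and key become the server identity, the CA certificate is installed
 * as the trust anchor for peer certificates, and client authentication is mandatory
 * ({@link ClientAuth#REQUIRE}). The JDK provider is pinned explicitly. All three resource
 * streams are closed once the context has been built, even when building fails.
 *
 * @param caCrt CA certificate used to validate peer certificates (PEM, as Netty's stream overloads expect)
 * @param nodeCrt this node's certificate chain (PEM)
 * @param nodeKey this node's private key (PEM)
 * @return the configured server context
 * @throws IOException if a resource cannot be opened, or as {@link javax.net.ssl.SSLException}
 *     when the context cannot be built
 */
public SslContext initSslContextForServer(
        org.springframework.core.io.Resource caCrt,
        org.springframework.core.io.Resource nodeCrt,
        org.springframework.core.io.Resource nodeKey)
        throws IOException {

    // try-with-resources: the streams must be released whether or not build() succeeds
    try (java.io.InputStream certStream = nodeCrt.getInputStream();
            java.io.InputStream keyStream = nodeKey.getInputStream();
            java.io.InputStream caStream = caCrt.getInputStream()) {
        return SslContextBuilder.forServer(certStream, keyStream)
                .trustManager(caStream)
                .sslProvider(SslProvider.JDK)
                .clientAuth(ClientAuth.REQUIRE)
                .build();
    }
}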
 
Example #9
Source File: TransportSupport.java — from qpid-jms (Apache License 2.0)
/**
 * Creates and initialises the {@link KeyManagerFactory} described by {@code options}.
 *
 * <p>Returns {@code null} when no key store location is configured. The factory implementation
 * follows the provider: the JDK default algorithm for {@link SslProvider#JDK}, Netty's
 * OpenSSL-backed factory for anything else. The key store password (possibly {@code null}) is
 * also used as the key password when initialising the factory.
 *
 * @param options transport settings holding key store location, password and type
 * @param provider SSL implementation that will consume the factory
 * @return the initialised factory, or {@code null} if no key store is configured
 * @throws Exception from key store loading or factory initialisation
 */
private static KeyManagerFactory loadKeyManagerFactory(TransportOptions options, SslProvider provider) throws Exception {
    final String storeLocation = options.getKeyStoreLocation();
    if (storeLocation == null) {
        return null;
    }
    final String storePassword = options.getKeyStorePassword();
    final String storeType = options.getKeyStoreType();

    final KeyManagerFactory factory = provider.equals(SslProvider.JDK)
            ? KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
            : new OpenSslX509KeyManagerFactory();

    LOG.trace("Attempt to load KeyStore from location {} of type {}", storeLocation, storeType);
    final KeyStore keyStore = loadStore(storeLocation, storePassword, storeType);
    // A null password is passed through unchanged; the store implementation decides whether that is acceptable.
    final char[] keyPassword = storePassword == null ? null : storePassword.toCharArray();
    factory.init(keyStore, keyPassword);
    return factory;
}
 
Example #10
Source File: LoadBalancedClusterMessageSender.java — from txle (Apache License 2.0)
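/**
 * Builds the gRPC client {@link SslContext} from {@code ssl.properties} on the classpath and
 * the certificate paths in {@code clusterConfig}.
 *
 * <p>{@code ssl.properties} must define {@code protocols} and {@code ciphers} as comma-separated
 * lists. The resource stream is closed after loading; a missing resource or a missing key is
 * reported as {@link IllegalArgumentException} instead of a bare NPE. The CA chain from
 * {@code clusterConfig} is the trust anchor; with mutual auth enabled the client cert/key are
 * attached as well.
 *
 * @param clusterConfig source of the CA chain and, when mutual auth is enabled, the client cert/key paths
 * @return the built client context
 * @throws SSLException if the context cannot be built
 * @throws IllegalArgumentException if ssl.properties is missing, unreadable or incomplete
 */
private static SslContext buildSslContext(AlphaClusterConfig clusterConfig) throws SSLException {
  SslContextBuilder builder = GrpcSslContexts.forClient();
  // openssl must be used because some older JDK does not support cipher suites required by http2,
  // and the performance of JDK ssl is pretty low compared to openssl.
  builder.sslProvider(SslProvider.OPENSSL);

  Properties prop = loadSslPropertiesResource();

  builder.protocols(requireSslProperty(prop, "protocols").split(","));
  builder.ciphers(Arrays.asList(requireSslProperty(prop, "ciphers").split(",")));
  builder.trustManager(new File(clusterConfig.getCertChain()));

  if (clusterConfig.isEnableMutualAuth()) {
    builder.keyManager(new File(clusterConfig.getCert()), new File(clusterConfig.getKey()));
  }

  return builder.build();
}

/**
 * Loads {@code ssl.properties} from the classpath, closing the stream afterwards.
 *
 * @throws IllegalArgumentException if the resource is absent or cannot be read
 */
private static Properties loadSslPropertiesResource() {
  Properties prop = new Properties();
  try (java.io.InputStream in =
      LoadBalancedClusterMessageSender.class.getClassLoader().getResourceAsStream("ssl.properties")) {
    // getResourceAsStream() returns null for a missing resource; load(null) would NPE.
    if (in == null) {
      throw new IllegalArgumentException("Unable to read ssl.properties.");
    }
    prop.load(in);
  } catch (IOException e) {
    throw new IllegalArgumentException("Unable to read ssl.properties.", e);
  }
  return prop;
}

/**
 * Returns the value of {@code key}, failing with {@link IllegalArgumentException} when absent.
 */
private static String requireSslProperty(Properties prop, String key) {
  String value = prop.getProperty(key);
  if (value == null) {
    throw new IllegalArgumentException("ssl.properties is missing the '" + key + "' property.");
  }
  return value;
}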
 
Example #11
Source File: NettySslHandler.java — from iot-mqtt (Apache License 2.0)
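/**
 * Builds the server {@link SslContext} from a key store file using the JDK provider.
 *
 * <p>The key store supplies the server key and certificate. When {@code useClientCA} is set the
 * same key store also acts as the trust store for client certificates and client authentication
 * becomes mandatory ({@link ClientAuth#REQUIRE}), so every client certificate (or its CA) that
 * the server should accept has to be present in that file.
 *
 * <p>On any failure the exception is logged with its stack trace and {@code null} is returned;
 * callers must handle that.
 *
 * @param useClientCA whether to require and verify client certificates (two-way authentication)
 * @param sslKeyStoreType key store type passed to {@link KeyStore#getInstance(String)}
 * @param sslKeyFilePath path of the key store file
 * @param sslManagerPwd password used to initialise the key manager
 * @param sslStorePwd password used to open the key store
 * @return the built context, or {@code null} if it could not be created
 */
private static SslContext createSSLContext(boolean useClientCA, String sslKeyStoreType, String sslKeyFilePath, String sslManagerPwd, String sslStorePwd) {
    try {
        final KeyStore ks = KeyStore.getInstance(sslKeyStoreType);
        // Close the key store file once it has been read.
        try (InputStream ksInputStream = new FileInputStream(sslKeyFilePath)) {
            ks.load(ksInputStream, sslStorePwd.toCharArray());
        }

        final KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, sslManagerPwd.toCharArray());
        SslContextBuilder contextBuilder = SslContextBuilder.forServer(kmf);

        // whether need client CA(two-way authentication)
        if (useClientCA) {
            contextBuilder.clientAuth(ClientAuth.REQUIRE);
            // The key store doubles as the trust store for client certificates.
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
            contextBuilder.trustManager(tmf);
        }
        return contextBuilder.sslProvider(SslProvider.JDK).build();
    } catch (Exception ex) {
        // Pass the throwable as the trailing argument so the stack trace is logged, not only toString().
        log.error("Create ssl context failure.cause={}", ex.toString(), ex);
        return null;
    }
}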
 
Example #12
Source File: NettyHttpClientH2Benchmark.java — from aws-sdk-java-v2 (Apache License 2.0)
/**
 * JMH trial setup: starts the mock HTTP/2 server, builds the Netty client with the provider
 * selected by {@code sslProviderValue}, and issues one request to confirm the setup works.
 *
 * <p>The client is built with {@code trustAllTlsAttributeMapBuilder()}, i.e. certificate
 * validation is disabled; that is acceptable only against the local mock server.
 *
 * @throws Exception from server start-up or the check request
 */
@Setup(Level.Trial)
public void setup() throws Exception {
    mockServer = new MockH2Server(false);
    mockServer.start();

    sdkHttpClient = NettyNioAsyncHttpClient.builder()
            .sslProvider(getSslProvider(sslProviderValue))
            .buildWithDefaults(
                    trustAllTlsAttributeMapBuilder().put(PROTOCOL, Protocol.HTTP2).build());

    client = ProtocolRestJsonAsyncClient.builder()
            .endpointOverride(mockServer.getHttpsUri())
            .httpClient(sdkHttpClient)
            .build();

    // Making sure the request actually succeeds
    client.allTypes().join();
}
 
Example #13
Source File: GrpcSslContexts.java — from grpc-java (Apache License 2.0)
/**
 * Picks the TLS provider: OpenSSL (netty-tcnative) when it is loadable, otherwise the JDK
 * provider if {@code findJdkProvider()} returns one.
 *
 * @throws IllegalStateException when neither is usable; the reason each candidate was
 *     unavailable is logged at INFO first
 */
private static SslProvider defaultSslProvider() {
  if (OpenSsl.isAvailable()) {
    logger.log(Level.FINE, "Selecting OPENSSL");
    return SslProvider.OPENSSL;
  }
  Provider jdkProvider = findJdkProvider();
  if (jdkProvider == null) {
    logAlpnProviderUnavailability();
    throw new IllegalStateException(
        "Could not find TLS ALPN provider; "
        + "no working netty-tcnative, Conscrypt, or Jetty NPN/ALPN available");
  }
  logger.log(Level.FINE, "Selecting JDK with provider {0}", jdkProvider);
  return SslProvider.JDK;
}

/** Logs, at INFO, why each ALPN candidate (Java 9 API, tcnative, Conscrypt, Jetty) was not usable. */
private static void logAlpnProviderUnavailability() {
  logger.log(Level.INFO, "Java 9 ALPN API unavailable (this may be normal)");
  logger.log(Level.INFO, "netty-tcnative unavailable (this may be normal)",
      OpenSsl.unavailabilityCause());
  logger.log(Level.INFO, "Conscrypt not found (this may be normal)",
      ConscryptHolder.UNAVAILABILITY_CAUSE);
  logger.log(Level.INFO, "Jetty ALPN unavailable (this may be normal)",
      JettyTlsUtil.getJettyAlpnUnavailabilityCause());
}
 
Example #14
Source File: Ssl.java — from zbus-server (MIT License)
/**
 * Builds a client {@link SslContext} on the JDK provider with session cache size and session
 * timeout set to 0 and TLSv1.2, TLSv1.1 and TLSv1 enabled.
 *
 * <p>No trust manager is configured here, so the JDK's default trust store applies.
 * NOTE(review): TLSv1 and TLSv1.1 are deprecated protocol versions and may be refused by peers.
 *
 * @return the context, or {@code null} if building it failed (the failure is printed to stderr)
 */
private static SslContext buildSslContext() { 
	try {
		String[] enabledProtocols = { "TLSv1.2", "TLSv1.1", "TLSv1" };
		SslContextBuilder builder = SslContextBuilder.forClient()
				.sslProvider(SslProvider.JDK)
				.sessionCacheSize(0)
				.sessionTimeout(0)
				.protocols(enabledProtocols);
		return builder.build();
	} catch (Exception e) {
		e.printStackTrace();
		return null;
	}
}
 
Example #15
Source File: OcspTest.java — from netty-4.1.22 (Apache License 2.0)
/**
 * Builds a client context for {@code sslProvider} without enabling OCSP and asks the resulting
 * engine for an OCSP response. The method name suggests the call is expected to throw; the
 * engine and the reference-counted context are released in {@code finally} either way.
 */
private static void testClientOcspNotEnabled(SslProvider sslProvider) throws Exception {
    final SslContext context = SslContextBuilder.forClient()
            .sslProvider(sslProvider)
            .build();
    try {
        final SslHandler handler = context.newHandler(ByteBufAllocator.DEFAULT);
        final ReferenceCountedOpenSslEngine engine = (ReferenceCountedOpenSslEngine) handler.engine();
        try {
            engine.getOcspResponse();
        } finally {
            engine.release();
        }
    } finally {
        ReferenceCountUtil.release(context);
    }
}
 
Example #16
Source File: AwaitCloseChannelPoolMapTest.java — from aws-sdk-java-v2 (Apache License 2.0)
/**
 * A proxy configured with only host and port (no scheme) must be used as a plain HTTP proxy:
 * acquiring a channel for an https target has to produce an HTTP {@code CONNECT} to the mock
 * proxy.
 */
@Test
public void usingProxy_noSchemeGiven_defaultsToHttp() {
    ProxyConfiguration schemelessProxy = ProxyConfiguration.builder()
            .host("localhost")
            .port(mockProxy.port())
            .build();

    channelPoolMap = AwaitCloseChannelPoolMap.builder()
            .proxyConfiguration(schemelessProxy)
            .sdkChannelOptions(new SdkChannelOptions())
            .sdkEventLoopGroup(SdkEventLoopGroup.builder().build())
            .configuration(new NettyConfiguration(GLOBAL_HTTP_DEFAULTS))
            .protocol(Protocol.HTTP1_1)
            .maxStreams(100)
            .sslProvider(SslProvider.OPENSSL)
            .build();

    SimpleChannelPoolAwareChannelPool pool =
            channelPoolMap.newPool(URI.create("https://some-awesome-service:443"));
    pool.acquire().awaitUninterruptibly();

    String recordedRequests = recorder.requests().toString();
    assertThat(recordedRequests).contains("CONNECT some-awesome-service:443");
}
 
Example #17
Source File: SocketSslGreetingTest.java — from netty-4.1.22 (Apache License 2.0)
/**
 * Parameter matrix: every server context paired with every client context.
 *
 * <p>JDK contexts are always present; OpenSSL contexts are added only when netty-tcnative is
 * available, otherwise a warning with the unavailability cause is logged and OpenSSL is skipped.
 */
@Parameters(name = "{index}: serverEngine = {0}, clientEngine = {1}")
public static Collection<Object[]> data() throws Exception {
    List<SslContext> servers = new ArrayList<SslContext>();
    List<SslContext> clients = new ArrayList<SslContext>();
    servers.add(SslContextBuilder.forServer(CERT_FILE, KEY_FILE).sslProvider(SslProvider.JDK).build());
    clients.add(SslContextBuilder.forClient().sslProvider(SslProvider.JDK).trustManager(CERT_FILE).build());

    if (OpenSsl.isAvailable()) {
        servers.add(SslContextBuilder.forServer(CERT_FILE, KEY_FILE)
                .sslProvider(SslProvider.OPENSSL).build());
        clients.add(SslContextBuilder.forClient().sslProvider(SslProvider.OPENSSL)
                .trustManager(CERT_FILE).build());
    } else {
        logger.warn("OpenSSL is unavailable and thus will not be tested.", OpenSsl.unavailabilityCause());
    }

    List<Object[]> pairs = new ArrayList<Object[]>(servers.size() * clients.size());
    for (SslContext server : servers) {
        for (SslContext client : clients) {
            pairs.add(new Object[] { server, client });
        }
    }
    return pairs;
}
 
Example #18
Source File: NettyHttp2Client.java — from jmeter-http2-plugin (Apache License 2.0)
/**
 * Builds the HTTP/2 client {@link SslContext}: OpenSSL when its ALPN support is present, else
 * the JDK provider, with Netty's HTTP/2 cipher list and ALPN advertising
 * {@code ApplicationProtocolNames.HTTP_2}.
 *
 * <p>Security note: {@link InsecureTrustManagerFactory} disables server-certificate validation,
 * so the server's identity is never verified. That is tolerable for a load-test tool aimed at
 * known hosts; this context must not be reused for anything else.
 *
 * @return the context, or {@code null} if building it failed (the SSLException is discarded)
 */
private SslContext getSslContext() {
    final SslProvider provider = OpenSsl.isAlpnSupported() ? SslProvider.OPENSSL : SslProvider.JDK;
    final ApplicationProtocolConfig alpn = new ApplicationProtocolConfig(
        Protocol.ALPN,
        SelectorFailureBehavior.NO_ADVERTISE,
        SelectedListenerFailureBehavior.ACCEPT,
        ApplicationProtocolNames.HTTP_2);
    try {
        return SslContextBuilder.forClient()
            .sslProvider(provider)
            .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
            .trustManager(InsecureTrustManagerFactory.INSTANCE)
            .applicationProtocolConfig(alpn)
            .build();
    } catch (SSLException ignored) {
        // build failure is signalled to the caller by the null return
        return null;
    }
}
 
Example #19
Source File: GrpcStartable.java — from txle (Apache License 2.0)
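/**
 * Builds the server-side {@link SslContextBuilder} for the gRPC endpoint from
 * {@code ssl.properties} (classpath) and the certificate locations in {@code config}.
 *
 * <p>{@code protocols} and {@code ciphers} in {@code ssl.properties} are comma-separated lists.
 * Both are split before being handed to Netty: {@code protocols(String...)} treats each argument
 * as one protocol name, so the unsplit string would be passed as a single (unknown) protocol.
 * When mutual auth is enabled the client CA becomes the trust anchor and client certificates
 * are required. The PEM streams are closed once the builder is configured; Netty's
 * {@code InputStream} overloads read their content eagerly.
 *
 * @param config gRPC server settings (server cert/key, optional client CA, mutual-auth flag)
 * @return builder configured for OpenSSL via {@link GrpcSslContexts#configure}
 * @throws IllegalStateException if ssl.properties is missing, unreadable or lacks a required key,
 *     or if a certificate stream cannot be closed
 */
private SslContextBuilder getSslContextBuilder(GrpcServerConfig config) {
    ClassLoader classLoader = getClass().getClassLoader();
    Properties prop = new Properties();
    // try-with-resources closes the resource stream; a missing resource would otherwise NPE in load(null)
    try (InputStream in = classLoader.getResourceAsStream("ssl.properties")) {
      if (in == null) {
        throw new IllegalStateException("Unable to read ssl.properties.");
      }
      prop.load(in);
    } catch (IOException e) {
      throw new IllegalStateException("Unable to read ssl.properties.", e);
    }
    String protocols = prop.getProperty("protocols");
    String ciphers = prop.getProperty("ciphers");
    if (protocols == null || ciphers == null) {
      throw new IllegalStateException("ssl.properties must define both 'protocols' and 'ciphers'.");
    }

    try (InputStream cert = getInputStream(classLoader, config.getCert(), "Server Cert");
         InputStream key = getInputStream(classLoader, config.getKey(), "Server Key")) {
      SslContextBuilder sslClientContextBuilder = SslContextBuilder.forServer(cert, key)
          .protocols(protocols.split(","))
          .ciphers(Arrays.asList(ciphers.split(",")));
      if (config.isMutualAuth()) {
        try (InputStream clientCert = getInputStream(classLoader, config.getClientCert(), "Client Cert")) {
          sslClientContextBuilder.trustManager(clientCert);
        }
        sslClientContextBuilder.clientAuth(ClientAuth.REQUIRE);
      }
      return GrpcSslContexts.configure(sslClientContextBuilder,
          SslProvider.OPENSSL);
    } catch (IOException e) {
      // only close() can throw here; getInputStream() declares no checked exception
      throw new IllegalStateException("Unable to close certificate stream.", e);
    }
  }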
 
Example #20
Source File: Endpoint.java — from fabric-sdk-java (Apache License 2.0)
/**
 * Starts a client {@link SslContextBuilder} configured for gRPC on the given provider and, when
 * both a key and a certificate chain are supplied, attaches them for client authentication.
 *
 * <p>Without client credentials the builder is returned as-is (server authentication only) and
 * that fact is logged at DEBUG together with the endpoint URL.
 *
 * @param clientCert client certificate chain, or {@code null}
 * @param clientKey client private key, or {@code null}
 * @param sslprovider SSL implementation to configure
 * @return the prepared builder
 */
SslContextBuilder getSslContextBuilder(X509Certificate[] clientCert, PrivateKey clientKey, SslProvider sslprovider) {
    final SslContextBuilder builder = GrpcSslContexts.configure(SslContextBuilder.forClient(), sslprovider);
    final boolean hasClientCredentials = clientKey != null && clientCert != null;
    if (!hasClientCredentials) {
        logger.debug(format("Endpoint %s with no ssl context", url));
        return builder;
    }
    return builder.keyManager(clientKey, clientCert);
}
 
Example #21
Source File: WebSocketClientIT.java — from timely (Apache License 2.0)
/**
 * Builds the JDK-provider client context for the WebSocket tests: trusts the server certificate
 * in {@code clientTrustStoreFile}, ALPN disabled. The unwrapped
 * {@link javax.net.ssl.SSLContext} is stored in {@code sslCtx}.
 *
 * @throws Exception from building the context; an assertion error if the trust store is missing
 *     or Netty does not return a {@link JdkSslContext}
 */
private void setupSslCtx() throws Exception {
    Assert.assertNotNull(clientTrustStoreFile);
    SslContext ctx = SslContextBuilder.forClient()
            .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
            .sslProvider(SslProvider.JDK)
            .trustManager(clientTrustStoreFile) // Trust the server cert
            .build();
    Assert.assertTrue(ctx.isClient());
    Assert.assertTrue(ctx instanceof JdkSslContext);
    sslCtx = ((JdkSslContext) ctx).context();
}
 
Example #22
Source File: Balancer.java — from timely (Apache License 2.0)
/**
 * Builds the balancer's server-side {@link SslContext} from
 * {@code config.getSecurity().getServerSsl()}.
 *
 * <p>Either a throw-away self-signed certificate for {@code localhost} valid for one day is
 * generated (logged at WARN; development use only), or the configured certificate/key files are
 * used. Client certificates are requested but not required ({@link ClientAuth#OPTIONAL}) so that
 * CORS pre-flight requests, which carry none, still succeed. The provider is OpenSSL or JDK per
 * configuration; a non-empty trust store path installs that file as the trust anchor for client
 * certificates.
 *
 * @param config balancer configuration holding the server SSL section
 * @return the built server context
 * @throws IllegalArgumentException if a certificate or key file path is not configured
 * @throws Exception from certificate generation or context construction
 */
protected SslContext createSSLContext(BalancerConfiguration config) throws Exception {
        ServerSsl sslCfg = config.getSecurity().getServerSsl();
        boolean generate = sslCfg.isUseGeneratedKeypair();
        SslContextBuilder ssl;
        if (generate) {
            LOG.warn("Using generated self signed server certificate");
            // one-day validity window for the throw-away certificate
            long oneDayMillis = 86400000L;
            Date begin = new Date();
            Date end = new Date(begin.getTime() + oneDayMillis);
            SelfSignedCertificate ssc = new SelfSignedCertificate("localhost", begin, end);
            ssl = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey());
        } else {
            String cert = sslCfg.getCertificateFile();
            String key = sslCfg.getKeyFile();
            String keyPass = sslCfg.getKeyPassword();
            if (null == cert || null == key) {
                throw new IllegalArgumentException("Check your SSL properties, something is wrong.");
            }
            ssl = SslContextBuilder.forServer(new File(cert), new File(key), keyPass);
        }

        ssl.ciphers(sslCfg.getUseCiphers());
        // Can't set to REQUIRE because the CORS pre-flight requests will fail.
        ssl.clientAuth(ClientAuth.OPTIONAL);
        ssl.sslProvider(sslCfg.isUseOpenssl() ? SslProvider.OPENSSL : SslProvider.JDK);

        String trustStore = sslCfg.getTrustStoreFile();
        if (null != trustStore && !trustStore.isEmpty()) {
            ssl.trustManager(new File(trustStore));
        }
        return ssl.build();
    }
 
Example #23
Source File: Server.java — from timely (Apache License 2.0)
/**
 * Builds the server-side {@link SslContext} from {@code config.getSecurity().getServerSsl()}.
 *
 * <p>Either a throw-away self-signed certificate for {@code localhost} valid for seven days is
 * generated (logged at WARN; development use only), or the configured certificate/key files are
 * used. Client certificates are requested but not required ({@link ClientAuth#OPTIONAL}) so that
 * CORS pre-flight requests, which carry none, still succeed. The provider is OpenSSL or JDK per
 * configuration; a non-empty trust store path installs that file as the trust anchor for client
 * certificates.
 *
 * @param config server configuration holding the server SSL section
 * @return the built server context
 * @throws IllegalArgumentException if a certificate or key file path is not configured
 * @throws Exception from certificate generation or context construction
 */
protected SslContext createSSLContext(Configuration config) throws Exception {
        ServerSsl sslCfg = config.getSecurity().getServerSsl();
        boolean generate = sslCfg.isUseGeneratedKeypair();
        SslContextBuilder ssl;
        if (generate) {
            LOG.warn("Using generated self signed server certificate");
            // seven-day validity window for the throw-away certificate
            long validityMillis = TimeUnit.DAYS.toMillis(7);
            Date begin = new Date();
            Date end = new Date(begin.getTime() + validityMillis);
            SelfSignedCertificate ssc = new SelfSignedCertificate("localhost", begin, end);
            ssl = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey());
        } else {
            String cert = sslCfg.getCertificateFile();
            String key = sslCfg.getKeyFile();
            String keyPass = sslCfg.getKeyPassword();
            if (null == cert || null == key) {
                throw new IllegalArgumentException("Check your SSL properties, something is wrong.");
            }
            ssl = SslContextBuilder.forServer(new File(cert), new File(key), keyPass);
        }

        ssl.ciphers(sslCfg.getUseCiphers());
        // Can't set to REQUIRE because the CORS pre-flight requests will fail.
        ssl.clientAuth(ClientAuth.OPTIONAL);
        ssl.sslProvider(sslCfg.isUseOpenssl() ? SslProvider.OPENSSL : SslProvider.JDK);

        String trustStore = sslCfg.getTrustStoreFile();
        if (null != trustStore && !trustStore.isEmpty()) {
            ssl.trustManager(new File(trustStore));
        }
        return ssl.build();
    }
 
Example #24
Source File: TlsTest.java — from grpc-java (Apache License 2.0)
/**
 * Creates a Netty server builder on {@code port} whose TLS context presents the given
 * certificate chain and key, trusts {@code serverTrustedCaCerts} for client certificates and
 * requires client authentication.
 *
 * <p>For {@link SslProvider#JDK} the context is configured with the test's {@code jdkProvider};
 * any other {@link SslProvider} is passed to {@link GrpcSslContexts#configure} directly.
 *
 * @throws IOException if the SSL context cannot be built
 */
private ServerBuilder<?> serverBuilder(int port, File serverCertChainFile,
    File serverPrivateKeyFile, X509Certificate[] serverTrustedCaCerts) throws IOException {
  SslContextBuilder serverSsl =
      SslContextBuilder.forServer(serverCertChainFile, serverPrivateKeyFile);
  boolean useJdkPath = sslProvider == SslProvider.JDK;
  if (useJdkPath) {
    GrpcSslContexts.configure(serverSsl, jdkProvider);
  } else {
    GrpcSslContexts.configure(serverSsl, sslProvider);
  }
  serverSsl.trustManager(serverTrustedCaCerts).clientAuth(ClientAuth.REQUIRE);
  return NettyServerBuilder.forPort(port).sslContext(serverSsl.build());
}
 
Example #25
Source File: OcspTest.java — from netty-4.1.22 (Apache License 2.0)
/** Enabling OCSP on a JDK-provider client builder must be rejected with IllegalArgumentException. */
@Test(expected = IllegalArgumentException.class)
public void testJdkClientEnableOcsp() throws Exception {
    final SslContextBuilder jdkClient = SslContextBuilder.forClient().sslProvider(SslProvider.JDK);
    jdkClient.enableOcsp(true).build();
}
 
Example #26
Source File: HttpApiHandler.java — from component-runtime (Apache License 2.0)
/**
 * Lazily creates a JDK {@link javax.net.ssl.SSLContext} backed by a freshly generated
 * self-signed certificate and stores it in {@code sslContext}; later calls reuse it.
 *
 * <p>Test-harness only: the certificate is self-signed and the trust manager is
 * {@link InsecureTrustManagerFactory}, so nothing a peer presents is verified. The check-then-set
 * is not synchronized, so concurrent first calls may each build a context.
 *
 * @return {@code this}, cast to {@code T}
 * @throws IllegalStateException if the certificate or context cannot be created
 */
@SuppressWarnings("unchecked") // (T) this: the self-type cast the original also performs
public T activeSsl() {
    if (sslContext != null) {
        return (T) this;
    }
    try {
        final SelfSignedCertificate certificate = new SelfSignedCertificate();
        // NOTE(review): SslContext.newServerContext is deprecated in Netty in favour of SslContextBuilder.
        final SslContext nettyContext = SslContext.newServerContext(SslProvider.JDK, null,
                InsecureTrustManagerFactory.INSTANCE, certificate.certificate(), certificate.privateKey(),
                null, null, null, IdentityCipherSuiteFilter.INSTANCE, null, 0, 0);
        sslContext = ((JdkSslContext) nettyContext).context();
    } catch (final SSLException | CertificateException e) {
        throw new IllegalStateException(e);
    }
    return (T) this;
}
 
Example #27
Source File: TwoWaySSLFailureIT.java — from qonduit (Apache License 2.0)
/**
 * Builds a JDK-provider client context that deliberately presents the <em>server's</em> key and
 * certificate as the client identity (the failure scenario this IT exercises), trusts the server
 * certificate from {@code clientTrustStoreFile}, and returns its {@link SSLSocketFactory}.
 *
 * @throws Exception from building the context; an assertion error if it is not a client context
 */
protected SSLSocketFactory getSSLSocketFactory() throws Exception {
    SslContext ctx = SslContextBuilder.forClient()
            .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
            // Use server cert / key on client side
            .keyManager(serverCert.key(), (String) null, serverCert.cert())
            .sslProvider(SslProvider.JDK)
            .trustManager(clientTrustStoreFile) // Trust the server cert
            .build();
    Assert.assertTrue(ctx.isClient());
    SSLContext jdkSslContext = ((JdkSslContext) ctx).context();
    return jdkSslContext.getSocketFactory();
}
 
Example #28
Source File: MqttSslContextCreator.java — from spring-boot-protocol (Apache License 2.0)
/**
 * Creates the broker's server {@link SslContext} from the configured key store, or returns
 * {@code null} when SSL is not configured or cannot be initialised.
 *
 * <p>Decision order: no key-manager password → {@code null} (WARN); otherwise the builder is
 * chosen by {@link SslProvider} (JDK, or OPENSSL/OPENSSL_REFCNT), an unknown provider yielding
 * {@code null} after an ERROR log. Client authentication is added only when
 * {@code BrokerConstants.NEED_CLIENT_AUTH} parses as {@code true} (default {@code "false"}).
 * Any {@link GeneralSecurityException} or {@link IOException} is logged and mapped to {@code null}.
 *
 * @return the built context, or {@code null} as described above
 */
public SslContext initSSLContext() {
    logger.info("Checking SSL configuration properties...");

    final String keyPassword = props.getProperty(BrokerConstants.KEY_MANAGER_PASSWORD_PROPERTY_NAME);
    if (keyPassword == null || keyPassword.isEmpty()) {
        logger.warn("The key manager password is null or empty. The SSL context won't be initialized.");
        return null;
    }

    try {
        final SslProvider sslProvider = getSSLProvider();
        final KeyStore ks = loadKeyStore();
        final SslContextBuilder contextBuilder;
        switch (sslProvider) {
            case JDK:
                contextBuilder = builderWithJdkProvider(ks, keyPassword);
                break;
            case OPENSSL:
            case OPENSSL_REFCNT:
                contextBuilder = builderWithOpenSSLProvider(ks, keyPassword);
                break;
            default:
                logger.error("unsupported SSL provider "+ sslProvider);
                return null;
        }
        // if client authentication is enabled a trust manager needs to be added to the server context
        final boolean needsClientAuth =
                Boolean.parseBoolean(props.getProperty(BrokerConstants.NEED_CLIENT_AUTH, "false"));
        if (needsClientAuth) {
            addClientAuthentication(ks, contextBuilder);
        }
        final SslContext sslContext = contextBuilder.sslProvider(sslProvider).build();
        logger.info("The SSL context has been initialized successfully.");
        return sslContext;
    } catch (GeneralSecurityException | IOException ex) {
        logger.error("Unable to initialize SSL context.", ex);
        return null;
    }
}
 
Example #29
Source File: ClientRemoteAutoConfiguration.java — from super-cloudops (Apache License 2.0)
/**
 * Clearly specify OpenSSL, because jdk8 may have performance problems, See:
 * https://www.cnblogs.com/wade-luffy/p/6019743.html#_label1
 *
 * <p>Security note: {@code clientAuth(ClientAuth.REQUIRE)} is paired with
 * {@link InsecureTrustManagerFactory}, so a client certificate is demanded but never validated;
 * any certificate is accepted. Until a real trust store is configured this provides transport
 * encryption only, not client authentication.
 *
 * @param props remote properties holding the SSL settings
 * @return server context for the configured key/cert chain; ciphers fall back to
 *         {@code SslProperties.DEFAULT_CIPHERS} when none are configured
 * @throws SSLException if the context cannot be built
 * @see io.netty.handler.ssl.ReferenceCountedOpenSslContext
 */
// @Bean
// @ConditionalOnMissingBean
public SslContext sslContext(RemoteProperties props) throws SSLException {
	SslProperties ssl = props.getSslProperties();
	List<String> ciphers = ssl.getCiphers();
	if (ciphers == null) {
		ciphers = SslProperties.DEFAULT_CIPHERS;
	}
	SslContextBuilder builder = SslContextBuilder.forServer(new File(ssl.getKeyCertChainFile()), new File(ssl.getKeyFile()));
	builder.sslProvider(SslProvider.OPENSSL);
	builder.ciphers(ciphers);
	builder.clientAuth(ClientAuth.REQUIRE);
	builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
	return builder.build();
}
 
Example #30
Source File: GrpcSslContexts.java — from grpc-java (Apache License 2.0)
/**
 * Set ciphers and APN appropriate for gRPC. Precisely what is set is permitted to change, so if
 * an application requires particular settings it should override the options set here.
 *
 * <p>The ALPN/NPN configuration depends on {@code jdkProvider}: the Sun provider needs Jetty
 * ALPN, Jetty NPN or the Java 9+ ALPN API (checked in that order); Conscrypt always uses ALPN;
 * any other provider is rejected.
 *
 * @throws IllegalArgumentException if the provider cannot be configured for ALPN/NPN
 */
@CanIgnoreReturnValue
public static SslContextBuilder configure(SslContextBuilder builder, Provider jdkProvider) {
  ApplicationProtocolConfig negotiation = selectProtocolNegotiation(jdkProvider);
  return builder
      .sslProvider(SslProvider.JDK)
      .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
      .applicationProtocolConfig(negotiation)
      .sslContextProvider(jdkProvider);
}

/** Picks ALPN or NPN for the given JDK provider, or throws if neither can work. */
private static ApplicationProtocolConfig selectProtocolNegotiation(Provider jdkProvider) {
  if (!SUN_PROVIDER_NAME.equals(jdkProvider.getName())) {
    if (ConscryptLoader.isConscrypt(jdkProvider)) {
      return ALPN;
    }
    throw new IllegalArgumentException("Unknown provider; can't configure: " + jdkProvider);
  }
  // Jetty ALPN/NPN only supports one of NPN or ALPN; order of the checks is significant.
  if (JettyTlsUtil.isJettyAlpnConfigured()) {
    return ALPN;
  }
  if (JettyTlsUtil.isJettyNpnConfigured()) {
    return NPN;
  }
  if (JettyTlsUtil.isJava9AlpnAvailable()) {
    return ALPN;
  }
  throw new IllegalArgumentException(
      SUN_PROVIDER_NAME + " selected, but Java 9+ and Jetty NPN/ALPN unavailable");
}