io.netty.handler.ssl.SupportedCipherSuiteFilter Java Examples

@Override
protected AbstractServerImplBuilder<?> getServerBuilder() {
  // Starts the server with HTTPS.
  try {
    return NettyServerBuilder.forPort(0)
        .flowControlWindow(65 * 1024)
        .maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
        .sslContext(GrpcSslContexts
            .forServer(TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key"))
            .clientAuth(ClientAuth.REQUIRE)
            .trustManager(TestUtils.loadCert("ca.pem"))
            .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
            .build());
  } catch (IOException ex) {
    throw new RuntimeException(ex);
  }
}
 

/**
 * Creates a netty SslContext for use when connecting to upstream servers. Retrieves the list of trusted root CAs
 * from the trustSource. When trustSource is true, no upstream certificate verification will be performed.
 * <b>This will make it possible for attackers to MITM communications with the upstream server</b>, so always
 * supply an appropriate trustSource except in extraordinary circumstances (e.g. testing with dynamically-generated
 * certificates).
 *
 * @param cipherSuites    cipher suites to allow when connecting to the upstream server
 * @param trustSource     the trust store that will be used to validate upstream servers' certificates, or null to accept all upstream server certificates
 * @return an SSLContext to connect to upstream servers with
 */
public static SslContext getUpstreamServerSslContext(Collection<String> cipherSuites, TrustSource trustSource) {
    SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();

    if (trustSource == null) {
        log.warn("Disabling upstream server certificate verification. This will allow attackers to intercept communications with upstream servers.");

        sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
    } else {
        sslContextBuilder.trustManager(trustSource.getTrustedCAs());
    }

    sslContextBuilder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE);

    try {
        return sslContextBuilder.build();
    } catch (SSLException e) {
        throw new SslContextInitializationException("Error creating new SSL context for connection to upstream server", e);
    }
}
 

private SslContext getSslContext() {
    SslContext sslCtx = null;

    final SslProvider provider = OpenSsl.isAlpnSupported() ? SslProvider.OPENSSL : SslProvider.JDK;

    try {
        sslCtx = SslContextBuilder.forClient()
            .sslProvider(provider)
            .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
            .trustManager(InsecureTrustManagerFactory.INSTANCE)
            .applicationProtocolConfig(new ApplicationProtocolConfig(
                Protocol.ALPN,
                SelectorFailureBehavior.NO_ADVERTISE,
                SelectedListenerFailureBehavior.ACCEPT,
                ApplicationProtocolNames.HTTP_2))
            .build();
    } catch(SSLException exception) {
        return null;
    }

    return sslCtx;
}
 

@Override
protected AbstractServerImplBuilder<?> getServerBuilder() {
  // Starts the server with HTTPS.
  try {
    SslProvider sslProvider = SslContext.defaultServerProvider();
    if (sslProvider == SslProvider.OPENSSL && !OpenSsl.isAlpnSupported()) {
      // OkHttp only supports Jetty ALPN on OpenJDK. So if OpenSSL doesn't support ALPN, then we
      // are forced to use Jetty ALPN for Netty instead of OpenSSL.
      sslProvider = SslProvider.JDK;
    }
    SslContextBuilder contextBuilder = SslContextBuilder
        .forServer(TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key"));
    GrpcSslContexts.configure(contextBuilder, sslProvider);
    contextBuilder.ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE);
    return NettyServerBuilder.forPort(0)
        .flowControlWindow(65 * 1024)
        .maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
        .sslContext(contextBuilder.build());
  } catch (IOException ex) {
    throw new RuntimeException(ex);
  }
}
 

/**
 * Creates a netty SslContext for use when connecting to upstream servers. Retrieves the list of trusted root CAs
 * from the trustSource. When trustSource is true, no upstream certificate verification will be performed.
 * <b>This will make it possible for attackers to MITM communications with the upstream server</b>, so always
 * supply an appropriate trustSource except in extraordinary circumstances (e.g. testing with dynamically-generated
 * certificates).
 *
 * @param cipherSuites    cipher suites to allow when connecting to the upstream server
 * @param trustSource     the trust store that will be used to validate upstream servers' certificates, or null to accept all upstream server certificates
 * @return an SSLContext to connect to upstream servers with
 */
public static SslContext getUpstreamServerSslContext(Collection<String> cipherSuites, TrustSource trustSource) {
    SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();

    if (trustSource == null) {
        log.warn("Disabling upstream server certificate verification. This will allow attackers to intercept communications with upstream servers.");

        sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
    } else {
        sslContextBuilder.trustManager(trustSource.getTrustedCAs());
    }

    sslContextBuilder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE);

    try {
        return sslContextBuilder.build();
    } catch (SSLException e) {
        throw new SslContextInitializationException("Error creating new SSL context for connection to upstream server", e);
    }
}
 

private SslContext sslContext(URI targetAddress) {
    URI proxyAddress = proxyAddress(targetAddress);

    boolean needContext = targetAddress.getScheme().equalsIgnoreCase("https")
            || proxyAddress != null && proxyAddress.getScheme().equalsIgnoreCase("https");

    if (!needContext) {
        return null;
    }

    try {
        return SslContextBuilder.forClient()
                                .sslProvider(sslProvider)
                                .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
                                .trustManager(getTrustManager())
                                .keyManager(getKeyManager())
                                .build();
    } catch (SSLException e) {
        throw new RuntimeException(e);
    }
}
 

@Override
protected AbstractServerImplBuilder<?> getServerBuilder() {
  // Starts the server with HTTPS.
  try {
    SslProvider sslProvider = SslContext.defaultServerProvider();
    if (sslProvider == SslProvider.OPENSSL && !SslProvider.isAlpnSupported(SslProvider.OPENSSL)) {
      // OkHttp only supports Jetty ALPN on OpenJDK. So if OpenSSL doesn't support ALPN, then we
      // are forced to use Jetty ALPN for Netty instead of OpenSSL.
      sslProvider = SslProvider.JDK;
    }
    SslContextBuilder contextBuilder = SslContextBuilder
        .forServer(TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key"));
    GrpcSslContexts.configure(contextBuilder, sslProvider);
    contextBuilder.ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE);
    return NettyServerBuilder.forPort(0)
        .flowControlWindow(65 * 1024)
        .maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
        .sslContext(contextBuilder.build());
  } catch (IOException ex) {
    throw new RuntimeException(ex);
  }
}
 

private SslContext buildSslCtx() {
  SslProvider provider = OpenSsl.isAlpnSupported() ? SslProvider.OPENSSL : SslProvider.JDK;
  try {
    return SslContextBuilder.forClient()
        .sslProvider(provider)
        .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
        .trustManager(InsecureTrustManagerFactory.INSTANCE)
        // TODO(JR): Make a seperate Handler Class for http2 as opposed to autoneg
        //        .applicationProtocolConfig(new ApplicationProtocolConfig(
        //          ApplicationProtocolConfig.Protocol.ALPN,
        //          // NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK
        //             providers.
        //          ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
        //          // ACCEPT is currently the only mode supported by both OpenSsl and JDK
        //             providers.
        //          ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
        //          ApplicationProtocolNames.HTTP_2,
        //          ApplicationProtocolNames.HTTP_1_1))
        .build();
  } catch (SSLException e) {
    e.printStackTrace();
  }

  return null;
}
 

/**
 * Creates a netty SslContext for use when connecting to upstream servers. Retrieves the list of trusted root CAs
 * from the trustSource. When trustSource is true, no upstream certificate verification will be performed.
 * <b>This will make it possible for attackers to MITM communications with the upstream server</b>, so always
 * supply an appropriate trustSource except in extraordinary circumstances (e.g. testing with dynamically-generated
 * certificates).
 *
 * @param cipherSuites    cipher suites to allow when connecting to the upstream server
 * @param trustSource     the trust store that will be used to validate upstream servers' certificates, or null to accept all upstream server certificates
 * @return an SSLContext to connect to upstream servers with
 */
public static SslContext getUpstreamServerSslContext(Collection<String> cipherSuites, TrustSource trustSource) {
    SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();

    if (trustSource == null) {
        log.warn("Disabling upstream server certificate verification. This will allow attackers to intercept communications with upstream servers.");

        sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
    } else {
        sslContextBuilder.trustManager(trustSource.getTrustedCAs());
    }

    sslContextBuilder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE);

    try {
        return sslContextBuilder.build();
    } catch (SSLException e) {
        throw new SslContextInitializationException("Error creating new SSL context for connection to upstream server", e);
    }
}
 

@Override
protected AbstractServerImplBuilder<?> getServerBuilder() {
  // Starts the server with HTTPS.
  try {
    return NettyServerBuilder.forPort(0)
        .flowControlWindow(65 * 1024)
        .maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
        .sslContext(GrpcSslContexts
            .forServer(TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key"))
            .clientAuth(ClientAuth.REQUIRE)
            .trustManager(TestUtils.loadCert("ca.pem"))
            .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
            .build());
  } catch (IOException ex) {
    throw new RuntimeException(ex);
  }
}
 

@Override
protected ManagedChannel createChannel() {
  try {
    NettyChannelBuilder builder = NettyChannelBuilder
        .forAddress(TestUtils.testServerAddress((InetSocketAddress) getListenAddress()))
        .flowControlWindow(65 * 1024)
        .maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
        .sslContext(GrpcSslContexts
            .forClient()
            .keyManager(TestUtils.loadCert("client.pem"), TestUtils.loadCert("client.key"))
            .trustManager(TestUtils.loadX509Cert("ca.pem"))
            .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
            .build());
    // Disable the default census stats interceptor, use testing interceptor instead.
    io.grpc.internal.TestingAccessor.setStatsEnabled(builder, false);
    return builder.intercept(createCensusStatsClientInterceptor()).build();
  } catch (Exception ex) {
    throw new RuntimeException(ex);
  }
}
 

@NotNull
public SslContext createSslServerContext(@NotNull final KeyManagerFactory kmf, @Nullable final TrustManagerFactory tmFactory, @Nullable final List<String> cipherSuites, @Nullable final List<String> protocols) throws SSLException {

    final SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(kmf);

    sslContextBuilder.sslProvider(SslProvider.JDK).trustManager(tmFactory);

    if (protocols != null && !protocols.isEmpty()) {
        sslContextBuilder.protocols(protocols.toArray(new String[0]));
    }

    //set chosen cipher suites if available
    if (cipherSuites != null && cipherSuites.size() > 0) {
        sslContextBuilder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE);
    } else {
        sslContextBuilder.ciphers(null, SupportedCipherSuiteFilter.INSTANCE);
    }
    return sslContextBuilder.build();
}
 

/**
 * Creates a netty SslContext for use when connecting to upstream servers. Retrieves the list of trusted root CAs
 * from the trustSource. When trustSource is true, no upstream certificate verification will be performed.
 * <b>This will make it possible for attackers to MITM communications with the upstream server</b>, so always
 * supply an appropriate trustSource except in extraordinary circumstances (e.g. testing with dynamically-generated
 * certificates).
 *
 * @param cipherSuites    cipher suites to allow when connecting to the upstream server
 * @param trustSource     the trust store that will be used to validate upstream servers' certificates, or null to accept all upstream server certificates
 * @return an SSLContext to connect to upstream servers with
 */
public static SslContext getUpstreamServerSslContext(Collection<String> cipherSuites, TrustSource trustSource) {
    SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();

    if (trustSource == null) {
        log.warn("Disabling upstream server certificate verification. This will allow attackers to intercept communications with upstream servers.");

        sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
    } else {
        sslContextBuilder.trustManager(trustSource.getTrustedCAs());
    }

    sslContextBuilder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE);

    try {
        return sslContextBuilder.build();
    } catch (SSLException e) {
        throw new SslContextInitializationException("Error creating new SSL context for connection to upstream server", e);
    }
}
 

/**
 * @param config the {@link SSLConfig}
 * @return a configured {@link SslContext} object for a client.
 * @throws GeneralSecurityException
 * @throws IOException
 */
static SslContext getServerSslContext(SSLConfig config) throws GeneralSecurityException, IOException {
  logger.info("Using {} provider for server SslContext", SslContext.defaultServerProvider());
  SslContextBuilder sslContextBuilder;
  if (config.sslHttp2SelfSign) {
    SelfSignedCertificate ssc = new SelfSignedCertificate();
    sslContextBuilder = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey());
    logger.info("Using Self Signed Certificate.");
  } else {
    sslContextBuilder = SslContextBuilder.forServer(NettySslFactory.getKeyManagerFactory(config))
        .trustManager(NettySslFactory.getTrustManagerFactory(config));
  }
  return sslContextBuilder.sslProvider(SslContext.defaultClientProvider())
      .clientAuth(NettySslFactory.getClientAuth(config))
      /* NOTE: the cipher filter may not include all ciphers required by the HTTP/2 specification.
       * Please refer to the HTTP/2 specification for cipher requirements. */
      .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
      .applicationProtocolConfig(new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN,
          // NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK providers.
          ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
          // ACCEPT is currently the only mode supported by both OpenSsl and JDK providers.
          ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT, ApplicationProtocolNames.HTTP_2))
      .build();
}
 

/**
 * @param config the {@link SSLConfig}
 * @return a configured {@link SslContext} object for a server.
 * @throws GeneralSecurityException
 * @throws IOException
 */
public static SslContext getClientSslContext(SSLConfig config) throws GeneralSecurityException, IOException {
  logger.info("Using {} provider for client ", SslContext.defaultClientProvider());
  SslContextBuilder sslContextBuilder;
  if (config.sslHttp2SelfSign) {
    sslContextBuilder = SslContextBuilder.forClient().trustManager(InsecureTrustManagerFactory.INSTANCE);
    logger.info("Using Self Signed Certificate.");
  } else {
    sslContextBuilder = SslContextBuilder.forClient()
        .keyManager(NettySslFactory.getKeyManagerFactory(config))
        .trustManager(NettySslFactory.getTrustManagerFactory(config));
  }
  return sslContextBuilder.sslProvider(SslContext.defaultClientProvider())
      /* NOTE: the cipher filter may not include all ciphers required by the HTTP/2 specification.
       * Please refer to the HTTP/2 specification for cipher requirements. */
      .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
      .applicationProtocolConfig(new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN,
          // NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK providers.
          ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
          // ACCEPT is currently the only mode supported by both OpenSsl and JDK providers.
          ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT, ApplicationProtocolNames.HTTP_2))
      .build();
}
 

@Override
protected ManagedChannel createChannel() {
  try {
    NettyChannelBuilder builder = NettyChannelBuilder
        .forAddress(TestUtils.testServerAddress(getPort()))
        .flowControlWindow(65 * 1024)
        .maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
        .sslContext(GrpcSslContexts
            .forClient()
            .keyManager(TestUtils.loadCert("client.pem"), TestUtils.loadCert("client.key"))
            .trustManager(TestUtils.loadX509Cert("ca.pem"))
            .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
            .build());
    io.grpc.internal.TestingAccessor.setStatsImplementation(
        builder, createClientCensusStatsModule());
    return builder.build();
  } catch (Exception ex) {
    throw new RuntimeException(ex);
  }
}
 

private static SslContext createSslContext() {
  try {
    File serverCert = TestUtils.loadCert("server1.pem");
    File key = TestUtils.loadCert("server1.key");
    return GrpcSslContexts.forServer(serverCert, key)
        .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE).build();
  } catch (IOException ex) {
    throw new RuntimeException(ex);
  }
}
 

/**
 * Set ciphers and APN appropriate for gRPC. Precisely what is set is permitted to change, so if
 * an application requires particular settings it should override the options set here.
 */
@CanIgnoreReturnValue
public static SslContextBuilder configure(SslContextBuilder builder, Provider jdkProvider) {
  ApplicationProtocolConfig apc;
  if (SUN_PROVIDER_NAME.equals(jdkProvider.getName())) {
    // Jetty ALPN/NPN only supports one of NPN or ALPN
    if (JettyTlsUtil.isJettyAlpnConfigured()) {
      apc = ALPN;
    } else if (JettyTlsUtil.isJettyNpnConfigured()) {
      apc = NPN;
    } else if (JettyTlsUtil.isJava9AlpnAvailable()) {
      apc = ALPN;
    } else {
      throw new IllegalArgumentException(
          SUN_PROVIDER_NAME + " selected, but Java 9+ and Jetty NPN/ALPN unavailable");
    }
  } else if (ConscryptLoader.isConscrypt(jdkProvider)) {
    apc = ALPN;
  } else {
    throw new IllegalArgumentException("Unknown provider; can't configure: " + jdkProvider);
  }
  return builder
      .sslProvider(SslProvider.JDK)
      .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
      .applicationProtocolConfig(apc)
      .sslContextProvider(jdkProvider);
}
 

/**
 * Set ciphers and APN appropriate for gRPC. Precisely what is set is permitted to change, so if
 * an application requires particular settings it should override the options set here.
 */
@ExperimentalApi("https://github.com/grpc/grpc-java/issues/1784")
@CanIgnoreReturnValue
public static SslContextBuilder configure(SslContextBuilder builder, SslProvider provider) {
  switch (provider) {
    case JDK:
    {
      Provider jdkProvider = findJdkProvider();
      if (jdkProvider == null) {
        throw new IllegalArgumentException(
            "Could not find Jetty NPN/ALPN or Conscrypt as installed JDK providers");
      }
      return configure(builder, jdkProvider);
    }
    case OPENSSL:
    {
      ApplicationProtocolConfig apc;
      if (OpenSsl.isAlpnSupported()) {
        apc = NPN_AND_ALPN;
      } else {
        apc = NPN;
      }
      return builder
          .sslProvider(SslProvider.OPENSSL)
          .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
          .applicationProtocolConfig(apc);
    }
    default:
      throw new IllegalArgumentException("Unsupported provider: " + provider);
  }
}
 

@Before
public void setUp() throws Exception {
  File serverCert = TestUtils.loadCert("server1.pem");
  File key = TestUtils.loadCert("server1.key");
  sslContext = GrpcSslContexts.forServer(serverCert, key)
      .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE).build();
  engine = SSLContext.getDefault().createSSLEngine();
  engine.setUseClientMode(true);
}
 

@Test
public void serverTlsHandler_userEventTriggeredSslEvent_supportedProtocolCustom()
    throws Exception {
  SslHandler goodSslHandler = new SslHandler(engine, false) {
    @Override
    public String applicationProtocol() {
      return "managed_mtls";
    }
  };

  File serverCert = TestUtils.loadCert("server1.pem");
  File key = TestUtils.loadCert("server1.key");
  List<String> alpnList = Arrays.asList("managed_mtls", "h2");
  ApplicationProtocolConfig apn = new ApplicationProtocolConfig(
      ApplicationProtocolConfig.Protocol.ALPN,
      ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
      ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
      alpnList);

  sslContext = GrpcSslContexts.forServer(serverCert, key)
      .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
      .applicationProtocolConfig(apn).build();

  ChannelHandler handler = new ServerTlsHandler(grpcHandler, sslContext, null);
  pipeline.addLast(handler);

  pipeline.replace(SslHandler.class, null, goodSslHandler);
  channelHandlerCtx = pipeline.context(handler);
  Object sslEvent = SslHandshakeCompletionEvent.SUCCESS;

  pipeline.fireUserEventTriggered(sslEvent);

  assertTrue(channel.isOpen());
  ChannelHandlerContext grpcHandlerCtx = pipeline.context(grpcHandler);
  assertNotNull(grpcHandlerCtx);
}
 

@Test
public void clientTlsHandler_userEventTriggeredSslEvent_supportedProtocolCustom()
    throws Exception {
  SslHandler goodSslHandler = new SslHandler(engine, false) {
    @Override
    public String applicationProtocol() {
      return "managed_mtls";
    }
  };
  DefaultEventLoopGroup elg = new DefaultEventLoopGroup(1);

  File clientCert = TestUtils.loadCert("client.pem");
  File key = TestUtils.loadCert("client.key");
  List<String> alpnList = Arrays.asList("managed_mtls", "h2");
  ApplicationProtocolConfig apn = new ApplicationProtocolConfig(
      ApplicationProtocolConfig.Protocol.ALPN,
      ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
      ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
      alpnList);

  sslContext = GrpcSslContexts.forClient()
      .keyManager(clientCert, key)
      .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
      .applicationProtocolConfig(apn).build();

  ClientTlsHandler handler = new ClientTlsHandler(grpcHandler, sslContext, "authority", elg);
  pipeline.addLast(handler);
  pipeline.replace(SslHandler.class, null, goodSslHandler);
  pipeline.fireUserEventTriggered(ProtocolNegotiationEvent.DEFAULT);
  channelHandlerCtx = pipeline.context(handler);
  Object sslEvent = SslHandshakeCompletionEvent.SUCCESS;

  pipeline.fireUserEventTriggered(sslEvent);

  ChannelHandlerContext grpcHandlerCtx = pipeline.context(grpcHandler);
  assertNotNull(grpcHandlerCtx);
}
 

public static void createAndAttachSSLClient(ServiceHost h) throws Throwable {
    // we create a random userAgent string to validate host to host communication when
    // the client appears to be from an external, non-Xenon source.
    ServiceClient client = NettyHttpServiceClient.create(UUID.randomUUID().toString(),
            null,
            h.getScheduledExecutor(), h);

    if (NettyChannelContext.isALPNEnabled()) {
        SslContext http2ClientContext = SslContextBuilder.forClient()
                .trustManager(InsecureTrustManagerFactory.INSTANCE)
                .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
                .applicationProtocolConfig(new ApplicationProtocolConfig(
                        ApplicationProtocolConfig.Protocol.ALPN,
                        ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
                        ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
                        ApplicationProtocolNames.HTTP_2))
                .build();
        ((NettyHttpServiceClient) client).setHttp2SslContext(http2ClientContext);
    }

    SSLContext clientContext = SSLContext.getInstance(ServiceClient.TLS_PROTOCOL_NAME);
    clientContext.init(null, InsecureTrustManagerFactory.INSTANCE.getTrustManagers(), null);
    client.setSSLContext(clientContext);
    h.setClient(client);

    SelfSignedCertificate ssc = new SelfSignedCertificate();
    h.setCertificateFileReference(ssc.certificate().toURI());
    h.setPrivateKeyFileReference(ssc.privateKey().toURI());
}
 

public static SslContext createSSLContext(boolean isServer) throws SSLException, CertificateException {

        SslContext sslCtx;

        SelfSignedCertificate ssc = new SelfSignedCertificate();

        if (isServer) {
            sslCtx = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
                .sslProvider(SslProvider.JDK)
                .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
                .applicationProtocolConfig(new ApplicationProtocolConfig(Protocol.ALPN,
                    SelectorFailureBehavior.NO_ADVERTISE,
                    SelectedListenerFailureBehavior.ACCEPT, ApplicationProtocolNames.HTTP_2, ApplicationProtocolNames.HTTP_1_1))
                .build();
        } else {
            sslCtx = SslContextBuilder.forClient()
                .sslProvider(SslProvider.JDK)
                .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
                .trustManager(InsecureTrustManagerFactory.INSTANCE)
                .applicationProtocolConfig(new ApplicationProtocolConfig(Protocol.ALPN,
                    SelectorFailureBehavior.NO_ADVERTISE,
                    SelectedListenerFailureBehavior.ACCEPT, ApplicationProtocolNames.HTTP_2))
                .build();
        }
        return sslCtx;

    }
 

public static void createAndAttachSSLClient(ServiceHost h) throws Throwable {
    // we create a random userAgent string to validate host to host communication when
    // the client appears to be from an external, non-Xenon source.
    ServiceClient client = NettyHttpServiceClient.create(UUID.randomUUID().toString(),
            null,
            h.getScheduledExecutor(), h);

    if (NettyChannelContext.isALPNEnabled()) {
        SslContext http2ClientContext = SslContextBuilder.forClient()
                .trustManager(InsecureTrustManagerFactory.INSTANCE)
                .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
                .applicationProtocolConfig(new ApplicationProtocolConfig(
                        ApplicationProtocolConfig.Protocol.ALPN,
                        ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
                        ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
                        ApplicationProtocolNames.HTTP_2))
                .build();
        ((NettyHttpServiceClient) client).setHttp2SslContext(http2ClientContext);
    }

    SSLContext clientContext = SSLContext.getInstance(ServiceClient.TLS_PROTOCOL_NAME);
    clientContext.init(null, InsecureTrustManagerFactory.INSTANCE.getTrustManagers(), null);
    client.setSSLContext(clientContext);
    h.setClient(client);

    SelfSignedCertificate ssc = new SelfSignedCertificate();
    h.setCertificateFileReference(ssc.certificate().toURI());
    h.setPrivateKeyFileReference(ssc.privateKey().toURI());
}
 

private static SslContextBuilder configure(TlsConfig config, SslContextBuilder builder) {
  return builder
      .applicationProtocolConfig(config.getAlpnConfig())
      .ciphers(config.getCiphers(), SupportedCipherSuiteFilter.INSTANCE)
      .clientAuth(config.getClientAuth())
      .enableOcsp(config.isEnableOcsp())
      .protocols(config.getProtocols())
      .sessionCacheSize(config.getSessionCacheSize())
      .sessionTimeout(config.getSessionTimeout())
      .sslProvider(config.getSslProvider());
}
 

void updateDefaultConfiguration() {
	switch (type) {
		case H2:
			sslContextBuilder.sslProvider(
			                     io.netty.handler.ssl.SslProvider.isAlpnSupported(io.netty.handler.ssl.SslProvider.OPENSSL) ?
			                             io.netty.handler.ssl.SslProvider.OPENSSL :
			                             io.netty.handler.ssl.SslProvider.JDK)
			                 .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
			                 .applicationProtocolConfig(new ApplicationProtocolConfig(
			                     ApplicationProtocolConfig.Protocol.ALPN,
			                     ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
			                     ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
			                     ApplicationProtocolNames.HTTP_2,
			                     ApplicationProtocolNames.HTTP_1_1));
			break;
		case TCP:
			sslContextBuilder.sslProvider(
			                     OpenSsl.isAvailable() ?
			                             io.netty.handler.ssl.SslProvider.OPENSSL :
			                             io.netty.handler.ssl.SslProvider.JDK)
			                 .ciphers(null, IdentityCipherSuiteFilter.INSTANCE)
			                 .applicationProtocolConfig(null);
			break;
		case NONE:
			break; //no default configuration
	}
}
 

/**
 * Set ciphers and APN appropriate for gRPC. Precisely what is set is permitted to change, so if
 * an application requires particular settings it should override the options set here.
 */
@ExperimentalApi("https://github.com/grpc/grpc-java/issues/1784")
@CanIgnoreReturnValue
public static SslContextBuilder configure(SslContextBuilder builder, SslProvider provider) {
  switch (provider) {
    case JDK:
    {
      Provider jdkProvider = findJdkProvider();
      if (jdkProvider == null) {
        throw new IllegalArgumentException(
            "Could not find Jetty NPN/ALPN or Conscrypt as installed JDK providers");
      }
      return configure(builder, jdkProvider);
    }
    case OPENSSL:
    {
      ApplicationProtocolConfig apc;
      if (OpenSsl.isAlpnSupported()) {
        apc = NPN_AND_ALPN;
      } else {
        apc = NPN;
      }
      return builder
          .sslProvider(SslProvider.OPENSSL)
          .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
          .applicationProtocolConfig(apc);
    }
    default:
      throw new IllegalArgumentException("Unsupported provider: " + provider);
  }
}
 

/**
 * Set ciphers and APN appropriate for gRPC. Precisely what is set is permitted to change, so if
 * an application requires particular settings it should override the options set here.
 */
@CanIgnoreReturnValue
public static SslContextBuilder configure(SslContextBuilder builder, Provider jdkProvider) {
  ApplicationProtocolConfig apc;
  if (SUN_PROVIDER_NAME.equals(jdkProvider.getName())) {
    // Jetty ALPN/NPN only supports one of NPN or ALPN
    if (JettyTlsUtil.isJettyAlpnConfigured()) {
      apc = ALPN;
    } else if (JettyTlsUtil.isJettyNpnConfigured()) {
      apc = NPN;
    } else if (JettyTlsUtil.isJava9AlpnAvailable()) {
      apc = ALPN;
    } else {
      throw new IllegalArgumentException(
          SUN_PROVIDER_NAME + " selected, but Jetty NPN/ALPN unavailable");
    }
  } else if (isConscrypt(jdkProvider)) {
    apc = ALPN;
  } else {
    throw new IllegalArgumentException("Unknown provider; can't configure: " + jdkProvider);
  }
  return builder
      .sslProvider(SslProvider.JDK)
      .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
      .applicationProtocolConfig(apc)
      .sslContextProvider(jdkProvider);
}
 

@Test
public void channelConfigOptionCheck() throws SSLException {
    targetUri = URI.create("https://some-awesome-service-1234.amazonaws.com:8080");

    SslContext sslContext = SslContextBuilder.forClient()
                                             .sslProvider(SslProvider.JDK)
                                             .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
                                             .build();

    AtomicReference<ChannelPool> channelPoolRef = new AtomicReference<>();

    NettyConfiguration nettyConfiguration = new NettyConfiguration(GLOBAL_HTTP_DEFAULTS);

    pipelineInitializer = new ChannelPipelineInitializer(Protocol.HTTP1_1,
                                                         sslContext,
                                                         SslProvider.JDK,
                                                         100,
                                                         1024,
                                                         Duration.ZERO,
                                                         channelPoolRef,
                                                         nettyConfiguration,
                                                         targetUri);

    Channel channel = new EmbeddedChannel();

    pipelineInitializer.channelCreated(channel);

    assertThat(channel.config().getOption(ChannelOption.ALLOCATOR), is(UnpooledByteBufAllocator.DEFAULT));

}