Java Code Examples for io.netty.handler.ssl.SslContextBuilder#forServer()
The following examples show how to use
io.netty.handler.ssl.SslContextBuilder#forServer() .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
| Source File: Http2OkHttpTest.java From grpc-nebula-java with Apache License 2.0 | 6 votes |
|
@Override
protected AbstractServerImplBuilder<?> getServerBuilder() {
// Starts the server with HTTPS.
try {
SslProvider sslProvider = SslContext.defaultServerProvider();
if (sslProvider == SslProvider.OPENSSL && !OpenSsl.isAlpnSupported()) {
// OkHttp only supports Jetty ALPN on OpenJDK. So if OpenSSL doesn't support ALPN, then we
// are forced to use Jetty ALPN for Netty instead of OpenSSL.
sslProvider = SslProvider.JDK;
}
SslContextBuilder contextBuilder = SslContextBuilder
.forServer(TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key"));
GrpcSslContexts.configure(contextBuilder, sslProvider);
contextBuilder.ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE);
return NettyServerBuilder.forPort(0)
.flowControlWindow(65 * 1024)
.maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
.sslContext(contextBuilder.build());
} catch (IOException ex) {
throw new RuntimeException(ex);
}
}
Example 2
| Source File: NettySslHttp2Factory.java From ambry with Apache License 2.0 | 6 votes |
|
/**
* @param config the {@link SSLConfig}
* @return a configured {@link SslContext} object for a client.
* @throws GeneralSecurityException
* @throws IOException
*/
static SslContext getServerSslContext(SSLConfig config) throws GeneralSecurityException, IOException {
logger.info("Using {} provider for server SslContext", SslContext.defaultServerProvider());
SslContextBuilder sslContextBuilder;
if (config.sslHttp2SelfSign) {
SelfSignedCertificate ssc = new SelfSignedCertificate();
sslContextBuilder = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey());
logger.info("Using Self Signed Certificate.");
} else {
sslContextBuilder = SslContextBuilder.forServer(NettySslFactory.getKeyManagerFactory(config))
.trustManager(NettySslFactory.getTrustManagerFactory(config));
}
return sslContextBuilder.sslProvider(SslContext.defaultClientProvider())
.clientAuth(NettySslFactory.getClientAuth(config))
/* NOTE: the cipher filter may not include all ciphers required by the HTTP/2 specification.
* Please refer to the HTTP/2 specification for cipher requirements. */
.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
.applicationProtocolConfig(new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN,
// NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK providers.
ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
// ACCEPT is currently the only mode supported by both OpenSsl and JDK providers.
ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT, ApplicationProtocolNames.HTTP_2))
.build();
}
Example 3
| Source File: Http2OkHttpTest.java From grpc-java with Apache License 2.0 | 6 votes |
|
@Override
protected AbstractServerImplBuilder<?> getServerBuilder() {
// Starts the server with HTTPS.
try {
SslProvider sslProvider = SslContext.defaultServerProvider();
if (sslProvider == SslProvider.OPENSSL && !SslProvider.isAlpnSupported(SslProvider.OPENSSL)) {
// OkHttp only supports Jetty ALPN on OpenJDK. So if OpenSSL doesn't support ALPN, then we
// are forced to use Jetty ALPN for Netty instead of OpenSSL.
sslProvider = SslProvider.JDK;
}
SslContextBuilder contextBuilder = SslContextBuilder
.forServer(TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key"));
GrpcSslContexts.configure(contextBuilder, sslProvider);
contextBuilder.ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE);
return NettyServerBuilder.forPort(0)
.flowControlWindow(65 * 1024)
.maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
.sslContext(contextBuilder.build());
} catch (IOException ex) {
throw new RuntimeException(ex);
}
}
Example 4
| Source File: HttpServerTests.java From reactor-netty with Apache License 2.0 | 5 votes |
|
@Test
public void testHttpServerWithDomainSockets() throws Exception {
HttpServer server = HttpServer.create();
HttpClient client = HttpClient.create();
doTestHttpServerWithDomainSockets(server, client);
SelfSignedCertificate cert = new SelfSignedCertificate();
SslContextBuilder serverCtx = SslContextBuilder.forServer(cert.certificate(), cert.privateKey());
SslContextBuilder clientCtx = SslContextBuilder.forClient()
.trustManager(InsecureTrustManagerFactory.INSTANCE);
doTestHttpServerWithDomainSockets(
server.protocol(HttpProtocol.H2).secure(spec -> spec.sslContext(serverCtx)),
client.protocol(HttpProtocol.H2).secure(spec -> spec.sslContext(clientCtx)));
}
Example 5
| Source File: HttpRedirectTest.java From reactor-netty with Apache License 2.0 | 5 votes |
|
@Test
public void testHttp2Redirect() throws Exception {
SelfSignedCertificate cert = new SelfSignedCertificate();
SslContextBuilder serverCtx = SslContextBuilder.forServer(cert.certificate(), cert.privateKey());
SslContextBuilder clientCtx = SslContextBuilder.forClient()
.trustManager(InsecureTrustManagerFactory.INSTANCE);
DisposableServer server =
HttpServer.create()
.port(0)
.host("localhost")
.wiretap(true)
.protocol(HttpProtocol.H2)
.secure(spec -> spec.sslContext(serverCtx))
.route(r -> r.get("/1", (req, res) -> res.sendRedirect("/3"))
.get("/3", (req, res) -> res.status(200)
.sendString(Mono.just("OK"))))
.wiretap(true)
.bindNow();
Tuple2<String, Integer> response =
HttpClient.create()
.remoteAddress(server::address)
.wiretap(true)
.followRedirect(true)
.protocol(HttpProtocol.H2)
.secure(spec -> spec.sslContext(clientCtx))
.get()
.uri("/1")
.responseSingle((res, bytes) -> bytes.asString()
.zipWith(Mono.just(res.status().code())))
.block(Duration.ofSeconds(30));
assertThat(response).isNotNull();
assertThat(response.getT2()).isEqualTo(200);
assertThat(response.getT1()).isEqualTo("OK");
server.disposeNow();
}
Example 6
| Source File: RemoteWorker.java From bazel with Apache License 2.0 | 5 votes |
|
private SslContextBuilder getSslContextBuilder(RemoteWorkerOptions workerOptions) {
SslContextBuilder sslContextBuilder =
SslContextBuilder.forServer(
new File(workerOptions.tlsCertificate), new File(workerOptions.tlsPrivateKey));
if (workerOptions.tlsCaCertificate != null) {
sslContextBuilder.clientAuth(ClientAuth.REQUIRE);
sslContextBuilder.trustManager(new File(workerOptions.tlsCaCertificate));
}
return GrpcSslContexts.configure(sslContextBuilder, SslProvider.OPENSSL);
}
Example 7
| Source File: MqttSslContextCreator.java From spring-boot-protocol with Apache License 2.0 | 5 votes |
|
/**
* The OpenSSL provider does not support the {@link KeyManagerFactory}, so we have to lookup the integration
* certificate and key in order to provide it to OpenSSL.
* <p>
* TODO: SNI is currently not supported, we use only the first found private key.
*/
private static SslContextBuilder builderWithOpenSSLProvider(KeyStore ks, String keyPassword)
throws GeneralSecurityException {
for (String alias : Collections.list(ks.aliases())) {
if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
PrivateKey key = (PrivateKey) ks.getKey(alias, keyPassword.toCharArray());
Certificate[] chain = ks.getCertificateChain(alias);
X509Certificate[] certChain = new X509Certificate[chain.length];
System.arraycopy(chain, 0, certChain, 0, chain.length);
return SslContextBuilder.forServer(key, certChain);
}
}
throw new KeyManagementException("the SSL key-store does not contain a private key");
}
Example 8
| Source File: MqttSslContextCreator.java From spring-boot-protocol with Apache License 2.0 | 5 votes |
|
private SslContextBuilder builderWithJdkProvider(KeyStore ks, String keyPassword)
throws GeneralSecurityException {
logger.info("Initializing key manager...");
final KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, keyPassword.toCharArray());
logger.info("Initializing SSL context...");
return SslContextBuilder.forServer(kmf);
}
Example 9
| Source File: HelloWorldServerTls.java From grpc-nebula-java with Apache License 2.0 | 5 votes |
|
private SslContextBuilder getSslContextBuilder() {
SslContextBuilder sslClientContextBuilder = SslContextBuilder.forServer(new File(certChainFilePath),
new File(privateKeyFilePath));
if (trustCertCollectionFilePath != null) {
sslClientContextBuilder.trustManager(new File(trustCertCollectionFilePath));
sslClientContextBuilder.clientAuth(ClientAuth.REQUIRE);
}
return GrpcSslContexts.configure(sslClientContextBuilder,
SslProvider.OPENSSL);
}
Example 10
| Source File: TestSsl.java From dremio-flight-connector with Apache License 2.0 | 5 votes |
|
@Test
public void sslTest() throws Exception {
Pair<InputStream, InputStream> pair = SslHelper.ssl(dremioConfig, "localhost");
SslContextBuilder builder = SslContextBuilder.forServer(pair.getRight(), pair.getLeft());
SslContext context = builder.build();
Assert.assertNotNull(context);
}
Example 11
| Source File: SslProviderTests.java From reactor-netty with Apache License 2.0 | 5 votes |
|
@Before
public void setUp() throws Exception {
SelfSignedCertificate cert = new SelfSignedCertificate();
builder = SslContextBuilder.forServer(cert.certificate(), cert.privateKey());
protocols = new ArrayList<>();
server = HttpServer.create()
.port(0)
.doOnBind(conf -> {
SslProvider ssl = conf.sslProvider();
if (ssl != null) {
protocols.addAll(ssl.sslContext.applicationProtocolNegotiator().protocols());
sslContext = ssl.sslContext;
}
});
}
Example 12
| Source File: DefaultPooledConnectionProviderTest.java From reactor-netty with Apache License 2.0 | 5 votes |
|
@Test
public void testIssue903() throws CertificateException {
SelfSignedCertificate cert = new SelfSignedCertificate();
SslContextBuilder serverCtx = SslContextBuilder.forServer(cert.key(), cert.cert());
DisposableServer server =
HttpServer.create()
.secure(s -> s.sslContext(serverCtx))
.port(0)
.wiretap(true)
.handle((req, resp) -> resp.sendHeaders())
.bindNow();
DefaultPooledConnectionProvider provider = (DefaultPooledConnectionProvider) ConnectionProvider.create("testIssue903", 1);
HttpClient.create(provider)
.port(server.port())
.get()
.uri("/")
.response()
.onErrorResume(e -> Mono.empty())
.block(Duration.ofSeconds(30));
provider.channelPools.forEach((k, v) -> assertThat(v.metrics().acquiredSize()).isEqualTo(0));
provider.disposeLater()
.block(Duration.ofSeconds(30));
server.disposeNow();
}
Example 13
| Source File: Server.java From timely with Apache License 2.0 | 5 votes |
|
protected SslContext createSSLContext(Configuration config) throws Exception {
ServerSsl sslCfg = config.getSecurity().getServerSsl();
Boolean generate = sslCfg.isUseGeneratedKeypair();
SslContextBuilder ssl;
if (generate) {
LOG.warn("Using generated self signed server certificate");
Date begin = new Date();
Date end = new Date(begin.getTime() + TimeUnit.DAYS.toMillis(7));
SelfSignedCertificate ssc = new SelfSignedCertificate("localhost", begin, end);
ssl = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey());
} else {
String cert = sslCfg.getCertificateFile();
String key = sslCfg.getKeyFile();
String keyPass = sslCfg.getKeyPassword();
if (null == cert || null == key) {
throw new IllegalArgumentException("Check your SSL properties, something is wrong.");
}
ssl = SslContextBuilder.forServer(new File(cert), new File(key), keyPass);
}
ssl.ciphers(sslCfg.getUseCiphers());
// Can't set to REQUIRE because the CORS pre-flight requests will fail.
ssl.clientAuth(ClientAuth.OPTIONAL);
Boolean useOpenSSL = sslCfg.isUseOpenssl();
if (useOpenSSL) {
ssl.sslProvider(SslProvider.OPENSSL);
} else {
ssl.sslProvider(SslProvider.JDK);
}
String trustStore = sslCfg.getTrustStoreFile();
if (null != trustStore) {
if (!trustStore.isEmpty()) {
ssl.trustManager(new File(trustStore));
}
}
return ssl.build();
}
Example 14
| Source File: DefaultCassandanaSslContextCreator.java From cassandana with Apache License 2.0 | 5 votes |
|
private static SslContextBuilder builderWithJdkProvider(KeyStore ks, String keyPassword)
throws GeneralSecurityException {
LOG.info("Initializing key manager...");
final KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, keyPassword.toCharArray());
LOG.info("Initializing SSL context...");
return SslContextBuilder.forServer(kmf);
}
Example 15
| Source File: TlsTest.java From grpc-java with Apache License 2.0 | 5 votes |
|
private ServerBuilder<?> serverBuilder(int port, File serverCertChainFile,
File serverPrivateKeyFile, X509Certificate[] serverTrustedCaCerts) throws IOException {
SslContextBuilder sslContextBuilder
= SslContextBuilder.forServer(serverCertChainFile, serverPrivateKeyFile);
if (sslProvider == SslProvider.JDK) {
GrpcSslContexts.configure(sslContextBuilder, jdkProvider);
} else {
GrpcSslContexts.configure(sslContextBuilder, sslProvider);
}
sslContextBuilder.trustManager(serverTrustedCaCerts)
.clientAuth(ClientAuth.REQUIRE);
return NettyServerBuilder.forPort(port)
.sslContext(sslContextBuilder.build());
}
Example 16
| Source File: SslContextFactory.java From xio with Apache License 2.0 | 4 votes |
|
private static SslContextBuilder newServerBuilder(TlsConfig config) {
return SslContextBuilder.forServer(config.getPrivateKey(), config.getCertificateAndChain());
}
Example 17
| Source File: SslContextFactory.java From servicetalk with Apache License 2.0 | 4 votes |
|
/**
* A new context for a server using the passed {@code config}.
*
* @param config SSL config.
* @param supportedAlpnProtocols the list of supported ALPN protocols.
* @return A new {@link SslContext} for a server.
*/
public static SslContext forServer(ReadOnlyServerSecurityConfig config, List<String> supportedAlpnProtocols) {
requireNonNull(config);
SslContextBuilder builder;
KeyManagerFactory keyManagerFactory = config.keyManagerFactory();
if (keyManagerFactory != null) {
builder = SslContextBuilder.forServer(keyManagerFactory);
} else {
InputStream keyCertChainSupplier = null;
InputStream keySupplier = null;
try {
keyCertChainSupplier = config.keyCertChainSupplier().get();
keySupplier = config.keySupplier().get();
builder = SslContextBuilder.forServer(keyCertChainSupplier, keySupplier, config.keyPassword());
} finally {
try {
closeAndRethrowUnchecked(keyCertChainSupplier);
} finally {
closeAndRethrowUnchecked(keySupplier);
}
}
}
builder.sessionCacheSize(config.sessionCacheSize()).sessionTimeout(config.sessionTimeout())
.applicationProtocolConfig(nettyApplicationProtocol(supportedAlpnProtocols));
switch (config.clientAuth()) {
case NONE:
builder.clientAuth(ClientAuth.NONE);
break;
case OPTIONAL:
builder.clientAuth(ClientAuth.OPTIONAL);
break;
case REQUIRE:
builder.clientAuth(ClientAuth.REQUIRE);
break;
default:
throw new IllegalArgumentException("Unsupported ClientAuth value: " + config.clientAuth());
}
configureTrustManager(config, builder);
builder.protocols(config.protocols());
builder.ciphers(config.ciphers());
builder.sslProvider(toNettySslProvider(config.provider(), !supportedAlpnProtocols.isEmpty()));
try {
return builder.build();
} catch (SSLException e) {
throw new IllegalArgumentException(e);
}
}
Example 18
| Source File: ListenGRPC.java From nifi with Apache License 2.0 | 4 votes |
|
@OnScheduled
public void startServer(final ProcessContext context) throws NoSuchAlgorithmException, IOException, KeyStoreException, CertificateException, UnrecoverableKeyException {
final ComponentLog logger = getLogger();
// gather configured properties
final Integer port = context.getProperty(PROP_SERVICE_PORT).asInteger();
final Boolean useSecure = context.getProperty(PROP_USE_SECURE).asBoolean();
final Integer flowControlWindow = context.getProperty(PROP_FLOW_CONTROL_WINDOW).asDataSize(DataUnit.B).intValue();
final Integer maxMessageSize = context.getProperty(PROP_MAX_MESSAGE_SIZE).asDataSize(DataUnit.B).intValue();
final SSLContextService sslContextService = context.getProperty(PROP_SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
final SSLContext sslContext = sslContextService == null ? null : sslContextService.createSSLContext(SslContextFactory.ClientAuth.NONE);
final Pattern authorizedDnPattern = Pattern.compile(context.getProperty(PROP_AUTHORIZED_DN_PATTERN).getValue());
final FlowFileIngestServiceInterceptor callInterceptor = new FlowFileIngestServiceInterceptor(getLogger());
callInterceptor.enforceDNPattern(authorizedDnPattern);
final FlowFileIngestService flowFileIngestService = new FlowFileIngestService(getLogger(),
sessionFactoryReference,
context);
NettyServerBuilder serverBuilder = NettyServerBuilder.forPort(port)
.addService(ServerInterceptors.intercept(flowFileIngestService, callInterceptor))
// default (de)compressor registries handle both plaintext and gzip compressed messages
.compressorRegistry(CompressorRegistry.getDefaultInstance())
.decompressorRegistry(DecompressorRegistry.getDefaultInstance())
.flowControlWindow(flowControlWindow)
.maxMessageSize(maxMessageSize);
if (useSecure && sslContext != null) {
// construct key manager
if (StringUtils.isBlank(sslContextService.getKeyStoreFile())) {
throw new IllegalStateException("SSL is enabled, but no keystore has been configured. You must configure a keystore.");
}
final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm(),
sslContext.getProvider());
final KeyStore keyStore = KeyStore.getInstance(sslContextService.getKeyStoreType());
try (final InputStream is = new FileInputStream(sslContextService.getKeyStoreFile())) {
keyStore.load(is, sslContextService.getKeyStorePassword().toCharArray());
}
keyManagerFactory.init(keyStore, sslContextService.getKeyStorePassword().toCharArray());
SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(keyManagerFactory);
// if the trust store is configured, then client auth is required.
if (StringUtils.isNotBlank(sslContextService.getTrustStoreFile())) {
final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm(),
sslContext.getProvider());
final KeyStore trustStore = KeyStore.getInstance(sslContextService.getTrustStoreType());
try (final InputStream is = new FileInputStream(sslContextService.getTrustStoreFile())) {
trustStore.load(is, sslContextService.getTrustStorePassword().toCharArray());
}
trustManagerFactory.init(trustStore);
sslContextBuilder = sslContextBuilder.trustManager(trustManagerFactory);
sslContextBuilder = sslContextBuilder.clientAuth(ClientAuth.REQUIRE);
} else {
sslContextBuilder = sslContextBuilder.clientAuth(ClientAuth.NONE);
}
sslContextBuilder = GrpcSslContexts.configure(sslContextBuilder);
serverBuilder = serverBuilder.sslContext(sslContextBuilder.build());
}
logger.info("Starting gRPC server on port: {}", new Object[]{port.toString()});
this.server = serverBuilder.build().start();
}
Example 19
| Source File: Http2Tests.java From reactor-netty with Apache License 2.0 | 4 votes |
|
@Test
public void testHttp2ForMemoryLeaks() throws Exception {
SelfSignedCertificate cert = new SelfSignedCertificate();
SslContextBuilder serverCtx = SslContextBuilder.forServer(cert.certificate(), cert.privateKey());
SslContextBuilder clientCtx = SslContextBuilder.forClient()
.trustManager(InsecureTrustManagerFactory.INSTANCE);
disposableServer =
HttpServer.create()
.port(0)
.protocol(HttpProtocol.H2)
.secure(spec -> spec.sslContext(serverCtx))
.handle((req, res) ->
res.sendString(Flux.range(0, 10)
.map(i -> "test")
.delayElements(Duration.ofMillis(4))))
.bindNow();
HttpClient client =
HttpClient.create()
.port(disposableServer.port())
.protocol(HttpProtocol.H2)
.secure(spec -> spec.sslContext(clientCtx));
for(int i = 0; i < 1000; ++i) {
try {
client.get()
.uri("/")
.responseContent()
.aggregate()
.asString()
.timeout(Duration.ofMillis(ThreadLocalRandom.current().nextInt(1, 35)))
.block(Duration.ofMillis(100));
}
catch (Throwable t) {
// ignore
}
}
System.gc();
for (int i = 0; i < 100000; ++i) {
@SuppressWarnings("UnusedVariable")
int[] arr = new int[100000];
}
System.gc();
}
Example 20
| Source File: Http2Tests.java From reactor-netty with Apache License 2.0 | 4 votes |
|
private void doTestConcurrentStreams(HttpClient baseClient, boolean isSecured,
HttpProtocol[] serverProtocols, HttpProtocol[] clientProtocols) throws Exception {
SelfSignedCertificate cert = new SelfSignedCertificate();
SslContextBuilder serverCtx = SslContextBuilder.forServer(cert.certificate(), cert.privateKey());
SslContextBuilder clientCtx = SslContextBuilder.forClient()
.trustManager(InsecureTrustManagerFactory.INSTANCE);
HttpServer httpServer =
HttpServer.create()
.port(0)
.protocol(serverProtocols).wiretap(true)
.handle((req, res) -> res.sendString(Mono.just("test")));
if (isSecured) {
httpServer = httpServer.secure(spec -> spec.sslContext(serverCtx));
}
disposableServer = httpServer.bindNow();
HttpClient client;
if (isSecured) {
client = baseClient.port(disposableServer.port()).wiretap(true)
.protocol(clientProtocols)
.secure(spec -> spec.sslContext(clientCtx));
}
else {
client = baseClient.port(disposableServer.port())
.protocol(clientProtocols);
}
CountDownLatch latch = new CountDownLatch(1);
List<String> responses =
Flux.range(0, 10)
.flatMapDelayError(i ->
client.get()
.uri("/")
.responseContent()
.aggregate()
.asString(),
256, 32)
.collectList()
.doFinally(fin -> latch.countDown())
.block(Duration.ofSeconds(30));
assertThat(responses).isNotNull();
assertThat(responses.size()).isEqualTo(10);
}
