org.apache.rocketmq.remoting.common.TlsMode Java Examples

Example #1
Source File: TlsTest.java — from rocketmq-read (Apache License 2.0)
@Before
public void setUp() throws InterruptedException {
    // Baseline fixture: mutual TLS, each side authenticating the peer against the test CA (ca.pem) and the
    // server requiring a client certificate. The TLS settings assigned below are shared static state
    // (presumably TlsSystemConfig fields via static import — confirm); tearDown() restores the mode.
    tlsMode = TlsMode.ENFORCING;
    tlsTestModeEnable = false;
    tlsServerNeedClientAuth = "require";
    tlsServerKeyPath = getCertsPath("server.key");
    tlsServerCertPath = getCertsPath("server.pem");
    tlsServerAuthClient = true;
    tlsServerTrustCertPath = getCertsPath("ca.pem");
    tlsClientKeyPath = getCertsPath("client.key");
    tlsClientCertPath = getCertsPath("client.pem");
    tlsClientAuthServer = true;
    tlsClientTrustCertPath = getCertsPath("ca.pem");
    tlsClientKeyPassword = "1234";
    tlsServerKeyPassword = "";

    NettyClientConfig clientConfig = new NettyClientConfig();
    clientConfig.setUseTLS(true);

    // Per-test overrides, selected by the name of the test about to run. Each case weakens exactly the
    // part of the baseline that the test exercises.
    String testName = name.getMethodName();
    if (testName != null) {
        switch (testName) {
            case "serverRejectsUntrustedClientCert":
                // Client credentials issued by a CA the server does not trust; the client still verifies
                // the server, so a handshake failure can only come from the server rejecting the client cert.
                tlsClientKeyPath = getCertsPath("badClient.key");
                tlsClientCertPath = getCertsPath("badClient.pem");
                break;
            case "serverAcceptsUntrustedClientCert":
                // Same untrusted client credentials, but the server is told not to authenticate clients.
                tlsClientKeyPath = getCertsPath("badClient.key");
                tlsClientCertPath = getCertsPath("badClient.pem");
                tlsServerAuthClient = false;
                break;
            case "noClientAuthFailure":
                // No client certificate at all while the server requires one: the handshake must fail.
                tlsClientKeyPath = "";
                tlsClientCertPath = "";
                break;
            case "clientRejectsUntrustedServerCert":
                // Server credentials issued by a CA the client does not trust.
                tlsServerKeyPath = getCertsPath("badServer.key");
                tlsServerCertPath = getCertsPath("badServer.pem");
                break;
            case "clientAcceptsUntrustedServerCert":
                // Same untrusted server credentials, but the client is told not to authenticate the server.
                tlsServerKeyPath = getCertsPath("badServer.key");
                tlsServerCertPath = getCertsPath("badServer.pem");
                tlsClientAuthServer = false;
                break;
            case "serverNotNeedClientAuth":
                tlsServerNeedClientAuth = "none";
                tlsClientKeyPath = "";
                tlsClientCertPath = "";
                break;
            case "serverWantClientAuth":
                tlsServerNeedClientAuth = "optional";
                break;
            case "serverWantClientAuth_ButClientNoCert":
                tlsServerNeedClientAuth = "optional";
                tlsClientKeyPath = "";
                tlsClientCertPath = "";
                break;
            case "serverAcceptsUnAuthClient":
                // Permissive server talking to a plaintext (non-TLS) client.
                tlsMode = TlsMode.PERMISSIVE;
                tlsClientKeyPath = "";
                tlsClientCertPath = "";
                clientConfig.setUseTLS(false);
                break;
            case "serverRejectsSSLClient":
                tlsMode = TlsMode.DISABLED;
                break;
            case "reloadSslContextForServer":
                tlsClientAuthServer = false;
                tlsServerNeedClientAuth = "none";
                break;
            default:
                // Any other test runs against the unmodified baseline.
                break;
        }
    }

    remotingServer = RemotingServerTest.createRemotingServer();
    remotingClient = RemotingServerTest.createRemotingClient(clientConfig);
}
 
Example #2
Source File: NamesrvController.java — from rocketmq (Apache License 2.0)
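/**
 * Initializes the name server: loads the KV config, creates the Netty remoting server and its worker
 * executor, registers the request processors, schedules the periodic housekeeping tasks and, unless TLS
 * is disabled, installs a file watcher that reloads the server SslContext when the certificate material
 * on disk changes.
 *
 * @return always {@code true}; a failure to set up certificate hot-reload is logged, not fatal
 */
public boolean initialize() {
    this.kvConfigManager.load();

    this.remotingServer = new NettyRemotingServer(this.nettyServerConfig, this.brokerHousekeepingService);

    this.remotingExecutor =
        Executors.newFixedThreadPool(nettyServerConfig.getServerWorkerThreads(), new ThreadFactoryImpl("RemotingExecutorThread_"));

    this.registerProcessor();

    // Evict brokers that stopped reporting: first run after 5 s, then every 10 s.
    this.scheduledExecutorService.scheduleAtFixedRate(new Runnable() {
        @Override
        public void run() {
            NamesrvController.this.routeInfoManager.scanNotActiveBroker();
        }
    }, 5, 10, TimeUnit.SECONDS);

    // Log the KV configuration: first run after 1 min, then every 10 min.
    this.scheduledExecutorService.scheduleAtFixedRate(new Runnable() {
        @Override
        public void run() {
            NamesrvController.this.kvConfigManager.printAllPeriodically();
        }
    }, 1, 10, TimeUnit.MINUTES);

    if (TlsSystemConfig.tlsMode != TlsMode.DISABLED) {
        registerSslContextReloader();
    }

    return true;
}

/**
 * Watches the server certificate, private key and trust store and reloads the SslContext when they change.
 * A trust-store change triggers a reload on its own; the certificate and key are reloaded only once BOTH
 * have changed, so a half-rotated pair (new cert with old key, or vice versa) is never loaded.
 */
private void registerSslContextReloader() {
    try {
        fileWatchService = new FileWatchService(
            new String[] {
                TlsSystemConfig.tlsServerCertPath,
                TlsSystemConfig.tlsServerKeyPath,
                TlsSystemConfig.tlsServerTrustCertPath
            },
            new FileWatchService.Listener() {
                // Both flags must be set before the cert/key pair is reloaded; they are reset together.
                boolean certChanged = false;
                boolean keyChanged = false;

                @Override
                public void onChanged(String path) {
                    if (path.equals(TlsSystemConfig.tlsServerTrustCertPath)) {
                        log.info("The trust certificate changed, reload the ssl context");
                        reloadServerSslContext();
                    }
                    if (path.equals(TlsSystemConfig.tlsServerCertPath)) {
                        certChanged = true;
                    }
                    if (path.equals(TlsSystemConfig.tlsServerKeyPath)) {
                        keyChanged = true;
                    }
                    if (certChanged && keyChanged) {
                        log.info("The certificate and private key changed, reload the ssl context");
                        certChanged = keyChanged = false;
                        reloadServerSslContext();
                    }
                }

                private void reloadServerSslContext() {
                    ((NettyRemotingServer) remotingServer).loadSslContext();
                }
            });
    } catch (Exception e) {
        // Keep the cause: without it an operator cannot tell why certificate hot-reload is unavailable.
        log.warn("FileWatchService created error, can't load the certificate dynamically", e);
    }
}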
 
Example #3
Source File: TlsTest.java — from rocketmq (Apache License 2.0)
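@After
public void tearDown() {
    // Shut the client down first, then the server, and ALWAYS restore the shared TLS mode: the TLS
    // settings assigned in setUp() live in static state shared by every test (presumably TlsSystemConfig
    // fields via static import — confirm), so a failed shutdown must not leave a later test running under
    // this test's mode or with the server still bound.
    try {
        remotingClient.shutdown();
    } finally {
        try {
            remotingServer.shutdown();
        } finally {
            tlsMode = TlsMode.PERMISSIVE;
        }
    }
}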
 
Example #4
Source File: TlsTest.java — from rocketmq (Apache License 2.0)
@Before
public void setUp() throws InterruptedException {
    // Baseline fixture: mutual TLS, each side authenticating the peer against the test CA (ca.pem) and the
    // server requiring a client certificate. The TLS settings assigned below are shared static state
    // (presumably TlsSystemConfig fields via static import — confirm); tearDown() restores the mode.
    tlsMode = TlsMode.ENFORCING;
    tlsTestModeEnable = false;
    tlsServerNeedClientAuth = "require";
    tlsServerKeyPath = getCertsPath("server.key");
    tlsServerCertPath = getCertsPath("server.pem");
    tlsServerAuthClient = true;
    tlsServerTrustCertPath = getCertsPath("ca.pem");
    tlsClientKeyPath = getCertsPath("client.key");
    tlsClientCertPath = getCertsPath("client.pem");
    tlsClientAuthServer = true;
    tlsClientTrustCertPath = getCertsPath("ca.pem");
    tlsClientKeyPassword = "1234";
    tlsServerKeyPassword = "";

    NettyClientConfig clientConfig = new NettyClientConfig();
    clientConfig.setUseTLS(true);

    // Per-test overrides, selected by the name of the test about to run. Each case weakens exactly the
    // part of the baseline that the test exercises.
    String testName = name.getMethodName();
    if (testName != null) {
        switch (testName) {
            case "serverRejectsUntrustedClientCert":
                // Client credentials issued by a CA the server does not trust; the client still verifies
                // the server, so a handshake failure can only come from the server rejecting the client cert.
                tlsClientKeyPath = getCertsPath("badClient.key");
                tlsClientCertPath = getCertsPath("badClient.pem");
                break;
            case "serverAcceptsUntrustedClientCert":
                // Same untrusted client credentials, but the server is told not to authenticate clients.
                tlsClientKeyPath = getCertsPath("badClient.key");
                tlsClientCertPath = getCertsPath("badClient.pem");
                tlsServerAuthClient = false;
                break;
            case "noClientAuthFailure":
                // No client certificate at all while the server requires one: the handshake must fail.
                tlsClientKeyPath = "";
                tlsClientCertPath = "";
                break;
            case "clientRejectsUntrustedServerCert":
                // Server credentials issued by a CA the client does not trust.
                tlsServerKeyPath = getCertsPath("badServer.key");
                tlsServerCertPath = getCertsPath("badServer.pem");
                break;
            case "clientAcceptsUntrustedServerCert":
                // Same untrusted server credentials, but the client is told not to authenticate the server.
                tlsServerKeyPath = getCertsPath("badServer.key");
                tlsServerCertPath = getCertsPath("badServer.pem");
                tlsClientAuthServer = false;
                break;
            case "serverNotNeedClientAuth":
                tlsServerNeedClientAuth = "none";
                tlsClientKeyPath = "";
                tlsClientCertPath = "";
                break;
            case "serverWantClientAuth":
                tlsServerNeedClientAuth = "optional";
                break;
            case "serverWantClientAuth_ButClientNoCert":
                tlsServerNeedClientAuth = "optional";
                tlsClientKeyPath = "";
                tlsClientCertPath = "";
                break;
            case "serverAcceptsUnAuthClient":
                // Permissive server talking to a plaintext (non-TLS) client.
                tlsMode = TlsMode.PERMISSIVE;
                tlsClientKeyPath = "";
                tlsClientCertPath = "";
                clientConfig.setUseTLS(false);
                break;
            case "serverRejectsSSLClient":
                tlsMode = TlsMode.DISABLED;
                break;
            case "reloadSslContextForServer":
                tlsClientAuthServer = false;
                tlsServerNeedClientAuth = "none";
                break;
            default:
                // Any other test runs against the unmodified baseline.
                break;
        }
    }

    remotingServer = RemotingServerTest.createRemotingServer();
    remotingClient = RemotingServerTest.createRemotingClient(clientConfig);
}
 
Example #5
Source File: NettyRemotingServer.java — from rocketmq (Apache License 2.0)
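/**
 * Peeks at the first byte of the first inbound buffer to decide whether the client is starting a TLS
 * handshake, applies the configured {@link TlsMode}, then removes itself from the pipeline.
 *
 * <p>Policy: a TLS client is closed in DISABLED mode and gets an SslHandler (plus FileRegionEncoder)
 * inserted after this handler in PERMISSIVE/ENFORCING mode; a plaintext client is closed in ENFORCING
 * mode and passed through otherwise. Once a connection has been rejected the buffer is NOT propagated
 * any further, so the decoder and request processors never see bytes from a client that failed the TLS
 * policy (SimpleChannelInboundHandler releases the un-forwarded buffer on return).
 *
 * @param ctx channel context, used to mutate the pipeline or close the channel
 * @param msg first inbound buffer; forwarded (retained) to the next handler only when accepted
 */
@Override
protected void channelRead0(ChannelHandlerContext ctx, ByteBuf msg) throws Exception {
    if (!msg.isReadable()) {
        // Nothing to inspect yet (Netty does not normally deliver empty buffers, but be defensive):
        // keep this handler in place and let the next buffer drive the decision.
        ctx.fireChannelRead(msg.retain());
        return;
    }

    // Absolute getter: it does not move the reader index, so no mark/reset is needed. Peek at the first
    // *readable* byte rather than offset 0 so a non-zero reader index is handled correctly.
    byte b = msg.getByte(msg.readerIndex());

    if (b == HANDSHAKE_MAGIC_CODE) {
        switch (tlsMode) {
            case DISABLED:
                ctx.close();
                log.warn("Clients intend to establish an SSL connection while this server is running in SSL disabled mode");
                return;
            case PERMISSIVE:
            case ENFORCING:
                if (null == sslContext) {
                    ctx.close();
                    log.error("Trying to establish an SSL connection but sslContext is null");
                    return;
                }
                ctx.pipeline()
                    .addAfter(defaultEventExecutorGroup, HANDSHAKE_HANDLER_NAME, TLS_HANDLER_NAME, sslContext.newHandler(ctx.channel().alloc()))
                    .addAfter(defaultEventExecutorGroup, TLS_HANDLER_NAME, FILE_REGION_ENCODER_NAME, new FileRegionEncoder());
                log.info("Handlers prepended to channel pipeline to establish SSL connection");
                break;
            default:
                // Fail closed: an unrecognised mode must not silently degrade to plaintext handling.
                ctx.close();
                log.warn("Unknown TLS mode");
                return;
        }
    } else if (tlsMode == TlsMode.ENFORCING) {
        ctx.close();
        log.warn("Clients intend to establish an insecure connection while this server is running in SSL enforcing mode");
        return;
    }

    try {
        // This handler is only needed for the first buffer; remove it before handing the bytes on.
        ctx.pipeline().remove(this);
    } catch (NoSuchElementException e) {
        log.error("Error while removing HandshakeHandler", e);
    }

    // Hand the untouched buffer to the next handler (the SslHandler, when one was inserted above).
    ctx.fireChannelRead(msg.retain());
}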
 
Example #6
Source File: NettyRemotingServer.java — from rocketmq (Apache License 2.0)
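/**
 * Creates the handshake sniffer for the given TLS policy.
 *
 * @param tlsMode the mode this server applies to new connections; must not be {@code null}, because
 *                the read handler switches on it for every new connection
 * @throws NullPointerException if {@code tlsMode} is {@code null}
 */
HandshakeHandler(TlsMode tlsMode) {
    // Fail at construction rather than with an NPE on the first inbound read of every connection.
    this.tlsMode = java.util.Objects.requireNonNull(tlsMode, "tlsMode");
}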
 
Example #7
Source File: TlsTest.java — from DDMQ (Apache License 2.0)
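@After
public void tearDown() {
    // Shut the client down first, then the server, and ALWAYS restore the shared TLS mode: the TLS
    // settings assigned in setUp() live in static state shared by every test (presumably TlsSystemConfig
    // fields via static import — confirm), so a failed shutdown must not leave a later test running under
    // this test's mode or with the server still bound.
    try {
        remotingClient.shutdown();
    } finally {
        try {
            remotingServer.shutdown();
        } finally {
            tlsMode = TlsMode.PERMISSIVE;
        }
    }
}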
 
Example #8
Source File: TlsTest.java — from DDMQ (Apache License 2.0)
@Before
public void setUp() throws InterruptedException {
    // Baseline fixture: mutual TLS, each side authenticating the peer against the test CA (ca.pem) and the
    // server requiring a client certificate. The TLS settings assigned below are shared static state
    // (presumably TlsSystemConfig fields via static import — confirm); tearDown() restores the mode.
    tlsMode = TlsMode.ENFORCING;
    tlsTestModeEnable = false;
    tlsServerNeedClientAuth = "require";
    tlsServerKeyPath = getCertsPath("server.key");
    tlsServerCertPath = getCertsPath("server.pem");
    tlsServerAuthClient = true;
    tlsServerTrustCertPath = getCertsPath("ca.pem");
    tlsClientKeyPath = getCertsPath("client.key");
    tlsClientCertPath = getCertsPath("client.pem");
    tlsClientAuthServer = true;
    tlsClientTrustCertPath = getCertsPath("ca.pem");
    tlsClientKeyPassword = "1234";
    tlsServerKeyPassword = "";

    NettyClientConfig clientConfig = new NettyClientConfig();
    clientConfig.setUseTLS(true);

    // Per-test overrides, selected by the name of the test about to run. Each case weakens exactly the
    // part of the baseline that the test exercises.
    String testName = name.getMethodName();
    if (testName != null) {
        switch (testName) {
            case "serverRejectsUntrustedClientCert":
                // Client credentials issued by a CA the server does not trust; the client still verifies
                // the server, so a handshake failure can only come from the server rejecting the client cert.
                tlsClientKeyPath = getCertsPath("badClient.key");
                tlsClientCertPath = getCertsPath("badClient.pem");
                break;
            case "serverAcceptsUntrustedClientCert":
                // Same untrusted client credentials, but the server is told not to authenticate clients.
                tlsClientKeyPath = getCertsPath("badClient.key");
                tlsClientCertPath = getCertsPath("badClient.pem");
                tlsServerAuthClient = false;
                break;
            case "noClientAuthFailure":
                // No client certificate at all while the server requires one: the handshake must fail.
                tlsClientKeyPath = "";
                tlsClientCertPath = "";
                break;
            case "clientRejectsUntrustedServerCert":
                // Server credentials issued by a CA the client does not trust.
                tlsServerKeyPath = getCertsPath("badServer.key");
                tlsServerCertPath = getCertsPath("badServer.pem");
                break;
            case "clientAcceptsUntrustedServerCert":
                // Same untrusted server credentials, but the client is told not to authenticate the server.
                tlsServerKeyPath = getCertsPath("badServer.key");
                tlsServerCertPath = getCertsPath("badServer.pem");
                tlsClientAuthServer = false;
                break;
            case "serverNotNeedClientAuth":
                tlsServerNeedClientAuth = "none";
                tlsClientKeyPath = "";
                tlsClientCertPath = "";
                break;
            case "serverWantClientAuth":
                tlsServerNeedClientAuth = "optional";
                break;
            case "serverWantClientAuth_ButClientNoCert":
                tlsServerNeedClientAuth = "optional";
                tlsClientKeyPath = "";
                tlsClientCertPath = "";
                break;
            case "serverAcceptsUnAuthClient":
                // Permissive server talking to a plaintext (non-TLS) client.
                tlsMode = TlsMode.PERMISSIVE;
                tlsClientKeyPath = "";
                tlsClientCertPath = "";
                clientConfig.setUseTLS(false);
                break;
            case "serverRejectsSSLClient":
                tlsMode = TlsMode.DISABLED;
                break;
            default:
                // Any other test runs against the unmodified baseline.
                break;
        }
    }

    remotingServer = RemotingServerTest.createRemotingServer();
    remotingClient = RemotingServerTest.createRemotingClient(clientConfig);
}
 
Example #9
Source File: NettyRemotingServer.java — from DDMQ (Apache License 2.0)
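/**
 * Peeks at the first byte of the first inbound buffer to decide whether the client is starting a TLS
 * handshake, applies the configured {@link TlsMode}, then removes itself from the pipeline.
 *
 * <p>Policy: a TLS client is closed in DISABLED mode and gets an SslHandler (plus FileRegionEncoder)
 * inserted after this handler in PERMISSIVE/ENFORCING mode; a plaintext client is closed in ENFORCING
 * mode and passed through otherwise. Once a connection has been rejected the buffer is NOT propagated
 * any further, so the decoder and request processors never see bytes from a client that failed the TLS
 * policy (SimpleChannelInboundHandler releases the un-forwarded buffer on return).
 *
 * @param ctx channel context, used to mutate the pipeline or close the channel
 * @param msg first inbound buffer; forwarded (retained) to the next handler only when accepted
 */
@Override
protected void channelRead0(ChannelHandlerContext ctx, ByteBuf msg) throws Exception {
    if (!msg.isReadable()) {
        // Nothing to inspect yet (Netty does not normally deliver empty buffers, but be defensive):
        // keep this handler in place and let the next buffer drive the decision.
        ctx.fireChannelRead(msg.retain());
        return;
    }

    // Absolute getter: it does not move the reader index, so no mark/reset is needed. Peek at the first
    // *readable* byte rather than offset 0 so a non-zero reader index is handled correctly.
    byte b = msg.getByte(msg.readerIndex());

    if (b == HANDSHAKE_MAGIC_CODE) {
        switch (tlsMode) {
            case DISABLED:
                ctx.close();
                log.warn("Clients intend to establish a SSL connection while this server is running in SSL disabled mode");
                return;
            case PERMISSIVE:
            case ENFORCING:
                if (null == sslContext) {
                    ctx.close();
                    log.error("Trying to establish a SSL connection but sslContext is null");
                    return;
                }
                ctx.pipeline()
                    .addAfter(defaultEventExecutorGroup, HANDSHAKE_HANDLER_NAME, TLS_HANDLER_NAME, sslContext.newHandler(ctx.channel().alloc()))
                    .addAfter(defaultEventExecutorGroup, TLS_HANDLER_NAME, FILE_REGION_ENCODER_NAME, new FileRegionEncoder());
                log.info("Handlers prepended to channel pipeline to establish SSL connection");
                break;
            default:
                // Fail closed: an unrecognised mode must not silently degrade to plaintext handling.
                ctx.close();
                log.warn("Unknown TLS mode");
                return;
        }
    } else if (tlsMode == TlsMode.ENFORCING) {
        ctx.close();
        log.warn("Clients intend to establish an insecure connection while this server is running in SSL enforcing mode");
        return;
    }

    try {
        // This handler is only needed for the first buffer; remove it before handing the bytes on.
        ctx.pipeline().remove(this);
    } catch (NoSuchElementException e) {
        log.error("Error while removing HandshakeHandler", e);
    }

    // Hand the untouched buffer to the next handler (the SslHandler, when one was inserted above).
    ctx.fireChannelRead(msg.retain());
}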
 
Example #10
Source File: NettyRemotingServer.java — from DDMQ (Apache License 2.0)
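/**
 * Creates the handshake sniffer for the given TLS policy.
 *
 * @param tlsMode the mode this server applies to new connections; must not be {@code null}, because
 *                the read handler switches on it for every new connection
 * @throws NullPointerException if {@code tlsMode} is {@code null}
 */
HandshakeHandler(TlsMode tlsMode) {
    // Fail at construction rather than with an NPE on the first inbound read of every connection.
    this.tlsMode = java.util.Objects.requireNonNull(tlsMode, "tlsMode");
}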
 
Example #11
Source File: NamesrvController.java — from rocketmq-read (Apache License 2.0)
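/**
 * Initializes the NameServerController: loads the KV config, creates the Netty remoting server and its
 * worker executor, registers the request processors, schedules the periodic housekeeping tasks and,
 * unless TLS is disabled, installs a file watcher that reloads the server SslContext when the certificate
 * material on disk changes.
 *
 * @return always {@code true}; a failure to set up certificate hot-reload is logged, not fatal
 */
public boolean initialize() {
    // Load the KV config manager.
    this.kvConfigManager.load();
    // Instantiate the remoting-layer server.
    this.remotingServer = new NettyRemotingServer(this.nettyServerConfig, this.brokerHousekeepingService);
    // Instantiate the remoting-layer worker thread pool.
    this.remotingExecutor = Executors.newFixedThreadPool(nettyServerConfig.getServerWorkerThreads(), new ThreadFactoryImpl("RemotingExecutorThread_"));
    // Register the request processors.
    this.registerProcessor();

    // Periodically evict brokers that stopped reporting: first run after 5 s, then every 10 s.
    this.scheduledExecutorService.scheduleAtFixedRate(new Runnable() {
        @Override
        public void run() {
            NamesrvController.this.routeInfoManager.scanNotActiveBroker();
        }
    }, 5, 10, TimeUnit.SECONDS);

    // Periodically log the KV configuration: first run after 1 min, then every 10 min.
    this.scheduledExecutorService.scheduleAtFixedRate(new Runnable() {
        @Override
        public void run() {
            NamesrvController.this.kvConfigManager.printAllPeriodically();
        }
    }, 1, 10, TimeUnit.MINUTES);

    // TLS: when a certificate file on disk is updated, trigger NettyRemotingServer.loadSslContext().
    if (TlsSystemConfig.tlsMode != TlsMode.DISABLED) {
        registerSslContextReloader();
    }

    return true;
}

/**
 * Watches the server certificate, private key and trust store and reloads the SslContext when they change.
 * A trust-store change triggers a reload on its own; the certificate and key are reloaded only once BOTH
 * have changed, so a half-rotated pair (new cert with old key, or vice versa) is never loaded.
 */
private void registerSslContextReloader() {
    try {
        fileWatchService = new FileWatchService(
            new String[] {
                TlsSystemConfig.tlsServerCertPath,
                TlsSystemConfig.tlsServerKeyPath,
                TlsSystemConfig.tlsServerTrustCertPath
            },
            new FileWatchService.Listener() {
                // Both flags must be set before the cert/key pair is reloaded; they are reset together.
                boolean certChanged = false;
                boolean keyChanged = false;

                @Override
                public void onChanged(String path) {
                    if (path.equals(TlsSystemConfig.tlsServerTrustCertPath)) {
                        log.info("The trust certificate changed, reload the ssl context");
                        reloadServerSslContext();
                    }
                    if (path.equals(TlsSystemConfig.tlsServerCertPath)) {
                        certChanged = true;
                    }
                    if (path.equals(TlsSystemConfig.tlsServerKeyPath)) {
                        keyChanged = true;
                    }
                    if (certChanged && keyChanged) {
                        log.info("The certificate and private key changed, reload the ssl context");
                        certChanged = keyChanged = false;
                        reloadServerSslContext();
                    }
                }

                private void reloadServerSslContext() {
                    ((NettyRemotingServer) remotingServer).loadSslContext();
                }
            });
    } catch (Exception e) {
        // Keep the cause: without it an operator cannot tell why certificate hot-reload is unavailable.
        log.warn("FileWatchService created error, can't load the certificate dynamically", e);
    }
}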
 
Example #12
Source File: TlsTest.java — from rocketmq-read (Apache License 2.0)
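@After
public void tearDown() {
    // Shut the client down first, then the server, and ALWAYS restore the shared TLS mode: the TLS
    // settings assigned in setUp() live in static state shared by every test (presumably TlsSystemConfig
    // fields via static import — confirm), so a failed shutdown must not leave a later test running under
    // this test's mode or with the server still bound.
    try {
        remotingClient.shutdown();
    } finally {
        try {
            remotingServer.shutdown();
        } finally {
            tlsMode = TlsMode.PERMISSIVE;
        }
    }
}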
 
Example #13
Source File: NettyRemotingServer.java — from DDMQ (Apache License 2.0)
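/**
 * Creates the handshake sniffer for the given TLS policy.
 *
 * @param tlsMode the mode this server applies to new connections; must not be {@code null}, because
 *                the read handler switches on it for every new connection
 * @throws NullPointerException if {@code tlsMode} is {@code null}
 */
HandshakeHandler(TlsMode tlsMode) {
    // Fail at construction rather than with an NPE on the first inbound read of every connection.
    this.tlsMode = java.util.Objects.requireNonNull(tlsMode, "tlsMode");
}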
 
Example #14
Source File: NettyRemotingServer.java — from rocketmq-read (Apache License 2.0)
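/**
 * Peeks at the first byte of the first inbound buffer to decide whether the client is starting a TLS
 * handshake, applies the configured {@link TlsMode}, then removes itself from the pipeline.
 *
 * <p>Policy: a TLS client is closed in DISABLED mode and gets an SslHandler (plus FileRegionEncoder)
 * inserted after this handler in PERMISSIVE/ENFORCING mode; a plaintext client is closed in ENFORCING
 * mode and passed through otherwise. Once a connection has been rejected the buffer is NOT propagated
 * any further, so the decoder and request processors never see bytes from a client that failed the TLS
 * policy (SimpleChannelInboundHandler releases the un-forwarded buffer on return).
 *
 * @param ctx channel context, used to mutate the pipeline or close the channel
 * @param msg first inbound buffer; forwarded (retained) to the next handler only when accepted
 */
@Override
protected void channelRead0(ChannelHandlerContext ctx, ByteBuf msg) throws Exception {
    if (!msg.isReadable()) {
        // Nothing to inspect yet (Netty does not normally deliver empty buffers, but be defensive):
        // keep this handler in place and let the next buffer drive the decision.
        ctx.fireChannelRead(msg.retain());
        return;
    }

    // Absolute getter: it does not move the reader index, so no mark/reset is needed. Peek at the first
    // *readable* byte rather than offset 0 so a non-zero reader index is handled correctly.
    byte b = msg.getByte(msg.readerIndex());

    if (b == HANDSHAKE_MAGIC_CODE) {
        switch (tlsMode) {
            case DISABLED:
                ctx.close();
                log.warn("Clients intend to establish a SSL connection while this server is running in SSL disabled mode");
                return;
            case PERMISSIVE:
            case ENFORCING:
                if (null == sslContext) {
                    ctx.close();
                    log.error("Trying to establish a SSL connection but sslContext is null");
                    return;
                }
                ctx.pipeline()
                    .addAfter(defaultEventExecutorGroup, HANDSHAKE_HANDLER_NAME, TLS_HANDLER_NAME, sslContext.newHandler(ctx.channel().alloc()))
                    .addAfter(defaultEventExecutorGroup, TLS_HANDLER_NAME, FILE_REGION_ENCODER_NAME, new FileRegionEncoder());
                log.info("Handlers prepended to channel pipeline to establish SSL connection");
                break;
            default:
                // Fail closed: an unrecognised mode must not silently degrade to plaintext handling.
                ctx.close();
                log.warn("Unknown TLS mode");
                return;
        }
    } else if (tlsMode == TlsMode.ENFORCING) {
        ctx.close();
        log.warn("Clients intend to establish an insecure connection while this server is running in SSL enforcing mode");
        return;
    }

    try {
        // This handler is only needed for the first buffer; remove it before handing the bytes on.
        ctx.pipeline().remove(this);
    } catch (NoSuchElementException e) {
        log.error("Error while removing HandshakeHandler", e);
    }

    // Hand the untouched buffer to the next handler (the SslHandler, when one was inserted above).
    ctx.fireChannelRead(msg.retain());
}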
 
Example #15
Source File: NettyRemotingServer.java — from rocketmq-read (Apache License 2.0)
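/**
 * Creates the handshake sniffer for the given TLS policy.
 *
 * @param tlsMode the mode this server applies to new connections; must not be {@code null}, because
 *                the read handler switches on it for every new connection
 * @throws NullPointerException if {@code tlsMode} is {@code null}
 */
HandshakeHandler(TlsMode tlsMode) {
    // Fail at construction rather than with an NPE on the first inbound read of every connection.
    this.tlsMode = java.util.Objects.requireNonNull(tlsMode, "tlsMode");
}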
 
Example #16
Source File: NamesrvController.java — from rocketmq-4.3.0 (Apache License 2.0)
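/**
 * Initializes the name server: loads the KV config, creates the Netty remoting server and its worker
 * executor, registers the request processors, schedules the periodic housekeeping tasks and, unless TLS
 * is disabled, installs a file watcher that reloads the server SslContext when the certificate material
 * on disk changes.
 *
 * @return always {@code true}; a failure to set up certificate hot-reload is logged, not fatal
 */
public boolean initialize() {
    // Load the KV configuration.
    this.kvConfigManager.load();

    // Create the Netty server.
    this.remotingServer = new NettyRemotingServer(this.nettyServerConfig, this.brokerHousekeepingService);

    // Create the remoting worker pool; the thread count comes from the server config.
    this.remotingExecutor =
        Executors.newFixedThreadPool(nettyServerConfig.getServerWorkerThreads(), new ThreadFactoryImpl("RemotingExecutorThread_"));

    // Register the request processors.
    this.registerProcessor();

    // Evict brokers that stopped reporting: first run after 5 s, then every 10 s.
    this.scheduledExecutorService.scheduleAtFixedRate(new Runnable() {
        @Override
        public void run() {
            NamesrvController.this.routeInfoManager.scanNotActiveBroker();
        }
    }, 5, 10, TimeUnit.SECONDS);

    // Log the KV configuration: first run after 1 min, then every 10 min.
    this.scheduledExecutorService.scheduleAtFixedRate(new Runnable() {
        @Override
        public void run() {
            NamesrvController.this.kvConfigManager.printAllPeriodically();
        }
    }, 1, 10, TimeUnit.MINUTES);

    if (TlsSystemConfig.tlsMode != TlsMode.DISABLED) {
        registerSslContextReloader();
    }

    return true;
}

/**
 * Watches the server certificate, private key and trust store and reloads the SslContext when they change.
 * A trust-store change triggers a reload on its own; the certificate and key are reloaded only once BOTH
 * have changed, so a half-rotated pair (new cert with old key, or vice versa) is never loaded.
 */
private void registerSslContextReloader() {
    try {
        fileWatchService = new FileWatchService(
            new String[] {
                TlsSystemConfig.tlsServerCertPath,
                TlsSystemConfig.tlsServerKeyPath,
                TlsSystemConfig.tlsServerTrustCertPath
            },
            new FileWatchService.Listener() {
                // Both flags must be set before the cert/key pair is reloaded; they are reset together.
                boolean certChanged = false;
                boolean keyChanged = false;

                @Override
                public void onChanged(String path) {
                    if (path.equals(TlsSystemConfig.tlsServerTrustCertPath)) {
                        log.info("The trust certificate changed, reload the ssl context");
                        reloadServerSslContext();
                    }
                    if (path.equals(TlsSystemConfig.tlsServerCertPath)) {
                        certChanged = true;
                    }
                    if (path.equals(TlsSystemConfig.tlsServerKeyPath)) {
                        keyChanged = true;
                    }
                    if (certChanged && keyChanged) {
                        log.info("The certificate and private key changed, reload the ssl context");
                        certChanged = keyChanged = false;
                        reloadServerSslContext();
                    }
                }

                private void reloadServerSslContext() {
                    ((NettyRemotingServer) remotingServer).loadSslContext();
                }
            });
    } catch (Exception e) {
        // Keep the cause: without it an operator cannot tell why certificate hot-reload is unavailable.
        log.warn("FileWatchService created error, can't load the certificate dynamically", e);
    }
}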
 
Example #17
Source File: TlsTest.java — from rocketmq-4.3.0 (Apache License 2.0)
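@After
public void tearDown() {
    // Shut the client down first, then the server, and ALWAYS restore the shared TLS mode: the TLS
    // settings assigned in setUp() live in static state shared by every test (presumably TlsSystemConfig
    // fields via static import — confirm), so a failed shutdown must not leave a later test running under
    // this test's mode or with the server still bound.
    try {
        remotingClient.shutdown();
    } finally {
        try {
            remotingServer.shutdown();
        } finally {
            tlsMode = TlsMode.PERMISSIVE;
        }
    }
}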
 
Example #18
Source File: TlsTest.java — from rocketmq-4.3.0 (Apache License 2.0)
@Before
public void setUp() throws InterruptedException {
    // Baseline fixture: mutual TLS, each side authenticating the peer against the test CA (ca.pem) and the
    // server requiring a client certificate. The TLS settings assigned below are shared static state
    // (presumably TlsSystemConfig fields via static import — confirm); tearDown() restores the mode.
    tlsMode = TlsMode.ENFORCING;
    tlsTestModeEnable = false;
    tlsServerNeedClientAuth = "require";
    tlsServerKeyPath = getCertsPath("server.key");
    tlsServerCertPath = getCertsPath("server.pem");
    tlsServerAuthClient = true;
    tlsServerTrustCertPath = getCertsPath("ca.pem");
    tlsClientKeyPath = getCertsPath("client.key");
    tlsClientCertPath = getCertsPath("client.pem");
    tlsClientAuthServer = true;
    tlsClientTrustCertPath = getCertsPath("ca.pem");
    tlsClientKeyPassword = "1234";
    tlsServerKeyPassword = "";

    NettyClientConfig clientConfig = new NettyClientConfig();
    clientConfig.setUseTLS(true);

    // Per-test overrides, selected by the name of the test about to run. Each case weakens exactly the
    // part of the baseline that the test exercises.
    String testName = name.getMethodName();
    if (testName != null) {
        switch (testName) {
            case "serverRejectsUntrustedClientCert":
                // Client credentials issued by a CA the server does not trust; the client still verifies
                // the server, so a handshake failure can only come from the server rejecting the client cert.
                tlsClientKeyPath = getCertsPath("badClient.key");
                tlsClientCertPath = getCertsPath("badClient.pem");
                break;
            case "serverAcceptsUntrustedClientCert":
                // Same untrusted client credentials, but the server is told not to authenticate clients.
                tlsClientKeyPath = getCertsPath("badClient.key");
                tlsClientCertPath = getCertsPath("badClient.pem");
                tlsServerAuthClient = false;
                break;
            case "noClientAuthFailure":
                // No client certificate at all while the server requires one: the handshake must fail.
                tlsClientKeyPath = "";
                tlsClientCertPath = "";
                break;
            case "clientRejectsUntrustedServerCert":
                // Server credentials issued by a CA the client does not trust.
                tlsServerKeyPath = getCertsPath("badServer.key");
                tlsServerCertPath = getCertsPath("badServer.pem");
                break;
            case "clientAcceptsUntrustedServerCert":
                // Same untrusted server credentials, but the client is told not to authenticate the server.
                tlsServerKeyPath = getCertsPath("badServer.key");
                tlsServerCertPath = getCertsPath("badServer.pem");
                tlsClientAuthServer = false;
                break;
            case "serverNotNeedClientAuth":
                tlsServerNeedClientAuth = "none";
                tlsClientKeyPath = "";
                tlsClientCertPath = "";
                break;
            case "serverWantClientAuth":
                tlsServerNeedClientAuth = "optional";
                break;
            case "serverWantClientAuth_ButClientNoCert":
                tlsServerNeedClientAuth = "optional";
                tlsClientKeyPath = "";
                tlsClientCertPath = "";
                break;
            case "serverAcceptsUnAuthClient":
                // Permissive server talking to a plaintext (non-TLS) client.
                tlsMode = TlsMode.PERMISSIVE;
                tlsClientKeyPath = "";
                tlsClientCertPath = "";
                clientConfig.setUseTLS(false);
                break;
            case "serverRejectsSSLClient":
                tlsMode = TlsMode.DISABLED;
                break;
            case "reloadSslContextForServer":
                tlsClientAuthServer = false;
                tlsServerNeedClientAuth = "none";
                break;
            default:
                // Any other test runs against the unmodified baseline.
                break;
        }
    }

    remotingServer = RemotingServerTest.createRemotingServer();
    remotingClient = RemotingServerTest.createRemotingClient(clientConfig);
}
 
Example #19
Source File: NettyRemotingServer.java — from rocketmq-4.3.0 (Apache License 2.0)
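/**
 * Peeks at the first byte of the first inbound buffer to decide whether the client is starting a TLS
 * handshake, applies the configured {@link TlsMode}, then removes itself from the pipeline.
 *
 * <p>Policy: a TLS client is closed in DISABLED mode and gets an SslHandler (plus FileRegionEncoder)
 * inserted after this handler in PERMISSIVE/ENFORCING mode; a plaintext client is closed in ENFORCING
 * mode and passed through otherwise. Once a connection has been rejected the buffer is NOT propagated
 * any further, so the decoder and request processors never see bytes from a client that failed the TLS
 * policy (SimpleChannelInboundHandler releases the un-forwarded buffer on return).
 *
 * @param ctx channel context, used to mutate the pipeline or close the channel
 * @param msg first inbound buffer; forwarded (retained) to the next handler only when accepted
 */
@Override
protected void channelRead0(ChannelHandlerContext ctx, ByteBuf msg) throws Exception {
    if (!msg.isReadable()) {
        // Nothing to inspect yet (Netty does not normally deliver empty buffers, but be defensive):
        // keep this handler in place and let the next buffer drive the decision.
        ctx.fireChannelRead(msg.retain());
        return;
    }

    // Absolute getter: it does not move the reader index, so no mark/reset is needed. Peek at the first
    // *readable* byte rather than offset 0 so a non-zero reader index is handled correctly.
    byte b = msg.getByte(msg.readerIndex());

    if (b == HANDSHAKE_MAGIC_CODE) {
        switch (tlsMode) {
            case DISABLED:
                ctx.close();
                log.warn("Clients intend to establish a SSL connection while this server is running in SSL disabled mode");
                return;
            case PERMISSIVE:
            case ENFORCING:
                if (null == sslContext) {
                    ctx.close();
                    log.error("Trying to establish a SSL connection but sslContext is null");
                    return;
                }
                ctx.pipeline()
                    .addAfter(defaultEventExecutorGroup, HANDSHAKE_HANDLER_NAME, TLS_HANDLER_NAME, sslContext.newHandler(ctx.channel().alloc()))
                    .addAfter(defaultEventExecutorGroup, TLS_HANDLER_NAME, FILE_REGION_ENCODER_NAME, new FileRegionEncoder());
                log.info("Handlers prepended to channel pipeline to establish SSL connection");
                break;
            default:
                // Fail closed: an unrecognised mode must not silently degrade to plaintext handling.
                ctx.close();
                log.warn("Unknown TLS mode");
                return;
        }
    } else if (tlsMode == TlsMode.ENFORCING) {
        ctx.close();
        log.warn("Clients intend to establish an insecure connection while this server is running in SSL enforcing mode");
        return;
    }

    try {
        // This handler is only needed for the first buffer; remove it before handing the bytes on.
        ctx.pipeline().remove(this);
    } catch (NoSuchElementException e) {
        log.error("Error while removing HandshakeHandler", e);
    }

    // Hand the untouched buffer to the next handler (the SslHandler, when one was inserted above).
    ctx.fireChannelRead(msg.retain());
}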
 
Example #20
Source File: NettyRemotingServer.java — from rocketmq-4.3.0 (Apache License 2.0)
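/**
 * Creates the handshake sniffer for the given TLS policy.
 *
 * @param tlsMode the mode this server applies to new connections; must not be {@code null}, because
 *                the read handler switches on it for every new connection
 * @throws NullPointerException if {@code tlsMode} is {@code null}
 */
HandshakeHandler(TlsMode tlsMode) {
    // Fail at construction rather than with an NPE on the first inbound read of every connection.
    this.tlsMode = java.util.Objects.requireNonNull(tlsMode, "tlsMode");
}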
 
Example #21
Source File: TlsTest.java — from DDMQ (Apache License 2.0)
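@After
public void tearDown() {
    try {
        // Guard against a setUp that failed before both endpoints were created: an NPE here
        // would replace the original failure in the test report with a misleading one.
        if (remotingClient != null) {
            remotingClient.shutdown();
        }
        if (remotingServer != null) {
            remotingServer.shutdown();
        }
    } finally {
        // setUp switches the shared TLS mode to ENFORCING or DISABLED for individual tests;
        // reset it even if a shutdown throws so later tests do not inherit that setting.
        tlsMode = TlsMode.PERMISSIVE;
    }
}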
 
Example #22
Source File: TlsTest.java — from DDMQ (Apache License 2.0)
@Before
public void setUp() throws InterruptedException {
    // Baseline for every test: mutual TLS enforced, both endpoints trusting ca.pem, the client
    // key protected by the fixture password, the server key unencrypted.
    tlsMode = TlsMode.ENFORCING;
    tlsTestModeEnable = false;
    tlsServerNeedClientAuth = "require";
    tlsServerKeyPath = getCertsPath("server.key");
    tlsServerCertPath = getCertsPath("server.pem");
    tlsServerAuthClient = true;
    tlsServerTrustCertPath = getCertsPath("ca.pem");
    tlsClientKeyPath = getCertsPath("client.key");
    tlsClientCertPath = getCertsPath("client.pem");
    tlsClientAuthServer = true;
    tlsClientTrustCertPath = getCertsPath("ca.pem");
    tlsClientKeyPassword = "1234";
    tlsServerKeyPassword = "";

    NettyClientConfig clientConfig = new NettyClientConfig();
    clientConfig.setUseTLS(true);

    // Each variant test changes only the knob it exercises, selected by the running test's name.
    final String testName = name.getMethodName();
    if ("serverRejectsUntrustedClientCert".equals(testName)) {
        // The client's credentials come from a CA the server does not trust. The client still
        // trusts both test CAs, so a failed handshake can only be the server rejecting the cert.
        useUntrustedClientCert();
    } else if ("serverAcceptsUntrustedClientCert".equals(testName)) {
        // Same untrusted client cert, but the server is told not to verify it (presumably what
        // tlsServerAuthClient=false means -- confirm against TlsSystemConfig).
        useUntrustedClientCert();
        tlsServerAuthClient = false;
    } else if ("noClientAuthFailure".equals(testName)) {
        // No client cert at all while the server requires one, to provoke the handshake error.
        dropClientCert();
    } else if ("clientRejectsUntrustedServerCert".equals(testName)) {
        useUntrustedServerCert();
    } else if ("clientAcceptsUntrustedServerCert".equals(testName)) {
        useUntrustedServerCert();
        tlsClientAuthServer = false;
    } else if ("serverNotNeedClientAuth".equals(testName)) {
        tlsServerNeedClientAuth = "none";
        dropClientCert();
    } else if ("serverWantClientAuth".equals(testName)) {
        tlsServerNeedClientAuth = "optional";
    } else if ("serverWantClientAuth_ButClientNoCert".equals(testName)) {
        tlsServerNeedClientAuth = "optional";
        dropClientCert();
    } else if ("serverAcceptsUnAuthClient".equals(testName)) {
        // Plaintext client against a PERMISSIVE server.
        tlsMode = TlsMode.PERMISSIVE;
        dropClientCert();
        clientConfig.setUseTLS(false);
    } else if ("serverRejectsSSLClient".equals(testName)) {
        tlsMode = TlsMode.DISABLED;
    }

    remotingServer = RemotingServerTest.createRemotingServer();
    remotingClient = RemotingServerTest.createRemotingClient(clientConfig);
}

/** Point the client at the "badClient" key pair (issued by a CA the server does not trust). */
private void useUntrustedClientCert() {
    tlsClientKeyPath = getCertsPath("badClient.key");
    tlsClientCertPath = getCertsPath("badClient.pem");
}

/** Point the server at the "badServer" key pair (not trusted by the client, per the test names). */
private void useUntrustedServerCert() {
    tlsServerKeyPath = getCertsPath("badServer.key");
    tlsServerCertPath = getCertsPath("badServer.pem");
}

/** Clear the client key pair so no client certificate is presented during the handshake. */
private void dropClientCert() {
    tlsClientKeyPath = "";
    tlsClientCertPath = "";
}
 
Example #23
Source File: NettyRemotingServer.java — from DDMQ (Apache License 2.0)
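@Override
protected void channelRead0(ChannelHandlerContext ctx, ByteBuf msg) throws Exception {

    // Peek at the first byte to decide whether this connection opens with a TLS handshake or
    // with a plaintext remoting command. The reader index is marked and restored around the
    // peek so the next handler sees the frame untouched.
    msg.markReaderIndex();

    byte b = msg.getByte(0);

    if (b == HANDSHAKE_MAGIC_CODE) {
        switch (tlsMode) {
            case DISABLED:
                ctx.close();
                log.warn("Clients intend to establish a SSL connection while this server is running in SSL disabled mode");
                // Fail closed: the channel is being torn down, so do not hand the handshake
                // bytes to the decoder. This is a channelRead0 override, so the frame is
                // released automatically when we return without retaining it.
                return;
            case PERMISSIVE:
            case ENFORCING:
                if (null == sslContext) {
                    ctx.close();
                    log.error("Trying to establish a SSL connection but sslContext is null");
                    // Same reasoning as DISABLED: nothing downstream can handle a ClientHello.
                    return;
                }
                // Splice the TLS handler directly after this one so the current frame is
                // decrypted on its way down the pipeline; FileRegionEncoder is placed after
                // it, presumably so file regions written later also pass through TLS.
                ctx.pipeline()
                    .addAfter(defaultEventExecutorGroup, HANDSHAKE_HANDLER_NAME, TLS_HANDLER_NAME, sslContext.newHandler(ctx.channel().alloc()))
                    .addAfter(defaultEventExecutorGroup, TLS_HANDLER_NAME, FILE_REGION_ENCODER_NAME, new FileRegionEncoder());
                log.info("Handlers prepended to channel pipeline to establish SSL connection");
                break;

            default:
                // Not reachable for the known DISABLED/PERMISSIVE/ENFORCING values; kept so a
                // new enum constant is at least logged rather than silently treated as one of them.
                log.warn("Unknown TLS mode");
                break;
        }
    } else if (tlsMode == TlsMode.ENFORCING) {
        ctx.close();
        log.warn("Clients intend to establish an insecure connection while this server is running in SSL enforcing mode");
        // Previously the plaintext frame was still forwarded after close(); since close is
        // asynchronous, the command could be decoded and dispatched before the channel actually
        // went away. Returning here guarantees no plaintext request is processed in ENFORCING mode.
        return;
    }

    // reset the reader index so that handshake negotiation may proceed as normal.
    msg.resetReaderIndex();

    try {
        // This handler only inspects the first frame of a connection; remove it afterwards.
        ctx.pipeline().remove(this);
    } catch (NoSuchElementException e) {
        log.error("Error while removing HandshakeHandler", e);
    }

    // Hand the frame to the next handler. retain() balances the automatic release performed
    // by SimpleChannelInboundHandler when this method returns.
    ctx.fireChannelRead(msg.retain());
}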