Refine search
@Override protected void initChannel(SocketChannel ch) throws Exception { ChannelPipeline p = ch.pipeline(); // Enable HTTPS if necessary. if ("https".equals(requestUri.getScheme())) { // making client authentication optional for now; it could be extracted to configurable property JdkSslContext jdkSslContext = new JdkSslContext(client.getSslContext(), true, ClientAuth.NONE); p.addLast(jdkSslContext.newHandler(ch.alloc())); } // http proxy Configuration config = jerseyRequest.getConfiguration(); final Object proxyUri = config.getProperties().get(ClientProperties.PROXY_URI); if (proxyUri != null) { final URI u = getProxyUri(proxyUri); final String userName = ClientProperties.getValue( config.getProperties(), ClientProperties.PROXY_USERNAME, String.class); final String password = ClientProperties.getValue( config.getProperties(), ClientProperties.PROXY_PASSWORD, String.class); p.addLast(new HttpProxyHandler(new InetSocketAddress(u.getHost(), u.getPort() == -1 ? 8080 : u.getPort()), userName, password)); } p.addLast(new HttpClientCodec()); p.addLast(new ChunkedWriteHandler()); p.addLast(new HttpContentDecompressor()); p.addLast(new JerseyClientHandler(NettyConnector.this, jerseyRequest, jerseyCallback, settableFuture)); } });
@Override public final SSLEngine newEngine(ByteBufAllocator alloc) { return configureAndWrapEngine(context().createSSLEngine(), alloc); }
/** * Build a {@link KeyManagerFactory} based upon a key algorithm, key file, key file password, * and a certificate chain. * @param certChainFile a X.509 certificate chain file in PEM format * @param keyAlgorithm the standard name of the requested algorithm. See the Java Secure Socket Extension * Reference Guide for information about standard algorithm names. * @param keyFile a PKCS#8 private key file in PEM format * @param keyPassword the password of the {@code keyFile}. * {@code null} if it's not password-protected. * @param kmf The existing {@link KeyManagerFactory} that will be used if not {@code null} * @return A {@link KeyManagerFactory} based upon a key algorithm, key file, key file password, * and a certificate chain. * @deprecated will be removed. */ @Deprecated protected static KeyManagerFactory buildKeyManagerFactory(File certChainFile, String keyAlgorithm, File keyFile, String keyPassword, KeyManagerFactory kmf) throws KeyStoreException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeySpecException, InvalidAlgorithmParameterException, IOException, CertificateException, KeyException, UnrecoverableKeyException { return buildKeyManagerFactory(toX509Certificates(certChainFile), keyAlgorithm, toPrivateKey(keyFile, keyPassword), keyPassword, kmf); } }
/** * Returns the JDK {@link SSLSessionContext} object held by this context. */ @Override public final SSLSessionContext sessionContext() { if (isServer()) { return context().getServerSessionContext(); } else { return context().getClientSessionContext(); } }
private void initSsl(String addr, NettyRequestFactory factory) throws Exception { SSLContext sslc = SSLContext.getInstance("TLS"); if(!checkSsl) { log.debug("disable any SSL check on {} address", addr); sslc.init(null, new TrustManager[]{new SSLUtil.NullX509TrustManager()}, null); } else if(StringUtils.hasText(keystore)) { log.debug("use SSL trusted store {} on {} address", keystore, addr); final String alg = TrustManagerFactory.getDefaultAlgorithm(); TrustManagerFactory def = TrustManagerFactory.getInstance(alg); def.init((KeyStore)null);// initialize default list of trust managers Resource resource = resourceLoader.getResource(keystore); if(!resource.exists()) { log.warn("Specified JKS {} is not exists.", keystore); return; } KeyStore ks = KeyStore.getInstance("JKS"); try(InputStream is = resource.getInputStream()) { ks.load(is, storepass == null? new char[0] : storepass.toCharArray()); } TrustManagerFactory local = TrustManagerFactory.getInstance(alg); local.init(ks); TrustManager tm = SSLUtil.combineX509TrustManagers(local.getTrustManagers(), def.getTrustManagers()); sslc.init(null, new TrustManager[]{tm}, null); } factory.setSslContext(new JdkSslContext(sslc, true, ClientAuth.OPTIONAL)); }
private SslContext createContext(SSLContext sslContext) { //Unfortunately we need to grap a list of available ciphers from the engine. //If we won't, JdkSslContext will use common ciphers from DEFAULT and SUPPORTED, which gives us 5 out of ~50 available ciphers //Of course, we don't need to any specific engine configuration here... just a list of ciphers String[] ciphers = sslContext.createSSLEngine().getSupportedCipherSuites(); return new JdkSslContext(sslContext, false, Arrays.asList(ciphers), IdentityCipherSuiteFilter.INSTANCE, null, ClientAuth.OPTIONAL); }
/** * Creates Netty's {@link SslContext} based on optional standard JDK's {@link SSLContext}. If {@link * Optional#empty()} is passed as an argument, this method will return the default {@link SslContext}. * * @param context Optional {@link SSLContext}. * @return Netty's {@link SslContext}. */ public SslContext toNettySslContext(Optional<SSLContext> context) { try { SSLContext jdkContext = context.orElse(SSLContext.getDefault()); String[] ciphers = SslContextFactory.getEngine(jdkContext, false, false).getSupportedCipherSuites(); return new JdkSslContext(jdkContext, false, Arrays.asList(ciphers), IdentityCipherSuiteFilter.INSTANCE, null, ClientAuth.OPTIONAL); } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); } } }
sslContext = new JdkSslContext(soConfig.ssl(), false, ClientAuth.NONE);
@SuppressWarnings("deprecation") private SSLEngine configureAndWrapEngine(SSLEngine engine, ByteBufAllocator alloc) { engine.setEnabledCipherSuites(cipherSuites); engine.setEnabledProtocols(protocols); engine.setUseClientMode(isClient()); if (isServer()) { switch (clientAuth) { case OPTIONAL: engine.setWantClientAuth(true); break; case REQUIRE: engine.setNeedClientAuth(true); break; case NONE: break; // exhaustive cases default: throw new Error("Unknown auth " + clientAuth); } } JdkApplicationProtocolNegotiator.SslEngineWrapperFactory factory = apn.wrapperFactory(); if (factory instanceof JdkApplicationProtocolNegotiator.AllocatorAwareSslEngineWrapperFactory) { return ((JdkApplicationProtocolNegotiator.AllocatorAwareSslEngineWrapperFactory) factory) .wrapSslEngine(engine, alloc, apn, isServer()); } return factory.wrapSslEngine(engine, apn, isServer()); }
@Override public final long sessionTimeout() { return sessionContext().getSessionTimeout(); }
/** * Creates a new {@link JdkSslContext} from a pre-configured {@link SSLContext}. * * @param sslContext the {@link SSLContext} to use. * @param isClient {@code true} if this context should create {@link SSLEngine}s for client-side usage. * @param ciphers the ciphers to use or {@code null} if the standard should be used. * @param cipherFilter the filter to use. * @param apn the {@link ApplicationProtocolConfig} to use. * @param clientAuth the {@link ClientAuth} to use. This will only be used when {@param isClient} is {@code false}. */ public JdkSslContext(SSLContext sslContext, boolean isClient, Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn, ClientAuth clientAuth) { this(sslContext, isClient, ciphers, cipherFilter, toNegotiator(apn, !isClient), clientAuth, null, false); }
/** * Build a {@link KeyManagerFactory} based upon a key file, key file password, and a certificate chain. * @param certChainFile a X.509 certificate chain file in PEM format * @param keyFile a PKCS#8 private key file in PEM format * @param keyPassword the password of the {@code keyFile}. * {@code null} if it's not password-protected. * @param kmf The existing {@link KeyManagerFactory} that will be used if not {@code null} * @return A {@link KeyManagerFactory} based upon a key file, key file password, and a certificate chain. * @deprecated will be removed. */ @Deprecated protected static KeyManagerFactory buildKeyManagerFactory(File certChainFile, File keyFile, String keyPassword, KeyManagerFactory kmf) throws UnrecoverableKeyException, KeyStoreException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeySpecException, InvalidAlgorithmParameterException, CertificateException, KeyException, IOException { String algorithm = Security.getProperty("ssl.KeyManagerFactory.algorithm"); if (algorithm == null) { algorithm = "SunX509"; } return buildKeyManagerFactory(certChainFile, algorithm, keyFile, keyPassword, kmf); }
@Nullable @Override @SuppressWarnings("deprecation") public SSLContext getSslContext() { SslContext sslContext = serverConfigData.getSslContext(); if (sslContext instanceof JdkSslContext) { return ((JdkSslContext) sslContext).context(); } else { throw new UnsupportedOperationException("Cannot provide sslContext as JDK type"); } }
} else { final SecureRandom secureRandom = new BufferedSecureRandom(); final SSLContext sslcontext = SSLContext.getInstance("TLS"); sslcontext.init(null, null, secureRandom); config.setSslContext( new JdkSslContext(sslcontext, true, asList(poolConfiguration.getEnabledCipherSuites()), IdentityCipherSuiteFilter.INSTANCE, null, ClientAuth.OPTIONAL));
private SslContext createContext(SSLContext sslContext) { //Unfortunately we need to grap a list of available ciphers from the engine. //If we won't, JdkSslContext will use common ciphers from DEFAULT and SUPPORTED, which gives us 5 out of ~50 available ciphers //Of course, we don't need to any specific engine configuration here... just a list of ciphers String[] ciphers = sslContext.createSSLEngine().getSupportedCipherSuites(); return new JdkSslContext(sslContext, false, Arrays.asList(ciphers), IdentityCipherSuiteFilter.INSTANCE, null, ClientAuth.OPTIONAL); }
/** * Returns the JDK {@link SSLSessionContext} object held by this context. */ @Override public final SSLSessionContext sessionContext() { if (isServer()) { return context().getServerSessionContext(); } else { return context().getClientSessionContext(); } }
static AsyncHttpClient createAsyncHttpClient( String nameFormat, String timerThreadNameFormat, @Nullable SSLContext sslContext ) { final DefaultAsyncHttpClientConfig.Builder builder = new DefaultAsyncHttpClientConfig.Builder() .setThreadFactory(Execs.makeThreadFactory(nameFormat)) .setNettyTimer(new HashedWheelTimer(Execs.makeThreadFactory(timerThreadNameFormat))); if (sslContext != null) { builder.setSslContext(new JdkSslContext(sslContext, true, ClientAuth.NONE)); } return new DefaultAsyncHttpClient(builder.build()); }
@SuppressWarnings("deprecation") private SSLEngine configureAndWrapEngine(SSLEngine engine, ByteBufAllocator alloc) { engine.setEnabledCipherSuites(cipherSuites); engine.setEnabledProtocols(protocols); engine.setUseClientMode(isClient()); if (isServer()) { switch (clientAuth) { case OPTIONAL: engine.setWantClientAuth(true); break; case REQUIRE: engine.setNeedClientAuth(true); break; case NONE: break; // exhaustive cases default: throw new Error("Unknown auth " + clientAuth); } } JdkApplicationProtocolNegotiator.SslEngineWrapperFactory factory = apn.wrapperFactory(); if (factory instanceof JdkApplicationProtocolNegotiator.AllocatorAwareSslEngineWrapperFactory) { return ((JdkApplicationProtocolNegotiator.AllocatorAwareSslEngineWrapperFactory) factory) .wrapSslEngine(engine, alloc, apn, isServer()); } return factory.wrapSslEngine(engine, apn, isServer()); }
@Override public final long sessionCacheSize() { return sessionContext().getSessionCacheSize(); }
/** * Creates a new {@link JdkSslContext} from a pre-configured {@link SSLContext}. * * @param sslContext the {@link SSLContext} to use. * @param isClient {@code true} if this context should create {@link SSLEngine}s for client-side usage. * @param ciphers the ciphers to use or {@code null} if the standard should be used. * @param cipherFilter the filter to use. * @param apn the {@link ApplicationProtocolConfig} to use. * @param clientAuth the {@link ClientAuth} to use. This will only be used when {@param isClient} is {@code false}. * @param protocols the protocols to enable, or {@code null} to enable the default protocols. * @param startTls {@code true} if the first write request shouldn't be encrypted */ public JdkSslContext(SSLContext sslContext, boolean isClient, Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn, ClientAuth clientAuth, String[] protocols, boolean startTls) { this(sslContext, isClient, ciphers, cipherFilter, toNegotiator(apn, !isClient), clientAuth, protocols == null ? null : protocols.clone(), startTls); }