@Override protected void noSelectedMatchFound(String protocol) throws Exception { throw new SSLHandshakeException("No compatible protocols found"); } }
private SSLHandshakeException renegotiationException() { return new SSLHandshakeException("Renegotiation is not supported"); }
@Override public String noSelectMatchFound() throws Exception { throw new SSLHandshakeException("Selected protocol is not supported"); } }
@Override public String noSelectMatchFound() throws Exception { throw new SSLHandshakeException("Selected protocol is not supported"); } }
@Override protected void noSelectedMatchFound(String protocol) throws Exception { throw new SSLHandshakeException("No compatible protocols found"); } }
/** * Converts the given exception to a {@link SSLHandshakeException}, if it isn't already. */ static SSLHandshakeException toSSLHandshakeException(Throwable e) { if (e instanceof SSLHandshakeException) { return (SSLHandshakeException) e; } return (SSLHandshakeException) new SSLHandshakeException(e.getMessage()).initCause(e); }
@Override public void userEventTriggered(ChannelHandlerContext ctx, Object evt) { if (evt instanceof SslHandshakeCompletionEvent) { // Notify application SslHandshakeCompletionEvent completion = (SslHandshakeCompletionEvent) evt; if (completion.isSuccess()) { // Remove from the pipeline after handshake result ctx.pipeline().remove(this); applicationProtocol = sslHandler.applicationProtocol(); channelHandler.handle(io.vertx.core.Future.succeededFuture(channel)); } else { SSLHandshakeException sslException = new SSLHandshakeException("Failed to create SSL connection"); sslException.initCause(completion.cause()); channelHandler.handle(io.vertx.core.Future.failedFuture(sslException)); } } ctx.fireUserEventTriggered(evt); } @Override
private SSLException shutdownWithError(String operation, int sslError, int error) { String errorString = SSL.getErrorString(error); if (logger.isDebugEnabled()) { logger.debug("{} failed with {}: OpenSSL error: {} {}", operation, sslError, error, errorString); } // There was an internal error -- shutdown shutdown(); if (handshakeState == HandshakeState.FINISHED) { return new SSLException(errorString); } return new SSLHandshakeException(errorString); }
@Override public final SSLHandshakeException noContextForSslConnection() { final SSLHandshakeException result = new SSLHandshakeException(String.format(getLoggingLocale(), noContextForSslConnection$str())); final StackTraceElement[] st = result.getStackTrace(); result.setStackTrace(Arrays.copyOfRange(st, 1, st.length)); return result; } private static final String sslClosed = "ELY04007: SSL channel is closed";
@Override public final SSLHandshakeException invalidHandshakeRecord() { final SSLHandshakeException result = new SSLHandshakeException(String.format(getLoggingLocale(), invalidHandshakeRecord$str())); final StackTraceElement[] st = result.getStackTrace(); result.setStackTrace(Arrays.copyOfRange(st, 1, st.length)); return result; } private static final String multiRecordSSLHandshake = "UT000142: Initial SSL/TLS handshake spans multiple records";
@Override public final SSLHandshakeException expectedServerHello() { final SSLHandshakeException result = new SSLHandshakeException(String.format(getLoggingLocale(), expectedServerHello$str())); final StackTraceElement[] st = result.getStackTrace(); result.setStackTrace(Arrays.copyOfRange(st, 1, st.length)); return result; } private static final String tooManyRedirects = "UT000145: Too many redirects";
private void rejectRemoteInitiatedRenegotiation() throws SSLHandshakeException { // As rejectRemoteInitiatedRenegotiation() is called in a finally block we also need to check if we shutdown // the engine before as otherwise SSL.getHandshakeCount(ssl) will throw an NPE if the passed in ssl is 0. // See https://github.com/netty/netty/issues/7353 if (!isDestroyed() && SSL.getHandshakeCount(ssl) > 1 && // As we may count multiple handshakes when TLSv1.3 is used we should just ignore this here as // renegotiation is not supported in TLSv1.3 as per spec. !SslUtils.PROTOCOL_TLS_V1_3.equals(session.getProtocol()) && handshakeState == HandshakeState.FINISHED) { // TODO: In future versions me may also want to send a fatal_alert to the client and so notify it // that the renegotiation failed. shutdown(); throw new SSLHandshakeException("remote-initiated renegotiation not allowed"); } }
@Override public final SSLHandshakeException invalidHandshakeRecord() { final SSLHandshakeException result = new SSLHandshakeException(String.format(getLoggingLocale(), invalidHandshakeRecord$str())); final StackTraceElement[] st = result.getStackTrace(); result.setStackTrace(Arrays.copyOfRange(st, 1, st.length)); return result; } private static final String multiRecordSSLHandshake = "ELY04010: Initial SSL/TLS handshake spans multiple records";
@Override public final SSLHandshakeException multiRecordSSLHandshake() { final SSLHandshakeException result = new SSLHandshakeException(String.format(getLoggingLocale(), multiRecordSSLHandshake$str())); final StackTraceElement[] st = result.getStackTrace(); result.setStackTrace(Arrays.copyOfRange(st, 1, st.length)); return result; } private static final String expectedClientHello = "UT000143: Expected \"client hello\" record";
@Override public final SSLHandshakeException expectedClientHello() { final SSLHandshakeException result = new SSLHandshakeException(String.format(getLoggingLocale(), expectedClientHello$str())); final StackTraceElement[] st = result.getStackTrace(); result.setStackTrace(Arrays.copyOfRange(st, 1, st.length)); return result; } private static final String unsupportedSslRecord = "ELY04012: Unsupported SSL/TLS record";
@Override public final SSLHandshakeException notHandshakeRecord() { final SSLHandshakeException result = new SSLHandshakeException(String.format(getLoggingLocale(), notHandshakeRecord$str())); final StackTraceElement[] st = result.getStackTrace(); result.setStackTrace(Arrays.copyOfRange(st, 1, st.length)); return result; } private static final String invalidHandshakeRecord = "UT000141: Initial SSL/TLS handshake record is invalid";
@Override public final SSLHandshakeException expectedClientHello() { final SSLHandshakeException result = new SSLHandshakeException(String.format(getLoggingLocale(), expectedClientHello$str())); final StackTraceElement[] st = result.getStackTrace(); result.setStackTrace(Arrays.copyOfRange(st, 1, st.length)); return result; } private static final String expectedServerHello = "UT000144: Expected server hello";
private void rejectRemoteInitiatedRenegotiation() throws SSLHandshakeException { // As rejectRemoteInitiatedRenegotiation() is called in a finally block we also need to check if we shutdown // the engine before as otherwise SSL.getHandshakeCount(ssl) will throw an NPE if the passed in ssl is 0. // See https://github.com/netty/netty/issues/7353 if (!isDestroyed() && SSL.getHandshakeCount(ssl) > 1) { // TODO: In future versions me may also want to send a fatal_alert to the client and so notify it // that the renegotiation failed. shutdown(); throw new SSLHandshakeException("remote-initiated renegotiation not allowed"); } }
@Override public void handle(long ssl, byte[] keyTypeBytes, byte[][] asn1DerEncodedPrincipals) throws Exception { final ReferenceCountedOpenSslEngine engine = engineMap.get(ssl); try { // For now we just ignore the asn1DerEncodedPrincipals as this is kind of inline with what the // OpenJDK SSLEngineImpl does. keyManagerHolder.setKeyMaterialServerSide(engine); } catch (Throwable cause) { logger.debug("Failed to set the server-side key material", cause); SSLHandshakeException e = new SSLHandshakeException("General OpenSslEngine problem"); e.initCause(cause); engine.handshakeException = e; } } }
private SSLEngineResult sslReadErrorResult(int error, int stackError, int bytesConsumed, int bytesProduced) throws SSLException { // Check if we have a pending handshakeException and if so see if we need to consume all pending data from the // BIO first or can just shutdown and throw it now. // This is needed so we ensure close_notify etc is correctly send to the remote peer. // See https://github.com/netty/netty/issues/3900 if (SSL.bioLengthNonApplication(networkBIO) > 0) { if (handshakeException == null && handshakeState != HandshakeState.FINISHED) { // we seems to have data left that needs to be transferred and so the user needs // call wrap(...). Store the error so we can pick it up later. handshakeException = new SSLHandshakeException(SSL.getErrorString(stackError)); } // We need to clear all errors so we not pick up anything that was left on the stack on the next // operation. Note that shutdownWithError(...) will cleanup the stack as well so its only needed here. SSL.clearError(); return new SSLEngineResult(OK, NEED_WRAP, bytesConsumed, bytesProduced); } throw shutdownWithError("SSL_read", error, stackError); }