List of usage examples for io.netty.handler.ssl ReferenceCountedOpenSslContext release
@Override public final boolean release()
From source file:io.netty.example.ocsp.OcspClientExample.java
License:Apache License
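/**
 * Connects to a TLS server with OCSP stapling enabled and releases the
 * response once it arrives.
 *
 * <p>Preconditions: OpenSSL (via netty-tcnative) must be available and must
 * support OCSP; otherwise an {@link IllegalStateException} is thrown before
 * any network activity. The {@link ReferenceCountedOpenSslContext} is
 * reference counted, so it is released in a {@code finally} block no matter
 * how the connection attempt ends.
 *
 * @param args ignored
 * @throws Exception on connection failure, on an interrupted or timed-out
 *         wait for the response, or if the client handler fails the promise
 */
public static void main(String[] args) throws Exception {
    if (!OpenSsl.isAvailable()) {
        throw new IllegalStateException("OpenSSL is not available!");
    }
    if (!OpenSsl.isOcspSupported()) {
        throw new IllegalStateException("OCSP is not supported!");
    }

    // Using Wikipedia as an example. I'd rather use Netty's own website
    // but the server (Cloudflare) doesn't support OCSP stapling. A few
    // other examples could be Microsoft or Squarespace. Use OpenSSL's
    // CLI client to assess if a server supports OCSP stapling. E.g.:
    //
    // openssl s_client -tlsextdebug -status -connect www.squarespace.com:443
    //
    String host = "www.wikipedia.org";

    // enableOcsp(true) only asks the peer to staple an OCSP response to the
    // handshake. Whether that stapled response is actually validated (signature,
    // serial, validity window) is up to the handler built by newClientHandler,
    // which is defined elsewhere in this file -- confirm it does so before
    // relying on this example for revocation checking.
    ReferenceCountedOpenSslContext context = (ReferenceCountedOpenSslContext) SslContextBuilder.forClient()
            .sslProvider(SslProvider.OPENSSL)
            .enableOcsp(true)
            .build();
    try {
        EventLoopGroup group = new NioEventLoopGroup();
        try {
            Promise<FullHttpResponse> promise = group.next().newPromise();
            Bootstrap bootstrap = new Bootstrap()
                    .channel(NioSocketChannel.class)
                    .group(group)
                    .option(ChannelOption.CONNECT_TIMEOUT_MILLIS, 5 * 1000)
                    .handler(newClientHandler(context, host, promise));

            Channel channel = bootstrap.connect(host, 443).syncUninterruptibly().channel();
            try {
                // CONNECT_TIMEOUT_MILLIS only bounds the TCP connect. The handshake
                // and the HTTP exchange are bounded here instead, so a peer that
                // accepts the connection but never answers cannot hang the example
                // forever. A TimeoutException propagates through "throws Exception".
                FullHttpResponse response = promise.get(10L, java.util.concurrent.TimeUnit.SECONDS);
                // FullHttpResponse is reference counted; release it once we are done.
                ReferenceCountUtil.release(response);
            } finally {
                channel.close();
            }
        } finally {
            group.shutdownGracefully();
        }
    } finally {
        // Matches the implicit retain done by build(): without this the native
        // SSL_CTX leaks.
        context.release();
    }
}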
From source file:io.netty.example.ocsp.OcspServerExample.java
License:Apache License
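/**
 * Walks through the server side of OCSP stapling: load the certificate
 * chain, locate the CA's OCSP responder, fetch and sanity-check the OCSP
 * response for the leaf certificate, and finally build an OpenSSL-backed
 * {@link ReferenceCountedOpenSslContext} that could staple that response.
 *
 * <p>The example deliberately stops before starting a server because it has
 * no private key for the bundled chain; see the {@code privateKey} check
 * below.
 *
 * @param args ignored
 * @throws Exception if the chain cannot be parsed, the responder cannot be
 *         reached within the timeout, or the OCSP response is unusable
 *         (non-successful status, empty, wrong serial, or not GOOD)
 */
public static void main(String[] args) throws Exception {
    // We assume there's a private key.
    PrivateKey privateKey = null;

    // Step 1: Load the certificate chain for netty.io. We'll need the certificate
    // and the issuer's certificate and we don't need any of the intermediate certs.
    // The array is assumed to be a certain order to keep things simple:
    // index 0 is the leaf, the last element is its issuer.
    X509Certificate[] keyCertChain = parseCertificates(OcspServerExample.class, "netty_io_chain.pem");
    if (keyCertChain == null || keyCertChain.length < 2) {
        // With fewer than two certificates the "issuer" below would be the leaf
        // itself and the OCSP request would be built against the wrong key.
        throw new IllegalStateException("Expected a chain holding at least the leaf and its issuer");
    }
    X509Certificate certificate = keyCertChain[0];
    X509Certificate issuer = keyCertChain[keyCertChain.length - 1];

    // Step 2: We need the URL of the CA's OCSP responder server. It's somewhere encoded
    // into the certificate! Notice that it's an HTTP URL.
    URI uri = OcspUtils.ocspUri(certificate);
    if (uri == null) {
        throw new IllegalStateException("The CA/certificate doesn't have an OCSP responder");
    }
    System.out.println("OCSP Responder URI: " + uri);

    // Step 3: Construct the OCSP request
    OCSPReq request = new OcspRequestBuilder()
            .certificate(certificate)
            .issuer(issuer)
            .build();

    // Step 4: Do the request to the CA's OCSP responder
    OCSPResp response = OcspUtils.request(uri, request, 5L, TimeUnit.SECONDS);
    if (response.getStatus() != OCSPResponseStatus.SUCCESSFUL) {
        throw new IllegalStateException("response-status=" + response.getStatus());
    }

    // Step 5: Is my certificate any good or has the CA revoked it?
    BasicOCSPResp basicResponse = (BasicOCSPResp) response.getResponseObject();

    // NOTE(review): nothing below verifies the responder's signature on
    // basicResponse (BouncyCastle exposes BasicOCSPResp.isSignatureValid for
    // that). Without that check a response fetched over plain HTTP could have
    // been altered in transit, so production code must verify the signature
    // against the issuer or its delegated OCSP signer before trusting the
    // status. It is left out here to keep the example focused on the flow.
    SingleResp[] responses = basicResponse.getResponses();
    if (responses == null || responses.length == 0) {
        throw new IllegalStateException("OCSP response carries no single responses");
    }
    SingleResp first = responses[0];

    // Make sure the single response is about *our* certificate before we read
    // its status; otherwise a GOOD status for some other serial would be
    // misinterpreted.
    BigInteger certSerial = certificate.getSerialNumber();
    BigInteger ocspSerial = first.getCertID().getSerialNumber();
    if (!certSerial.equals(ocspSerial)) {
        throw new IllegalStateException("Bad Serials=" + certSerial + " vs. " + ocspSerial);
    }

    // In BouncyCastle CertificateStatus.GOOD is represented by null, so a
    // non-null status means revoked or unknown.
    CertificateStatus status = first.getCertStatus();
    System.out.println("Status: " + (status == CertificateStatus.GOOD ? "Good" : status));
    System.out.println("This Update: " + first.getThisUpdate());
    System.out.println("Next Update: " + first.getNextUpdate());
    if (status != null) {
        throw new IllegalStateException("certificate-status=" + status);
    }

    // Step 6: Cache the OCSP response and use it as long as it's not
    // expired. The exact semantics are beyond the scope of this example;
    // the "Next Update" printed above is the natural point at which a
    // cached response must be refreshed.
    if (!OpenSsl.isAvailable()) {
        throw new IllegalStateException("OpenSSL is not available!");
    }
    if (!OpenSsl.isOcspSupported()) {
        throw new IllegalStateException("OCSP is not supported!");
    }
    if (privateKey == null) {
        throw new IllegalStateException(
                "Because we don't have a PrivateKey we can't continue past this point.");
    }

    ReferenceCountedOpenSslContext context = (ReferenceCountedOpenSslContext) SslContextBuilder
            .forServer(privateKey, keyCertChain)
            .sslProvider(SslProvider.OPENSSL)
            .enableOcsp(true)
            .build();
    try {
        ServerBootstrap bootstrap = new ServerBootstrap()
                .childHandler(newServerHandler(context, response));

        // so on and so forth...
    } finally {
        // The context is reference counted; release the reference taken by build().
        context.release();
    }
}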