List of usage examples for io.netty.handler.ssl SslContextBuilder build
public SslContext build() throws SSLException
From source file:cf.dropsonde.firehose.NettyFirehoseOnSubscribe.java
License:Open Source License
public NettyFirehoseOnSubscribe(URI uri, String token, String subscriptionId, boolean skipTlsValidation, EventLoopGroup eventLoopGroup, Class<? extends SocketChannel> channelClass) { try {//from w ww. j a v a 2s. co m final String host = uri.getHost() == null ? "127.0.0.1" : uri.getHost(); final String scheme = uri.getScheme() == null ? "ws" : uri.getScheme(); final int port = getPort(scheme, uri.getPort()); final URI fullUri = uri.resolve("/firehose/" + subscriptionId); final SslContext sslContext; if ("wss".equalsIgnoreCase(scheme)) { final SslContextBuilder sslContextBuilder = SslContextBuilder.forClient(); if (skipTlsValidation) { sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE); } else { TrustManagerFactory trustManagerFactory = TrustManagerFactory .getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init((KeyStore) null); sslContextBuilder.trustManager(trustManagerFactory); } sslContext = sslContextBuilder.build(); } else { sslContext = null; } bootstrap = new Bootstrap(); if (eventLoopGroup == null) { this.eventLoopGroup = new NioEventLoopGroup(); bootstrap.group(this.eventLoopGroup); } else { this.eventLoopGroup = null; bootstrap.group(eventLoopGroup); } bootstrap.option(ChannelOption.CONNECT_TIMEOUT_MILLIS, 15000) .channel(channelClass == null ? NioSocketChannel.class : channelClass).remoteAddress(host, port) .handler(new ChannelInitializer<SocketChannel>() { @Override protected void initChannel(SocketChannel c) throws Exception { final HttpHeaders headers = new DefaultHttpHeaders(); headers.add(HttpHeaders.Names.AUTHORIZATION, token); final WebSocketClientHandler handler = new WebSocketClientHandler( WebSocketClientHandshakerFactory.newHandshaker(fullUri, WebSocketVersion.V13, null, false, headers)); final ChannelPipeline pipeline = c.pipeline(); if (sslContext != null) { pipeline.addLast(sslContext.newHandler(c.alloc(), host, port)); } pipeline.addLast(new ReadTimeoutHandler(30)); pipeline.addLast(new HttpClientCodec(), new HttpObjectAggregator(8192)); pipeline.addLast(HANDLER_NAME, handler); channel = c; } }); } catch (NoSuchAlgorithmException | SSLException | KeyStoreException e) { throw new RuntimeException(e); } }
From source file:com.datastax.driver.core.SSLTestBase.java
License:Apache License
/** * @param sslImplementation the SSL implementation to use * @param clientAuth whether the client should authenticate * @param trustingServer whether the client should trust the server's certificate * @return {@link com.datastax.driver.core.SSLOptions} with the given configuration for * server certificate validation and client certificate authentication. *///from www . jav a2 s . c om public SSLOptions getSSLOptions(SslImplementation sslImplementation, boolean clientAuth, boolean trustingServer) throws Exception { TrustManagerFactory tmf = null; if (trustingServer) { KeyStore ks = KeyStore.getInstance("JKS"); ks.load(this.getClass().getResourceAsStream(CCMBridge.DEFAULT_CLIENT_TRUSTSTORE_PATH), CCMBridge.DEFAULT_CLIENT_TRUSTSTORE_PASSWORD.toCharArray()); tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(ks); } switch (sslImplementation) { case JDK: KeyManagerFactory kmf = null; if (clientAuth) { KeyStore ks = KeyStore.getInstance("JKS"); ks.load(this.getClass().getResourceAsStream(CCMBridge.DEFAULT_CLIENT_KEYSTORE_PATH), CCMBridge.DEFAULT_CLIENT_KEYSTORE_PASSWORD.toCharArray()); kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); kmf.init(ks, CCMBridge.DEFAULT_CLIENT_KEYSTORE_PASSWORD.toCharArray()); } SSLContext sslContext = SSLContext.getInstance("TLS"); sslContext.init(kmf != null ? kmf.getKeyManagers() : null, tmf != null ? tmf.getTrustManagers() : null, new SecureRandom()); return JdkSSLOptions.builder().withSSLContext(sslContext).build(); case NETTY_OPENSSL: SslContextBuilder builder = SslContextBuilder.forClient().sslProvider(OPENSSL).trustManager(tmf); if (clientAuth) { builder.keyManager(CCMBridge.DEFAULT_CLIENT_CERT_CHAIN_FILE, CCMBridge.DEFAULT_CLIENT_PRIVATE_KEY_FILE); } return new NettySSLOptions(builder.build()); default: fail("Unsupported SSL implementation: " + sslImplementation); return null; } }
From source file:com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.java
License:Apache License
private SslContext buildSSLContext0(final SslContextBuilder sslContextBuilder) throws SSLException { final SecurityManager sm = System.getSecurityManager(); if (sm != null) { sm.checkPermission(new SpecialPermission()); }/*w w w. j a v a 2 s .co m*/ SslContext sslContext = null; try { sslContext = AccessController.doPrivileged(new PrivilegedExceptionAction<SslContext>() { @Override public SslContext run() throws Exception { return sslContextBuilder.build(); } }); } catch (final PrivilegedActionException e) { throw (SSLException) e.getCause(); } return sslContext; }
From source file:com.floragunn.searchguard.ssl.SearchGuardKeyStore.java
License:Apache License
private SslContext buildSSLContext(final SslContextBuilder sslContextBuilder) throws SSLException { final SecurityManager sm = System.getSecurityManager(); if (sm != null) { sm.checkPermission(new SpecialPermission()); }/*from www .j av a 2 s . c o m*/ SslContext sslContext = null; try { sslContext = AccessController.doPrivileged(new PrivilegedExceptionAction<SslContext>() { @Override public SslContext run() throws Exception { return sslContextBuilder.build(); } }); } catch (final PrivilegedActionException e) { throw (SSLException) e.getCause(); } return sslContext; }
From source file:com.liferay.sync.engine.lan.server.file.LanFileServerInitializer.java
License:Open Source License
public void updateDomainNameMapping() { DomainNameMappingBuilder<SslContext> domainNameMappingBuilder = null; for (SyncAccount syncAccount : SyncAccountService.findAll()) { if (!syncAccount.isActive() || !syncAccount.isLanEnabled()) { continue; }/*from w w w.j a v a 2 s. co m*/ SslContext sslContext = null; try { X509Certificate x509Certificate = LanPEMParserUtil .parseX509Certificate(syncAccount.getLanCertificate()); SslContextBuilder sslContextBuilder = SslContextBuilder .forServer(LanPEMParserUtil.parsePrivateKey(syncAccount.getLanKey()), x509Certificate); sslContextBuilder.clientAuth(ClientAuth.REQUIRE); sslContextBuilder.sslProvider(SslProvider.JDK); sslContextBuilder.trustManager(x509Certificate); sslContext = sslContextBuilder.build(); } catch (Exception e) { _logger.error(e.getMessage(), e); continue; } if (domainNameMappingBuilder == null) { domainNameMappingBuilder = new DomainNameMappingBuilder<>(sslContext); } domainNameMappingBuilder.add(LanClientUtil.getSNIHostname(syncAccount.getLanServerUuid()), sslContext); } if (domainNameMappingBuilder == null) { return; } _domainNameMapping = domainNameMappingBuilder.build(); }
From source file:com.linecorp.armeria.client.http.HttpClientPipelineConfigurator.java
License:Apache License
HttpClientPipelineConfigurator(SessionProtocol sessionProtocol, SessionOptions options) { switch (sessionProtocol) { case HTTP:/*w ww.j av a 2 s . c o m*/ case HTTPS: httpPreference = HttpPreference.HTTP2_PREFERRED; break; case H1: case H1C: httpPreference = HttpPreference.HTTP1_REQUIRED; break; case H2: case H2C: httpPreference = HttpPreference.HTTP2_REQUIRED; break; default: // Should never reach here. throw new Error(); } this.options = requireNonNull(options, "options"); if (sessionProtocol.isTls()) { try { final SslContextBuilder builder = SslContextBuilder.forClient(); builder.sslProvider(NativeLibraries.isOpenSslAvailable() ? SslProvider.OPENSSL : SslProvider.JDK); options.trustManagerFactory().ifPresent(builder::trustManager); if (httpPreference == HttpPreference.HTTP2_REQUIRED || httpPreference == HttpPreference.HTTP2_PREFERRED) { builder.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE) .applicationProtocolConfig( new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN, // NO_ADVERTISE is currently the only mode supported by both OpenSsl and // JDK providers. ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE, // ACCEPT is currently the only mode supported by both OpenSsl and JDK // providers. ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT, ApplicationProtocolNames.HTTP_2)); } sslCtx = builder.build(); } catch (SSLException e) { throw new IllegalStateException("failed to create an SslContext", e); } } else { sslCtx = null; } }
From source file:com.linecorp.armeria.client.HttpClientPipelineConfigurator.java
License:Apache License
HttpClientPipelineConfigurator(HttpClientFactory clientFactory, SessionProtocol sessionProtocol) { this.clientFactory = clientFactory; if (sessionProtocol == HTTP || sessionProtocol == HTTPS) { httpPreference = HttpPreference.HTTP2_PREFERRED; } else if (sessionProtocol == H1 || sessionProtocol == H1C) { httpPreference = HttpPreference.HTTP1_REQUIRED; } else if (sessionProtocol == H2 || sessionProtocol == H2C) { httpPreference = HttpPreference.HTTP2_REQUIRED; } else {//w ww . j a va 2s . com // Should never reach here. throw new Error(); } if (sessionProtocol.isTls()) { try { final SslContextBuilder builder = SslContextBuilder.forClient(); builder.sslProvider(Flags.useOpenSsl() ? SslProvider.OPENSSL : SslProvider.JDK); clientFactory.sslContextCustomizer().accept(builder); if (httpPreference == HttpPreference.HTTP2_REQUIRED || httpPreference == HttpPreference.HTTP2_PREFERRED) { builder.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE) .applicationProtocolConfig( new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN, // NO_ADVERTISE is currently the only mode supported by both OpenSsl and // JDK providers. ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE, // ACCEPT is currently the only mode supported by both OpenSsl and JDK // providers. ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT, ApplicationProtocolNames.HTTP_2)); } sslCtx = builder.build(); } catch (SSLException e) { throw new IllegalStateException("failed to create an SslContext", e); } } else { sslCtx = null; } }
From source file:com.linecorp.armeria.client.HttpConfigurator.java
License:Apache License
HttpConfigurator(SessionProtocol sessionProtocol, RemoteInvokerOptions options) { switch (sessionProtocol) { case HTTP://from w ww.j a v a 2s. com case HTTPS: httpPreference = HttpPreference.HTTP2_PREFERRED; break; case H1: case H1C: httpPreference = HttpPreference.HTTP1_REQUIRED; break; case H2: case H2C: httpPreference = HttpPreference.HTTP2_REQUIRED; break; default: // Should never reach here. throw new Error(); } this.options = requireNonNull(options, "options"); if (sessionProtocol.isTls()) { try { final SslContextBuilder builder = SslContextBuilder.forClient(); builder.sslProvider(NativeLibraries.isOpenSslAvailable() ? SslProvider.OPENSSL : SslProvider.JDK); options.trustManagerFactory().ifPresent(builder::trustManager); if (httpPreference == HttpPreference.HTTP2_REQUIRED || httpPreference == HttpPreference.HTTP2_PREFERRED) { builder.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE) .applicationProtocolConfig( new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN, // NO_ADVERTISE is currently the only mode supported by both OpenSsl and // JDK providers. ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE, // ACCEPT is currently the only mode supported by both OpenSsl and JDK // providers. ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT, ApplicationProtocolNames.HTTP_2)); } sslCtx = builder.build(); } catch (SSLException e) { throw new IllegalStateException("failed to create a SslContext", e); } } else { sslCtx = null; } }
From source file:com.linecorp.armeria.server.AbstractVirtualHostBuilder.java
License:Apache License
/** * Configures SSL or TLS of this {@link VirtualHost} with the specified {@code keyCertChainFile}, * {@code keyFile} and {@code keyPassword}. *///from w w w . j a v a2s. c om public B tls(File keyCertChainFile, File keyFile, @Nullable String keyPassword) throws SSLException { if (!keyCertChainFile.exists()) { throw new SSLException("non-existent certificate chain file: " + keyCertChainFile); } if (!keyCertChainFile.canRead()) { throw new SSLException("cannot read certificate chain file: " + keyCertChainFile); } if (!keyFile.exists()) { throw new SSLException("non-existent key file: " + keyFile); } if (!keyFile.canRead()) { throw new SSLException("cannot read key file: " + keyFile); } final SslContext sslCtx; try { sslCtx = BouncyCastleKeyFactoryProvider.call(() -> { final SslContextBuilder builder = SslContextBuilder.forServer(keyCertChainFile, keyFile, keyPassword); builder.sslProvider(Flags.useOpenSsl() ? SslProvider.OPENSSL : SslProvider.JDK); builder.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE); builder.applicationProtocolConfig(HTTPS_ALPN_CFG); return builder.build(); }); } catch (RuntimeException | SSLException e) { throw e; } catch (Exception e) { throw new SSLException("failed to configure TLS: " + e, e); } tls(sslCtx); return self(); }
From source file:com.linecorp.armeria.server.VirtualHostBuilder.java
License:Apache License
/** * Sets the {@link SslContext} of this {@link VirtualHost} from the specified {@link SessionProtocol}, * {@code keyCertChainFile}, {@code keyFile} and {@code keyPassword}. *//*ww w . java2 s .c om*/ public VirtualHostBuilder sslContext(SessionProtocol protocol, File keyCertChainFile, File keyFile, String keyPassword) throws SSLException { if (requireNonNull(protocol, "protocol") != SessionProtocol.HTTPS) { throw new IllegalArgumentException("unsupported protocol: " + protocol); } final SslContextBuilder builder = SslContextBuilder.forServer(keyCertChainFile, keyFile, keyPassword); builder.sslProvider(NativeLibraries.isOpenSslAvailable() ? SslProvider.OPENSSL : SslProvider.JDK); builder.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE); builder.applicationProtocolConfig(HTTPS_ALPN_CFG); sslContext(builder.build()); return this; }