List of usage examples for io.netty.handler.ssl SslContextBuilder ciphers
Iterable ciphers
To view the source code for io.netty.handler.ssl SslContextBuilder ciphers.
Click Source Link
From source file:com.linecorp.armeria.client.http.HttpClientPipelineConfigurator.java
License:Apache License
HttpClientPipelineConfigurator(SessionProtocol sessionProtocol, SessionOptions options) {
switch (sessionProtocol) {
case HTTP:/*from w w w. j a v a 2s . c o m*/
case HTTPS:
httpPreference = HttpPreference.HTTP2_PREFERRED;
break;
case H1:
case H1C:
httpPreference = HttpPreference.HTTP1_REQUIRED;
break;
case H2:
case H2C:
httpPreference = HttpPreference.HTTP2_REQUIRED;
break;
default:
// Should never reach here.
throw new Error();
}
this.options = requireNonNull(options, "options");
if (sessionProtocol.isTls()) {
try {
final SslContextBuilder builder = SslContextBuilder.forClient();
builder.sslProvider(NativeLibraries.isOpenSslAvailable() ? SslProvider.OPENSSL : SslProvider.JDK);
options.trustManagerFactory().ifPresent(builder::trustManager);
if (httpPreference == HttpPreference.HTTP2_REQUIRED
|| httpPreference == HttpPreference.HTTP2_PREFERRED) {
builder.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
.applicationProtocolConfig(
new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN,
// NO_ADVERTISE is currently the only mode supported by both OpenSsl and
// JDK providers.
ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
// ACCEPT is currently the only mode supported by both OpenSsl and JDK
// providers.
ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
ApplicationProtocolNames.HTTP_2));
}
sslCtx = builder.build();
} catch (SSLException e) {
throw new IllegalStateException("failed to create an SslContext", e);
}
} else {
sslCtx = null;
}
}
From source file:com.linecorp.armeria.client.HttpClientPipelineConfigurator.java
License:Apache License
HttpClientPipelineConfigurator(HttpClientFactory clientFactory, SessionProtocol sessionProtocol) {
this.clientFactory = clientFactory;
if (sessionProtocol == HTTP || sessionProtocol == HTTPS) {
httpPreference = HttpPreference.HTTP2_PREFERRED;
} else if (sessionProtocol == H1 || sessionProtocol == H1C) {
httpPreference = HttpPreference.HTTP1_REQUIRED;
} else if (sessionProtocol == H2 || sessionProtocol == H2C) {
httpPreference = HttpPreference.HTTP2_REQUIRED;
} else {/*from w w w . j av a2 s . c o m*/
// Should never reach here.
throw new Error();
}
if (sessionProtocol.isTls()) {
try {
final SslContextBuilder builder = SslContextBuilder.forClient();
builder.sslProvider(Flags.useOpenSsl() ? SslProvider.OPENSSL : SslProvider.JDK);
clientFactory.sslContextCustomizer().accept(builder);
if (httpPreference == HttpPreference.HTTP2_REQUIRED
|| httpPreference == HttpPreference.HTTP2_PREFERRED) {
builder.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
.applicationProtocolConfig(
new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN,
// NO_ADVERTISE is currently the only mode supported by both OpenSsl and
// JDK providers.
ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
// ACCEPT is currently the only mode supported by both OpenSsl and JDK
// providers.
ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
ApplicationProtocolNames.HTTP_2));
}
sslCtx = builder.build();
} catch (SSLException e) {
throw new IllegalStateException("failed to create an SslContext", e);
}
} else {
sslCtx = null;
}
}
From source file:com.linecorp.armeria.client.HttpConfigurator.java
License:Apache License
HttpConfigurator(SessionProtocol sessionProtocol, RemoteInvokerOptions options) {
switch (sessionProtocol) {
case HTTP:/*from www . j a va2 s .com*/
case HTTPS:
httpPreference = HttpPreference.HTTP2_PREFERRED;
break;
case H1:
case H1C:
httpPreference = HttpPreference.HTTP1_REQUIRED;
break;
case H2:
case H2C:
httpPreference = HttpPreference.HTTP2_REQUIRED;
break;
default:
// Should never reach here.
throw new Error();
}
this.options = requireNonNull(options, "options");
if (sessionProtocol.isTls()) {
try {
final SslContextBuilder builder = SslContextBuilder.forClient();
builder.sslProvider(NativeLibraries.isOpenSslAvailable() ? SslProvider.OPENSSL : SslProvider.JDK);
options.trustManagerFactory().ifPresent(builder::trustManager);
if (httpPreference == HttpPreference.HTTP2_REQUIRED
|| httpPreference == HttpPreference.HTTP2_PREFERRED) {
builder.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
.applicationProtocolConfig(
new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN,
// NO_ADVERTISE is currently the only mode supported by both OpenSsl and
// JDK providers.
ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
// ACCEPT is currently the only mode supported by both OpenSsl and JDK
// providers.
ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
ApplicationProtocolNames.HTTP_2));
}
sslCtx = builder.build();
} catch (SSLException e) {
throw new IllegalStateException("failed to create a SslContext", e);
}
} else {
sslCtx = null;
}
}
From source file:com.linecorp.armeria.server.AbstractVirtualHostBuilder.java
License:Apache License
/** * Configures SSL or TLS of this {@link VirtualHost} with the specified {@code keyCertChainFile}, * {@code keyFile} and {@code keyPassword}. *///from w w w . j a va2 s . c o m public B tls(File keyCertChainFile, File keyFile, @Nullable String keyPassword) throws SSLException { if (!keyCertChainFile.exists()) { throw new SSLException("non-existent certificate chain file: " + keyCertChainFile); } if (!keyCertChainFile.canRead()) { throw new SSLException("cannot read certificate chain file: " + keyCertChainFile); } if (!keyFile.exists()) { throw new SSLException("non-existent key file: " + keyFile); } if (!keyFile.canRead()) { throw new SSLException("cannot read key file: " + keyFile); } final SslContext sslCtx; try { sslCtx = BouncyCastleKeyFactoryProvider.call(() -> { final SslContextBuilder builder = SslContextBuilder.forServer(keyCertChainFile, keyFile, keyPassword); builder.sslProvider(Flags.useOpenSsl() ? SslProvider.OPENSSL : SslProvider.JDK); builder.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE); builder.applicationProtocolConfig(HTTPS_ALPN_CFG); return builder.build(); }); } catch (RuntimeException | SSLException e) { throw e; } catch (Exception e) { throw new SSLException("failed to configure TLS: " + e, e); } tls(sslCtx); return self(); }
From source file:com.linecorp.armeria.server.VirtualHostBuilder.java
License:Apache License
/** * Sets the {@link SslContext} of this {@link VirtualHost} from the specified {@link SessionProtocol}, * {@code keyCertChainFile}, {@code keyFile} and {@code keyPassword}. *///from w w w .j ava 2s . com public VirtualHostBuilder sslContext(SessionProtocol protocol, File keyCertChainFile, File keyFile, String keyPassword) throws SSLException { if (requireNonNull(protocol, "protocol") != SessionProtocol.HTTPS) { throw new IllegalArgumentException("unsupported protocol: " + protocol); } final SslContextBuilder builder = SslContextBuilder.forServer(keyCertChainFile, keyFile, keyPassword); builder.sslProvider(NativeLibraries.isOpenSslAvailable() ? SslProvider.OPENSSL : SslProvider.JDK); builder.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE); builder.applicationProtocolConfig(HTTPS_ALPN_CFG); sslContext(builder.build()); return this; }
From source file:com.vmware.xenon.host.XenonHostWithPeerListener.java
License:Open Source License
private int startPeerListener() throws Throwable { if (this.hostArgs.nodeGroupPublicUri == null) { return ServiceHost.PORT_VALUE_LISTENER_DISABLED; }// www . j av a 2s . c o m URI uri = URI.create(this.hostArgs.nodeGroupPublicUri); NettyHttpListener peerListener = new NettyHttpListener(this); boolean isHttps = uri.getScheme().equals("https"); if (isHttps) { SslContextBuilder builder; if (this.hostArgs.peerCertificateFile != null && this.hostArgs.peerKeyFile != null) { builder = SslContextBuilder.forServer(this.hostArgs.peerCertificateFile.toFile(), this.hostArgs.peerKeyFile.toFile(), this.hostArgs.peerKeyPassphrase); } else { builder = SslContextBuilder.forServer(this.hostArgs.certificateFile.toFile(), this.hostArgs.keyFile.toFile(), this.hostArgs.keyPassphrase); } if (OpenSsl.isAlpnSupported()) { builder.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE) .applicationProtocolConfig( new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN, ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE, ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT, ApplicationProtocolNames.HTTP_2, ApplicationProtocolNames.HTTP_1_1)); } peerListener.setSSLContext(builder.build()); } peerListener.start(uri.getPort(), uri.getHost()); int assignedPort = peerListener.getPort(); log(Level.INFO, "Started peer listener on %s", UriUtils.buildUri(uri.getScheme(), uri.getHost(), assignedPort, null, null)); return assignedPort; }
From source file:io.airlift.drift.transport.netty.DriftNettyMethodInvokerFactory.java
License:Apache License
@Override public MethodInvoker createMethodInvoker(AddressSelector addressSelector, I clientIdentity) { DriftNettyClientConfig clientConfig = clientConfigurationProvider.apply(clientIdentity); TProtocolFactory protocolFactory;//from w w w . j av a 2 s . c o m switch (clientConfig.getProtocol()) { case BINARY: protocolFactory = new TBinaryProtocol.Factory(false, true, -1, clientConfig.getMaxFrameSize().toBytes()); break; case COMPACT: // Header transport uses the FB fork of the compact protocol if (clientConfig.getTransport() == Transport.HEADER) { protocolFactory = new TFacebookCompactProtocol.Factory( toIntExact(clientConfig.getMaxFrameSize().toBytes())); } else { protocolFactory = new TCompactProtocol.Factory(-1, clientConfig.getMaxFrameSize().toBytes()); } break; default: throw new IllegalArgumentException("Unknown protocol: " + clientConfig.getProtocol()); } MessageFraming messageFraming; MessageEncoding messageEncoding; switch (clientConfig.getTransport()) { case UNFRAMED: messageFraming = new NoMessageFraming(protocolFactory, clientConfig.getMaxFrameSize()); messageEncoding = new SimpleMessageEncoding(protocolFactory); break; case FRAMED: messageFraming = new LengthPrefixedMessageFraming(clientConfig.getMaxFrameSize()); messageEncoding = new SimpleMessageEncoding(protocolFactory); break; case HEADER: messageFraming = new LengthPrefixedMessageFraming(clientConfig.getMaxFrameSize()); messageEncoding = new HeaderMessageEncoding(protocolFactory); break; default: throw new IllegalArgumentException("Unknown transport: " + clientConfig.getTransport()); } Optional<SslContext> sslContext; if (clientConfig.isSslEnabled()) { try { SslContextBuilder sslContextBuilder = SslContextBuilder.forClient() .trustManager(clientConfig.getTrustCertificate()) .keyManager(clientConfig.getKey(), null, clientConfig.getKeyPassword()) .sessionCacheSize(clientConfig.getSessionCacheSize()) .sessionTimeout(clientConfig.getSessionTimeout().roundTo(SECONDS)); if (!clientConfig.getCiphers().isEmpty()) { sslContextBuilder.ciphers(clientConfig.getCiphers()); } sslContext = Optional.of(sslContextBuilder.build()); } catch (SSLException e) { throw new RuntimeException("Invalid SSL configuration", e); } } else { sslContext = Optional.empty(); } ConnectionManager connectionManager = new ConnectionFactory(group, messageFraming, messageEncoding, sslContext, clientConfig); if (clientConfig.isPoolEnabled()) { connectionManager = new ConnectionPool(connectionManager, group, clientConfig); } return new DriftNettyMethodInvoker(connectionManager, addressSelector); }
From source file:io.airlift.drift.transport.netty.ssl.ReloadableSslContext.java
License:Apache License
public synchronized void reload() { try {//from w w w . j ava 2 s .c o m // every watch must be called each time to update status boolean trustCertificateModified = trustCertificatesFileWatch.updateState(); boolean clientCertificateModified = false; if (clientCertificatesFileWatch.isPresent()) { clientCertificateModified = clientCertificatesFileWatch.get().updateState(); } boolean privateKeyModified = false; if (privateKeyFileWatch.isPresent()) { privateKeyModified = privateKeyFileWatch.get().updateState(); } if (trustCertificateModified || clientCertificateModified || privateKeyModified) { PrivateKey privateKey = null; if (privateKeyFileWatch.isPresent()) { privateKey = loadPrivateKey(privateKeyFileWatch.get().getFile(), privateKeyPassword); } X509Certificate[] certificateChain = null; if (clientCertificatesFileWatch.isPresent()) { certificateChain = readCertificateChain(clientCertificatesFileWatch.get().getFile()) .toArray(new X509Certificate[0]); } SslContextBuilder sslContextBuilder; if (forClient) { sslContextBuilder = SslContextBuilder.forClient().keyManager(privateKey, certificateChain); } else { sslContextBuilder = SslContextBuilder.forServer(privateKey, certificateChain); } X509Certificate[] trustChain = readCertificateChain(trustCertificatesFileWatch.getFile()) .toArray(new X509Certificate[0]); sslContextBuilder.trustManager(trustChain).sessionCacheSize(sessionCacheSize) .sessionTimeout(sessionTimeout.roundTo(SECONDS)); if (!ciphers.isEmpty()) { sslContextBuilder.ciphers(ciphers); } sslContext.set(new SslContextHolder(sslContextBuilder.build())); } } catch (GeneralSecurityException e) { sslContext.set(new SslContextHolder(new UncheckedIOException(new IOException(e)))); } catch (IOException e) { sslContext.set(new SslContextHolder(new UncheckedIOException(e))); } }
From source file:io.gatling.http.client.impl.DefaultHttpClient.java
License:Apache License
public DefaultHttpClient(HttpClientConfig config) { this.config = config; try {//from w ww. ja va 2s .co m SslContextBuilder sslContextBuilder = SslContextBuilder.forClient(); if (config.getSslSessionCacheSize() > 0) { sslContextBuilder.sessionCacheSize(config.getSslSessionCacheSize()); } if (config.getSslSessionTimeout() > 0) { sslContextBuilder.sessionTimeout(config.getSslSessionTimeout()); } if (isNonEmpty(config.getEnabledSslProtocols())) { sslContextBuilder.protocols(config.getEnabledSslProtocols()); } if (isNonEmpty(config.getEnabledSslCipherSuites())) { sslContextBuilder.ciphers(Arrays.asList(config.getEnabledSslCipherSuites())); } else if (!config.isFilterInsecureCipherSuites()) { sslContextBuilder.ciphers(null, IdentityCipherSuiteFilter.INSTANCE_DEFAULTING_TO_SUPPORTED_CIPHERS); } sslContextBuilder.sslProvider(config.isUseOpenSsl() ? SslProvider.OPENSSL : SslProvider.JDK) .keyManager(config.getKeyManagerFactory()).trustManager(config.getTrustManagerFactory()); this.sslContext = sslContextBuilder.build(); this.alpnSslContext = sslContextBuilder.applicationProtocolConfig( new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN, // NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK providers. ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE, // ACCEPT is currently the only mode supported by both OpenSsl and JDK providers. ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT, ApplicationProtocolNames.HTTP_2, ApplicationProtocolNames.HTTP_1_1)) .build(); } catch (SSLException e) { throw new IllegalArgumentException("Impossible to create SslContext", e); } DefaultThreadFactory threadFactory = new DefaultThreadFactory(config.getThreadPoolName()); eventLoopGroup = config.isUseNativeTransport() ? new EpollEventLoopGroup(0, threadFactory) : new NioEventLoopGroup(0, threadFactory); eventLoopPicker = new AffinityEventLoopPicker(eventLoopGroup); channelGroup = new DefaultChannelGroup(eventLoopGroup.next()); }
From source file:io.vertx.core.net.impl.SSLHelper.java
License:Open Source License
private SslContext createContext(VertxInternal vertx) { try {/*from ww w.j a v a2s .c om*/ KeyManagerFactory keyMgrFactory = getKeyMgrFactory(vertx); TrustManagerFactory trustMgrFactory = getTrustMgrFactory(vertx); SslContextBuilder builder; if (client) { builder = SslContextBuilder.forClient(); if (keyMgrFactory != null) { builder.keyManager(keyMgrFactory); } } else { if (keyMgrFactory == null) { throw new VertxException("Key/certificate is mandatory for SSL"); } builder = SslContextBuilder.forServer(keyMgrFactory); } Collection<String> cipherSuites = enabledCipherSuites; if (openSsl) { builder.sslProvider(SslProvider.OPENSSL); if (cipherSuites == null || cipherSuites.isEmpty()) { cipherSuites = OpenSsl.availableOpenSslCipherSuites(); } } else { builder.sslProvider(SslProvider.JDK); if (cipherSuites == null || cipherSuites.isEmpty()) { cipherSuites = DEFAULT_JDK_CIPHER_SUITE; } } if (trustMgrFactory != null) { builder.trustManager(trustMgrFactory); } if (cipherSuites != null && cipherSuites.size() > 0) { builder.ciphers(cipherSuites); } if (useAlpn && applicationProtocols != null && applicationProtocols.size() > 0) { builder.applicationProtocolConfig(new ApplicationProtocolConfig( ApplicationProtocolConfig.Protocol.ALPN, ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE, ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT, applicationProtocols .stream().map(PROTOCOL_NAME_MAPPING::get).collect(Collectors.toList()))); } return builder.build(); } catch (Exception e) { throw new VertxException(e); } }