List of usage examples for io.netty.handler.ssl SslHandler SslHandler
public SslHandler(SSLEngine engine, Executor delegatedTaskExecutor)
From source file:org.jdiameter.client.impl.transport.tls.netty.StartTlsServerHandler.java
License:Open Source License
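/**
 * Upgrades the connection to TLS when the peer sends the plaintext {@code StartTlsRequest}
 * marker; any other payload is passed to the next handler unchanged.
 *
 * <p>On a match the four Diameter handlers and this handler are removed, a server-mode
 * {@link SslHandler} is appended to the pipeline, and {@code StartTlsResponse} is written back
 * through this handler's context. When the handshake completes successfully the transport
 * client is moved to {@link TlsHandshakingState#SHAKEN} and the Diameter handlers are re-added
 * behind the {@link SslHandler}.
 *
 * @param ctx the context of this handler
 * @param msg the inbound {@link ByteBuf}; released here when it is the StartTLS marker,
 *            forwarded (ownership included) otherwise
 * @throws Exception propagated from the SSL context factory or pipeline manipulation
 */
@SuppressWarnings({ "unchecked", "rawtypes" })
@Override
public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
    logger.debug("StartTlsServerHandler");
    ByteBuf buf = (ByteBuf) msg;
    byte[] bytes = new byte[buf.readableBytes()];
    buf.getBytes(buf.readerIndex(), bytes);
    // Decode with an explicit charset: the marker is ASCII and the comparison must not depend
    // on the JVM's platform default encoding.
    if (!"StartTlsRequest".equals(new String(bytes, java.nio.charset.StandardCharsets.UTF_8))) {
        ctx.fireChannelRead(msg);
        return;
    }
    logger.debug("Received StartTlsRequest");
    try {
        SslContext sslContext = SslContextFactory.getSslContextForServer(this.tlsTransportClient.getConfig());
        SSLEngine sslEngine = sslContext.newEngine(ctx.alloc());
        sslEngine.setUseClientMode(false);
        // startTls=false: every write that passes through the SslHandler is encrypted.
        SslHandler sslHandler = new SslHandler(sslEngine, false);
        final ChannelPipeline pipeline = ctx.pipeline();
        // Remove the Diameter handlers (and this one) before the TLS handler goes in;
        // they are re-added once the handshake has completed.
        pipeline.remove("decoder");
        pipeline.remove("msgHandler");
        pipeline.remove("encoder");
        pipeline.remove("inbandWriter");
        pipeline.remove(this);
        pipeline.addLast("sslHandler", sslHandler);
        sslHandler.handshakeFuture().addListener(new GenericFutureListener() {
            @Override
            public void operationComplete(Future future) throws Exception {
                if (future.isSuccess()) {
                    logger.debug("StartTls server handshake succesfull");
                    tlsTransportClient.setTlsHandshakingState(TlsHandshakingState.SHAKEN);
                    logger.debug("restoring all handlers");
                    restoreDiameterHandlers(pipeline);
                }
                // NOTE(review): a failed handshake is neither logged nor reported here and the
                // channel is left without Diameter handlers — confirm the SslHandler's own
                // failure path closes the channel.
            }
        });
        logger.debug("Sending StartTlsResponse");
        // Written via this handler's context, i.e. from a point ahead of the tail-appended
        // SslHandler, so the response presumably leaves in the clear — verify against the client.
        ctx.writeAndFlush(Unpooled.wrappedBuffer(
                "StartTlsResponse".getBytes(java.nio.charset.StandardCharsets.UTF_8)))
                .addListener(new GenericFutureListener() {
                    @Override
                    public void operationComplete(Future f) throws Exception {
                        if (!f.isSuccess()) {
                            logger.error(f.cause().getMessage(), f.cause());
                        }
                    }
                });
    } finally {
        // The request buffer was fully copied above; release it even if the upgrade failed part-way.
        ReferenceCountUtil.release(msg);
    }
}

/**
 * Re-installs the Diameter handlers behind the TLS handler after a successful handshake,
 * appended in this fixed order: decoder, msgHandler, encoder, inbandWriter.
 *
 * @param pipeline the channel pipeline that now ends with the {@link SslHandler}
 */
private void restoreDiameterHandlers(ChannelPipeline pipeline) {
    pipeline.addLast("decoder", new DiameterMessageDecoder(
            this.tlsTransportClient.getParent(), this.tlsTransportClient.getParser()));
    pipeline.addLast("msgHandler", new DiameterMessageHandler(this.tlsTransportClient.getParent(), true));
    pipeline.addLast("encoder", new DiameterMessageEncoder(this.tlsTransportClient.getParser()));
    pipeline.addLast("inbandWriter", new InbandSecurityHandler());
}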
From source file:org.jpos.qrest.RestServer.java
License:Open Source License
/**
 * Builds and configures the Netty server bootstrap for this REST service.
 *
 * <p>Every accepted child channel gets an idle-timeout handler (seconds taken from the
 * {@code timeout} config key, default 300), optionally a TLS handler, the HTTP codec with a
 * 512 KiB aggregator, and finally a {@link RestSession} bound to this server.
 *
 * <p>NOTE(review): the second {@link SslHandler} argument is Netty's {@code startTls} flag,
 * which leaves the first write unencrypted. For a listener that is expected to speak HTTPS
 * from the first byte this looks unintended — confirm against the clients this serves.
 *
 * @throws GeneralSecurityException if the SSL context cannot be created
 * @throws IOException if the key material cannot be read
 */
@Override
protected void initService() throws GeneralSecurityException, IOException {
    sp = SpaceFactory.getSpace();
    final SSLContext sslContext;
    if (enableTLS) {
        sslContext = getSSLContext();
    } else {
        sslContext = null;
    }
    ChannelInitializer<SocketChannel> childInitializer = new ChannelInitializer<SocketChannel>() {
        @Override
        public void initChannel(SocketChannel ch) throws Exception {
            // Read per channel so configuration changes are picked up by new connections.
            int idleSeconds = cfg.getInt("timeout", 300);
            ch.pipeline().addLast(new IdleStateHandler(idleSeconds, idleSeconds, idleSeconds));
            if (enableTLS) {
                ch.pipeline().addLast(new SslHandler(getSSLEngine(sslContext), true));
            }
            ch.pipeline().addLast(new HttpServerCodec());
            ch.pipeline().addLast(new HttpObjectAggregator(512 * 1024));
            ch.pipeline().addLast(new RestSession(RestServer.this));
        }
    };
    bossGroup = new NioEventLoopGroup();
    workerGroup = new NioEventLoopGroup();
    serverBootstrap = new ServerBootstrap();
    serverBootstrap
            .group(bossGroup, workerGroup)
            .channel(NioServerSocketChannel.class)
            .childHandler(childInitializer)
            .option(ChannelOption.SO_BACKLOG, 128)
            .option(ChannelOption.SO_REUSEADDR, true)
            .childOption(ChannelOption.SO_KEEPALIVE, true);
    if (enableTLS) {
        // Logs engine details (protocols/ciphers) for a throw-away engine built from the same context.
        logSSLEngineInfo(getSSLEngine(sslContext));
    }
}
From source file:org.maodian.flyingcat.xmpp.state.DefaultElementVisitor.java
License:Apache License
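/**
 * Handles the client's {@code <starttls/>} request: installs a server-mode {@link SslHandler}
 * at the head of the pipeline and answers with {@code <proceed/>}.
 *
 * <p>The handler is created with {@code startTls=true}, so the {@code <proceed/>} written
 * right after it is installed is the one write that leaves unencrypted; everything after it
 * goes through TLS. When the TLS session is closed by the peer, the socket is closed too.
 *
 * @param xmppCtx the XMPP context owning the Netty channel context
 * @param tls the parsed starttls element (not inspected here)
 * @return the stream state to continue with once TLS is active
 * @throws XMLStreamException if the {@code <proceed/>} reply cannot be written
 */
@Override
public State handleTLS(XmppContext xmppCtx, TLS tls) throws XMLStreamException {
    ChannelHandlerContext ctx = xmppCtx.getNettyChannelHandlerContext();
    SSLEngine engine = SecureSslContextFactory.getServerContext().createSSLEngine();
    engine.setUseClientMode(false);
    // startTls=true: the <proceed/> below must reach the client in the clear.
    SslHandler sslHandler = new SslHandler(engine, true);
    sslHandler.sslCloseFuture().addListener(new ChannelFutureListener() {
        @Override
        public void operationComplete(ChannelFuture future) throws Exception {
            log.info("Close the socket since SSL connection has been closed by client");
            future.channel().close();
        }
    });
    // Must sit in front of everything else so all subsequent traffic is (de)crypted.
    ctx.pipeline().addFirst("ssl", sslHandler);
    StringWriter writer = new StringWriter();
    XMLStreamWriter xmlsw = XMLOutputFactoryHolder.getXMLOutputFactory().createXMLStreamWriter(writer);
    try {
        xmlsw.writeEmptyElement("", "proceed", XmppNamespace.TLS);
        xmlsw.setPrefix("", XmppNamespace.TLS);
        xmlsw.writeNamespace("", XmppNamespace.TLS);
        xmlsw.writeEndDocument();
        // Push any buffered output into the StringWriter before it is read back.
        xmlsw.flush();
    } finally {
        // XMLStreamWriter is not AutoCloseable; close explicitly so the writer's resources are freed.
        xmlsw.close();
    }
    xmppCtx.flush(writer.toString());
    return xmppCtx.getGlobalContext().getTlsStreamState();
}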
From source file:org.ow2.petals.bc.gateway.commons.handlers.AuthenticatorSSLHandler.java
License:Open Source License
/**
 * Finishes connection set-up after authentication: optionally installs a TLS handler, swaps
 * the generic logging handlers for ones named after this domain, sends the Accept (server
 * side) and installs the domain handler.
 *
 * <p>Which TLS role is taken depends on {@code pdOrAuth} and the supplied material:
 * <ul>
 *   <li>server side ({@code isB()}) with both {@code certificate} and {@code key}: server
 *       context; a client certificate is required only when {@code remoteCertificate} is
 *       given — otherwise the peer is not certificate-authenticated at the TLS layer;</li>
 *   <li>client side ({@code isA()}) with {@code remoteCertificate}: client context whose
 *       trust is restricted to that certificate file, with an optional client certificate;</li>
 *   <li>anything else: no TLS handler at all, the connection stays in plaintext.</li>
 * </ul>
 * No endpoint identification (hostname check) is configured in this method — presumably the
 * pinned trust material is meant to cover that; verify.
 *
 * <p>Ordering matters: when TLS is used the domain handler is only installed (and
 * {@code authenticationFuture} completed) from the handshake listener; without TLS both
 * happen at the end of this method, after the Accept has been written.
 *
 * @param ctx the channel context being set up
 * @param domain the domain this connection belongs to
 * @param certificate our certificate file name (relative to the SU install root), or null
 * @param key our private key file name, or null
 * @param passphrase passphrase for {@code key}, or null
 * @param remoteCertificate the peer's certificate file name, or null
 * @throws SSLException if the SSL context cannot be built
 */
private void setUpSslHandlers(final ChannelHandlerContext ctx, final AbstractDomain domain,
        final @Nullable String certificate, final @Nullable String key, final @Nullable String passphrase,
        final @Nullable String remoteCertificate) throws SSLException {
    // TODO could we use certificate only for auth and not encryption?
    // TODO support openssl
    final SslHandler sslHandler;
    if (pdOrAuth.isB() && certificate != null && key != null) {
        // server side ssl, do not forget startTls so that our accept can be sent after the handler is added
        final ServiceUnitDataHandler handler = domain.getSUHandler();
        // ciphers(null, identity filter): the provider's default suites, passed through unfiltered;
        // sessionCacheSize/sessionTimeout of 0 leave Netty's defaults in place.
        final SslContextBuilder builder = SslContextBuilder
                .forServer(ServiceUnitUtil.getFile(handler.getInstallRoot(), certificate),
                        ServiceUnitUtil.getFile(handler.getInstallRoot(), key), passphrase)
                .sslProvider(SslProvider.JDK).ciphers(null, IdentityCipherSuiteFilter.INSTANCE)
                .sessionCacheSize(0).sessionTimeout(0);
        if (remoteCertificate != null) {
            // mutual TLS: only the configured remote certificate is trusted and a client cert is mandatory
            builder.trustManager(ServiceUnitUtil.getFile(handler.getInstallRoot(), remoteCertificate))
                    .clientAuth(ClientAuth.REQUIRE);
        }
        // until https://github.com/netty/netty/issues/5170 is accepted
        // we need to create the handler by hand (startTls=true: the first write, our Accept, is sent in the clear)
        sslHandler = new SslHandler(builder.build().newEngine(ctx.alloc()), true);
    } else if (pdOrAuth.isA() && remoteCertificate != null) {
        // client side: trust is pinned to the provider's certificate file
        final String installRoot = domain.getSUHandler().getInstallRoot();
        final SslContextBuilder builder = SslContextBuilder.forClient().sslProvider(SslProvider.JDK)
                .trustManager(ServiceUnitUtil.getFile(installRoot, remoteCertificate))
                .ciphers(null, IdentityCipherSuiteFilter.INSTANCE).sessionCacheSize(0).sessionTimeout(0);
        if (certificate != null && key != null) {
            // present our own certificate when the server asks for client auth
            builder.keyManager(ServiceUnitUtil.getFile(installRoot, certificate),
                    ServiceUnitUtil.getFile(installRoot, key), passphrase);
        }
        sslHandler = builder.build().newHandler(ctx.alloc());
    } else {
        // no usable TLS material for this role: the connection continues unencrypted
        sslHandler = null;
    }
    // For a server, it contains the transporter name and the consumer domain name (it was updated in channelRead0)
    // For a client, it contains the provider domain name (it was set by the component)
    final String logName = logger.getName();
    // let's replace the debug logger with something specific to this consumer
    ctx.pipeline().replace(HandlerConstants.LOG_DEBUG_HANDLER, HandlerConstants.LOG_DEBUG_HANDLER,
            new LoggingHandler(logName, LogLevel.TRACE));
    ctx.pipeline().replace(HandlerConstants.LOG_ERRORS_HANDLER, HandlerConstants.LOG_ERRORS_HANDLER,
            new LastLoggingHandler(logName + ".errors"));
    if (sslHandler != null) {
        // if there is a sslHandler, then we can only add the domain handler after the handshake is finished
        // if not we risk sending things too early in it
        sslHandler.handshakeFuture().addListener(new FutureListener<Channel>() {
            @Override
            public void operationComplete(final @Nullable Future<Channel> future) throws Exception {
                assert future != null;
                if (!future.isSuccess()) {
                    // a failed handshake fails the authentication as a whole
                    authenticationFuture.setFailure(future.cause());
                } else {
                    // I must keep the handler here until now in case there is an exception so that I can log it
                    ctx.pipeline().replace(HandlerConstants.DOMAIN_HANDLER, HandlerConstants.DOMAIN_HANDLER,
                            dhb.build(domain));
                    authenticationFuture.setSuccess(ctx.channel());
                }
            }
        });
        // placed right after the debug logger so that the logger sees the encrypted bytes and everything behind it sees plaintext
        ctx.pipeline().addAfter(HandlerConstants.LOG_DEBUG_HANDLER, HandlerConstants.SSL_HANDLER, sslHandler);
    }
    if (pdOrAuth.isB()) {
        if (logger.isLoggable(Level.FINE)) {
            logger.fine("Sending an Accept (" + ctx.channel().remoteAddress() + ")");
        }
        // this must be sent after the ssl handler is installed (when using ssl) so that we are ready to receive ssl data right away
        // but this must be sent before the domain handler is replaced (when not using ssl), because it will send
        // data and it must arrive AFTER our Accept
        ctx.writeAndFlush(new AuthAccept());
    }
    // else it is done in the FutureListener
    if (sslHandler == null) {
        ctx.pipeline().replace(HandlerConstants.DOMAIN_HANDLER, HandlerConstants.DOMAIN_HANDLER, dhb.build(domain));
        authenticationFuture.setSuccess(ctx.channel());
    }
}