io.netty.handler.ssl.SupportedCipherSuiteFilter Java Examples

The following examples show how to use io.netty.handler.ssl.SupportedCipherSuiteFilter. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: Http2NettyTest.java    From grpc-nebula-java with Apache License 2.0 6 votes vote down vote up
@Override
protected AbstractServerImplBuilder<?> getServerBuilder() {
  // Starts the server with HTTPS.
  try {
    return NettyServerBuilder.forPort(0)
        .flowControlWindow(65 * 1024)
        .maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
        .sslContext(GrpcSslContexts
            .forServer(TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key"))
            .clientAuth(ClientAuth.REQUIRE)
            .trustManager(TestUtils.loadCert("ca.pem"))
            .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
            .build());
  } catch (IOException ex) {
    throw new RuntimeException(ex);
  }
}
 
Example #2
Source File: SslUtil.java    From AndroidHttpCapture with MIT License 6 votes vote down vote up
/**
 * Creates a netty SslContext for use when connecting to upstream servers. Retrieves the list of trusted root CAs
 * from the trustSource. When trustSource is true, no upstream certificate verification will be performed.
 * <b>This will make it possible for attackers to MITM communications with the upstream server</b>, so always
 * supply an appropriate trustSource except in extraordinary circumstances (e.g. testing with dynamically-generated
 * certificates).
 *
 * @param cipherSuites    cipher suites to allow when connecting to the upstream server
 * @param trustSource     the trust store that will be used to validate upstream servers' certificates, or null to accept all upstream server certificates
 * @return an SSLContext to connect to upstream servers with
 */
public static SslContext getUpstreamServerSslContext(Collection<String> cipherSuites, TrustSource trustSource) {
    SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();

    if (trustSource == null) {
        log.warn("Disabling upstream server certificate verification. This will allow attackers to intercept communications with upstream servers.");

        sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
    } else {
        sslContextBuilder.trustManager(trustSource.getTrustedCAs());
    }

    sslContextBuilder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE);

    try {
        return sslContextBuilder.build();
    } catch (SSLException e) {
        throw new SslContextInitializationException("Error creating new SSL context for connection to upstream server", e);
    }
}
 
Example #3
Source File: NettyHttp2Client.java    From jmeter-http2-plugin with Apache License 2.0 6 votes vote down vote up
private SslContext getSslContext() {
    SslContext sslCtx = null;

    final SslProvider provider = OpenSsl.isAlpnSupported() ? SslProvider.OPENSSL : SslProvider.JDK;

    try {
        sslCtx = SslContextBuilder.forClient()
            .sslProvider(provider)
            .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
            .trustManager(InsecureTrustManagerFactory.INSTANCE)
            .applicationProtocolConfig(new ApplicationProtocolConfig(
                Protocol.ALPN,
                SelectorFailureBehavior.NO_ADVERTISE,
                SelectedListenerFailureBehavior.ACCEPT,
                ApplicationProtocolNames.HTTP_2))
            .build();
    } catch(SSLException exception) {
        return null;
    }

    return sslCtx;
}
 
Example #4
Source File: Http2OkHttpTest.java    From grpc-nebula-java with Apache License 2.0 6 votes vote down vote up
@Override
protected AbstractServerImplBuilder<?> getServerBuilder() {
  // Starts the server with HTTPS.
  try {
    SslProvider sslProvider = SslContext.defaultServerProvider();
    if (sslProvider == SslProvider.OPENSSL && !OpenSsl.isAlpnSupported()) {
      // OkHttp only supports Jetty ALPN on OpenJDK. So if OpenSSL doesn't support ALPN, then we
      // are forced to use Jetty ALPN for Netty instead of OpenSSL.
      sslProvider = SslProvider.JDK;
    }
    SslContextBuilder contextBuilder = SslContextBuilder
        .forServer(TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key"));
    GrpcSslContexts.configure(contextBuilder, sslProvider);
    contextBuilder.ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE);
    return NettyServerBuilder.forPort(0)
        .flowControlWindow(65 * 1024)
        .maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
        .sslContext(contextBuilder.build());
  } catch (IOException ex) {
    throw new RuntimeException(ex);
  }
}
 
Example #5
Source File: SslUtil.java    From Dream-Catcher with MIT License 6 votes vote down vote up
/**
 * Creates a netty SslContext for use when connecting to upstream servers. Retrieves the list of trusted root CAs
 * from the trustSource. When trustSource is true, no upstream certificate verification will be performed.
 * <b>This will make it possible for attackers to MITM communications with the upstream server</b>, so always
 * supply an appropriate trustSource except in extraordinary circumstances (e.g. testing with dynamically-generated
 * certificates).
 *
 * @param cipherSuites    cipher suites to allow when connecting to the upstream server
 * @param trustSource     the trust store that will be used to validate upstream servers' certificates, or null to accept all upstream server certificates
 * @return an SSLContext to connect to upstream servers with
 */
public static SslContext getUpstreamServerSslContext(Collection<String> cipherSuites, TrustSource trustSource) {
    SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();

    if (trustSource == null) {
        log.warn("Disabling upstream server certificate verification. This will allow attackers to intercept communications with upstream servers.");

        sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
    } else {
        sslContextBuilder.trustManager(trustSource.getTrustedCAs());
    }

    sslContextBuilder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE);

    try {
        return sslContextBuilder.build();
    } catch (SSLException e) {
        throw new SslContextInitializationException("Error creating new SSL context for connection to upstream server", e);
    }
}
 
Example #6
Source File: AwaitCloseChannelPoolMap.java    From aws-sdk-java-v2 with Apache License 2.0 6 votes vote down vote up
private SslContext sslContext(URI targetAddress) {
    URI proxyAddress = proxyAddress(targetAddress);

    boolean needContext = targetAddress.getScheme().equalsIgnoreCase("https")
            || proxyAddress != null && proxyAddress.getScheme().equalsIgnoreCase("https");

    if (!needContext) {
        return null;
    }

    try {
        return SslContextBuilder.forClient()
                                .sslProvider(sslProvider)
                                .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
                                .trustManager(getTrustManager())
                                .keyManager(getKeyManager())
                                .build();
    } catch (SSLException e) {
        throw new RuntimeException(e);
    }
}
 
Example #7
Source File: Http2OkHttpTest.java    From grpc-java with Apache License 2.0 6 votes vote down vote up
@Override
protected AbstractServerImplBuilder<?> getServerBuilder() {
  // Starts the server with HTTPS.
  try {
    SslProvider sslProvider = SslContext.defaultServerProvider();
    if (sslProvider == SslProvider.OPENSSL && !SslProvider.isAlpnSupported(SslProvider.OPENSSL)) {
      // OkHttp only supports Jetty ALPN on OpenJDK. So if OpenSSL doesn't support ALPN, then we
      // are forced to use Jetty ALPN for Netty instead of OpenSSL.
      sslProvider = SslProvider.JDK;
    }
    SslContextBuilder contextBuilder = SslContextBuilder
        .forServer(TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key"));
    GrpcSslContexts.configure(contextBuilder, sslProvider);
    contextBuilder.ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE);
    return NettyServerBuilder.forPort(0)
        .flowControlWindow(65 * 1024)
        .maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
        .sslContext(contextBuilder.build());
  } catch (IOException ex) {
    throw new RuntimeException(ex);
  }
}
 
Example #8
Source File: XrpcClient.java    From xrpc with Apache License 2.0 6 votes vote down vote up
private SslContext buildSslCtx() {
  SslProvider provider = OpenSsl.isAlpnSupported() ? SslProvider.OPENSSL : SslProvider.JDK;
  try {
    return SslContextBuilder.forClient()
        .sslProvider(provider)
        .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
        .trustManager(InsecureTrustManagerFactory.INSTANCE)
        // TODO(JR): Make a seperate Handler Class for http2 as opposed to autoneg
        //        .applicationProtocolConfig(new ApplicationProtocolConfig(
        //          ApplicationProtocolConfig.Protocol.ALPN,
        //          // NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK
        //             providers.
        //          ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
        //          // ACCEPT is currently the only mode supported by both OpenSsl and JDK
        //             providers.
        //          ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
        //          ApplicationProtocolNames.HTTP_2,
        //          ApplicationProtocolNames.HTTP_1_1))
        .build();
  } catch (SSLException e) {
    e.printStackTrace();
  }

  return null;
}
 
Example #9
Source File: SslUtil.java    From CapturePacket with MIT License 6 votes vote down vote up
/**
 * Creates a netty SslContext for use when connecting to upstream servers. Retrieves the list of trusted root CAs
 * from the trustSource. When trustSource is true, no upstream certificate verification will be performed.
 * <b>This will make it possible for attackers to MITM communications with the upstream server</b>, so always
 * supply an appropriate trustSource except in extraordinary circumstances (e.g. testing with dynamically-generated
 * certificates).
 *
 * @param cipherSuites    cipher suites to allow when connecting to the upstream server
 * @param trustSource     the trust store that will be used to validate upstream servers' certificates, or null to accept all upstream server certificates
 * @return an SSLContext to connect to upstream servers with
 */
public static SslContext getUpstreamServerSslContext(Collection<String> cipherSuites, TrustSource trustSource) {
    SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();

    if (trustSource == null) {
        log.warn("Disabling upstream server certificate verification. This will allow attackers to intercept communications with upstream servers.");

        sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
    } else {
        sslContextBuilder.trustManager(trustSource.getTrustedCAs());
    }

    sslContextBuilder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE);

    try {
        return sslContextBuilder.build();
    } catch (SSLException e) {
        throw new SslContextInitializationException("Error creating new SSL context for connection to upstream server", e);
    }
}
 
Example #10
Source File: Http2NettyTest.java    From grpc-java with Apache License 2.0 6 votes vote down vote up
@Override
protected AbstractServerImplBuilder<?> getServerBuilder() {
  // Starts the server with HTTPS.
  try {
    return NettyServerBuilder.forPort(0)
        .flowControlWindow(65 * 1024)
        .maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
        .sslContext(GrpcSslContexts
            .forServer(TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key"))
            .clientAuth(ClientAuth.REQUIRE)
            .trustManager(TestUtils.loadCert("ca.pem"))
            .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
            .build());
  } catch (IOException ex) {
    throw new RuntimeException(ex);
  }
}
 
Example #11
Source File: Http2NettyTest.java    From grpc-java with Apache License 2.0 6 votes vote down vote up
@Override
protected ManagedChannel createChannel() {
  try {
    NettyChannelBuilder builder = NettyChannelBuilder
        .forAddress(TestUtils.testServerAddress((InetSocketAddress) getListenAddress()))
        .flowControlWindow(65 * 1024)
        .maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
        .sslContext(GrpcSslContexts
            .forClient()
            .keyManager(TestUtils.loadCert("client.pem"), TestUtils.loadCert("client.key"))
            .trustManager(TestUtils.loadX509Cert("ca.pem"))
            .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
            .build());
    // Disable the default census stats interceptor, use testing interceptor instead.
    io.grpc.internal.TestingAccessor.setStatsEnabled(builder, false);
    return builder.intercept(createCensusStatsClientInterceptor()).build();
  } catch (Exception ex) {
    throw new RuntimeException(ex);
  }
}
 
Example #12
Source File: SslUtil.java    From hivemq-community-edition with Apache License 2.0 6 votes vote down vote up
@NotNull
public SslContext createSslServerContext(@NotNull final KeyManagerFactory kmf, @Nullable final TrustManagerFactory tmFactory, @Nullable final List<String> cipherSuites, @Nullable final List<String> protocols) throws SSLException {

    final SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(kmf);

    sslContextBuilder.sslProvider(SslProvider.JDK).trustManager(tmFactory);

    if (protocols != null && !protocols.isEmpty()) {
        sslContextBuilder.protocols(protocols.toArray(new String[0]));
    }

    //set chosen cipher suites if available
    if (cipherSuites != null && cipherSuites.size() > 0) {
        sslContextBuilder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE);
    } else {
        sslContextBuilder.ciphers(null, SupportedCipherSuiteFilter.INSTANCE);
    }
    return sslContextBuilder.build();
}
 
Example #13
Source File: SslUtil.java    From browserup-proxy with Apache License 2.0 6 votes vote down vote up
/**
 * Creates a netty SslContext for use when connecting to upstream servers. Retrieves the list of trusted root CAs
 * from the trustSource. When trustSource is true, no upstream certificate verification will be performed.
 * <b>This will make it possible for attackers to MITM communications with the upstream server</b>, so always
 * supply an appropriate trustSource except in extraordinary circumstances (e.g. testing with dynamically-generated
 * certificates).
 *
 * @param cipherSuites    cipher suites to allow when connecting to the upstream server
 * @param trustSource     the trust store that will be used to validate upstream servers' certificates, or null to accept all upstream server certificates
 * @return an SSLContext to connect to upstream servers with
 */
public static SslContext getUpstreamServerSslContext(Collection<String> cipherSuites, TrustSource trustSource) {
    SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();

    if (trustSource == null) {
        log.warn("Disabling upstream server certificate verification. This will allow attackers to intercept communications with upstream servers.");

        sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
    } else {
        sslContextBuilder.trustManager(trustSource.getTrustedCAs());
    }

    sslContextBuilder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE);

    try {
        return sslContextBuilder.build();
    } catch (SSLException e) {
        throw new SslContextInitializationException("Error creating new SSL context for connection to upstream server", e);
    }
}
 
Example #14
Source File: NettySslHttp2Factory.java    From ambry with Apache License 2.0 6 votes vote down vote up
/**
 * @param config the {@link SSLConfig}
 * @return a configured {@link SslContext} object for a client.
 * @throws GeneralSecurityException
 * @throws IOException
 */
static SslContext getServerSslContext(SSLConfig config) throws GeneralSecurityException, IOException {
  logger.info("Using {} provider for server SslContext", SslContext.defaultServerProvider());
  SslContextBuilder sslContextBuilder;
  if (config.sslHttp2SelfSign) {
    SelfSignedCertificate ssc = new SelfSignedCertificate();
    sslContextBuilder = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey());
    logger.info("Using Self Signed Certificate.");
  } else {
    sslContextBuilder = SslContextBuilder.forServer(NettySslFactory.getKeyManagerFactory(config))
        .trustManager(NettySslFactory.getTrustManagerFactory(config));
  }
  return sslContextBuilder.sslProvider(SslContext.defaultClientProvider())
      .clientAuth(NettySslFactory.getClientAuth(config))
      /* NOTE: the cipher filter may not include all ciphers required by the HTTP/2 specification.
       * Please refer to the HTTP/2 specification for cipher requirements. */
      .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
      .applicationProtocolConfig(new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN,
          // NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK providers.
          ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
          // ACCEPT is currently the only mode supported by both OpenSsl and JDK providers.
          ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT, ApplicationProtocolNames.HTTP_2))
      .build();
}
 
Example #15
Source File: NettySslHttp2Factory.java    From ambry with Apache License 2.0 6 votes vote down vote up
/**
 * @param config the {@link SSLConfig}
 * @return a configured {@link SslContext} object for a server.
 * @throws GeneralSecurityException
 * @throws IOException
 */
public static SslContext getClientSslContext(SSLConfig config) throws GeneralSecurityException, IOException {
  logger.info("Using {} provider for client ", SslContext.defaultClientProvider());
  SslContextBuilder sslContextBuilder;
  if (config.sslHttp2SelfSign) {
    sslContextBuilder = SslContextBuilder.forClient().trustManager(InsecureTrustManagerFactory.INSTANCE);
    logger.info("Using Self Signed Certificate.");
  } else {
    sslContextBuilder = SslContextBuilder.forClient()
        .keyManager(NettySslFactory.getKeyManagerFactory(config))
        .trustManager(NettySslFactory.getTrustManagerFactory(config));
  }
  return sslContextBuilder.sslProvider(SslContext.defaultClientProvider())
      /* NOTE: the cipher filter may not include all ciphers required by the HTTP/2 specification.
       * Please refer to the HTTP/2 specification for cipher requirements. */
      .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
      .applicationProtocolConfig(new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN,
          // NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK providers.
          ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
          // ACCEPT is currently the only mode supported by both OpenSsl and JDK providers.
          ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT, ApplicationProtocolNames.HTTP_2))
      .build();
}
 
Example #16
Source File: Http2NettyTest.java    From grpc-nebula-java with Apache License 2.0 6 votes vote down vote up
@Override
protected ManagedChannel createChannel() {
  try {
    NettyChannelBuilder builder = NettyChannelBuilder
        .forAddress(TestUtils.testServerAddress(getPort()))
        .flowControlWindow(65 * 1024)
        .maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
        .sslContext(GrpcSslContexts
            .forClient()
            .keyManager(TestUtils.loadCert("client.pem"), TestUtils.loadCert("client.key"))
            .trustManager(TestUtils.loadX509Cert("ca.pem"))
            .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
            .build());
    io.grpc.internal.TestingAccessor.setStatsImplementation(
        builder, createClientCensusStatsModule());
    return builder.build();
  } catch (Exception ex) {
    throw new RuntimeException(ex);
  }
}
 
Example #17
Source File: NettyClientTransportTest.java    From grpc-java with Apache License 2.0 5 votes vote down vote up
private static SslContext createSslContext() {
  try {
    File serverCert = TestUtils.loadCert("server1.pem");
    File key = TestUtils.loadCert("server1.key");
    return GrpcSslContexts.forServer(serverCert, key)
        .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE).build();
  } catch (IOException ex) {
    throw new RuntimeException(ex);
  }
}
 
Example #18
Source File: GrpcSslContexts.java    From grpc-java with Apache License 2.0 5 votes vote down vote up
/**
 * Set ciphers and APN appropriate for gRPC. Precisely what is set is permitted to change, so if
 * an application requires particular settings it should override the options set here.
 */
@CanIgnoreReturnValue
public static SslContextBuilder configure(SslContextBuilder builder, Provider jdkProvider) {
  ApplicationProtocolConfig apc;
  if (SUN_PROVIDER_NAME.equals(jdkProvider.getName())) {
    // Jetty ALPN/NPN only supports one of NPN or ALPN
    if (JettyTlsUtil.isJettyAlpnConfigured()) {
      apc = ALPN;
    } else if (JettyTlsUtil.isJettyNpnConfigured()) {
      apc = NPN;
    } else if (JettyTlsUtil.isJava9AlpnAvailable()) {
      apc = ALPN;
    } else {
      throw new IllegalArgumentException(
          SUN_PROVIDER_NAME + " selected, but Java 9+ and Jetty NPN/ALPN unavailable");
    }
  } else if (ConscryptLoader.isConscrypt(jdkProvider)) {
    apc = ALPN;
  } else {
    throw new IllegalArgumentException("Unknown provider; can't configure: " + jdkProvider);
  }
  return builder
      .sslProvider(SslProvider.JDK)
      .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
      .applicationProtocolConfig(apc)
      .sslContextProvider(jdkProvider);
}
 
Example #19
Source File: GrpcSslContexts.java    From grpc-java with Apache License 2.0 5 votes vote down vote up
/**
 * Set ciphers and APN appropriate for gRPC. Precisely what is set is permitted to change, so if
 * an application requires particular settings it should override the options set here.
 */
@ExperimentalApi("https://github.com/grpc/grpc-java/issues/1784")
@CanIgnoreReturnValue
public static SslContextBuilder configure(SslContextBuilder builder, SslProvider provider) {
  switch (provider) {
    case JDK:
    {
      Provider jdkProvider = findJdkProvider();
      if (jdkProvider == null) {
        throw new IllegalArgumentException(
            "Could not find Jetty NPN/ALPN or Conscrypt as installed JDK providers");
      }
      return configure(builder, jdkProvider);
    }
    case OPENSSL:
    {
      ApplicationProtocolConfig apc;
      if (OpenSsl.isAlpnSupported()) {
        apc = NPN_AND_ALPN;
      } else {
        apc = NPN;
      }
      return builder
          .sslProvider(SslProvider.OPENSSL)
          .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
          .applicationProtocolConfig(apc);
    }
    default:
      throw new IllegalArgumentException("Unsupported provider: " + provider);
  }
}
 
Example #20
Source File: ProtocolNegotiatorsTest.java    From grpc-java with Apache License 2.0 5 votes vote down vote up
@Before
public void setUp() throws Exception {
  File serverCert = TestUtils.loadCert("server1.pem");
  File key = TestUtils.loadCert("server1.key");
  sslContext = GrpcSslContexts.forServer(serverCert, key)
      .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE).build();
  engine = SSLContext.getDefault().createSSLEngine();
  engine.setUseClientMode(true);
}
 
Example #21
Source File: ProtocolNegotiatorsTest.java    From grpc-java with Apache License 2.0 5 votes vote down vote up
@Test
public void serverTlsHandler_userEventTriggeredSslEvent_supportedProtocolCustom()
    throws Exception {
  SslHandler goodSslHandler = new SslHandler(engine, false) {
    @Override
    public String applicationProtocol() {
      return "managed_mtls";
    }
  };

  File serverCert = TestUtils.loadCert("server1.pem");
  File key = TestUtils.loadCert("server1.key");
  List<String> alpnList = Arrays.asList("managed_mtls", "h2");
  ApplicationProtocolConfig apn = new ApplicationProtocolConfig(
      ApplicationProtocolConfig.Protocol.ALPN,
      ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
      ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
      alpnList);

  sslContext = GrpcSslContexts.forServer(serverCert, key)
      .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
      .applicationProtocolConfig(apn).build();

  ChannelHandler handler = new ServerTlsHandler(grpcHandler, sslContext, null);
  pipeline.addLast(handler);

  pipeline.replace(SslHandler.class, null, goodSslHandler);
  channelHandlerCtx = pipeline.context(handler);
  Object sslEvent = SslHandshakeCompletionEvent.SUCCESS;

  pipeline.fireUserEventTriggered(sslEvent);

  assertTrue(channel.isOpen());
  ChannelHandlerContext grpcHandlerCtx = pipeline.context(grpcHandler);
  assertNotNull(grpcHandlerCtx);
}
 
Example #22
Source File: ProtocolNegotiatorsTest.java    From grpc-java with Apache License 2.0 5 votes vote down vote up
@Test
public void clientTlsHandler_userEventTriggeredSslEvent_supportedProtocolCustom()
    throws Exception {
  SslHandler goodSslHandler = new SslHandler(engine, false) {
    @Override
    public String applicationProtocol() {
      return "managed_mtls";
    }
  };
  DefaultEventLoopGroup elg = new DefaultEventLoopGroup(1);

  File clientCert = TestUtils.loadCert("client.pem");
  File key = TestUtils.loadCert("client.key");
  List<String> alpnList = Arrays.asList("managed_mtls", "h2");
  ApplicationProtocolConfig apn = new ApplicationProtocolConfig(
      ApplicationProtocolConfig.Protocol.ALPN,
      ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
      ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
      alpnList);

  sslContext = GrpcSslContexts.forClient()
      .keyManager(clientCert, key)
      .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
      .applicationProtocolConfig(apn).build();

  ClientTlsHandler handler = new ClientTlsHandler(grpcHandler, sslContext, "authority", elg);
  pipeline.addLast(handler);
  pipeline.replace(SslHandler.class, null, goodSslHandler);
  pipeline.fireUserEventTriggered(ProtocolNegotiationEvent.DEFAULT);
  channelHandlerCtx = pipeline.context(handler);
  Object sslEvent = SslHandshakeCompletionEvent.SUCCESS;

  pipeline.fireUserEventTriggered(sslEvent);

  ChannelHandlerContext grpcHandlerCtx = pipeline.context(grpcHandler);
  assertNotNull(grpcHandlerCtx);
}
 
Example #23
Source File: VerificationHost_t.java    From gumtree-spoon-ast-diff with Apache License 2.0 5 votes vote down vote up
public static void createAndAttachSSLClient(ServiceHost h) throws Throwable {
    // we create a random userAgent string to validate host to host communication when
    // the client appears to be from an external, non-Xenon source.
    ServiceClient client = NettyHttpServiceClient.create(UUID.randomUUID().toString(),
            null,
            h.getScheduledExecutor(), h);

    if (NettyChannelContext.isALPNEnabled()) {
        SslContext http2ClientContext = SslContextBuilder.forClient()
                .trustManager(InsecureTrustManagerFactory.INSTANCE)
                .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
                .applicationProtocolConfig(new ApplicationProtocolConfig(
                        ApplicationProtocolConfig.Protocol.ALPN,
                        ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
                        ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
                        ApplicationProtocolNames.HTTP_2))
                .build();
        ((NettyHttpServiceClient) client).setHttp2SslContext(http2ClientContext);
    }

    SSLContext clientContext = SSLContext.getInstance(ServiceClient.TLS_PROTOCOL_NAME);
    clientContext.init(null, InsecureTrustManagerFactory.INSTANCE.getTrustManagers(), null);
    client.setSSLContext(clientContext);
    h.setClient(client);

    SelfSignedCertificate ssc = new SelfSignedCertificate();
    h.setCertificateFileReference(ssc.certificate().toURI());
    h.setPrivateKeyFileReference(ssc.privateKey().toURI());
}
 
Example #24
Source File: Http2Util.java    From tutorials with MIT License 5 votes vote down vote up
public static SslContext createSSLContext(boolean isServer) throws SSLException, CertificateException {

        SslContext sslCtx;

        SelfSignedCertificate ssc = new SelfSignedCertificate();

        if (isServer) {
            sslCtx = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
                .sslProvider(SslProvider.JDK)
                .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
                .applicationProtocolConfig(new ApplicationProtocolConfig(Protocol.ALPN,
                    SelectorFailureBehavior.NO_ADVERTISE,
                    SelectedListenerFailureBehavior.ACCEPT, ApplicationProtocolNames.HTTP_2, ApplicationProtocolNames.HTTP_1_1))
                .build();
        } else {
            sslCtx = SslContextBuilder.forClient()
                .sslProvider(SslProvider.JDK)
                .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
                .trustManager(InsecureTrustManagerFactory.INSTANCE)
                .applicationProtocolConfig(new ApplicationProtocolConfig(Protocol.ALPN,
                    SelectorFailureBehavior.NO_ADVERTISE,
                    SelectedListenerFailureBehavior.ACCEPT, ApplicationProtocolNames.HTTP_2))
                .build();
        }
        return sslCtx;

    }
 
Example #25
Source File: VerificationHost_s.java    From gumtree-spoon-ast-diff with Apache License 2.0 5 votes vote down vote up
public static void createAndAttachSSLClient(ServiceHost h) throws Throwable {
    // we create a random userAgent string to validate host to host communication when
    // the client appears to be from an external, non-Xenon source.
    ServiceClient client = NettyHttpServiceClient.create(UUID.randomUUID().toString(),
            null,
            h.getScheduledExecutor(), h);

    if (NettyChannelContext.isALPNEnabled()) {
        SslContext http2ClientContext = SslContextBuilder.forClient()
                .trustManager(InsecureTrustManagerFactory.INSTANCE)
                .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
                .applicationProtocolConfig(new ApplicationProtocolConfig(
                        ApplicationProtocolConfig.Protocol.ALPN,
                        ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
                        ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
                        ApplicationProtocolNames.HTTP_2))
                .build();
        ((NettyHttpServiceClient) client).setHttp2SslContext(http2ClientContext);
    }

    SSLContext clientContext = SSLContext.getInstance(ServiceClient.TLS_PROTOCOL_NAME);
    clientContext.init(null, InsecureTrustManagerFactory.INSTANCE.getTrustManagers(), null);
    client.setSSLContext(clientContext);
    h.setClient(client);

    SelfSignedCertificate ssc = new SelfSignedCertificate();
    h.setCertificateFileReference(ssc.certificate().toURI());
    h.setPrivateKeyFileReference(ssc.privateKey().toURI());
}
 
Example #26
Source File: SslContextFactory.java    From xio with Apache License 2.0 5 votes vote down vote up
private static SslContextBuilder configure(TlsConfig config, SslContextBuilder builder) {
  return builder
      .applicationProtocolConfig(config.getAlpnConfig())
      .ciphers(config.getCiphers(), SupportedCipherSuiteFilter.INSTANCE)
      .clientAuth(config.getClientAuth())
      .enableOcsp(config.isEnableOcsp())
      .protocols(config.getProtocols())
      .sessionCacheSize(config.getSessionCacheSize())
      .sessionTimeout(config.getSessionTimeout())
      .sslProvider(config.getSslProvider());
}
 
Example #27
Source File: SslProvider.java    From reactor-netty with Apache License 2.0 5 votes vote down vote up
void updateDefaultConfiguration() {
	switch (type) {
		case H2:
			sslContextBuilder.sslProvider(
			                     io.netty.handler.ssl.SslProvider.isAlpnSupported(io.netty.handler.ssl.SslProvider.OPENSSL) ?
			                             io.netty.handler.ssl.SslProvider.OPENSSL :
			                             io.netty.handler.ssl.SslProvider.JDK)
			                 .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
			                 .applicationProtocolConfig(new ApplicationProtocolConfig(
			                     ApplicationProtocolConfig.Protocol.ALPN,
			                     ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
			                     ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
			                     ApplicationProtocolNames.HTTP_2,
			                     ApplicationProtocolNames.HTTP_1_1));
			break;
		case TCP:
			sslContextBuilder.sslProvider(
			                     OpenSsl.isAvailable() ?
			                             io.netty.handler.ssl.SslProvider.OPENSSL :
			                             io.netty.handler.ssl.SslProvider.JDK)
			                 .ciphers(null, IdentityCipherSuiteFilter.INSTANCE)
			                 .applicationProtocolConfig(null);
			break;
		case NONE:
			break; //no default configuration
	}
}
 
Example #28
Source File: GrpcSslContexts.java    From grpc-nebula-java with Apache License 2.0 5 votes vote down vote up
/**
 * Set ciphers and APN appropriate for gRPC. Precisely what is set is permitted to change, so if
 * an application requires particular settings it should override the options set here.
 */
@ExperimentalApi("https://github.com/grpc/grpc-java/issues/1784")
@CanIgnoreReturnValue
public static SslContextBuilder configure(SslContextBuilder builder, SslProvider provider) {
  switch (provider) {
    case JDK:
    {
      Provider jdkProvider = findJdkProvider();
      if (jdkProvider == null) {
        throw new IllegalArgumentException(
            "Could not find Jetty NPN/ALPN or Conscrypt as installed JDK providers");
      }
      return configure(builder, jdkProvider);
    }
    case OPENSSL:
    {
      ApplicationProtocolConfig apc;
      if (OpenSsl.isAlpnSupported()) {
        apc = NPN_AND_ALPN;
      } else {
        apc = NPN;
      }
      return builder
          .sslProvider(SslProvider.OPENSSL)
          .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
          .applicationProtocolConfig(apc);
    }
    default:
      throw new IllegalArgumentException("Unsupported provider: " + provider);
  }
}
 
Example #29
Source File: GrpcSslContexts.java    From grpc-nebula-java with Apache License 2.0 5 votes vote down vote up
/**
 * Set ciphers and APN appropriate for gRPC. Precisely what is set is permitted to change, so if
 * an application requires particular settings it should override the options set here.
 */
@CanIgnoreReturnValue
public static SslContextBuilder configure(SslContextBuilder builder, Provider jdkProvider) {
  ApplicationProtocolConfig apc;
  if (SUN_PROVIDER_NAME.equals(jdkProvider.getName())) {
    // Jetty ALPN/NPN only supports one of NPN or ALPN
    if (JettyTlsUtil.isJettyAlpnConfigured()) {
      apc = ALPN;
    } else if (JettyTlsUtil.isJettyNpnConfigured()) {
      apc = NPN;
    } else if (JettyTlsUtil.isJava9AlpnAvailable()) {
      apc = ALPN;
    } else {
      throw new IllegalArgumentException(
          SUN_PROVIDER_NAME + " selected, but Jetty NPN/ALPN unavailable");
    }
  } else if (isConscrypt(jdkProvider)) {
    apc = ALPN;
  } else {
    throw new IllegalArgumentException("Unknown provider; can't configure: " + jdkProvider);
  }
  return builder
      .sslProvider(SslProvider.JDK)
      .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
      .applicationProtocolConfig(apc)
      .sslContextProvider(jdkProvider);
}
 
Example #30
Source File: ChannelPipelineInitializerTest.java    From aws-sdk-java-v2 with Apache License 2.0 5 votes vote down vote up
@Test
public void channelConfigOptionCheck() throws SSLException {
    targetUri = URI.create("https://some-awesome-service-1234.amazonaws.com:8080");

    SslContext sslContext = SslContextBuilder.forClient()
                                             .sslProvider(SslProvider.JDK)
                                             .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
                                             .build();

    AtomicReference<ChannelPool> channelPoolRef = new AtomicReference<>();

    NettyConfiguration nettyConfiguration = new NettyConfiguration(GLOBAL_HTTP_DEFAULTS);

    pipelineInitializer = new ChannelPipelineInitializer(Protocol.HTTP1_1,
                                                         sslContext,
                                                         SslProvider.JDK,
                                                         100,
                                                         1024,
                                                         Duration.ZERO,
                                                         channelPoolRef,
                                                         nettyConfiguration,
                                                         targetUri);

    Channel channel = new EmbeddedChannel();

    pipelineInitializer.channelCreated(channel);

    assertThat(channel.config().getOption(ChannelOption.ALLOCATOR), is(UnpooledByteBufAllocator.DEFAULT));

}