io.netty.handler.ssl.SslProvider Java Examples
The following examples show how to use
io.netty.handler.ssl.SslProvider.
Example #1
Source File: ChannelPipelineInitializer.java From aws-sdk-java-v2 with Apache License 2.0 | 6 votes |
/**
 * Captures everything the initializer needs later; the constructor only stores its arguments
 * and performs no validation of its own.
 *
 * @param protocol                protocol value, stored as given
 * @param sslCtx                  TLS context, stored as given (a null check, if any, happens elsewhere)
 * @param sslProvider             TLS provider, stored next to {@code sslCtx}
 * @param clientMaxStreams        stored as given
 * @param clientInitialWindowSize stored as given
 * @param healthCheckPingPeriod   stored as given
 * @param channelPoolRef          reference to the channel pool, stored as given
 * @param configuration           Netty configuration, stored as given
 * @param poolKey                 URI kept as the pool key
 */
public ChannelPipelineInitializer(Protocol protocol,
                                  SslContext sslCtx,
                                  SslProvider sslProvider,
                                  long clientMaxStreams,
                                  int clientInitialWindowSize,
                                  Duration healthCheckPingPeriod,
                                  AtomicReference<ChannelPool> channelPoolRef,
                                  NettyConfiguration configuration,
                                  URI poolKey) {
    // Pool and configuration wiring.
    this.poolKey = poolKey;
    this.configuration = configuration;
    this.channelPoolRef = channelPoolRef;

    // TLS material: the context and the provider are kept together.
    this.sslProvider = sslProvider;
    this.sslCtx = sslCtx;

    // Protocol selection and its tuning values.
    this.protocol = protocol;
    this.healthCheckPingPeriod = healthCheckPingPeriod;
    this.clientInitialWindowSize = clientInitialWindowSize;
    this.clientMaxStreams = clientMaxStreams;
}
Example #2
Source File: NettySubstitutions.java From quarkus with Apache License 2.0 | 6 votes |
/**
 * Substituted client-context factory: always builds the JDK-backed client context, whatever
 * {@code provider} is passed in.
 *
 * <p>{@code provider} is used only in the error message. A request for OCSP is rejected with an
 * exception instead of being dropped silently, so a caller that asked for OCSP never receives a
 * context that lacks it.
 *
 * @throws IllegalArgumentException if {@code enableOcsp} is {@code true}
 * @throws SSLException declared by the signature; NOTE(review): presumably raised by the
 *         substituted context's constructor - confirm against that class
 */
@Substitute
static SslContext newClientContextInternal(
        SslProvider provider,
        Provider sslContextProvider,
        X509Certificate[] trustCert, TrustManagerFactory trustManagerFactory,
        X509Certificate[] keyCertChain, PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
        Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn, String[] protocols,
        long sessionCacheSize, long sessionTimeout, boolean enableOcsp, String keyStoreType) throws SSLException {
    // Fail closed: refuse the request rather than return a context without OCSP.
    if (enableOcsp) {
        throw new IllegalArgumentException("OCSP is not supported with this SslProvider: " + provider);
    }
    // The double cast goes through Object because the substitution target type is not
    // declared as an SslContext subtype at compile time.
    return (SslContext) (Object) new Target_io_netty_handler_ssl_JdkSslClientContext(sslContextProvider,
            trustCert, trustManagerFactory, keyCertChain, key, keyPassword,
            keyManagerFactory, ciphers, cipherFilter, apn, protocols, sessionCacheSize,
            sessionTimeout, keyStoreType);
}
Example #3
Source File: XConfigTest.java From xrpc with Apache License 2.0 | 6 votes |
/**
 * Loads the {@code tls} section of {@code xrpc.conf} and pins the TLS defaults it produces:
 * cipher count, ALPN settings, client-auth mode, OCSP flag, session settings and provider.
 */
@Test
void buildTlsConfig_shouldUseCorrectTlsConfigValues() {
  TlsConfig tlsConfig =
      XConfig.buildTlsConfig(
          ConfigFactory.parseResources(XConfig.class, "xrpc.conf").getConfig("tls"));

  // NOTE(review): this list comes from getCiphers() but is checked against a constant named
  // SUPPORTED_PROTOCOLS - confirm that constant really holds cipher-suite names.
  List<String> configuredCiphers = tlsConfig.getCiphers();
  assertEquals(6, configuredCiphers.size());
  for (String cipher : configuredCiphers) {
    assertTrue(SUPPORTED_PROTOCOLS.contains(cipher));
  }

  // ALPN negotiation settings.
  ApplicationProtocolConfig alpnConfig = tlsConfig.getAlpnConfig();
  assertEquals(SUPPORTED_PROTOCOLS_IN_PREFERENCE_ORDER, alpnConfig.supportedProtocols());
  assertEquals(NO_ADVERTISE, alpnConfig.selectorFailureBehavior());
  assertEquals(ACCEPT, alpnConfig.selectedListenerFailureBehavior());
  assertEquals(ALPN, alpnConfig.protocol());

  // Security-relevant defaults: TLS on, insecure-config logging on, client certificates
  // optional, OCSP off.
  assertTrue(tlsConfig.isLogInsecureConfig());
  assertTrue(tlsConfig.isUseSsl());
  assertEquals(ClientAuth.OPTIONAL, tlsConfig.getClientAuth());
  assertFalse(tlsConfig.isEnableOcsp());

  // Session settings and provider.
  assertEquals(0, tlsConfig.getSessionTimeout());
  assertEquals(0, tlsConfig.getSessionCacheSize());
  assertEquals(SslProvider.OPENSSL, tlsConfig.getSslProvider());
}
Example #4
Source File: EppModule.java From nomulus with Apache License 2.0 | 6 votes |
/**
 * {@link Provides} the {@link SslClientInitializer} used for the {@link EppProtocol}.
 *
 * <p>Delegates to the factory method whose name states that it uses the system trust store
 * and client authentication; nothing else is configured here.
 *
 * @param sslProvider          TLS provider, passed through unchanged
 * @param privateKeySupplier   supplies the local private key (bound with {@code @LocalSecrets})
 * @param certificatesSupplier supplies the local certificate chain (bound with {@code @LocalSecrets})
 * @return the initializer built by the factory method
 */
@Provides
@EppProtocol
static SslClientInitializer<NioSocketChannel> provideSslClientInitializer(
    SslProvider sslProvider,
    @LocalSecrets Supplier<PrivateKey> privateKeySupplier,
    @LocalSecrets Supplier<ImmutableList<X509Certificate>> certificatesSupplier) {
  return SslClientInitializer
      .createSslClientInitializerWithSystemTrustStoreAndClientAuthentication(
          sslProvider,
          // Both lambdas read per-channel attributes.
          // NOTE(review): presumably the remote host and port used for peer verification, and
          // presumably always set before the handshake - confirm in SslClientInitializer.
          channel -> channel.attr(REMOTE_ADDRESS_KEY).get(),
          channel -> channel.attr(PROTOCOL_KEY).get().port(),
          privateKeySupplier,
          certificatesSupplier);
}
Example #5
Source File: BaseSslContextFactory.java From zuul with Apache License 2.0 | 6 votes |
/**
 * Builds the server-side {@link SslContextBuilder} from the configured ciphers, session
 * timeout and the chosen provider, and adds client-certificate checking when it is configured.
 *
 * <p>NOTE(review): client authentication is applied only when a client-auth mode is configured
 * AND at least one trusted certificate was loaded. If a mode is configured but the trusted
 * list is null or empty, the builder is returned without {@code clientAuth(...)}, so the mode
 * from configuration is not applied - confirm that this fallback is intended.
 *
 * @return the configured builder
 * @throws RuntimeException wrapping any exception raised while configuring
 */
@Override
public SslContextBuilder createBuilderForServer() {
    try {
        ArrayList<X509Certificate> trustedCerts = getTrustedX509Certificates();
        SslProvider sslProvider = chooseSslProvider();

        LOG.debug("Using SslProvider of type {}", sslProvider.name());

        SslContextBuilder builder = newBuilderForServer()
                .ciphers(getCiphers(), getCiphersFilter())
                .sessionTimeout(serverSslConfig.getSessionTimeout())
                .sslProvider(sslProvider);

        boolean clientAuthConfigured = serverSslConfig.getClientAuth() != null;
        boolean haveTrustedCerts = trustedCerts != null && !trustedCerts.isEmpty();
        if (!clientAuthConfigured || !haveTrustedCerts) {
            return builder;
        }

        // The trust anchors and the client-auth mode are set together.
        return builder
                .trustManager(trustedCerts.toArray(new X509Certificate[0]))
                .clientAuth(serverSslConfig.getClientAuth());
    }
    catch (Exception e) {
        throw new RuntimeException("Error configuring SslContext!", e);
    }
}
Example #6
Source File: SslServerInitializer.java From nomulus with Apache License 2.0 | 6 votes |
/**
 * Stores the server TLS settings and picks the protocol versions to offer for the provider.
 *
 * <p>NOTE(review): both version lists still include "TLSv1.1" and "TLSv1", which RFC 8996
 * deprecates. Confirm whether legacy clients still need them before keeping them enabled.
 *
 * @param requireClientCert    whether a client certificate is required
 * @param validateClientCert   whether the client certificate is validated; only allowed
 *                             together with {@code requireClientCert}
 * @param sslProvider          TLS provider; also decides whether "TLSv1.3" is offered
 * @param privateKeySupplier   supplies the server private key
 * @param certificatesSupplier supplies the server certificate chain
 * @throws IllegalArgumentException if validation is requested without requiring a certificate
 */
public SslServerInitializer(
    boolean requireClientCert,
    boolean validateClientCert,
    SslProvider sslProvider,
    Supplier<PrivateKey> privateKeySupplier,
    Supplier<ImmutableList<X509Certificate>> certificatesSupplier) {
  logger.atInfo().log("Server SSL Provider: %s", sslProvider);
  checkArgument(
      requireClientCert || !validateClientCert,
      "Cannot validate client certificate if client certificate is not required.");

  this.sslProvider = sslProvider;
  this.requireClientCert = requireClientCert;
  this.validateClientCert = validateClientCert;
  this.certificatesSupplier = certificatesSupplier;
  this.privateKeySupplier = privateKeySupplier;

  if (sslProvider == SslProvider.OPENSSL) {
    this.supportedSslVersions = ImmutableList.of("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1");
  } else {
    // JDK support for TLS 1.3 won't be available until 2020-07-14 at the earliest.
    // See: https://java.com/en/jre-jdk-cryptoroadmap.html
    this.supportedSslVersions = ImmutableList.of("TLSv1.2", "TLSv1.1", "TLSv1");
  }
}
Example #7
Source File: AlphaIntegrationWithSSLTest.java From servicecomb-pack with Apache License 2.0 | 6 votes |
/**
 * Builds the client TLS context for the integration test from the classpath resources
 * {@code ca.crt}, {@code client.crt} and {@code client.pem}, using the OpenSSL provider.
 *
 * <p>NOTE(review): an {@link SSLException} is printed and turned into a {@code null} return,
 * so the caller has to handle a missing context. A missing classpath resource surfaces as a
 * {@code NullPointerException} from {@code getResource(...)}. "TLSv1.1" is enabled next to
 * "TLSv1.2"; RFC 8996 deprecates TLS 1.1.
 *
 * @return the client context, or {@code null} if building it failed with an SSLException
 */
private static SslContext getSslContext() {
  final ClassLoader loader = AlphaIntegrationWithSSLTest.class.getClassLoader();
  try {
    return GrpcSslContexts.forClient()
        .sslProvider(SslProvider.OPENSSL)
        .protocols("TLSv1.2", "TLSv1.1")
        .ciphers(Arrays.asList(
            "ECDHE-RSA-AES128-GCM-SHA256",
            "ECDHE-RSA-AES256-GCM-SHA384"))
        // Trust anchor for the server certificate.
        .trustManager(new File(loader.getResource("ca.crt").getFile()))
        // Client certificate and key presented for mutual TLS.
        .keyManager(
            new File(loader.getResource("client.crt").getFile()),
            new File(loader.getResource("client.pem").getFile()))
        .build();
  } catch (SSLException e) {
    e.printStackTrace();
    return null;
  }
}
Example #8
Source File: NettyBootstrap.java From WeCross with Apache License 2.0 | 6 votes |
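/**
 * Builds the server-side {@link SslContext} for p2p connections with mutual TLS: the node
 * presents {@code nodeCrt}/{@code nodeKey}, and a client certificate is required and checked
 * against {@code caCrt}.
 *
 * <p>The three resource streams are closed before returning; previously they were opened and
 * never closed.
 *
 * @param caCrt   CA certificate used as the trust anchor for peer certificates
 * @param nodeCrt this node's certificate chain
 * @param nodeKey this node's private key
 * @return the built server context, using the JDK provider
 * @throws IOException if a resource cannot be opened or closed, or the context cannot be built
 */
public SslContext initSslContextForServer(
        org.springframework.core.io.Resource caCrt,
        org.springframework.core.io.Resource nodeCrt,
        org.springframework.core.io.Resource nodeKey)
        throws IOException {
    // Netty's InputStream overloads parse the PEM data while the builder methods run, so the
    // streams are no longer needed once build() has returned.
    try (java.io.InputStream certChainStream = nodeCrt.getInputStream();
            java.io.InputStream privateKeyStream = nodeKey.getInputStream();
            java.io.InputStream trustedCaStream = caCrt.getInputStream()) {
        return SslContextBuilder.forServer(certChainStream, privateKeyStream)
                .trustManager(trustedCaStream)
                .sslProvider(SslProvider.JDK)
                .clientAuth(ClientAuth.REQUIRE)
                .build();
    }
}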
Example #9
Source File: TransportSupport.java From qpid-jms with Apache License 2.0 | 6 votes |
/**
 * Creates and initialises the {@link KeyManagerFactory} for the configured key store.
 *
 * <p>Only the store location and type are written to the trace log; the password is not.
 * The same password is used to open the store and to initialise the factory.
 *
 * @param options  transport options carrying key store location, password and type
 * @param provider TLS provider; the JDK provider gets the default-algorithm factory, anything
 *                 else gets an {@code OpenSslX509KeyManagerFactory}
 * @return the initialised factory, or {@code null} when no key store location is configured
 * @throws Exception if the factory or the key store cannot be created or loaded
 */
private static KeyManagerFactory loadKeyManagerFactory(TransportOptions options, SslProvider provider) throws Exception {
    if (options.getKeyStoreLocation() == null) {
        // No key store configured: there is no client key material to offer.
        return null;
    }

    final KeyManagerFactory factory = provider.equals(SslProvider.JDK)
        ? KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
        : new OpenSslX509KeyManagerFactory();

    final String storeLocation = options.getKeyStoreLocation();
    final String storePassword = options.getKeyStorePassword();
    final String storeType = options.getKeyStoreType();

    LOG.trace("Attempt to load KeyStore from location {} of type {}", storeLocation, storeType);

    final KeyStore keyStore = loadStore(storeLocation, storePassword, storeType);
    final char[] passwordChars = storePassword != null ? storePassword.toCharArray() : null;
    factory.init(keyStore, passwordChars);

    return factory;
}
Example #10
Source File: LoadBalancedClusterMessageSender.java From txle with Apache License 2.0 | 6 votes |
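/**
 * Builds the client TLS context for the cluster connection.
 *
 * <p>The enabled protocols and cipher suites come entirely from the classpath resource
 * {@code ssl.properties} (keys {@code protocols} and {@code ciphers}, comma-separated), so
 * that file decides the TLS policy. The server is verified against the configured
 * certificate chain; a client certificate and key are added only when mutual authentication
 * is enabled.
 *
 * <p>The properties stream is closed after loading, and a missing {@code ssl.properties}
 * is reported as an {@link IllegalArgumentException} rather than a NullPointerException
 * from {@code Properties.load}.
 *
 * @param clusterConfig supplies the certificate chain path, the mutual-auth flag and the
 *                      client certificate and key paths
 * @return the built client context
 * @throws SSLException if the context cannot be built
 * @throws IllegalArgumentException if {@code ssl.properties} is missing or unreadable
 */
private static SslContext buildSslContext(AlphaClusterConfig clusterConfig) throws SSLException {
  SslContextBuilder builder = GrpcSslContexts.forClient();
  // openssl must be used because some older JDk does not support cipher suites required by http2,
  // and the performance of JDK ssl is pretty low compared to openssl.
  builder.sslProvider(SslProvider.OPENSSL);

  Properties prop = new Properties();
  try (java.io.InputStream sslProperties =
      LoadBalancedClusterMessageSender.class.getClassLoader().getResourceAsStream("ssl.properties")) {
    if (sslProperties == null) {
      // getResourceAsStream returns null when the resource is not on the classpath.
      throw new IllegalArgumentException("Unable to read ssl.properties.");
    }
    prop.load(sslProperties);
  } catch (IOException e) {
    throw new IllegalArgumentException("Unable to read ssl.properties.", e);
  }

  builder.protocols(prop.getProperty("protocols").split(","));
  builder.ciphers(Arrays.asList(prop.getProperty("ciphers").split(",")));
  // Trust anchor used to verify the server.
  builder.trustManager(new File(clusterConfig.getCertChain()));

  if (clusterConfig.isEnableMutualAuth()) {
    builder.keyManager(new File(clusterConfig.getCert()), new File(clusterConfig.getKey()));
  }

  return builder.build();
}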
Example #11
Source File: NettySslHandler.java From iot-mqtt with Apache License 2.0 | 6 votes |
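/**
 * Builds the server TLS context from a key store file, optionally requiring client
 * certificates.
 *
 * <p>The key store file stream is closed as soon as the store is loaded; previously it was
 * never closed.
 *
 * <p>NOTE(review): with {@code useClientCA} the trust manager is initialised from the same
 * key store that holds the server key, so every certificate in that store acts as a trust
 * anchor for clients - confirm that this is intended. On any failure the method logs and
 * returns {@code null}, so callers have to check the result.
 *
 * @param useClientCA     whether to require and verify client certificates
 * @param sslKeyStoreType key store type passed to {@link KeyStore#getInstance(String)}
 * @param sslKeyFilePath  path of the key store file
 * @param sslManagerPwd   password for the keys in the store
 * @param sslStorePwd     password for the store itself
 * @return the server context, or {@code null} if it could not be created
 */
private static SslContext createSSLContext(boolean useClientCA, String sslKeyStoreType, String sslKeyFilePath, String sslManagerPwd, String sslStorePwd) {
    try {
        KeyStore ks = KeyStore.getInstance(sslKeyStoreType);
        // Only the load needs the file; close it before the rest of the setup runs.
        try (InputStream ksInputStream = new FileInputStream(sslKeyFilePath)) {
            ks.load(ksInputStream, sslStorePwd.toCharArray());
        }

        final KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, sslManagerPwd.toCharArray());
        SslContextBuilder contextBuilder = SslContextBuilder.forServer(kmf);

        // whether need client CA(two-way authentication)
        if (useClientCA) {
            contextBuilder.clientAuth(ClientAuth.REQUIRE);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
            contextBuilder.trustManager(tmf);
        }
        return contextBuilder.sslProvider(SslProvider.JDK).build();
    } catch (Exception ex) {
        log.error("Create ssl context failure.cause={}", ex);
        return null;
    }
}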
Example #12
Source File: NettyHttpClientH2Benchmark.java From aws-sdk-java-v2 with Apache License 2.0 | 6 votes |
/**
 * Trial-level benchmark setup: starts the mock H2 server, builds the Netty HTTP client with
 * the provider under test, and issues one request to confirm the wiring works.
 *
 * <p>The client is built from {@code trustAllTlsAttributeMapBuilder()}.
 * NOTE(review): going by its name this disables server-certificate verification, which fits
 * a benchmark talking to a local mock server and should not be copied into production
 * clients - confirm in the helper.
 *
 * @throws Exception if the server cannot start or the warm-up request fails
 */
@Setup(Level.Trial)
public void setup() throws Exception {
    mockServer = new MockH2Server(false);
    mockServer.start();

    // Provider chosen from the benchmark's sslProviderValue field.
    SslProvider sslProvider = getSslProvider(sslProviderValue);

    sdkHttpClient = NettyNioAsyncHttpClient.builder()
                                           .sslProvider(sslProvider)
                                           .buildWithDefaults(trustAllTlsAttributeMapBuilder()
                                                                  .put(PROTOCOL, Protocol.HTTP2)
                                                                  .build());
    client = ProtocolRestJsonAsyncClient.builder()
                                        .endpointOverride(mockServer.getHttpsUri())
                                        .httpClient(sdkHttpClient)
                                        .build();

    // Making sure the request actually succeeds
    client.allTypes().join();
}
Example #13
Source File: GrpcSslContexts.java From grpc-java with Apache License 2.0 | 6 votes |
/**
 * Picks the TLS provider: OpenSSL when it is available, otherwise the JDK provider when a
 * usable JDK security provider is found.
 *
 * @return {@link SslProvider#OPENSSL} or {@link SslProvider#JDK}
 * @throws IllegalStateException if neither option is usable; the reason each candidate was
 *         unavailable is logged at INFO first
 */
private static SslProvider defaultSslProvider() {
  if (OpenSsl.isAvailable()) {
    logger.log(Level.FINE, "Selecting OPENSSL");
    return SslProvider.OPENSSL;
  }

  Provider jdkCandidate = findJdkProvider();
  if (jdkCandidate == null) {
    // Nothing usable: record why each candidate was unavailable, then fail.
    logger.log(Level.INFO, "Java 9 ALPN API unavailable (this may be normal)");
    logger.log(Level.INFO, "netty-tcnative unavailable (this may be normal)",
        OpenSsl.unavailabilityCause());
    logger.log(Level.INFO, "Conscrypt not found (this may be normal)",
        ConscryptHolder.UNAVAILABILITY_CAUSE);
    logger.log(Level.INFO, "Jetty ALPN unavailable (this may be normal)",
        JettyTlsUtil.getJettyAlpnUnavailabilityCause());
    throw new IllegalStateException(
        "Could not find TLS ALPN provider; "
        + "no working netty-tcnative, Conscrypt, or Jetty NPN/ALPN available");
  }

  logger.log(Level.FINE, "Selecting JDK with provider {0}", jdkCandidate);
  return SslProvider.JDK;
}
Example #14
Source File: Ssl.java From zbus-server with MIT License | 6 votes |
/**
 * Builds a client TLS context on the JDK provider with session cache size and session
 * timeout both set to 0.
 *
 * <p>NOTE(review): "TLSv1.1" and "TLSv1" are enabled next to "TLSv1.2"; RFC 8996 deprecates
 * both. No trust manager is set here, so the builder's default applies. Any failure is
 * printed and turned into a {@code null} return, which callers have to check.
 *
 * @return the client context, or {@code null} if it could not be built
 */
private static SslContext buildSslContext() {
	try {
		return SslContextBuilder.forClient()
				.sslProvider(SslProvider.JDK)
				.sessionCacheSize(0)
				.sessionTimeout(0)
				.protocols("TLSv1.2", "TLSv1.1", "TLSv1")
				.build();
	} catch (Exception e) {
		e.printStackTrace();
		return null;
	}
}
Example #15
Source File: OcspTest.java From netty-4.1.22 with Apache License 2.0 | 6 votes |
/**
 * Builds a client context WITHOUT enabling OCSP and then asks the engine for an OCSP
 * response.
 *
 * <p>NOTE(review): presumably the callers expect {@code getOcspResponse()} to throw here -
 * confirm against the annotated test methods. The engine and the context are released in
 * {@code finally} blocks so the reference-counted objects are freed even when the call throws.
 *
 * @param sslProvider provider to build the context with; the engine is cast to
 *                    {@link ReferenceCountedOpenSslEngine}, so only providers that create
 *                    that engine type get past the cast
 */
private static void testClientOcspNotEnabled(SslProvider sslProvider) throws Exception {
    // No enableOcsp(...) call: OCSP stays at the builder default.
    SslContext context = SslContextBuilder.forClient()
            .sslProvider(sslProvider)
            .build();
    try {
        SslHandler sslHandler = context.newHandler(ByteBufAllocator.DEFAULT);
        ReferenceCountedOpenSslEngine engine = (ReferenceCountedOpenSslEngine) sslHandler.engine();
        try {
            engine.getOcspResponse();
        } finally {
            // Release the engine first, then the context in the outer finally.
            engine.release();
        }
    } finally {
        ReferenceCountUtil.release(context);
    }
}
Example #16
Source File: AwaitCloseChannelPoolMapTest.java From aws-sdk-java-v2 with Apache License 2.0 | 6 votes |
/**
 * Configures a proxy by host and port only (no scheme), acquires a channel for an HTTPS
 * endpoint and checks that the recorded proxy traffic contains a CONNECT for that endpoint.
 */
@Test
public void usingProxy_noSchemeGiven_defaultsToHttp() {
    // Proxy described by host and port only - no scheme.
    ProxyConfiguration schemelessProxy = ProxyConfiguration.builder()
            .host("localhost")
            .port(mockProxy.port())
            .build();

    channelPoolMap = AwaitCloseChannelPoolMap.builder()
            .proxyConfiguration(schemelessProxy)
            .sdkChannelOptions(new SdkChannelOptions())
            .sdkEventLoopGroup(SdkEventLoopGroup.builder().build())
            .configuration(new NettyConfiguration(GLOBAL_HTTP_DEFAULTS))
            .protocol(Protocol.HTTP1_1)
            .maxStreams(100)
            .sslProvider(SslProvider.OPENSSL)
            .build();

    URI serviceUri = URI.create("https://some-awesome-service:443");
    SimpleChannelPoolAwareChannelPool pool = channelPoolMap.newPool(serviceUri);
    pool.acquire().awaitUninterruptibly();

    String recordedRequests = recorder.requests().toString();
    assertThat(recordedRequests).contains("CONNECT some-awesome-service:443");
}
Example #17
Source File: SocketSslGreetingTest.java From netty-4.1.22 with Apache License 2.0 | 6 votes |
/**
 * Produces every (server context, client context) pair to test: JDK is always included and
 * OpenSSL is added when it is available. Each client trusts {@code CERT_FILE}, the
 * certificate the servers present.
 *
 * @return one {@code Object[] { serverContext, clientContext }} per combination
 */
@Parameters(name = "{index}: serverEngine = {0}, clientEngine = {1}")
public static Collection<Object[]> data() throws Exception {
    List<SslContext> servers = new ArrayList<SslContext>();
    List<SslContext> clients = new ArrayList<SslContext>();

    // The JDK provider is always exercised.
    servers.add(SslContextBuilder.forServer(CERT_FILE, KEY_FILE).sslProvider(SslProvider.JDK).build());
    clients.add(SslContextBuilder.forClient().sslProvider(SslProvider.JDK).trustManager(CERT_FILE).build());

    if (!OpenSsl.isAvailable()) {
        logger.warn("OpenSSL is unavailable and thus will not be tested.", OpenSsl.unavailabilityCause());
    } else {
        servers.add(SslContextBuilder.forServer(CERT_FILE, KEY_FILE)
                                     .sslProvider(SslProvider.OPENSSL).build());
        clients.add(SslContextBuilder.forClient().sslProvider(SslProvider.OPENSSL)
                                     .trustManager(CERT_FILE).build());
    }

    // Cross product: every server context against every client context.
    List<Object[]> combinations = new ArrayList<Object[]>();
    for (SslContext server : servers) {
        for (SslContext client : clients) {
            combinations.add(new Object[] { server, client });
        }
    }
    return combinations;
}
Example #18
Source File: NettyHttp2Client.java From jmeter-http2-plugin with Apache License 2.0 | 6 votes |
/**
 * Builds the HTTP/2 client TLS context: OpenSSL when it supports ALPN, otherwise the JDK
 * provider, with the HTTP/2 cipher list and ALPN advertising {@code h2}.
 *
 * <p>NOTE(review): {@code InsecureTrustManagerFactory.INSTANCE} accepts any server
 * certificate without verification, so the connection is encrypted but the peer is not
 * authenticated. That is only acceptable against test targets; take the trust source from
 * configuration for anything else. An {@link SSLException} is dropped without logging and
 * turned into a {@code null} return.
 *
 * @return the client context, or {@code null} if building it failed
 */
private SslContext getSslContext() {
    final SslProvider chosenProvider;
    if (OpenSsl.isAlpnSupported()) {
        chosenProvider = SslProvider.OPENSSL;
    } else {
        chosenProvider = SslProvider.JDK;
    }

    try {
        return SslContextBuilder.forClient()
                .sslProvider(chosenProvider)
                .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
                // Accepts every certificate - see the review note above.
                .trustManager(InsecureTrustManagerFactory.INSTANCE)
                .applicationProtocolConfig(new ApplicationProtocolConfig(
                        Protocol.ALPN,
                        SelectorFailureBehavior.NO_ADVERTISE,
                        SelectedListenerFailureBehavior.ACCEPT,
                        ApplicationProtocolNames.HTTP_2))
                .build();
    } catch (SSLException exception) {
        return null;
    }
}
Example #19
Source File: GrpcStartable.java From txle with Apache License 2.0 | 6 votes |
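/**
 * Builds the gRPC server TLS builder from the configured certificate and key, with the
 * protocols and cipher suites taken from the classpath resource {@code ssl.properties}.
 *
 * <p>Changes from the previous version: the {@code protocols} property is split on commas
 * like {@code ciphers} (it used to be passed as one string, so a comma-separated list
 * became a single, invalid protocol name); the properties stream is closed after loading;
 * and a missing {@code ssl.properties} is reported as an {@link IllegalStateException}
 * instead of a NullPointerException from {@code Properties.load}.
 *
 * <p>With mutual authentication enabled, a client certificate is required and verified
 * against the configured client certificate.
 *
 * @param config supplies certificate, key, mutual-auth flag and client certificate
 * @return the builder configured for gRPC with the OpenSSL provider
 * @throws IllegalStateException if {@code ssl.properties} is missing or unreadable
 */
private SslContextBuilder getSslContextBuilder(GrpcServerConfig config) {

  Properties prop = new Properties();
  ClassLoader classLoader = getClass().getClassLoader();
  try (java.io.InputStream sslProperties = classLoader.getResourceAsStream("ssl.properties")) {
    if (sslProperties == null) {
      // getResourceAsStream returns null when the resource is not on the classpath.
      throw new IllegalStateException("Unable to read ssl.properties.");
    }
    prop.load(sslProperties);
  } catch (IOException e) {
    throw new IllegalStateException("Unable to read ssl.properties.", e);
  }

  InputStream cert = getInputStream(classLoader, config.getCert(), "Server Cert");
  InputStream key = getInputStream(classLoader, config.getKey(), "Server Key");

  SslContextBuilder sslClientContextBuilder = SslContextBuilder.forServer(cert, key)
      // Both properties are comma-separated lists; a single value is left unchanged by split.
      .protocols(prop.getProperty("protocols").split(","))
      .ciphers(Arrays.asList(prop.getProperty("ciphers").split(",")));
  if (config.isMutualAuth()) {
    InputStream clientCert = getInputStream(classLoader, config.getClientCert(), "Client Cert");
    sslClientContextBuilder.trustManager(clientCert);
    sslClientContextBuilder.clientAuth(ClientAuth.REQUIRE);
  }
  return GrpcSslContexts.configure(sslClientContextBuilder,
      SslProvider.OPENSSL);
}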
Example #20
Source File: Endpoint.java From fabric-sdk-java with Apache License 2.0 | 5 votes |
/**
 * Creates the gRPC client TLS builder and attaches the client identity when both the key
 * and the certificate are supplied.
 *
 * <p>NOTE(review): the debug message says "no ssl context", but the builder is still
 * returned configured for TLS; what is missing in that branch is only the client
 * certificate for mutual TLS.
 *
 * @param clientCert  client certificate chain, may be {@code null}
 * @param clientKey   client private key, may be {@code null}
 * @param sslprovider TLS provider handed to {@code GrpcSslContexts.configure}
 * @return the configured builder, with or without client key material
 */
SslContextBuilder getSslContextBuilder(X509Certificate[] clientCert, PrivateKey clientKey, SslProvider sslprovider) {
    final SslContextBuilder configured = GrpcSslContexts.configure(SslContextBuilder.forClient(), sslprovider);

    if (clientKey == null || clientCert == null) {
        logger.debug(format("Endpoint %s with no ssl context", url));
        return configured;
    }
    return configured.keyManager(clientKey, clientCert);
}
Example #21
Source File: WebSocketClientIT.java From timely with Apache License 2.0 | 5 votes |
/**
 * Builds the JDK client TLS context for the test, trusting only the client trust store
 * file, and keeps the underlying {@code javax.net.ssl.SSLContext} in {@code sslCtx}.
 *
 * @throws Exception if the context cannot be built
 */
private void setupSslCtx() throws Exception {
    Assert.assertNotNull(clientTrustStoreFile);

    SslContext nettyContext = SslContextBuilder.forClient()
            .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
            .sslProvider(SslProvider.JDK)
            // Trust the server cert
            .trustManager(clientTrustStoreFile)
            .build();

    Assert.assertTrue(nettyContext.isClient());
    Assert.assertTrue(nettyContext instanceof JdkSslContext);
    // The instanceof assertion above guards this cast.
    sslCtx = ((JdkSslContext) nettyContext).context();
}
Example #22
Source File: Balancer.java From timely with Apache License 2.0 | 5 votes |
/**
 * Builds the balancer's server TLS context, either from a generated self-signed certificate
 * (valid for one day, subject "localhost") or from the configured certificate and key files.
 *
 * <p>NOTE(review): client authentication is OPTIONAL, so a client without a certificate can
 * still complete the handshake; whatever sits behind this context has to enforce
 * authentication itself. The trust store is applied only when a non-empty path is set.
 *
 * @param config balancer configuration holding the server SSL settings
 * @return the built server context
 * @throws IllegalArgumentException if the certificate or key file is not configured
 * @throws Exception if the certificate cannot be generated or the context cannot be built
 */
protected SslContext createSSLContext(BalancerConfiguration config) throws Exception {

    final ServerSsl sslCfg = config.getSecurity().getServerSsl();
    final SslContextBuilder ssl;

    Boolean generate = sslCfg.isUseGeneratedKeypair();
    if (!generate) {
        final String cert = sslCfg.getCertificateFile();
        final String key = sslCfg.getKeyFile();
        final String keyPass = sslCfg.getKeyPassword();
        if (cert == null || key == null) {
            throw new IllegalArgumentException("Check your SSL properties, something is wrong.");
        }
        ssl = SslContextBuilder.forServer(new File(cert), new File(key), keyPass);
    } else {
        LOG.warn("Using generated self signed server certificate");
        final long oneDayMillis = 24L * 60 * 60 * 1000;
        final Date notBefore = new Date();
        final Date notAfter = new Date(notBefore.getTime() + oneDayMillis);
        SelfSignedCertificate ssc = new SelfSignedCertificate("localhost", notBefore, notAfter);
        ssl = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey());
    }

    ssl.ciphers(sslCfg.getUseCiphers());

    // Can't set to REQUIRE because the CORS pre-flight requests will fail.
    ssl.clientAuth(ClientAuth.OPTIONAL);

    Boolean useOpenSSL = sslCfg.isUseOpenssl();
    ssl.sslProvider(useOpenSSL ? SslProvider.OPENSSL : SslProvider.JDK);

    final String trustStore = sslCfg.getTrustStoreFile();
    if (trustStore != null && !trustStore.isEmpty()) {
        ssl.trustManager(new File(trustStore));
    }
    return ssl.build();
}
Example #23
Source File: Server.java From timely with Apache License 2.0 | 5 votes |
/**
 * Builds the server TLS context, either from a generated self-signed certificate (valid for
 * seven days, subject "localhost") or from the configured certificate and key files.
 *
 * <p>NOTE(review): client authentication is OPTIONAL, so a client without a certificate can
 * still complete the handshake; whatever sits behind this context has to enforce
 * authentication itself. The trust store is applied only when a non-empty path is set.
 *
 * @param config server configuration holding the server SSL settings
 * @return the built server context
 * @throws IllegalArgumentException if the certificate or key file is not configured
 * @throws Exception if the certificate cannot be generated or the context cannot be built
 */
protected SslContext createSSLContext(Configuration config) throws Exception {

    final ServerSsl sslCfg = config.getSecurity().getServerSsl();
    final SslContextBuilder ssl;

    Boolean generate = sslCfg.isUseGeneratedKeypair();
    if (!generate) {
        final String cert = sslCfg.getCertificateFile();
        final String key = sslCfg.getKeyFile();
        final String keyPass = sslCfg.getKeyPassword();
        if (cert == null || key == null) {
            throw new IllegalArgumentException("Check your SSL properties, something is wrong.");
        }
        ssl = SslContextBuilder.forServer(new File(cert), new File(key), keyPass);
    } else {
        LOG.warn("Using generated self signed server certificate");
        final Date notBefore = new Date();
        final Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(7));
        SelfSignedCertificate ssc = new SelfSignedCertificate("localhost", notBefore, notAfter);
        ssl = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey());
    }

    ssl.ciphers(sslCfg.getUseCiphers());

    // Can't set to REQUIRE because the CORS pre-flight requests will fail.
    ssl.clientAuth(ClientAuth.OPTIONAL);

    Boolean useOpenSSL = sslCfg.isUseOpenssl();
    ssl.sslProvider(useOpenSSL ? SslProvider.OPENSSL : SslProvider.JDK);

    final String trustStore = sslCfg.getTrustStoreFile();
    if (trustStore != null && !trustStore.isEmpty()) {
        ssl.trustManager(new File(trustStore));
    }
    return ssl.build();
}
Example #24
Source File: TlsTest.java From grpc-java with Apache License 2.0 | 5 votes |
/**
 * Creates a Netty gRPC server builder whose TLS context requires a client certificate and
 * verifies it against {@code serverTrustedCaCerts}.
 *
 * @param port                 port to listen on
 * @param serverCertChainFile  server certificate chain
 * @param serverPrivateKeyFile server private key
 * @param serverTrustedCaCerts CA certificates trusted for client certificates
 * @return the server builder with the TLS context installed
 * @throws IOException declared by the signature; the context build is the visible source
 */
private ServerBuilder<?> serverBuilder(int port, File serverCertChainFile,
    File serverPrivateKeyFile, X509Certificate[] serverTrustedCaCerts) throws IOException {
  SslContextBuilder contextBuilder =
      SslContextBuilder.forServer(serverCertChainFile, serverPrivateKeyFile);

  // The JDK case goes through the overload that takes the concrete security provider.
  if (sslProvider != SslProvider.JDK) {
    GrpcSslContexts.configure(contextBuilder, sslProvider);
  } else {
    GrpcSslContexts.configure(contextBuilder, jdkProvider);
  }

  // Mutual TLS: client certificates are mandatory and checked against the trusted CAs.
  contextBuilder.trustManager(serverTrustedCaCerts);
  contextBuilder.clientAuth(ClientAuth.REQUIRE);

  return NettyServerBuilder.forPort(port).sslContext(contextBuilder.build());
}
Example #25
Source File: OcspTest.java From netty-4.1.22 with Apache License 2.0 | 5 votes |
/**
 * Requesting OCSP on a client context with the JDK provider must be rejected with an
 * {@link IllegalArgumentException} rather than accepted and ignored.
 */
@Test(expected = IllegalArgumentException.class)
public void testJdkClientEnableOcsp() throws Exception {
    SslContextBuilder ocspOnJdk = SslContextBuilder.forClient()
            .sslProvider(SslProvider.JDK)
            .enableOcsp(true);
    ocspOnJdk.build();
}
Example #26
Source File: HttpApiHandler.java From component-runtime with Apache License 2.0 | 5 votes |
/**
 * Lazily creates a TLS context backed by a freshly generated self-signed certificate and
 * stores the underlying JDK {@code SSLContext} in {@code sslContext}. Does nothing when a
 * context is already set.
 *
 * <p>NOTE(review): the context uses {@code InsecureTrustManagerFactory.INSTANCE}, which
 * accepts any peer certificate without verification, together with a throwaway self-signed
 * certificate. That gives encryption without authentication and is only suitable for
 * test or mock setups.
 *
 * @return this handler, for chaining
 * @throws IllegalStateException if the certificate or the context cannot be created
 */
public T activeSsl() {
    if (sslContext == null) {
        try {
            final SelfSignedCertificate certificate = new SelfSignedCertificate();
            // Positional factory call; the argument roles beyond those visible by name are
            // not restated here - check the SslContext.newServerContext signature.
            final SslContext nettyContext = SslContext
                    .newServerContext(SslProvider.JDK, null, InsecureTrustManagerFactory.INSTANCE,
                            certificate.certificate(), certificate.privateKey(), null, null, null,
                            IdentityCipherSuiteFilter.INSTANCE, null, 0, 0);
            // The JDK provider was requested above, so the result is cast to JdkSslContext.
            sslContext = JdkSslContext.class.cast(nettyContext).context();
        } catch (final SSLException | CertificateException e) {
            throw new IllegalStateException(e);
        }
    }
    return (T) this;
}
Example #27
Source File: TwoWaySSLFailureIT.java From qonduit with Apache License 2.0 | 5 votes |
/**
 * Builds a client socket factory that presents the SERVER's certificate and key as its
 * client identity and trusts the client trust store file.
 *
 * <p>NOTE(review): presenting the server certificate as the client identity looks
 * deliberate, given the "failure" in the enclosing test class name - confirm against the
 * test's assertions.
 *
 * @return the socket factory of the underlying JDK {@code SSLContext}
 * @throws Exception if the context cannot be built
 */
protected SSLSocketFactory getSSLSocketFactory() throws Exception {
    SslContext nettyContext = SslContextBuilder.forClient()
            .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
            // Use server cert / key on client side
            .keyManager(serverCert.key(), (String) null, serverCert.cert())
            .sslProvider(SslProvider.JDK)
            // Trust the server cert
            .trustManager(clientTrustStoreFile)
            .build();

    Assert.assertTrue(nettyContext.isClient());
    SSLContext jdkSslContext = ((JdkSslContext) nettyContext).context();
    return jdkSslContext.getSocketFactory();
}
Example #28
Source File: MqttSslContextCreator.java From spring-boot-protocol with Apache License 2.0 | 5 votes |
/**
 * Initialises the broker's server TLS context from the configured properties.
 *
 * <p>Returns {@code null}, after logging, in three cases: the key manager password is
 * missing or empty, the provider is not one of the handled values, or loading the key
 * material fails. Callers have to treat {@code null} as "TLS not available". The password
 * itself is never logged.
 *
 * @return the built context, or {@code null} if it could not be initialised
 */
public SslContext initSSLContext() {
    logger.info("Checking SSL configuration properties...");

    final String keyPassword = props.getProperty(BrokerConstants.KEY_MANAGER_PASSWORD_PROPERTY_NAME);
    final boolean passwordMissing = keyPassword == null || keyPassword.isEmpty();
    if (passwordMissing) {
        logger.warn("The key manager password is null or empty. The SSL context won't be initialized.");
        return null;
    }

    try {
        final SslProvider selectedProvider = getSSLProvider();
        final KeyStore keyStore = loadKeyStore();
        final SslContextBuilder contextBuilder;
        switch (selectedProvider) {
            case JDK:
                contextBuilder = builderWithJdkProvider(keyStore, keyPassword);
                break;
            case OPENSSL:
            case OPENSSL_REFCNT:
                contextBuilder = builderWithOpenSSLProvider(keyStore, keyPassword);
                break;
            default:
                logger.error("unsupported SSL provider "+ selectedProvider);
                return null;
        }

        // With client authentication enabled, a trust manager has to be added to the
        // server context. Any value other than "true" (ignoring case) leaves it off.
        final String needsClientAuth = props.getProperty(BrokerConstants.NEED_CLIENT_AUTH, "false");
        if (Boolean.parseBoolean(needsClientAuth)) {
            addClientAuthentication(keyStore, contextBuilder);
        }

        contextBuilder.sslProvider(selectedProvider);
        final SslContext builtContext = contextBuilder.build();
        logger.info("The SSL context has been initialized successfully.");
        return builtContext;
    } catch (GeneralSecurityException | IOException ex) {
        logger.error("Unable to initialize SSL context.", ex);
        return null;
    }
}
Example #29
Source File: ClientRemoteAutoConfiguration.java From super-cloudops with Apache License 2.0 | 5 votes |
/** * Clearly specify OpenSSL, because jdk8 may have performance problems, See: * https://www.cnblogs.com/wade-luffy/p/6019743.html#_label1 * * @return * @throws SSLException * @see {@link io.netty.handler.ssl.ReferenceCountedOpenSslContext} */ // @Bean // @ConditionalOnMissingBean public SslContext sslContext(RemoteProperties props) throws SSLException { SslProperties ssl = props.getSslProperties(); List<String> ciphers = ssl.getCiphers() == null ? SslProperties.DEFAULT_CIPHERS : ssl.getCiphers(); return SslContextBuilder.forServer(new File(ssl.getKeyCertChainFile()), new File(ssl.getKeyFile())) .sslProvider(SslProvider.OPENSSL).ciphers(ciphers).clientAuth(ClientAuth.REQUIRE) .trustManager(InsecureTrustManagerFactory.INSTANCE).build(); }
Example #30
Source File: GrpcSslContexts.java From grpc-java with Apache License 2.0 | 5 votes |
/**
 * Set ciphers and APN appropriate for gRPC. Precisely what is set is permitted to change, so if
 * an application requires particular settings it should override the options set here.
 *
 * <p>The application-protocol mechanism depends on the JDK security provider. For the provider
 * named by {@code SUN_PROVIDER_NAME} the checks run in a fixed order - Jetty ALPN, then Jetty
 * NPN, then the Java 9 ALPN API - and the first match wins. For a Conscrypt provider ALPN is
 * used. Any other provider is rejected.
 *
 * @param builder     builder to configure; returned for chaining
 * @param jdkProvider JDK security provider to install as the context provider
 * @return {@code builder}, set to the JDK SslProvider with the HTTP/2 cipher list, the chosen
 *         protocol config and {@code jdkProvider}
 * @throws IllegalArgumentException if the provider is unknown, or if it is the
 *         {@code SUN_PROVIDER_NAME} provider and none of the ALPN/NPN mechanisms is available
 */
@CanIgnoreReturnValue
public static SslContextBuilder configure(SslContextBuilder builder, Provider jdkProvider) {
  ApplicationProtocolConfig apc;
  if (SUN_PROVIDER_NAME.equals(jdkProvider.getName())) {
    // Jetty ALPN/NPN only supports one of NPN or ALPN
    // The order of these checks is significant: a configured Jetty NPN is chosen before the
    // Java 9 ALPN API is even consulted.
    if (JettyTlsUtil.isJettyAlpnConfigured()) {
      apc = ALPN;
    } else if (JettyTlsUtil.isJettyNpnConfigured()) {
      apc = NPN;
    } else if (JettyTlsUtil.isJava9AlpnAvailable()) {
      apc = ALPN;
    } else {
      throw new IllegalArgumentException(
          SUN_PROVIDER_NAME + " selected, but Java 9+ and Jetty NPN/ALPN unavailable");
    }
  } else if (ConscryptLoader.isConscrypt(jdkProvider)) {
    apc = ALPN;
  } else {
    // Fail closed on a provider this method does not know how to configure.
    throw new IllegalArgumentException("Unknown provider; can't configure: " + jdkProvider);
  }
  return builder
      .sslProvider(SslProvider.JDK)
      .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
      .applicationProtocolConfig(apc)
      .sslContextProvider(jdkProvider);
}