org.apache.rocketmq.remoting.common.TlsMode Java Examples
The following examples show how to use
org.apache.rocketmq.remoting.common.TlsMode.
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
| Source File: TlsTest.java From rocketmq-read with Apache License 2.0 | 4 votes |
|
@Before
public void setUp() throws InterruptedException {
tlsMode = TlsMode.ENFORCING;
tlsTestModeEnable = false;
tlsServerNeedClientAuth = "require";
tlsServerKeyPath = getCertsPath("server.key");
tlsServerCertPath = getCertsPath("server.pem");
tlsServerAuthClient = true;
tlsServerTrustCertPath = getCertsPath("ca.pem");
tlsClientKeyPath = getCertsPath("client.key");
tlsClientCertPath = getCertsPath("client.pem");
tlsClientAuthServer = true;
tlsClientTrustCertPath = getCertsPath("ca.pem");
tlsClientKeyPassword = "1234";
tlsServerKeyPassword = "";
NettyClientConfig clientConfig = new NettyClientConfig();
clientConfig.setUseTLS(true);
if ("serverRejectsUntrustedClientCert".equals(name.getMethodName())) {
// Create a client. Its credentials come from a CA that the server does not trust. The client
// trusts both test CAs to ensure the handshake failure is due to the server rejecting the client's cert.
tlsClientKeyPath = getCertsPath("badClient.key");
tlsClientCertPath = getCertsPath("badClient.pem");
} else if ("serverAcceptsUntrustedClientCert".equals(name.getMethodName())) {
tlsClientKeyPath = getCertsPath("badClient.key");
tlsClientCertPath = getCertsPath("badClient.pem");
tlsServerAuthClient = false;
}
else if ("noClientAuthFailure".equals(name.getMethodName())) {
//Clear the client cert config to ensure produce the handshake error
tlsClientKeyPath = "";
tlsClientCertPath = "";
} else if ("clientRejectsUntrustedServerCert".equals(name.getMethodName())) {
tlsServerKeyPath = getCertsPath("badServer.key");
tlsServerCertPath = getCertsPath("badServer.pem");
} else if ("clientAcceptsUntrustedServerCert".equals(name.getMethodName())) {
tlsServerKeyPath = getCertsPath("badServer.key");
tlsServerCertPath = getCertsPath("badServer.pem");
tlsClientAuthServer = false;
} else if ("serverNotNeedClientAuth".equals(name.getMethodName())) {
tlsServerNeedClientAuth = "none";
tlsClientKeyPath = "";
tlsClientCertPath = "";
} else if ("serverWantClientAuth".equals(name.getMethodName())) {
tlsServerNeedClientAuth = "optional";
} else if ("serverWantClientAuth_ButClientNoCert".equals(name.getMethodName())) {
tlsServerNeedClientAuth = "optional";
tlsClientKeyPath = "";
tlsClientCertPath = "";
} else if ("serverAcceptsUnAuthClient".equals(name.getMethodName())) {
tlsMode = TlsMode.PERMISSIVE;
tlsClientKeyPath = "";
tlsClientCertPath = "";
clientConfig.setUseTLS(false);
} else if ("serverRejectsSSLClient".equals(name.getMethodName())) {
tlsMode = TlsMode.DISABLED;
} else if ("reloadSslContextForServer".equals(name.getMethodName())) {
tlsClientAuthServer = false;
tlsServerNeedClientAuth = "none";
}
remotingServer = RemotingServerTest.createRemotingServer();
remotingClient = RemotingServerTest.createRemotingClient(clientConfig);
}
Example #2
| Source File: NamesrvController.java From rocketmq with Apache License 2.0 | 4 votes |
|
public boolean initialize() {
this.kvConfigManager.load();
this.remotingServer = new NettyRemotingServer(this.nettyServerConfig, this.brokerHousekeepingService);
this.remotingExecutor =
Executors.newFixedThreadPool(nettyServerConfig.getServerWorkerThreads(), new ThreadFactoryImpl("RemotingExecutorThread_"));
this.registerProcessor();
this.scheduledExecutorService.scheduleAtFixedRate(new Runnable() {
@Override
public void run() {
NamesrvController.this.routeInfoManager.scanNotActiveBroker();
}
}, 5, 10, TimeUnit.SECONDS);
this.scheduledExecutorService.scheduleAtFixedRate(new Runnable() {
@Override
public void run() {
NamesrvController.this.kvConfigManager.printAllPeriodically();
}
}, 1, 10, TimeUnit.MINUTES);
if (TlsSystemConfig.tlsMode != TlsMode.DISABLED) {
// Register a listener to reload SslContext
try {
fileWatchService = new FileWatchService(
new String[] {
TlsSystemConfig.tlsServerCertPath,
TlsSystemConfig.tlsServerKeyPath,
TlsSystemConfig.tlsServerTrustCertPath
},
new FileWatchService.Listener() {
boolean certChanged, keyChanged = false;
@Override
public void onChanged(String path) {
if (path.equals(TlsSystemConfig.tlsServerTrustCertPath)) {
log.info("The trust certificate changed, reload the ssl context");
reloadServerSslContext();
}
if (path.equals(TlsSystemConfig.tlsServerCertPath)) {
certChanged = true;
}
if (path.equals(TlsSystemConfig.tlsServerKeyPath)) {
keyChanged = true;
}
if (certChanged && keyChanged) {
log.info("The certificate and private key changed, reload the ssl context");
certChanged = keyChanged = false;
reloadServerSslContext();
}
}
private void reloadServerSslContext() {
((NettyRemotingServer) remotingServer).loadSslContext();
}
});
} catch (Exception e) {
log.warn("FileWatchService created error, can't load the certificate dynamically");
}
}
return true;
}
Example #3
| Source File: TlsTest.java From rocketmq with Apache License 2.0 | 4 votes |
|
@After
public void tearDown() {
remotingClient.shutdown();
remotingServer.shutdown();
tlsMode = TlsMode.PERMISSIVE;
}
Example #4
| Source File: TlsTest.java From rocketmq with Apache License 2.0 | 4 votes |
|
@Before
public void setUp() throws InterruptedException {
tlsMode = TlsMode.ENFORCING;
tlsTestModeEnable = false;
tlsServerNeedClientAuth = "require";
tlsServerKeyPath = getCertsPath("server.key");
tlsServerCertPath = getCertsPath("server.pem");
tlsServerAuthClient = true;
tlsServerTrustCertPath = getCertsPath("ca.pem");
tlsClientKeyPath = getCertsPath("client.key");
tlsClientCertPath = getCertsPath("client.pem");
tlsClientAuthServer = true;
tlsClientTrustCertPath = getCertsPath("ca.pem");
tlsClientKeyPassword = "1234";
tlsServerKeyPassword = "";
NettyClientConfig clientConfig = new NettyClientConfig();
clientConfig.setUseTLS(true);
if ("serverRejectsUntrustedClientCert".equals(name.getMethodName())) {
// Create a client. Its credentials come from a CA that the server does not trust. The client
// trusts both test CAs to ensure the handshake failure is due to the server rejecting the client's cert.
tlsClientKeyPath = getCertsPath("badClient.key");
tlsClientCertPath = getCertsPath("badClient.pem");
} else if ("serverAcceptsUntrustedClientCert".equals(name.getMethodName())) {
tlsClientKeyPath = getCertsPath("badClient.key");
tlsClientCertPath = getCertsPath("badClient.pem");
tlsServerAuthClient = false;
}
else if ("noClientAuthFailure".equals(name.getMethodName())) {
//Clear the client cert config to ensure produce the handshake error
tlsClientKeyPath = "";
tlsClientCertPath = "";
} else if ("clientRejectsUntrustedServerCert".equals(name.getMethodName())) {
tlsServerKeyPath = getCertsPath("badServer.key");
tlsServerCertPath = getCertsPath("badServer.pem");
} else if ("clientAcceptsUntrustedServerCert".equals(name.getMethodName())) {
tlsServerKeyPath = getCertsPath("badServer.key");
tlsServerCertPath = getCertsPath("badServer.pem");
tlsClientAuthServer = false;
} else if ("serverNotNeedClientAuth".equals(name.getMethodName())) {
tlsServerNeedClientAuth = "none";
tlsClientKeyPath = "";
tlsClientCertPath = "";
} else if ("serverWantClientAuth".equals(name.getMethodName())) {
tlsServerNeedClientAuth = "optional";
} else if ("serverWantClientAuth_ButClientNoCert".equals(name.getMethodName())) {
tlsServerNeedClientAuth = "optional";
tlsClientKeyPath = "";
tlsClientCertPath = "";
} else if ("serverAcceptsUnAuthClient".equals(name.getMethodName())) {
tlsMode = TlsMode.PERMISSIVE;
tlsClientKeyPath = "";
tlsClientCertPath = "";
clientConfig.setUseTLS(false);
} else if ("serverRejectsSSLClient".equals(name.getMethodName())) {
tlsMode = TlsMode.DISABLED;
} else if ("reloadSslContextForServer".equals(name.getMethodName())) {
tlsClientAuthServer = false;
tlsServerNeedClientAuth = "none";
}
remotingServer = RemotingServerTest.createRemotingServer();
remotingClient = RemotingServerTest.createRemotingClient(clientConfig);
}
Example #5
| Source File: NettyRemotingServer.java From rocketmq with Apache License 2.0 | 4 votes |
|
@Override
protected void channelRead0(ChannelHandlerContext ctx, ByteBuf msg) throws Exception {
// mark the current position so that we can peek the first byte to determine if the content is starting with
// TLS handshake
msg.markReaderIndex();
byte b = msg.getByte(0);
if (b == HANDSHAKE_MAGIC_CODE) {
switch (tlsMode) {
case DISABLED:
ctx.close();
log.warn("Clients intend to establish an SSL connection while this server is running in SSL disabled mode");
break;
case PERMISSIVE:
case ENFORCING:
if (null != sslContext) {
ctx.pipeline()
.addAfter(defaultEventExecutorGroup, HANDSHAKE_HANDLER_NAME, TLS_HANDLER_NAME, sslContext.newHandler(ctx.channel().alloc()))
.addAfter(defaultEventExecutorGroup, TLS_HANDLER_NAME, FILE_REGION_ENCODER_NAME, new FileRegionEncoder());
log.info("Handlers prepended to channel pipeline to establish SSL connection");
} else {
ctx.close();
log.error("Trying to establish an SSL connection but sslContext is null");
}
break;
default:
log.warn("Unknown TLS mode");
break;
}
} else if (tlsMode == TlsMode.ENFORCING) {
ctx.close();
log.warn("Clients intend to establish an insecure connection while this server is running in SSL enforcing mode");
}
// reset the reader index so that handshake negotiation may proceed as normal.
msg.resetReaderIndex();
try {
// Remove this handler
ctx.pipeline().remove(this);
} catch (NoSuchElementException e) {
log.error("Error while removing HandshakeHandler", e);
}
// Hand over this message to the next .
ctx.fireChannelRead(msg.retain());
}
Example #6
| Source File: NettyRemotingServer.java From rocketmq with Apache License 2.0 | 4 votes |
|
HandshakeHandler(TlsMode tlsMode) {
this.tlsMode = tlsMode;
}
Example #7
| Source File: TlsTest.java From DDMQ with Apache License 2.0 | 4 votes |
|
@After
public void tearDown() {
remotingClient.shutdown();
remotingServer.shutdown();
tlsMode = TlsMode.PERMISSIVE;
}
Example #8
| Source File: TlsTest.java From DDMQ with Apache License 2.0 | 4 votes |
|
@Before
public void setUp() throws InterruptedException {
tlsMode = TlsMode.ENFORCING;
tlsTestModeEnable = false;
tlsServerNeedClientAuth = "require";
tlsServerKeyPath = getCertsPath("server.key");
tlsServerCertPath = getCertsPath("server.pem");
tlsServerAuthClient = true;
tlsServerTrustCertPath = getCertsPath("ca.pem");
tlsClientKeyPath = getCertsPath("client.key");
tlsClientCertPath = getCertsPath("client.pem");
tlsClientAuthServer = true;
tlsClientTrustCertPath = getCertsPath("ca.pem");
tlsClientKeyPassword = "1234";
tlsServerKeyPassword = "";
NettyClientConfig clientConfig = new NettyClientConfig();
clientConfig.setUseTLS(true);
if ("serverRejectsUntrustedClientCert".equals(name.getMethodName())) {
// Create a client. Its credentials come from a CA that the server does not trust. The client
// trusts both test CAs to ensure the handshake failure is due to the server rejecting the client's cert.
tlsClientKeyPath = getCertsPath("badClient.key");
tlsClientCertPath = getCertsPath("badClient.pem");
} else if ("serverAcceptsUntrustedClientCert".equals(name.getMethodName())) {
tlsClientKeyPath = getCertsPath("badClient.key");
tlsClientCertPath = getCertsPath("badClient.pem");
tlsServerAuthClient = false;
}
else if ("noClientAuthFailure".equals(name.getMethodName())) {
//Clear the client cert config to ensure produce the handshake error
tlsClientKeyPath = "";
tlsClientCertPath = "";
} else if ("clientRejectsUntrustedServerCert".equals(name.getMethodName())) {
tlsServerKeyPath = getCertsPath("badServer.key");
tlsServerCertPath = getCertsPath("badServer.pem");
} else if ("clientAcceptsUntrustedServerCert".equals(name.getMethodName())) {
tlsServerKeyPath = getCertsPath("badServer.key");
tlsServerCertPath = getCertsPath("badServer.pem");
tlsClientAuthServer = false;
} else if ("serverNotNeedClientAuth".equals(name.getMethodName())) {
tlsServerNeedClientAuth = "none";
tlsClientKeyPath = "";
tlsClientCertPath = "";
} else if ("serverWantClientAuth".equals(name.getMethodName())) {
tlsServerNeedClientAuth = "optional";
} else if ("serverWantClientAuth_ButClientNoCert".equals(name.getMethodName())) {
tlsServerNeedClientAuth = "optional";
tlsClientKeyPath = "";
tlsClientCertPath = "";
} else if ("serverAcceptsUnAuthClient".equals(name.getMethodName())) {
tlsMode = TlsMode.PERMISSIVE;
tlsClientKeyPath = "";
tlsClientCertPath = "";
clientConfig.setUseTLS(false);
} else if ("serverRejectsSSLClient".equals(name.getMethodName())) {
tlsMode = TlsMode.DISABLED;
}
remotingServer = RemotingServerTest.createRemotingServer();
remotingClient = RemotingServerTest.createRemotingClient(clientConfig);
}
Example #9
| Source File: NettyRemotingServer.java From DDMQ with Apache License 2.0 | 4 votes |
|
@Override
protected void channelRead0(ChannelHandlerContext ctx, ByteBuf msg) throws Exception {
// mark the current position so that we can peek the first byte to determine if the content is starting with
// TLS handshake
msg.markReaderIndex();
byte b = msg.getByte(0);
if (b == HANDSHAKE_MAGIC_CODE) {
switch (tlsMode) {
case DISABLED:
ctx.close();
log.warn("Clients intend to establish a SSL connection while this server is running in SSL disabled mode");
break;
case PERMISSIVE:
case ENFORCING:
if (null != sslContext) {
ctx.pipeline()
.addAfter(defaultEventExecutorGroup, HANDSHAKE_HANDLER_NAME, TLS_HANDLER_NAME, sslContext.newHandler(ctx.channel().alloc()))
.addAfter(defaultEventExecutorGroup, TLS_HANDLER_NAME, FILE_REGION_ENCODER_NAME, new FileRegionEncoder());
log.info("Handlers prepended to channel pipeline to establish SSL connection");
} else {
ctx.close();
log.error("Trying to establish a SSL connection but sslContext is null");
}
break;
default:
log.warn("Unknown TLS mode");
break;
}
} else if (tlsMode == TlsMode.ENFORCING) {
ctx.close();
log.warn("Clients intend to establish an insecure connection while this server is running in SSL enforcing mode");
}
// reset the reader index so that handshake negotiation may proceed as normal.
msg.resetReaderIndex();
try {
// Remove this handler
ctx.pipeline().remove(this);
} catch (NoSuchElementException e) {
log.error("Error while removing HandshakeHandler", e);
}
// Hand over this message to the next .
ctx.fireChannelRead(msg.retain());
}
Example #10
| Source File: NettyRemotingServer.java From DDMQ with Apache License 2.0 | 4 votes |
|
HandshakeHandler(TlsMode tlsMode) {
this.tlsMode = tlsMode;
}
Example #11
| Source File: NamesrvController.java From rocketmq-read with Apache License 2.0 | 4 votes |
|
/**
* NameServerController的初始化函数
* @return ;
*/
public boolean initialize() {
/*
* load kvconfigManager
*/
this.kvConfigManager.load();
//实例化通信层Server
this.remotingServer = new NettyRemotingServer(this.nettyServerConfig, this.brokerHousekeepingService);
//实例化通信层线程池
this.remotingExecutor = Executors.newFixedThreadPool(nettyServerConfig.getServerWorkerThreads(), new ThreadFactoryImpl("RemotingExecutorThread_"));
//注册Processor
this.registerProcessor();
//定时扫描不活跃的Broker
this.scheduledExecutorService.scheduleAtFixedRate(new Runnable() {
@Override
public void run() {
NamesrvController.this.routeInfoManager.scanNotActiveBroker();
}
}, 5, 10, TimeUnit.SECONDS);
//定时扫描KVconfigManager
this.scheduledExecutorService.scheduleAtFixedRate(new Runnable() {
@Override
public void run() {
NamesrvController.this.kvConfigManager.printAllPeriodically();
}
}, 1, 10, TimeUnit.MINUTES);
//TSL相关,就是监听到tsl证书更新了,触发 NettyRemotingServer.loadSslContext() 代码;
if (TlsSystemConfig.tlsMode != TlsMode.DISABLED) {
// Register a listener to reload SslContext
try {
fileWatchService = new FileWatchService(
new String[] {
TlsSystemConfig.tlsServerCertPath,
TlsSystemConfig.tlsServerKeyPath,
TlsSystemConfig.tlsServerTrustCertPath
},
new FileWatchService.Listener() {
boolean certChanged, keyChanged = false;
@Override
public void onChanged(String path) {
if (path.equals(TlsSystemConfig.tlsServerTrustCertPath)) {
log.info("The trust certificate changed, reload the ssl context");
reloadServerSslContext();
}
if (path.equals(TlsSystemConfig.tlsServerCertPath)) {
certChanged = true;
}
if (path.equals(TlsSystemConfig.tlsServerKeyPath)) {
keyChanged = true;
}
if (certChanged && keyChanged) {
log.info("The certificate and private key changed, reload the ssl context");
certChanged = keyChanged = false;
reloadServerSslContext();
}
}
private void reloadServerSslContext() {
((NettyRemotingServer) remotingServer).loadSslContext();
}
});
} catch (Exception e) {
log.warn("FileWatchService created error, can't load the certificate dynamically");
}
}
return true;
}
Example #12
| Source File: TlsTest.java From rocketmq-read with Apache License 2.0 | 4 votes |
|
@After
public void tearDown() {
remotingClient.shutdown();
remotingServer.shutdown();
tlsMode = TlsMode.PERMISSIVE;
}
Example #13
| Source File: NettyRemotingServer.java From DDMQ with Apache License 2.0 | 4 votes |
|
HandshakeHandler(TlsMode tlsMode) {
this.tlsMode = tlsMode;
}
Example #14
| Source File: NettyRemotingServer.java From rocketmq-read with Apache License 2.0 | 4 votes |
|
@Override
protected void channelRead0(ChannelHandlerContext ctx, ByteBuf msg) throws Exception {
// mark the current position so that we can peek the first byte to determine if the content is starting with
// TLS handshake
msg.markReaderIndex();
byte b = msg.getByte(0);
if (b == HANDSHAKE_MAGIC_CODE) {
switch (tlsMode) {
case DISABLED:
ctx.close();
log.warn("Clients intend to establish a SSL connection while this server is running in SSL disabled mode");
break;
case PERMISSIVE:
case ENFORCING:
if (null != sslContext) {
ctx.pipeline()
.addAfter(defaultEventExecutorGroup, HANDSHAKE_HANDLER_NAME, TLS_HANDLER_NAME, sslContext.newHandler(ctx.channel().alloc()))
.addAfter(defaultEventExecutorGroup, TLS_HANDLER_NAME, FILE_REGION_ENCODER_NAME, new FileRegionEncoder());
log.info("Handlers prepended to channel pipeline to establish SSL connection");
} else {
ctx.close();
log.error("Trying to establish a SSL connection but sslContext is null");
}
break;
default:
log.warn("Unknown TLS mode");
break;
}
} else if (tlsMode == TlsMode.ENFORCING) {
ctx.close();
log.warn("Clients intend to establish an insecure connection while this server is running in SSL enforcing mode");
}
// reset the reader index so that handshake negotiation may proceed as normal.
msg.resetReaderIndex();
try {
// Remove this handler
ctx.pipeline().remove(this);
} catch (NoSuchElementException e) {
log.error("Error while removing HandshakeHandler", e);
}
// Hand over this message to the next .
ctx.fireChannelRead(msg.retain());
}
Example #15
| Source File: NettyRemotingServer.java From rocketmq-read with Apache License 2.0 | 4 votes |
|
HandshakeHandler(TlsMode tlsMode) {
this.tlsMode = tlsMode;
}
Example #16
| Source File: NamesrvController.java From rocketmq-4.3.0 with Apache License 2.0 | 4 votes |
|
public boolean initialize() {
// 加载配置 =》
this.kvConfigManager.load();
// 初始化netty server =》
this.remotingServer = new NettyRemotingServer(this.nettyServerConfig, this.brokerHousekeepingService);
// 初始化netty执行器 8个线程
this.remotingExecutor =
Executors.newFixedThreadPool(nettyServerConfig.getServerWorkerThreads(), new ThreadFactoryImpl("RemotingExecutorThread_"));
// 注册处理器 =》
this.registerProcessor();
this.scheduledExecutorService.scheduleAtFixedRate(new Runnable() {
@Override
public void run() {
// 扫描非活动的broker
NamesrvController.this.routeInfoManager.scanNotActiveBroker();
}
}, 5, 10, TimeUnit.SECONDS);
this.scheduledExecutorService.scheduleAtFixedRate(new Runnable() {
@Override
public void run() {
NamesrvController.this.kvConfigManager.printAllPeriodically();
}
}, 1, 10, TimeUnit.MINUTES);
if (TlsSystemConfig.tlsMode != TlsMode.DISABLED) {
// Register a listener to reload SslContext
try {
fileWatchService = new FileWatchService(
new String[] {
TlsSystemConfig.tlsServerCertPath,
TlsSystemConfig.tlsServerKeyPath,
TlsSystemConfig.tlsServerTrustCertPath
},
new FileWatchService.Listener() {
boolean certChanged, keyChanged = false;
@Override
public void onChanged(String path) {
if (path.equals(TlsSystemConfig.tlsServerTrustCertPath)) {
log.info("The trust certificate changed, reload the ssl context");
reloadServerSslContext();
}
if (path.equals(TlsSystemConfig.tlsServerCertPath)) {
certChanged = true;
}
if (path.equals(TlsSystemConfig.tlsServerKeyPath)) {
keyChanged = true;
}
if (certChanged && keyChanged) {
log.info("The certificate and private key changed, reload the ssl context");
certChanged = keyChanged = false;
reloadServerSslContext();
}
}
private void reloadServerSslContext() {
((NettyRemotingServer) remotingServer).loadSslContext();
}
});
} catch (Exception e) {
log.warn("FileWatchService created error, can't load the certificate dynamically");
}
}
return true;
}
Example #17
| Source File: TlsTest.java From rocketmq-4.3.0 with Apache License 2.0 | 4 votes |
|
@After
public void tearDown() {
remotingClient.shutdown();
remotingServer.shutdown();
tlsMode = TlsMode.PERMISSIVE;
}
Example #18
| Source File: TlsTest.java From rocketmq-4.3.0 with Apache License 2.0 | 4 votes |
|
@Before
public void setUp() throws InterruptedException {
tlsMode = TlsMode.ENFORCING;
tlsTestModeEnable = false;
tlsServerNeedClientAuth = "require";
tlsServerKeyPath = getCertsPath("server.key");
tlsServerCertPath = getCertsPath("server.pem");
tlsServerAuthClient = true;
tlsServerTrustCertPath = getCertsPath("ca.pem");
tlsClientKeyPath = getCertsPath("client.key");
tlsClientCertPath = getCertsPath("client.pem");
tlsClientAuthServer = true;
tlsClientTrustCertPath = getCertsPath("ca.pem");
tlsClientKeyPassword = "1234";
tlsServerKeyPassword = "";
NettyClientConfig clientConfig = new NettyClientConfig();
clientConfig.setUseTLS(true);
if ("serverRejectsUntrustedClientCert".equals(name.getMethodName())) {
// Create a client. Its credentials come from a CA that the server does not trust. The client
// trusts both test CAs to ensure the handshake failure is due to the server rejecting the client's cert.
tlsClientKeyPath = getCertsPath("badClient.key");
tlsClientCertPath = getCertsPath("badClient.pem");
} else if ("serverAcceptsUntrustedClientCert".equals(name.getMethodName())) {
tlsClientKeyPath = getCertsPath("badClient.key");
tlsClientCertPath = getCertsPath("badClient.pem");
tlsServerAuthClient = false;
}
else if ("noClientAuthFailure".equals(name.getMethodName())) {
//Clear the client cert config to ensure produce the handshake error
tlsClientKeyPath = "";
tlsClientCertPath = "";
} else if ("clientRejectsUntrustedServerCert".equals(name.getMethodName())) {
tlsServerKeyPath = getCertsPath("badServer.key");
tlsServerCertPath = getCertsPath("badServer.pem");
} else if ("clientAcceptsUntrustedServerCert".equals(name.getMethodName())) {
tlsServerKeyPath = getCertsPath("badServer.key");
tlsServerCertPath = getCertsPath("badServer.pem");
tlsClientAuthServer = false;
} else if ("serverNotNeedClientAuth".equals(name.getMethodName())) {
tlsServerNeedClientAuth = "none";
tlsClientKeyPath = "";
tlsClientCertPath = "";
} else if ("serverWantClientAuth".equals(name.getMethodName())) {
tlsServerNeedClientAuth = "optional";
} else if ("serverWantClientAuth_ButClientNoCert".equals(name.getMethodName())) {
tlsServerNeedClientAuth = "optional";
tlsClientKeyPath = "";
tlsClientCertPath = "";
} else if ("serverAcceptsUnAuthClient".equals(name.getMethodName())) {
tlsMode = TlsMode.PERMISSIVE;
tlsClientKeyPath = "";
tlsClientCertPath = "";
clientConfig.setUseTLS(false);
} else if ("serverRejectsSSLClient".equals(name.getMethodName())) {
tlsMode = TlsMode.DISABLED;
} else if ("reloadSslContextForServer".equals(name.getMethodName())) {
tlsClientAuthServer = false;
tlsServerNeedClientAuth = "none";
}
remotingServer = RemotingServerTest.createRemotingServer();
remotingClient = RemotingServerTest.createRemotingClient(clientConfig);
}
Example #19
| Source File: NettyRemotingServer.java From rocketmq-4.3.0 with Apache License 2.0 | 4 votes |
|
@Override
protected void channelRead0(ChannelHandlerContext ctx, ByteBuf msg) throws Exception {
// mark the current position so that we can peek the first byte to determine if the content is starting with
// TLS handshake
msg.markReaderIndex();
byte b = msg.getByte(0);
if (b == HANDSHAKE_MAGIC_CODE) {
switch (tlsMode) {
case DISABLED:
ctx.close();
log.warn("Clients intend to establish a SSL connection while this server is running in SSL disabled mode");
break;
case PERMISSIVE:
case ENFORCING:
if (null != sslContext) {
ctx.pipeline()
.addAfter(defaultEventExecutorGroup, HANDSHAKE_HANDLER_NAME, TLS_HANDLER_NAME, sslContext.newHandler(ctx.channel().alloc()))
.addAfter(defaultEventExecutorGroup, TLS_HANDLER_NAME, FILE_REGION_ENCODER_NAME, new FileRegionEncoder());
log.info("Handlers prepended to channel pipeline to establish SSL connection");
} else {
ctx.close();
log.error("Trying to establish a SSL connection but sslContext is null");
}
break;
default:
log.warn("Unknown TLS mode");
break;
}
} else if (tlsMode == TlsMode.ENFORCING) {
ctx.close();
log.warn("Clients intend to establish an insecure connection while this server is running in SSL enforcing mode");
}
// reset the reader index so that handshake negotiation may proceed as normal.
msg.resetReaderIndex();
try {
// Remove this handler
ctx.pipeline().remove(this);
} catch (NoSuchElementException e) {
log.error("Error while removing HandshakeHandler", e);
}
// Hand over this message to the next .
ctx.fireChannelRead(msg.retain());
}
Example #20
| Source File: NettyRemotingServer.java From rocketmq-4.3.0 with Apache License 2.0 | 4 votes |
|
HandshakeHandler(TlsMode tlsMode) {
this.tlsMode = tlsMode;
}
Example #21
| Source File: TlsTest.java From DDMQ with Apache License 2.0 | 4 votes |
|
@After
public void tearDown() {
remotingClient.shutdown();
remotingServer.shutdown();
tlsMode = TlsMode.PERMISSIVE;
}
Example #22
| Source File: TlsTest.java From DDMQ with Apache License 2.0 | 4 votes |
|
@Before
public void setUp() throws InterruptedException {
tlsMode = TlsMode.ENFORCING;
tlsTestModeEnable = false;
tlsServerNeedClientAuth = "require";
tlsServerKeyPath = getCertsPath("server.key");
tlsServerCertPath = getCertsPath("server.pem");
tlsServerAuthClient = true;
tlsServerTrustCertPath = getCertsPath("ca.pem");
tlsClientKeyPath = getCertsPath("client.key");
tlsClientCertPath = getCertsPath("client.pem");
tlsClientAuthServer = true;
tlsClientTrustCertPath = getCertsPath("ca.pem");
tlsClientKeyPassword = "1234";
tlsServerKeyPassword = "";
NettyClientConfig clientConfig = new NettyClientConfig();
clientConfig.setUseTLS(true);
if ("serverRejectsUntrustedClientCert".equals(name.getMethodName())) {
// Create a client. Its credentials come from a CA that the server does not trust. The client
// trusts both test CAs to ensure the handshake failure is due to the server rejecting the client's cert.
tlsClientKeyPath = getCertsPath("badClient.key");
tlsClientCertPath = getCertsPath("badClient.pem");
} else if ("serverAcceptsUntrustedClientCert".equals(name.getMethodName())) {
tlsClientKeyPath = getCertsPath("badClient.key");
tlsClientCertPath = getCertsPath("badClient.pem");
tlsServerAuthClient = false;
}
else if ("noClientAuthFailure".equals(name.getMethodName())) {
//Clear the client cert config to ensure produce the handshake error
tlsClientKeyPath = "";
tlsClientCertPath = "";
} else if ("clientRejectsUntrustedServerCert".equals(name.getMethodName())) {
tlsServerKeyPath = getCertsPath("badServer.key");
tlsServerCertPath = getCertsPath("badServer.pem");
} else if ("clientAcceptsUntrustedServerCert".equals(name.getMethodName())) {
tlsServerKeyPath = getCertsPath("badServer.key");
tlsServerCertPath = getCertsPath("badServer.pem");
tlsClientAuthServer = false;
} else if ("serverNotNeedClientAuth".equals(name.getMethodName())) {
tlsServerNeedClientAuth = "none";
tlsClientKeyPath = "";
tlsClientCertPath = "";
} else if ("serverWantClientAuth".equals(name.getMethodName())) {
tlsServerNeedClientAuth = "optional";
} else if ("serverWantClientAuth_ButClientNoCert".equals(name.getMethodName())) {
tlsServerNeedClientAuth = "optional";
tlsClientKeyPath = "";
tlsClientCertPath = "";
} else if ("serverAcceptsUnAuthClient".equals(name.getMethodName())) {
tlsMode = TlsMode.PERMISSIVE;
tlsClientKeyPath = "";
tlsClientCertPath = "";
clientConfig.setUseTLS(false);
} else if ("serverRejectsSSLClient".equals(name.getMethodName())) {
tlsMode = TlsMode.DISABLED;
}
remotingServer = RemotingServerTest.createRemotingServer();
remotingClient = RemotingServerTest.createRemotingClient(clientConfig);
}
Example #23
| Source File: NettyRemotingServer.java From DDMQ with Apache License 2.0 | 4 votes |
|
@Override
protected void channelRead0(ChannelHandlerContext ctx, ByteBuf msg) throws Exception {
// mark the current position so that we can peek the first byte to determine if the content is starting with
// TLS handshake
msg.markReaderIndex();
byte b = msg.getByte(0);
if (b == HANDSHAKE_MAGIC_CODE) {
switch (tlsMode) {
case DISABLED:
ctx.close();
log.warn("Clients intend to establish a SSL connection while this server is running in SSL disabled mode");
break;
case PERMISSIVE:
case ENFORCING:
if (null != sslContext) {
ctx.pipeline()
.addAfter(defaultEventExecutorGroup, HANDSHAKE_HANDLER_NAME, TLS_HANDLER_NAME, sslContext.newHandler(ctx.channel().alloc()))
.addAfter(defaultEventExecutorGroup, TLS_HANDLER_NAME, FILE_REGION_ENCODER_NAME, new FileRegionEncoder());
log.info("Handlers prepended to channel pipeline to establish SSL connection");
} else {
ctx.close();
log.error("Trying to establish a SSL connection but sslContext is null");
}
break;
default:
log.warn("Unknown TLS mode");
break;
}
} else if (tlsMode == TlsMode.ENFORCING) {
ctx.close();
log.warn("Clients intend to establish an insecure connection while this server is running in SSL enforcing mode");
}
// reset the reader index so that handshake negotiation may proceed as normal.
msg.resetReaderIndex();
try {
// Remove this handler
ctx.pipeline().remove(this);
} catch (NoSuchElementException e) {
log.error("Error while removing HandshakeHandler", e);
}
// Hand over this message to the next .
ctx.fireChannelRead(msg.retain());
}
