Java Code Examples for io.netty.handler.ssl.SslContextBuilder#ciphers()
The following examples show how to use
io.netty.handler.ssl.SslContextBuilder#ciphers() .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: LoadBalancedClusterMessageSender.java From txle with Apache License 2.0 | 6 votes |
private static SslContext buildSslContext(AlphaClusterConfig clusterConfig) throws SSLException { SslContextBuilder builder = GrpcSslContexts.forClient(); // openssl must be used because some older JDk does not support cipher suites required by http2, // and the performance of JDK ssl is pretty low compared to openssl. builder.sslProvider(SslProvider.OPENSSL); Properties prop = new Properties(); try { prop.load(LoadBalancedClusterMessageSender.class.getClassLoader().getResourceAsStream("ssl.properties")); } catch (IOException e) { throw new IllegalArgumentException("Unable to read ssl.properties.", e); } builder.protocols(prop.getProperty("protocols").split(",")); builder.ciphers(Arrays.asList(prop.getProperty("ciphers").split(","))); builder.trustManager(new File(clusterConfig.getCertChain())); if (clusterConfig.isEnableMutualAuth()) { builder.keyManager(new File(clusterConfig.getCert()), new File(clusterConfig.getKey())); } return builder.build(); }
Example 2
Source File: Http2OkHttpTest.java From grpc-java with Apache License 2.0 | 6 votes |
@Override protected AbstractServerImplBuilder<?> getServerBuilder() { // Starts the server with HTTPS. try { SslProvider sslProvider = SslContext.defaultServerProvider(); if (sslProvider == SslProvider.OPENSSL && !SslProvider.isAlpnSupported(SslProvider.OPENSSL)) { // OkHttp only supports Jetty ALPN on OpenJDK. So if OpenSSL doesn't support ALPN, then we // are forced to use Jetty ALPN for Netty instead of OpenSSL. sslProvider = SslProvider.JDK; } SslContextBuilder contextBuilder = SslContextBuilder .forServer(TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key")); GrpcSslContexts.configure(contextBuilder, sslProvider); contextBuilder.ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE); return NettyServerBuilder.forPort(0) .flowControlWindow(65 * 1024) .maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE) .sslContext(contextBuilder.build()); } catch (IOException ex) { throw new RuntimeException(ex); } }
Example 3
Source File: SslUtil.java From AndroidHttpCapture with MIT License | 6 votes |
/** * Creates a netty SslContext for use when connecting to upstream servers. Retrieves the list of trusted root CAs * from the trustSource. When trustSource is true, no upstream certificate verification will be performed. * <b>This will make it possible for attackers to MITM communications with the upstream server</b>, so always * supply an appropriate trustSource except in extraordinary circumstances (e.g. testing with dynamically-generated * certificates). * * @param cipherSuites cipher suites to allow when connecting to the upstream server * @param trustSource the trust store that will be used to validate upstream servers' certificates, or null to accept all upstream server certificates * @return an SSLContext to connect to upstream servers with */ public static SslContext getUpstreamServerSslContext(Collection<String> cipherSuites, TrustSource trustSource) { SslContextBuilder sslContextBuilder = SslContextBuilder.forClient(); if (trustSource == null) { log.warn("Disabling upstream server certificate verification. This will allow attackers to intercept communications with upstream servers."); sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE); } else { sslContextBuilder.trustManager(trustSource.getTrustedCAs()); } sslContextBuilder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE); try { return sslContextBuilder.build(); } catch (SSLException e) { throw new SslContextInitializationException("Error creating new SSL context for connection to upstream server", e); } }
Example 4
Source File: SslSimpleBuilder.java From jlogstash-input-plugin with Apache License 2.0 | 6 votes |
public SslHandler build(ByteBufAllocator bufferAllocator) throws SSLException { SslContextBuilder builder = SslContextBuilder.forServer(sslCertificateFile, sslKeyFile, passPhrase); builder.ciphers(Arrays.asList(ciphers)); if(requireClientAuth()) { logger.debug("Certificate Authorities: " + certificateAuthorities); builder.trustManager(new File(certificateAuthorities)); } SslContext context = builder.build(); SslHandler sslHandler = context.newHandler(bufferAllocator); SSLEngine engine = sslHandler.engine(); engine.setEnabledProtocols(protocols); if(requireClientAuth()) { engine.setUseClientMode(false); engine.setNeedClientAuth(true); } return sslHandler; }
Example 5
Source File: SslUtil.java From Dream-Catcher with MIT License | 6 votes |
/** * Creates a netty SslContext for use when connecting to upstream servers. Retrieves the list of trusted root CAs * from the trustSource. When trustSource is true, no upstream certificate verification will be performed. * <b>This will make it possible for attackers to MITM communications with the upstream server</b>, so always * supply an appropriate trustSource except in extraordinary circumstances (e.g. testing with dynamically-generated * certificates). * * @param cipherSuites cipher suites to allow when connecting to the upstream server * @param trustSource the trust store that will be used to validate upstream servers' certificates, or null to accept all upstream server certificates * @return an SSLContext to connect to upstream servers with */ public static SslContext getUpstreamServerSslContext(Collection<String> cipherSuites, TrustSource trustSource) { SslContextBuilder sslContextBuilder = SslContextBuilder.forClient(); if (trustSource == null) { log.warn("Disabling upstream server certificate verification. This will allow attackers to intercept communications with upstream servers."); sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE); } else { sslContextBuilder.trustManager(trustSource.getTrustedCAs()); } sslContextBuilder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE); try { return sslContextBuilder.build(); } catch (SSLException e) { throw new SslContextInitializationException("Error creating new SSL context for connection to upstream server", e); } }
Example 6
Source File: SslUtil.java From CapturePacket with MIT License | 6 votes |
/** * Creates a netty SslContext for use when connecting to upstream servers. Retrieves the list of trusted root CAs * from the trustSource. When trustSource is true, no upstream certificate verification will be performed. * <b>This will make it possible for attackers to MITM communications with the upstream server</b>, so always * supply an appropriate trustSource except in extraordinary circumstances (e.g. testing with dynamically-generated * certificates). * * @param cipherSuites cipher suites to allow when connecting to the upstream server * @param trustSource the trust store that will be used to validate upstream servers' certificates, or null to accept all upstream server certificates * @return an SSLContext to connect to upstream servers with */ public static SslContext getUpstreamServerSslContext(Collection<String> cipherSuites, TrustSource trustSource) { SslContextBuilder sslContextBuilder = SslContextBuilder.forClient(); if (trustSource == null) { log.warn("Disabling upstream server certificate verification. This will allow attackers to intercept communications with upstream servers."); sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE); } else { sslContextBuilder.trustManager(trustSource.getTrustedCAs()); } sslContextBuilder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE); try { return sslContextBuilder.build(); } catch (SSLException e) { throw new SslContextInitializationException("Error creating new SSL context for connection to upstream server", e); } }
Example 7
Source File: SslUtil.java From hivemq-community-edition with Apache License 2.0 | 6 votes |
@NotNull public SslContext createSslServerContext(@NotNull final KeyManagerFactory kmf, @Nullable final TrustManagerFactory tmFactory, @Nullable final List<String> cipherSuites, @Nullable final List<String> protocols) throws SSLException { final SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(kmf); sslContextBuilder.sslProvider(SslProvider.JDK).trustManager(tmFactory); if (protocols != null && !protocols.isEmpty()) { sslContextBuilder.protocols(protocols.toArray(new String[0])); } //set chosen cipher suites if available if (cipherSuites != null && cipherSuites.size() > 0) { sslContextBuilder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE); } else { sslContextBuilder.ciphers(null, SupportedCipherSuiteFilter.INSTANCE); } return sslContextBuilder.build(); }
Example 8
Source File: SslUtil.java From browserup-proxy with Apache License 2.0 | 6 votes |
/** * Creates a netty SslContext for use when connecting to upstream servers. Retrieves the list of trusted root CAs * from the trustSource. When trustSource is true, no upstream certificate verification will be performed. * <b>This will make it possible for attackers to MITM communications with the upstream server</b>, so always * supply an appropriate trustSource except in extraordinary circumstances (e.g. testing with dynamically-generated * certificates). * * @param cipherSuites cipher suites to allow when connecting to the upstream server * @param trustSource the trust store that will be used to validate upstream servers' certificates, or null to accept all upstream server certificates * @return an SSLContext to connect to upstream servers with */ public static SslContext getUpstreamServerSslContext(Collection<String> cipherSuites, TrustSource trustSource) { SslContextBuilder sslContextBuilder = SslContextBuilder.forClient(); if (trustSource == null) { log.warn("Disabling upstream server certificate verification. This will allow attackers to intercept communications with upstream servers."); sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE); } else { sslContextBuilder.trustManager(trustSource.getTrustedCAs()); } sslContextBuilder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE); try { return sslContextBuilder.build(); } catch (SSLException e) { throw new SslContextInitializationException("Error creating new SSL context for connection to upstream server", e); } }
Example 9
Source File: Http2OkHttpTest.java From grpc-nebula-java with Apache License 2.0 | 6 votes |
@Override protected AbstractServerImplBuilder<?> getServerBuilder() { // Starts the server with HTTPS. try { SslProvider sslProvider = SslContext.defaultServerProvider(); if (sslProvider == SslProvider.OPENSSL && !OpenSsl.isAlpnSupported()) { // OkHttp only supports Jetty ALPN on OpenJDK. So if OpenSSL doesn't support ALPN, then we // are forced to use Jetty ALPN for Netty instead of OpenSSL. sslProvider = SslProvider.JDK; } SslContextBuilder contextBuilder = SslContextBuilder .forServer(TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key")); GrpcSslContexts.configure(contextBuilder, sslProvider); contextBuilder.ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE); return NettyServerBuilder.forPort(0) .flowControlWindow(65 * 1024) .maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE) .sslContext(contextBuilder.build()); } catch (IOException ex) { throw new RuntimeException(ex); } }
Example 10
Source File: SslContextFactory.java From servicetalk with Apache License 2.0 | 5 votes |
/** * A new context for a client using the passed {@code config}. * * @param config SSL config. * @param supportedAlpnProtocols the list of supported ALPN protocols. * @return A new {@link SslContext} for a client. */ public static SslContext forClient(ReadOnlyClientSecurityConfig config, List<String> supportedAlpnProtocols) { requireNonNull(config); SslContextBuilder builder = SslContextBuilder.forClient() .sessionCacheSize(config.sessionCacheSize()).sessionTimeout(config.sessionTimeout()); configureTrustManager(config, builder); KeyManagerFactory keyManagerFactory = config.keyManagerFactory(); if (keyManagerFactory != null) { builder.keyManager(keyManagerFactory); } else { InputStream keyCertChainSupplier = null; InputStream keySupplier = null; try { keyCertChainSupplier = config.keyCertChainSupplier().get(); keySupplier = config.keySupplier().get(); builder.keyManager(keyCertChainSupplier, keySupplier, config.keyPassword()); } finally { try { closeAndRethrowUnchecked(keyCertChainSupplier); } finally { closeAndRethrowUnchecked(keySupplier); } } } builder.sslProvider(toNettySslProvider(config.provider(), !supportedAlpnProtocols.isEmpty())); builder.protocols(config.protocols()); builder.ciphers(config.ciphers()); builder.applicationProtocolConfig(nettyApplicationProtocol(supportedAlpnProtocols)); try { return builder.build(); } catch (SSLException e) { throw new IllegalArgumentException(e); } }
Example 11
Source File: HttpServletProtocolSpringAdapter.java From spring-boot-protocol with Apache License 2.0 | 5 votes |
/** * Initialize the SSL security configuration for HTTPS * @param keyManagerFactory keyManagerFactory * @param ssl ssl * @param sslStoreProvider sslStoreProvider * @return The SSL context builder * @throws Exception Exception */ protected SslContextBuilder getSslContext(KeyManagerFactory keyManagerFactory, Ssl ssl, SslStoreProvider sslStoreProvider) throws Exception { SslContextBuilder builder = SslContextBuilder.forServer(keyManagerFactory); builder.trustManager(getTrustManagerFactory(ssl, sslStoreProvider)); if (ssl.getEnabledProtocols() != null) { builder.protocols(ssl.getEnabledProtocols()); } if (ssl.getCiphers() != null) { builder.ciphers(Arrays.asList(ssl.getCiphers())); } if (ssl.getClientAuth() == Ssl.ClientAuth.NEED) { builder.clientAuth(ClientAuth.REQUIRE); } else if (ssl.getClientAuth() == Ssl.ClientAuth.WANT) { builder.clientAuth(ClientAuth.OPTIONAL); } ApplicationProtocolConfig protocolConfig = new ApplicationProtocolConfig( ApplicationProtocolConfig.Protocol.ALPN, // NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK providers. ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE, // ACCEPT is currently the only mode supported by both OpenSsl and JDK providers. ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT, ApplicationProtocolNames.HTTP_2, ApplicationProtocolNames.HTTP_1_1); builder.applicationProtocolConfig(protocolConfig); return builder; }
Example 12
Source File: Server.java From qonduit with Apache License 2.0 | 5 votes |
protected SslContext createSSLContext(Configuration config) throws Exception { Configuration.Ssl sslCfg = config.getSecurity().getSsl(); Boolean generate = sslCfg.isUseGeneratedKeypair(); SslContextBuilder ssl; if (generate) { LOG.warn("Using generated self signed server certificate"); Date begin = new Date(); Date end = new Date(begin.getTime() + 86400000); SelfSignedCertificate ssc = new SelfSignedCertificate("localhost", begin, end); ssl = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey()); } else { String cert = sslCfg.getCertificateFile(); String key = sslCfg.getKeyFile(); String keyPass = sslCfg.getKeyPassword(); if (null == cert || null == key) { throw new IllegalArgumentException("Check your SSL properties, something is wrong."); } ssl = SslContextBuilder.forServer(new File(cert), new File(key), keyPass); } ssl.ciphers(sslCfg.getUseCiphers()); // Can't set to REQUIRE because the CORS pre-flight requests will fail. ssl.clientAuth(ClientAuth.OPTIONAL); Boolean useOpenSSL = sslCfg.isUseOpenssl(); if (useOpenSSL) { ssl.sslProvider(SslProvider.OPENSSL); } else { ssl.sslProvider(SslProvider.JDK); } String trustStore = sslCfg.getTrustStoreFile(); if (null != trustStore) { if (!trustStore.isEmpty()) { ssl.trustManager(new File(trustStore)); } } return ssl.build(); }
Example 13
Source File: Balancer.java From timely with Apache License 2.0 | 5 votes |
protected SslContext createSSLContext(BalancerConfiguration config) throws Exception { ServerSsl sslCfg = config.getSecurity().getServerSsl(); Boolean generate = sslCfg.isUseGeneratedKeypair(); SslContextBuilder ssl; if (generate) { LOG.warn("Using generated self signed server certificate"); Date begin = new Date(); Date end = new Date(begin.getTime() + 86400000); SelfSignedCertificate ssc = new SelfSignedCertificate("localhost", begin, end); ssl = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey()); } else { String cert = sslCfg.getCertificateFile(); String key = sslCfg.getKeyFile(); String keyPass = sslCfg.getKeyPassword(); if (null == cert || null == key) { throw new IllegalArgumentException("Check your SSL properties, something is wrong."); } ssl = SslContextBuilder.forServer(new File(cert), new File(key), keyPass); } ssl.ciphers(sslCfg.getUseCiphers()); // Can't set to REQUIRE because the CORS pre-flight requests will fail. ssl.clientAuth(ClientAuth.OPTIONAL); Boolean useOpenSSL = sslCfg.isUseOpenssl(); if (useOpenSSL) { ssl.sslProvider(SslProvider.OPENSSL); } else { ssl.sslProvider(SslProvider.JDK); } String trustStore = sslCfg.getTrustStoreFile(); if (null != trustStore) { if (!trustStore.isEmpty()) { ssl.trustManager(new File(trustStore)); } } return ssl.build(); }
Example 14
Source File: GrafanaAuth.java From timely with Apache License 2.0 | 5 votes |
protected SslContext createSSLContext(GrafanaAuthConfiguration config) throws Exception { ServerSsl sslCfg = config.getSecurity().getServerSsl(); Boolean generate = sslCfg.isUseGeneratedKeypair(); SslContextBuilder ssl; if (generate) { LOG.warn("Using generated self signed server certificate"); Date begin = new Date(); Date end = new Date(begin.getTime() + 86400000); SelfSignedCertificate ssc = new SelfSignedCertificate("localhost", begin, end); ssl = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey()); } else { String cert = sslCfg.getCertificateFile(); String key = sslCfg.getKeyFile(); String keyPass = sslCfg.getKeyPassword(); if (null == cert || null == key) { throw new IllegalArgumentException("Check your SSL properties, something is wrong."); } ssl = SslContextBuilder.forServer(new File(cert), new File(key), keyPass); } ssl.ciphers(sslCfg.getUseCiphers()); // Can't set to REQUIRE because the CORS pre-flight requests will fail. ssl.clientAuth(ClientAuth.OPTIONAL); Boolean useOpenSSL = sslCfg.isUseOpenssl(); if (useOpenSSL) { ssl.sslProvider(SslProvider.OPENSSL); } else { ssl.sslProvider(SslProvider.JDK); } String trustStore = sslCfg.getTrustStoreFile(); if (null != trustStore) { if (!trustStore.isEmpty()) { ssl.trustManager(new File(trustStore)); } } return ssl.build(); }
Example 15
Source File: Server.java From timely with Apache License 2.0 | 5 votes |
protected SslContext createSSLContext(Configuration config) throws Exception { ServerSsl sslCfg = config.getSecurity().getServerSsl(); Boolean generate = sslCfg.isUseGeneratedKeypair(); SslContextBuilder ssl; if (generate) { LOG.warn("Using generated self signed server certificate"); Date begin = new Date(); Date end = new Date(begin.getTime() + TimeUnit.DAYS.toMillis(7)); SelfSignedCertificate ssc = new SelfSignedCertificate("localhost", begin, end); ssl = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey()); } else { String cert = sslCfg.getCertificateFile(); String key = sslCfg.getKeyFile(); String keyPass = sslCfg.getKeyPassword(); if (null == cert || null == key) { throw new IllegalArgumentException("Check your SSL properties, something is wrong."); } ssl = SslContextBuilder.forServer(new File(cert), new File(key), keyPass); } ssl.ciphers(sslCfg.getUseCiphers()); // Can't set to REQUIRE because the CORS pre-flight requests will fail. ssl.clientAuth(ClientAuth.OPTIONAL); Boolean useOpenSSL = sslCfg.isUseOpenssl(); if (useOpenSSL) { ssl.sslProvider(SslProvider.OPENSSL); } else { ssl.sslProvider(SslProvider.JDK); } String trustStore = sslCfg.getTrustStoreFile(); if (null != trustStore) { if (!trustStore.isEmpty()) { ssl.trustManager(new File(trustStore)); } } return ssl.build(); }
Example 16
Source File: SslContextFactory.java From servicetalk with Apache License 2.0 | 4 votes |
/** * A new context for a server using the passed {@code config}. * * @param config SSL config. * @param supportedAlpnProtocols the list of supported ALPN protocols. * @return A new {@link SslContext} for a server. */ public static SslContext forServer(ReadOnlyServerSecurityConfig config, List<String> supportedAlpnProtocols) { requireNonNull(config); SslContextBuilder builder; KeyManagerFactory keyManagerFactory = config.keyManagerFactory(); if (keyManagerFactory != null) { builder = SslContextBuilder.forServer(keyManagerFactory); } else { InputStream keyCertChainSupplier = null; InputStream keySupplier = null; try { keyCertChainSupplier = config.keyCertChainSupplier().get(); keySupplier = config.keySupplier().get(); builder = SslContextBuilder.forServer(keyCertChainSupplier, keySupplier, config.keyPassword()); } finally { try { closeAndRethrowUnchecked(keyCertChainSupplier); } finally { closeAndRethrowUnchecked(keySupplier); } } } builder.sessionCacheSize(config.sessionCacheSize()).sessionTimeout(config.sessionTimeout()) .applicationProtocolConfig(nettyApplicationProtocol(supportedAlpnProtocols)); switch (config.clientAuth()) { case NONE: builder.clientAuth(ClientAuth.NONE); break; case OPTIONAL: builder.clientAuth(ClientAuth.OPTIONAL); break; case REQUIRE: builder.clientAuth(ClientAuth.REQUIRE); break; default: throw new IllegalArgumentException("Unsupported ClientAuth value: " + config.clientAuth()); } configureTrustManager(config, builder); builder.protocols(config.protocols()); builder.ciphers(config.ciphers()); builder.sslProvider(toNettySslProvider(config.provider(), !supportedAlpnProtocols.isEmpty())); try { return builder.build(); } catch (SSLException e) { throw new IllegalArgumentException(e); } }
Example 17
Source File: SecurityUtility.java From pulsar with Apache License 2.0 | 4 votes |
private static void setupCiphers(SslContextBuilder builder, Set<String> ciphers) { if (ciphers != null && ciphers.size() > 0) { builder.ciphers(ciphers); } }
Example 18
Source File: NettySSLOptionsFactory.java From dropwizard-cassandra with Apache License 2.0 | 4 votes |
@Override public SSLOptions build() { SslContextBuilder sslContextBuilder = SslContextBuilder.forClient(); if (provider != null) { sslContextBuilder.sslProvider(provider); } if (ciphers != null) { sslContextBuilder.ciphers(ciphers); } if (clientAuth != null) { sslContextBuilder.clientAuth(clientAuth); } if (sessionCacheSize != null) { sslContextBuilder.sessionCacheSize(sessionCacheSize); } if (sessionTimeout != null) { sslContextBuilder.sessionTimeout(sessionTimeout.toSeconds()); } if (trustCertChainFile != null) { sslContextBuilder.trustManager(trustCertChainFile); } if (keyManager != null) { sslContextBuilder.keyManager( keyManager.getKeyCertChainFile(), keyManager.getKeyFile(), keyManager.getKeyPassword()); } SslContext sslContext; try { sslContext = sslContextBuilder.build(); } catch (SSLException e) { throw new RuntimeException("Unable to build Netty SslContext", e); } return new NettySSLOptions(sslContext); }