io.netty.handler.ssl.ClientAuth Java Examples
The following examples show how to use
io.netty.handler.ssl.ClientAuth.
Example #1
Source File: LoadBalanceClusterMessageSenderWithTLSTest.java From txle with Apache License 2.0 | 6 votes |
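/**
 * Builds the server-side {@link SslContextBuilder} for this TLS test: the server certificate and key
 * are loaded from the test classpath, the client certificate is the only trust anchor, and a client
 * certificate is mandatory on every connection (mutual TLS). The builder is finished through
 * {@code GrpcSslContexts.configure} with the OpenSSL provider.
 *
 * @return a configured builder; call {@code build()} to obtain the context
 * @throws IllegalStateException if one of the classpath resources is missing (the original
 *     dereferenced a {@code null} URL and failed with an uninformative {@code NullPointerException})
 */
private static SslContextBuilder getSslContextBuilder() {
    ClassLoader classLoader = LoadBalanceClusterMessageSenderWithTLSTest.class.getClassLoader();
    SslContextBuilder sslClientContextBuilder = SslContextBuilder.forServer(
            resourceFile(classLoader, "server.crt"),
            resourceFile(classLoader, "server.pem"))
            // TLSv1.1 is deprecated (RFC 8996); keep it only if the test deliberately exercises it.
            .protocols("TLSv1.2", "TLSv1.1")
            .ciphers(Arrays.asList("ECDHE-RSA-AES128-GCM-SHA256",
                    "ECDHE-RSA-AES256-GCM-SHA384",
                    "ECDHE-ECDSA-AES128-SHA256"));
    // Trust only the client's own certificate and require it to be presented.
    sslClientContextBuilder.trustManager(resourceFile(classLoader, "client.crt"));
    sslClientContextBuilder.clientAuth(ClientAuth.REQUIRE);
    return GrpcSslContexts.configure(sslClientContextBuilder,
            SslProvider.OPENSSL);
}

/**
 * Resolves a test resource to a {@link File}, failing with the resource name when it is absent.
 * Note: {@code URL.getFile()} only yields a usable path for resources on the file system, not for
 * resources packaged inside a jar.
 *
 * @param classLoader loader used to look the resource up
 * @param name        resource name relative to the classpath root
 * @return the resource as a file
 * @throws IllegalStateException if the resource cannot be found
 */
private static File resourceFile(ClassLoader classLoader, String name) {
    java.net.URL url = classLoader.getResource(name);
    if (url == null) {
        throw new IllegalStateException("Test resource not found on classpath: " + name);
    }
    return new File(url.getFile());
}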
Example #2
Source File: GrpcStartable.java From txle with Apache License 2.0 | 6 votes |
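/**
 * Builds the server {@link SslContextBuilder} from {@code ssl.properties} (keys {@code protocols} and
 * {@code ciphers}) and the certificate/key locations in {@code config}. When
 * {@code config.isMutualAuth()} is set, the configured client certificate becomes the trust anchor and
 * a client certificate is required on every connection ({@link ClientAuth#REQUIRE}).
 *
 * @param config server TLS settings (certificate, key, optional client certificate)
 * @return the builder, finished via {@code GrpcSslContexts.configure} with the OpenSSL provider
 * @throws IllegalStateException if {@code ssl.properties} is missing, unreadable or lacks the
 *     {@code protocols}/{@code ciphers} keys, or if a certificate stream cannot be closed
 */
private SslContextBuilder getSslContextBuilder(GrpcServerConfig config) {
    Properties prop = new Properties();
    ClassLoader classLoader = getClass().getClassLoader();
    // getResourceAsStream returns null for a missing resource; Properties.load would then throw an
    // NPE that the IOException catch does not cover, so check explicitly and close the stream.
    try (InputStream propStream = classLoader.getResourceAsStream("ssl.properties")) {
        if (propStream == null) {
            throw new IllegalStateException("ssl.properties not found on classpath.");
        }
        prop.load(propStream);
    } catch (IOException e) {
        throw new IllegalStateException("Unable to read ssl.properties.", e);
    }
    String protocols = requireProperty(prop, "protocols");
    String ciphers = requireProperty(prop, "ciphers");
    SslContextBuilder sslClientContextBuilder;
    // Netty's forServer(InputStream, InputStream) and trustManager(InputStream) parse the PEM data
    // eagerly, so the streams can be closed as soon as the builder has consumed them (the original
    // never closed them).
    try (InputStream cert = getInputStream(classLoader, config.getCert(), "Server Cert");
         InputStream key = getInputStream(classLoader, config.getKey(), "Server Key")) {
        sslClientContextBuilder = SslContextBuilder.forServer(cert, key)
                .protocols(protocols)
                .ciphers(Arrays.asList(ciphers.split(",")));
    } catch (IOException e) {
        throw new IllegalStateException("Unable to close server certificate streams.", e);
    }
    if (config.isMutualAuth()) {
        try (InputStream clientCert = getInputStream(classLoader, config.getClientCert(), "Client Cert")) {
            sslClientContextBuilder.trustManager(clientCert);
        } catch (IOException e) {
            throw new IllegalStateException("Unable to close client certificate stream.", e);
        }
        sslClientContextBuilder.clientAuth(ClientAuth.REQUIRE);
    }
    return GrpcSslContexts.configure(sslClientContextBuilder,
            SslProvider.OPENSSL);
}

/**
 * Returns a mandatory property value, failing loudly instead of letting a missing key surface as an
 * NPE deep inside the builder chain.
 *
 * @param prop loaded properties
 * @param key  property name
 * @return the non-null value
 * @throws IllegalStateException if the key is absent
 */
private static String requireProperty(Properties prop, String key) {
    String value = prop.getProperty(key);
    if (value == null) {
        throw new IllegalStateException("ssl.properties is missing required key: " + key);
    }
    return value;
}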
Example #3
Source File: NettyBootstrap.java From WeCross with Apache License 2.0 | 6 votes |
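/**
 * Builds the server-side {@link SslContext} for p2p connections: the node certificate and key identify
 * this node, {@code caCrt} is the only trust anchor, and connecting peers must present a certificate
 * that chains to it ({@link ClientAuth#REQUIRE}), i.e. mutual TLS over the JDK provider.
 *
 * @param caCrt   CA certificate (PEM) used to verify connecting peers
 * @param nodeCrt this node's certificate chain (PEM)
 * @param nodeKey this node's private key (PEM)
 * @return the built server context
 * @throws IOException if a resource cannot be opened or closed
 */
public SslContext initSslContextForServer(
        org.springframework.core.io.Resource caCrt,
        org.springframework.core.io.Resource nodeCrt,
        org.springframework.core.io.Resource nodeKey)
        throws IOException {
    // Netty parses the PEM streams eagerly inside forServer/trustManager, so they can be closed as
    // soon as the builder has consumed them; the original never closed them.
    try (java.io.InputStream crtIn = nodeCrt.getInputStream();
         java.io.InputStream keyIn = nodeKey.getInputStream();
         java.io.InputStream caIn = caCrt.getInputStream()) {
        return SslContextBuilder.forServer(crtIn, keyIn)
                .trustManager(caIn)
                .sslProvider(SslProvider.JDK)
                .clientAuth(ClientAuth.REQUIRE)
                .build();
    }
}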
Example #4
Source File: RPCBootstrap.java From WeCross with Apache License 2.0 | 6 votes |
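/**
 * Builds the server-side {@link SslContext} for the HTTP server. The node certificate and key identify
 * this server and {@code caCrt} is the trust anchor for client certificates; a client certificate is
 * only required ({@link ClientAuth#REQUIRE}) when {@code sslSwitch} equals
 * {@code RPCConfig.SSLSwitch.SSL_ON_CLIENT_AUTH}. For any other switch value the trust manager is
 * still installed but Netty's default client-auth policy applies.
 *
 * @param caCrt     CA certificate (PEM) used to verify client certificates
 * @param nodeCrt   this server's certificate chain (PEM)
 * @param nodeKey   this server's private key (PEM)
 * @param sslSwitch TLS mode from the RPC configuration
 * @return the built server context
 * @throws IOException if a resource cannot be opened or closed
 */
public SslContext initSslContextForServer(
        org.springframework.core.io.Resource caCrt,
        org.springframework.core.io.Resource nodeCrt,
        org.springframework.core.io.Resource nodeKey,
        int sslSwitch)
        throws IOException {
    SslContextBuilder sslContextBuilder;
    // Netty parses the PEM streams eagerly inside forServer/trustManager, so they can be closed as
    // soon as the builder has consumed them; the original never closed them.
    try (java.io.InputStream crtIn = nodeCrt.getInputStream();
         java.io.InputStream keyIn = nodeKey.getInputStream();
         java.io.InputStream caIn = caCrt.getInputStream()) {
        sslContextBuilder = SslContextBuilder.forServer(crtIn, keyIn)
                .trustManager(caIn)
                .sslProvider(SslProvider.JDK);
    }
    if (sslSwitch == RPCConfig.SSLSwitch.SSL_ON_CLIENT_AUTH.getSwh()) {
        logger.info(" clientAuth ");
        sslContextBuilder.clientAuth(ClientAuth.REQUIRE);
    }
    return sslContextBuilder.build();
}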
Example #5
Source File: Http2NettyTest.java From grpc-nebula-java with Apache License 2.0 | 6 votes |
/**
 * Builds the Netty server under test with TLS enabled: the server presents {@code server1.pem} /
 * {@code server1.key}, trusts only {@code ca.pem}, requires every client to authenticate with a
 * certificate ({@link ClientAuth#REQUIRE}) and restricts ciphers to the test's preferred suites.
 * The checked {@link IOException} from loading the test certificates is rethrown unchecked because
 * the overridden signature does not declare it.
 *
 * @return a server builder bound to an ephemeral port
 */
@Override
protected AbstractServerImplBuilder<?> getServerBuilder() {
    try {
        NettyServerBuilder builder = NettyServerBuilder.forPort(0)
                .flowControlWindow(65 * 1024)
                .maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE);
        io.netty.handler.ssl.SslContext serverTls = GrpcSslContexts
                .forServer(TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key"))
                .clientAuth(ClientAuth.REQUIRE)
                .trustManager(TestUtils.loadCert("ca.pem"))
                .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
                .build();
        return builder.sslContext(serverTls);
    } catch (IOException ex) {
        throw new RuntimeException(ex);
    }
}
Example #6
Source File: ConcurrencyTest.java From grpc-nebula-java with Apache License 2.0 | 6 votes |
/**
 * Creates and starts a new {@link TestServiceImpl} server.
 *
 * The server presents {@code server1.pem} / {@code server1.key}, trusts only {@code ca.pem} and
 * requires every client to authenticate with a certificate ({@link ClientAuth#REQUIRE}). It listens
 * on an ephemeral port (port 0).
 *
 * @return the started server
 * @throws CertificateException if the CA certificate cannot be parsed
 * @throws IOException if the certificate files cannot be read or the server cannot start
 */
private Server newServer() throws CertificateException, IOException {
    File certChain = TestUtils.loadCert("server1.pem");
    File privateKey = TestUtils.loadCert("server1.key");
    X509Certificate caCert = TestUtils.loadX509Cert("ca.pem");
    io.netty.handler.ssl.SslContextBuilder tls = GrpcSslContexts.forServer(certChain, privateKey);
    tls.trustManager(new X509Certificate[] {caCert});
    tls.clientAuth(ClientAuth.REQUIRE);
    NettyServerBuilder builder = NettyServerBuilder.forPort(0);
    builder.sslContext(tls.build());
    builder.addService(new TestServiceImpl(serverExecutor));
    return builder.build().start();
}
Example #7
Source File: SslContextFactory.java From xio with Apache License 2.0 | 6 votes |
/**
 * Builds a server {@link SslContext} from {@code config}: the shared configuration is applied to a
 * fresh server builder, the supplied trust manager factory is wrapped in a
 * {@code XioTrustManagerFactory}, and, when {@code clientAuth} is given, the client-certificate
 * policy is set on the builder.
 *
 * @param config       TLS configuration applied by {@code configure}
 * @param trustManager factory whose trust managers verify client certificates
 * @param clientAuth   client-certificate policy, or {@code null} to leave the builder's default
 * @return the built context, or {@code null} when building fails — the {@link SSLException} is
 *         dropped here, so a misconfiguration surfaces only later as a null context
 */
public static SslContext buildServerContext(
    TlsConfig config, TrustManagerFactory trustManager, @Nullable ClientAuth clientAuth) {
    try {
        SslContextBuilder serverBuilder = configure(config, newServerBuilder(config));
        serverBuilder.trustManager(new XioTrustManagerFactory(trustManager));
        boolean policyGiven = clientAuth != null;
        if (policyGiven) {
            serverBuilder.clientAuth(clientAuth);
        }
        return serverBuilder.build();
    } catch (SSLException swallowed) {
        return null;
    }
}
Example #8
Source File: Http2NettyTest.java From grpc-java with Apache License 2.0 | 6 votes |
@Override
protected AbstractServerImplBuilder<?> getServerBuilder() {
// Starts the server with HTTPS.
try {
return NettyServerBuilder.forPort(0)
.flowControlWindow(65 * 1024)
.maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
.sslContext(GrpcSslContexts
.forServer(TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key"))
.clientAuth(ClientAuth.REQUIRE)
.trustManager(TestUtils.loadCert("ca.pem"))
.ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
.build());
} catch (IOException ex) {
throw new RuntimeException(ex);
}
}
Example #9
Source File: NettySslHandler.java From iot-mqtt with Apache License 2.0 | 6 votes |
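/**
 * Builds the server {@link SslContext} from a key store file using the JDK provider.
 *
 * @param useClientCA     when true, require a client certificate ({@link ClientAuth#REQUIRE}) and
 *                        verify it against the certificates in the same key store (two-way TLS)
 * @param sslKeyStoreType key store type passed to {@link KeyStore#getInstance(String)}
 * @param sslKeyFilePath  path of the key store file
 * @param sslManagerPwd   key (manager) password
 * @param sslStorePwd     key store password
 * @return the context, or {@code null} if anything fails (the error is logged with its stack trace)
 */
private static SslContext createSSLContext(boolean useClientCA, String sslKeyStoreType, String sslKeyFilePath, String sslManagerPwd, String sslStorePwd) {
    // try-with-resources: the original never closed the FileInputStream.
    try (InputStream ksInputStream = new FileInputStream(sslKeyFilePath)) {
        KeyStore ks = KeyStore.getInstance(sslKeyStoreType);
        ks.load(ksInputStream, sslStorePwd.toCharArray());
        final KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, sslManagerPwd.toCharArray());
        SslContextBuilder contextBuilder = SslContextBuilder.forServer(kmf);
        // Whether a client CA is needed (two-way authentication).
        // NOTE(review): the trust manager is initialised from the same key store as the server key, so
        // every trusted-certificate entry in it becomes a client trust anchor — confirm that is intended.
        if (useClientCA) {
            contextBuilder.clientAuth(ClientAuth.REQUIRE);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
            contextBuilder.trustManager(tmf);
        }
        // SslProvider.valueOf("JDK") in the original is the same constant, resolved at compile time here.
        return contextBuilder.sslProvider(SslProvider.JDK).build();
    } catch (Exception ex) {
        // Pass the exception as the last argument so the logger records the stack trace; with a "{}"
        // placeholder the original only printed ex.toString().
        log.error("Create ssl context failure.", ex);
        return null;
    }
}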
Example #10
Source File: SecureChatServer.java From julongchain with Apache License 2.0 | 6 votes |
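/**
 * Entry point: starts the GM TLS chat server on {@code PORT}. Mutual TLS is required because, per the
 * original author's note, the negotiated suite (ECDHE_SM4_SM3) needs both an encryption certificate
 * and a signing certificate on each side.
 *
 * @param args ignored
 * @throws Exception if the TLS context cannot be built or the port cannot be bound
 */
public static void main(String[] args) throws Exception {
    // The original also created an unused SelfSignedCertificate here; it generated a throw-away key
    // pair and wrote temporary files for nothing, so it has been removed.
    SslContext sslCtx = SslContextGMBuilder.forServer(ENC_CERT, ENC_KEY, SIGN_CERT, SIGN_KEY, null)
            /* The default negotiated algorithm is ECDHE_SM4_SM3, so two-way TLS is mandatory and both
               the client and the server must have an encryption certificate and a signing certificate. */
            .clientAuth(ClientAuth.REQUIRE)
            .build();
    EventLoopGroup bossGroup = new NioEventLoopGroup(1);
    EventLoopGroup workerGroup = new NioEventLoopGroup();
    try {
        ServerBootstrap b = new ServerBootstrap();
        b.group(bossGroup, workerGroup)
                .channel(NioServerSocketChannel.class)
                .handler(new LoggingHandler(LogLevel.INFO))
                .childHandler(new SecureChatServerInitializer(sslCtx));
        // Block until the server channel is closed.
        b.bind(PORT).sync().channel().closeFuture().sync();
    } finally {
        bossGroup.shutdownGracefully();
        workerGroup.shutdownGracefully();
    }
}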
Example #11
Source File: DockerServiceFactory.java From haven-platform with Apache License 2.0 | 6 votes |
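/**
 * Configures the TLS context used for the Docker API connection at {@code addr}.
 * <ul>
 *   <li>{@code checkSsl} off: installs {@code SSLUtil.NullX509TrustManager}, i.e. the server
 *       certificate is not verified at all (logged at WARN — this disables authentication of the peer).</li>
 *   <li>{@code keystore} set: trusts the certificates in that JKS in addition to the JDK defaults.
 *       If the resource does not exist the method returns without touching {@code factory}.</li>
 *   <li>otherwise: the JDK default trust store is used.</li>
 * </ul>
 * The context is wrapped as a client-side {@link JdkSslContext}; the {@link ClientAuth#OPTIONAL}
 * argument only matters for server-side engines.
 *
 * @param addr    Docker endpoint address, used for logging only
 * @param factory request factory that receives the resulting context
 * @throws Exception if the key store cannot be loaded or the context cannot be initialised
 */
private void initSsl(String addr, NettyRequestFactory factory) throws Exception {
    SSLContext sslc = SSLContext.getInstance("TLS");
    if(!checkSsl) {
        // Disabling certificate verification deserves more than DEBUG visibility.
        log.warn("disable any SSL check on {} address", addr);
        sslc.init(null, new TrustManager[]{new SSLUtil.NullX509TrustManager()}, null);
    } else if(StringUtils.hasText(keystore)) {
        log.debug("use SSL trusted store {} on {} address", keystore, addr);
        final String alg = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory def = TrustManagerFactory.getInstance(alg);
        def.init((KeyStore)null);// initialize default list of trust managers
        Resource resource = resourceLoader.getResource(keystore);
        if(!resource.exists()) {
            // NOTE(review): returning here leaves factory's SSL context untouched — confirm the
            // previously configured context is acceptable in that case.
            log.warn("Specified JKS {} is not exists.", keystore);
            return;
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try(InputStream is = resource.getInputStream()) {
            ks.load(is, storepass == null? new char[0] : storepass.toCharArray());
        }
        TrustManagerFactory local = TrustManagerFactory.getInstance(alg);
        local.init(ks);
        // Accept a certificate if either the configured store or the JDK default store trusts it.
        TrustManager tm = SSLUtil.combineX509TrustManagers(local.getTrustManagers(), def.getTrustManagers());
        sslc.init(null, new TrustManager[]{tm}, null);
    } else {
        // NOTE(review): the original fell through to setSslContext with an uninitialized SSLContext
        // in this case (checkSsl on, no keystore configured), which JdkSslContext cannot use;
        // initialise with the JDK defaults (default key managers, trust store and SecureRandom).
        sslc.init(null, null, null);
    }
    factory.setSslContext(new JdkSslContext(sslc, true, ClientAuth.OPTIONAL));
}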
Example #12
Source File: SslFactory.java From hxy-socket with GNU General Public License v3.0 | 6 votes |
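/**
 * Lazily builds the shared server {@link SslContext} (double-checked locking on the static
 * {@code sslContext} field). Client certificates are not requested ({@link ClientAuth#NONE}) and the
 * cipher suites are restricted to {@code CIPHER_ARRAY}.
 *
 * NOTE(review): double-checked locking is only safe when {@code sslContext} is declared
 * {@code volatile}; the field declaration is outside this block — confirm.
 *
 * @param certFilePath X.509 certificate chain in PEM format
 * @param keyFilePath  PKCS#8 private key in PEM format (".key" file)
 * @return the shared context, or {@code null} if building it failed (the error is logged)
 */
public static SslContext createSslContext(String certFilePath, String keyFilePath) {
    if (null == sslContext) {
        synchronized (SslFactory.class) {
            if (null == sslContext) {
                File certFile = new File(certFilePath);
                File keyFile = new File(keyFilePath); // must be a PKCS#8-encoded .key file
                try {
                    sslContext = SslContextBuilder.forServer(certFile, keyFile)
                            .clientAuth(ClientAuth.NONE)
                            // Only the suites in CIPHER_ARRAY (three 128-bit suites, per the original
                            // note) are allowed; normally this line is dropped to use Netty's defaults.
                            .ciphers(Arrays.asList(CIPHER_ARRAY), IdentityCipherSuiteFilter.INSTANCE_DEFAULTING_TO_SUPPORTED_CIPHERS)
                            .build();
                } catch (SSLException e) {
                    // Pass the exception so the stack trace is logged; the original logged only e.toString().
                    logger.error("SSL错误:" + e.toString(), e);
                }
            }
        }
    }
    return sslContext;
}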
Example #13
Source File: NettySubstitutions.java From quarkus with Apache License 2.0 | 6 votes |
/**
 * GraalVM substitution for Netty's server-context factory: every provider is routed to the JDK
 * implementation ({@code Target_io_netty_handler_ssl_JdkSslServerContext}) with the supplied
 * trust/key material, cipher and protocol settings, session parameters and {@code clientAuth}.
 * OCSP stapling is rejected because the JDK-backed context does not support it.
 *
 * @throws IllegalArgumentException if {@code enableOcsp} is set
 * @throws SSLException if the JDK context cannot be created
 */
@Substitute
static SslContext newServerContextInternal(SslProvider provider,
        Provider sslContextProvider,
        X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
        X509Certificate[] keyCertChain, PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
        Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
        long sessionCacheSize, long sessionTimeout, ClientAuth clientAuth, String[] protocols, boolean startTls,
        boolean enableOcsp, String keyStoreType)
        throws SSLException {
    if (enableOcsp) {
        throw new IllegalArgumentException("OCSP is not supported with this SslProvider: " + provider);
    }
    Object jdkServerContext = new Target_io_netty_handler_ssl_JdkSslServerContext(sslContextProvider,
            trustCertCollection, trustManagerFactory, keyCertChain, key, keyPassword,
            keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout,
            clientAuth, protocols, startTls, keyStoreType);
    // The substitution target is not a compile-time SslContext; the cast goes through Object on purpose.
    return (SslContext) jdkServerContext;
}
Example #14
Source File: GrpcStartable.java From servicecomb-pack with Apache License 2.0 | 6 votes |
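/**
 * Builds the server {@link SslContextBuilder} from {@code ssl.properties} (keys {@code protocols} and
 * {@code ciphers}) and the certificate/key locations in {@code config}. When
 * {@code config.isMutualAuth()} is set, the configured client certificate becomes the trust anchor and
 * a client certificate is required on every connection ({@link ClientAuth#REQUIRE}).
 *
 * @param config server TLS settings (certificate, key, optional client certificate)
 * @return the builder, finished via {@code GrpcSslContexts.configure} with the OpenSSL provider
 * @throws IllegalStateException if {@code ssl.properties} is missing, unreadable or lacks the
 *     {@code protocols}/{@code ciphers} keys, or if a certificate stream cannot be closed
 */
private SslContextBuilder getSslContextBuilder(GrpcServerConfig config) {
    Properties prop = new Properties();
    ClassLoader classLoader = getClass().getClassLoader();
    // getResourceAsStream returns null for a missing resource; Properties.load would then throw an
    // NPE that the IOException catch does not cover, so check explicitly and close the stream.
    try (InputStream propStream = classLoader.getResourceAsStream("ssl.properties")) {
        if (propStream == null) {
            throw new IllegalStateException("ssl.properties not found on classpath.");
        }
        prop.load(propStream);
    } catch (IOException e) {
        throw new IllegalStateException("Unable to read ssl.properties.", e);
    }
    String protocols = requireProperty(prop, "protocols");
    String ciphers = requireProperty(prop, "ciphers");
    SslContextBuilder sslClientContextBuilder;
    // Netty's forServer(InputStream, InputStream) and trustManager(InputStream) parse the PEM data
    // eagerly, so the streams can be closed as soon as the builder has consumed them (the original
    // never closed them).
    try (InputStream cert = getInputStream(classLoader, config.getCert(), "Server Cert");
         InputStream key = getInputStream(classLoader, config.getKey(), "Server Key")) {
        sslClientContextBuilder = SslContextBuilder.forServer(cert, key)
                .protocols(protocols)
                .ciphers(Arrays.asList(ciphers.split(",")));
    } catch (IOException e) {
        throw new IllegalStateException("Unable to close server certificate streams.", e);
    }
    if (config.isMutualAuth()) {
        try (InputStream clientCert = getInputStream(classLoader, config.getClientCert(), "Client Cert")) {
            sslClientContextBuilder.trustManager(clientCert);
        } catch (IOException e) {
            throw new IllegalStateException("Unable to close client certificate stream.", e);
        }
        sslClientContextBuilder.clientAuth(ClientAuth.REQUIRE);
    }
    return GrpcSslContexts.configure(sslClientContextBuilder,
            SslProvider.OPENSSL);
}

/**
 * Returns a mandatory property value, failing loudly instead of letting a missing key surface as an
 * NPE deep inside the builder chain.
 *
 * @param prop loaded properties
 * @param key  property name
 * @return the non-null value
 * @throws IllegalStateException if the key is absent
 */
private static String requireProperty(Properties prop, String key) {
    String value = prop.getProperty(key);
    if (value == null) {
        throw new IllegalStateException("ssl.properties is missing required key: " + key);
    }
    return value;
}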
Example #15
Source File: HelloWorldServerTls.java From grpc-java with Apache License 2.0 | 5 votes |
/**
 * Builds the server {@link SslContextBuilder} from the configured certificate chain and private key
 * files. When {@code trustCertCollectionFilePath} is set, that file becomes the trust anchor and a
 * client certificate is required on every connection (mutual TLS); otherwise Netty's default
 * client-auth policy applies.
 *
 * @return the builder, finished through {@code GrpcSslContexts.configure} with the default provider
 */
private SslContextBuilder getSslContextBuilder() {
    File chain = new File(certChainFilePath);
    File key = new File(privateKeyFilePath);
    SslContextBuilder serverBuilder = SslContextBuilder.forServer(chain, key);
    boolean mutualTls = trustCertCollectionFilePath != null;
    if (mutualTls) {
        serverBuilder.trustManager(new File(trustCertCollectionFilePath));
        serverBuilder.clientAuth(ClientAuth.REQUIRE);
    }
    return GrpcSslContexts.configure(serverBuilder);
}
Example #16
Source File: ServerSslConfig.java From zuul with Apache License 2.0 | 5 votes |
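/**
 * Server TLS settings. The array arguments are copied so later mutation by the caller cannot change
 * the configured protocols or ciphers (the original stored the {@code protocols} array as-is and an
 * {@link Arrays#asList} view backed by the caller's {@code ciphers} array).
 *
 * @param protocols                   enabled TLS protocol names; {@code null} is passed through
 *                                    unchanged — NOTE(review): confirm downstream handles it
 * @param ciphers                     enabled cipher suite names, must not be {@code null}
 * @param certChainFile               server certificate chain
 * @param keyFile                     server private key
 * @param clientAuth                  client-certificate policy
 * @param clientAuthTrustStoreFile    trust store used to verify client certificates
 * @param clientAuthTrustStorePassword password of that trust store; the password-file variant is
 *                                    left unset by this constructor
 * @param sessionTicketsEnabled       whether TLS session tickets are enabled
 */
public ServerSslConfig(
    String[] protocols, String[] ciphers, File certChainFile, File keyFile, ClientAuth clientAuth,
    File clientAuthTrustStoreFile, String clientAuthTrustStorePassword, boolean sessionTicketsEnabled) {
    this.protocols = protocols == null ? null : protocols.clone();
    this.ciphers = Arrays.asList(ciphers.clone());
    this.certChainFile = certChainFile;
    this.keyFile = keyFile;
    this.clientAuth = clientAuth;
    this.clientAuthTrustStoreFile = clientAuthTrustStoreFile;
    this.clientAuthTrustStorePassword = clientAuthTrustStorePassword;
    this.clientAuthTrustStorePasswordFile = null;
    // Session timeout is not a constructor argument; it always comes from the dynamic default.
    this.sessionTimeout = DEFAULT_SESSION_TIMEOUT.get();
    this.sessionTicketsEnabled = sessionTicketsEnabled;
}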
Example #17
Source File: SslContextProvider.java From grpc-java with Apache License 2.0 | 5 votes |
/**
 * Applies the downstream client-authentication settings to {@code sslContextBuilder}. With a
 * validation context, its trust manager is installed and a client certificate is required or merely
 * requested according to {@code isRequireClientCertificate()} on the downstream TLS context; without
 * one, no client certificate is requested at all ({@link ClientAuth#NONE}).
 *
 * @param sslContextBuilder          builder being configured
 * @param localCertValidationContext validation context for client certificates, or {@code null}
 * @throws CertificateException if the trust material cannot be parsed
 * @throws IOException if the trust material cannot be read
 * @throws CertStoreException if the certificate store cannot be accessed
 */
protected void setClientAuthValues(
        SslContextBuilder sslContextBuilder, CertificateValidationContext localCertValidationContext)
        throws CertificateException, IOException, CertStoreException {
    DownstreamTlsContext downstreamTlsContext = getDownstreamTlsContext();
    if (localCertValidationContext == null) {
        sslContextBuilder.clientAuth(ClientAuth.NONE);
        return;
    }
    sslContextBuilder.trustManager(new SdsTrustManagerFactory(localCertValidationContext));
    ClientAuth policy = ClientAuth.OPTIONAL;
    if (downstreamTlsContext.isRequireClientCertificate()) {
        policy = ClientAuth.REQUIRE;
    }
    sslContextBuilder.clientAuth(policy);
}
Example #18
Source File: StripUntrustedProxyHeadersHandler.java From zuul with Apache License 2.0 | 5 votes |
/**
 * Reports whether the connection on {@code ch} completed a TLS handshake with client authentication
 * enforced, i.e. the recorded requirement is exactly {@link ClientAuth#REQUIRE}. Plain-text
 * connections (no handshake info attribute) and {@link ClientAuth#OPTIONAL}, where the peer may have
 * connected without any certificate, both yield {@code false}.
 *
 * @param ch the inbound channel
 * @return {@code true} only for a mutually authenticated TLS connection
 */
@VisibleForTesting
boolean connectionIsUsingMutualSSLWithAuthEnforced(Channel ch)
{
    SslHandshakeInfo handshake = ch.attr(SslHandshakeInfoHandler.ATTR_SSL_INFO).get();
    return handshake != null && handshake.getClientAuthRequirement() == ClientAuth.REQUIRE;
}
Example #19
Source File: TlsTest.java From grpc-java with Apache License 2.0 | 5 votes |
/**
 * Creates a Netty server builder on {@code port} with TLS configured for the test: the given chain and
 * key identify the server, {@code serverTrustedCaCerts} are the only trust anchors, and every client
 * must present a certificate ({@link ClientAuth#REQUIRE}). The JDK provider additionally needs the
 * explicit {@code java.security.Provider} from the test parameter, hence the two configure calls.
 *
 * @param port                  listening port
 * @param serverCertChainFile   server certificate chain
 * @param serverPrivateKeyFile  server private key
 * @param serverTrustedCaCerts  CA certificates trusted for client authentication
 * @return a builder with the TLS context applied
 * @throws IOException if the context cannot be built
 */
private ServerBuilder<?> serverBuilder(int port, File serverCertChainFile,
    File serverPrivateKeyFile, X509Certificate[] serverTrustedCaCerts) throws IOException {
    SslContextBuilder tls = SslContextBuilder.forServer(serverCertChainFile, serverPrivateKeyFile);
    boolean jdk = sslProvider == SslProvider.JDK;
    if (jdk) {
        GrpcSslContexts.configure(tls, jdkProvider);
    } else {
        GrpcSslContexts.configure(tls, sslProvider);
    }
    tls.trustManager(serverTrustedCaCerts);
    tls.clientAuth(ClientAuth.REQUIRE);
    NettyServerBuilder server = NettyServerBuilder.forPort(port);
    return server.sslContext(tls.build());
}
Example #20
Source File: NettySslFactory.java From ambry with Apache License 2.0 | 5 votes |
/**
 * Maps the {@code sslClientAuthentication} setting of {@code config} to Netty's {@link ClientAuth}:
 * {@code "required"} gives {@link ClientAuth#REQUIRE} and {@code "requested"} gives
 * {@link ClientAuth#OPTIONAL}. Any other value — including a typo — silently yields
 * {@link ClientAuth#NONE}, i.e. the mapping fails open; a {@code null} setting throws
 * {@link NullPointerException}.
 *
 * @param config the {@link SSLConfig}.
 * @return the {@link ClientAuth} setting.
 */
static ClientAuth getClientAuth(SSLConfig config) {
    String mode = config.sslClientAuthentication;
    if (mode.equals("required")) {
        return ClientAuth.REQUIRE;
    }
    if (mode.equals("requested")) {
        return ClientAuth.OPTIONAL;
    }
    return ClientAuth.NONE;
}
Example #21
Source File: RemoteWorker.java From bazel with Apache License 2.0 | 5 votes |
/**
 * Builds the server {@link SslContextBuilder} for the remote worker from the TLS certificate and
 * private key in {@code workerOptions}. If a CA certificate is configured it becomes the trust anchor
 * and every client must present a certificate ({@link ClientAuth#REQUIRE}); otherwise Netty's default
 * client-auth policy applies.
 *
 * @param workerOptions worker options holding the TLS file paths
 * @return the builder, finished through {@code GrpcSslContexts.configure} with the OpenSSL provider
 */
private SslContextBuilder getSslContextBuilder(RemoteWorkerOptions workerOptions) {
    File certificate = new File(workerOptions.tlsCertificate);
    File privateKey = new File(workerOptions.tlsPrivateKey);
    SslContextBuilder serverBuilder = SslContextBuilder.forServer(certificate, privateKey);
    String caPath = workerOptions.tlsCaCertificate;
    if (caPath != null) {
        serverBuilder.clientAuth(ClientAuth.REQUIRE);
        serverBuilder.trustManager(new File(caPath));
    }
    return GrpcSslContexts.configure(serverBuilder, SslProvider.OPENSSL);
}
Example #22
Source File: SecurityUtility.java From pulsar with Apache License 2.0 | 5 votes |
/**
 * Sets the client-certificate policy on {@code builder}: {@link ClientAuth#REQUIRE} when a trusted
 * client certificate is mandatory at connect time, otherwise {@link ClientAuth#OPTIONAL}, which still
 * verifies a certificate if the client offers one but lets clients without one connect.
 *
 * @param builder                           server context builder being configured
 * @param requireTrustedClientCertOnConnect whether a client certificate is mandatory
 */
private static void setupClientAuthentication(SslContextBuilder builder, boolean requireTrustedClientCertOnConnect) {
    ClientAuth policy = requireTrustedClientCertOnConnect ? ClientAuth.REQUIRE : ClientAuth.OPTIONAL;
    builder.clientAuth(policy);
}
Example #23
Source File: TlsHelper.java From rocketmq with Apache License 2.0 | 5 votes |
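/**
 * Parses the configured client-authentication mode into {@link ClientAuth} by enum name, ignoring
 * case ({@code "require"}, {@code "optional"}, {@code "none"}). Blank or unrecognized input yields
 * {@link ClientAuth#NONE}, so a misspelled value silently disables client authentication.
 *
 * @param authMode configured mode name, may be {@code null}
 * @return the matching constant, or {@link ClientAuth#NONE}
 */
private static ClientAuth parseClientAuthMode(String authMode) {
    if (null == authMode || authMode.trim().isEmpty()) {
        return ClientAuth.NONE;
    }
    for (ClientAuth clientAuth : ClientAuth.values()) {
        // equalsIgnoreCase is locale-independent; the original's toUpperCase() used the default
        // locale, which folds "i" differently in e.g. Turkish locales and would never match "OPTIONAL".
        if (clientAuth.name().equalsIgnoreCase(authMode)) {
            return clientAuth;
        }
    }
    return ClientAuth.NONE;
}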
Example #24
Source File: Server.java From timely with Apache License 2.0 | 5 votes |
/**
 * Builds the server {@link SslContext} from the security section of {@code config}. Either a
 * self-signed {@code localhost} certificate valid for seven days is generated (logged at WARN), or the
 * configured certificate, key and key password are used. Client certificates are requested but not
 * required; a trust store is installed only when one is configured.
 *
 * @param config server configuration
 * @return the built context
 * @throws IllegalArgumentException if no generated key pair is requested but certificate or key is missing
 * @throws Exception if the context cannot be built
 */
protected SslContext createSSLContext(Configuration config) throws Exception {
    ServerSsl sslCfg = config.getSecurity().getServerSsl();
    SslContextBuilder builder;
    if (sslCfg.isUseGeneratedKeypair()) {
        LOG.warn("Using generated self signed server certificate");
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(7));
        SelfSignedCertificate selfSigned = new SelfSignedCertificate("localhost", notBefore, notAfter);
        builder = SslContextBuilder.forServer(selfSigned.certificate(), selfSigned.privateKey());
    } else {
        String certFile = sslCfg.getCertificateFile();
        String keyFile = sslCfg.getKeyFile();
        String keyPassword = sslCfg.getKeyPassword();
        if (certFile == null || keyFile == null) {
            throw new IllegalArgumentException("Check your SSL properties, something is wrong.");
        }
        builder = SslContextBuilder.forServer(new File(certFile), new File(keyFile), keyPassword);
    }
    builder.ciphers(sslCfg.getUseCiphers());
    // OPTIONAL rather than REQUIRE: CORS pre-flight requests carry no client certificate and would be
    // rejected. A presented certificate is still verified, but clients without one do get a
    // connection, so any certificate-based authorization has to be enforced at the application layer.
    builder.clientAuth(ClientAuth.OPTIONAL);
    builder.sslProvider(sslCfg.isUseOpenssl() ? SslProvider.OPENSSL : SslProvider.JDK);
    String trustStore = sslCfg.getTrustStoreFile();
    if (trustStore != null && !trustStore.isEmpty()) {
        builder.trustManager(new File(trustStore));
    }
    return builder.build();
}
Example #25
Source File: GrafanaAuth.java From timely with Apache License 2.0 | 5 votes |
/**
 * Builds the server {@link SslContext} from the security section of {@code config}. Either a
 * self-signed {@code localhost} certificate valid for one day (86400000 ms) is generated (logged at
 * WARN), or the configured certificate, key and key password are used. Client certificates are
 * requested but not required; a trust store is installed only when one is configured.
 *
 * @param config Grafana auth configuration
 * @return the built context
 * @throws IllegalArgumentException if no generated key pair is requested but certificate or key is missing
 * @throws Exception if the context cannot be built
 */
protected SslContext createSSLContext(GrafanaAuthConfiguration config) throws Exception {
    ServerSsl sslCfg = config.getSecurity().getServerSsl();
    SslContextBuilder builder;
    if (sslCfg.isUseGeneratedKeypair()) {
        LOG.warn("Using generated self signed server certificate");
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 86400000);
        SelfSignedCertificate selfSigned = new SelfSignedCertificate("localhost", notBefore, notAfter);
        builder = SslContextBuilder.forServer(selfSigned.certificate(), selfSigned.privateKey());
    } else {
        String certFile = sslCfg.getCertificateFile();
        String keyFile = sslCfg.getKeyFile();
        String keyPassword = sslCfg.getKeyPassword();
        if (certFile == null || keyFile == null) {
            throw new IllegalArgumentException("Check your SSL properties, something is wrong.");
        }
        builder = SslContextBuilder.forServer(new File(certFile), new File(keyFile), keyPassword);
    }
    builder.ciphers(sslCfg.getUseCiphers());
    // OPTIONAL rather than REQUIRE: CORS pre-flight requests carry no client certificate and would be
    // rejected. A presented certificate is still verified, but clients without one do get a
    // connection, so any certificate-based authorization has to be enforced at the application layer.
    builder.clientAuth(ClientAuth.OPTIONAL);
    builder.sslProvider(sslCfg.isUseOpenssl() ? SslProvider.OPENSSL : SslProvider.JDK);
    String trustStore = sslCfg.getTrustStoreFile();
    if (trustStore != null && !trustStore.isEmpty()) {
        builder.trustManager(new File(trustStore));
    }
    return builder.build();
}
Example #26
Source File: HelloWorldServerTls.java From grpc-nebula-java with Apache License 2.0 | 5 votes |
/**
 * Builds the server {@link SslContextBuilder} from the configured certificate chain and private key
 * files. When {@code trustCertCollectionFilePath} is set, that file becomes the trust anchor and a
 * client certificate is required on every connection (mutual TLS); otherwise Netty's default
 * client-auth policy applies.
 *
 * @return the builder, finished through {@code GrpcSslContexts.configure} with the OpenSSL provider
 */
private SslContextBuilder getSslContextBuilder() {
    File chain = new File(certChainFilePath);
    File key = new File(privateKeyFilePath);
    SslContextBuilder serverBuilder = SslContextBuilder.forServer(chain, key);
    boolean mutualTls = trustCertCollectionFilePath != null;
    if (mutualTls) {
        serverBuilder.trustManager(new File(trustCertCollectionFilePath));
        serverBuilder.clientAuth(ClientAuth.REQUIRE);
    }
    return GrpcSslContexts.configure(serverBuilder, SslProvider.OPENSSL);
}
Example #27
Source File: Balancer.java From timely with Apache License 2.0 | 5 votes |
/**
 * Builds the server {@link SslContext} from the security section of {@code config}. Either a
 * self-signed {@code localhost} certificate valid for one day (86400000 ms) is generated (logged at
 * WARN), or the configured certificate, key and key password are used. Client certificates are
 * requested but not required; a trust store is installed only when one is configured.
 *
 * @param config balancer configuration
 * @return the built context
 * @throws IllegalArgumentException if no generated key pair is requested but certificate or key is missing
 * @throws Exception if the context cannot be built
 */
protected SslContext createSSLContext(BalancerConfiguration config) throws Exception {
    ServerSsl sslCfg = config.getSecurity().getServerSsl();
    SslContextBuilder builder;
    if (sslCfg.isUseGeneratedKeypair()) {
        LOG.warn("Using generated self signed server certificate");
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 86400000);
        SelfSignedCertificate selfSigned = new SelfSignedCertificate("localhost", notBefore, notAfter);
        builder = SslContextBuilder.forServer(selfSigned.certificate(), selfSigned.privateKey());
    } else {
        String certFile = sslCfg.getCertificateFile();
        String keyFile = sslCfg.getKeyFile();
        String keyPassword = sslCfg.getKeyPassword();
        if (certFile == null || keyFile == null) {
            throw new IllegalArgumentException("Check your SSL properties, something is wrong.");
        }
        builder = SslContextBuilder.forServer(new File(certFile), new File(keyFile), keyPassword);
    }
    builder.ciphers(sslCfg.getUseCiphers());
    // OPTIONAL rather than REQUIRE: CORS pre-flight requests carry no client certificate and would be
    // rejected. A presented certificate is still verified, but clients without one do get a
    // connection, so any certificate-based authorization has to be enforced at the application layer.
    builder.clientAuth(ClientAuth.OPTIONAL);
    builder.sslProvider(sslCfg.isUseOpenssl() ? SslProvider.OPENSSL : SslProvider.JDK);
    String trustStore = sslCfg.getTrustStoreFile();
    if (trustStore != null && !trustStore.isEmpty()) {
        builder.trustManager(new File(trustStore));
    }
    return builder.build();
}
Example #28
Source File: SSLEngineFactoryImpl.java From dremio-oss with Apache License 2.0 | 5 votes |
/**
 * Creates a server-side {@link SslContextBuilder} backed by the configured key and trust manager
 * factories. Client certificates are required unless {@code sslConfig.disablePeerVerification()} is
 * set, in which case a certificate is requested but a client without one is still admitted. Provider,
 * protocols and ciphers come from the class constants.
 *
 * @return the configured builder
 * @throws SSLException if the builder cannot be created
 */
@Override
public SslContextBuilder newServerContextBuilder() throws SSLException {
    SslContextBuilder builder = SslContextBuilder.forServer(keyManagerFactory);
    builder.trustManager(trustManagerFactory);
    ClientAuth peerPolicy = ClientAuth.REQUIRE;
    if (sslConfig.disablePeerVerification()) {
        peerPolicy = ClientAuth.OPTIONAL;
    }
    builder.clientAuth(peerPolicy);
    builder.sslProvider(SSL_PROVIDER);
    builder.protocols(SSL_PROTOCOLS);
    return builder.ciphers(SSL_CIPHERS);
}
Example #29
Source File: ClientHttpConnectorFactory.java From spring-credhub with Apache License 2.0 | 5 votes |
/**
 * Create a {@link ClientHttpConnector} for the given {@link ClientOptions}.
 *
 * With custom CA certificates the client trusts only those (JDK provider); otherwise the JDK default
 * {@link SSLContext} is wrapped as a client-side {@link JdkSslContext}. The {@link ClientAuth#REQUIRE}
 * argument there configures the server-side policy and so has no effect on a client context — presumably
 * kept only to satisfy the constructor signature; confirm. An optional connect timeout is applied to
 * the underlying TCP client.
 *
 * @param options must not be {@literal null}
 * @return a new {@link ClientHttpConnector}.
 * @throws RuntimeException if the default {@link SSLContext} is unavailable (logged first)
 */
public static ClientHttpConnector create(ClientOptions options) {
    HttpClient httpClient = HttpClient.create();
    if (!usingCustomCerts(options)) {
        httpClient = httpClient.secure((sslContextSpec) -> {
            try {
                sslContextSpec.sslContext(new JdkSslContext(SSLContext.getDefault(), true, null,
                        IdentityCipherSuiteFilter.INSTANCE, null, ClientAuth.REQUIRE, null, false));
            }
            catch (NoSuchAlgorithmException ex) {
                logger.error("Error configuring HTTP connections", ex);
                throw new RuntimeException("Error configuring HTTP connections", ex);
            }
        });
    }
    else {
        TrustManagerFactory trustManagerFactory = sslCertificateUtils
                .createTrustManagerFactory(options.getCaCertFiles());
        httpClient = httpClient.secure((sslContextSpec) -> sslContextSpec.sslContext(
                SslContextBuilder.forClient().sslProvider(SslProvider.JDK).trustManager(trustManagerFactory)));
    }
    boolean hasTimeout = options.getConnectionTimeout() != null;
    if (hasTimeout) {
        int timeoutMillis = Math.toIntExact(options.getConnectionTimeout().toMillis());
        httpClient = httpClient.tcpConfiguration(
                (tcpClient) -> tcpClient.option(ChannelOption.CONNECT_TIMEOUT_MILLIS, timeoutMillis));
    }
    return new ReactorClientHttpConnector(httpClient);
}
Example #30
Source File: SslContextBuilder.java From logstash-input-beats with Apache License 2.0 | 5 votes |
/**
 * Builds the server {@link SslContext} for the Beats listener from the configured certificate, key
 * and pass phrase. When {@code requireClientAuth()} is true the configured certificate authorities
 * become the trust anchors and {@code verifyMode} decides the policy: {@code FORCE_PEER} demands a
 * client certificate, {@code VERIFY_PEER} verifies one only if the client offers it; otherwise no
 * client certificate is requested ({@link ClientAuth#NONE}).
 *
 * @return the built context
 * @throws IOException if certificate or key material cannot be read
 * @throws CertificateException if a certificate cannot be parsed
 */
public SslContext buildContext() throws IOException, CertificateException {
    io.netty.handler.ssl.SslContextBuilder builder =
            io.netty.handler.ssl.SslContextBuilder.forServer(sslCertificateFile, sslKeyFile, passPhrase);
    if (logger.isDebugEnabled()) {
        logger.debug("Available ciphers: " + Arrays.toString(supportedCiphers));
        logger.debug("Ciphers: " + Arrays.toString(ciphers));
    }
    builder.ciphers(Arrays.asList(ciphers));
    if (!requireClientAuth()) {
        builder.clientAuth(ClientAuth.NONE);
    } else {
        if (logger.isDebugEnabled()) {
            logger.debug("Certificate Authorities: " + Arrays.toString(certificateAuthorities));
        }
        builder.trustManager(loadCertificateCollection(certificateAuthorities));
        boolean forcePeer = verifyMode == SslClientVerifyMode.FORCE_PEER;
        boolean verifyPeer = verifyMode == SslClientVerifyMode.VERIFY_PEER;
        if (forcePeer) {
            // A client certificate is mandatory.
            builder.clientAuth(ClientAuth.REQUIRE);
        } else if (verifyPeer) {
            // Verify a client certificate only when the client supplies one.
            builder.clientAuth(ClientAuth.OPTIONAL);
        }
    }
    builder.protocols(protocols);
    return builder.build();
}