下面列出了io.grpc.ExperimentalApi#io.netty.handler.ssl.SupportedCipherSuiteFilter 实例代码,或者点击链接到github查看源代码,也可以在右侧发表评论。
@Override
protected AbstractServerImplBuilder<?> getServerBuilder() {
// Starts the server with HTTPS.
try {
SslProvider sslProvider = SslContext.defaultServerProvider();
if (sslProvider == SslProvider.OPENSSL && !OpenSsl.isAlpnSupported()) {
// OkHttp only supports Jetty ALPN on OpenJDK. So if OpenSSL doesn't support ALPN, then we
// are forced to use Jetty ALPN for Netty instead of OpenSSL.
sslProvider = SslProvider.JDK;
}
SslContextBuilder contextBuilder = SslContextBuilder
.forServer(TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key"));
GrpcSslContexts.configure(contextBuilder, sslProvider);
contextBuilder.ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE);
return NettyServerBuilder.forPort(0)
.flowControlWindow(65 * 1024)
.maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
.sslContext(contextBuilder.build());
} catch (IOException ex) {
throw new RuntimeException(ex);
}
}
@Override
protected AbstractServerImplBuilder<?> getServerBuilder() {
// Starts the server with HTTPS.
try {
return NettyServerBuilder.forPort(0)
.flowControlWindow(65 * 1024)
.maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
.sslContext(GrpcSslContexts
.forServer(TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key"))
.clientAuth(ClientAuth.REQUIRE)
.trustManager(TestUtils.loadCert("ca.pem"))
.ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
.build());
} catch (IOException ex) {
throw new RuntimeException(ex);
}
}
@Override
protected ManagedChannel createChannel() {
try {
NettyChannelBuilder builder = NettyChannelBuilder
.forAddress(TestUtils.testServerAddress(getPort()))
.flowControlWindow(65 * 1024)
.maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
.sslContext(GrpcSslContexts
.forClient()
.keyManager(TestUtils.loadCert("client.pem"), TestUtils.loadCert("client.key"))
.trustManager(TestUtils.loadX509Cert("ca.pem"))
.ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
.build());
io.grpc.internal.TestingAccessor.setStatsImplementation(
builder, createClientCensusStatsModule());
return builder.build();
} catch (Exception ex) {
throw new RuntimeException(ex);
}
}
/**
* Creates a netty SslContext for use when connecting to upstream servers. Retrieves the list of trusted root CAs
* from the trustSource. When trustSource is true, no upstream certificate verification will be performed.
* <b>This will make it possible for attackers to MITM communications with the upstream server</b>, so always
* supply an appropriate trustSource except in extraordinary circumstances (e.g. testing with dynamically-generated
* certificates).
*
* @param cipherSuites cipher suites to allow when connecting to the upstream server
* @param trustSource the trust store that will be used to validate upstream servers' certificates, or null to accept all upstream server certificates
* @return an SSLContext to connect to upstream servers with
*/
public static SslContext getUpstreamServerSslContext(Collection<String> cipherSuites, TrustSource trustSource) {
SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
if (trustSource == null) {
log.warn("Disabling upstream server certificate verification. This will allow attackers to intercept communications with upstream servers.");
sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
} else {
sslContextBuilder.trustManager(trustSource.getTrustedCAs());
}
sslContextBuilder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE);
try {
return sslContextBuilder.build();
} catch (SSLException e) {
throw new SslContextInitializationException("Error creating new SSL context for connection to upstream server", e);
}
}
@NotNull
public SslContext createSslServerContext(@NotNull final KeyManagerFactory kmf, @Nullable final TrustManagerFactory tmFactory, @Nullable final List<String> cipherSuites, @Nullable final List<String> protocols) throws SSLException {
final SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(kmf);
sslContextBuilder.sslProvider(SslProvider.JDK).trustManager(tmFactory);
if (protocols != null && !protocols.isEmpty()) {
sslContextBuilder.protocols(protocols.toArray(new String[0]));
}
//set chosen cipher suites if available
if (cipherSuites != null && cipherSuites.size() > 0) {
sslContextBuilder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE);
} else {
sslContextBuilder.ciphers(null, SupportedCipherSuiteFilter.INSTANCE);
}
return sslContextBuilder.build();
}
/**
* Creates a netty SslContext for use when connecting to upstream servers. Retrieves the list of trusted root CAs
* from the trustSource. When trustSource is true, no upstream certificate verification will be performed.
* <b>This will make it possible for attackers to MITM communications with the upstream server</b>, so always
* supply an appropriate trustSource except in extraordinary circumstances (e.g. testing with dynamically-generated
* certificates).
*
* @param cipherSuites cipher suites to allow when connecting to the upstream server
* @param trustSource the trust store that will be used to validate upstream servers' certificates, or null to accept all upstream server certificates
* @return an SSLContext to connect to upstream servers with
*/
public static SslContext getUpstreamServerSslContext(Collection<String> cipherSuites, TrustSource trustSource) {
SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
if (trustSource == null) {
log.warn("Disabling upstream server certificate verification. This will allow attackers to intercept communications with upstream servers.");
sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
} else {
sslContextBuilder.trustManager(trustSource.getTrustedCAs());
}
sslContextBuilder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE);
try {
return sslContextBuilder.build();
} catch (SSLException e) {
throw new SslContextInitializationException("Error creating new SSL context for connection to upstream server", e);
}
}
private SslContext buildSslCtx() {
SslProvider provider = OpenSsl.isAlpnSupported() ? SslProvider.OPENSSL : SslProvider.JDK;
try {
return SslContextBuilder.forClient()
.sslProvider(provider)
.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
.trustManager(InsecureTrustManagerFactory.INSTANCE)
// TODO(JR): Make a seperate Handler Class for http2 as opposed to autoneg
// .applicationProtocolConfig(new ApplicationProtocolConfig(
// ApplicationProtocolConfig.Protocol.ALPN,
// // NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK
// providers.
// ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
// // ACCEPT is currently the only mode supported by both OpenSsl and JDK
// providers.
// ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
// ApplicationProtocolNames.HTTP_2,
// ApplicationProtocolNames.HTTP_1_1))
.build();
} catch (SSLException e) {
e.printStackTrace();
}
return null;
}
private SslContext sslContext(URI targetAddress) {
URI proxyAddress = proxyAddress(targetAddress);
boolean needContext = targetAddress.getScheme().equalsIgnoreCase("https")
|| proxyAddress != null && proxyAddress.getScheme().equalsIgnoreCase("https");
if (!needContext) {
return null;
}
try {
return SslContextBuilder.forClient()
.sslProvider(sslProvider)
.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
.trustManager(getTrustManager())
.keyManager(getKeyManager())
.build();
} catch (SSLException e) {
throw new RuntimeException(e);
}
}
/**
* Creates a netty SslContext for use when connecting to upstream servers. Retrieves the list of trusted root CAs
* from the trustSource. When trustSource is true, no upstream certificate verification will be performed.
* <b>This will make it possible for attackers to MITM communications with the upstream server</b>, so always
* supply an appropriate trustSource except in extraordinary circumstances (e.g. testing with dynamically-generated
* certificates).
*
* @param cipherSuites cipher suites to allow when connecting to the upstream server
* @param trustSource the trust store that will be used to validate upstream servers' certificates, or null to accept all upstream server certificates
* @return an SSLContext to connect to upstream servers with
*/
public static SslContext getUpstreamServerSslContext(Collection<String> cipherSuites, TrustSource trustSource) {
SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
if (trustSource == null) {
log.warn("Disabling upstream server certificate verification. This will allow attackers to intercept communications with upstream servers.");
sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
} else {
sslContextBuilder.trustManager(trustSource.getTrustedCAs());
}
sslContextBuilder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE);
try {
return sslContextBuilder.build();
} catch (SSLException e) {
throw new SslContextInitializationException("Error creating new SSL context for connection to upstream server", e);
}
}
/**
* Creates a netty SslContext for use when connecting to upstream servers. Retrieves the list of trusted root CAs
* from the trustSource. When trustSource is true, no upstream certificate verification will be performed.
* <b>This will make it possible for attackers to MITM communications with the upstream server</b>, so always
* supply an appropriate trustSource except in extraordinary circumstances (e.g. testing with dynamically-generated
* certificates).
*
* @param cipherSuites cipher suites to allow when connecting to the upstream server
* @param trustSource the trust store that will be used to validate upstream servers' certificates, or null to accept all upstream server certificates
* @return an SSLContext to connect to upstream servers with
*/
public static SslContext getUpstreamServerSslContext(Collection<String> cipherSuites, TrustSource trustSource) {
SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
if (trustSource == null) {
log.warn("Disabling upstream server certificate verification. This will allow attackers to intercept communications with upstream servers.");
sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
} else {
sslContextBuilder.trustManager(trustSource.getTrustedCAs());
}
sslContextBuilder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE);
try {
return sslContextBuilder.build();
} catch (SSLException e) {
throw new SslContextInitializationException("Error creating new SSL context for connection to upstream server", e);
}
}
private SslContext getSslContext() {
SslContext sslCtx = null;
final SslProvider provider = OpenSsl.isAlpnSupported() ? SslProvider.OPENSSL : SslProvider.JDK;
try {
sslCtx = SslContextBuilder.forClient()
.sslProvider(provider)
.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
.trustManager(InsecureTrustManagerFactory.INSTANCE)
.applicationProtocolConfig(new ApplicationProtocolConfig(
Protocol.ALPN,
SelectorFailureBehavior.NO_ADVERTISE,
SelectedListenerFailureBehavior.ACCEPT,
ApplicationProtocolNames.HTTP_2))
.build();
} catch(SSLException exception) {
return null;
}
return sslCtx;
}
@Override
protected AbstractServerImplBuilder<?> getServerBuilder() {
// Starts the server with HTTPS.
try {
SslProvider sslProvider = SslContext.defaultServerProvider();
if (sslProvider == SslProvider.OPENSSL && !SslProvider.isAlpnSupported(SslProvider.OPENSSL)) {
// OkHttp only supports Jetty ALPN on OpenJDK. So if OpenSSL doesn't support ALPN, then we
// are forced to use Jetty ALPN for Netty instead of OpenSSL.
sslProvider = SslProvider.JDK;
}
SslContextBuilder contextBuilder = SslContextBuilder
.forServer(TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key"));
GrpcSslContexts.configure(contextBuilder, sslProvider);
contextBuilder.ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE);
return NettyServerBuilder.forPort(0)
.flowControlWindow(65 * 1024)
.maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
.sslContext(contextBuilder.build());
} catch (IOException ex) {
throw new RuntimeException(ex);
}
}
@Override
protected AbstractServerImplBuilder<?> getServerBuilder() {
// Starts the server with HTTPS.
try {
return NettyServerBuilder.forPort(0)
.flowControlWindow(65 * 1024)
.maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
.sslContext(GrpcSslContexts
.forServer(TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key"))
.clientAuth(ClientAuth.REQUIRE)
.trustManager(TestUtils.loadCert("ca.pem"))
.ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
.build());
} catch (IOException ex) {
throw new RuntimeException(ex);
}
}
@Override
protected ManagedChannel createChannel() {
try {
NettyChannelBuilder builder = NettyChannelBuilder
.forAddress(TestUtils.testServerAddress((InetSocketAddress) getListenAddress()))
.flowControlWindow(65 * 1024)
.maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
.sslContext(GrpcSslContexts
.forClient()
.keyManager(TestUtils.loadCert("client.pem"), TestUtils.loadCert("client.key"))
.trustManager(TestUtils.loadX509Cert("ca.pem"))
.ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
.build());
// Disable the default census stats interceptor, use testing interceptor instead.
io.grpc.internal.TestingAccessor.setStatsEnabled(builder, false);
return builder.intercept(createCensusStatsClientInterceptor()).build();
} catch (Exception ex) {
throw new RuntimeException(ex);
}
}
/**
* @param config the {@link SSLConfig}
* @return a configured {@link SslContext} object for a client.
* @throws GeneralSecurityException
* @throws IOException
*/
static SslContext getServerSslContext(SSLConfig config) throws GeneralSecurityException, IOException {
logger.info("Using {} provider for server SslContext", SslContext.defaultServerProvider());
SslContextBuilder sslContextBuilder;
if (config.sslHttp2SelfSign) {
SelfSignedCertificate ssc = new SelfSignedCertificate();
sslContextBuilder = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey());
logger.info("Using Self Signed Certificate.");
} else {
sslContextBuilder = SslContextBuilder.forServer(NettySslFactory.getKeyManagerFactory(config))
.trustManager(NettySslFactory.getTrustManagerFactory(config));
}
return sslContextBuilder.sslProvider(SslContext.defaultClientProvider())
.clientAuth(NettySslFactory.getClientAuth(config))
/* NOTE: the cipher filter may not include all ciphers required by the HTTP/2 specification.
* Please refer to the HTTP/2 specification for cipher requirements. */
.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
.applicationProtocolConfig(new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN,
// NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK providers.
ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
// ACCEPT is currently the only mode supported by both OpenSsl and JDK providers.
ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT, ApplicationProtocolNames.HTTP_2))
.build();
}
/**
* @param config the {@link SSLConfig}
* @return a configured {@link SslContext} object for a server.
* @throws GeneralSecurityException
* @throws IOException
*/
public static SslContext getClientSslContext(SSLConfig config) throws GeneralSecurityException, IOException {
logger.info("Using {} provider for client ", SslContext.defaultClientProvider());
SslContextBuilder sslContextBuilder;
if (config.sslHttp2SelfSign) {
sslContextBuilder = SslContextBuilder.forClient().trustManager(InsecureTrustManagerFactory.INSTANCE);
logger.info("Using Self Signed Certificate.");
} else {
sslContextBuilder = SslContextBuilder.forClient()
.keyManager(NettySslFactory.getKeyManagerFactory(config))
.trustManager(NettySslFactory.getTrustManagerFactory(config));
}
return sslContextBuilder.sslProvider(SslContext.defaultClientProvider())
/* NOTE: the cipher filter may not include all ciphers required by the HTTP/2 specification.
* Please refer to the HTTP/2 specification for cipher requirements. */
.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
.applicationProtocolConfig(new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN,
// NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK providers.
ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
// ACCEPT is currently the only mode supported by both OpenSsl and JDK providers.
ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT, ApplicationProtocolNames.HTTP_2))
.build();
}
/**
* Set ciphers and APN appropriate for gRPC. Precisely what is set is permitted to change, so if
* an application requires particular settings it should override the options set here.
*/
@ExperimentalApi("https://github.com/grpc/grpc-java/issues/1784")
@CanIgnoreReturnValue
public static SslContextBuilder configure(SslContextBuilder builder, SslProvider provider) {
switch (provider) {
case JDK:
{
Provider jdkProvider = findJdkProvider();
if (jdkProvider == null) {
throw new IllegalArgumentException(
"Could not find Jetty NPN/ALPN or Conscrypt as installed JDK providers");
}
return configure(builder, jdkProvider);
}
case OPENSSL:
{
ApplicationProtocolConfig apc;
if (OpenSsl.isAlpnSupported()) {
apc = NPN_AND_ALPN;
} else {
apc = NPN;
}
return builder
.sslProvider(SslProvider.OPENSSL)
.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
.applicationProtocolConfig(apc);
}
default:
throw new IllegalArgumentException("Unsupported provider: " + provider);
}
}
/**
* Set ciphers and APN appropriate for gRPC. Precisely what is set is permitted to change, so if
* an application requires particular settings it should override the options set here.
*/
@CanIgnoreReturnValue
public static SslContextBuilder configure(SslContextBuilder builder, Provider jdkProvider) {
ApplicationProtocolConfig apc;
if (SUN_PROVIDER_NAME.equals(jdkProvider.getName())) {
// Jetty ALPN/NPN only supports one of NPN or ALPN
if (JettyTlsUtil.isJettyAlpnConfigured()) {
apc = ALPN;
} else if (JettyTlsUtil.isJettyNpnConfigured()) {
apc = NPN;
} else if (JettyTlsUtil.isJava9AlpnAvailable()) {
apc = ALPN;
} else {
throw new IllegalArgumentException(
SUN_PROVIDER_NAME + " selected, but Jetty NPN/ALPN unavailable");
}
} else if (isConscrypt(jdkProvider)) {
apc = ALPN;
} else {
throw new IllegalArgumentException("Unknown provider; can't configure: " + jdkProvider);
}
return builder
.sslProvider(SslProvider.JDK)
.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
.applicationProtocolConfig(apc)
.sslContextProvider(jdkProvider);
}
private static SslContext createSslContext() {
try {
File serverCert = TestUtils.loadCert("server1.pem");
File key = TestUtils.loadCert("server1.key");
return GrpcSslContexts.forServer(serverCert, key)
.ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE).build();
} catch (IOException ex) {
throw new RuntimeException(ex);
}
}
@Before
public void setUp() throws Exception {
File serverCert = TestUtils.loadCert("server1.pem");
File key = TestUtils.loadCert("server1.key");
sslContext = GrpcSslContexts.forServer(serverCert, key)
.ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE).build();
engine = SSLContext.getDefault().createSSLEngine();
engine.setUseClientMode(true);
}
private static SslContext configureTLS() throws CertificateException, SSLException {
SelfSignedCertificate ssc = new SelfSignedCertificate();
ApplicationProtocolConfig apn = new ApplicationProtocolConfig(
Protocol.ALPN,
// NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK providers.
SelectorFailureBehavior.NO_ADVERTISE,
// ACCEPT is currently the only mode supported by both OpenSsl and JDK providers.
SelectedListenerFailureBehavior.ACCEPT,
ApplicationProtocolNames.HTTP_2,
ApplicationProtocolNames.HTTP_1_1);
return SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey(), null)
.ciphers(CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
.applicationProtocolConfig(apn).build();
}
public static SslContext ctxForClient(NitmProxyConfig config) throws SSLException {
SslContextBuilder builder = SslContextBuilder
.forClient()
.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
.applicationProtocolConfig(applicationProtocolConfig(config, config.isServerHttp2()));
if (config.isInsecure()) {
builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
}
return builder.build();
}
public static SslContext ctxForServer(NitmProxyConfig config, String serverHost) throws SSLException {
Certificate certificate = CertUtil.newCert(config.getCertFile(), config.getKeyFile(), serverHost);
return SslContextBuilder
.forServer(certificate.getKeyPair().getPrivate(), certificate.getChain())
.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
.applicationProtocolConfig(applicationProtocolConfig(config, config.isClientHttp2()))
.build();
}
@Test
public void channelConfigOptionCheck() throws SSLException {
targetUri = URI.create("https://some-awesome-service-1234.amazonaws.com:8080");
SslContext sslContext = SslContextBuilder.forClient()
.sslProvider(SslProvider.JDK)
.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
.build();
AtomicReference<ChannelPool> channelPoolRef = new AtomicReference<>();
NettyConfiguration nettyConfiguration = new NettyConfiguration(GLOBAL_HTTP_DEFAULTS);
pipelineInitializer = new ChannelPipelineInitializer(Protocol.HTTP1_1,
sslContext,
SslProvider.JDK,
100,
1024,
Duration.ZERO,
channelPoolRef,
nettyConfiguration,
targetUri);
Channel channel = new EmbeddedChannel();
pipelineInitializer.channelCreated(channel);
assertThat(channel.config().getOption(ChannelOption.ALLOCATOR), is(UnpooledByteBufAllocator.DEFAULT));
}
void updateDefaultConfiguration() {
switch (type) {
case H2:
sslContextBuilder.sslProvider(
io.netty.handler.ssl.SslProvider.isAlpnSupported(io.netty.handler.ssl.SslProvider.OPENSSL) ?
io.netty.handler.ssl.SslProvider.OPENSSL :
io.netty.handler.ssl.SslProvider.JDK)
.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
.applicationProtocolConfig(new ApplicationProtocolConfig(
ApplicationProtocolConfig.Protocol.ALPN,
ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
ApplicationProtocolNames.HTTP_2,
ApplicationProtocolNames.HTTP_1_1));
break;
case TCP:
sslContextBuilder.sslProvider(
OpenSsl.isAvailable() ?
io.netty.handler.ssl.SslProvider.OPENSSL :
io.netty.handler.ssl.SslProvider.JDK)
.ciphers(null, IdentityCipherSuiteFilter.INSTANCE)
.applicationProtocolConfig(null);
break;
case NONE:
break; //no default configuration
}
}
private static SslContextBuilder configure(TlsConfig config, SslContextBuilder builder) {
return builder
.applicationProtocolConfig(config.getAlpnConfig())
.ciphers(config.getCiphers(), SupportedCipherSuiteFilter.INSTANCE)
.clientAuth(config.getClientAuth())
.enableOcsp(config.isEnableOcsp())
.protocols(config.getProtocols())
.sessionCacheSize(config.getSessionCacheSize())
.sessionTimeout(config.getSessionTimeout())
.sslProvider(config.getSslProvider());
}
public static void createAndAttachSSLClient(ServiceHost h) throws Throwable {
// we create a random userAgent string to validate host to host communication when
// the client appears to be from an external, non-Xenon source.
ServiceClient client = NettyHttpServiceClient.create(UUID.randomUUID().toString(),
null,
h.getScheduledExecutor(), h);
if (NettyChannelContext.isALPNEnabled()) {
SslContext http2ClientContext = SslContextBuilder.forClient()
.trustManager(InsecureTrustManagerFactory.INSTANCE)
.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
.applicationProtocolConfig(new ApplicationProtocolConfig(
ApplicationProtocolConfig.Protocol.ALPN,
ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
ApplicationProtocolNames.HTTP_2))
.build();
((NettyHttpServiceClient) client).setHttp2SslContext(http2ClientContext);
}
SSLContext clientContext = SSLContext.getInstance(ServiceClient.TLS_PROTOCOL_NAME);
clientContext.init(null, InsecureTrustManagerFactory.INSTANCE.getTrustManagers(), null);
client.setSSLContext(clientContext);
h.setClient(client);
SelfSignedCertificate ssc = new SelfSignedCertificate();
h.setCertificateFileReference(ssc.certificate().toURI());
h.setPrivateKeyFileReference(ssc.privateKey().toURI());
}
public static void createAndAttachSSLClient(ServiceHost h) throws Throwable {
// we create a random userAgent string to validate host to host communication when
// the client appears to be from an external, non-Xenon source.
ServiceClient client = NettyHttpServiceClient.create(UUID.randomUUID().toString(),
null,
h.getScheduledExecutor(), h);
if (NettyChannelContext.isALPNEnabled()) {
SslContext http2ClientContext = SslContextBuilder.forClient()
.trustManager(InsecureTrustManagerFactory.INSTANCE)
.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
.applicationProtocolConfig(new ApplicationProtocolConfig(
ApplicationProtocolConfig.Protocol.ALPN,
ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
ApplicationProtocolNames.HTTP_2))
.build();
((NettyHttpServiceClient) client).setHttp2SslContext(http2ClientContext);
}
SSLContext clientContext = SSLContext.getInstance(ServiceClient.TLS_PROTOCOL_NAME);
clientContext.init(null, InsecureTrustManagerFactory.INSTANCE.getTrustManagers(), null);
client.setSSLContext(clientContext);
h.setClient(client);
SelfSignedCertificate ssc = new SelfSignedCertificate();
h.setCertificateFileReference(ssc.certificate().toURI());
h.setPrivateKeyFileReference(ssc.privateKey().toURI());
}
/**
* Set ciphers and APN appropriate for gRPC. Precisely what is set is permitted to change, so if
* an application requires particular settings it should override the options set here.
*/
@ExperimentalApi("https://github.com/grpc/grpc-java/issues/1784")
@CanIgnoreReturnValue
public static SslContextBuilder configure(SslContextBuilder builder, SslProvider provider) {
switch (provider) {
case JDK:
{
Provider jdkProvider = findJdkProvider();
if (jdkProvider == null) {
throw new IllegalArgumentException(
"Could not find Jetty NPN/ALPN or Conscrypt as installed JDK providers");
}
return configure(builder, jdkProvider);
}
case OPENSSL:
{
ApplicationProtocolConfig apc;
if (OpenSsl.isAlpnSupported()) {
apc = NPN_AND_ALPN;
} else {
apc = NPN;
}
return builder
.sslProvider(SslProvider.OPENSSL)
.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
.applicationProtocolConfig(apc);
}
default:
throw new IllegalArgumentException("Unsupported provider: " + provider);
}
}
/**
* Set ciphers and APN appropriate for gRPC. Precisely what is set is permitted to change, so if
* an application requires particular settings it should override the options set here.
*/
@CanIgnoreReturnValue
public static SslContextBuilder configure(SslContextBuilder builder, Provider jdkProvider) {
ApplicationProtocolConfig apc;
if (SUN_PROVIDER_NAME.equals(jdkProvider.getName())) {
// Jetty ALPN/NPN only supports one of NPN or ALPN
if (JettyTlsUtil.isJettyAlpnConfigured()) {
apc = ALPN;
} else if (JettyTlsUtil.isJettyNpnConfigured()) {
apc = NPN;
} else if (JettyTlsUtil.isJava9AlpnAvailable()) {
apc = ALPN;
} else {
throw new IllegalArgumentException(
SUN_PROVIDER_NAME + " selected, but Java 9+ and Jetty NPN/ALPN unavailable");
}
} else if (ConscryptLoader.isConscrypt(jdkProvider)) {
apc = ALPN;
} else {
throw new IllegalArgumentException("Unknown provider; can't configure: " + jdkProvider);
}
return builder
.sslProvider(SslProvider.JDK)
.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
.applicationProtocolConfig(apc)
.sslContextProvider(jdkProvider);
}