下面列出了io.netty.channel.pool.ChannelPoolHandler#io.netty.handler.ssl.OpenSsl 实例代码,或者点击链接到github查看源代码,也可以在右侧发表评论。
@Override
protected AbstractServerImplBuilder<?> getServerBuilder() {
// Starts the server with HTTPS.
try {
SslProvider sslProvider = SslContext.defaultServerProvider();
if (sslProvider == SslProvider.OPENSSL && !OpenSsl.isAlpnSupported()) {
// OkHttp only supports Jetty ALPN on OpenJDK. So if OpenSSL doesn't support ALPN, then we
// are forced to use Jetty ALPN for Netty instead of OpenSSL.
sslProvider = SslProvider.JDK;
}
SslContextBuilder contextBuilder = SslContextBuilder
.forServer(TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key"));
GrpcSslContexts.configure(contextBuilder, sslProvider);
contextBuilder.ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE);
return NettyServerBuilder.forPort(0)
.flowControlWindow(65 * 1024)
.maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
.sslContext(contextBuilder.build());
} catch (IOException ex) {
throw new RuntimeException(ex);
}
}
/**
* Returns OpenSSL if available, otherwise returns the JDK provider.
*/
private static SslProvider defaultSslProvider() {
if (OpenSsl.isAvailable()) {
logger.log(Level.FINE, "Selecting OPENSSL");
return SslProvider.OPENSSL;
}
Provider provider = findJdkProvider();
if (provider != null) {
logger.log(Level.FINE, "Selecting JDK with provider {0}", provider);
return SslProvider.JDK;
}
logger.log(Level.INFO, "netty-tcnative unavailable (this may be normal)",
OpenSsl.unavailabilityCause());
logger.log(Level.INFO, "Conscrypt not found (this may be normal)");
logger.log(Level.INFO, "Jetty ALPN unavailable (this may be normal)",
JettyTlsUtil.getJettyAlpnUnavailabilityCause());
throw new IllegalStateException(
"Could not find TLS ALPN provider; "
+ "no working netty-tcnative, Conscrypt, or Jetty NPN/ALPN available");
}
@Override
public List<String> get() {
List<String> ciphers;
if (OpenSsl.isAvailable()) {
// TODO: consider switching to the list of all available ciphers using OpenSsl.availableCipherSuites()
ciphers = getBuiltInCipherList();
} else {
ciphers = getEnabledJdkCipherSuites();
if (ciphers.isEmpty()) {
// could not retrieve the list of enabled ciphers from the JDK SSLContext, so use the hard-coded list
ciphers = getBuiltInCipherList();
}
}
return ciphers;
}
@Test
public void testCreateSslEngineFromJceksStoreWithExplicitEnabledProtocolsOpenSSL() throws Exception {
assumeTrue(OpenSsl.isAvailable());
assumeTrue(OpenSsl.supportsKeyManagerFactory());
// Try and disable all but the one we really want but for now expect that this one plus SSLv2Hello
// is going to come back until the netty code can successfully disable them all.
TransportOptions options = createJceksSslOptions(ENABLED_PROTOCOLS);
SslContext context = TransportSupport.createOpenSslContext(options);
assertNotNull(context);
SSLEngine engine = TransportSupport.createOpenSslEngine(PooledByteBufAllocator.DEFAULT, null, context, options);
assertNotNull(engine);
assertArrayEquals("Enabled protocols not as expected", ENABLED_OPENSSL_PROTOCOLS, engine.getEnabledProtocols());
}
@Test
public void testCreateSslEngineFromJksStoreWithExplicitEnabledAndDisabledCiphersOpenSSL() throws Exception {
assumeTrue(OpenSsl.isAvailable());
assumeTrue(OpenSsl.supportsKeyManagerFactory());
// Discover the default enabled ciphers
TransportOptions options = createJksSslOptions();
SSLEngine directEngine = createOpenSSLEngineDirectly(options);
String[] ciphers = directEngine.getEnabledCipherSuites();
assertTrue("There werent enough initial ciphers to choose from!", ciphers.length > 1);
// Pull out two to enable, and one to disable specifically
String cipher1 = ciphers[0];
String cipher2 = ciphers[1];
String[] enabledCiphers = new String[] { cipher1, cipher2 };
String[] disabledCipher = new String[] { cipher1 };
String[] remainingCipher = new String[] { cipher2 };
options.setEnabledCipherSuites(enabledCiphers);
options.setDisabledCipherSuites(disabledCipher);
SslContext context = TransportSupport.createOpenSslContext(options);
SSLEngine engine = TransportSupport.createOpenSslEngine(PooledByteBufAllocator.DEFAULT, null, context, options);
// verify the option took effect, that the disabled ciphers were removed from the enabled list.
assertNotNull(engine);
assertArrayEquals("Enabled ciphers not as expected", remainingCipher, engine.getEnabledCipherSuites());
}
/**
* Returns OpenSSL if available, otherwise returns the JDK provider.
*/
private static SslProvider defaultSslProvider() {
if (OpenSsl.isAvailable()) {
logger.log(Level.FINE, "Selecting OPENSSL");
return SslProvider.OPENSSL;
}
Provider provider = findJdkProvider();
if (provider != null) {
logger.log(Level.FINE, "Selecting JDK with provider {0}", provider);
return SslProvider.JDK;
}
logger.log(Level.INFO, "Java 9 ALPN API unavailable (this may be normal)");
logger.log(Level.INFO, "netty-tcnative unavailable (this may be normal)",
OpenSsl.unavailabilityCause());
logger.log(Level.INFO, "Conscrypt not found (this may be normal)",
ConscryptHolder.UNAVAILABILITY_CAUSE);
logger.log(Level.INFO, "Jetty ALPN unavailable (this may be normal)",
JettyTlsUtil.getJettyAlpnUnavailabilityCause());
throw new IllegalStateException(
"Could not find TLS ALPN provider; "
+ "no working netty-tcnative, Conscrypt, or Jetty NPN/ALPN available");
}
@Test
public void testAvailCiphersOpenSSL() throws Exception {
Assume.assumeTrue(OpenSsl.isAvailable());
// Set<String> openSSLAvailCiphers = new
// HashSet<>(OpenSsl.availableCipherSuites());
// System.out.println("OpenSSL available ciphers: "+openSSLAvailCiphers);
// ECDHE-RSA-AES256-SHA, ECDH-ECDSA-AES256-SHA, DH-DSS-DES-CBC-SHA,
// ADH-AES256-SHA256, ADH-CAMELLIA128-SHA
final Set<String> openSSLSecureCiphers = new HashSet<>();
for (final String secure : SSLConfigConstants.getSecureSSLCiphers(Settings.EMPTY, false)) {
if (OpenSsl.isCipherSuiteAvailable(secure)) {
openSSLSecureCiphers.add(secure);
}
}
System.out.println("OpenSSL secure ciphers: " + openSSLSecureCiphers);
Assert.assertTrue(openSSLSecureCiphers.size() > 0);
}
private static SslProvider createSslProvider(BridgeServerConfig serverConfig) {
switch (serverConfig.getTlsProvider()) {
case BridgeServerConfig.TLS_PROVIDER_JDK:
case BridgeServerConfig.TLS_PROVIDER_DEFAULT:
logger.info("using jdk ssl provider");
return SslProvider.JDK;
case BridgeServerConfig.TLS_PROVIDER_OPENSSL:
if (!OpenSsl.isAvailable()) {
throw new RuntimeException("could not initialize openssl ssl provider", OpenSsl.unavailabilityCause());
}
logger.info("using openssl ssl provider");
return SslProvider.OPENSSL_REFCNT;
default:
throw new RuntimeException("unknown ssl provider: " + serverConfig.getTlsProvider());
}
}
@Test
public void testCreateSslEngineWithVerifyHostOpenSSL() throws Exception {
assumeTrue(OpenSsl.isAvailable());
assumeTrue(OpenSsl.supportsKeyManagerFactory());
assumeTrue(OpenSsl.supportsHostnameValidation());
TransportOptions options = createJksSslOptions();
options.setVerifyHost(true);
SslContext context = TransportSupport.createOpenSslContext(options);
assertNotNull(context);
SSLEngine engine = TransportSupport.createOpenSslEngine(PooledByteBufAllocator.DEFAULT, null, context, options);
assertNotNull(engine);
assertEquals("HTTPS", engine.getSSLParameters().getEndpointIdentificationAlgorithm());
}
@Parameters(name = "{index}: serverEngine = {0}, clientEngine = {1}")
public static Collection<Object[]> data() throws Exception {
List<SslContext> serverContexts = new ArrayList<SslContext>();
serverContexts.add(SslContextBuilder.forServer(CERT_FILE, KEY_FILE).sslProvider(SslProvider.JDK).build());
List<SslContext> clientContexts = new ArrayList<SslContext>();
clientContexts.add(SslContextBuilder.forClient().sslProvider(SslProvider.JDK).trustManager(CERT_FILE).build());
boolean hasOpenSsl = OpenSsl.isAvailable();
if (hasOpenSsl) {
serverContexts.add(SslContextBuilder.forServer(CERT_FILE, KEY_FILE)
.sslProvider(SslProvider.OPENSSL).build());
clientContexts.add(SslContextBuilder.forClient().sslProvider(SslProvider.OPENSSL)
.trustManager(CERT_FILE).build());
} else {
logger.warn("OpenSSL is unavailable and thus will not be tested.", OpenSsl.unavailabilityCause());
}
List<Object[]> params = new ArrayList<Object[]>();
for (SslContext sc: serverContexts) {
for (SslContext cc: clientContexts) {
params.add(new Object[] { sc, cc });
}
}
return params;
}
@Parameters(name = "{index}: serverEngine = {0}, clientEngine = {1}")
public static Collection<Object[]> data() throws Exception {
List<SslContext> serverContexts = new ArrayList<SslContext>();
serverContexts.add(SslContextBuilder.forServer(CERT_FILE, KEY_FILE).sslProvider(SslProvider.JDK).build());
List<SslContext> clientContexts = new ArrayList<SslContext>();
clientContexts.add(SslContextBuilder.forClient().sslProvider(SslProvider.JDK).trustManager(CERT_FILE).build());
boolean hasOpenSsl = OpenSsl.isAvailable();
if (hasOpenSsl) {
serverContexts.add(SslContextBuilder.forServer(CERT_FILE, KEY_FILE)
.sslProvider(SslProvider.OPENSSL).build());
clientContexts.add(SslContextBuilder.forClient().sslProvider(SslProvider.OPENSSL)
.trustManager(CERT_FILE).build());
} else {
logger.warn("OpenSSL is unavailable and thus will not be tested.", OpenSsl.unavailabilityCause());
}
List<Object[]> params = new ArrayList<Object[]>();
for (SslContext sc: serverContexts) {
for (SslContext cc: clientContexts) {
params.add(new Object[] { sc, cc });
}
}
return params;
}
@Test
public void testCreateSslEngineFromJksStoreOpenSSL() throws Exception {
assumeTrue(OpenSsl.isAvailable());
assumeTrue(OpenSsl.supportsKeyManagerFactory());
TransportOptions options = createJksSslOptions();
SslContext context = TransportSupport.createOpenSslContext(options);
assertNotNull(context);
SSLEngine engine = TransportSupport.createOpenSslEngine(PooledByteBufAllocator.DEFAULT, null, context, options);
assertNotNull(engine);
List<String> engineProtocols = Arrays.asList(engine.getEnabledProtocols());
assertFalse(engineProtocols.isEmpty());
}
@Override
public List<String> get() {
List<String> ciphers;
if (OpenSsl.isAvailable()) {
// TODO: consider switching to the list of all available ciphers using OpenSsl.availableCipherSuites()
ciphers = getBuiltInCipherList();
} else {
ciphers = getEnabledJdkCipherSuites();
if (ciphers.isEmpty()) {
// could not retrieve the list of enabled ciphers from the JDK SSLContext, so use the hard-coded list
ciphers = getBuiltInCipherList();
}
}
return ciphers;
}
@Test
public void testCreateSslEngineFromPkcs12StoreOpenSSL() throws Exception {
assumeTrue(OpenSsl.isAvailable());
assumeTrue(OpenSsl.supportsKeyManagerFactory());
TransportOptions options = createPkcs12SslOptions();
SslContext context = TransportSupport.createOpenSslContext(options);
assertNotNull(context);
SSLEngine engine = TransportSupport.createOpenSslEngine(PooledByteBufAllocator.DEFAULT, null, context, options);
assertNotNull(engine);
List<String> engineProtocols = Arrays.asList(engine.getEnabledProtocols());
assertFalse(engineProtocols.isEmpty());
}
private SslContext getSslContext() {
SslContext sslCtx = null;
final SslProvider provider = OpenSsl.isAlpnSupported() ? SslProvider.OPENSSL : SslProvider.JDK;
try {
sslCtx = SslContextBuilder.forClient()
.sslProvider(provider)
.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
.trustManager(InsecureTrustManagerFactory.INSTANCE)
.applicationProtocolConfig(new ApplicationProtocolConfig(
Protocol.ALPN,
SelectorFailureBehavior.NO_ADVERTISE,
SelectedListenerFailureBehavior.ACCEPT,
ApplicationProtocolNames.HTTP_2))
.build();
} catch(SSLException exception) {
return null;
}
return sslCtx;
}
@Parameters(name = "{index}: serverEngine = {0}, clientEngine = {1}")
public static Collection<Object[]> data() throws Exception {
List<SslContext> serverContexts = new ArrayList<SslContext>();
serverContexts.add(new JdkSslServerContext(CERT_FILE, KEY_FILE));
List<SslContext> clientContexts = new ArrayList<SslContext>();
clientContexts.add(new JdkSslClientContext(CERT_FILE));
boolean hasOpenSsl = OpenSsl.isAvailable();
if (hasOpenSsl) {
serverContexts.add(new OpenSslServerContext(CERT_FILE, KEY_FILE));
clientContexts.add(new OpenSslClientContext(CERT_FILE));
} else {
logger.warn("OpenSSL is unavailable and thus will not be tested.", OpenSsl.unavailabilityCause());
}
List<Object[]> params = new ArrayList<Object[]>();
for (SslContext sc: serverContexts) {
for (SslContext cc: clientContexts) {
params.add(new Object[] { sc, cc });
}
}
return params;
}
@Parameters(name = "{index}: serverEngine = {0}, clientEngine = {1}")
public static Collection<Object[]> data() throws Exception {
List<SslContext> serverContexts = new ArrayList<SslContext>();
serverContexts.add(new JdkSslServerContext(CERT_FILE, KEY_FILE));
List<SslContext> clientContexts = new ArrayList<SslContext>();
clientContexts.add(new JdkSslClientContext(CERT_FILE));
boolean hasOpenSsl = OpenSsl.isAvailable();
if (hasOpenSsl) {
serverContexts.add(new OpenSslServerContext(CERT_FILE, KEY_FILE));
clientContexts.add(new OpenSslClientContext(CERT_FILE));
} else {
logger.warn("OpenSSL is unavailable and thus will not be tested.", OpenSsl.unavailabilityCause());
}
List<Object[]> params = new ArrayList<Object[]>();
for (SslContext sc: serverContexts) {
for (SslContext cc: clientContexts) {
params.add(new Object[] { sc, cc });
}
}
return params;
}
@Test
void dumpOpenSslInfoDoNotThrowStackOverFlowError() throws Throwable {
assumeThat(OpenSsl.isAvailable()).isTrue();
System.setProperty("com.linecorp.armeria.dumpOpenSslInfo", "true");
// There's a chance that Flags.useOpenSsl() is already called by other test cases, which means that
// we cannot set dumpOpenSslInfo. So we use our own class loader to load the Flags class.
final FlagsClassLoader classLoader = new FlagsClassLoader();
final Class<?> flags = classLoader.loadClass("com.linecorp.armeria.common.Flags");
final Lookup lookup = MethodHandles.publicLookup();
final MethodHandle useOpenSslMethodHandle = lookup.findStatic(flags, "useOpenSsl",
MethodType.methodType(boolean.class));
useOpenSslMethodHandle.invoke(); // Call Flags.useOpenSsl();
final MethodHandle dumpOpenSslInfoMethodHandle =
lookup.findStatic(flags, "dumpOpenSslInfo", MethodType.methodType(boolean.class));
// // Call Flags.dumpOpenSslInfo();
assertThat(dumpOpenSslInfoMethodHandle.invoke()).isSameAs(Boolean.TRUE);
}
/**
* Determines if Netty OpenSSL support is available and applicable based on the configuration
* in the given TransportOptions instance.
*
* @param options
* The configuration of the Transport being created.
*
* @return true if OpenSSL support is available and usable given the requested configuration.
*/
public static boolean isOpenSSLPossible(TransportOptions options) {
boolean result = false;
if (options.isUseOpenSSL()) {
if (!OpenSsl.isAvailable()) {
LOG.debug("OpenSSL could not be enabled because a suitable implementation could not be found.", OpenSsl.unavailabilityCause());
} else if (options.getSslContextOverride() != null) {
LOG.debug("OpenSSL could not be enabled due to user SSLContext being supplied.");
} else if (!OpenSsl.supportsKeyManagerFactory()) {
LOG.debug("OpenSSL could not be enabled because the version provided does not allow a KeyManagerFactory to be used.");
} else if (options.isVerifyHost() && !OpenSsl.supportsHostnameValidation()) {
// Keep deprecated check for now, older netty-tcnative versions required it and we don't control the version used.
LOG.debug("OpenSSL could not be enabled due to verifyHost being enabled but not supported by the provided OpenSSL version.");
} else if (options.getKeyAlias() != null) {
LOG.debug("OpenSSL could not be enabled because a keyAlias is set and that feature is not supported for OpenSSL.");
} else {
LOG.debug("OpenSSL Enabled: Version {} of OpenSSL will be used", OpenSsl.versionString());
result = true;
}
}
return result;
}
@Test
public void testCreateSslEngineWithoutVerifyHostOpenSSL() throws Exception {
assumeTrue(OpenSsl.isAvailable());
assumeTrue(OpenSsl.supportsKeyManagerFactory());
assumeTrue(OpenSsl.supportsHostnameValidation());
TransportOptions options = createJksSslOptions();
options.setVerifyHost(false);
SslContext context = TransportSupport.createOpenSslContext(options);
assertNotNull(context);
SSLEngine engine = TransportSupport.createOpenSslEngine(PooledByteBufAllocator.DEFAULT, null, context, options);
assertNotNull(engine);
assertNull(engine.getSSLParameters().getEndpointIdentificationAlgorithm());
}
@Test
public void testLegacySslProtocolsDisabledByDefaultOpenSSL() throws Exception {
assumeTrue(OpenSsl.isAvailable());
assumeTrue(OpenSsl.supportsKeyManagerFactory());
TransportOptions options = createJksSslOptions(null);
SslContext context = TransportSupport.createOpenSslContext(options);
assertNotNull(context);
SSLEngine engine = TransportSupport.createOpenSslEngine(PooledByteBufAllocator.DEFAULT, null, context, options);
assertNotNull(engine);
List<String> engineProtocols = Arrays.asList(engine.getEnabledProtocols());
assertFalse("SSLv3 should not be enabled by default", engineProtocols.contains("SSLv3"));
// TODO - Netty is currently unable to disable OpenSSL SSLv2Hello so we are stuck with it for now.
// assertFalse("SSLv2Hello should not be enabled by default", engineProtocols.contains("SSLv2Hello"));
}
@Test
public void testCreateSslContextNoKeyStorePasswordOpenSSL() throws Exception {
assumeTrue(OpenSsl.isAvailable());
assumeTrue(OpenSsl.supportsKeyManagerFactory());
TransportOptions options = createJksSslOptions();
options.setKeyStorePassword(null);
try {
TransportSupport.createOpenSslContext(options);
fail("Expected an exception to be thrown");
} catch (UnrecoverableKeyException e) {
// Expected
} catch (IllegalArgumentException iae) {
// Expected in certain cases
String message = iae.getMessage();
assertTrue("Unexpected message: " + message, message.contains("password can't be null"));
}
}
/**
* Set ciphers and APN appropriate for gRPC. Precisely what is set is permitted to change, so if
* an application requires particular settings it should override the options set here.
*/
@ExperimentalApi("https://github.com/grpc/grpc-java/issues/1784")
@CanIgnoreReturnValue
public static SslContextBuilder configure(SslContextBuilder builder, SslProvider provider) {
switch (provider) {
case JDK:
{
Provider jdkProvider = findJdkProvider();
if (jdkProvider == null) {
throw new IllegalArgumentException(
"Could not find Jetty NPN/ALPN or Conscrypt as installed JDK providers");
}
return configure(builder, jdkProvider);
}
case OPENSSL:
{
ApplicationProtocolConfig apc;
if (OpenSsl.isAlpnSupported()) {
apc = NPN_AND_ALPN;
} else {
apc = NPN;
}
return builder
.sslProvider(SslProvider.OPENSSL)
.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
.applicationProtocolConfig(apc);
}
default:
throw new IllegalArgumentException("Unsupported provider: " + provider);
}
}
private SslProvider getSslProvider() {
if (OpenSsl.isAvailable()) {
return SslProvider.OPENSSL_REFCNT;
} else {
return SslProvider.JDK;
}
}
@Test(expected = IOException.class)
public void testCreateSslContextBadPathToKeyStoreOpenSSL() throws Exception {
assumeTrue(OpenSsl.isAvailable());
assumeTrue(OpenSsl.supportsKeyManagerFactory());
TransportOptions options = createJksSslOptions();
options.setKeyStoreLocation(CLIENT_JKS_KEYSTORE + ".bad");
TransportSupport.createOpenSslContext(options);
}
@Test
public void testEnsureOpenSSLAvailability() {
//Assert.assertTrue("OpenSSL not available: "+String.valueOf(OpenSsl.unavailabilityCause()), OpenSsl.isAvailable());
final String openSSLOptional = System.getenv("OPENDISTRO_SECURITY_TEST_OPENSSL_OPT");
System.out.println("OPENDISTRO_SECURITY_TEST_OPENSSL_OPT "+openSSLOptional);
if(!Boolean.parseBoolean(openSSLOptional)) {
System.out.println("OpenSSL must be available");
Assert.assertTrue("OpenSSL not available: "+String.valueOf(OpenSsl.unavailabilityCause()), OpenSsl.isAvailable());
} else {
System.out.println("OpenSSL can be available");
}
}
@Test(expected = IOException.class)
public void testCreateSslContextWrongKeyStorePasswordOpenSSL() throws Exception {
assumeTrue(OpenSsl.isAvailable());
assumeTrue(OpenSsl.supportsKeyManagerFactory());
TransportOptions options = createJksSslOptions();
options.setKeyStorePassword("wrong");
TransportSupport.createOpenSslContext(options);
}
@Test
public void testNodeClientSSLwithOpenSslTLSv13() throws Exception {
Assume.assumeTrue(OpenSsl.isAvailable() && OpenSsl.version() > 0x10101009L);
final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true)
.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
.put("opendistro_security.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
.put("opendistro_security.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks"))
.put("opendistro_security.ssl.transport.enforce_hostname_verification", false)
.put("opendistro_security.ssl.transport.resolve_hostname", false)
.putList(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.3")
.putList(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, "TLS_CHACHA20_POLY1305_SHA256")
.build();
startES(settings);
final Settings tcSettings = Settings.builder().put("cluster.name", clustername).put("path.home", ".")
.put("node.name", "client_node_" + new Random().nextInt())
.put(settings)// -----
.build();
try (Node node = new PluginAwareNode(tcSettings, Netty4Plugin.class, OpenDistroSecuritySSLPlugin.class).start()) {
ClusterHealthResponse res = node.client().admin().cluster().health(new ClusterHealthRequest().waitForNodes("4").timeout(TimeValue.timeValueSeconds(5))).actionGet();
Assert.assertFalse(res.isTimedOut());
Assert.assertEquals(4, res.getNumberOfNodes());
Assert.assertEquals(4, node.client().admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size());
}
Assert.assertFalse(executeSimpleRequest("_nodes/stats?pretty").contains("\"tx_size_in_bytes\" : 0"));
Assert.assertFalse(executeSimpleRequest("_nodes/stats?pretty").contains("\"rx_count\" : 0"));
Assert.assertFalse(executeSimpleRequest("_nodes/stats?pretty").contains("\"rx_size_in_bytes\" : 0"));
Assert.assertFalse(executeSimpleRequest("_nodes/stats?pretty").contains("\"tx_count\" : 0"));
}
public static SslProvider createSslProvider() {
Supplier<String> sslProvider = ConfigService.supplier("iris.gateway.ssl.provider", String.class, "");
Security.addProvider(new BouncyCastleProvider());
switch (sslProvider.get()) {
case "":
case "openssl":
if (OpenSsl.isAvailable()) {
log.debug("using openssl for gateway ssl provider");
return openssl();
} else {
if (!"".equals(sslProvider.get())) {
log.warn("openssl ssl provider requested but not available, using jdk ssl for gateway connection:", OpenSsl.unavailabilityCause());
} else {
log.debug("using jdk for gateway ssl provider: ", OpenSsl.unavailabilityCause());
}
return jdk();
}
case "jdk":
log.debug("using jdk for gateway ssl provider");
return jdk();
default:
log.warn("unknown ssl provider, using jdk by default");
return jdk();
}
}
@Test(timeout = 30000)
public void testSslRenegotiationRejected() throws Throwable {
// BoringSSL does not support renegotiation intentionally.
Assume.assumeFalse("BoringSSL".equals(OpenSsl.versionString()));
Assume.assumeTrue(OpenSsl.isAvailable());
run();
}