/** * @return when OpenSSL is available */ public static boolean isAvailable() { return OpenSsl.isAvailable(); }
public static SslProvider chooseSslProvider() { // Use openssl only if available and has ALPN support (ie. version > 1.0.2). SslProvider sslProvider; if (ALLOW_USE_OPENSSL.get() && OpenSsl.isAvailable() && OpenSsl.isAlpnSupported()) { sslProvider = SslProvider.OPENSSL; } else { sslProvider = SslProvider.JDK; } return sslProvider; }
@Test public void testEnsureOpenSSLAvailability() { Assume.assumeTrue(allowOpenSSL); Assert.assertTrue(String.valueOf(OpenSsl.unavailabilityCause()), OpenSsl.isAvailable()); }
boolean openSslIsAvailable = OpenSsl.isAvailable(); boolean openSslAlpnIsSupported = OpenSsl.isAlpnSupported(); String javaVersion = Runtime.class.getPackage().getImplementationVersion(); String javaSpecificationVersion = System.getProperty("java.specification.version"); } else { System.out.println(" [FAIL] Open SSL is NOT available"); if (OpenSsl.unavailabilityCause() != null) { System.out.println(" Open SSL Unavailability cause:"); OpenSsl.unavailabilityCause().printStackTrace(System.out);
/** * Determines if Netty OpenSSL support is available and applicable based on the configuration * in the given TransportOptions instance. * * @param options * The configuration of the Transport being created. * * @return true if OpenSSL support is available and usable given the requested configuration. */ public static boolean isOpenSSLPossible(TransportOptions options) { boolean result = false; if (options.isUseOpenSSL()) { if (!OpenSsl.isAvailable()) { LOG.debug("OpenSSL could not be enabled because a suitable implementation could not be found.", OpenSsl.unavailabilityCause()); } else if (options.getSslContextOverride() != null) { LOG.debug("OpenSSL could not be enabled due to user SSLContext being supplied."); } else if (!OpenSsl.supportsKeyManagerFactory()) { LOG.debug("OpenSSL could not be enabled because the version provided does not allow a KeyManagerFactory to be used."); } else if (options.isVerifyHost() && !OpenSsl.supportsHostnameValidation()) { LOG.debug("OpenSSL could not be enabled due to verifyHost being enabled but not supported by the provided OpenSSL version."); } else if (options.getKeyAlias() != null) { LOG.debug("OpenSSL could not be enabled because a keyAlias is set and that feature is not supported for OpenSSL."); } else { LOG.debug("OpenSSL Enabled: Version {} of OpenSSL will be used", OpenSsl.versionString()); result = true; } } return result; }
@Override public final void setEnabledCipherSuites(String[] cipherSuites) { checkNotNull(cipherSuites, "cipherSuites"); if (!OpenSsl.isCipherSuiteAvailable(converted)) { throw new IllegalArgumentException("unsupported cipher suite: " + c + '(' + converted + ')');
final List<String> secureTransportSSLProtocols = Arrays.asList(SSLConfigConstants.getSecureSSLProtocols(settings, false)); if (OpenSsl.isAvailable()) { final Set<String> openSSLSecureHttpCiphers = new HashSet<>(); for (final String secure : secureHttpSSLCiphers) { if (OpenSsl.isCipherSuiteAvailable(secure)) { openSSLSecureHttpCiphers.add(secure); log.debug("OPENSSL "+OpenSsl.versionString()+" supports the following ciphers (java-style) {}", OpenSsl.availableJavaCipherSuites()); log.debug("OPENSSL "+OpenSsl.versionString()+" supports the following ciphers (openssl-style) {}", OpenSsl.availableOpenSslCipherSuites()); if (OpenSsl.isAvailable()) { final Set<String> openSSLSecureTransportCiphers = new HashSet<>(); for (final String secure : secureTransportSSLCiphers) { if (OpenSsl.isCipherSuiteAvailable(secure)) { openSSLSecureTransportCiphers.add(secure); if(OpenSsl.isAvailable() && OpenSsl.version() > 0x10101009L) { enabledHttpProtocolsOpenSSLProvider = new ArrayList(Arrays.asList("TLSv1.3","TLSv1.2","TLSv1.1")); enabledHttpProtocolsOpenSSLProvider.retainAll(secureHttpSSLProtocols); } else if(OpenSsl.isAvailable()){ enabledHttpProtocolsOpenSSLProvider = new ArrayList(Arrays.asList("TLSv1.2","TLSv1.1")); enabledHttpProtocolsOpenSSLProvider.retainAll(secureHttpSSLProtocols);
private void logOpenSSLInfos() { if (OpenSsl.isAvailable()) { log.info("OpenSSL " + OpenSsl.versionString() + " (" + OpenSsl.version() + ") available"); if (OpenSsl.version() < 0x10002000L) { log.warn( "Outdated OpenSSL version detected. You should update to 1.0.2k or later. Currently installed: " + OpenSsl.versionString()); } if (!OpenSsl.supportsHostnameValidation()) { log.warn("Your OpenSSL version " + OpenSsl.versionString() + " does not support hostname verification. You should update to 1.0.2k or later."); } log.debug("OpenSSL available ciphers " + OpenSsl.availableOpenSslCipherSuites()); } else { log.info("OpenSSL not available (this is not an error, we simply fallback to built-in JDK SSL) because of " + OpenSsl.unavailabilityCause()); } }
final boolean isOpenSslAvailable = OpenSsl.isAvailable(); final boolean supportsKeyManagerFactory = OpenSsl.supportsKeyManagerFactory(); final boolean useOpenSsl = getConfig().isNativeTlsRequired() || (isOpenSslAvailable && supportsKeyManagerFactory); OpenSsl.versionString()); serverOptions.setSslEngineOptions(new OpenSSLEngineOptions()); } else {
private void buildSslContext() { SslProvider provider = OpenSsl.isAvailable() ? SslProvider.OPENSSL : SslProvider.JDK; try { sslContext = SslContextBuilder.forClient() .sslProvider(provider) /* NOTE: the cipher filter may not include all ciphers required by the HTTP/2 specification. * Please refer to the HTTP/2 specification for cipher requirements. */ .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE) .trustManager(InsecureTrustManagerFactory.INSTANCE) .build(); } catch (SSLException e) { e.printStackTrace(); } }
/** * @return when alpn support is available via OpenSSL engine */ public static boolean isAlpnAvailable() { return OpenSsl.isAlpnSupported(); }
static boolean isOpenSslAvailable() { return PlatformDependent.bitMode() != 32 && OpenSsl.isAvailable(); }
@Test public void shouldUpgradeUsingALPN() throws Exception { SkipTestNG.skipSinceJDK(10); // TODO: OpenSSL ALPN doesn't seem to work. Restructure the test to use internal JDK ALPN if (!OpenSsl.isAlpnSupported()) { throw new IllegalStateException("OpenSSL is not present, can not test TLS/ALPN support. Version: " + OpenSsl.versionString() + " Cause: " + OpenSsl.unavailabilityCause()); } //given restServer = RestServerHelper.defaultRestServer("http2testcache") .withKeyStore(KEY_STORE_PATH, "secret", "pkcs12") .start(TestResourceTracker.getCurrentTestShortName()); client = NettyHttpClient.newHttp2ClientWithALPN(KEY_STORE_PATH, "secret"); client.start(restServer.getHost(), restServer.getPort()); FullHttpRequest putValueInCacheRequest = new DefaultFullHttpRequest(HTTP_1_1, POST, "/rest/http2testcache/test", wrappedBuffer("test".getBytes(CharsetUtil.UTF_8))); //when client.sendRequest(putValueInCacheRequest); Queue<FullHttpResponse> responses = client.getResponses(); //then Assertions.assertThat(responses).hasSize(1); Assertions.assertThat(responses.element().status().code()).isEqualTo(200); Assertions.assertThat(restServer.getCacheManager().getCache("http2testcache").size()).isEqualTo(1); }
@Test public void testAvailCiphersOpenSSL() throws Exception { Assume.assumeTrue(OpenSsl.isAvailable()); // Set<String> openSSLAvailCiphers = new // HashSet<>(OpenSsl.availableCipherSuites()); // System.out.println("OpenSSL available ciphers: "+openSSLAvailCiphers); // ECDHE-RSA-AES256-SHA, ECDH-ECDSA-AES256-SHA, DH-DSS-DES-CBC-SHA, // ADH-AES256-SHA256, ADH-CAMELLIA128-SHA final Set<String> openSSLSecureCiphers = new HashSet<>(); for (final String secure : SSLConfigConstants.getSecureSSLCiphers(Settings.EMPTY, false)) { if (OpenSsl.isCipherSuiteAvailable(secure)) { openSSLSecureCiphers.add(secure); } } System.out.println("OpenSSL secure ciphers: " + openSSLSecureCiphers); Assert.assertTrue(openSSLSecureCiphers.size() > 0); }
@Test(timeout = 30000) public void testSslRenegotiationRejected() throws Throwable { // BoringSSL does not support renegotiation intentionally. Assume.assumeFalse("BoringSSL".equals(OpenSsl.versionString())); Assume.assumeTrue(OpenSsl.isAvailable()); run(); }
@Override public Object run() { System.setProperty("es.set.netty.runtime.available.processors", "false"); PlatformDependent.newFixedMpscQueue(1); OpenSsl.isAvailable(); return null; } });
/** * @deprecated use {@link #availableOpenSslCipherSuites()} */ @Deprecated public static Set<String> availableCipherSuites() { return availableOpenSslCipherSuites(); }
if (!OpenSsl.isCipherSuiteAvailable(converted)) { throw new IllegalArgumentException("unsupported cipher suite: " + c + '(' + converted + ')');
/** * Determines if Netty OpenSSL support is available and applicable based on the configuration * in the given TransportOptions instance. * * @param options * The configuration of the Transport being created. * * @return true if OpenSSL support is available and usable given the requested configuration. */ public static boolean isOpenSSLPossible(TransportOptions options) { boolean result = false; if (options.isUseOpenSSL()) { if (!OpenSsl.isAvailable()) { LOG.debug("OpenSSL could not be enabled because a suitable implementation could not be found.", OpenSsl.unavailabilityCause()); } else if (options.getSslContextOverride() != null) { LOG.debug("OpenSSL could not be enabled due to user SSLContext being supplied."); } else if (!OpenSsl.supportsKeyManagerFactory()) { LOG.debug("OpenSSL could not be enabled because the version provided does not allow a KeyManagerFactory to be used."); } else if (options.isVerifyHost() && !OpenSsl.supportsHostnameValidation()) { LOG.debug("OpenSSL could not be enabled due to verifyHost being enabled but not supported by the provided OpenSSL version."); } else if (options.getKeyAlias() != null) { LOG.debug("OpenSSL could not be enabled because a keyAlias is set and that feature is not supported for OpenSSL."); } else { LOG.debug("OpenSSL Enabled: Version {} of OpenSSL will be used", OpenSsl.versionString()); result = true; } } return result; }
@Override public final void setEnabledCipherSuites(String[] cipherSuites) { checkNotNull(cipherSuites, "cipherSuites"); if (!OpenSsl.isCipherSuiteAvailable(converted)) { throw new IllegalArgumentException("unsupported cipher suite: " + c + '(' + converted + ')');