config.withLogging(new JULogging(Level.parse(logging))); if(!encryption) config.withoutEncryption(); config.withTrustStrategy(Config.TrustStrategy.trustAllCertificates()); if(!logLeakedSessions) config.withoutEncryption(); config.withMaxIdleSessions(maxIdleConnectionPoolSize.intValue()); config.withRoutingRetryDelay(routingRetryDelayMillis,TimeUnit.MILLISECONDS); config.withMaxTransactionRetryTime(maxRetryTimeMs, TimeUnit.MILLISECONDS); if(trustStrategy.equals("TRUST_ALL_CERTIFICATES")) config.withTrustStrategy(Config.TrustStrategy.trustAllCertificates()); else if(trustStrategy.equals("TRUST_SYSTEM_CA_SIGNED_CERTIFICATES")) config.withTrustStrategy(Config.TrustStrategy.trustSystemCertificates()); else { File file = new File(trustStrategy); config.withTrustStrategy(Config.TrustStrategy.trustCustomCertificateSignedBy(file));
boolean hostnameVerificationEnabled = trustStrategy.isHostnameVerificationEnabled(); switch ( trustStrategy.strategy() ) "Option `TRUST_ON_FIRST_USE` has been deprecated and will be removed in a future " + "version of the driver. Please switch to use `TRUST_ALL_CERTIFICATES` instead." ); return SecurityPlan.forTrustOnFirstUse( trustStrategy.certFile(), hostnameVerificationEnabled, address, logger ); case TRUST_SIGNED_CERTIFICATES: logger.warn( return SecurityPlan.forCustomCASignedCertificates( trustStrategy.certFile(), hostnameVerificationEnabled ); case TRUST_SYSTEM_CA_SIGNED_CERTIFICATES: return SecurityPlan.forSystemCASignedCertificates( hostnameVerificationEnabled ); default: throw new ClientException( "Unknown TLS authentication strategy: " + trustStrategy.strategy().name() );
Config.TrustStrategy.trustOnFirstUse(new File(new URI(boltConfig.trustCertFile)))); Config.TrustStrategy.trustSignedBy(new File(new URI(boltConfig.trustCertFile))));
Config.TrustStrategy.trustOnFirstUse(new File(new URI(boltConfig.trustCertFile)))); Config.TrustStrategy.trustSignedBy(new File(new URI(boltConfig.trustCertFile))));
/**
 * Trust a Neo4j instance automatically the first time it is seen, and refuse to connect if the
 * certificate it presents ever changes afterwards.
 * This mirrors the known-hosts mechanism used by SSH and protects against man-in-the-middle attacks
 * that begin after the initial setup of your application.
 * <p>
 * Known Neo4j hosts are recorded in {@code knownHostsFile}. On every reconnection to a known host the
 * presented certificate is compared with the recorded one, so an attacker intercepting the
 * communication is detected.
 * <p>
 * This approach cannot detect a man-in-the-middle that is already present the very first time a new
 * Neo4j instance is contacted. If the network you connect over is not trusted, use
 * {@link #trustCustomCertificateSignedBy(File)} instead, or add the trusted host line to the file
 * manually.
 *
 * @param knownHostsFile the file in which known certificates are stored
 * @return an authentication config
 * @deprecated in 1.1 in favour of {@link #trustAllCertificates()}
 */
@Deprecated
public static TrustStrategy trustOnFirstUse( File knownHostsFile )
{
    Strategy strategy = Strategy.TRUST_ON_FIRST_USE;
    return new TrustStrategy( strategy, knownHostsFile );
}
}
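/**
 * Removes the known-hosts entry recorded for the given server from the driver's default
 * trust-on-first-use file, so the next connection to that server is trusted afresh (its certificate
 * is recorded again instead of being compared with the old one). Blank lines are dropped as well.
 * <p>
 * The file is located via {@code Config.defaultConfig().trustStrategy().certFile()}; nothing is done
 * when that is {@code null} or not a regular file.
 *
 * @param neo4jServerLoader supplies the Bolt host and port whose entry is removed
 * @throws RuntimeException wrapping any checked exception raised while reading or writing the file
 */
private static synchronized void cleanupNeo4jKnownHosts( Neo4jServerLoader neo4jServerLoader )
{
    File hostsFile = Config.defaultConfig().trustStrategy().certFile();
    if ( hostsFile == null || !hostsFile.isFile() )
    {
        return;
    }
    // host:port prefix used by the known-hosts lines; computed once rather than per line
    String serverId = neo4jServerLoader.getBoltHost() + ":" + neo4jServerLoader.getBoltPort();
    try
    {
        List<String> updatedLines = FileUtil.loadLines( hostsFile ).stream()
                .filter( line -> !line.isEmpty() )
                .filter( line -> !isEntryFor( line, serverId ) )
                .collect( Collectors.toList() );
        FileUtil.writeToFile( hostsFile,
                String.join( System.lineSeparator(), updatedLines ) + System.lineSeparator() );
    }
    catch ( Exception e )
    {
        // unchecked exceptions propagate untouched; checked ones are wrapped with their cause kept
        Throwables.throwIfUnchecked( e );
        throw new RuntimeException( e );
    }
}

/**
 * Whether a known-hosts line belongs to {@code serverId} ({@code host:port}).
 * A plain prefix test is not enough: {@code host:7687} would also match an entry for
 * {@code host:76870}, so the character following the prefix must not be another digit of the port.
 *
 * @param line a single line of the known-hosts file
 * @param serverId the {@code host:port} identifier to look for
 * @return {@code true} if the line is the entry for that server
 */
private static boolean isEntryFor( String line, String serverId )
{
    if ( !line.startsWith( serverId ) )
    {
        return false;
    }
    return line.length() == serverId.length() || !Character.isDigit( line.charAt( serverId.length() ) );
}
}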
/**
 * Accept only encrypted connections to Neo4j instances whose certificate is signed by one of the
 * trusted certificates found in {@code certFile}. The file should contain one or more trusted X.509
 * certificates.
 * <p>
 * The certificate(s) must be PEM encoded: Base64 content, with each certificate bounded at the
 * beginning by "-----BEGIN CERTIFICATE-----" and at the end by "-----END CERTIFICATE-----".
 *
 * @param certFile the trusted certificate file
 * @return an authentication config
 */
public static TrustStrategy trustCustomCertificateSignedBy( File certFile )
{
    Strategy strategy = Strategy.TRUST_CUSTOM_CA_SIGNED_CERTIFICATES;
    return new TrustStrategy( strategy, certFile );
}
/**
 * Trust strategy {@code TRUST_ALL_CERTIFICATES}: every certificate presented by the server is
 * trusted, so unlike {@link #trustSystemCertificates()} the server's identity is not tied to any
 * certificate store. The connection is encrypted but the server is not authenticated; prefer
 * {@link #trustSystemCertificates()} or {@link #trustCustomCertificateSignedBy(File)} wherever a
 * verifiable certificate is available.
 *
 * @return an authentication config
 * @since 1.1
 */
public static TrustStrategy trustAllCertificates()
{
    Strategy strategy = Strategy.TRUST_ALL_CERTIFICATES;
    return new TrustStrategy( strategy );
}
/**
 * Deprecated form of {@link #trustCustomCertificateSignedBy(File)}; use that method instead.
 *
 * @param certFile the trusted certificate file
 * @return an authentication config
 * @deprecated use {@link #trustCustomCertificateSignedBy(File)}
 */
@Deprecated
public static TrustStrategy trustSignedBy( File certFile )
{
    Strategy strategy = Strategy.TRUST_SIGNED_CERTIFICATES;
    return new TrustStrategy( strategy, certFile );
}
/**
 * Trust strategy that accepts a server certificate only when it can be verified through the local
 * system certificate store.
 *
 * @return an authentication config
 */
public static TrustStrategy trustSystemCertificates()
{
    Strategy strategy = Strategy.TRUST_SYSTEM_CA_SIGNED_CERTIFICATES;
    return new TrustStrategy( strategy );
}