/**
 * Reports whether ALPN can be negotiated through the OpenSSL-backed engine.
 *
 * @return {@code true} if the OpenSSL integration is loaded and supports ALPN, {@code false} otherwise
 */
public static boolean isAlpnAvailable() {
    final boolean alpnViaOpenSsl = OpenSsl.isAlpnSupported();
    return alpnViaOpenSsl;
}
/**
 * Picks the TLS provider for new contexts: OpenSSL only when it is allowed by
 * {@code ALLOW_USE_OPENSSL}, actually loaded, and able to negotiate ALPN; the JDK provider otherwise.
 *
 * @return the provider to hand to the SSL context builder
 */
public static SslProvider chooseSslProvider() {
    // OpenSSL is used only if it is available and has ALPN support (i.e. version > 1.0.2).
    final boolean openSslUsable = ALLOW_USE_OPENSSL.get()
            && OpenSsl.isAvailable()
            && OpenSsl.isAlpnSupported();
    return openSslUsable ? SslProvider.OPENSSL : SslProvider.JDK;
}
boolean openSslAlpnIsSupported = OpenSsl.isAlpnSupported(); String javaVersion = Runtime.class.getPackage().getImplementationVersion(); String javaSpecificationVersion = System.getProperty("java.specification.version");
/**
 * Picks the TLS provider for new contexts: OpenSSL only when it is allowed by
 * {@code ALLOW_USE_OPENSSL}, actually loaded, and able to negotiate ALPN; the JDK provider otherwise.
 *
 * @return the provider to hand to the SSL context builder
 */
public static SslProvider chooseSslProvider() {
    // OpenSSL is used only if it is available and has ALPN support (i.e. version > 1.0.2).
    final boolean openSslUsable = ALLOW_USE_OPENSSL.get()
            && OpenSsl.isAvailable()
            && OpenSsl.isAlpnSupported();
    return openSslUsable ? SslProvider.OPENSSL : SslProvider.JDK;
}
/**
 * Builds the server {@link SslContext} from configuration.
 * <p>
 * Reads {@code application.tmpdir}, {@code server.http2.enabled}, {@code ssl.keystore.cert},
 * {@code ssl.keystore.key}, the optional {@code ssl.keystore.password} and the optional
 * {@code ssl.trust.cert}. A configured trust certificate switches on mutual TLS
 * ({@link ClientAuth#REQUIRE}); when HTTP/2 is enabled the context additionally gets the
 * HTTP/2 cipher list and ALPN advertising h2 before http/1.1.
 *
 * @param conf application configuration
 * @return the server SSL context
 * @throws IOException if a configured file cannot be materialised or read
 * @throws CertificateException if a certificate cannot be parsed
 */
static SslContext build(final Config conf) throws IOException, CertificateException {
    final String tmpdir = conf.getString("application.tmpdir");
    final boolean http2Enabled = conf.getBoolean("server.http2.enabled");

    final File certFile = toFile(conf.getString("ssl.keystore.cert"), tmpdir);
    final File keyFile = toFile(conf.getString("ssl.keystore.key"), tmpdir);
    // The key password is optional; null is passed when it is not configured.
    final String keyPassword = conf.hasPath("ssl.keystore.password")
            ? conf.getString("ssl.keystore.password")
            : null;

    final SslContextBuilder builder = SslContextBuilder.forServer(certFile, keyFile, keyPassword);

    // A trust certificate means clients must present a certificate chained to it.
    if (conf.hasPath("ssl.trust.cert")) {
        final File trustFile = toFile(conf.getString("ssl.trust.cert"), tmpdir);
        builder.trustManager(trustFile).clientAuth(ClientAuth.REQUIRE);
    }

    if (!http2Enabled) {
        return builder.build();
    }

    // OpenSSL is preferred only when it can negotiate ALPN; otherwise the JDK engine is used.
    final SslProvider provider = OpenSsl.isAlpnSupported() ? SslProvider.OPENSSL : SslProvider.JDK;
    final ApplicationProtocolConfig alpn = new ApplicationProtocolConfig(
            Protocol.ALPN,
            SelectorFailureBehavior.NO_ADVERTISE,
            SelectedListenerFailureBehavior.ACCEPT,
            Arrays.asList(ApplicationProtocolNames.HTTP_2, ApplicationProtocolNames.HTTP_1_1));
    return builder.sslProvider(provider)
            .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
            .applicationProtocolConfig(alpn)
            .build();
}
if (SSL) { SslProvider provider = OpenSsl.isAlpnSupported() ? SslProvider.OPENSSL : SslProvider.JDK; SelfSignedCertificate ssc = new SelfSignedCertificate(); sslCtx = io.netty.handler.ssl.SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
if (SSL) { SslProvider provider = OpenSsl.isAlpnSupported() ? SslProvider.OPENSSL : SslProvider.JDK; SelfSignedCertificate ssc = new SelfSignedCertificate(); sslCtx = io.netty.handler.ssl.SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
/**
 * Reports whether ALPN can be negotiated through the OpenSSL-backed engine.
 *
 * @return {@code true} if the OpenSSL integration is loaded and supports ALPN, {@code false} otherwise
 */
public static boolean isAlpnAvailable() {
    final boolean alpnViaOpenSsl = OpenSsl.isAlpnSupported();
    return alpnViaOpenSsl;
}
/**
 * Resolves the initial ALPN setting. An explicit {@code isALPNEnabled} configuration property
 * wins; when it is absent, ALPN is enabled exactly when the OpenSSL engine supports it.
 *
 * @return {@code true} if ALPN should be enabled
 */
private static boolean initializeALPNEnabled() {
    final String configured = XenonConfiguration.string(
            NettyChannelContext.class, "isALPNEnabled", null);
    if (configured == null) {
        return OpenSsl.isAlpnSupported();
    }
    // Boolean.parseBoolean: only a case-insensitive "true" enables; anything else disables.
    return Boolean.parseBoolean(configured);
}
/**
 * Picks the TLS provider for new contexts: OpenSSL only when it is allowed by
 * {@code ALLOW_USE_OPENSSL}, actually loaded, and able to negotiate ALPN; the JDK provider otherwise.
 *
 * @return the provider to hand to the SSL context builder
 */
public static SslProvider chooseSslProvider() {
    // OpenSSL is used only if it is available and has ALPN support (i.e. version > 1.0.2).
    final boolean openSslUsable = ALLOW_USE_OPENSSL.get()
            && OpenSsl.isAvailable()
            && OpenSsl.isAlpnSupported();
    return openSslUsable ? SslProvider.OPENSSL : SslProvider.JDK;
}
/**
 * Builds the server {@link SslContext} from configuration.
 * <p>
 * Reads {@code application.tmpdir}, {@code server.http2.enabled}, {@code ssl.keystore.cert},
 * {@code ssl.keystore.key}, the optional {@code ssl.keystore.password} and the optional
 * {@code ssl.trust.cert}. A configured trust certificate switches on mutual TLS
 * ({@link ClientAuth#REQUIRE}); when HTTP/2 is enabled the context additionally gets the
 * HTTP/2 cipher list and ALPN advertising h2 before http/1.1.
 *
 * @param conf application configuration
 * @return the server SSL context
 * @throws IOException if a configured file cannot be materialised or read
 * @throws CertificateException if a certificate cannot be parsed
 */
static SslContext build(final Config conf) throws IOException, CertificateException {
    final String tmpdir = conf.getString("application.tmpdir");
    final boolean http2Enabled = conf.getBoolean("server.http2.enabled");

    final File certFile = toFile(conf.getString("ssl.keystore.cert"), tmpdir);
    final File keyFile = toFile(conf.getString("ssl.keystore.key"), tmpdir);
    // The key password is optional; null is passed when it is not configured.
    final String keyPassword = conf.hasPath("ssl.keystore.password")
            ? conf.getString("ssl.keystore.password")
            : null;

    final SslContextBuilder builder = SslContextBuilder.forServer(certFile, keyFile, keyPassword);

    // A trust certificate means clients must present a certificate chained to it.
    if (conf.hasPath("ssl.trust.cert")) {
        final File trustFile = toFile(conf.getString("ssl.trust.cert"), tmpdir);
        builder.trustManager(trustFile).clientAuth(ClientAuth.REQUIRE);
    }

    if (!http2Enabled) {
        return builder.build();
    }

    // OpenSSL is preferred only when it can negotiate ALPN; otherwise the JDK engine is used.
    final SslProvider provider = OpenSsl.isAlpnSupported() ? SslProvider.OPENSSL : SslProvider.JDK;
    final ApplicationProtocolConfig alpn = new ApplicationProtocolConfig(
            Protocol.ALPN,
            SelectorFailureBehavior.NO_ADVERTISE,
            SelectedListenerFailureBehavior.ACCEPT,
            Arrays.asList(ApplicationProtocolNames.HTTP_2, ApplicationProtocolNames.HTTP_1_1));
    return builder.sslProvider(provider)
            .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
            .applicationProtocolConfig(alpn)
            .build();
}
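/**
 * Creates a TLS-enabled benchmark client: an HTTP/2 client negotiated via ALPN plus a second,
 * {@code HttpClient}-based client whose {@code SslContextFactory} is configured with the given
 * key store and trust store.
 *
 * @param keystorePath       path to the client key store
 * @param keystorePassword   password of the client key store
 * @param trustStorePath     path to the trust store used to validate the server
 * @param trustStorePassword password of the trust store
 * @throws IllegalStateException if the OpenSSL engine cannot negotiate ALPN
 * @throws Exception             if either client cannot be created
 */
public BenchmarkHttpClient(String keystorePath, String keystorePassword, String trustStorePath,
        String trustStorePassword) throws Exception {
    if (!OpenSsl.isAlpnSupported()) {
        throw new IllegalStateException("OpenSSL is not present, can not test TLS/ALPN support");
    }
    nettyHttpClient = NettyHttpClient.newHttp2ClientWithALPN(keystorePath, keystorePassword);

    SslContextFactory sslContextFactory = new SslContextFactory();
    // Path and password are distinct settings: passing the path to setTrustStorePassword (as the
    // previous code did) leaves the trust store unconfigured, so server validation silently
    // falls back to whatever the factory's defaults are.
    sslContextFactory.setTrustStorePath(trustStorePath);
    sslContextFactory.setTrustStorePassword(trustStorePassword);
    sslContextFactory.setKeyStorePath(keystorePath);
    sslContextFactory.setKeyStorePassword(keystorePassword);
    http1Client = new HttpClient(sslContextFactory);
    usesTLS = true;
}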
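/**
 * Builds a client {@link SslContext} whose key material comes from the given JKS store and
 * whose ALPN list is {@code alpnProtocols}.
 * <p>
 * Note: despite the name, the store is used only as a <em>key</em> store. Server certificates
 * are accepted by {@link InsecureTrustManagerFactory}, i.e. they are not verified, so this
 * context is only suitable for tests against self-signed servers.
 *
 * @param truststore    path of the JKS store supplying the client key material
 * @param password      password for the store and its keys
 * @param alpnProtocols protocols to advertise via ALPN, in preference order
 * @return the client SSL context
 * @throws Exception if the store cannot be read or the context cannot be built
 */
public static SslContext createTruststoreContext(String truststore, char[] password,
        String... alpnProtocols) throws Exception {
    KeyStore ks = KeyStore.getInstance("JKS");
    // KeyStore.load leaves the stream open; close it ourselves instead of leaking the handle.
    try (FileInputStream in = new FileInputStream(truststore)) {
        ks.load(in, password);
    }
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(ks, password);
    // OpenSSL is preferred only when it can negotiate ALPN; otherwise the JDK engine is used.
    SslProvider provider = OpenSsl.isAlpnSupported() ? SslProvider.OPENSSL : SslProvider.JDK;
    return SslContextBuilder.forClient()
            .sslProvider(provider)
            .keyManager(kmf)
            .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
            // Disables server certificate validation; acceptable in test code only.
            .trustManager(InsecureTrustManagerFactory.INSTANCE)
            .applicationProtocolConfig(new ApplicationProtocolConfig(
                    ApplicationProtocolConfig.Protocol.ALPN,
                    ApplicationProtocolConfig.SelectorFailureBehavior.CHOOSE_MY_LAST_PROTOCOL,
                    ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
                    alpnProtocols))
            .build();
}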
/**
 * Applies per-type defaults to {@code sslContextBuilder}: for {@code H2} an ALPN-capable
 * provider, the HTTP/2 cipher list and ALPN advertising h2 then http/1.1; for {@code TCP}
 * only the provider; nothing for {@code NONE}.
 */
void updateDefaultConfiguration() {
    final io.netty.handler.ssl.SslProvider openSsl = io.netty.handler.ssl.SslProvider.OPENSSL;
    final io.netty.handler.ssl.SslProvider jdk = io.netty.handler.ssl.SslProvider.JDK;
    switch (type) {
        case H2: {
            // HTTP/2 needs ALPN, so OpenSSL is chosen only when its ALPN support is present.
            final io.netty.handler.ssl.SslProvider provider = OpenSsl.isAlpnSupported() ? openSsl : jdk;
            final ApplicationProtocolConfig alpn = new ApplicationProtocolConfig(
                    ApplicationProtocolConfig.Protocol.ALPN,
                    ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
                    ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
                    ApplicationProtocolNames.HTTP_2,
                    ApplicationProtocolNames.HTTP_1_1);
            sslContextBuilder
                    .sslProvider(provider)
                    .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
                    .applicationProtocolConfig(alpn);
            break;
        }
        case TCP:
            // Plain TLS has no ALPN requirement: any loaded OpenSSL is acceptable.
            sslContextBuilder.sslProvider(OpenSsl.isAvailable() ? openSsl : jdk);
            break;
        case NONE:
            // no default configuration
            break;
    }
}
/**
 * Applies per-type defaults to {@code sslContextBuilder}: for {@code H2} an ALPN-capable
 * provider, the HTTP/2 cipher list and ALPN advertising h2 then http/1.1; for {@code TCP}
 * only the provider; nothing for {@code NONE}.
 */
void updateDefaultConfiguration() {
    final io.netty.handler.ssl.SslProvider openSsl = io.netty.handler.ssl.SslProvider.OPENSSL;
    final io.netty.handler.ssl.SslProvider jdk = io.netty.handler.ssl.SslProvider.JDK;
    switch (type) {
        case H2: {
            // HTTP/2 needs ALPN, so OpenSSL is chosen only when its ALPN support is present.
            final io.netty.handler.ssl.SslProvider provider = OpenSsl.isAlpnSupported() ? openSsl : jdk;
            final ApplicationProtocolConfig alpn = new ApplicationProtocolConfig(
                    ApplicationProtocolConfig.Protocol.ALPN,
                    ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
                    ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
                    ApplicationProtocolNames.HTTP_2,
                    ApplicationProtocolNames.HTTP_1_1);
            sslContextBuilder
                    .sslProvider(provider)
                    .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
                    .applicationProtocolConfig(alpn);
            break;
        }
        case TCP:
            // Plain TLS has no ALPN requirement: any loaded OpenSSL is acceptable.
            sslContextBuilder.sslProvider(OpenSsl.isAvailable() ? openSsl : jdk);
            break;
        case NONE:
            // no default configuration
            break;
    }
}
/**
 * Builds a server {@link SslContext} for HTTP/2 over TLS negotiated via
 * Application Layer Protocol Negotiation (ALPN).
 * The listener's configured cipher suites are used when present; otherwise the default
 * ciphers required by the HTTP/2 specification ({@link Http2SecurityUtil#CIPHERS}) apply.
 *
 * @return instance of {@link SslContext}
 * @throws SSLException if any error occurred during building SSL context.
 */
public SslContext createHttp2TLSContext() throws SSLException {
    final String[] configuredCiphers = sslConfig.getCipherSuites();
    final boolean hasConfiguredCiphers = configuredCiphers != null && configuredCiphers.length > 0;
    final List<String> ciphers = hasConfiguredCiphers
            ? Arrays.asList(configuredCiphers)
            : Http2SecurityUtil.CIPHERS;

    // OpenSSL is preferred only when it can negotiate ALPN; otherwise the JDK engine is used.
    final SslProvider provider = OpenSsl.isAlpnSupported() ? SslProvider.OPENSSL : SslProvider.JDK;
    final ClientAuth clientAuth = needClientAuth ? ClientAuth.REQUIRE : ClientAuth.NONE;
    // NO_ADVERTISE and ACCEPT are currently the only modes supported by both the OpenSsl
    // and JDK providers.
    final ApplicationProtocolConfig alpn = new ApplicationProtocolConfig(
            ApplicationProtocolConfig.Protocol.ALPN,
            ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
            ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
            ApplicationProtocolNames.HTTP_2,
            ApplicationProtocolNames.HTTP_1_1);

    return SslContextBuilder.forServer(this.getKeyManagerFactory())
            .trustManager(this.getTrustStoreFactory())
            .sslProvider(provider)
            .ciphers(ciphers, SupportedCipherSuiteFilter.INSTANCE)
            .clientAuth(clientAuth)
            .applicationProtocolConfig(alpn)
            .build();
}
/**
 * Secure first, then H2: expects two configured protocols including h2, and a context whose
 * concrete type matches the provider Netty could select (OpenSSL when it has ALPN, JDK otherwise).
 */
@Test
public void testSslConfigurationProtocolH2_1() {
    DisposableServer disposableServer = server.secure(spec -> spec.sslContext(builder))
            .protocol(HttpProtocol.H2)
            .bindNow();

    assertEquals(2, protocols.size());
    assertTrue(protocols.contains("h2"));
    boolean contextMatchesProvider = OpenSsl.isAlpnSupported()
            ? sslContext instanceof OpenSslContext
            : sslContext instanceof JdkSslContext;
    assertTrue(contextMatchesProvider);

    disposableServer.disposeNow();
}
/**
 * H2 first, then secure: expects two configured protocols including h2, and a context whose
 * concrete type matches the provider Netty could select (OpenSSL when it has ALPN, JDK otherwise).
 */
@Test
public void testProtocolH2SslConfiguration() {
    DisposableServer disposableServer = server.protocol(HttpProtocol.H2)
            .secure(spec -> spec.sslContext(builder))
            .bindNow();

    assertEquals(2, protocols.size());
    assertTrue(protocols.contains("h2"));
    boolean contextMatchesProvider = OpenSsl.isAlpnSupported()
            ? sslContext instanceof OpenSslContext
            : sslContext instanceof JdkSslContext;
    assertTrue(contextMatchesProvider);

    disposableServer.disposeNow();
}
/**
 * HTTP11, then secure, then H2: expects two configured protocols including h2, and a context
 * whose concrete type matches the provider Netty could select (OpenSSL when it has ALPN, JDK
 * otherwise).
 */
@Test
public void testSslConfigurationProtocolH2_2() {
    DisposableServer disposableServer = server.protocol(HttpProtocol.HTTP11)
            .secure(spec -> spec.sslContext(builder))
            .protocol(HttpProtocol.H2)
            .bindNow();

    assertEquals(2, protocols.size());
    assertTrue(protocols.contains("h2"));
    boolean contextMatchesProvider = OpenSsl.isAlpnSupported()
            ? sslContext instanceof OpenSslContext
            : sslContext instanceof JdkSslContext;
    assertTrue(contextMatchesProvider);

    disposableServer.disposeNow();
}
}
/**
 * End-to-end check that an HTTP/2 client negotiated via OpenSSL ALPN can POST into a cache on
 * the REST server and get a 200 back. Skipped on JDK 10+, and fails fast with the OpenSSL
 * version and unavailability cause when the engine cannot negotiate ALPN.
 */
@Test
public void shouldUpgradeUsingALPN() throws Exception {
    SkipTestNG.skipSinceJDK(10);
    // TODO: OpenSSL ALPN doesn't seem to work. Restructure the test to use internal JDK ALPN
    if (!OpenSsl.isAlpnSupported()) {
        throw new IllegalStateException("OpenSSL is not present, can not test TLS/ALPN support. Version: "
                + OpenSsl.versionString() + " Cause: " + OpenSsl.unavailabilityCause());
    }

    // given: a TLS-enabled REST server and an ALPN-negotiating HTTP/2 client
    restServer = RestServerHelper.defaultRestServer("http2testcache")
            .withKeyStore(KEY_STORE_PATH, "secret", "pkcs12")
            .start(TestResourceTracker.getCurrentTestShortName());
    client = NettyHttpClient.newHttp2ClientWithALPN(KEY_STORE_PATH, "secret");
    client.start(restServer.getHost(), restServer.getPort());

    FullHttpRequest putRequest = new DefaultFullHttpRequest(HTTP_1_1, POST,
            "/rest/http2testcache/test", wrappedBuffer("test".getBytes(CharsetUtil.UTF_8)));

    // when: one value is written through the client
    client.sendRequest(putRequest);
    Queue<FullHttpResponse> received = client.getResponses();

    // then: exactly one 200 response, and the cache holds the single entry
    Assertions.assertThat(received).hasSize(1);
    Assertions.assertThat(received.element().status().code()).isEqualTo(200);
    Assertions.assertThat(restServer.getCacheManager().getCache("http2testcache").size()).isEqualTo(1);
}