/** * The cipher suites to enable, in the order of preference. {@code null} to use default * cipher suites. */ public SslContextBuilder ciphers(Iterable<String> ciphers) { return ciphers(ciphers, IdentityCipherSuiteFilter.INSTANCE); }
/** * The cipher suites to enable, in the order of preference. {@code null} to use default * cipher suites. */ public SslContextBuilder ciphers(Iterable<String> ciphers) { return ciphers(ciphers, IdentityCipherSuiteFilter.INSTANCE); }
private static void setupCiphers(SslContextBuilder builder, Set<String> ciphers) { if (ciphers != null && ciphers.size() > 0) { builder.ciphers(ciphers); } }
public SslContext nettyClientContext() throws SSLException { return SslContextBuilder.forClient() .sslProvider( sslProvider ) .keyManager( privateKey, keyCertChain ) .protocols( tlsVersions ) .ciphers( ciphers ) .trustManager( trustManagerFactory ) .build(); }
public SslContext getClientSslContext() { try { return SslContextBuilder .forClient() .sslProvider(chooseSslProvider()) .ciphers(getCiphers(), getCiphersFilter()) .protocols(getProtocols()) .build(); } catch (Exception e) { log.error("Error loading SslContext client request.", e); throw new RuntimeException("Error configuring SslContext for client request!", e); } } }
public SslContext nettyServerContext() throws SSLException { return SslContextBuilder.forServer( privateKey, keyCertChain ) .sslProvider( sslProvider ) .clientAuth( forNetty( clientAuth ) ) .protocols( tlsVersions ) .ciphers( ciphers ) .trustManager( trustManagerFactory ) .build(); }
builder.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE); builder.applicationProtocolConfig(HTTPS_ALPN_CFG);
static SslContext build(final Config conf) throws IOException, CertificateException { String tmpdir = conf.getString("application.tmpdir"); boolean http2 = conf.getBoolean("server.http2.enabled"); File keyStoreCert = toFile(conf.getString("ssl.keystore.cert"), tmpdir); File keyStoreKey = toFile(conf.getString("ssl.keystore.key"), tmpdir); String keyStorePass = conf.hasPath("ssl.keystore.password") ? conf.getString("ssl.keystore.password") : null; SslContextBuilder scb = SslContextBuilder.forServer(keyStoreCert, keyStoreKey, keyStorePass); if (conf.hasPath("ssl.trust.cert")) { scb.trustManager(toFile(conf.getString("ssl.trust.cert"), tmpdir)) .clientAuth(ClientAuth.REQUIRE); } if (http2) { SslProvider provider = OpenSsl.isAlpnSupported() ? SslProvider.OPENSSL : SslProvider.JDK; return scb.sslProvider(provider) .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE) .applicationProtocolConfig(new ApplicationProtocolConfig( Protocol.ALPN, SelectorFailureBehavior.NO_ADVERTISE, SelectedListenerFailureBehavior.ACCEPT, Arrays.asList(ApplicationProtocolNames.HTTP_2, ApplicationProtocolNames.HTTP_1_1))) .build(); } return scb.build(); }
/** * Creates a netty SslContext for use when connecting to upstream servers. Retrieves the list of trusted root CAs * from the trustSource. When trustSource is true, no upstream certificate verification will be performed. * <b>This will make it possible for attackers to MITM communications with the upstream server</b>, so always * supply an appropriate trustSource except in extraordinary circumstances (e.g. testing with dynamically-generated * certificates). * * @param cipherSuites cipher suites to allow when connecting to the upstream server * @param trustSource the trust store that will be used to validate upstream servers' certificates, or null to accept all upstream server certificates * @return an SSLContext to connect to upstream servers with */ public static SslContext getUpstreamServerSslContext(Collection<String> cipherSuites, TrustSource trustSource) { SslContextBuilder sslContextBuilder = SslContextBuilder.forClient(); if (trustSource == null) { log.warn("Disabling upstream server certificate verification. This will allow attackers to intercept communications with upstream servers."); sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE); } else { sslContextBuilder.trustManager(trustSource.getTrustedCAs()); } sslContextBuilder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE); try { return sslContextBuilder.build(); } catch (SSLException e) { throw new SslContextInitializationException("Error creating new SSL context for connection to upstream server", e); } }
builder.ciphers(cipherSuites);
@Override public SslContextBuilder createBuilderForServer() { try { ArrayList<X509Certificate> trustedCerts = getTrustedX509Certificates(); SslProvider sslProvider = chooseSslProvider(); LOG.warn("Using SslProvider of type - " + sslProvider.name() + " for certChainFile - " + serverSslConfig.getCertChainFile()); InputStream certChainInput = new FileInputStream(serverSslConfig.getCertChainFile()); InputStream keyInput = getKeyInputStream(); SslContextBuilder builder = SslContextBuilder.forServer(certChainInput, keyInput) .ciphers(getCiphers(), getCiphersFilter()) .sessionTimeout(serverSslConfig.getSessionTimeout()) .sslProvider(sslProvider); if (serverSslConfig.getClientAuth() != null && isNotEmpty(trustedCerts)) { builder = builder .trustManager(trustedCerts.toArray(new X509Certificate[0])) .clientAuth(serverSslConfig.getClientAuth()); } return builder; } catch (Exception e) { throw new RuntimeException("Error configuring SslContext!", e); } }
@SuppressWarnings("Duplicates") @Override public Optional<SslContext> build() { if (!ssl.isEnabled()) { return Optional.empty(); } SslContextBuilder sslBuilder = SslContextBuilder .forClient() .keyManager(getKeyManagerFactory()) .trustManager(getTrustManagerFactory()); if (ssl.getProtocols().isPresent()) { sslBuilder.protocols(ssl.getProtocols().get()); } if (ssl.getCiphers().isPresent()) { sslBuilder = sslBuilder.ciphers(Arrays.asList(ssl.getCiphers().get())); } if (ssl.getClientAuthentication().isPresent()) { ClientAuthentication clientAuth = ssl.getClientAuthentication().get(); if (clientAuth == ClientAuthentication.NEED) { sslBuilder = sslBuilder.clientAuth(ClientAuth.REQUIRE); } else if (clientAuth == ClientAuthentication.WANT) { sslBuilder = sslBuilder.clientAuth(ClientAuth.OPTIONAL); } } try { return Optional.of(sslBuilder.build()); } catch (SSLException ex) { throw new SslConfigurationException("An error occurred while setting up SSL", ex); } }
sslBuilder = sslBuilder.ciphers(Arrays.asList(ssl.getCiphers().get()));
public SslContext getClientSslContext() { try { return SslContextBuilder .forClient() .sslProvider(chooseSslProvider()) .ciphers(getCiphers(), getCiphersFilter()) .protocols(getProtocols()) .build(); } catch (Exception e) { log.error("Error loading SslContext client request.", e); throw new RuntimeException("Error configuring SslContext for client request!", e); } } }
private SslContext buildSslContext(AsyncHttpClientConfig config) throws SSLException { if (config.getSslContext() != null) { return config.getSslContext(); } SslContextBuilder sslContextBuilder = SslContextBuilder.forClient() .sslProvider(config.isUseOpenSsl() ? SslProvider.OPENSSL : SslProvider.JDK) .sessionCacheSize(config.getSslSessionCacheSize()) .sessionTimeout(config.getSslSessionTimeout()); if (isNonEmpty(config.getEnabledProtocols())) { sslContextBuilder.protocols(config.getEnabledProtocols()); } if (isNonEmpty(config.getEnabledCipherSuites())) { sslContextBuilder.ciphers(Arrays.asList(config.getEnabledCipherSuites())); } else if (!config.isFilterInsecureCipherSuites()) { sslContextBuilder.ciphers(null, IdentityCipherSuiteFilter.INSTANCE_DEFAULTING_TO_SUPPORTED_CIPHERS); } if (config.isUseInsecureTrustManager()) { sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE); } return configureSslContextBuilder(sslContextBuilder).build(); }
sslBuilder.ciphers(ImmutableList.copyOf(ciphers));
.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE) .applicationProtocolConfig(new ApplicationProtocolConfig( ApplicationProtocolConfig.Protocol.ALPN,
.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE) .applicationProtocolConfig(new ApplicationProtocolConfig( ApplicationProtocolConfig.Protocol.ALPN,
protected SslContextBuilder getContextBuilder() { SslContextBuilder builder = SslContextBuilder .forServer(getKeyManagerFactory(this.ssl, this.sslStoreProvider)) .trustManager(getTrustManagerFactory(this.ssl, this.sslStoreProvider)); if (this.ssl.getEnabledProtocols() != null) { builder.protocols(this.ssl.getEnabledProtocols()); } if (this.ssl.getCiphers() != null) { builder.ciphers(Arrays.asList(this.ssl.getCiphers())); } if (this.ssl.getClientAuth() == Ssl.ClientAuth.NEED) { builder.clientAuth(ClientAuth.REQUIRE); } else if (this.ssl.getClientAuth() == Ssl.ClientAuth.WANT) { builder.clientAuth(ClientAuth.OPTIONAL); } return builder; }
@Override public SslContextBuilder createBuilderForServer() { try { ArrayList<X509Certificate> trustedCerts = getTrustedX509Certificates(); SslProvider sslProvider = chooseSslProvider(); LOG.warn("Using SslProvider of type - " + sslProvider.name() + " for certChainFile - " + serverSslConfig.getCertChainFile()); InputStream certChainInput = new FileInputStream(serverSslConfig.getCertChainFile()); InputStream keyInput = getKeyInputStream(); SslContextBuilder builder = SslContextBuilder.forServer(certChainInput, keyInput) .ciphers(getCiphers(), getCiphersFilter()) .sessionTimeout(serverSslConfig.getSessionTimeout()) .sslProvider(sslProvider); if (serverSslConfig.getClientAuth() != null && isNotEmpty(trustedCerts)) { builder = builder .trustManager(trustedCerts.toArray(new X509Certificate[0])) .clientAuth(serverSslConfig.getClientAuth()); } return builder; } catch (Exception e) { throw new RuntimeException("Error configuring SslContext!", e); } }