/**
 * Creates a server-side TLS helper from {@link NetServerOptions}.
 * <p>
 * The CRL paths and CRL values are copied into fresh lists so that later
 * mutation of {@code options} does not leak into this helper; the enabled
 * cipher suites and protocols are stored exactly as the getters return them.
 * The helper is always configured as the server side ({@code client = false})
 * and with ALPN disabled.
 *
 * @param options        the server options to derive the TLS settings from
 * @param keyCertOptions the server's key/certificate material
 * @param trustOptions   the trust anchors used to validate client certificates
 */
public SSLHelper(NetServerOptions options, KeyCertOptions keyCertOptions, TrustOptions trustOptions) {
  final SSLEngineOptions resolvedEngine = resolveEngineOptions(options);
  final SSLEngineOptions configuredEngine = options.getSslEngineOptions();

  this.ssl = options.isSsl();
  this.keyCertOptions = keyCertOptions;
  this.trustOptions = trustOptions;
  this.clientAuth = options.getClientAuth();
  this.sni = options.isSni();

  // defensive copies: a null list stays null, a non-null one is duplicated
  if (options.getCrlPaths() == null) {
    this.crlPaths = null;
  } else {
    this.crlPaths = new ArrayList<>(options.getCrlPaths());
  }
  if (options.getCrlValues() == null) {
    this.crlValues = null;
  } else {
    this.crlValues = new ArrayList<>(options.getCrlValues());
  }

  this.enabledCipherSuites = options.getEnabledCipherSuites();
  this.enabledProtocols = options.getEnabledSecureTransportProtocols();

  // NOTE(review): openSsl is derived from the resolved engine, while the session
  // cache flag is read from the raw configured engine — presumably intentional
  // (a defaulted engine has no session-cache setting); confirm if the two differ.
  this.openSsl = resolvedEngine instanceof OpenSSLEngineOptions;
  boolean sessionCacheEnabled = false;
  if (configuredEngine instanceof OpenSSLEngineOptions) {
    sessionCacheEnabled = ((OpenSSLEngineOptions) configuredEngine).isSessionCacheEnabled();
  }
  this.openSslSessionCacheEnabled = sessionCacheEnabled;

  // server side only: never a client, ALPN left off here
  this.client = false;
  this.useAlpn = false;
}
assertEquals(usePooledBuffers, options.isUsePooledBuffers()); assertEquals(idleTimeout, options.getIdleTimeout()); assertEquals(ssl, options.isSsl()); assertNotSame(keyStoreOptions, options.getKeyCertOptions()); assertEquals(ksPassword, ((JksOptions) options.getKeyCertOptions()).getPassword());
assertEquals(usePooledBuffers, copy.isUsePooledBuffers()); assertEquals(idleTimeout, copy.getIdleTimeout()); assertEquals(ssl, copy.isSsl()); assertNotSame(keyStoreOptions, copy.getKeyCertOptions()); assertEquals(ksPassword, ((JksOptions) copy.getKeyCertOptions()).getPassword());
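/**
 * Verifies that a {@code NetServerOptions} built from an empty JSON object
 * carries the same values as one built with the no-arg constructor, so that
 * JSON-based configuration cannot silently diverge from the programmatic
 * defaults. The TLS-related defaults (ssl, client auth, CRLs, enabled
 * protocols and cipher suites, ALPN, SNI) are the ones most worth pinning.
 * <p>
 * Each property is asserted exactly once; the original listing repeated the
 * first six assertions verbatim.
 */
@Test
@SuppressWarnings("deprecation")
public void testDefaultServerOptionsJson() {
  final NetServerOptions def = new NetServerOptions();
  final NetServerOptions json = new NetServerOptions(new JsonObject());

  // listener / socket settings
  assertEquals(def.getAcceptBacklog(), json.getAcceptBacklog());
  assertEquals(def.getPort(), json.getPort());
  assertEquals(def.getHost(), json.getHost());
  assertEquals(def.isTcpNoDelay(), json.isTcpNoDelay());
  assertEquals(def.isTcpKeepAlive(), json.isTcpKeepAlive());
  assertEquals(def.getSoLinger(), json.getSoLinger());
  assertEquals(def.isUsePooledBuffers(), json.isUsePooledBuffers());

  // TLS settings
  assertEquals(def.isSsl(), json.isSsl());
  // deprecated boolean view kept alongside the enum so both accessors stay consistent
  assertEquals(def.isClientAuthRequired(), json.isClientAuthRequired());
  assertEquals(def.getClientAuth(), json.getClientAuth());
  assertEquals(def.getCrlPaths(), json.getCrlPaths());
  assertEquals(def.getCrlValues(), json.getCrlValues());
  assertEquals(def.getEnabledSecureTransportProtocols(), json.getEnabledSecureTransportProtocols());
  assertEquals(def.getEnabledCipherSuites(), json.getEnabledCipherSuites());
  assertEquals(def.isUseAlpn(), json.isUseAlpn());
  assertEquals(def.getSslEngineOptions(), json.getSslEngineOptions());
  assertEquals(def.isSni(), json.isSni());
}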
/**
 * Creates a server-side TLS helper from {@link NetServerOptions}.
 * <p>
 * The CRL paths and CRL values are copied into fresh lists so that later
 * mutation of {@code options} does not leak into this helper; the enabled
 * cipher suites and protocols are stored exactly as the getters return them.
 * The helper is always configured as the server side ({@code client = false})
 * and with ALPN disabled.
 *
 * @param options        the server options to derive the TLS settings from
 * @param keyCertOptions the server's key/certificate material
 * @param trustOptions   the trust anchors used to validate client certificates
 */
public SSLHelper(NetServerOptions options, KeyCertOptions keyCertOptions, TrustOptions trustOptions) {
  final SSLEngineOptions resolvedEngine = resolveEngineOptions(options);
  final SSLEngineOptions configuredEngine = options.getSslEngineOptions();

  this.ssl = options.isSsl();
  this.keyCertOptions = keyCertOptions;
  this.trustOptions = trustOptions;
  this.clientAuth = options.getClientAuth();
  this.sni = options.isSni();

  // defensive copies: a null list stays null, a non-null one is duplicated
  if (options.getCrlPaths() == null) {
    this.crlPaths = null;
  } else {
    this.crlPaths = new ArrayList<>(options.getCrlPaths());
  }
  if (options.getCrlValues() == null) {
    this.crlValues = null;
  } else {
    this.crlValues = new ArrayList<>(options.getCrlValues());
  }

  this.enabledCipherSuites = options.getEnabledCipherSuites();
  this.enabledProtocols = options.getEnabledSecureTransportProtocols();

  // NOTE(review): openSsl is derived from the resolved engine, while the session
  // cache flag is read from the raw configured engine — presumably intentional
  // (a defaulted engine has no session-cache setting); confirm if the two differ.
  this.openSsl = resolvedEngine instanceof OpenSSLEngineOptions;
  boolean sessionCacheEnabled = false;
  if (configuredEngine instanceof OpenSSLEngineOptions) {
    sessionCacheEnabled = ((OpenSSLEngineOptions) configuredEngine).isSessionCacheEnabled();
  }
  this.openSslSessionCacheEnabled = sessionCacheEnabled;

  // server side only: never a client, ALPN left off here
  this.client = false;
  this.useAlpn = false;
}
assertEquals(usePooledBuffers, options.isUsePooledBuffers()); assertEquals(idleTimeout, options.getIdleTimeout()); assertEquals(ssl, options.isSsl()); assertNotSame(keyStoreOptions, options.getKeyCertOptions()); assertEquals(ksPassword, ((JksOptions) options.getKeyCertOptions()).getPassword());
/**
 * Adds TLS trust anchor configuration to a given set of server options.
 * <p>
 * The trust anchor is obtained from {@link #getServerTrustOptions()}. It is
 * applied only if the given options have TLS enabled ({@code isSsl()} is
 * {@code true}) and no trust options have been set yet; trust options that
 * are already present are never overwritten.
 * <p>
 * Client authentication is configured as {@link ClientAuth#REQUEST}, i.e. the
 * server asks for a client certificate but still accepts connections from
 * clients that do not present one. Mandatory certificate-based client
 * authentication therefore has to be enforced elsewhere.
 *
 * @param serverOptions The options to add configuration to.
 */
protected final void addTlsTrustOptions(final NetServerOptions serverOptions) {
  if (!serverOptions.isSsl()) {
    return;
  }
  if (serverOptions.getTrustOptions() != null) {
    return;
  }
  final TrustOptions anchor = getServerTrustOptions();
  if (anchor == null) {
    return;
  }
  serverOptions.setTrustOptions(anchor).setClientAuth(ClientAuth.REQUEST);
  LOG.info("enabling client authentication using certificates [{}]", anchor.getClass().getName());
}
/**
 * Adds TLS trust anchor configuration to a given set of server options.
 * <p>
 * The trust anchor is obtained from {@link #getServerTrustOptions()}. It is
 * applied only if the given options have TLS enabled ({@code isSsl()} is
 * {@code true}) and no trust options have been set yet; trust options that
 * are already present are never overwritten.
 * <p>
 * Client authentication is configured as {@link ClientAuth#REQUEST}, i.e. the
 * server asks for a client certificate but still accepts connections from
 * clients that do not present one. Mandatory certificate-based client
 * authentication therefore has to be enforced elsewhere.
 *
 * @param serverOptions The options to add configuration to.
 */
protected final void addTlsTrustOptions(final NetServerOptions serverOptions) {
  if (!serverOptions.isSsl()) {
    return;
  }
  if (serverOptions.getTrustOptions() != null) {
    return;
  }
  final TrustOptions anchor = getServerTrustOptions();
  if (anchor == null) {
    return;
  }
  serverOptions.setTrustOptions(anchor).setClientAuth(ClientAuth.REQUEST);
  LOG.info("enabling client authentication using certificates [{}]", anchor.getClass().getName());
}
assertEquals(usePooledBuffers, copy.isUsePooledBuffers()); assertEquals(idleTimeout, copy.getIdleTimeout()); assertEquals(ssl, copy.isSsl()); assertNotSame(keyStoreOptions, copy.getKeyCertOptions()); assertEquals(ksPassword, ((JksOptions) copy.getKeyCertOptions()).getPassword());
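/**
 * Verifies that a {@code NetServerOptions} built from an empty JSON object
 * carries the same values as one built with the no-arg constructor, so that
 * JSON-based configuration cannot silently diverge from the programmatic
 * defaults. The TLS-related defaults (ssl, client auth, CRLs, enabled
 * protocols and cipher suites, ALPN, SNI) are the ones most worth pinning.
 * <p>
 * Each property is asserted exactly once; the original listing repeated the
 * first six assertions verbatim.
 */
@Test
@SuppressWarnings("deprecation")
public void testDefaultServerOptionsJson() {
  final NetServerOptions def = new NetServerOptions();
  final NetServerOptions json = new NetServerOptions(new JsonObject());

  // listener / socket settings
  assertEquals(def.getAcceptBacklog(), json.getAcceptBacklog());
  assertEquals(def.getPort(), json.getPort());
  assertEquals(def.getHost(), json.getHost());
  assertEquals(def.isTcpNoDelay(), json.isTcpNoDelay());
  assertEquals(def.isTcpKeepAlive(), json.isTcpKeepAlive());
  assertEquals(def.getSoLinger(), json.getSoLinger());
  assertEquals(def.isUsePooledBuffers(), json.isUsePooledBuffers());

  // TLS settings
  assertEquals(def.isSsl(), json.isSsl());
  // deprecated boolean view kept alongside the enum so both accessors stay consistent
  assertEquals(def.isClientAuthRequired(), json.isClientAuthRequired());
  assertEquals(def.getClientAuth(), json.getClientAuth());
  assertEquals(def.getCrlPaths(), json.getCrlPaths());
  assertEquals(def.getCrlValues(), json.getCrlValues());
  assertEquals(def.getEnabledSecureTransportProtocols(), json.getEnabledSecureTransportProtocols());
  assertEquals(def.getEnabledCipherSuites(), json.getEnabledCipherSuites());
  assertEquals(def.isUseAlpn(), json.isUseAlpn());
  assertEquals(def.getSslEngineOptions(), json.getSslEngineOptions());
  assertEquals(def.isSni(), json.isSni());
}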
if (serverOptions.isSsl()) {
if (serverOptions.isSsl()) {
/**
 * Verifies that {@code addTlsKeyCertOptions} enables exactly the TLS protocol
 * versions listed in the configuration and nothing else.
 * <p>
 * TLSv1 and TLSv1.1 serve here purely as a recognisable two-element fixture
 * that differs from the default; the test proves the configured list is
 * applied verbatim and makes no statement about which versions a deployment
 * should enable.
 */
@Test
public void testAddTlsKeyCertOptionsDisablesTlsProtocolVersions() {
  // GIVEN a configuration that enables exactly two protocol versions
  final ServiceConfigProperties config = new ServiceConfigProperties();
  config.setKeyStorePath(PREFIX_KEY_PATH + "/honoKeyStore.p12");
  config.setSecureProtocols(Arrays.asList("TLSv1", "TLSv1.1"));

  // WHEN the service applies the configuration to fresh server options
  final AbstractServiceBase<ServiceConfigProperties> service = createService(config);
  final NetServerOptions serverOptions = new NetServerOptions();
  service.addTlsKeyCertOptions(serverOptions);

  // THEN TLS is on and the enabled set is precisely {TLSv1, TLSv1.1}
  assertTrue(serverOptions.isSsl());
  assertTrue(serverOptions.getEnabledSecureTransportProtocols().contains("TLSv1"));
  assertTrue(serverOptions.getEnabledSecureTransportProtocols().contains("TLSv1.1"));
  assertTrue(serverOptions.getEnabledSecureTransportProtocols().size() == 2);
}
}
/**
 * Verifies that, with no explicit protocol list configured,
 * {@code addTlsKeyCertOptions} leaves only TLSv1.2 enabled.
 * <p>
 * This pins the secure-by-default behaviour: a service that merely points at
 * a key store must not end up offering older protocol versions.
 */
@Test
public void testAddTlsKeyCertOptionsDisablesAllProtocolVersionsButTls12() {
  // GIVEN a configuration that sets a key store but no protocol list
  final ServiceConfigProperties config = new ServiceConfigProperties();
  config.setKeyStorePath(PREFIX_KEY_PATH + "/honoKeyStore.p12");

  // WHEN the service applies the configuration to fresh server options
  final AbstractServiceBase<ServiceConfigProperties> service = createService(config);
  final NetServerOptions serverOptions = new NetServerOptions();
  service.addTlsKeyCertOptions(serverOptions);

  // THEN TLS is on and TLSv1.2 is the single enabled protocol
  assertTrue(serverOptions.isSsl());
  assertTrue(serverOptions.getEnabledSecureTransportProtocols().size() == 1);
  assertTrue(serverOptions.getEnabledSecureTransportProtocols().contains("TLSv1.2"));
}