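/**
 * Installs the TLS handler at the head of the given channel pipeline.
 *
 * The {@code SSLContext} is built from {@code clientConfig} once and cached, since
 * building it loads the configured key/trust material. The {@code SSLEngine} is
 * created fresh for every channel: an engine carries per-connection handshake and
 * session state, so a single cached engine must not be handed to the handler of a
 * second channel (e.g. after a reconnect). The {@code sslEngine} field still holds
 * the most recently created engine for any code that reads it.
 *
 * @param pipeline the pipeline of the channel being connected
 * @throws SSLContextException if the context cannot be built from {@code clientConfig}
 */
private synchronized void initSSL(ChannelPipeline pipeline) throws SSLContextException {
    if (sslContext == null) {
        try (X509Util x509Util = new ClientX509Util()) {
            sslContext = x509Util.createSSLContext(clientConfig);
        }
    }
    // One engine per channel. NOTE(review): assumes host/port reflect the address this
    // channel connects to — confirm they are updated before each connect.
    sslEngine = sslContext.createSSLEngine(host, port);
    sslEngine.setUseClientMode(true);
    pipeline.addLast("ssl", new SslHandler(sslEngine));
    LOG.info("SSL handler added for channel: {}", pipeline.channel());
}
}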
/**
 * Configure SSL authentication only if it is not configured.
 *
 * The auth scheme name is read from the client X509 "auth provider" system
 * property (defaulting to {@code x509}); the provider class for that scheme
 * must be present under {@code zookeeper.authProvider.<scheme>}. Only the
 * built-in {@code x509} scheme gets a default provider class filled in.
 *
 * @throws ConfigException
 *             If authentication scheme is configured but authentication
 *             provider is not configured.
 */
private void configureSSLAuth() throws ConfigException {
    try (ClientX509Util clientX509Util = new ClientX509Util()) {
        String schemeProperty = clientX509Util.getSslAuthProviderProperty();
        String scheme = System.getProperty(schemeProperty, "x509");
        String providerProperty = "zookeeper.authProvider." + scheme;
        if (System.getProperty(providerProperty) != null) {
            return; // provider already configured for this scheme
        }
        if (!"zookeeper.authProvider.x509".equals(providerProperty)) {
            // A custom scheme with no provider class is a hard configuration error.
            throw new ConfigException("No auth provider configured for the SSL authentication scheme '"
                + System.getProperty(schemeProperty) + "'.");
        }
        System.setProperty("zookeeper.authProvider.x509",
            "org.apache.zookeeper.server.auth.X509AuthenticationProvider");
    }
}
/**
 * Now onwards client code will use properties from this class but older
 * clients still be setting properties through system properties. So to make
 * this change backward compatible we should set old system properties in
 * this configuration.
 */
protected void handleBackwardCompatibility() {
    // Keys that map 1:1 from a system property onto a configuration entry.
    for (String key : new String[] {JUTE_MAXBUFFER, KINIT_COMMAND, JGSS_NATIVE}) {
        properties.put(key, System.getProperty(key));
    }
    // Client-side TLS settings, plus the auth-provider scheme property.
    try (ClientX509Util clientX509Util = new ClientX509Util()) {
        putSSLProperties(clientX509Util);
        String authProviderKey = clientX509Util.getSslAuthProviderProperty();
        properties.put(authProviderKey, System.getProperty(authProviderKey));
    }
    // Quorum-side TLS settings.
    try (X509Util quorumX509Util = new QuorumX509Util()) {
        putSSLProperties(quorumX509Util);
    }
}
if (secure) { LOG.info("using secure socket"); try (X509Util x509Util = new ClientX509Util()) { SSLContext sslContext = x509Util.getDefaultSSLContext(); SSLSocketFactory socketFactory = sslContext.getSocketFactory();
/**
 * Builds the server bootstrap: an acceptor/worker event loop pair, the
 * listening channel type, socket options, and a child initializer that
 * installs the TLS handler (when {@code secure} is set) ahead of the
 * connection handler on every accepted channel.
 */
NettyServerCnxnFactory() {
    x509Util = new ClientX509Util();
    EventLoopGroup acceptorGroup = NettyUtils.newNioOrEpollEventLoopGroup();
    EventLoopGroup workerGroup = NettyUtils.newNioOrEpollEventLoopGroup();
    ChannelInitializer<SocketChannel> childInitializer = new ChannelInitializer<SocketChannel>() {
        @Override
        protected void initChannel(SocketChannel ch) throws Exception {
            ChannelPipeline pipeline = ch.pipeline();
            // TLS must sit in front of the connection handler so it sees raw bytes first.
            if (secure) {
                initSSL(pipeline);
            }
            pipeline.addLast("servercnxnfactory", channelHandler);
        }
    };
    ServerBootstrap serverBootstrap = new ServerBootstrap();
    serverBootstrap.group(acceptorGroup, workerGroup);
    serverBootstrap.channel(NettyUtils.nioOrEpollServerSocketChannel());
    // parent channel options
    serverBootstrap.option(ChannelOption.SO_REUSEADDR, true);
    // child channels options
    serverBootstrap.childOption(ChannelOption.TCP_NODELAY, true);
    serverBootstrap.childOption(ChannelOption.SO_LINGER, -1);
    serverBootstrap.childHandler(childInitializer);
    this.bootstrap = configureBootstrapAllocator(serverBootstrap);
    this.bootstrap.validate();
}
@Before
public void setUp() throws Exception {
    // Point the TLS system properties at the test key/trust stores; a throwaway
    // util is used here only to resolve the property names.
    try (X509Util propertyNames = new ClientX509Util()) {
        x509TestContext.setSystemProperties(propertyNames, KeyStoreFileType.JKS, KeyStoreFileType.JKS);
    }
    System.setProperty(ServerCnxnFactory.ZOOKEEPER_SERVER_CNXN_FACTORY,
        "org.apache.zookeeper.server.NettyServerCnxnFactory");
    System.setProperty(ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET,
        "org.apache.zookeeper.ClientCnxnSocketNetty");
    // The instance the tests use is created last so it observes the properties above.
    x509Util = new ClientX509Util();
}
/**
 * Configures the two custom cipher suites and rebuilds {@code x509Util} so the
 * new value is picked up.
 */
private void setCustomCipherSuites() {
    String suiteList = customCipherSuites[0] + "," + customCipherSuites[1];
    System.setProperty(x509Util.getCipherSuitesProperty(), suiteList);
    // The old instance must be closed before it is replaced.
    x509Util.close();
    x509Util = new ClientX509Util();
}
@Before
public void setup() {
    clientX509Util = new ClientX509Util();
    String testDataPath = System.getProperty("test.data.dir", "src/test/resources/data");
    String sslDir = testDataPath + "/ssl";

    // Netty-based server and client, with the client in secure mode.
    System.setProperty(ServerCnxnFactory.ZOOKEEPER_SERVER_CNXN_FACTORY,
        "org.apache.zookeeper.server.NettyServerCnxnFactory");
    System.setProperty(ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET,
        "org.apache.zookeeper.ClientCnxnSocketNetty");
    System.setProperty(ZKClientConfig.SECURE_CLIENT, "true");

    // Test key and trust stores (fixture credentials only).
    System.setProperty(clientX509Util.getSslKeystoreLocationProperty(), sslDir + "/testKeyStore.jks");
    System.setProperty(clientX509Util.getSslKeystorePasswdProperty(), "testpass");
    System.setProperty(clientX509Util.getSslTruststoreLocationProperty(), sslDir + "/testTrustStore.jks");
    System.setProperty(clientX509Util.getSslTruststorePasswdProperty(), "testpass");
}
@Before
public void setUp() throws Exception {
    // TLS properties first: the test context derives the property names from the util.
    x509Util = new ClientX509Util();
    x509TestContext.setSystemProperties(x509Util, KeyStoreFileType.JKS, KeyStoreFileType.JKS);
    // Loopback address on a port unique to this test run.
    localServerAddress = new InetSocketAddress(InetAddress.getLoopbackAddress(), PortAssignment.unique());
}
@Before
public void setUp() throws Exception {
    clientX509Util = new ClientX509Util();
    String testDataPath = System.getProperty("test.data.dir", "src/test/resources/data");
    String sslDir = testDataPath + "/ssl";

    // Netty transports on both sides, client in secure mode with x509 auth.
    System.setProperty(ServerCnxnFactory.ZOOKEEPER_SERVER_CNXN_FACTORY,
        "org.apache.zookeeper.server.NettyServerCnxnFactory");
    System.setProperty(ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET,
        "org.apache.zookeeper.ClientCnxnSocketNetty");
    System.setProperty(ZKClientConfig.SECURE_CLIENT, "true");
    System.setProperty(clientX509Util.getSslAuthProviderProperty(), "x509");

    // Test key and trust stores (fixture credentials only).
    System.setProperty(clientX509Util.getSslKeystoreLocationProperty(), sslDir + "/testKeyStore.jks");
    System.setProperty(clientX509Util.getSslKeystorePasswdProperty(), "testpass");
    System.setProperty(clientX509Util.getSslTruststoreLocationProperty(), sslDir + "/testTrustStore.jks");
    System.setProperty(clientX509Util.getSslTruststorePasswdProperty(), "testpass");

    // JSSE handshake tracing in the test log, and the server-side x509 auth provider.
    System.setProperty("javax.net.debug", "ssl");
    System.setProperty("zookeeper.authProvider.x509",
        "org.apache.zookeeper.server.auth.X509AuthenticationProvider");

    // Secure server factory on a port unique to this test run.
    String host = "localhost";
    int port = PortAssignment.unique();
    hostPort = host + ":" + port;
    serverFactory = ServerCnxnFactory.createFactory();
    serverFactory.configure(new InetSocketAddress(host, port), maxCnxns, true);
    super.setUp();
}
@Before public void setUp() throws Exception { x509Util = new ClientX509Util(); x509TestContext.setSystemProperties(x509Util, KeyStoreFileType.JKS, KeyStoreFileType.JKS); System.setProperty(x509Util.getSslHandshakeDetectionTimeoutMillisProperty(), "100");
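/**
 * A configured {@code SslContextSupplier} class must be used to produce the
 * context; the test supplier returns the JSSE default context.
 */
@Test
public void testCreateSSLContext_validCustomSSLContextClass() throws Exception {
    ZKConfig zkConfig = new ZKConfig();
    // ClientX509Util is AutoCloseable; close it so this test does not leak the
    // instance into the rest of the suite.
    try (ClientX509Util clientX509Util = new ClientX509Util()) {
        zkConfig.setProperty(clientX509Util.getSslContextSupplierClassProperty(),
            SslContextSupplier.class.getName());
        final SSLContext sslContext = clientX509Util.createSSLContext(zkConfig);
        Assert.assertEquals(SSLContext.getDefault(), sslContext);
    }
}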
try (X509Util x509Util = new ClientX509Util()) { String keyStoreLocation = config.getProperty(x509Util.getSslKeystoreLocationProperty(), ""); String keyStorePassword = config.getProperty(x509Util.getSslKeystorePasswdProperty(), "");
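/**
 * A supplier class that is not an {@code SslContextSupplier} must be rejected
 * with {@code SSLContextException} rather than silently ignored.
 */
@Test(expected = X509Exception.SSLContextException.class)
public void testCreateSSLContext_invalidCustomSSLContextClass() throws Exception {
    ZKConfig zkConfig = new ZKConfig();
    // ClientX509Util is AutoCloseable; close it even though the call under test throws.
    try (ClientX509Util clientX509Util = new ClientX509Util()) {
        zkConfig.setProperty(clientX509Util.getSslContextSupplierClassProperty(),
            String.class.getCanonicalName());
        clientX509Util.createSSLContext(zkConfig);
    }
}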
/**
 * The handshake-detection timeout defaults when unset, honours a positive
 * configured value, and falls back to the default for zero or negative values.
 */
@Test
public void testGetSslHandshakeDetectionTimeoutMillisProperty() {
    final int defaultMillis = X509Util.DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS;
    final String property = x509Util.getSslHandshakeDetectionTimeoutMillisProperty();

    // Nothing configured yet: the shared instance reports the default.
    Assert.assertEquals(defaultMillis, x509Util.getSslHandshakeTimeoutMillis());

    // The property is read when a ClientX509Util is constructed, so each case
    // sets the property and then builds a fresh instance.
    String[] configured = {Integer.toString(defaultMillis + 1), "0", "-1"};
    int[] expected = {defaultMillis + 1, defaultMillis, defaultMillis}; // 0 and negatives are not allowed
    for (int i = 0; i < configured.length; i++) {
        System.setProperty(property, configured[i]);
        try (X509Util fresh = new ClientX509Util()) {
            Assert.assertEquals(expected[i], fresh.getSslHandshakeTimeoutMillis());
        }
    }
}
/**
 * https://issues.apache.org/jira/browse/ZOOKEEPER-2297
 *
 * A custom SSL auth scheme with no matching auth provider must be rejected
 * when the config enables a secure client port.
 */
@Test
public void testCustomSSLAuth() throws IOException {
    try (ClientX509Util x509Util = new ClientX509Util()) {
        // Scheme "y509" has no "zookeeper.authProvider.y509" entry.
        System.setProperty(x509Util.getSslAuthProviderProperty(), "y509");
        QuorumPeerConfig quorumPeerConfig = new QuorumPeerConfig();
        boolean rejected = false;
        try {
            Properties zkProp = getDefaultZKProperties();
            zkProp.setProperty("secureClientPort", "12345");
            quorumPeerConfig.parseProperties(zkProp);
        } catch (ConfigException e) {
            assertNotNull(e.getMessage());
            rejected = true;
        }
        if (!rejected) {
            fail("ConfigException is expected");
        }
    }
}