private SslContextFactory createSslContextFactory() { final SslContextFactory contextFactory = new SslContextFactory(); configureSslContextFactory(contextFactory, props); return contextFactory; }
@Override public void execute(Map<String, List<String>> parameters, PrintWriter output) throws Exception { // Iterate through all the reloaders first to ensure valid configuration for (SslReload reloader : getReloaders()) { reloader.reload(new SslContextFactory()); } // Now we know that configuration is valid, reload for real for (SslReload reloader : getReloaders()) { reloader.reload(); } output.write("Reloaded certificate configuration\n"); }
/** * Create a channel connector for "http/https" requests */ Connector createChannelConnector(int queueSize, Builder b) { ServerConnector connector; final HttpConfiguration conf = new HttpConfiguration(); conf.setRequestHeaderSize(1024*64); final HttpConnectionFactory http = new HttpConnectionFactory(conf); if (!b.useSSL) { connector = new ServerConnector(webServer, http); } else { SslContextFactory sslContextFactory = new SslContextFactory(); sslContextFactory.setKeyStorePath(b.keyStorePath); Set<String> excludedSSLProtocols = Sets.newHashSet( Splitter.on(",").trimResults().omitEmptyStrings().split( Strings.nullToEmpty(b.conf.getVar(ConfVars.HIVE_SSL_PROTOCOL_BLACKLIST)))); sslContextFactory.addExcludeProtocols(excludedSSLProtocols.toArray( new String[excludedSSLProtocols.size()])); sslContextFactory.setKeyStorePassword(b.keyStorePassword); connector = new ServerConnector(webServer, sslContextFactory, http); } connector.setAcceptQueueSize(queueSize); connector.setReuseAddress(true); connector.setHost(b.host); connector.setPort(b.port); return connector; }
private static Server createServer(Handler handler, int port, KeyStore keyStore, String keyPassword) throws Exception { Server server = new Server(); SslContextFactory sslContextFactory = new SslContextFactory(); sslContextFactory.setIncludeProtocols("TLSv1.2"); sslContextFactory.setKeyStore(keyStore); sslContextFactory.setKeyManagerPassword(keyPassword); HttpConfiguration httpsConfig = new HttpConfiguration(); httpsConfig.addCustomizer(new SecureRequestCustomizer()); ServerConnector sslConnector = new ServerConnector(server, new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()), new HttpConnectionFactory(httpsConfig)); sslConnector.setPort(port); server.addConnector(sslConnector); server.setHandler(handler); return server; }
@Override public void customize(Server server) { SslContextFactory sslContextFactory = new SslContextFactory(); configureSsl(sslContextFactory, this.ssl, this.sslStoreProvider); ServerConnector connector = createConnector(server, sslContextFactory, this.address); server.setConnectors(new Connector[] { connector }); }
private static Supplier<WebSocketClient> createTestClientSupplier() { return () -> { SslContextFactory sslContextFactory = new SslContextFactory( /* trustall= */ true ); /* remove extra filters added by jetty on cipher suites */ sslContextFactory.setExcludeCipherSuites(); return new WebSocketClient( sslContextFactory ); }; } }
server.addConnector(connector); SslContextFactory sslContextFactory = new SslContextFactory(); sslContextFactory.setCertAlias("cruise"); sslContextFactory.setKeyStoreResource(Resource.newClassPathResource("testdata/fake-server-keystore"));
public static SslContextFactory createSslContextFactory(boolean tlsAllowInsecureConnection, String tlsTrustCertsFilePath, String tlsCertificateFilePath, String tlsKeyFilePath, boolean tlsRequireTrustedClientCertOnConnect) throws GeneralSecurityException { SslContextFactory sslCtxFactory = new SslContextFactory(); SSLContext sslCtx = createSslContext(tlsAllowInsecureConnection, tlsTrustCertsFilePath, tlsCertificateFilePath, tlsKeyFilePath); sslCtxFactory.setSslContext(sslCtx); if (tlsRequireTrustedClientCertOnConnect) { sslCtxFactory.setNeedClientAuth(true); } else { sslCtxFactory.setWantClientAuth(true); } sslCtxFactory.setTrustAll(true); return sslCtxFactory; } }
/** * Create ssl connector if https is used * @return */ private ServerConnector sslConnector() { HttpConfiguration http_config = new HttpConfiguration(); http_config.setSecureScheme("https"); http_config.setSecurePort(this.getPort()); HttpConfiguration https_config = new HttpConfiguration(http_config); https_config.addCustomizer(new SecureRequestCustomizer()); SslContextFactory sslContextFactory = new SslContextFactory(this.getCertKeyStorePath()); sslContextFactory.setKeyStorePassword(this.getCertKeyStorePassword()); //exclude weak ciphers sslContextFactory.setExcludeCipherSuites("^.*_(MD5|SHA|SHA1)$"); //only support tlsv1.2 sslContextFactory.addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"); ServerConnector connector = new ServerConnector(jettyServer, new SslConnectionFactory(sslContextFactory, "http/1.1"), new HttpConnectionFactory(https_config)); connector.setPort(this.getPort()); connector.setIdleTimeout(50000); return connector; }
private SslConnectionFactory createSslConnectionFactory( SslPolicy sslPolicy ) SslContextFactory sslContextFactory = new SslContextFactory();
public static ServerConnector addHttpsConnector(Server server) throws IOException, URISyntaxException { String keyStoreFile = resourceAsFile("ssltest-keystore.jks").getAbsolutePath(); SslContextFactory sslContextFactory = new SslContextFactory(keyStoreFile); sslContextFactory.setKeyStorePassword("changeit"); String trustStoreFile = resourceAsFile("ssltest-cacerts.jks").getAbsolutePath(); sslContextFactory.setTrustStorePath(trustStoreFile); sslContextFactory.setTrustStorePassword("changeit"); HttpConfiguration httpsConfig = new HttpConfiguration(); httpsConfig.setSecureScheme("https"); httpsConfig.addCustomizer(new SecureRequestCustomizer()); ServerConnector connector = new ServerConnector(server, new SslConnectionFactory(sslContextFactory, "http/1.1"), new HttpConnectionFactory(httpsConfig)); server.addConnector(connector); return connector; }
private SslContextFactory createSslContextFactory() { SslContextFactory factory = new SslContextFactory(); if (keyStorePath != null) { factory.setKeyStorePath(keyStorePath);
Boolean needClientAuth, Boolean wantClientAuth, Integer headerBufferSize) { SslContextFactory factory = new SslContextFactory(); factory.setExcludeCipherSuites("SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA"); factory.setExcludeProtocols("SSLv3");
final SslContextFactory sslContextFactory = new SslContextFactory(); sslContextFactory.setSslContext(getSslContextBinding().getProvider().get()); httpClient = new HttpClient(sslContextFactory);
@Override public Connector build(Server server, MetricRegistry metrics, String name, @Nullable ThreadPool threadPool) { final HttpConfiguration httpConfig = buildHttpConfiguration(); final HttpConnectionFactory httpConnectionFactory = buildHttpConnectionFactory(httpConfig); final SslContextFactory sslContextFactory = configureSslContextFactory(new SslContextFactory()); sslContextFactory.addLifeCycleListener(logSslInfoOnStart(sslContextFactory)); server.addBean(sslContextFactory); server.addBean(new SslReload(sslContextFactory, this::configureSslContextFactory)); final SslConnectionFactory sslConnectionFactory = new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.toString()); final Scheduler scheduler = new ScheduledExecutorScheduler(); final ByteBufferPool bufferPool = buildBufferPool(); return buildConnector(server, scheduler, bufferPool, name, threadPool, new Jetty93InstrumentedConnectionFactory( sslConnectionFactory, metrics.timer(httpConnections())), httpConnectionFactory); }
@Override public Connector build(Server server, MetricRegistry metrics, String name, @Nullable ThreadPool threadPool) { // HTTP/2 requires that a server MUST support TLSv1.2 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher // See http://http2.github.io/http2-spec/index.html#rfc.section.9.2.2 setSupportedProtocols(Collections.singletonList("TLSv1.2")); checkSupportedCipherSuites(); // Setup connection factories final HttpConfiguration httpConfig = buildHttpConfiguration(); final HttpConnectionFactory http1 = buildHttpConnectionFactory(httpConfig); final HTTP2ServerConnectionFactory http2 = new HTTP2ServerConnectionFactory(httpConfig); http2.setMaxConcurrentStreams(maxConcurrentStreams); http2.setInitialStreamRecvWindow(initialStreamRecvWindow); final NegotiatingServerConnectionFactory alpn = new ALPNServerConnectionFactory(H2, H2_17); alpn.setDefaultProtocol(HTTP_1_1); // Speak HTTP 1.1 over TLS if negotiation fails final SslContextFactory sslContextFactory = configureSslContextFactory(new SslContextFactory()); sslContextFactory.addLifeCycleListener(logSslInfoOnStart(sslContextFactory)); server.addBean(sslContextFactory); server.addBean(new SslReload(sslContextFactory, this::configureSslContextFactory)); // We should use ALPN as a negotiation protocol. Old clients that don't support it will be served // via HTTPS. New clients, however, that want to use HTTP/2 will use TLS with ALPN extension. // If negotiation succeeds, the client and server switch to HTTP/2 protocol. final SslConnectionFactory sslConnectionFactory = new SslConnectionFactory(sslContextFactory, "alpn"); return buildConnector(server, new ScheduledExecutorScheduler(), buildBufferPool(), name, threadPool, new Jetty93InstrumentedConnectionFactory(sslConnectionFactory, metrics.timer(httpConnections())), alpn, http2, http1); }
@Override public WebSocketClient build() throws Exception { SslContextFactory sslContextFactory = sslVerificationMode == SslVerificationMode.NONE ? new TrustAllSSLContextFactory() : new SslContextFactory(); sslContextFactory.setNeedClientAuth(true); sslContextFactory.setKeyStore(agentKeystore()); sslContextFactory.setKeyStorePassword(keystorePassword()); sslContextFactory.setKeyManagerPassword(keystorePassword()); if (rootCertFile != null) { sslContextFactory.setTrustStore(agentTruststore()); sslContextFactory.setTrustStorePassword(keystorePassword()); } if (sslVerificationMode == SslVerificationMode.NO_VERIFY_HOST) { sslContextFactory.setEndpointIdentificationAlgorithm(null); } WebSocketClient client = new WebSocketClient(sslContextFactory); client.setMaxIdleTimeout(systemEnvironment.getWebsocketMaxIdleTime()); return client; }
protected SslContextFactory createSslFactory(final SSLContextService sslService, final boolean needClientAuth, final boolean wantClientAuth) { final SslContextFactory sslFactory = new SslContextFactory(); sslFactory.setNeedClientAuth(needClientAuth); sslFactory.setWantClientAuth(wantClientAuth); if (sslService.isKeyStoreConfigured()) { sslFactory.setKeyStorePath(sslService.getKeyStoreFile()); sslFactory.setKeyStorePassword(sslService.getKeyStorePassword()); sslFactory.setKeyStoreType(sslService.getKeyStoreType()); } if (sslService.isTrustStoreConfigured()) { sslFactory.setTrustStorePath(sslService.getTrustStoreFile()); sslFactory.setTrustStorePassword(sslService.getTrustStorePassword()); sslFactory.setTrustStoreType(sslService.getTrustStoreType()); } return sslFactory; }
Assert.notNull(sslStores, "'sslStores' must not be null"); SslContextFactory sslContextFactory = new SslContextFactory(sslStores.keystoreFile());
private SslContextFactory createSslFactory(final SSLContextService sslService, final boolean needClientAuth, final boolean wantClientAuth) { final SslContextFactory sslFactory = new SslContextFactory(); sslFactory.setNeedClientAuth(needClientAuth); sslFactory.setWantClientAuth(wantClientAuth); sslFactory.setProtocol(sslService.getSslAlgorithm()); if (sslService.isKeyStoreConfigured()) { sslFactory.setKeyStorePath(sslService.getKeyStoreFile()); sslFactory.setKeyStorePassword(sslService.getKeyStorePassword()); sslFactory.setKeyStoreType(sslService.getKeyStoreType()); } if (sslService.isTrustStoreConfigured()) { sslFactory.setTrustStorePath(sslService.getTrustStoreFile()); sslFactory.setTrustStorePassword(sslService.getTrustStorePassword()); sslFactory.setTrustStoreType(sslService.getTrustStoreType()); } return sslFactory; }