andreacavalli
/
netty5
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
netty5/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java

173 lines
6.3 KiB
Java
Raw Normal View History

Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
/*
* Copyright 2014 The Netty Project
*
* The Netty Project licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
package io.netty.handler.ssl;
import io.netty.util.internal.NativeLibraryLoader;
import io.netty.util.internal.logging.InternalLogger;
import io.netty.util.internal.logging.InternalLoggerFactory;
import org.apache.tomcat.jni.Library;
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
import org.apache.tomcat.jni.Pool;
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
import org.apache.tomcat.jni.SSL;
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
import org.apache.tomcat.jni.SSLContext;
import java.util.Collections;
Raise an exception when the specified cipher suite is not available Motivation: SSL_set_cipher_list() in OpenSSL does not fail as long as at least one cipher suite is available. It is different from the semantics of SSLEngine.setEnabledCipherSuites(), which raises an exception when the list contains an unavailable cipher suite. Modifications: - Add OpenSsl.isCipherSuiteAvailable(String) which checks the availability of a cipher suite - Raise an IllegalArgumentException when the specified cipher suite is not available Result: Fixed compatibility
2014-12-30 11:20:43 +01:00
import java.util.LinkedHashSet;
import java.util.Set;
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
/**
* Tells if <a href="http://netty.io/wiki/forked-tomcat-native.html">{@code netty-tcnative}</a> and its OpenSSL support
* are available.
*/
public final class OpenSsl {
private static final InternalLogger logger = InternalLoggerFactory.getInstance(OpenSsl.class);
private static final Throwable UNAVAILABILITY_CAUSE;
Raise an exception when the specified cipher suite is not available Motivation: SSL_set_cipher_list() in OpenSSL does not fail as long as at least one cipher suite is available. It is different from the semantics of SSLEngine.setEnabledCipherSuites(), which raises an exception when the list contains an unavailable cipher suite. Modifications: - Add OpenSsl.isCipherSuiteAvailable(String) which checks the availability of a cipher suite - Raise an IllegalArgumentException when the specified cipher suite is not available Result: Fixed compatibility
2014-12-30 11:20:43 +01:00
private static final Set<String> AVAILABLE_CIPHER_SUITES;
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
static {
Throwable cause = null;
Do not log CNFE when tcnative is not in classpath Motivation: When a user deliberatively omitted netty-tcnative from classpath, he or she will see an ugly stack trace of ClassNotFoundException. Modifications: Log more briefly when netty-tcnative is not in classpath. Result: Better-looking log at DEBUG level
2015-01-08 04:23:14 +01:00
// Test if netty-tcnative is in the classpath first.
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
try {
Do not log CNFE when tcnative is not in classpath Motivation: When a user deliberatively omitted netty-tcnative from classpath, he or she will see an ugly stack trace of ClassNotFoundException. Modifications: Log more briefly when netty-tcnative is not in classpath. Result: Better-looking log at DEBUG level
2015-01-08 04:23:14 +01:00
Class.forName("org.apache.tomcat.jni.SSL", false, OpenSsl.class.getClassLoader());
} catch (ClassNotFoundException t) {
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
cause = t;
logger.debug(
Do not log CNFE when tcnative is not in classpath Motivation: When a user deliberatively omitted netty-tcnative from classpath, he or she will see an ugly stack trace of ClassNotFoundException. Modifications: Log more briefly when netty-tcnative is not in classpath. Result: Better-looking log at DEBUG level
2015-01-08 04:23:14 +01:00
"netty-tcnative not in the classpath; " +
OpenSslEngine.class.getSimpleName() + " will be unavailable.");
}
// If in the classpath, try to load the native library and initialize netty-tcnative.
if (cause == null) {
try {
NativeLibraryLoader.load("netty-tcnative", SSL.class.getClassLoader());
Library.initialize("provided");
SSL.initialize(null);
} catch (Throwable t) {
cause = t;
logger.debug(
"Failed to load netty-tcnative; " +
Add the URL of the wiki for easier troubleshooting Motivation: When a user sees an error message, sometimes he or she does not know what exactly he or she has to do to fix the problem. Modifications: Log the URL of the wiki pages that might help the user troubleshoot. Result: We are more friendly.
2015-01-08 04:43:03 +01:00
OpenSslEngine.class.getSimpleName() + " will be unavailable. " +
"See http://netty.io/wiki/forked-tomcat-native.html for more information.", t);
Do not log CNFE when tcnative is not in classpath Motivation: When a user deliberatively omitted netty-tcnative from classpath, he or she will see an ugly stack trace of ClassNotFoundException. Modifications: Log more briefly when netty-tcnative is not in classpath. Result: Better-looking log at DEBUG level
2015-01-08 04:23:14 +01:00
}
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
}
Do not log CNFE when tcnative is not in classpath Motivation: When a user deliberatively omitted netty-tcnative from classpath, he or she will see an ugly stack trace of ClassNotFoundException. Modifications: Log more briefly when netty-tcnative is not in classpath. Result: Better-looking log at DEBUG level
2015-01-08 04:23:14 +01:00
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
UNAVAILABILITY_CAUSE = cause;
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
if (cause == null) {
Raise an exception when the specified cipher suite is not available Motivation: SSL_set_cipher_list() in OpenSSL does not fail as long as at least one cipher suite is available. It is different from the semantics of SSLEngine.setEnabledCipherSuites(), which raises an exception when the list contains an unavailable cipher suite. Modifications: - Add OpenSsl.isCipherSuiteAvailable(String) which checks the availability of a cipher suite - Raise an IllegalArgumentException when the specified cipher suite is not available Result: Fixed compatibility
2014-12-30 11:20:43 +01:00
final Set<String> availableCipherSuites = new LinkedHashSet<String>(128);
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
final long aprPool = Pool.create(0);
try {
final long sslCtx = SSLContext.make(aprPool, SSL.SSL_PROTOCOL_ALL, SSL.SSL_MODE_SERVER);
try {
SSLContext.setOptions(sslCtx, SSL.SSL_OP_ALL);
SSLContext.setCipherSuite(sslCtx, "ALL");
final long ssl = SSL.newSSL(sslCtx, true);
try {
for (String c: SSL.getCiphers(ssl)) {
// Filter out bad input.
if (c == null || c.length() == 0 || availableCipherSuites.contains(c)) {
continue;
}
availableCipherSuites.add(c);
}
} finally {
SSL.freeSSL(ssl);
}
} finally {
SSLContext.free(sslCtx);
}
} catch (Exception e) {
logger.warn("Failed to get the list of available OpenSSL cipher suites.", e);
} finally {
Pool.destroy(aprPool);
}
Raise an exception when the specified cipher suite is not available Motivation: SSL_set_cipher_list() in OpenSSL does not fail as long as at least one cipher suite is available. It is different from the semantics of SSLEngine.setEnabledCipherSuites(), which raises an exception when the list contains an unavailable cipher suite. Modifications: - Add OpenSsl.isCipherSuiteAvailable(String) which checks the availability of a cipher suite - Raise an IllegalArgumentException when the specified cipher suite is not available Result: Fixed compatibility
2014-12-30 11:20:43 +01:00
AVAILABLE_CIPHER_SUITES = Collections.unmodifiableSet(availableCipherSuites);
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
} else {
Raise an exception when the specified cipher suite is not available Motivation: SSL_set_cipher_list() in OpenSSL does not fail as long as at least one cipher suite is available. It is different from the semantics of SSLEngine.setEnabledCipherSuites(), which raises an exception when the list contains an unavailable cipher suite. Modifications: - Add OpenSsl.isCipherSuiteAvailable(String) which checks the availability of a cipher suite - Raise an IllegalArgumentException when the specified cipher suite is not available Result: Fixed compatibility
2014-12-30 11:20:43 +01:00
AVAILABLE_CIPHER_SUITES = Collections.emptySet();
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
}
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
}
/**
* Returns {@code true} if and only if
* <a href="http://netty.io/wiki/forked-tomcat-native.html">{@code netty-tcnative}</a> and its OpenSSL support
* are available.
*/
public static boolean isAvailable() {
return UNAVAILABILITY_CAUSE == null;
}
Add support for ALPN when using openssl + NPN client mode and support for CipherSuiteFilter Motivation: To support HTTP2 we need APLN support. This was not provided before when using OpenSslEngine, so SSLEngine (JDK one) was the only bet. Beside this CipherSuiteFilter was not supported Modifications: - Upgrade netty-tcnative and make use of new features to support ALPN and NPN in server and client mode. - Guard against segfaults after the ssl pointer is freed - support correctly different failure behaviours - add support for CipherSuiteFilter Result: Be able to use OpenSslEngine for ALPN / NPN for server and client.
2015-03-05 14:19:13 +01:00
/**
* Returns {@code true} if the used version of openssl supports
* <a href="https://tools.ietf.org/html/rfc7301">ALPN</a>.
*/
public static boolean isAlpnSupported() {
return isAvailable() && SSL.version() >= 0x10002000L;
}
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
/**
* Ensure that <a href="http://netty.io/wiki/forked-tomcat-native.html">{@code netty-tcnative}</a> and
* its OpenSSL support are available.
*
* @throws UnsatisfiedLinkError if unavailable
*/
public static void ensureAvailability() {
if (UNAVAILABILITY_CAUSE != null) {
throw (Error) new UnsatisfiedLinkError(
"failed to load the required native library").initCause(UNAVAILABILITY_CAUSE);
}
}
/**
* Returns the cause of unavailability of
* <a href="http://netty.io/wiki/forked-tomcat-native.html">{@code netty-tcnative}</a> and its OpenSSL support.
*
* @return the cause if unavailable. {@code null} if available.
*/
public static Throwable unavailabilityCause() {
return UNAVAILABILITY_CAUSE;
}
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
/**
* Returns all the available OpenSSL cipher suites.
* Please note that the returned array may include the cipher suites that are insecure or non-functional.
*/
Raise an exception when the specified cipher suite is not available Motivation: SSL_set_cipher_list() in OpenSSL does not fail as long as at least one cipher suite is available. It is different from the semantics of SSLEngine.setEnabledCipherSuites(), which raises an exception when the list contains an unavailable cipher suite. Modifications: - Add OpenSsl.isCipherSuiteAvailable(String) which checks the availability of a cipher suite - Raise an IllegalArgumentException when the specified cipher suite is not available Result: Fixed compatibility
2014-12-30 11:20:43 +01:00
public static Set<String> availableCipherSuites() {
return AVAILABLE_CIPHER_SUITES;
}
/**
* Returns {@code true} if and only if the specified cipher suite is available in OpenSSL.
* Both Java-style cipher suite and OpenSSL-style cipher suite are accepted.
*/
public static boolean isCipherSuiteAvailable(String cipherSuite) {
String converted = CipherSuiteConverter.toOpenSsl(cipherSuite);
if (converted != null) {
cipherSuite = converted;
}
return AVAILABLE_CIPHER_SUITES.contains(cipherSuite);
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
}
Check for errors without object allocation Motivation: At the moment we use SSL.getLastError() in unwrap(...) to check for error. This is very inefficient as it creates a new String for each check and we also use a String.startsWith(...) to detect if there was an error we need to handle. Modifications: Use SSL.getLastErrorNumber() to detect if we need to handle an error, as this only returns a long and so no String creation happens. Also the detection is much cheaper as we can now only compare longs. Once an error is detected the lately SSL.getErrorString(long) is used to conver the error number to a String and include it in log and exception message. Result: Performance improvements in OpenSslEngine.unwrap(...) due less object allocation and also faster comparations.
2014-10-17 16:11:40 +02:00
static boolean isError(long errorCode) {
return errorCode != SSL.SSL_ERROR_NONE;
Add OpenSslClientContext to allow creating SslEngine for client side Motivation: We only support openssl for server side at the moment but it would be also useful for client side. Modification: * Upgrade to new netty-tcnative snapshot to support client side openssl support * Add OpenSslClientContext which can be used to create SslEngine for client side usage * Factor out common logic between OpenSslClientContext and OpenSslServerContent into new abstract base class called OpenSslContext * Correctly detect handshake failures as soon as possible * Guard against segfault caused by multiple calls to destroyPools(). This can happen if OpenSslContext throws an exception in the constructor and the finalize() method is called later during GC Result: openssl can be used for client and servers now.
2014-10-13 13:21:29 +02:00
}
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
private OpenSsl() { }
}