andreacavalli
/
netty5
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
netty5/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java

512 lines
19 KiB
Java
Raw Normal View History

Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
/*
* Copyright 2014 The Netty Project
*
* The Netty Project licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
package io.netty.handler.ssl;
[#4828] OpenSslContext throws UnsupportedOperationException when Unsafe not available Motivation: OpenSslContext constructor fails with a UnsupportedOperationException if Unsafe is not present on the system. Modifications: Make OpenSslContext work also when Unsafe is not present by fallback to using JNI to get the memory address. Result: Using OpenSslContext also works on systems without Unsafe.
2016-02-03 20:50:57 +01:00
import io.netty.buffer.ByteBuf;
Add support for KeyManagerFactory when using SslProvider.OpenSsl. Motivation: To be able to use SslProvider.OpenSsl with existing java apps that use the JDK SSL API we need to also provide a way to use it with an existing KeyManagerFactory. Modification: Make use of new tcnative apis and so hook in KeyManagerFactory. Result: SslProvider.OpenSsl can be used with KeyManagerFactory as well.
2016-06-20 14:07:53 +02:00
import io.netty.handler.ssl.util.SelfSignedCertificate;
Ensure we only call ReferenceCountUtil.safeRelease(...) in finalize() if the refCnt() > 0 Motivation: We need to ensure we only call ReferenceCountUtil.safeRelease(...) in finalize() if the refCnt() > 0 as otherwise we will log a message about IllegalReferenceCountException. Modification: Check for a refCnt() > 0 before try to release Result: No more IllegalReferenceCountException produced when run finalize() on OpenSsl* objects that where explicit released before.
2016-08-09 18:14:22 +02:00
import io.netty.util.ReferenceCountUtil;
import io.netty.util.ReferenceCounted;
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
import io.netty.util.internal.NativeLibraryLoader;
Adding support for tcnative uber jar Motivation: We want to allow the use of an uber jar that contains the shared libraries for all platforms. Modifications: Modified OpenSsl to first check for a platform-specific lib before using the default lib. Result: uber support.
2016-02-19 18:20:35 +01:00
import io.netty.util.internal.SystemPropertyUtil;
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
import io.netty.util.internal.logging.InternalLogger;
import io.netty.util.internal.logging.InternalLoggerFactory;
[#5648] Detect if netty-tcnative is in classpath or just tcnative Motivation: If netty is used in a tomcat container tomcat itself may ship tcnative. Because of this we will try to use OpenSsl in netty and fail because it is different to netty-tcnative. Modifications: Ensure if we find tcnative it is really netty-tcnative before using it. Result: No more problems when using netty in a tomcat container that also has tcnative installed.
2016-08-06 21:47:26 +02:00
import org.apache.tomcat.Apr;
[#4828] OpenSslContext throws UnsupportedOperationException when Unsafe not available Motivation: OpenSslContext constructor fails with a UnsupportedOperationException if Unsafe is not present on the system. Modifications: Make OpenSslContext work also when Unsafe is not present by fallback to using JNI to get the memory address. Result: Using OpenSslContext also works on systems without Unsafe.
2016-02-03 20:50:57 +01:00
import org.apache.tomcat.jni.Buffer;
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
import org.apache.tomcat.jni.Library;
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
import org.apache.tomcat.jni.Pool;
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
import org.apache.tomcat.jni.SSL;
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
import org.apache.tomcat.jni.SSLContext;
[#5648] Detect if netty-tcnative is in classpath or just tcnative Motivation: If netty is used in a tomcat container tomcat itself may ship tcnative. Because of this we will try to use OpenSsl in netty and fail because it is different to netty-tcnative. Modifications: Ensure if we find tcnative it is really netty-tcnative before using it. Result: No more problems when using netty in a tomcat container that also has tcnative installed.
2016-08-06 21:47:26 +02:00
import java.io.IOException;
import java.io.InputStream;
Allow to explicit disable usage of KeyManagerFactory when using OpenSsl Motivation: Sometimes it may be useful to explicit disable the usage of the KeyManagerFactory when using OpenSsl. Modifications: Add io.netty.handler.ssl.openssl.useKeyManagerFactory which can be used to explicit disable KeyManagerFactory usage. Result: More flexible usage.
2016-08-01 22:17:30 +02:00
import java.security.AccessController;
import java.security.PrivilegedAction;
OpenSslEngine.getSupportedCipherSuites() must return java names as well. Motivation: At the moment OpenSslEngine.getSupportedCipherSuites() only return the original openssl cipher names and not the java names. We need also include the java names. Modifications: Correctly return the java names as well. Result: Correct implementation of OpenSslEngine.getSupportedCipherSuites()
2016-06-22 15:46:45 +02:00
import java.util.Arrays;
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
import java.util.Collections;
OpenSslEngine.getSupportedCipherSuites() must return java names as well. Motivation: At the moment OpenSslEngine.getSupportedCipherSuites() only return the original openssl cipher names and not the java names. We need also include the java names. Modifications: Correctly return the java names as well. Result: Correct implementation of OpenSslEngine.getSupportedCipherSuites()
2016-06-22 15:46:45 +02:00
import java.util.HashSet;
Raise an exception when the specified cipher suite is not available Motivation: SSL_set_cipher_list() in OpenSSL does not fail as long as at least one cipher suite is available. It is different from the semantics of SSLEngine.setEnabledCipherSuites(), which raises an exception when the list contains an unavailable cipher suite. Modifications: - Add OpenSsl.isCipherSuiteAvailable(String) which checks the availability of a cipher suite - Raise an IllegalArgumentException when the specified cipher suite is not available Result: Fixed compatibility
2014-12-30 11:20:43 +01:00
import java.util.LinkedHashSet;
Adding support for tcnative uber jar Motivation: We want to allow the use of an uber jar that contains the shared libraries for all platforms. Modifications: Modified OpenSsl to first check for a platform-specific lib before using the default lib. Result: uber support.
2016-02-19 18:20:35 +01:00
import java.util.Locale;
[#5648] Detect if netty-tcnative is in classpath or just tcnative Motivation: If netty is used in a tomcat container tomcat itself may ship tcnative. Because of this we will try to use OpenSsl in netty and fail because it is different to netty-tcnative. Modifications: Ensure if we find tcnative it is really netty-tcnative before using it. Result: No more problems when using netty in a tomcat container that also has tcnative installed.
2016-08-06 21:47:26 +02:00
import java.util.Properties;
Raise an exception when the specified cipher suite is not available Motivation: SSL_set_cipher_list() in OpenSSL does not fail as long as at least one cipher suite is available. It is different from the semantics of SSLEngine.setEnabledCipherSuites(), which raises an exception when the list contains an unavailable cipher suite. Modifications: - Add OpenSsl.isCipherSuiteAvailable(String) which checks the availability of a cipher suite - Raise an IllegalArgumentException when the specified cipher suite is not available Result: Fixed compatibility
2014-12-30 11:20:43 +01:00
import java.util.Set;
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
/**
* Tells if <a href="http://netty.io/wiki/forked-tomcat-native.html">{@code netty-tcnative}</a> and its OpenSSL support
* are available.
*/
public final class OpenSsl {
private static final InternalLogger logger = InternalLoggerFactory.getInstance(OpenSsl.class);
Adding support for tcnative fedora flavour in uber jar Motivation: We want to allow the use of an uber jar that contains shared dynamic libraries for all platforms (including fedora). Modifications: Modified OpenSsl to try and load the fedora library if the OS is Linux and the platform specified library fails before using the default lib. Result: True uber support.
2016-03-02 20:18:45 +01:00
private static final String LINUX = "linux";
Adding support for tcnative uber jar Motivation: We want to allow the use of an uber jar that contains the shared libraries for all platforms. Modifications: Modified OpenSsl to first check for a platform-specific lib before using the default lib. Result: uber support.
2016-02-19 18:20:35 +01:00
private static final String UNKNOWN = "unknown";
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
private static final Throwable UNAVAILABILITY_CAUSE;
OpenSslEngine.getSupportedCipherSuites() must return java names as well. Motivation: At the moment OpenSslEngine.getSupportedCipherSuites() only return the original openssl cipher names and not the java names. We need also include the java names. Modifications: Correctly return the java names as well. Result: Correct implementation of OpenSslEngine.getSupportedCipherSuites()
2016-06-22 15:46:45 +02:00
static final Set<String> AVAILABLE_CIPHER_SUITES;
private static final Set<String> AVAILABLE_OPENSSL_CIPHER_SUITES;
private static final Set<String> AVAILABLE_JAVA_CIPHER_SUITES;
Add support for KeyManagerFactory when using SslProvider.OpenSsl. Motivation: To be able to use SslProvider.OpenSsl with existing java apps that use the JDK SSL API we need to also provide a way to use it with an existing KeyManagerFactory. Modification: Make use of new tcnative apis and so hook in KeyManagerFactory. Result: SslProvider.OpenSsl can be used with KeyManagerFactory as well.
2016-06-20 14:07:53 +02:00
private static final boolean SUPPORTS_KEYMANAGER_FACTORY;
Allow to explicit disable usage of KeyManagerFactory when using OpenSsl Motivation: Sometimes it may be useful to explicit disable the usage of the KeyManagerFactory when using OpenSsl. Modifications: Add io.netty.handler.ssl.openssl.useKeyManagerFactory which can be used to explicit disable KeyManagerFactory usage. Result: More flexible usage.
2016-08-01 22:17:30 +02:00
private static final boolean USE_KEYMANAGER_FACTORY;
OpenSslEngine.getSupportedCipherSuites() must return java names as well. Motivation: At the moment OpenSslEngine.getSupportedCipherSuites() only return the original openssl cipher names and not the java names. We need also include the java names. Modifications: Correctly return the java names as well. Result: Correct implementation of OpenSslEngine.getSupportedCipherSuites()
2016-06-22 15:46:45 +02:00
// Protocols
static final String PROTOCOL_SSL_V2_HELLO = "SSLv2Hello";
static final String PROTOCOL_SSL_V2 = "SSLv2";
static final String PROTOCOL_SSL_V3 = "SSLv3";
static final String PROTOCOL_TLS_V1 = "TLSv1";
static final String PROTOCOL_TLS_V1_1 = "TLSv1.1";
static final String PROTOCOL_TLS_V1_2 = "TLSv1.2";
Correctly detect which protocols are supported when using OpenSSL Motivation: We failed to properly test if a protocol is supported on an OpenSSL installation and just always returned all protocols. Modifications: - Detect which protocols are supported on a platform. - Skip protocols in tests when not supported. This fixes a build error on some platforms introduced by [#6276]. Result: Correctly return only the supported protocols
2017-01-27 11:54:11 +01:00
static final Set<String> SUPPORTED_PROTOCOLS_SET;
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
static {
Throwable cause = null;
Do not log CNFE when tcnative is not in classpath Motivation: When a user deliberatively omitted netty-tcnative from classpath, he or she will see an ugly stack trace of ClassNotFoundException. Modifications: Log more briefly when netty-tcnative is not in classpath. Result: Better-looking log at DEBUG level
2015-01-08 04:23:14 +01:00
// Test if netty-tcnative is in the classpath first.
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
try {
Do not log CNFE when tcnative is not in classpath Motivation: When a user deliberatively omitted netty-tcnative from classpath, he or she will see an ugly stack trace of ClassNotFoundException. Modifications: Log more briefly when netty-tcnative is not in classpath. Result: Better-looking log at DEBUG level
2015-01-08 04:23:14 +01:00
Class.forName("org.apache.tomcat.jni.SSL", false, OpenSsl.class.getClassLoader());
} catch (ClassNotFoundException t) {
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
cause = t;
logger.debug(
Do not log CNFE when tcnative is not in classpath Motivation: When a user deliberatively omitted netty-tcnative from classpath, he or she will see an ugly stack trace of ClassNotFoundException. Modifications: Log more briefly when netty-tcnative is not in classpath. Result: Better-looking log at DEBUG level
2015-01-08 04:23:14 +01:00
"netty-tcnative not in the classpath; " +
OpenSslEngine.class.getSimpleName() + " will be unavailable.");
}
// If in the classpath, try to load the native library and initialize netty-tcnative.
if (cause == null) {
try {
Support preloading of tcnative share lib Motivation: Some applications may use alternative methods of loading the tcnative JNI symbols. We should support this use case. Modifications: Separate the loading and initialzation of the tcnative library so that each can fail independently. Result: Fixes #5043
2016-04-11 18:06:48 +02:00
// The JNI library was not already loaded. Load it now.
loadTcNative();
} catch (Throwable t) {
cause = t;
logger.debug(
"Failed to load netty-tcnative; " +
OpenSslEngine.class.getSimpleName() + " will be unavailable, unless the " +
"application has already loaded the symbols by some other means. " +
"See http://netty.io/wiki/forked-tomcat-native.html for more information.", t);
}
Adding support for tcnative fedora flavour in uber jar Motivation: We want to allow the use of an uber jar that contains shared dynamic libraries for all platforms (including fedora). Modifications: Modified OpenSsl to try and load the fedora library if the OS is Linux and the platform specified library fails before using the default lib. Result: True uber support.
2016-03-02 20:18:45 +01:00
Support preloading of tcnative share lib Motivation: Some applications may use alternative methods of loading the tcnative JNI symbols. We should support this use case. Modifications: Separate the loading and initialzation of the tcnative library so that each can fail independently. Result: Fixes #5043
2016-04-11 18:06:48 +02:00
try {
initializeTcNative();
Adding support for tcnative uber jar Motivation: We want to allow the use of an uber jar that contains the shared libraries for all platforms. Modifications: Modified OpenSsl to first check for a platform-specific lib before using the default lib. Result: uber support.
2016-02-19 18:20:35 +01:00
Support preloading of tcnative share lib Motivation: Some applications may use alternative methods of loading the tcnative JNI symbols. We should support this use case. Modifications: Separate the loading and initialzation of the tcnative library so that each can fail independently. Result: Fixes #5043
2016-04-11 18:06:48 +02:00
// The library was initialized successfully. If loading the library failed above,
// reset the cause now since it appears that the library was loaded by some other
// means.
cause = null;
Do not log CNFE when tcnative is not in classpath Motivation: When a user deliberatively omitted netty-tcnative from classpath, he or she will see an ugly stack trace of ClassNotFoundException. Modifications: Log more briefly when netty-tcnative is not in classpath. Result: Better-looking log at DEBUG level
2015-01-08 04:23:14 +01:00
} catch (Throwable t) {
Support preloading of tcnative share lib Motivation: Some applications may use alternative methods of loading the tcnative JNI symbols. We should support this use case. Modifications: Separate the loading and initialzation of the tcnative library so that each can fail independently. Result: Fixes #5043
2016-04-11 18:06:48 +02:00
if (cause == null) {
cause = t;
}
Do not log CNFE when tcnative is not in classpath Motivation: When a user deliberatively omitted netty-tcnative from classpath, he or she will see an ugly stack trace of ClassNotFoundException. Modifications: Log more briefly when netty-tcnative is not in classpath. Result: Better-looking log at DEBUG level
2015-01-08 04:23:14 +01:00
logger.debug(
Support preloading of tcnative share lib Motivation: Some applications may use alternative methods of loading the tcnative JNI symbols. We should support this use case. Modifications: Separate the loading and initialzation of the tcnative library so that each can fail independently. Result: Fixes #5043
2016-04-11 18:06:48 +02:00
"Failed to initialize netty-tcnative; " +
Add the URL of the wiki for easier troubleshooting Motivation: When a user sees an error message, sometimes he or she does not know what exactly he or she has to do to fix the problem. Modifications: Log the URL of the wiki pages that might help the user troubleshoot. Result: We are more friendly.
2015-01-08 04:43:03 +01:00
OpenSslEngine.class.getSimpleName() + " will be unavailable. " +
"See http://netty.io/wiki/forked-tomcat-native.html for more information.", t);
Do not log CNFE when tcnative is not in classpath Motivation: When a user deliberatively omitted netty-tcnative from classpath, he or she will see an ugly stack trace of ClassNotFoundException. Modifications: Log more briefly when netty-tcnative is not in classpath. Result: Better-looking log at DEBUG level
2015-01-08 04:23:14 +01:00
}
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
}
Do not log CNFE when tcnative is not in classpath Motivation: When a user deliberatively omitted netty-tcnative from classpath, he or she will see an ugly stack trace of ClassNotFoundException. Modifications: Log more briefly when netty-tcnative is not in classpath. Result: Better-looking log at DEBUG level
2015-01-08 04:23:14 +01:00
[#5648] Detect if netty-tcnative is in classpath or just tcnative Motivation: If netty is used in a tomcat container tomcat itself may ship tcnative. Because of this we will try to use OpenSsl in netty and fail because it is different to netty-tcnative. Modifications: Ensure if we find tcnative it is really netty-tcnative before using it. Result: No more problems when using netty in a tomcat container that also has tcnative installed.
2016-08-06 21:47:26 +02:00
if (cause == null && !isNettyTcnative()) {
logger.debug("incompatible tcnative in the classpath; "
+ OpenSslEngine.class.getSimpleName() + " will be unavailable.");
cause = new ClassNotFoundException("incompatible tcnative in the classpath");
}
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
UNAVAILABILITY_CAUSE = cause;
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
if (cause == null) {
OpenSslEngine.getSupportedCipherSuites() must return java names as well. Motivation: At the moment OpenSslEngine.getSupportedCipherSuites() only return the original openssl cipher names and not the java names. We need also include the java names. Modifications: Correctly return the java names as well. Result: Correct implementation of OpenSslEngine.getSupportedCipherSuites()
2016-06-22 15:46:45 +02:00
final Set<String> availableOpenSslCipherSuites = new LinkedHashSet<String>(128);
Add support for KeyManagerFactory when using SslProvider.OpenSsl. Motivation: To be able to use SslProvider.OpenSsl with existing java apps that use the JDK SSL API we need to also provide a way to use it with an existing KeyManagerFactory. Modification: Make use of new tcnative apis and so hook in KeyManagerFactory. Result: SslProvider.OpenSsl can be used with KeyManagerFactory as well.
2016-06-20 14:07:53 +02:00
boolean supportsKeyManagerFactory = false;
Allow to explicit disable usage of KeyManagerFactory when using OpenSsl Motivation: Sometimes it may be useful to explicit disable the usage of the KeyManagerFactory when using OpenSsl. Modifications: Add io.netty.handler.ssl.openssl.useKeyManagerFactory which can be used to explicit disable KeyManagerFactory usage. Result: More flexible usage.
2016-08-01 22:17:30 +02:00
boolean useKeyManagerFactory = false;
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
final long aprPool = Pool.create(0);
try {
final long sslCtx = SSLContext.make(aprPool, SSL.SSL_PROTOCOL_ALL, SSL.SSL_MODE_SERVER);
Add support for KeyManagerFactory when using SslProvider.OpenSsl. Motivation: To be able to use SslProvider.OpenSsl with existing java apps that use the JDK SSL API we need to also provide a way to use it with an existing KeyManagerFactory. Modification: Make use of new tcnative apis and so hook in KeyManagerFactory. Result: SslProvider.OpenSsl can be used with KeyManagerFactory as well.
2016-06-20 14:07:53 +02:00
long privateKeyBio = 0;
long certBio = 0;
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
try {
SSLContext.setOptions(sslCtx, SSL.SSL_OP_ALL);
SSLContext.setCipherSuite(sslCtx, "ALL");
final long ssl = SSL.newSSL(sslCtx, true);
try {
for (String c: SSL.getCiphers(ssl)) {
// Filter out bad input.
OpenSslEngine.getSupportedCipherSuites() must return java names as well. Motivation: At the moment OpenSslEngine.getSupportedCipherSuites() only return the original openssl cipher names and not the java names. We need also include the java names. Modifications: Correctly return the java names as well. Result: Correct implementation of OpenSslEngine.getSupportedCipherSuites()
2016-06-22 15:46:45 +02:00
if (c == null || c.length() == 0 || availableOpenSslCipherSuites.contains(c)) {
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
continue;
}
OpenSslEngine.getSupportedCipherSuites() must return java names as well. Motivation: At the moment OpenSslEngine.getSupportedCipherSuites() only return the original openssl cipher names and not the java names. We need also include the java names. Modifications: Correctly return the java names as well. Result: Correct implementation of OpenSslEngine.getSupportedCipherSuites()
2016-06-22 15:46:45 +02:00
availableOpenSslCipherSuites.add(c);
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
}
Add support for KeyManagerFactory when using SslProvider.OpenSsl. Motivation: To be able to use SslProvider.OpenSsl with existing java apps that use the JDK SSL API we need to also provide a way to use it with an existing KeyManagerFactory. Modification: Make use of new tcnative apis and so hook in KeyManagerFactory. Result: SslProvider.OpenSsl can be used with KeyManagerFactory as well.
2016-06-20 14:07:53 +02:00
try {
SelfSignedCertificate cert = new SelfSignedCertificate();
certBio = OpenSslContext.toBIO(cert.cert());
SSL.setCertificateChainBio(ssl, certBio, false);
supportsKeyManagerFactory = true;
Allow to explicit disable usage of KeyManagerFactory when using OpenSsl Motivation: Sometimes it may be useful to explicit disable the usage of the KeyManagerFactory when using OpenSsl. Modifications: Add io.netty.handler.ssl.openssl.useKeyManagerFactory which can be used to explicit disable KeyManagerFactory usage. Result: More flexible usage.
2016-08-01 22:17:30 +02:00
useKeyManagerFactory = AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
@Override
public Boolean run() {
return SystemPropertyUtil.getBoolean(
"io.netty.handler.ssl.openssl.useKeyManagerFactory", true);
}
});
Add support for KeyManagerFactory when using SslProvider.OpenSsl. Motivation: To be able to use SslProvider.OpenSsl with existing java apps that use the JDK SSL API we need to also provide a way to use it with an existing KeyManagerFactory. Modification: Make use of new tcnative apis and so hook in KeyManagerFactory. Result: SslProvider.OpenSsl can be used with KeyManagerFactory as well.
2016-06-20 14:07:53 +02:00
} catch (Throwable ignore) {
logger.debug("KeyManagerFactory not supported.");
}
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
} finally {
SSL.freeSSL(ssl);
Add support for KeyManagerFactory when using SslProvider.OpenSsl. Motivation: To be able to use SslProvider.OpenSsl with existing java apps that use the JDK SSL API we need to also provide a way to use it with an existing KeyManagerFactory. Modification: Make use of new tcnative apis and so hook in KeyManagerFactory. Result: SslProvider.OpenSsl can be used with KeyManagerFactory as well.
2016-06-20 14:07:53 +02:00
if (privateKeyBio != 0) {
SSL.freeBIO(privateKeyBio);
}
if (certBio != 0) {
SSL.freeBIO(certBio);
}
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
}
} finally {
SSLContext.free(sslCtx);
}
} catch (Exception e) {
logger.warn("Failed to get the list of available OpenSSL cipher suites.", e);
} finally {
Pool.destroy(aprPool);
}
OpenSslEngine.getSupportedCipherSuites() must return java names as well. Motivation: At the moment OpenSslEngine.getSupportedCipherSuites() only return the original openssl cipher names and not the java names. We need also include the java names. Modifications: Correctly return the java names as well. Result: Correct implementation of OpenSslEngine.getSupportedCipherSuites()
2016-06-22 15:46:45 +02:00
AVAILABLE_OPENSSL_CIPHER_SUITES = Collections.unmodifiableSet(availableOpenSslCipherSuites);
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
OpenSslEngine.getSupportedCipherSuites() must return java names as well. Motivation: At the moment OpenSslEngine.getSupportedCipherSuites() only return the original openssl cipher names and not the java names. We need also include the java names. Modifications: Correctly return the java names as well. Result: Correct implementation of OpenSslEngine.getSupportedCipherSuites()
2016-06-22 15:46:45 +02:00
final Set<String> availableJavaCipherSuites = new LinkedHashSet<String>(
AVAILABLE_OPENSSL_CIPHER_SUITES.size() * 2);
for (String cipher: AVAILABLE_OPENSSL_CIPHER_SUITES) {
// Included converted but also openssl cipher name
availableJavaCipherSuites.add(CipherSuiteConverter.toJava(cipher, "TLS"));
availableJavaCipherSuites.add(CipherSuiteConverter.toJava(cipher, "SSL"));
}
AVAILABLE_JAVA_CIPHER_SUITES = Collections.unmodifiableSet(availableJavaCipherSuites);
final Set<String> availableCipherSuites = new LinkedHashSet<String>(
AVAILABLE_OPENSSL_CIPHER_SUITES.size() + AVAILABLE_JAVA_CIPHER_SUITES.size());
for (String cipher: AVAILABLE_OPENSSL_CIPHER_SUITES) {
availableCipherSuites.add(cipher);
}
for (String cipher: AVAILABLE_JAVA_CIPHER_SUITES) {
availableCipherSuites.add(cipher);
}
AVAILABLE_CIPHER_SUITES = availableCipherSuites;
Add support for KeyManagerFactory when using SslProvider.OpenSsl. Motivation: To be able to use SslProvider.OpenSsl with existing java apps that use the JDK SSL API we need to also provide a way to use it with an existing KeyManagerFactory. Modification: Make use of new tcnative apis and so hook in KeyManagerFactory. Result: SslProvider.OpenSsl can be used with KeyManagerFactory as well.
2016-06-20 14:07:53 +02:00
SUPPORTS_KEYMANAGER_FACTORY = supportsKeyManagerFactory;
Allow to explicit disable usage of KeyManagerFactory when using OpenSsl Motivation: Sometimes it may be useful to explicit disable the usage of the KeyManagerFactory when using OpenSsl. Modifications: Add io.netty.handler.ssl.openssl.useKeyManagerFactory which can be used to explicit disable KeyManagerFactory usage. Result: More flexible usage.
2016-08-01 22:17:30 +02:00
USE_KEYMANAGER_FACTORY = useKeyManagerFactory;
Correctly detect which protocols are supported when using OpenSSL Motivation: We failed to properly test if a protocol is supported on an OpenSSL installation and just always returned all protocols. Modifications: - Detect which protocols are supported on a platform. - Skip protocols in tests when not supported. This fixes a build error on some platforms introduced by [#6276]. Result: Correctly return only the supported protocols
2017-01-27 11:54:11 +01:00
final long pool = Pool.create(0);
Set<String> protocols = new LinkedHashSet<String>(6);
// Seems like there is no way to explicitly disable SSLv2Hello in openssl so it is always enabled
protocols.add(PROTOCOL_SSL_V2_HELLO);
try {
if (doesSupportProtocol(pool, SSL.SSL_PROTOCOL_SSLV2)) {
protocols.add(PROTOCOL_SSL_V2);
}
if (doesSupportProtocol(pool, SSL.SSL_PROTOCOL_SSLV3)) {
protocols.add(PROTOCOL_SSL_V3);
}
if (doesSupportProtocol(pool, SSL.SSL_PROTOCOL_TLSV1)) {
protocols.add(PROTOCOL_TLS_V1);
}
if (doesSupportProtocol(pool, SSL.SSL_PROTOCOL_TLSV1_1)) {
protocols.add(PROTOCOL_TLS_V1_1);
}
if (doesSupportProtocol(pool, SSL.SSL_PROTOCOL_TLSV1_2)) {
protocols.add(PROTOCOL_TLS_V1_2);
}
} finally {
Pool.destroy(aprPool);
}
SUPPORTED_PROTOCOLS_SET = Collections.unmodifiableSet(protocols);
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
} else {
OpenSslEngine.getSupportedCipherSuites() must return java names as well. Motivation: At the moment OpenSslEngine.getSupportedCipherSuites() only return the original openssl cipher names and not the java names. We need also include the java names. Modifications: Correctly return the java names as well. Result: Correct implementation of OpenSslEngine.getSupportedCipherSuites()
2016-06-22 15:46:45 +02:00
AVAILABLE_OPENSSL_CIPHER_SUITES = Collections.emptySet();
AVAILABLE_JAVA_CIPHER_SUITES = Collections.emptySet();
Raise an exception when the specified cipher suite is not available Motivation: SSL_set_cipher_list() in OpenSSL does not fail as long as at least one cipher suite is available. It is different from the semantics of SSLEngine.setEnabledCipherSuites(), which raises an exception when the list contains an unavailable cipher suite. Modifications: - Add OpenSsl.isCipherSuiteAvailable(String) which checks the availability of a cipher suite - Raise an IllegalArgumentException when the specified cipher suite is not available Result: Fixed compatibility
2014-12-30 11:20:43 +01:00
AVAILABLE_CIPHER_SUITES = Collections.emptySet();
Add support for KeyManagerFactory when using SslProvider.OpenSsl. Motivation: To be able to use SslProvider.OpenSsl with existing java apps that use the JDK SSL API we need to also provide a way to use it with an existing KeyManagerFactory. Modification: Make use of new tcnative apis and so hook in KeyManagerFactory. Result: SslProvider.OpenSsl can be used with KeyManagerFactory as well.
2016-06-20 14:07:53 +02:00
SUPPORTS_KEYMANAGER_FACTORY = false;
Allow to explicit disable usage of KeyManagerFactory when using OpenSsl Motivation: Sometimes it may be useful to explicit disable the usage of the KeyManagerFactory when using OpenSsl. Modifications: Add io.netty.handler.ssl.openssl.useKeyManagerFactory which can be used to explicit disable KeyManagerFactory usage. Result: More flexible usage.
2016-08-01 22:17:30 +02:00
USE_KEYMANAGER_FACTORY = false;
Correctly detect which protocols are supported when using OpenSSL Motivation: We failed to properly test if a protocol is supported on an OpenSSL installation and just always returned all protocols. Modifications: - Detect which protocols are supported on a platform. - Skip protocols in tests when not supported. This fixes a build error on some platforms introduced by [#6276]. Result: Correctly return only the supported protocols
2017-01-27 11:54:11 +01:00
SUPPORTED_PROTOCOLS_SET = Collections.emptySet();
}
}
private static boolean doesSupportProtocol(long aprPool, int protocol) {
long sslCtx = -1;
try {
sslCtx = SSLContext.make(aprPool, protocol, SSL.SSL_MODE_COMBINED);
return true;
} catch (Exception ignore) {
return false;
} finally {
if (sslCtx != -1) {
SSLContext.free(sslCtx);
}
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
}
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
}
[#5648] Detect if netty-tcnative is in classpath or just tcnative Motivation: If netty is used in a tomcat container tomcat itself may ship tcnative. Because of this we will try to use OpenSsl in netty and fail because it is different to netty-tcnative. Modifications: Ensure if we find tcnative it is really netty-tcnative before using it. Result: No more problems when using netty in a tomcat container that also has tcnative installed.
2016-08-06 21:47:26 +02:00
private static boolean isNettyTcnative() {
return AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
@Override
public Boolean run() {
InputStream is = null;
try {
is = Apr.class.getResourceAsStream("/org/apache/tomcat/apr.properties");
Properties props = new Properties();
props.load(is);
String info = props.getProperty("tcn.info");
return info != null && info.startsWith("netty-tcnative");
} catch (Throwable ignore) {
return false;
} finally {
if (is != null) {
try {
is.close();
} catch (IOException ignore) {
// ignore
}
}
}
}
});
}
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
/**
* Returns {@code true} if and only if
* <a href="http://netty.io/wiki/forked-tomcat-native.html">{@code netty-tcnative}</a> and its OpenSSL support
* are available.
*/
public static boolean isAvailable() {
return UNAVAILABILITY_CAUSE == null;
}
Add support for ALPN when using openssl + NPN client mode and support for CipherSuiteFilter Motivation: To support HTTP2 we need APLN support. This was not provided before when using OpenSslEngine, so SSLEngine (JDK one) was the only bet. Beside this CipherSuiteFilter was not supported Modifications: - Upgrade netty-tcnative and make use of new features to support ALPN and NPN in server and client mode. - Guard against segfaults after the ssl pointer is freed - support correctly different failure behaviours - add support for CipherSuiteFilter Result: Be able to use OpenSslEngine for ALPN / NPN for server and client.
2015-03-05 14:19:13 +01:00
/**
* Returns {@code true} if the used version of openssl supports
* <a href="https://tools.ietf.org/html/rfc7301">ALPN</a>.
*/
public static boolean isAlpnSupported() {
Allow to get version of available OpenSSL library Motivation: Sometimes it's useful to get informations about the available OpenSSL library that is used for the OpenSslEngine. Modifications: Add two new methods which allows to get the available OpenSSL version as either an int or an String. Result: Easy to access details about OpenSSL version.
2015-04-15 23:05:10 +02:00
return version() >= 0x10002000L;
}
/**
* Returns the version of the used available OpenSSL library or {@code -1} if {@link #isAvailable()}
* returns {@code false}.
*/
public static int version() {
if (isAvailable()) {
return SSL.version();
}
return -1;
}
/**
* Returns the version string of the used available OpenSSL library or {@code null} if {@link #isAvailable()}
* returns {@code false}.
*/
public static String versionString() {
if (isAvailable()) {
return SSL.versionString();
}
return null;
Add support for ALPN when using openssl + NPN client mode and support for CipherSuiteFilter Motivation: To support HTTP2 we need APLN support. This was not provided before when using OpenSslEngine, so SSLEngine (JDK one) was the only bet. Beside this CipherSuiteFilter was not supported Modifications: - Upgrade netty-tcnative and make use of new features to support ALPN and NPN in server and client mode. - Guard against segfaults after the ssl pointer is freed - support correctly different failure behaviours - add support for CipherSuiteFilter Result: Be able to use OpenSslEngine for ALPN / NPN for server and client.
2015-03-05 14:19:13 +01:00
}
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
/**
* Ensure that <a href="http://netty.io/wiki/forked-tomcat-native.html">{@code netty-tcnative}</a> and
* its OpenSSL support are available.
*
* @throws UnsatisfiedLinkError if unavailable
*/
public static void ensureAvailability() {
if (UNAVAILABILITY_CAUSE != null) {
throw (Error) new UnsatisfiedLinkError(
"failed to load the required native library").initCause(UNAVAILABILITY_CAUSE);
}
}
/**
* Returns the cause of unavailability of
* <a href="http://netty.io/wiki/forked-tomcat-native.html">{@code netty-tcnative}</a> and its OpenSSL support.
*
* @return the cause if unavailable. {@code null} if available.
*/
public static Throwable unavailabilityCause() {
return UNAVAILABILITY_CAUSE;
}
OpenSslEngine.getSupportedCipherSuites() must return java names as well. Motivation: At the moment OpenSslEngine.getSupportedCipherSuites() only return the original openssl cipher names and not the java names. We need also include the java names. Modifications: Correctly return the java names as well. Result: Correct implementation of OpenSslEngine.getSupportedCipherSuites()
2016-06-22 15:46:45 +02:00
/**
* @deprecated use {@link #availableOpenSslCipherSuites()}
*/
@Deprecated
public static Set<String> availableCipherSuites() {
return availableOpenSslCipherSuites();
}
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
/**
* Returns all the available OpenSSL cipher suites.
* Please note that the returned array may include the cipher suites that are insecure or non-functional.
*/
OpenSslEngine.getSupportedCipherSuites() must return java names as well. Motivation: At the moment OpenSslEngine.getSupportedCipherSuites() only return the original openssl cipher names and not the java names. We need also include the java names. Modifications: Correctly return the java names as well. Result: Correct implementation of OpenSslEngine.getSupportedCipherSuites()
2016-06-22 15:46:45 +02:00
public static Set<String> availableOpenSslCipherSuites() {
return AVAILABLE_OPENSSL_CIPHER_SUITES;
}
/**
* Returns all the available cipher suites (Java-style).
* Please note that the returned array may include the cipher suites that are insecure or non-functional.
*/
public static Set<String> availableJavaCipherSuites() {
return AVAILABLE_JAVA_CIPHER_SUITES;
Raise an exception when the specified cipher suite is not available Motivation: SSL_set_cipher_list() in OpenSSL does not fail as long as at least one cipher suite is available. It is different from the semantics of SSLEngine.setEnabledCipherSuites(), which raises an exception when the list contains an unavailable cipher suite. Modifications: - Add OpenSsl.isCipherSuiteAvailable(String) which checks the availability of a cipher suite - Raise an IllegalArgumentException when the specified cipher suite is not available Result: Fixed compatibility
2014-12-30 11:20:43 +01:00
}
/**
* Returns {@code true} if and only if the specified cipher suite is available in OpenSSL.
* Both Java-style cipher suite and OpenSSL-style cipher suite are accepted.
*/
public static boolean isCipherSuiteAvailable(String cipherSuite) {
String converted = CipherSuiteConverter.toOpenSsl(cipherSuite);
if (converted != null) {
cipherSuite = converted;
}
OpenSslEngine.getSupportedCipherSuites() must return java names as well. Motivation: At the moment OpenSslEngine.getSupportedCipherSuites() only return the original openssl cipher names and not the java names. We need also include the java names. Modifications: Correctly return the java names as well. Result: Correct implementation of OpenSslEngine.getSupportedCipherSuites()
2016-06-22 15:46:45 +02:00
return AVAILABLE_OPENSSL_CIPHER_SUITES.contains(cipherSuite);
Implement OpenSslEngine.getSupportedCipherSuites() and get/setEnabledCipherSuites() Motivation: To make OpenSslEngine a full drop-in replacement, we need to implement getSupportedCipherSuites() and get/setEnabledCipherSuites(). Modifications: - Retrieve the list of the available cipher suites when initializing OpenSsl. - Improve CipherSuiteConverter to understand SRP - Add more test data to CipherSuiteConverterTest - Add bulk-conversion method to CipherSuiteConverter Result: OpenSslEngine should now be a drop-in replacement for JDK SSLEngineImpl for most cases.
2014-12-30 10:59:30 +01:00
}
Add support for KeyManagerFactory when using SslProvider.OpenSsl. Motivation: To be able to use SslProvider.OpenSsl with existing java apps that use the JDK SSL API we need to also provide a way to use it with an existing KeyManagerFactory. Modification: Make use of new tcnative apis and so hook in KeyManagerFactory. Result: SslProvider.OpenSsl can be used with KeyManagerFactory as well.
2016-06-20 14:07:53 +02:00
/**
* Returns {@code true} if {@link javax.net.ssl.KeyManagerFactory} is supported when using OpenSSL.
*/
public static boolean supportsKeyManagerFactory() {
return SUPPORTS_KEYMANAGER_FACTORY;
}
Allow to explicit disable usage of KeyManagerFactory when using OpenSsl Motivation: Sometimes it may be useful to explicit disable the usage of the KeyManagerFactory when using OpenSsl. Modifications: Add io.netty.handler.ssl.openssl.useKeyManagerFactory which can be used to explicit disable KeyManagerFactory usage. Result: More flexible usage.
2016-08-01 22:17:30 +02:00
static boolean useKeyManagerFactory() {
return USE_KEYMANAGER_FACTORY;
}
Check for errors without object allocation Motivation: At the moment we use SSL.getLastError() in unwrap(...) to check for error. This is very inefficient as it creates a new String for each check and we also use a String.startsWith(...) to detect if there was an error we need to handle. Modifications: Use SSL.getLastErrorNumber() to detect if we need to handle an error, as this only returns a long and so no String creation happens. Also the detection is much cheaper as we can now only compare longs. Once an error is detected the lately SSL.getErrorString(long) is used to conver the error number to a String and include it in log and exception message. Result: Performance improvements in OpenSslEngine.unwrap(...) due less object allocation and also faster comparations.
2014-10-17 16:11:40 +02:00
static boolean isError(long errorCode) {
return errorCode != SSL.SSL_ERROR_NONE;
Add OpenSslClientContext to allow creating SslEngine for client side Motivation: We only support openssl for server side at the moment but it would be also useful for client side. Modification: * Upgrade to new netty-tcnative snapshot to support client side openssl support * Add OpenSslClientContext which can be used to create SslEngine for client side usage * Factor out common logic between OpenSslClientContext and OpenSslServerContent into new abstract base class called OpenSslContext * Correctly detect handshake failures as soon as possible * Guard against segfault caused by multiple calls to destroyPools(). This can happen if OpenSslContext throws an exception in the constructor and the finalize() method is called later during GC Result: openssl can be used for client and servers now.
2014-10-13 13:21:29 +02:00
}
[#4828] OpenSslContext throws UnsupportedOperationException when Unsafe not available Motivation: OpenSslContext constructor fails with a UnsupportedOperationException if Unsafe is not present on the system. Modifications: Make OpenSslContext work also when Unsafe is not present by fallback to using JNI to get the memory address. Result: Using OpenSslContext also works on systems without Unsafe.
2016-02-03 20:50:57 +01:00
static long memoryAddress(ByteBuf buf) {
assert buf.isDirect();
return buf.hasMemoryAddress() ? buf.memoryAddress() : Buffer.address(buf.nioBuffer());
}
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
private OpenSsl() { }
Adding support for tcnative uber jar Motivation: We want to allow the use of an uber jar that contains the shared libraries for all platforms. Modifications: Modified OpenSsl to first check for a platform-specific lib before using the default lib. Result: uber support.
2016-02-19 18:20:35 +01:00
Support preloading of tcnative share lib Motivation: Some applications may use alternative methods of loading the tcnative JNI symbols. We should support this use case. Modifications: Separate the loading and initialzation of the tcnative library so that each can fail independently. Result: Fixes #5043
2016-04-11 18:06:48 +02:00
private static void loadTcNative() throws Exception {
String os = normalizeOs(SystemPropertyUtil.get("os.name", ""));
String arch = normalizeArch(SystemPropertyUtil.get("os.arch", ""));
Set<String> libNames = new LinkedHashSet<String>(3);
// First, try loading the platform-specific library. Platform-specific
// libraries will be available if using a tcnative uber jar.
libNames.add("netty-tcnative-" + os + '-' + arch);
if (LINUX.equalsIgnoreCase(os)) {
// Fedora SSL lib so naming (libssl.so.10 vs libssl.so.1.0.0)..
libNames.add("netty-tcnative-" + os + '-' + arch + "-fedora");
}
// finally the default library.
libNames.add("netty-tcnative");
NativeLibraryLoader.loadFirstAvailable(SSL.class.getClassLoader(),
libNames.toArray(new String[libNames.size()]));
}
private static void initializeTcNative() throws Exception {
Library.initialize("provided");
SSL.initialize(null);
}
Adding support for tcnative uber jar Motivation: We want to allow the use of an uber jar that contains the shared libraries for all platforms. Modifications: Modified OpenSsl to first check for a platform-specific lib before using the default lib. Result: uber support.
2016-02-19 18:20:35 +01:00
private static String normalizeOs(String value) {
value = normalize(value);
if (value.startsWith("aix")) {
return "aix";
}
if (value.startsWith("hpux")) {
return "hpux";
}
if (value.startsWith("os400")) {
// Avoid the names such as os4000
if (value.length() <= 5 || !Character.isDigit(value.charAt(5))) {
return "os400";
}
}
Adding support for tcnative fedora flavour in uber jar Motivation: We want to allow the use of an uber jar that contains shared dynamic libraries for all platforms (including fedora). Modifications: Modified OpenSsl to try and load the fedora library if the OS is Linux and the platform specified library fails before using the default lib. Result: True uber support.
2016-03-02 20:18:45 +01:00
if (value.startsWith(LINUX)) {
return LINUX;
Adding support for tcnative uber jar Motivation: We want to allow the use of an uber jar that contains the shared libraries for all platforms. Modifications: Modified OpenSsl to first check for a platform-specific lib before using the default lib. Result: uber support.
2016-02-19 18:20:35 +01:00
}
if (value.startsWith("macosx") || value.startsWith("osx")) {
return "osx";
}
if (value.startsWith("freebsd")) {
return "freebsd";
}
if (value.startsWith("openbsd")) {
return "openbsd";
}
if (value.startsWith("netbsd")) {
return "netbsd";
}
if (value.startsWith("solaris") || value.startsWith("sunos")) {
return "sunos";
}
if (value.startsWith("windows")) {
return "windows";
}
return UNKNOWN;
}
private static String normalizeArch(String value) {
value = normalize(value);
if (value.matches("^(x8664|amd64|ia32e|em64t|x64)$")) {
return "x86_64";
}
if (value.matches("^(x8632|x86|i[3-6]86|ia32|x32)$")) {
return "x86_32";
}
if (value.matches("^(ia64|itanium64)$")) {
return "itanium_64";
}
if (value.matches("^(sparc|sparc32)$")) {
return "sparc_32";
}
if (value.matches("^(sparcv9|sparc64)$")) {
return "sparc_64";
}
if (value.matches("^(arm|arm32)$")) {
return "arm_32";
}
if ("aarch64".equals(value)) {
return "aarch_64";
}
if (value.matches("^(ppc|ppc32)$")) {
return "ppc_32";
}
if ("ppc64".equals(value)) {
return "ppc_64";
}
if ("ppc64le".equals(value)) {
return "ppcle_64";
}
if ("s390".equals(value)) {
return "s390_32";
}
if ("s390x".equals(value)) {
return "s390_64";
}
return UNKNOWN;
}
private static String normalize(String value) {
return value.toLowerCase(Locale.US).replaceAll("[^a-z0-9]+", "");
}
Ensure we only call ReferenceCountUtil.safeRelease(...) in finalize() if the refCnt() > 0 Motivation: We need to ensure we only call ReferenceCountUtil.safeRelease(...) in finalize() if the refCnt() > 0 as otherwise we will log a message about IllegalReferenceCountException. Modification: Check for a refCnt() > 0 before try to release Result: No more IllegalReferenceCountException produced when run finalize() on OpenSsl* objects that where explicit released before.
2016-08-09 18:14:22 +02:00
static void releaseIfNeeded(ReferenceCounted counted) {
if (counted.refCnt() > 0) {
ReferenceCountUtil.safeRelease(counted);
}
}
Add an OpenSslEngine and the universal API for enabling SSL Motivation: Some users already use an SSLEngine implementation in finagle-native. It wraps OpenSSL to get higher SSL performance. However, to take advantage of it, finagle-native must be compiled manually, and it means we cannot pull it in as a dependency and thus we cannot test our SslHandler against the OpenSSL-based SSLEngine. For an instance, we had #2216. Because the construction procedures of JDK SSLEngine and OpenSslEngine are very different from each other, we also need to provide a universal way to enable SSL in a Netty application. Modifications: - Pull netty-tcnative in as an optional dependency. http://netty.io/wiki/forked-tomcat-native.html - Backport NativeLibraryLoader from 4.0 - Move OpenSSL-based SSLEngine implementation into our code base. - Copied from finagle-native; originally written by @jpinner et al. - Overall cleanup by @trustin. - Run all SslHandler tests with both default SSLEngine and OpenSslEngine - Add a unified API for creating an SSL context - SslContext allows you to create a new SSLEngine or a new SslHandler with your PKCS#8 key and X.509 certificate chain. - Add JdkSslContext and its subclasses - Add OpenSslServerContext - Add ApplicationProtocolSelector to ensure the future support for NPN (NextProtoNego) and ALPN (Application Layer Protocol Negotiation) on the client-side. - Add SimpleTrustManagerFactory to help a user write a TrustManagerFactory easily, which should be useful for those who need to write an alternative verification mechanism. For example, we can use it to implement an unsafe TrustManagerFactory that accepts self-signed certificates for testing purposes. - Add InsecureTrustManagerFactory and FingerprintTrustManager for quick and dirty testing - Add SelfSignedCertificate class which generates a self-signed X.509 certificate very easily. - Update all our examples to use SslContext.newClient/ServerContext() - SslHandler now logs the chosen cipher suite when handshake is finished. Result: - Cleaner unified API for configuring an SSL client and an SSL server regardless of its internal implementation. - When native libraries are available, OpenSSL-based SSLEngine implementation is selected automatically to take advantage of its performance benefit. - Examples take advantage of this modification and thus are cleaner.
2014-05-17 19:26:01 +02:00
}