Add unified NextProtoNego extension support to SslContext

Motivation:

- OpenSslEngine and JDK SSLEngine (+ Jetty NPN) have different APIs to
  support NextProtoNego extension.
  - It is impossible to configure NPN with SslContext when the provider
    type is JDK.

Modification:

- Implement NextProtoNego extension by overriding the behavior of
  SSLSession.getProtocol() for both OpenSSLEngine and JDK SSLEngine.
  - SSLEngine.getProtocol() returns a string delimited by a colon (':')
    where the first component is the transport protosol (e.g. TLSv1.2)
    and the second component is the name of the application protocol
- Remove the direct reference of Jetty NPN classes from the examples
- Add SslContext.newApplicationProtocolSelector

Result:

- A user can now use both JDK SSLEngine and OpenSslEngine for NPN-based
  protocols such as HTTP2 and SPDY
This commit is contained in:
Trustin Lee 2014-05-21 17:21:18 +09:00
parent d4f2488eac
commit 861ed1e7ad
17 changed files with 634 additions and 178 deletions

View File

@ -27,8 +27,8 @@ import io.netty.handler.codec.http.HttpHeaders;
import io.netty.handler.codec.http.HttpMethod; import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpRequest; import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpVersion; import io.netty.handler.codec.http.HttpVersion;
import io.netty.handler.codec.spdy.SpdyOrHttpChooser.SelectedProtocol;
import io.netty.handler.ssl.SslContext; import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory; import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import javax.net.ssl.SSLException; import javax.net.ssl.SSLException;
@ -60,7 +60,13 @@ public class SpdyClient {
private EventLoopGroup workerGroup; private EventLoopGroup workerGroup;
public SpdyClient(String host, int port) throws SSLException { public SpdyClient(String host, int port) throws SSLException {
sslCtx = SslContext.newClientContext(SslProvider.JDK, InsecureTrustManagerFactory.INSTANCE); sslCtx = SslContext.newClientContext(
null, InsecureTrustManagerFactory.INSTANCE, null,
SslContext.newApplicationProtocolSelector(
SelectedProtocol.SPDY_3_1.protocolName(),
SelectedProtocol.HTTP_1_1.protocolName()),
0, 0);
this.host = host; this.host = host;
this.port = port; this.port = port;
httpResponseHandler = new HttpResponseClientHandler(); httpResponseHandler = new HttpResponseClientHandler();

View File

@ -23,10 +23,6 @@ import io.netty.handler.codec.spdy.SpdyHttpDecoder;
import io.netty.handler.codec.spdy.SpdyHttpEncoder; import io.netty.handler.codec.spdy.SpdyHttpEncoder;
import io.netty.handler.codec.spdy.SpdySessionHandler; import io.netty.handler.codec.spdy.SpdySessionHandler;
import io.netty.handler.ssl.SslContext; import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslHandler;
import org.eclipse.jetty.npn.NextProtoNego;
import javax.net.ssl.SSLEngine;
import static io.netty.handler.codec.spdy.SpdyVersion.*; import static io.netty.handler.codec.spdy.SpdyVersion.*;
import static io.netty.util.internal.logging.InternalLogLevel.*; import static io.netty.util.internal.logging.InternalLogLevel.*;
@ -45,14 +41,8 @@ public class SpdyClientInitializer extends ChannelInitializer<SocketChannel> {
@Override @Override
public void initChannel(SocketChannel ch) throws Exception { public void initChannel(SocketChannel ch) throws Exception {
SslHandler sslHandler = sslCtx.newHandler(ch.alloc());
SSLEngine engine = sslHandler.engine();
NextProtoNego.put(engine, new SpdyClientProvider());
NextProtoNego.debug = true;
ChannelPipeline pipeline = ch.pipeline(); ChannelPipeline pipeline = ch.pipeline();
pipeline.addLast("ssl", sslCtx.newHandler(ch.alloc()));
pipeline.addLast("ssl", sslHandler);
pipeline.addLast("spdyFrameCodec", new SpdyFrameCodec(SPDY_3_1)); pipeline.addLast("spdyFrameCodec", new SpdyFrameCodec(SPDY_3_1));
pipeline.addLast("spdyFrameLogger", new SpdyFrameLogger(INFO)); pipeline.addLast("spdyFrameLogger", new SpdyFrameLogger(INFO));
pipeline.addLast("spdySessionHandler", new SpdySessionHandler(SPDY_3_1, false)); pipeline.addLast("spdySessionHandler", new SpdySessionHandler(SPDY_3_1, false));

View File

@ -1,58 +0,0 @@
/*
* Copyright 2014 The Netty Project
*
* The Netty Project licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
package io.netty.example.spdy.client;
import org.eclipse.jetty.npn.NextProtoNego.ClientProvider;
import java.util.List;
import static io.netty.handler.codec.spdy.SpdyOrHttpChooser.SelectedProtocol.*;
/**
* The Jetty project provides an implementation of the Transport Layer Security (TLS) extension for Next Protocol
* Negotiation (NPN) for OpenJDK 7 or greater. NPN allows the application layer to negotiate which protocol to use
* over the secure connection.
* <p>
* This NPN service provider negotiates using SPDY.
* <p>
* To enable NPN support, start the JVM with: {@code java -Xbootclasspath/p:<path_to_npn_boot_jar> ...}. The
* "path_to_npn_boot_jar" is the path on the file system for the NPN Boot Jar file which can be downloaded from Maven
* at coordinates org.mortbay.jetty.npn:npn-boot. Different versions applies to different OpenJDK versions.
*
* @see <a href="http://www.eclipse.org/jetty/documentation/current/npn-chapter.html">Jetty documentation</a>
*/
public class SpdyClientProvider implements ClientProvider {
private String selectedProtocol;
@Override
public String selectProtocol(List<String> protocols) {
if (protocols.contains(SPDY_3_1.protocolName())) {
return SPDY_3_1.protocolName();
}
return selectedProtocol;
}
@Override
public boolean supports() {
return true;
}
@Override
public void unsupported() {
selectedProtocol = HTTP_1_1.protocolName();
}
}

View File

@ -17,7 +17,6 @@ package io.netty.example.spdy.server;
import io.netty.channel.ChannelInboundHandler; import io.netty.channel.ChannelInboundHandler;
import io.netty.handler.codec.spdy.SpdyOrHttpChooser; import io.netty.handler.codec.spdy.SpdyOrHttpChooser;
import org.eclipse.jetty.npn.NextProtoNego;
import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngine;
import java.util.logging.Logger; import java.util.logging.Logger;
@ -41,8 +40,8 @@ public class SpdyOrHttpHandler extends SpdyOrHttpChooser {
@Override @Override
protected SelectedProtocol getProtocol(SSLEngine engine) { protected SelectedProtocol getProtocol(SSLEngine engine) {
SpdyServerProvider provider = (SpdyServerProvider) NextProtoNego.get(engine); String[] protocol = engine.getSession().getProtocol().split(":");
SelectedProtocol selectedProtocol = provider.getSelectedProtocol(); SelectedProtocol selectedProtocol = SelectedProtocol.protocol(protocol[1]);
logger.info("Selected Protocol is " + selectedProtocol); logger.info("Selected Protocol is " + selectedProtocol);
return selectedProtocol; return selectedProtocol;

View File

@ -21,10 +21,12 @@ import io.netty.channel.ChannelOption;
import io.netty.channel.EventLoopGroup; import io.netty.channel.EventLoopGroup;
import io.netty.channel.nio.NioEventLoopGroup; import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.nio.NioServerSocketChannel; import io.netty.channel.socket.nio.NioServerSocketChannel;
import io.netty.handler.codec.spdy.SpdyOrHttpChooser.SelectedProtocol;
import io.netty.handler.ssl.SslContext; import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.util.SelfSignedCertificate; import io.netty.handler.ssl.util.SelfSignedCertificate;
import java.util.Arrays;
/** /**
* A SPDY Server that responds to a GET request with a Hello World. * A SPDY Server that responds to a GET request with a Hello World.
* <p> * <p>
@ -72,7 +74,6 @@ public class SpdyServer {
} }
public static void main(String[] args) throws Exception { public static void main(String[] args) throws Exception {
checkForNpnSupport();
int port; int port;
if (args.length > 0) { if (args.length > 0) {
port = Integer.parseInt(args[0]); port = Integer.parseInt(args[0]);
@ -86,21 +87,13 @@ public class SpdyServer {
// Configure SSL. // Configure SSL.
SelfSignedCertificate ssc = new SelfSignedCertificate(); SelfSignedCertificate ssc = new SelfSignedCertificate();
SslContext sslCtx = SslContext.newServerContext(SslProvider.JDK, ssc.certificate(), ssc.privateKey()); SslContext sslCtx = SslContext.newServerContext(
ssc.certificate(), ssc.privateKey(), null, null,
Arrays.asList(
SelectedProtocol.SPDY_3_1.protocolName(),
SelectedProtocol.HTTP_1_1.protocolName()),
0, 0);
new SpdyServer(sslCtx, port).run(); new SpdyServer(sslCtx, port).run();
} }
private static void checkForNpnSupport() {
try {
Class.forName("sun.security.ssl.NextProtoNegoExtension");
} catch (ClassNotFoundException ignored) {
System.err.println();
System.err.println("Could not locate Next Protocol Negotiation (NPN) implementation.");
System.err.println("The NPN jar should have been made available when building the examples with maven.");
System.err.println("Please check that your JDK is among those supported by Jetty-NPN:");
System.err.println("http://wiki.eclipse.org/Jetty/Feature/NPN#Versions");
System.err.println();
throw new IllegalStateException("Could not locate NPN implementation. See console err for details.");
}
}
} }

View File

@ -19,10 +19,6 @@ import io.netty.channel.ChannelInitializer;
import io.netty.channel.ChannelPipeline; import io.netty.channel.ChannelPipeline;
import io.netty.channel.socket.SocketChannel; import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.SslContext; import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslHandler;
import org.eclipse.jetty.npn.NextProtoNego;
import javax.net.ssl.SSLEngine;
/** /**
* Sets up the Netty pipeline * Sets up the Netty pipeline
@ -38,15 +34,7 @@ public class SpdyServerInitializer extends ChannelInitializer<SocketChannel> {
@Override @Override
public void initChannel(SocketChannel ch) throws Exception { public void initChannel(SocketChannel ch) throws Exception {
ChannelPipeline p = ch.pipeline(); ChannelPipeline p = ch.pipeline();
p.addLast("ssl", sslCtx.newHandler(ch.alloc()));
SslHandler sslHandler = sslCtx.newHandler(ch.alloc());
SSLEngine engine = sslHandler.engine();
p.addLast("ssl", sslHandler);
// Setup NextProtoNego with our server provider
NextProtoNego.put(engine, new SpdyServerProvider());
NextProtoNego.debug = true;
// Negotiates with the browser if SPDY or HTTP is going to be used // Negotiates with the browser if SPDY or HTTP is going to be used
p.addLast("handler", new SpdyOrHttpHandler()); p.addLast("handler", new SpdyOrHttpHandler());
} }

View File

@ -1,63 +0,0 @@
/*
* Copyright 2014 The Netty Project
*
* The Netty Project licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
package io.netty.example.spdy.server;
import io.netty.handler.codec.spdy.SpdyOrHttpChooser;
import org.eclipse.jetty.npn.NextProtoNego.ServerProvider;
import java.util.Arrays;
import java.util.List;
/**
* The Jetty project provides an implementation of the Transport Layer Security (TLS) extension for Next
* Protocol Negotiation (NPN) for OpenJDK 7 or greater. NPN allows the application layer to negotiate which
* protocol to use over the secure connection.
* <p>
* This NPN service provider negotiates using SPDY.
* <p>
* To enable NPN support, start the JVM with: {@code java -Xbootclasspath/p:<path_to_npn_boot_jar> ...}. The
* "path_to_npn_boot_jar" is the path on the file system for the NPN Boot Jar file which can be downloaded from
* Maven at coordinates org.mortbay.jetty.npn:npn-boot. Different versions applies to different OpenJDK versions.
*
* @see <a href="http://www.eclipse.org/jetty/documentation/current/npn-chapter.html">Jetty documentation</a>
*/
public class SpdyServerProvider implements ServerProvider {
private String selectedProtocol;
@Override
public void unsupported() {
// if unsupported, default to http/1.1
selectedProtocol = "http/1.1";
}
@Override
public List<String> protocols() {
return Arrays.asList("spdy/3.1", "http/1.1");
}
@Override
public void protocolSelected(String protocol) {
selectedProtocol = protocol;
}
public SpdyOrHttpChooser.SelectedProtocol getSelectedProtocol() {
if (selectedProtocol == null) {
return SpdyOrHttpChooser.SelectedProtocol.UNKNOWN;
}
return SpdyOrHttpChooser.SelectedProtocol.protocol(selectedProtocol);
}
}

View File

@ -55,6 +55,17 @@
<artifactId>bcpkix-jdk15on</artifactId> <artifactId>bcpkix-jdk15on</artifactId>
<optional>true</optional> <optional>true</optional>
</dependency> </dependency>
<dependency>
<groupId>org.eclipse.jetty.npn</groupId>
<artifactId>npn-api</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.mortbay.jetty.npn</groupId>
<artifactId>npn-boot</artifactId>
<scope>provided</scope>
<optional>true</optional>
</dependency>
</dependencies> </dependencies>
</project> </project>

View File

@ -20,6 +20,7 @@ import io.netty.buffer.ByteBuf;
import io.netty.buffer.ByteBufInputStream; import io.netty.buffer.ByteBufInputStream;
import javax.net.ssl.SSLContext; import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException; import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSessionContext; import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManager;
@ -38,6 +39,7 @@ import java.util.List;
public final class JdkSslClientContext extends JdkSslContext { public final class JdkSslClientContext extends JdkSslContext {
private final SSLContext ctx; private final SSLContext ctx;
private final ApplicationProtocolSelector nextProtocolSelector;
/** /**
* Creates a new instance. * Creates a new instance.
@ -105,10 +107,12 @@ public final class JdkSslClientContext extends JdkSslContext {
super(ciphers); super(ciphers);
if (nextProtocolSelector != null) { if (nextProtocolSelector != null && !JettyNpnSslEngine.isAvailable()) {
throw new SSLException("NPN/ALPN unsupported: " + nextProtocolSelector); throw new SSLException("NPN/ALPN unsupported: " + nextProtocolSelector);
} }
this.nextProtocolSelector = nextProtocolSelector;
try { try {
if (certChainFile == null) { if (certChainFile == null) {
ctx = SSLContext.getInstance(PROTOCOL); ctx = SSLContext.getInstance(PROTOCOL);
@ -166,7 +170,7 @@ public final class JdkSslClientContext extends JdkSslContext {
@Override @Override
public ApplicationProtocolSelector nextProtocolSelector() { public ApplicationProtocolSelector nextProtocolSelector() {
return null; return nextProtocolSelector;
} }
@Override @Override
@ -178,4 +182,13 @@ public final class JdkSslClientContext extends JdkSslContext {
public SSLContext context() { public SSLContext context() {
return ctx; return ctx;
} }
@Override
SSLEngine wrapEngine(SSLEngine engine) {
if (nextProtocolSelector == null) {
return engine;
} else {
return new JettyNpnSslEngine(engine, nextProtocolSelector);
}
}
} }

View File

@ -153,7 +153,7 @@ public abstract class JdkSslContext extends SslContext {
engine.setEnabledCipherSuites(cipherSuites); engine.setEnabledCipherSuites(cipherSuites);
engine.setEnabledProtocols(PROTOCOLS); engine.setEnabledProtocols(PROTOCOLS);
engine.setUseClientMode(isClient()); engine.setUseClientMode(isClient());
return engine; return wrapEngine(engine);
} }
@Override @Override
@ -162,9 +162,11 @@ public abstract class JdkSslContext extends SslContext {
engine.setEnabledCipherSuites(cipherSuites); engine.setEnabledCipherSuites(cipherSuites);
engine.setEnabledProtocols(PROTOCOLS); engine.setEnabledProtocols(PROTOCOLS);
engine.setUseClientMode(isClient()); engine.setUseClientMode(isClient());
return engine; return wrapEngine(engine);
} }
abstract SSLEngine wrapEngine(SSLEngine engine);
private static String[] toCipherSuiteArray(Iterable<String> ciphers) { private static String[] toCipherSuiteArray(Iterable<String> ciphers) {
if (ciphers == null) { if (ciphers == null) {
return DEFAULT_CIPHERS.toArray(new String[DEFAULT_CIPHERS.size()]); return DEFAULT_CIPHERS.toArray(new String[DEFAULT_CIPHERS.size()]);

View File

@ -21,6 +21,7 @@ import io.netty.buffer.ByteBufInputStream;
import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext; import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException; import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSessionContext; import javax.net.ssl.SSLSessionContext;
import java.io.File; import java.io.File;
@ -42,6 +43,7 @@ import java.util.List;
public final class JdkSslServerContext extends JdkSslContext { public final class JdkSslServerContext extends JdkSslContext {
private final SSLContext ctx; private final SSLContext ctx;
private final List<String> nextProtocols;
/** /**
* Creates a new instance. * Creates a new instance.
@ -100,9 +102,23 @@ public final class JdkSslServerContext extends JdkSslContext {
} }
if (nextProtocols != null && nextProtocols.iterator().hasNext()) { if (nextProtocols != null && nextProtocols.iterator().hasNext()) {
if (!JettyNpnSslEngine.isAvailable()) {
throw new SSLException("NPN/ALPN unsupported: " + nextProtocols); throw new SSLException("NPN/ALPN unsupported: " + nextProtocols);
} }
List<String> list = new ArrayList<String>();
for (String p: nextProtocols) {
if (p == null) {
break;
}
list.add(p);
}
this.nextProtocols = Collections.unmodifiableList(list);
} else {
this.nextProtocols = Collections.emptyList();
}
String algorithm = Security.getProperty("ssl.KeyManagerFactory.algorithm"); String algorithm = Security.getProperty("ssl.KeyManagerFactory.algorithm");
if (algorithm == null) { if (algorithm == null) {
algorithm = "SunX509"; algorithm = "SunX509";
@ -173,11 +189,20 @@ public final class JdkSslServerContext extends JdkSslContext {
@Override @Override
public List<String> nextProtocols() { public List<String> nextProtocols() {
return Collections.emptyList(); return nextProtocols;
} }
@Override @Override
public SSLContext context() { public SSLContext context() {
return ctx; return ctx;
} }
@Override
SSLEngine wrapEngine(SSLEngine engine) {
if (nextProtocols.isEmpty()) {
return engine;
} else {
return new JettyNpnSslEngine(engine, nextProtocols);
}
}
} }

View File

@ -0,0 +1,286 @@
/*
* Copyright 2014 The Netty Project
*
* The Netty Project licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
package io.netty.handler.ssl;
import io.netty.util.internal.logging.InternalLogger;
import io.netty.util.internal.logging.InternalLoggerFactory;
import org.eclipse.jetty.npn.NextProtoNego;
import org.eclipse.jetty.npn.NextProtoNego.ClientProvider;
import org.eclipse.jetty.npn.NextProtoNego.ServerProvider;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import java.nio.ByteBuffer;
import java.util.List;
final class JettyNpnSslEngine extends SSLEngine {
private static final InternalLogger logger = InternalLoggerFactory.getInstance(JettyNpnSslEngine.class);
private static boolean available;
static boolean isAvailable() {
updateAvailability();
return available;
}
private static void updateAvailability() {
if (available) {
return;
}
try {
// Try to get the bootstrap class loader.
ClassLoader bootloader = ClassLoader.getSystemClassLoader().getParent();
if (bootloader == null) {
// If failed, use the system class loader,
// although it's not perfect to tell if NPN extension has been loaded.
bootloader = ClassLoader.getSystemClassLoader();
}
Class.forName("sun.security.ssl.NextProtoNegoExtension", true, bootloader);
available = true;
} catch (Exception ignore) {
// npn-boot was not loaded.
}
}
private final SSLEngine engine;
private final JettyNpnSslSession session;
JettyNpnSslEngine(SSLEngine engine, final List<String> nextProtocols) {
assert !nextProtocols.isEmpty();
this.engine = engine;
session = new JettyNpnSslSession(engine);
NextProtoNego.put(engine, new ServerProvider() {
@Override
public void unsupported() {
getSession().setApplicationProtocol(nextProtocols.get(nextProtocols.size() - 1));
}
@Override
public List<String> protocols() {
return nextProtocols;
}
@Override
public void protocolSelected(String protocol) {
getSession().setApplicationProtocol(protocol);
}
});
}
JettyNpnSslEngine(SSLEngine engine, final ApplicationProtocolSelector nextProtocolSelector) {
this.engine = engine;
session = new JettyNpnSslSession(engine);
NextProtoNego.put(engine, new ClientProvider() {
@Override
public boolean supports() {
return true;
}
@Override
public void unsupported() {
session.setApplicationProtocol(null);
}
@Override
public String selectProtocol(List<String> protocols) {
String p = null;
try {
p = nextProtocolSelector.selectProtocol(protocols);
} catch (Exception e) {
logger.warn("Failed to select the next protocol:", e);
}
session.setApplicationProtocol(p);
return p;
}
});
}
@Override
public JettyNpnSslSession getSession() {
return session;
}
@Override
public void closeInbound() throws SSLException {
NextProtoNego.remove(engine);
engine.closeInbound();
}
@Override
public void closeOutbound() {
NextProtoNego.remove(engine);
engine.closeOutbound();
}
@Override
public String getPeerHost() {
return engine.getPeerHost();
}
@Override
public int getPeerPort() {
return engine.getPeerPort();
}
@Override
public SSLEngineResult wrap(ByteBuffer byteBuffer, ByteBuffer byteBuffer2) throws SSLException {
return engine.wrap(byteBuffer, byteBuffer2);
}
@Override
public SSLEngineResult wrap(ByteBuffer[] byteBuffers, ByteBuffer byteBuffer) throws SSLException {
return engine.wrap(byteBuffers, byteBuffer);
}
@Override
public SSLEngineResult wrap(ByteBuffer[] byteBuffers, int i, int i2, ByteBuffer byteBuffer) throws SSLException {
return engine.wrap(byteBuffers, i, i2, byteBuffer);
}
@Override
public SSLEngineResult unwrap(ByteBuffer byteBuffer, ByteBuffer byteBuffer2) throws SSLException {
return engine.unwrap(byteBuffer, byteBuffer2);
}
@Override
public SSLEngineResult unwrap(ByteBuffer byteBuffer, ByteBuffer[] byteBuffers) throws SSLException {
return engine.unwrap(byteBuffer, byteBuffers);
}
@Override
public SSLEngineResult unwrap(ByteBuffer byteBuffer, ByteBuffer[] byteBuffers, int i, int i2) throws SSLException {
return engine.unwrap(byteBuffer, byteBuffers, i, i2);
}
@Override
public Runnable getDelegatedTask() {
return engine.getDelegatedTask();
}
@Override
public boolean isInboundDone() {
return engine.isInboundDone();
}
@Override
public boolean isOutboundDone() {
return engine.isOutboundDone();
}
@Override
public String[] getSupportedCipherSuites() {
return engine.getSupportedCipherSuites();
}
@Override
public String[] getEnabledCipherSuites() {
return engine.getEnabledCipherSuites();
}
@Override
public void setEnabledCipherSuites(String[] strings) {
engine.setEnabledCipherSuites(strings);
}
@Override
public String[] getSupportedProtocols() {
return engine.getSupportedProtocols();
}
@Override
public String[] getEnabledProtocols() {
return engine.getEnabledProtocols();
}
@Override
public void setEnabledProtocols(String[] strings) {
engine.setEnabledProtocols(strings);
}
@Override
public SSLSession getHandshakeSession() {
return engine.getHandshakeSession();
}
@Override
public void beginHandshake() throws SSLException {
engine.beginHandshake();
}
@Override
public HandshakeStatus getHandshakeStatus() {
return engine.getHandshakeStatus();
}
@Override
public void setUseClientMode(boolean b) {
engine.setUseClientMode(b);
}
@Override
public boolean getUseClientMode() {
return engine.getUseClientMode();
}
@Override
public void setNeedClientAuth(boolean b) {
engine.setNeedClientAuth(b);
}
@Override
public boolean getNeedClientAuth() {
return engine.getNeedClientAuth();
}
@Override
public void setWantClientAuth(boolean b) {
engine.setWantClientAuth(b);
}
@Override
public boolean getWantClientAuth() {
return engine.getWantClientAuth();
}
@Override
public void setEnableSessionCreation(boolean b) {
engine.setEnableSessionCreation(b);
}
@Override
public boolean getEnableSessionCreation() {
return engine.getEnableSessionCreation();
}
@Override
public SSLParameters getSSLParameters() {
return engine.getSSLParameters();
}
@Override
public void setSSLParameters(SSLParameters sslParameters) {
engine.setSSLParameters(sslParameters);
}
}

View File

@ -0,0 +1,167 @@
/*
* Copyright 2014 The Netty Project
*
* The Netty Project licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
package io.netty.handler.ssl;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSessionContext;
import javax.security.cert.X509Certificate;
import java.security.Principal;
import java.security.cert.Certificate;
final class JettyNpnSslSession implements SSLSession {
private final SSLEngine engine;
private volatile String applicationProtocol;
JettyNpnSslSession(SSLEngine engine) {
this.engine = engine;
}
void setApplicationProtocol(String applicationProtocol) {
this.applicationProtocol = applicationProtocol;
}
@Override
public String getProtocol() {
final String protocol = unwrap().getProtocol();
final String applicationProtocol = this.applicationProtocol;
if (applicationProtocol == null) {
if (protocol != null) {
return protocol.replace(':', '_');
} else {
return null;
}
}
final StringBuilder buf = new StringBuilder(32);
if (protocol != null) {
buf.append(protocol.replace(':', '_'));
buf.append(':');
} else {
buf.append("null:");
}
buf.append(applicationProtocol);
return buf.toString();
}
private SSLSession unwrap() {
return engine.getSession();
}
@Override
public byte[] getId() {
return unwrap().getId();
}
@Override
public SSLSessionContext getSessionContext() {
return unwrap().getSessionContext();
}
@Override
public long getCreationTime() {
return unwrap().getCreationTime();
}
@Override
public long getLastAccessedTime() {
return unwrap().getLastAccessedTime();
}
@Override
public void invalidate() {
unwrap().invalidate();
}
@Override
public boolean isValid() {
return unwrap().isValid();
}
@Override
public void putValue(String s, Object o) {
unwrap().putValue(s, o);
}
@Override
public Object getValue(String s) {
return unwrap().getValue(s);
}
@Override
public void removeValue(String s) {
unwrap().removeValue(s);
}
@Override
public String[] getValueNames() {
return unwrap().getValueNames();
}
@Override
public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
return unwrap().getPeerCertificates();
}
@Override
public Certificate[] getLocalCertificates() {
return unwrap().getLocalCertificates();
}
@Override
public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
return unwrap().getPeerCertificateChain();
}
@Override
public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
return unwrap().getPeerPrincipal();
}
@Override
public Principal getLocalPrincipal() {
return unwrap().getLocalPrincipal();
}
@Override
public String getCipherSuite() {
return unwrap().getCipherSuite();
}
@Override
public String getPeerHost() {
return unwrap().getPeerHost();
}
@Override
public int getPeerPort() {
return unwrap().getPeerPort();
}
@Override
public int getPacketBufferSize() {
return unwrap().getPacketBufferSize();
}
@Override
public int getApplicationBufferSize() {
return unwrap().getApplicationBufferSize();
}
}

View File

@ -85,7 +85,7 @@ public final class OpenSslEngine extends SSLEngine {
private volatile int destroyed; private volatile int destroyed;
private String cipher; private String cipher;
private String protocol; private volatile String applicationProtocol;
// SSL Engine status variables // SSL Engine status variables
private boolean isInboundDone; private boolean isInboundDone;
@ -95,6 +95,7 @@ public final class OpenSslEngine extends SSLEngine {
private int lastPrimingReadResult; private int lastPrimingReadResult;
private final ByteBufAllocator alloc; private final ByteBufAllocator alloc;
private final String fallbackApplicationProtocol;
private SSLSession session; private SSLSession session;
/** /**
@ -103,7 +104,7 @@ public final class OpenSslEngine extends SSLEngine {
* @param sslCtx an OpenSSL {@code SSL_CTX} object * @param sslCtx an OpenSSL {@code SSL_CTX} object
* @param alloc the {@link ByteBufAllocator} that will be used by this engine * @param alloc the {@link ByteBufAllocator} that will be used by this engine
*/ */
public OpenSslEngine(long sslCtx, ByteBufAllocator alloc) { public OpenSslEngine(long sslCtx, ByteBufAllocator alloc, String fallbackApplicationProtocol) {
OpenSsl.ensureAvailability(); OpenSsl.ensureAvailability();
if (sslCtx == 0) { if (sslCtx == 0) {
throw new NullPointerException("sslContext"); throw new NullPointerException("sslContext");
@ -115,6 +116,7 @@ public final class OpenSslEngine extends SSLEngine {
this.alloc = alloc; this.alloc = alloc;
ssl = SSL.newSSL(sslCtx, true); ssl = SSL.newSSL(sslCtx, true);
networkBIO = SSL.makeNetworkBIO(ssl); networkBIO = SSL.makeNetworkBIO(ssl);
this.fallbackApplicationProtocol = fallbackApplicationProtocol;
} }
/** /**
@ -708,7 +710,13 @@ public final class OpenSslEngine extends SSLEngine {
@Override @Override
public String getProtocol() { public String getProtocol() {
return protocol; // TODO: Figure out how to get the current protocol.
String applicationProtocol = OpenSslEngine.this.applicationProtocol;
if (applicationProtocol == null) {
return "unknown";
} else {
return "unknown:" + applicationProtocol;
}
} }
@Override @Override
@ -796,7 +804,11 @@ public final class OpenSslEngine extends SSLEngine {
if (SSL.isInInit(ssl) == 0) { if (SSL.isInInit(ssl) == 0) {
handshakeFinished = true; handshakeFinished = true;
cipher = SSL.getCipherForSSL(ssl); cipher = SSL.getCipherForSSL(ssl);
protocol = SSL.getNextProtoNegotiated(ssl); String applicationProtocol = SSL.getNextProtoNegotiated(ssl);
if (applicationProtocol == null) {
applicationProtocol = fallbackApplicationProtocol;
}
this.applicationProtocol = applicationProtocol;
return FINISHED; return FINISHED;
} }

View File

@ -310,7 +310,11 @@ public final class OpenSslServerContext extends SslContext {
*/ */
@Override @Override
public SSLEngine newEngine(ByteBufAllocator alloc) { public SSLEngine newEngine(ByteBufAllocator alloc) {
return new OpenSslEngine(ctx, alloc); if (unmodifiableNextProtocols.isEmpty()) {
return new OpenSslEngine(ctx, alloc, null);
} else {
return new OpenSslEngine(ctx, alloc, unmodifiableNextProtocols.get(unmodifiableNextProtocols.size() - 1));
}
} }
@Override @Override

View File

@ -26,6 +26,7 @@ import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.TrustManagerFactory;
import java.io.File; import java.io.File;
import java.util.ArrayList;
import java.util.List; import java.util.List;
/** /**
@ -373,6 +374,83 @@ public abstract class SslContext {
ciphers, nextProtocolSelector, sessionCacheSize, sessionTimeout); ciphers, nextProtocolSelector, sessionCacheSize, sessionTimeout);
} }
/**
* Creates a simple client-side {@link ApplicationProtocolSelector} that selects the most preferred protocol
* among the application protocols sent by the server. If there is no match, it chooses the least preferred one.
*
* @param nextProtocols the list of the supported client-side application protocols, in the order of preference
* @return the new {@link ApplicationProtocolSelector}.
* {@code null} if the specified {@code nextProtocols} does not contain any elements.
*
*/
public static ApplicationProtocolSelector newApplicationProtocolSelector(String... nextProtocols) {
if (nextProtocols == null) {
throw new NullPointerException("nextProtocols");
}
final List<String> list = new ArrayList<String>();
for (String p: nextProtocols) {
if (p == null) {
break;
}
list.add(p);
}
if (list.isEmpty()) {
return null;
}
return newApplicationProtocolSelector(list);
}
private static ApplicationProtocolSelector newApplicationProtocolSelector(final List<String> list) {
return new ApplicationProtocolSelector() {
@Override
public String selectProtocol(List<String> protocols) throws Exception {
for (String p: list) {
if (protocols.contains(p)) {
return p;
}
}
return list.get(list.size() - 1);
}
@Override
public String toString() {
return "ApplicationProtocolSelector(" + list + ')';
}
};
}
/**
* Creates a simple client-side {@link ApplicationProtocolSelector} that selects the most preferred protocol
* among the application protocols sent by the server. If there is no match, it chooses the least preferred one.
*
* @param nextProtocols the list of the supported client-side application protocols, in the order of preference
* @return the new {@link ApplicationProtocolSelector}.
* {@code null} if the specified {@code nextProtocols} does not contain any elements.
*
*/
public static ApplicationProtocolSelector newApplicationProtocolSelector(Iterable<String> nextProtocols) {
if (nextProtocols == null) {
throw new NullPointerException("nextProtocols");
}
final List<String> list = new ArrayList<String>();
for (String p: nextProtocols) {
if (p == null) {
break;
}
list.add(p);
}
if (list.isEmpty()) {
return null;
}
return newApplicationProtocolSelector(list);
}
SslContext() { } SslContext() { }
/** /**

View File

@ -668,6 +668,9 @@
<ignore>sun.security.x509.X500Name</ignore> <ignore>sun.security.x509.X500Name</ignore>
<ignore>sun.security.x509.X509CertInfo</ignore> <ignore>sun.security.x509.X509CertInfo</ignore>
<ignore>sun.security.x509.X509CertImpl</ignore> <ignore>sun.security.x509.X509CertImpl</ignore>
<!-- SSLSession implelementation -->
<ignore>javax.net.ssl.SSLEngine</ignore>
</ignores> </ignores>
</configuration> </configuration>
<executions> <executions>