Allow to explicit disable usage of KeyManagerFactory when using OpenSsl

Motivation:

Sometimes it may be useful to explicit disable the usage of the KeyManagerFactory when using OpenSsl.

Modifications:

Add io.netty.handler.ssl.openssl.useKeyManagerFactory which can be used to explicitly disable KeyManagerFactory usage.

Result:

More flexible usage.
Norman Maurer 2016-08-01 22:17:30 +02:00
parent 5513514d08
commit e5b45f120a
3 changed files with 19 additions and 2 deletions


@ -28,6 +28,8 @@ import org.apache.tomcat.jni.Pool;
import org.apache.tomcat.jni.SSL;
import org.apache.tomcat.jni.SSLContext;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
@ -50,6 +52,7 @@ public final class OpenSsl {
private static final Set<String> AVAILABLE_OPENSSL_CIPHER_SUITES;
private static final Set<String> AVAILABLE_JAVA_CIPHER_SUITES;
private static final boolean SUPPORTS_KEYMANAGER_FACTORY;
private static final boolean USE_KEYMANAGER_FACTORY;
// Protocols
static final String PROTOCOL_SSL_V2_HELLO = "SSLv2Hello";
@ -120,6 +123,7 @@ public final class OpenSsl {
if (cause == null) {
final Set<String> availableOpenSslCipherSuites = new LinkedHashSet<String>(128);
boolean supportsKeyManagerFactory = false;
boolean useKeyManagerFactory = false;
final long aprPool = Pool.create(0);
try {
final long sslCtx = SSLContext.make(aprPool, SSL.SSL_PROTOCOL_ALL, SSL.SSL_MODE_SERVER);
@ -142,6 +146,13 @@ public final class OpenSsl {
certBio = OpenSslContext.toBIO(cert.cert());
SSL.setCertificateChainBio(ssl, certBio, false);
supportsKeyManagerFactory = true;
useKeyManagerFactory = AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
@Override
public Boolean run() {
return SystemPropertyUtil.getBoolean(
"io.netty.handler.ssl.openssl.useKeyManagerFactory", true);
}
});
} catch (Throwable ignore) {
logger.debug("KeyManagerFactory not supported.");
}
@ -183,11 +194,13 @@ public final class OpenSsl {
}
AVAILABLE_CIPHER_SUITES = availableCipherSuites;
SUPPORTS_KEYMANAGER_FACTORY = supportsKeyManagerFactory;
USE_KEYMANAGER_FACTORY = useKeyManagerFactory;
} else {
AVAILABLE_OPENSSL_CIPHER_SUITES = Collections.emptySet();
AVAILABLE_JAVA_CIPHER_SUITES = Collections.emptySet();
AVAILABLE_CIPHER_SUITES = Collections.emptySet();
SUPPORTS_KEYMANAGER_FACTORY = false;
USE_KEYMANAGER_FACTORY = false;
}
}
@ -296,6 +309,10 @@ public final class OpenSsl {
return SUPPORTS_KEYMANAGER_FACTORY;
}
static boolean useKeyManagerFactory() {
return USE_KEYMANAGER_FACTORY;
}
static boolean isError(long errorCode) {
return errorCode != SSL.SSL_ERROR_NONE;
}
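Review bot: The new `useKeyManagerFactory()` accessor at the end of the section has no Javadoc, and its contract is only implied by statement order: `USE_KEYMANAGER_FACTORY` is assigned inside the try after `supportsKeyManagerFactory = true`, so it is true only when the native probe succeeded and `io.netty.handler.ssl.openssl.useKeyManagerFactory` was not set to false, and both flags are fixed once at class initialization. I would add `/** Returns {@code true} if a {@code KeyManagerFactory} can be used with OpenSSL: native support was detected and {@code -Dio.netty.handler.ssl.openssl.useKeyManagerFactory} has not been set to {@code false}. Evaluated once when this class initializes. */` above the method. Because the probe's `catch (Throwable ignore)` now also covers the property lookup, a failure there would log "KeyManagerFactory not supported." while `SUPPORTS_KEYMANAGER_FACTORY` stays true; computing `useKeyManagerFactory = supportsKeyManagerFactory && <property value>` after the try would keep the two flags consistent, and logging the effective value at debug level would let an operator confirm that an override took effect.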


@ -204,7 +204,7 @@ public final class OpenSslClientContext extends OpenSslContext {
}
synchronized (OpenSslContext.class) {
try {
if (!OpenSsl.supportsKeyManagerFactory()) {
if (!OpenSsl.useKeyManagerFactory()) {
if (keyManagerFactory != null) {
throw new IllegalArgumentException(
"KeyManagerFactory not supported");


@ -352,7 +352,7 @@ public final class OpenSslServerContext extends OpenSslContext {
synchronized (OpenSslContext.class) {
try {
SSLContext.setVerify(ctx, SSL.SSL_CVERIFY_NONE, VERIFY_DEPTH);
if (!OpenSsl.supportsKeyManagerFactory()) {
if (!OpenSsl.useKeyManagerFactory()) {
if (keyManagerFactory != null) {
throw new IllegalArgumentException(
"KeyManagerFactory not supported");