diff --git a/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java b/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java index 88d7604f53..a1516702b7 100644 --- a/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java +++ b/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java @@ -28,6 +28,8 @@ import org.apache.tomcat.jni.Pool; import org.apache.tomcat.jni.SSL; import org.apache.tomcat.jni.SSLContext; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.Arrays; import java.util.Collections; import java.util.HashSet; @@ -50,6 +52,7 @@ public final class OpenSsl { private static final Set AVAILABLE_OPENSSL_CIPHER_SUITES; private static final Set AVAILABLE_JAVA_CIPHER_SUITES; private static final boolean SUPPORTS_KEYMANAGER_FACTORY; + private static final boolean USE_KEYMANAGER_FACTORY; // Protocols static final String PROTOCOL_SSL_V2_HELLO = "SSLv2Hello"; @@ -120,6 +123,7 @@ public final class OpenSsl { if (cause == null) { final Set availableOpenSslCipherSuites = new LinkedHashSet(128); boolean supportsKeyManagerFactory = false; + boolean useKeyManagerFactory = false; final long aprPool = Pool.create(0); try { final long sslCtx = SSLContext.make(aprPool, SSL.SSL_PROTOCOL_ALL, SSL.SSL_MODE_SERVER); @@ -142,6 +146,13 @@ public final class OpenSsl { certBio = OpenSslContext.toBIO(cert.cert()); SSL.setCertificateChainBio(ssl, certBio, false); supportsKeyManagerFactory = true; + useKeyManagerFactory = AccessController.doPrivileged(new PrivilegedAction() { + @Override + public Boolean run() { + return SystemPropertyUtil.getBoolean( + "io.netty.handler.ssl.openssl.useKeyManagerFactory", true); + } + }); } catch (Throwable ignore) { logger.debug("KeyManagerFactory not supported."); } @@ -183,11 +194,13 @@ public final class OpenSsl { } AVAILABLE_CIPHER_SUITES = availableCipherSuites; SUPPORTS_KEYMANAGER_FACTORY = supportsKeyManagerFactory; + USE_KEYMANAGER_FACTORY = useKeyManagerFactory; } else { AVAILABLE_OPENSSL_CIPHER_SUITES = Collections.emptySet(); AVAILABLE_JAVA_CIPHER_SUITES = Collections.emptySet(); AVAILABLE_CIPHER_SUITES = Collections.emptySet(); SUPPORTS_KEYMANAGER_FACTORY = false; + USE_KEYMANAGER_FACTORY = false; } } @@ -296,6 +309,10 @@ public final class OpenSsl { return SUPPORTS_KEYMANAGER_FACTORY; } + static boolean useKeyManagerFactory() { + return USE_KEYMANAGER_FACTORY; + } + static boolean isError(long errorCode) { return errorCode != SSL.SSL_ERROR_NONE; } diff --git a/handler/src/main/java/io/netty/handler/ssl/OpenSslClientContext.java b/handler/src/main/java/io/netty/handler/ssl/OpenSslClientContext.java index 5a5be8b3ce..b04a3485c2 100644 --- a/handler/src/main/java/io/netty/handler/ssl/OpenSslClientContext.java +++ b/handler/src/main/java/io/netty/handler/ssl/OpenSslClientContext.java @@ -204,7 +204,7 @@ public final class OpenSslClientContext extends OpenSslContext { } synchronized (OpenSslContext.class) { try { - if (!OpenSsl.supportsKeyManagerFactory()) { + if (!OpenSsl.useKeyManagerFactory()) { if (keyManagerFactory != null) { throw new IllegalArgumentException( "KeyManagerFactory not supported"); diff --git a/handler/src/main/java/io/netty/handler/ssl/OpenSslServerContext.java b/handler/src/main/java/io/netty/handler/ssl/OpenSslServerContext.java index 4986388d07..82ba578c46 100644 --- a/handler/src/main/java/io/netty/handler/ssl/OpenSslServerContext.java +++ b/handler/src/main/java/io/netty/handler/ssl/OpenSslServerContext.java @@ -352,7 +352,7 @@ public final class OpenSslServerContext extends OpenSslContext { synchronized (OpenSslContext.class) { try { SSLContext.setVerify(ctx, SSL.SSL_CVERIFY_NONE, VERIFY_DEPTH); - if (!OpenSsl.supportsKeyManagerFactory()) { + if (!OpenSsl.useKeyManagerFactory()) { if (keyManagerFactory != null) { throw new IllegalArgumentException( "KeyManagerFactory not supported");