Examples of SSLHandler

• by.stub.handlers.SslHandler
• com.facebook.presto.jdbc.internal.netty.handler.ssl.SslHandler
  kipedia.org/wiki/Transport_Layer_Security">SSL · TLS and StartTLS support to a {@link Channel}. Please refer to the "SecureChat" example in the distribution or the web site for the detailed usage.

  Beginning the handshake

  You must make sure not to write a message while the {@linkplain #handshake() handshake} is in progress unless you arerenegotiating. You will be notified by the {@link ChannelFuture} which isreturned by the {@link #handshake()} method when the handshakeprocess succeeds or fails.

  Handshake

  If {@link #isIssueHandshake()} is {@code false}(default) you will need to take care of calling {@link #handshake()} by your own. In mostsituations were {@link SslHandler} is used in 'client mode' you want to issue a handshake oncethe connection was established. if {@link #setIssueHandshake(boolean)} is set to {@code true}you don't need to worry about this as the {@link SslHandler} will take care of it.

  Renegotiation

  If {@link #isEnableRenegotiation() enableRenegotiation} is {@code true}(default) and the initial handshake has been done successfully, you can call {@link #handshake()} to trigger the renegotiation.

  If {@link #isEnableRenegotiation() enableRenegotiation} is {@code false}, an attempt to trigger renegotiation will result in the connection closure.

  Please note that TLS renegotiation had a security issue before. If your runtime environment did not fix it, please make sure to disable TLS renegotiation by calling {@link #setEnableRenegotiation(boolean)} with{@code false}. For more information, please refer to the following documents:

  • CVE-2009-3555
  • RFC5746
  • Phased Approach to Fixing the TLS Renegotiation Issue

  Closing the session

  To close the SSL session, the {@link #close()} method should becalled to send the {@code close_notify} message to the remote peer. Oneexception is when you close the {@link Channel} - {@link SslHandler}intercepts the close request and send the {@code close_notify} messagebefore the channel closure automatically. Once the SSL session is closed, it is not reusable, and consequently you should create a new {@link SslHandler} with a new {@link SSLEngine} as explained in thefollowing section.

  Restarting the session

  To restart the SSL session, you must remove the existing closed {@link SslHandler} from the {@link ChannelPipeline}, insert a new {@link SslHandler} with a new {@link SSLEngine} into the pipeline,and start the handshake process as described in the first section.

  Implementing StartTLS

  StartTLS is the communication pattern that secures the wire in the middle of the plaintext connection. Please note that it is different from SSL · TLS, that secures the wire from the beginning of the connection. Typically, StartTLS is composed of three steps:

  1. Client sends a StartTLS request to server.
  2. Server sends a StartTLS response to client.
  3. Client begins SSL handshake.

  If you implement a server, you need to:

  1. create a new {@link SslHandler} instance with {@code startTls} flag setto {@code true},
  2. insert the {@link SslHandler} to the {@link ChannelPipeline}, and
  3. write a StartTLS response.

  Please note that you must insert {@link SslHandler} before sendingthe StartTLS response. Otherwise the client can send begin SSL handshake before {@link SslHandler} is inserted to the {@link ChannelPipeline}, causing data corruption.

  The client-side implementation is much simpler.

  1. Write a StartTLS request,
  2. wait for the StartTLS response,
  3. create a new {@link SslHandler} instance with {@code startTls} flag setto {@code false},
  4. insert the {@link SslHandler} to the {@link ChannelPipeline}, and
  5. Initiate SSL handshake by calling {@link SslHandler#handshake()}.

  Known issues

  Because of a known issue with the current implementation of the SslEngine that comes with Java it may be possible that you see blocked IO-Threads while a full GC is done.

  So if you are affected you can workaround this problem by adjust the cache settings like shown below:

   SslContext context = ...; context.getServerSessionContext().setSessionCacheSize(someSaneSize); context.getServerSessionContext().setSessionTime(someSameTimeout); 

  What values to use here depends on the nature of your application and should be set based on monitoring and debugging of it. For more details see #832 in our issue tracker. @apiviz.landmark @apiviz.uses com.facebook.presto.jdbc.internal.netty.handler.ssl.SslBufferPool

• io.fletty.handler.ssl.SslHandler
• io.netty.handler.ssl.SslHandler
  kipedia.org/wiki/Transport_Layer_Security">SSL · TLS and StartTLS support to a {@link Channel}. Please refer to the "SecureChat" example in the distribution or the web site for the detailed usage.

  Beginning the handshake

  You must make sure not to write a message while the {@linkplain #handshake() handshake} is in progress unless you arerenegotiating. You will be notified by the {@link ChannelFuture} which isreturned by the {@link #handshake()} method when the handshakeprocess succeeds or fails.

  Handshake

  If {@link #isIssueHandshake()} is {@code false}(default) you will need to take care of calling {@link #handshake()} by your own. In most situations were {@link SslHandler} is used in 'client mode'you want to issue a handshake once the connection was established. if {@link #setIssueHandshake(boolean)} is set to true you don't need to worry about this as the {@link SslHandler} will take care of it.

  Renegotiation

  If {@link #isEnableRenegotiation() enableRenegotiation} is {@code true}(default) and the initial handshake has been done successfully, you can call {@link #handshake()} to trigger the renegotiation.

  If {@link #isEnableRenegotiation() enableRenegotiation} is {@code false}, an attempt to trigger renegotiation will result in the connection closure.

  Please note that TLS renegotiation had a security issue before. If your runtime environment did not fix it, please make sure to disable TLS renegotiation by calling {@link #setEnableRenegotiation(boolean)} with{@code false}. For more information, please refer to the following documents:

  • CVE-2009-3555
  • RFC5746
  • Phased Approach to Fixing the TLS Renegotiation Issue

  Closing the session

  To close the SSL session, the {@link #close()} method should becalled to send the {@code close_notify} message to the remote peer. Oneexception is when you close the {@link Channel} - {@link SslHandler}intercepts the close request and send the {@code close_notify} messagebefore the channel closure automatically. Once the SSL session is closed, it is not reusable, and consequently you should create a new {@link SslHandler} with a new {@link SSLEngine} as explained in thefollowing section.

  Restarting the session

  To restart the SSL session, you must remove the existing closed {@link SslHandler} from the {@link ChannelPipeline}, insert a new {@link SslHandler} with a new {@link SSLEngine} into the pipeline,and start the handshake process as described in the first section.

  Implementing StartTLS

  StartTLS is the communication pattern that secures the wire in the middle of the plaintext connection. Please note that it is different from SSL · TLS, that secures the wire from the beginning of the connection. Typically, StartTLS is composed of three steps:

  1. Client sends a StartTLS request to server.
  2. Server sends a StartTLS response to client.
  3. Client begins SSL handshake.

  If you implement a server, you need to:

  1. create a new {@link SslHandler} instance with {@code startTls} flag setto {@code true},
  2. insert the {@link SslHandler} to the {@link ChannelPipeline}, and
  3. write a StartTLS response.

  Please note that you must insert {@link SslHandler} before sendingthe StartTLS response. Otherwise the client can send begin SSL handshake before {@link SslHandler} is inserted to the {@link ChannelPipeline}, causing data corruption.

  The client-side implementation is much simpler.

  1. Write a StartTLS request,
  2. wait for the StartTLS response,
  3. create a new {@link SslHandler} instance with {@code startTls} flag setto {@code false},
  4. insert the {@link SslHandler} to the {@link ChannelPipeline}, and
  5. Initiate SSL handshake by calling {@link SslHandler#handshake()}.

  @apiviz.landmark @apiviz.uses io.netty.handler.ssl.SslBufferPool
• org.apache.mina.filter.support.SSLHandler
  A helper class using the SSLEngine API to decrypt/encrypt data.

  Each connection has a SSLEngine that is used through the lifetime of the connection. We allocate byte buffers for use as the outbound and inbound network buffers. These buffers handle all of the intermediary data for the SSL connection. To make things easy, we'll require outNetBuffer be completely flushed before trying to wrap any more data. @author The Apache Directory Project (mina-dev@directory.apache.org) @version $Rev: 561232 $, $Date: 2007-07-31 14:19:37 +0900 (Tue, 31 Jul 2007) $

• org.jboss.netty.handler.ssl.SslHandler
  kipedia.org/wiki/Transport_Layer_Security">SSL · TLS and StartTLS support to a {@link Channel}. Please refer to the "SecureChat" example in the distribution or the web site for the detailed usage.

  Beginning the handshake

  A user should make sure not to write a message while the {@linkplain #handshake(Channel) handshake} is in progress unless it is arenegotiation. You will be notified by the {@link ChannelFuture} which isreturned by the {@link #handshake(Channel)} method when the handshakeprocess succeeds or fails.

  Renegotiation

  Once the initial handshake is done successfully. You can always call {@link #handshake(Channel)} again to renegotiate the SSL session parameters.

  Closing the session

  To close the SSL session, the {@link #close(Channel)} method should becalled to send the {@code close_notify} message to the remote peer. Oneexception is when you close the {@link Channel} - {@link SslHandler}intercepts the close request and send the {@code close_notify} messagebefore the channel closure automatically. Once the SSL session is closed, it is not reusable, and consequently you should create a new {@link SslHandler} with a new {@link SSLEngine} as explained in thefollowing section.

  Restarting the session

  To restart the SSL session, you must remove the existing closed {@link SslHandler} from the {@link ChannelPipeline}, insert a new {@link SslHandler} with a new {@link SSLEngine} into the pipeline,and start the handshake process as described in the first section. @author The Netty Project (netty-dev@lists.jboss.org) @author Trustin Lee (tlee@redhat.com) @version $Rev: 981 $, $Date: 2009-03-04 23:11:54 +0900 (Wed, 04 Mar 2009) $ @apiviz.landmark @apiviz.uses org.jboss.netty.handler.ssl.SslBufferPool

Examples of org.jboss.netty.handler.ssl.SslHandler

            if (sslOptions != null) {
                SSLEngine engine = sslOptions.context.createSSLEngine();
                engine.setUseClientMode(true);
                engine.setEnabledCipherSuites(sslOptions.cipherSuites);
                SslHandler handler = new SslHandler(engine);
                handler.setCloseOnSSLException(true);
                pipeline.addLast("ssl", handler);
            }

            //pipeline.addLast("debug", new LoggingHandler(InternalLogLevel.INFO));

Examples of org.jboss.netty.handler.ssl.SslHandler

    public ChannelPipeline getPipeline() throws Exception {
        // create a new pipeline
        ChannelPipeline channelPipeline = Channels.pipeline();

        SslHandler sslHandler = configureClientSSLOnDemand();
        if (sslHandler != null) {
            // must close on SSL exception
            sslHandler.setCloseOnSSLException(true);
            LOG.debug("Client SSL handler configured and added to the ChannelPipeline: {}", sslHandler);
            addToPipeline("ssl", channelPipeline, sslHandler);
        }

        List<ChannelHandler> decoders = producer.getConfiguration().getDecoders();

Examples of org.jboss.netty.handler.ssl.SslHandler

        if (producer.getConfiguration().getSslHandler() != null) {
            return producer.getConfiguration().getSslHandler();
        } else if (sslContext != null) {
            SSLEngine engine = sslContext.createSSLEngine();
            engine.setUseClientMode(true);
            return new SslHandler(engine);
        } else {
            if (producer.getConfiguration().getKeyStoreFile() == null && producer.getConfiguration().getKeyStoreResource() == null) {
                LOG.debug("keystorefile is null");
            }
            if (producer.getConfiguration().getTrustStoreFile() == null && producer.getConfiguration().getTrustStoreResource() == null) {
                LOG.debug("truststorefile is null");
            }
            if (producer.getConfiguration().getPassphrase().toCharArray() == null) {
                LOG.debug("passphrase is null");
            }
            SSLEngineFactory sslEngineFactory;
            if (producer.getConfiguration().getKeyStoreFile() != null || producer.getConfiguration().getTrustStoreFile() != null) {
                sslEngineFactory = new SSLEngineFactory(
                    producer.getConfiguration().getKeyStoreFormat(),
                    producer.getConfiguration().getSecurityProvider(),
                    producer.getConfiguration().getKeyStoreFile(),
                    producer.getConfiguration().getTrustStoreFile(),
                    producer.getConfiguration().getPassphrase().toCharArray());
            } else {
                sslEngineFactory = new SSLEngineFactory(producer.getContext().getClassResolver(),
                        producer.getConfiguration().getKeyStoreFormat(),
                        producer.getConfiguration().getSecurityProvider(),
                        producer.getConfiguration().getKeyStoreResource(),
                        producer.getConfiguration().getTrustStoreResource(),
                        producer.getConfiguration().getPassphrase().toCharArray());
            }
            SSLEngine sslEngine = sslEngineFactory.createClientSSLEngine();
            return new SslHandler(sslEngine);
        }
    }

Examples of org.jboss.netty.handler.ssl.SslHandler

    @Override
    public ChannelPipeline getPipeline() throws Exception {
        ChannelPipeline channelPipeline = Channels.pipeline();

        SslHandler sslHandler = configureServerSSLOnDemand();
        if (sslHandler != null) {
            // must close on SSL exception
            sslHandler.setCloseOnSSLException(true);
            LOG.debug("Server SSL handler configured and added as an interceptor against the ChannelPipeline: {}", sslHandler);
            addToPipeline("ssl", channelPipeline, sslHandler);
        }

        List<ChannelHandler> encoders = consumer.getConfiguration().getEncoders();

Examples of org.jboss.netty.handler.ssl.SslHandler

            return consumer.getConfiguration().getSslHandler();
        } else if (sslContext != null) {
            SSLEngine engine = sslContext.createSSLEngine();
            engine.setUseClientMode(false);
            engine.setNeedClientAuth(consumer.getConfiguration().isNeedClientAuth());
            return new SslHandler(engine);
        } else {
            if (consumer.getConfiguration().getKeyStoreFile() == null && consumer.getConfiguration().getKeyStoreResource() == null) {
                LOG.debug("keystorefile is null");
            }
            if (consumer.getConfiguration().getTrustStoreFile() == null && consumer.getConfiguration().getTrustStoreResource() == null) {
                LOG.debug("truststorefile is null");
            }
            if (consumer.getConfiguration().getPassphrase().toCharArray() == null) {
                LOG.debug("passphrase is null");
            }
            SSLEngineFactory sslEngineFactory;
            if (consumer.getConfiguration().getKeyStoreFile() != null || consumer.getConfiguration().getTrustStoreFile() != null) {
                sslEngineFactory = new SSLEngineFactory(
                        consumer.getConfiguration().getKeyStoreFormat(),
                        consumer.getConfiguration().getSecurityProvider(),
                        consumer.getConfiguration().getKeyStoreFile(),
                        consumer.getConfiguration().getTrustStoreFile(),
                        consumer.getConfiguration().getPassphrase().toCharArray());
            } else {
                sslEngineFactory = new SSLEngineFactory(consumer.getContext().getClassResolver(),
                        consumer.getConfiguration().getKeyStoreFormat(),
                        consumer.getConfiguration().getSecurityProvider(),
                        consumer.getConfiguration().getKeyStoreResource(),
                        consumer.getConfiguration().getTrustStoreResource(),
                        consumer.getConfiguration().getPassphrase().toCharArray());
            }
            SSLEngine sslEngine = sslEngineFactory.createServerSSLEngine();
            sslEngine.setUseClientMode(false);
            sslEngine.setNeedClientAuth(consumer.getConfiguration().isNeedClientAuth());
            return new SslHandler(sslEngine);
        }
    }