cdegroc commented on code in PR #3078:
URL: https://github.com/apache/tinkerpop/pull/3078#discussion_r2018567513
##########
gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/AbstractChannelizer.java:
##########
@@ -307,74 +329,59 @@ private void configureSerializers() {
}
}
- private SslContext createSSLContext(final Settings settings) {
+ private SSLFactory.Builder createSSLFactoryBuilder(final Settings
settings) {
final Settings.SslSettings sslSettings = settings.ssl;
- if (sslSettings.getSslContext().isPresent()) {
- logger.info("Using the SslContext override");
- return sslSettings.getSslContext().get();
- }
-
- final SslProvider provider = SslProvider.JDK;
-
- final SslContextBuilder builder;
-
- // Build JSSE SSLContext
+ final SSLFactory.Builder builder = SSLFactory.builder();
try {
- final KeyManagerFactory kmf =
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-
- // Load private key and signed cert
if (null != sslSettings.keyStore) {
final String keyStoreType = null == sslSettings.keyStoreType ?
KeyStore.getDefaultType() : sslSettings.keyStoreType;
- final KeyStore keystore = KeyStore.getInstance(keyStoreType);
- final char[] password = null == sslSettings.keyStorePassword ?
null : sslSettings.keyStorePassword.toCharArray();
+ final char[] keyStorePassword = null ==
sslSettings.keyStorePassword ? null :
sslSettings.keyStorePassword.toCharArray();
try (final InputStream in = new
FileInputStream(sslSettings.keyStore)) {
- keystore.load(in, password);
+ builder.withIdentityMaterial(in, keyStorePassword,
keyStoreType);
}
- kmf.init(keystore, password);
} else {
throw new IllegalStateException("keyStore must be configured
when SSL is enabled.");
}
- builder = SslContextBuilder.forServer(kmf);
-
// Load custom truststore for client auth certs
if (null != sslSettings.trustStore) {
final String trustStoreType = null !=
sslSettings.trustStoreType ? sslSettings.trustStoreType
- : sslSettings.keyStoreType != null ?
sslSettings.keyStoreType : KeyStore.getDefaultType();
-
- final KeyStore truststore =
KeyStore.getInstance(trustStoreType);
- final char[] password = null == sslSettings.trustStorePassword
? null : sslSettings.trustStorePassword.toCharArray();
+ : sslSettings.keyStoreType != null ?
sslSettings.keyStoreType : KeyStore.getDefaultType();
+ final char[] trustStorePassword = null ==
sslSettings.trustStorePassword ? null :
sslSettings.trustStorePassword.toCharArray();
try (final InputStream in = new
FileInputStream(sslSettings.trustStore)) {
- truststore.load(in, password);
+ builder.withTrustMaterial(in, trustStorePassword,
trustStoreType);
}
- final TrustManagerFactory tmf =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- tmf.init(truststore);
- builder.trustManager(tmf);
}
-
- } catch (UnrecoverableKeyException | NoSuchAlgorithmException |
KeyStoreException | CertificateException | IOException e) {
+ } catch (GenericSecurityException | IOException e) {
logger.error(e.getMessage());
throw new RuntimeException("There was an error enabling SSL.", e);
}
if (null != sslSettings.sslCipherSuites &&
!sslSettings.sslCipherSuites.isEmpty()) {
- builder.ciphers(sslSettings.sslCipherSuites);
+ builder.withCiphers(sslSettings.sslCipherSuites.toArray(new
String[] {}));
}
if (null != sslSettings.sslEnabledProtocols &&
!sslSettings.sslEnabledProtocols.isEmpty()) {
- builder.protocols(sslSettings.sslEnabledProtocols.toArray(new
String[] {}));
+ builder.withProtocols(sslSettings.sslEnabledProtocols.toArray(new
String[] {}));
}
-
+
if (null != sslSettings.needClientAuth && ClientAuth.OPTIONAL ==
sslSettings.needClientAuth) {
logger.warn("needClientAuth = OPTIONAL is not a secure
configuration. Setting to REQUIRE.");
sslSettings.needClientAuth = ClientAuth.REQUIRE;
}
- builder.clientAuth(sslSettings.needClientAuth).sslProvider(provider);
Review Comment:
📝 `SSLFactory` does not expose an option to configure the SSL Provider.
Instead, we configure it below (L. 381) on the Netty SslContextBuilder built
from the `SSLFactory`.