jdeppe-pivotal commented on a change in pull request #6826:
URL: https://github.com/apache/geode/pull/6826#discussion_r700590513
##########
File path:
geode-apis-compatible-with-redis/src/main/java/org/apache/geode/redis/internal/netty/NettyRedisServer.java
##########
@@ -180,29 +181,45 @@ public void initChannel(SocketChannel socketChannel) {
private void addSSLIfEnabled(SocketChannel ch, ChannelPipeline p) {
- SSLConfig sslConfigForComponent =
+ SSLConfig sslConfigForServer =
SSLConfigurationFactory.getSSLConfigForComponent(configSupplier.get(),
SecurableCommunicationChannel.SERVER);
- if (!sslConfigForComponent.isEnabled()) {
+ if (!sslConfigForServer.isEnabled()) {
return;
}
SslContext sslContext;
- try (FileInputStream fileInputStream =
- new FileInputStream(sslConfigForComponent.getKeystore())) {
- KeyStore ks = KeyStore.getInstance("JKS");
- ks.load(fileInputStream,
sslConfigForComponent.getKeystorePassword().toCharArray());
- // Set up key manager factory to use our key store
- KeyManagerFactory kmf =
-
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- kmf.init(ks, sslConfigForComponent.getKeystorePassword().toCharArray());
-
- SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(kmf);
- sslContext = sslContextBuilder.build();
+ try {
+ KeyManagerFactory keyManagerFactory = null;
+ if (sslConfigForServer.getKeystore() != null) {
+ keyManagerFactory = new KeyManagerFactoryWrapper(
+
FileWatchingX509ExtendedKeyManager.newFileWatchingKeyManager(sslConfigForServer));
+ }
+
+ TrustManagerFactory trustManagerFactory = null;
+ if (sslConfigForServer.getTruststore() != null) {
+ trustManagerFactory = new TrustManagerFactoryWrapper(
+
FileWatchingX509ExtendedTrustManager.newFileWatchingTrustManager(sslConfigForServer));
+ }
+
+ SslContextBuilder sslContextBuilder =
SslContextBuilder.forServer(keyManagerFactory);
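Review bot: `keyManagerFactory` is still `null` when `sslConfigForServer.getKeystore()` returns null, yet the hunk calls `SslContextBuilder.forServer(keyManagerFactory)` unconditionally. The removed code failed right here, at the `FileInputStream` on the keystore path, when no usable keystore was given; the new code instead hands an enabled-but-keyless server configuration to Netty, where any failure surfaces later and with a less specific message. Suggest failing fast before the builder with something like `throw new IllegalStateException("SSL is enabled for the server but no keystore is configured");`, and consider whether an empty keystore string should be treated the same as null, since the `!= null` check alone will not catch it. Separately, replacing the fixed-type `KeyStore.getInstance("JKS")` load with `FileWatchingX509ExtendedKeyManager.newFileWatchingKeyManager(sslConfigForServer)` changes how and when the key material is loaded; that deserves a sentence in the PR description or a comment at this call site.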
Review comment:
Good catch. I cannot think why no keystore would be provided and it
seems like a misconfiguration. You *need* a keystore if you want to use
SSL/TLS. To that end I think it's OK to throw an exception in that case. WDYT?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
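The fail-fast check the comment argues for, written out as an added example rather than Geode's own code: it builds a Netty server SslContext the way the removed code did, from a keystore and its password, but rejects an enabled-without-keystore configuration with a descriptive exception before touching the builder, and also verifies that the store actually holds a private key entry. `TlsSettings` is a hypothetical stand-in for the project's `SSLConfig`, and treating a configured truststore as a request for client authentication is this example's own assumption, not something the PR states.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;

/**
 * Builds a Netty server SslContext from a minimal, hypothetical settings object and
 * rejects an enabled-but-keyless configuration at startup. Added example; TlsSettings
 * is a stand-in for the project's SSLConfig, not the real class.
 */
public final class ServerTlsContextFactory {

  /** Hypothetical settings holder carrying only the fields this example needs. */
  public record TlsSettings(
      boolean enabled,
      String keystorePath, char[] keystorePassword, String keystoreType,
      String truststorePath, char[] truststorePassword, String truststoreType) {}

  private ServerTlsContextFactory() {}

  /**
   * Returns null when TLS is disabled, the built context when it is enabled, and throws
   * IllegalStateException when TLS is enabled without a usable keystore.
   */
  public static SslContext build(TlsSettings settings)
      throws IOException, GeneralSecurityException {
    if (!settings.enabled()) {
      return null; // caller adds no SslHandler to the pipeline
    }
    if (isBlank(settings.keystorePath())) {
      // Fail fast with a message that names the problem, instead of passing a null
      // KeyManagerFactory to Netty and getting a less specific failure later.
      throw new IllegalStateException(
          "TLS is enabled for the server but no keystore is configured; "
              + "a server certificate and private key are required");
    }

    KeyStore keyStore = load(settings.keystorePath(), settings.keystorePassword(),
        settings.keystoreType());
    if (!hasPrivateKey(keyStore)) {
      throw new IllegalStateException(
          "keystore " + settings.keystorePath() + " contains no private key entry");
    }
    KeyManagerFactory kmf =
        KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(keyStore, settings.keystorePassword());

    SslContextBuilder builder = SslContextBuilder.forServer(kmf);

    // A truststore is optional for a server: without one the server simply does not
    // authenticate clients. This example treats a configured truststore as a request
    // for mutual TLS (assumption; a real config would carry an explicit flag).
    if (!isBlank(settings.truststorePath())) {
      KeyStore trustStore = load(settings.truststorePath(), settings.truststorePassword(),
          settings.truststoreType());
      TrustManagerFactory tmf =
          TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
      tmf.init(trustStore);
      builder.trustManager(tmf).clientAuth(ClientAuth.REQUIRE);
    }
    return builder.build();
  }

  /** Loads a keystore of the given type (JVM default when unspecified) from disk. */
  private static KeyStore load(String path, char[] password, String type)
      throws IOException, GeneralSecurityException {
    KeyStore ks = KeyStore.getInstance(isBlank(type) ? KeyStore.getDefaultType() : type);
    try (InputStream in = new FileInputStream(path)) {
      ks.load(in, password);
    }
    return ks;
  }

  /** True when at least one alias in the store is a key entry rather than a bare cert. */
  private static boolean hasPrivateKey(KeyStore ks) throws GeneralSecurityException {
    for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
      if (ks.isKeyEntry(aliases.nextElement())) {
        return true;
      }
    }
    return false;
  }

  private static boolean isBlank(String s) {
    return s == null || s.isBlank();
  }
}
```

The blank check, rather than a plain null comparison, is deliberate: configuration properties that are unset often arrive as empty strings, and an empty path should be rejected with the same message as a missing one. The private-key check catches the next most common mistake, pointing the server at a truststore-shaped file that holds only certificates, which would otherwise fail only when the first handshake needs a key.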