dschneider-pivotal commented on a change in pull request #6826:
URL: https://github.com/apache/geode/pull/6826#discussion_r701336382
##########
File path:
geode-apis-compatible-with-redis/src/main/java/org/apache/geode/redis/internal/netty/NettyRedisServer.java
##########
@@ -180,29 +181,47 @@ public void initChannel(SocketChannel socketChannel) {
private void addSSLIfEnabled(SocketChannel ch, ChannelPipeline p) {
- SSLConfig sslConfigForComponent =
+ SSLConfig sslConfigForServer =
SSLConfigurationFactory.getSSLConfigForComponent(configSupplier.get(),
SecurableCommunicationChannel.SERVER);
- if (!sslConfigForComponent.isEnabled()) {
+ if (!sslConfigForServer.isEnabled()) {
return;
}
+ if (sslConfigForServer.getKeystore() == null) {
+ throw new IllegalStateException(
+ "Cannot start netty as no key manager is configured. Please ensure
that the Geode property 'ssl-keystore' is set.");
+ }
+
SslContext sslContext;
- try (FileInputStream fileInputStream =
- new FileInputStream(sslConfigForComponent.getKeystore())) {
- KeyStore ks = KeyStore.getInstance("JKS");
- ks.load(fileInputStream,
sslConfigForComponent.getKeystorePassword().toCharArray());
- // Set up key manager factory to use our key store
- KeyManagerFactory kmf =
-
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- kmf.init(ks, sslConfigForComponent.getKeystorePassword().toCharArray());
-
- SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(kmf);
- sslContext = sslContextBuilder.build();
+ try {
+ KeyManagerFactory keyManagerFactory = new KeyManagerFactoryWrapper(
+
FileWatchingX509ExtendedKeyManager.newFileWatchingKeyManager(sslConfigForServer));
+
+ TrustManagerFactory trustManagerFactory = null;
+ if (sslConfigForServer.getTruststore() != null) {
+ trustManagerFactory = new TrustManagerFactoryWrapper(
+
FileWatchingX509ExtendedTrustManager.newFileWatchingTrustManager(sslConfigForServer));
+ }
+
+ SslContextBuilder sslContextBuilder =
SslContextBuilder.forServer(keyManagerFactory);
+ sslContextBuilder.trustManager(trustManagerFactory);
- } catch (KeyStoreException | NoSuchAlgorithmException |
UnrecoverableKeyException | IOException
- | CertificateException e) {
+ if (!"any".equals(sslConfigForServer.getCiphers())) {
Review comment:
other code that compares to "any" uses "equalsIgnoreCase". Also
InternalHttpServer treats a blank (StringUtils.isNotBlank) the same as "any>
Seems like this code should also. It seems like this should be encapsulated in
SSLConfig method like isAnyCiphers and isAnyProtocols instead of doing it in
multiple places in our code.
##########
File path:
geode-apis-compatible-with-redis/src/main/java/org/apache/geode/redis/internal/netty/NettyRedisServer.java
##########
@@ -189,13 +189,15 @@ private void addSSLIfEnabled(SocketChannel ch,
ChannelPipeline p) {
return;
}
+ if (sslConfigForServer.getKeystore() == null) {
+ throw new IllegalStateException(
+ "Cannot start netty as no key manager is configured. Please ensure
that the Geode property 'ssl-keystore' is set.");
Review comment:
even Geode docs refer to these as "gemfire properties" (see:
https://geode.apache.org/docs/guide/113/reference/topics/gemfire_properties.html)
so I would replace "Geode" with "gemfire" in this message.
Also if you do a google search for "gemfire property" it gets you to docs
but "geode property" does not.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
