jdeppe-pivotal commented on a change in pull request #6826:
URL: https://github.com/apache/geode/pull/6826#discussion_r704895552
##########
File path:
geode-apis-compatible-with-redis/src/main/java/org/apache/geode/redis/internal/netty/NettyRedisServer.java
##########
@@ -180,29 +181,47 @@ public void initChannel(SocketChannel socketChannel) {
private void addSSLIfEnabled(SocketChannel ch, ChannelPipeline p) {
- SSLConfig sslConfigForComponent =
+ SSLConfig sslConfigForServer =
SSLConfigurationFactory.getSSLConfigForComponent(configSupplier.get(),
SecurableCommunicationChannel.SERVER);
- if (!sslConfigForComponent.isEnabled()) {
+ if (!sslConfigForServer.isEnabled()) {
return;
}
+ if (sslConfigForServer.getKeystore() == null) {
+ throw new IllegalStateException(
+ "Cannot start netty as no key manager is configured. Please ensure
that the GemFire property 'ssl-keystore' is set.");
+ }
+
SslContext sslContext;
- try (FileInputStream fileInputStream =
- new FileInputStream(sslConfigForComponent.getKeystore())) {
- KeyStore ks = KeyStore.getInstance("JKS");
- ks.load(fileInputStream,
sslConfigForComponent.getKeystorePassword().toCharArray());
- // Set up key manager factory to use our key store
- KeyManagerFactory kmf =
-
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- kmf.init(ks, sslConfigForComponent.getKeystorePassword().toCharArray());
-
- SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(kmf);
- sslContext = sslContextBuilder.build();
+ try {
+ KeyManagerFactory keyManagerFactory = new KeyManagerFactoryWrapper(
+
FileWatchingX509ExtendedKeyManager.newFileWatchingKeyManager(sslConfigForServer));
+
+ TrustManagerFactory trustManagerFactory = null;
+ if (sslConfigForServer.getTruststore() != null) {
+ trustManagerFactory = new TrustManagerFactoryWrapper(
+
FileWatchingX509ExtendedTrustManager.newFileWatchingTrustManager(sslConfigForServer));
+ }
+
+ SslContextBuilder sslContextBuilder =
SslContextBuilder.forServer(keyManagerFactory);
+ sslContextBuilder.trustManager(trustManagerFactory);
- } catch (KeyStoreException | NoSuchAlgorithmException |
UnrecoverableKeyException | IOException
- | CertificateException e) {
+ if (!sslConfigForServer.isAnyCiphers()) {
+
sslContextBuilder.ciphers(Arrays.asList(sslConfigForServer.getCiphersAsStringArray()));
+ }
+
+ if (!sslConfigForServer.isAnyProtocols()) {
+ sslContextBuilder.protocols(
+ Arrays.asList(sslConfigForServer.getProtocolsAsStringArray()));
+ }
+
+ if (sslConfigForServer.isRequireAuth()) {
+ sslContextBuilder.clientAuth(ClientAuth.REQUIRE);
+ }
+ sslContext = sslContextBuilder.build();
+ } catch (IOException e) {
throw new RuntimeException(e);
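Review bot: When `isRequireAuth()` is true but `getTruststore()` is null, `trustManagerFactory` stays null and `sslContextBuilder.trustManager(null)` leaves Netty to fall back (for the JDK provider, as far as I recall) to the JVM's default trust anchors, so `ClientAuth.REQUIRE` would accept any client certificate chaining to a public CA instead of the operator's own truststore. The keystore case just above fails fast with an `IllegalStateException`; the truststore case deserves the same guard before the builder is configured: `if (sslConfigForServer.isRequireAuth() && sslConfigForServer.getTruststore() == null) {` / `throw new IllegalStateException("Cannot start netty as client authentication is required but no trust manager is configured. Please ensure that the GemFire property 'ssl-truststore' is set.");` / `}`. The same hunk is quoted a second time below; the point applies there too. The body of addSSLIfEnabled continues past the end of this quoted hunk.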
Review comment:
I switched it to an `UncheckedIOException` which is probably no better.
However, this code is only triggered when a new inbound connection is
established and, as such, is totally asynchronous and there is no way to
recover from a situation here; like misconfigured SSL params.
##########
File path:
geode-apis-compatible-with-redis/src/main/java/org/apache/geode/redis/internal/netty/NettyRedisServer.java
##########
@@ -180,29 +181,47 @@ public void initChannel(SocketChannel socketChannel) {
private void addSSLIfEnabled(SocketChannel ch, ChannelPipeline p) {
- SSLConfig sslConfigForComponent =
+ SSLConfig sslConfigForServer =
SSLConfigurationFactory.getSSLConfigForComponent(configSupplier.get(),
SecurableCommunicationChannel.SERVER);
- if (!sslConfigForComponent.isEnabled()) {
+ if (!sslConfigForServer.isEnabled()) {
return;
}
+ if (sslConfigForServer.getKeystore() == null) {
+ throw new IllegalStateException(
+ "Cannot start netty as no key manager is configured. Please ensure
that the GemFire property 'ssl-keystore' is set.");
+ }
+
SslContext sslContext;
- try (FileInputStream fileInputStream =
- new FileInputStream(sslConfigForComponent.getKeystore())) {
- KeyStore ks = KeyStore.getInstance("JKS");
- ks.load(fileInputStream,
sslConfigForComponent.getKeystorePassword().toCharArray());
- // Set up key manager factory to use our key store
- KeyManagerFactory kmf =
-
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- kmf.init(ks, sslConfigForComponent.getKeystorePassword().toCharArray());
-
- SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(kmf);
- sslContext = sslContextBuilder.build();
+ try {
+ KeyManagerFactory keyManagerFactory = new KeyManagerFactoryWrapper(
+
FileWatchingX509ExtendedKeyManager.newFileWatchingKeyManager(sslConfigForServer));
+
+ TrustManagerFactory trustManagerFactory = null;
+ if (sslConfigForServer.getTruststore() != null) {
+ trustManagerFactory = new TrustManagerFactoryWrapper(
+
FileWatchingX509ExtendedTrustManager.newFileWatchingTrustManager(sslConfigForServer));
+ }
+
+ SslContextBuilder sslContextBuilder =
SslContextBuilder.forServer(keyManagerFactory);
+ sslContextBuilder.trustManager(trustManagerFactory);
- } catch (KeyStoreException | NoSuchAlgorithmException |
UnrecoverableKeyException | IOException
- | CertificateException e) {
+ if (!sslConfigForServer.isAnyCiphers()) {
+
sslContextBuilder.ciphers(Arrays.asList(sslConfigForServer.getCiphersAsStringArray()));
+ }
+
+ if (!sslConfigForServer.isAnyProtocols()) {
+ sslContextBuilder.protocols(
+ Arrays.asList(sslConfigForServer.getProtocolsAsStringArray()));
+ }
+
+ if (sslConfigForServer.isRequireAuth()) {
+ sslContextBuilder.clientAuth(ClientAuth.REQUIRE);
+ }
+ sslContext = sslContextBuilder.build();
+ } catch (IOException e) {
throw new RuntimeException(e);
Review comment:
I switched it to an `UncheckedIOException` which is probably no better.
However, this code is only triggered when a new inbound connection is
established and, as such, is totally asynchronous and there is no way to
recover from a situation here; like misconfigured SSL params.