Package io.netty.handler.ssl
Class ReferenceCountedOpenSslContext
- java.lang.Object
-
- io.netty.handler.ssl.SslContext
-
- io.netty.handler.ssl.ReferenceCountedOpenSslContext
-
- All Implemented Interfaces:
ReferenceCounted
- Direct Known Subclasses:
OpenSslContext
,ReferenceCountedOpenSslClientContext
,ReferenceCountedOpenSslServerContext
public abstract class ReferenceCountedOpenSslContext extends SslContext implements ReferenceCounted
An implementation ofSslContext
which works with libraries that support the OpenSsl C library API.Instances of this class must be
released
or else native memory will leak!Instances of this class must not be released before any
ReferenceCountedOpenSslEngine
which depends upon the instance of this class is released. Otherwise if any method ofReferenceCountedOpenSslEngine
is called which uses this class's JNI resources the JVM may crash.
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description (package private) static class
ReferenceCountedOpenSslContext.AbstractCertificateVerifier
private static class
ReferenceCountedOpenSslContext.AsyncPrivateKeyMethod
private static class
ReferenceCountedOpenSslContext.CompressionAlgorithm
private static class
ReferenceCountedOpenSslContext.DefaultOpenSslEngineMap
private static class
ReferenceCountedOpenSslContext.PrivateKeyMethod
-
Field Summary
Fields Modifier and Type Field Description private OpenSslApplicationProtocolNegotiator
apn
private int
bioNonApplicationBufferSize
(package private) static boolean
CLIENT_ENABLE_SESSION_CACHE
(package private) static boolean
CLIENT_ENABLE_SESSION_TICKET
(package private) static boolean
CLIENT_ENABLE_SESSION_TICKET_TLSV13
(package private) ClientAuth
clientAuth
protected long
ctx
The OpenSSL SSL_CTX object.(package private) java.util.concurrent.locks.ReadWriteLock
ctxLock
private static int
DEFAULT_BIO_NON_APPLICATION_BUFFER_SIZE
private static java.lang.Integer
DH_KEY_LENGTH
(package private) boolean
enableOcsp
(package private) OpenSslEngineMap
engineMap
(package private) boolean
hasTLSv13Cipher
(package private) java.security.cert.Certificate[]
keyCertChain
private ResourceLeakTracker<ReferenceCountedOpenSslContext>
leak
private static ResourceLeakDetector<ReferenceCountedOpenSslContext>
leakDetector
private static InternalLogger
logger
private int
mode
(package private) static OpenSslApplicationProtocolNegotiator
NONE_PROTOCOL_NEGOTIATOR
(package private) java.lang.String[]
protocols
private AbstractReferenceCounted
refCnt
(package private) static boolean
SERVER_ENABLE_SESSION_CACHE
(package private) static boolean
SERVER_ENABLE_SESSION_TICKET
(package private) static boolean
SERVER_ENABLE_SESSION_TICKET_TLSV13
(package private) boolean
tlsFalseStart
private java.util.List<java.lang.String>
unmodifiableCiphers
(package private) static boolean
USE_TASKS
protected static int
VERIFY_DEPTH
-
Fields inherited from class io.netty.handler.ssl.SslContext
ALIAS, X509_CERT_FACTORY
-
-
Constructor Summary
Constructors Constructor Description ReferenceCountedOpenSslContext(java.lang.Iterable<java.lang.String> ciphers, CipherSuiteFilter cipherFilter, OpenSslApplicationProtocolNegotiator apn, int mode, java.security.cert.Certificate[] keyCertChain, ClientAuth clientAuth, java.lang.String[] protocols, boolean startTls, boolean enableOcsp, boolean leakDetection, java.util.Map.Entry<SslContextOption<?>,java.lang.Object>... ctxOptions)
-
Method Summary
All Methods Static Methods Instance Methods Abstract Methods Concrete Methods Deprecated Methods Modifier and Type Method Description ApplicationProtocolNegotiator
applicationProtocolNegotiator()
Returns the object responsible for negotiating application layer protocols for the TLS NPN/ALPN extensions.protected static java.security.cert.X509Certificate[]
certificates(byte[][] chain)
protected static javax.net.ssl.X509TrustManager
chooseTrustManager(javax.net.ssl.TrustManager[] managers)
protected static javax.net.ssl.X509KeyManager
chooseX509KeyManager(javax.net.ssl.KeyManager[] kms)
java.util.List<java.lang.String>
cipherSuites()
Returns the list of enabled cipher suites, in the order of preference.long
context()
Deprecated.this method is considered unsafe as the returned pointer may be released later.private void
destroy()
(package private) static void
freeBio(long bio)
int
getBioNonApplicationBufferSize()
Returns the size of the buffer used by the BIO for non-application based writesboolean
getRejectRemoteInitiatedRenegotiation()
Deprecated.boolean
isClient()
Returns thetrue
if and only if this context is for client-side.private static long
newBIO(ByteBuf buffer)
javax.net.ssl.SSLEngine
newEngine(ByteBufAllocator alloc)
Returns a new server-sideSSLEngine
with the current configuration.javax.net.ssl.SSLEngine
newEngine(ByteBufAllocator alloc, java.lang.String peerHost, int peerPort)
Creates a newSSLEngine
using advisory peer information.(package private) javax.net.ssl.SSLEngine
newEngine0(ByteBufAllocator alloc, java.lang.String peerHost, int peerPort, boolean jdkCompatibilityMode)
protected SslHandler
newHandler(ByteBufAllocator alloc, boolean startTls)
Create a new SslHandler.protected SslHandler
newHandler(ByteBufAllocator alloc, boolean startTls, java.util.concurrent.Executor executor)
Create a new SslHandler.protected SslHandler
newHandler(ByteBufAllocator alloc, java.lang.String peerHost, int peerPort, boolean startTls)
Create a new SslHandler.protected SslHandler
newHandler(ByteBufAllocator alloc, java.lang.String peerHost, int peerPort, boolean startTls, java.util.concurrent.Executor executor)
private static int
opensslSelectorFailureBehavior(ApplicationProtocolConfig.SelectorFailureBehavior behavior)
(package private) static OpenSslKeyMaterialProvider
providerFor(javax.net.ssl.KeyManagerFactory factory, java.lang.String password)
Returns theOpenSslKeyMaterialProvider
that should be used for OpenSSL.int
refCnt()
Returns the reference count of this object.boolean
release()
Decreases the reference count by1
and deallocates this object if the reference count reaches at0
.boolean
release(int decrement)
Decreases the reference count by the specifieddecrement
and deallocates this object if the reference count reaches at0
.ReferenceCounted
retain()
Increases the reference count by1
.ReferenceCounted
retain(int increment)
Increases the reference count by the specifiedincrement
.private static ReferenceCountedOpenSslEngine
retrieveEngine(OpenSslEngineMap engineMap, long ssl)
abstract OpenSslSessionContext
sessionContext()
Returns theSSLSessionContext
object held by this context.void
setBioNonApplicationBufferSize(int bioNonApplicationBufferSize)
Set the size of the buffer used by the BIO for non-application based writes (e.g.(package private) static void
setKeyMaterial(long ctx, java.security.cert.X509Certificate[] keyCertChain, java.security.PrivateKey key, java.lang.String keyPassword)
void
setPrivateKeyMethod(OpenSslPrivateKeyMethod method)
Deprecated.void
setRejectRemoteInitiatedRenegotiation(boolean rejectRemoteInitiatedRenegotiation)
Deprecated.void
setTicketKeys(byte[] keys)
Deprecated.void
setUseTasks(boolean useTasks)
Deprecated.long
sslCtxPointer()
Deprecated.this method is considered unsafe as the returned pointer may be released later.OpenSslSessionStats
stats()
Deprecated.use {@link #sessionContext#stats()}(package private) static long
toBIO(ByteBufAllocator allocator, PemEncoded pem)
(package private) static long
toBIO(ByteBufAllocator allocator, java.security.cert.X509Certificate... certChain)
(package private) static long
toBIO(ByteBufAllocator allocator, java.security.PrivateKey key)
(package private) static OpenSslApplicationProtocolNegotiator
toNegotiator(ApplicationProtocolConfig config)
Translate aApplicationProtocolConfig
object to aOpenSslApplicationProtocolNegotiator
object.ReferenceCounted
touch()
Records the current access location of this object for debugging purposes.ReferenceCounted
touch(java.lang.Object hint)
Records the current access location of this object with an additional arbitrary information for debugging purposes.(package private) static boolean
useExtendedTrustManager(javax.net.ssl.X509TrustManager trustManager)
private static byte[]
verifyResult(byte[] result)
-
Methods inherited from class io.netty.handler.ssl.SslContext
attributes, buildKeyManagerFactory, buildKeyManagerFactory, buildKeyStore, buildTrustManagerFactory, buildTrustManagerFactory, buildTrustManagerFactory, defaultClientProvider, defaultServerProvider, generateKeySpec, isServer, keyStorePassword, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContextInternal, newHandler, newHandler, newHandler, newHandler, newServerContext, newServerContext, newServerContext, newServerContext, newServerContext, newServerContext, newServerContext, newServerContext, newServerContext, newServerContext, newServerContext, newServerContextInternal, nextProtocols, sessionCacheSize, sessionTimeout, toApplicationProtocolConfig, toPrivateKey, toPrivateKey, toPrivateKey, toPrivateKeyInternal, toX509Certificates, toX509Certificates, toX509CertificatesInternal
-
-
-
-
Field Detail
-
logger
private static final InternalLogger logger
-
DEFAULT_BIO_NON_APPLICATION_BUFFER_SIZE
private static final int DEFAULT_BIO_NON_APPLICATION_BUFFER_SIZE
-
USE_TASKS
static final boolean USE_TASKS
-
DH_KEY_LENGTH
private static final java.lang.Integer DH_KEY_LENGTH
-
leakDetector
private static final ResourceLeakDetector<ReferenceCountedOpenSslContext> leakDetector
-
VERIFY_DEPTH
protected static final int VERIFY_DEPTH
- See Also:
- Constant Field Values
-
CLIENT_ENABLE_SESSION_TICKET
static final boolean CLIENT_ENABLE_SESSION_TICKET
-
CLIENT_ENABLE_SESSION_TICKET_TLSV13
static final boolean CLIENT_ENABLE_SESSION_TICKET_TLSV13
-
SERVER_ENABLE_SESSION_TICKET
static final boolean SERVER_ENABLE_SESSION_TICKET
-
SERVER_ENABLE_SESSION_TICKET_TLSV13
static final boolean SERVER_ENABLE_SESSION_TICKET_TLSV13
-
SERVER_ENABLE_SESSION_CACHE
static final boolean SERVER_ENABLE_SESSION_CACHE
-
CLIENT_ENABLE_SESSION_CACHE
static final boolean CLIENT_ENABLE_SESSION_CACHE
-
ctx
protected long ctx
The OpenSSL SSL_CTX object.ctxLock
must be hold while using ctx!
-
unmodifiableCiphers
private final java.util.List<java.lang.String> unmodifiableCiphers
-
apn
private final OpenSslApplicationProtocolNegotiator apn
-
mode
private final int mode
-
leak
private final ResourceLeakTracker<ReferenceCountedOpenSslContext> leak
-
refCnt
private final AbstractReferenceCounted refCnt
-
keyCertChain
final java.security.cert.Certificate[] keyCertChain
-
clientAuth
final ClientAuth clientAuth
-
protocols
final java.lang.String[] protocols
-
hasTLSv13Cipher
final boolean hasTLSv13Cipher
-
enableOcsp
final boolean enableOcsp
-
engineMap
final OpenSslEngineMap engineMap
-
ctxLock
final java.util.concurrent.locks.ReadWriteLock ctxLock
-
bioNonApplicationBufferSize
private volatile int bioNonApplicationBufferSize
-
NONE_PROTOCOL_NEGOTIATOR
static final OpenSslApplicationProtocolNegotiator NONE_PROTOCOL_NEGOTIATOR
-
tlsFalseStart
final boolean tlsFalseStart
-
-
Constructor Detail
-
ReferenceCountedOpenSslContext
ReferenceCountedOpenSslContext(java.lang.Iterable<java.lang.String> ciphers, CipherSuiteFilter cipherFilter, OpenSslApplicationProtocolNegotiator apn, int mode, java.security.cert.Certificate[] keyCertChain, ClientAuth clientAuth, java.lang.String[] protocols, boolean startTls, boolean enableOcsp, boolean leakDetection, java.util.Map.Entry<SslContextOption<?>,java.lang.Object>... ctxOptions) throws javax.net.ssl.SSLException
- Throws:
javax.net.ssl.SSLException
-
-
Method Detail
-
opensslSelectorFailureBehavior
private static int opensslSelectorFailureBehavior(ApplicationProtocolConfig.SelectorFailureBehavior behavior)
-
cipherSuites
public final java.util.List<java.lang.String> cipherSuites()
Description copied from class:SslContext
Returns the list of enabled cipher suites, in the order of preference.- Specified by:
cipherSuites
in classSslContext
-
applicationProtocolNegotiator
public ApplicationProtocolNegotiator applicationProtocolNegotiator()
Description copied from class:SslContext
Returns the object responsible for negotiating application layer protocols for the TLS NPN/ALPN extensions.- Specified by:
applicationProtocolNegotiator
in classSslContext
-
isClient
public final boolean isClient()
Description copied from class:SslContext
Returns thetrue
if and only if this context is for client-side.- Specified by:
isClient
in classSslContext
-
newEngine
public final javax.net.ssl.SSLEngine newEngine(ByteBufAllocator alloc, java.lang.String peerHost, int peerPort)
Description copied from class:SslContext
Creates a newSSLEngine
using advisory peer information.If
SslProvider.OPENSSL_REFCNT
is used then the object must be released. One way to do this is to wrap in aSslHandler
and insert it into a pipeline. SeeSslContext.newHandler(ByteBufAllocator, String, int)
.- Specified by:
newEngine
in classSslContext
peerHost
- the non-authoritative name of the hostpeerPort
- the non-authoritative port- Returns:
- a new
SSLEngine
-
newHandler
protected final SslHandler newHandler(ByteBufAllocator alloc, boolean startTls)
Description copied from class:SslContext
Create a new SslHandler.- Overrides:
newHandler
in classSslContext
- See Also:
SslContext.newHandler(ByteBufAllocator)
-
newHandler
protected final SslHandler newHandler(ByteBufAllocator alloc, java.lang.String peerHost, int peerPort, boolean startTls)
Description copied from class:SslContext
Create a new SslHandler.- Overrides:
newHandler
in classSslContext
- See Also:
SslContext.newHandler(ByteBufAllocator, String, int, boolean, Executor)
-
newHandler
protected SslHandler newHandler(ByteBufAllocator alloc, boolean startTls, java.util.concurrent.Executor executor)
Description copied from class:SslContext
Create a new SslHandler.- Overrides:
newHandler
in classSslContext
- See Also:
SslContext.newHandler(ByteBufAllocator, String, int, boolean, Executor)
-
newHandler
protected SslHandler newHandler(ByteBufAllocator alloc, java.lang.String peerHost, int peerPort, boolean startTls, java.util.concurrent.Executor executor)
- Overrides:
newHandler
in classSslContext
-
newEngine0
javax.net.ssl.SSLEngine newEngine0(ByteBufAllocator alloc, java.lang.String peerHost, int peerPort, boolean jdkCompatibilityMode)
-
newEngine
public final javax.net.ssl.SSLEngine newEngine(ByteBufAllocator alloc)
Returns a new server-sideSSLEngine
with the current configuration.- Specified by:
newEngine
in classSslContext
- Returns:
- a new
SSLEngine
-
context
@Deprecated public final long context()
Deprecated.this method is considered unsafe as the returned pointer may be released later. Dont use it!Returns the pointer to theSSL_CTX
object for thisReferenceCountedOpenSslContext
. Be aware that it is freed as soon as theObject.finalize()
method is called. At this point0
will be returned.
-
stats
@Deprecated public final OpenSslSessionStats stats()
Deprecated.use {@link #sessionContext#stats()}Returns the stats of this context.
-
setRejectRemoteInitiatedRenegotiation
@Deprecated public void setRejectRemoteInitiatedRenegotiation(boolean rejectRemoteInitiatedRenegotiation)
Deprecated.{@deprecated Renegotiation is not supported} Specify if remote initiated renegotiation is supported or not. If not supported and the remote side tries to initiate a renegotiation aSSLHandshakeException
will be thrown during decoding.
-
getRejectRemoteInitiatedRenegotiation
@Deprecated public boolean getRejectRemoteInitiatedRenegotiation()
Deprecated.{@deprecated Renegotiation is not supported}- Returns:
true
because renegotiation is not supported.
-
setBioNonApplicationBufferSize
public void setBioNonApplicationBufferSize(int bioNonApplicationBufferSize)
Set the size of the buffer used by the BIO for non-application based writes (e.g. handshake, renegotiation, etc...).
-
getBioNonApplicationBufferSize
public int getBioNonApplicationBufferSize()
Returns the size of the buffer used by the BIO for non-application based writes
-
setTicketKeys
@Deprecated public final void setTicketKeys(byte[] keys)
Deprecated.Sets the SSL session ticket keys of this context.
-
sessionContext
public abstract OpenSslSessionContext sessionContext()
Description copied from class:SslContext
Returns theSSLSessionContext
object held by this context.- Specified by:
sessionContext
in classSslContext
-
sslCtxPointer
@Deprecated public final long sslCtxPointer()
Deprecated.this method is considered unsafe as the returned pointer may be released later. Dont use it!Returns the pointer to theSSL_CTX
object for thisReferenceCountedOpenSslContext
. Be aware that it is freed as soon as therelease()
method is called. At this point0
will be returned.
-
setPrivateKeyMethod
@Deprecated @UnstableApi public final void setPrivateKeyMethod(OpenSslPrivateKeyMethod method)
Deprecated.Set theOpenSslPrivateKeyMethod
to use. This allows to offload private-key operations if needed. This method is currently only supported whenBoringSSL
is used.- Parameters:
method
- method to use.
-
setUseTasks
@Deprecated public final void setUseTasks(boolean useTasks)
Deprecated.
-
destroy
private void destroy()
-
certificates
protected static java.security.cert.X509Certificate[] certificates(byte[][] chain)
-
chooseTrustManager
protected static javax.net.ssl.X509TrustManager chooseTrustManager(javax.net.ssl.TrustManager[] managers)
-
chooseX509KeyManager
protected static javax.net.ssl.X509KeyManager chooseX509KeyManager(javax.net.ssl.KeyManager[] kms)
-
toNegotiator
static OpenSslApplicationProtocolNegotiator toNegotiator(ApplicationProtocolConfig config)
Translate aApplicationProtocolConfig
object to aOpenSslApplicationProtocolNegotiator
object.- Parameters:
config
- The configuration which defines the translation- Returns:
- The results of the translation
-
useExtendedTrustManager
static boolean useExtendedTrustManager(javax.net.ssl.X509TrustManager trustManager)
-
refCnt
public final int refCnt()
Description copied from interface:ReferenceCounted
Returns the reference count of this object. If0
, it means this object has been deallocated.- Specified by:
refCnt
in interfaceReferenceCounted
-
retain
public final ReferenceCounted retain()
Description copied from interface:ReferenceCounted
Increases the reference count by1
.- Specified by:
retain
in interfaceReferenceCounted
-
retain
public final ReferenceCounted retain(int increment)
Description copied from interface:ReferenceCounted
Increases the reference count by the specifiedincrement
.- Specified by:
retain
in interfaceReferenceCounted
-
touch
public final ReferenceCounted touch()
Description copied from interface:ReferenceCounted
Records the current access location of this object for debugging purposes. If this object is determined to be leaked, the information recorded by this operation will be provided to you viaResourceLeakDetector
. This method is a shortcut totouch(null)
.- Specified by:
touch
in interfaceReferenceCounted
-
touch
public final ReferenceCounted touch(java.lang.Object hint)
Description copied from interface:ReferenceCounted
Records the current access location of this object with an additional arbitrary information for debugging purposes. If this object is determined to be leaked, the information recorded by this operation will be provided to you viaResourceLeakDetector
.- Specified by:
touch
in interfaceReferenceCounted
-
release
public final boolean release()
Description copied from interface:ReferenceCounted
Decreases the reference count by1
and deallocates this object if the reference count reaches at0
.- Specified by:
release
in interfaceReferenceCounted
- Returns:
true
if and only if the reference count became0
and this object has been deallocated
-
release
public final boolean release(int decrement)
Description copied from interface:ReferenceCounted
Decreases the reference count by the specifieddecrement
and deallocates this object if the reference count reaches at0
.- Specified by:
release
in interfaceReferenceCounted
- Returns:
true
if and only if the reference count became0
and this object has been deallocated
-
setKeyMaterial
static void setKeyMaterial(long ctx, java.security.cert.X509Certificate[] keyCertChain, java.security.PrivateKey key, java.lang.String keyPassword) throws javax.net.ssl.SSLException
- Throws:
javax.net.ssl.SSLException
-
freeBio
static void freeBio(long bio)
-
toBIO
static long toBIO(ByteBufAllocator allocator, java.security.PrivateKey key) throws java.lang.Exception
Return the pointer to a in-memory BIO or0
if thekey
isnull
. The BIO contains the content of thekey
.- Throws:
java.lang.Exception
-
toBIO
static long toBIO(ByteBufAllocator allocator, java.security.cert.X509Certificate... certChain) throws java.lang.Exception
Return the pointer to a in-memory BIO or0
if thecertChain
isnull
. The BIO contains the content of thecertChain
.- Throws:
java.lang.Exception
-
toBIO
static long toBIO(ByteBufAllocator allocator, PemEncoded pem) throws java.lang.Exception
- Throws:
java.lang.Exception
-
newBIO
private static long newBIO(ByteBuf buffer) throws java.lang.Exception
- Throws:
java.lang.Exception
-
providerFor
static OpenSslKeyMaterialProvider providerFor(javax.net.ssl.KeyManagerFactory factory, java.lang.String password)
Returns theOpenSslKeyMaterialProvider
that should be used for OpenSSL. Depending on the givenKeyManagerFactory
this may cache theOpenSslKeyMaterial
for better performance if it can ensure that the same material is always returned for the same alias.
-
retrieveEngine
private static ReferenceCountedOpenSslEngine retrieveEngine(OpenSslEngineMap engineMap, long ssl) throws javax.net.ssl.SSLException
- Throws:
javax.net.ssl.SSLException
-
verifyResult
private static byte[] verifyResult(byte[] result) throws java.security.SignatureException
- Throws:
java.security.SignatureException
-
-