Skip to content

Commit

Permalink
[feat][broker] Full-support set ssl provider, ciphers and protocols (a…
Browse files Browse the repository at this point in the history
…pache#14569)

Signed-off-by: Zixuan Liu <[email protected]>
  • Loading branch information
nodece authored Apr 1, 2022
1 parent 384c528 commit 9b2ba05
Show file tree
Hide file tree
Showing 19 changed files with 433 additions and 76 deletions.
8 changes: 5 additions & 3 deletions conf/broker.conf
Original file line number Diff line number Diff line change
Expand Up @@ -618,13 +618,15 @@ tlsCiphers=
# authentication.
tlsRequireTrustedClientCertOnConnect=false

# Specify the TLS provider for the broker service:
# When using TLS authentication with CACert, the valid value is either OPENSSL or JDK.
# When using TLS authentication with KeyStore, available values can be SunJSSE, Conscrypt and etc.
tlsProvider=

### --- KeyStore TLS config variables --- ###
# Enable TLS with KeyStore type configuration in broker.
tlsEnabledWithKeyStore=false

# TLS Provider for KeyStore type
tlsProvider=

# TLS KeyStore type configuration in broker: JKS, PKCS12
tlsKeyStoreType=JKS

Expand Down
8 changes: 5 additions & 3 deletions conf/standalone.conf
Original file line number Diff line number Diff line change
Expand Up @@ -379,13 +379,15 @@ tlsCiphers=
# authentication.
tlsRequireTrustedClientCertOnConnect=false

# Specify the TLS provider for the broker service:
# When using TLS authentication with CACert, the valid value is either OPENSSL or JDK.
# When using TLS authentication with KeyStore, available values can be SunJSSE, Conscrypt and etc.
tlsProvider=

### --- KeyStore TLS config variables --- ###
# Enable TLS with KeyStore type configuration in broker.
tlsEnabledWithKeyStore=false

# TLS Provider for KeyStore type
tlsProvider=

# TLS KeyStore type configuration in broker: JKS, PKCS12
tlsKeyStoreType=JKS

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2484,7 +2484,9 @@ public class ServiceConfiguration implements PulsarConfiguration {

@FieldContext(
category = CATEGORY_KEYSTORE_TLS,
doc = "TLS Provider for KeyStore type"
doc = "TLS Provider for Specify the SSL provider for the broker service: \n"
+ "When using TLS authentication with CACert, the valid value is either OPENSSL or JDK.\n"
+ "When using TLS authentication with KeyStore, available values can be SunJSSE, Conscrypt and etc."
)
private String tlsProvider = null;

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@
import io.netty.handler.flow.FlowControlHandler;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;
import java.net.SocketAddress;
import java.util.concurrent.TimeUnit;
import lombok.Builder;
Expand Down Expand Up @@ -92,10 +93,18 @@ public PulsarChannelInitializer(PulsarService pulsar, PulsarChannelOptions opts)
serviceConfig.getTlsProtocols(),
serviceConfig.getTlsCertRefreshCheckDurationSec());
} else {
sslCtxRefresher = new NettyServerSslContextBuilder(serviceConfig.isTlsAllowInsecureConnection(),
serviceConfig.getTlsTrustCertsFilePath(), serviceConfig.getTlsCertificateFilePath(),
SslProvider sslProvider = null;
if (serviceConfig.getTlsProvider() != null) {
sslProvider = SslProvider.valueOf(serviceConfig.getTlsProvider());
}
sslCtxRefresher = new NettyServerSslContextBuilder(
sslProvider,
serviceConfig.isTlsAllowInsecureConnection(),
serviceConfig.getTlsTrustCertsFilePath(),
serviceConfig.getTlsCertificateFilePath(),
serviceConfig.getTlsKeyFilePath(),
serviceConfig.getTlsCiphers(), serviceConfig.getTlsProtocols(),
serviceConfig.getTlsCiphers(),
serviceConfig.getTlsProtocols(),
serviceConfig.isTlsRequireTrustedClientCertOnConnect(),
serviceConfig.getTlsCertRefreshCheckDurationSec());
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponse;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslProvider;
import io.netty.util.concurrent.DefaultThreadFactory;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
Expand Down Expand Up @@ -137,21 +138,32 @@ public boolean keepAlive(InetSocketAddress remoteAddress, Request ahcRequest,
JsseSslEngineFactory sslEngineFactory = new JsseSslEngineFactory(sslCtx);
confBuilder.setSslEngineFactory(sslEngineFactory);
} else {
SslProvider sslProvider = null;
if (conf.getSslProvider() != null) {
sslProvider = SslProvider.valueOf(conf.getSslProvider());
}
SslContext sslCtx = null;
if (authData.hasDataForTls()) {
sslCtx = authData.getTlsTrustStoreStream() == null
? SecurityUtility.createAutoRefreshSslContextForClient(
conf.isTlsAllowInsecureConnection() || !conf.isTlsHostnameVerificationEnable(),
conf.getTlsTrustCertsFilePath(), authData.getTlsCerificateFilePath(),
authData.getTlsPrivateKeyFilePath(), null, autoCertRefreshTimeSeconds, delayer)
sslProvider,
conf.isTlsAllowInsecureConnection() || !conf.isTlsHostnameVerificationEnable(),
conf.getTlsTrustCertsFilePath(), authData.getTlsCerificateFilePath(),
authData.getTlsPrivateKeyFilePath(), null, autoCertRefreshTimeSeconds, delayer)
: SecurityUtility.createNettySslContextForClient(
conf.isTlsAllowInsecureConnection() || !conf.isTlsHostnameVerificationEnable(),
authData.getTlsTrustStoreStream(), authData.getTlsCertificates(),
authData.getTlsPrivateKey());
sslProvider,
conf.isTlsAllowInsecureConnection() || !conf.isTlsHostnameVerificationEnable(),
authData.getTlsTrustStoreStream(), authData.getTlsCertificates(),
authData.getTlsPrivateKey(),
conf.getTlsCiphers(),
conf.getTlsProtocols());
} else {
sslCtx = SecurityUtility.createNettySslContextForClient(
sslProvider,
conf.isTlsAllowInsecureConnection() || !conf.isTlsHostnameVerificationEnable(),
conf.getTlsTrustCertsFilePath());
conf.getTlsTrustCertsFilePath(),
conf.getTlsCiphers(),
conf.getTlsProtocols());
}
confBuilder.setSslContext(sslCtx);
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,12 +22,14 @@
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponse;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslProvider;
import java.io.Closeable;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;
Expand Down Expand Up @@ -109,24 +111,33 @@ public boolean keepAlive(InetSocketAddress remoteAddress, Request ahcRequest,
JsseSslEngineFactory sslEngineFactory = new JsseSslEngineFactory(sslCtx);
confBuilder.setSslEngineFactory(sslEngineFactory);
} else {
SslProvider sslProvider = null;
if (conf.getSslProvider() != null) {
sslProvider = SslProvider.valueOf(conf.getSslProvider());
}
SslContext sslCtx = null;
if (authData.hasDataForTls()) {
sslCtx = authData.getTlsTrustStoreStream() == null
? SecurityUtility.createNettySslContextForClient(conf.isTlsAllowInsecureConnection(),
conf.getTlsTrustCertsFilePath(), authData.getTlsCertificates(),
authData.getTlsPrivateKey())
: SecurityUtility.createNettySslContextForClient(conf.isTlsAllowInsecureConnection(),
authData.getTlsTrustStoreStream(), authData.getTlsCertificates(),
authData.getTlsPrivateKey());
? SecurityUtility.createNettySslContextForClient(sslProvider,
conf.isTlsAllowInsecureConnection(),
conf.getTlsTrustCertsFilePath(), authData.getTlsCertificates(),
authData.getTlsPrivateKey(), conf.getTlsCiphers(), conf.getTlsProtocols())
: SecurityUtility.createNettySslContextForClient(sslProvider,
conf.isTlsAllowInsecureConnection(),
authData.getTlsTrustStoreStream(), authData.getTlsCertificates(),
authData.getTlsPrivateKey(), conf.getTlsCiphers(), conf.getTlsProtocols());
} else {
sslCtx = SecurityUtility.createNettySslContextForClient(
sslProvider,
conf.isTlsAllowInsecureConnection(),
conf.getTlsTrustCertsFilePath());
conf.getTlsTrustCertsFilePath(), conf.getTlsCiphers(), conf.getTlsProtocols());
}
confBuilder.setSslContext(sslCtx);
}

confBuilder.setUseInsecureTrustManager(conf.isTlsAllowInsecureConnection());
} catch (GeneralSecurityException e) {
throw new PulsarClientException.InvalidConfigurationException(e);
} catch (Exception e) {
throw new PulsarClientException.InvalidConfigurationException(e);
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@
import io.netty.handler.proxy.Socks5ProxyHandler;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;
import java.net.InetSocketAddress;
import java.util.Objects;
import java.util.concurrent.CompletableFuture;
Expand Down Expand Up @@ -92,19 +93,36 @@ public PulsarChannelInitializer(ClientConfigurationData conf, Supplier<ClientCnx

sslContextSupplier = new ObjectCache<SslContext>(() -> {
try {
SslProvider sslProvider = null;
if (conf.getSslProvider() != null) {
sslProvider = SslProvider.valueOf(conf.getSslProvider());
}

// Set client certificate if available
AuthenticationDataProvider authData = conf.getAuthentication().getAuthData();
if (authData.hasDataForTls()) {
return authData.getTlsTrustStoreStream() == null
? SecurityUtility.createNettySslContextForClient(conf.isTlsAllowInsecureConnection(),
conf.getTlsTrustCertsFilePath(),
authData.getTlsCertificates(), authData.getTlsPrivateKey())
: SecurityUtility.createNettySslContextForClient(conf.isTlsAllowInsecureConnection(),
authData.getTlsTrustStoreStream(),
authData.getTlsCertificates(), authData.getTlsPrivateKey());
? SecurityUtility.createNettySslContextForClient(
sslProvider,
conf.isTlsAllowInsecureConnection(),
conf.getTlsTrustCertsFilePath(),
authData.getTlsCertificates(),
authData.getTlsPrivateKey(),
conf.getTlsCiphers(),
conf.getTlsProtocols())
: SecurityUtility.createNettySslContextForClient(sslProvider,
conf.isTlsAllowInsecureConnection(),
authData.getTlsTrustStoreStream(),
authData.getTlsCertificates(), authData.getTlsPrivateKey(),
conf.getTlsCiphers(),
conf.getTlsProtocols());
} else {
return SecurityUtility.createNettySslContextForClient(conf.isTlsAllowInsecureConnection(),
conf.getTlsTrustCertsFilePath());
return SecurityUtility.createNettySslContextForClient(
sslProvider,
conf.isTlsAllowInsecureConnection(),
conf.getTlsTrustCertsFilePath(),
conf.getTlsCiphers(),
conf.getTlsProtocols());
}
} catch (Exception e) {
throw new RuntimeException("Failed to create TLS context", e);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,10 +19,12 @@
package org.apache.pulsar.common.util;

import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslProvider;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.SSLException;
import lombok.extern.slf4j.Slf4j;
import org.apache.pulsar.client.api.AuthenticationDataProvider;
Expand All @@ -33,15 +35,20 @@
@Slf4j
public class NettyClientSslContextRefresher extends SslContextAutoRefreshBuilder<SslContext> {
private volatile SslContext sslNettyContext;
private boolean tlsAllowInsecureConnection;
private final boolean tlsAllowInsecureConnection;
protected final FileModifiedTimeUpdater tlsTrustCertsFilePath;
protected final FileModifiedTimeUpdater tlsCertsFilePath;
protected final FileModifiedTimeUpdater tlsPrivateKeyFilePath;
private AuthenticationDataProvider authData;
private final AuthenticationDataProvider authData;
private final SslProvider sslProvider;
private final Set<String> ciphers;
private final Set<String> protocols;

public NettyClientSslContextRefresher(boolean allowInsecure,
public NettyClientSslContextRefresher(SslProvider sslProvider, boolean allowInsecure,
String trustCertsFilePath,
AuthenticationDataProvider authData,
Set<String> ciphers,
Set<String> protocols,
long delayInSeconds)
throws IOException, GeneralSecurityException {
super(delayInSeconds);
Expand All @@ -52,22 +59,26 @@ public NettyClientSslContextRefresher(boolean allowInsecure,
authData != null ? authData.getTlsCerificateFilePath() : null);
this.tlsPrivateKeyFilePath = new FileModifiedTimeUpdater(
authData != null ? authData.getTlsPrivateKeyFilePath() : null);
this.sslProvider = sslProvider;
this.ciphers = ciphers;
this.protocols = protocols;
}

@Override
public synchronized SslContext update()
throws SSLException, FileNotFoundException, GeneralSecurityException, IOException {
if (authData != null && authData.hasDataForTls()) {
this.sslNettyContext = authData.getTlsTrustStoreStream() == null
? SecurityUtility.createNettySslContextForClient(this.tlsAllowInsecureConnection,
tlsTrustCertsFilePath.getFileName(), (X509Certificate[]) authData.getTlsCertificates(),
authData.getTlsPrivateKey())
: SecurityUtility.createNettySslContextForClient(this.tlsAllowInsecureConnection,
authData.getTlsTrustStoreStream(), (X509Certificate[]) authData.getTlsCertificates(),
authData.getTlsPrivateKey());
? SecurityUtility.createNettySslContextForClient(this.sslProvider, this.tlsAllowInsecureConnection,
tlsTrustCertsFilePath.getFileName(), (X509Certificate[]) authData.getTlsCertificates(),
authData.getTlsPrivateKey(), this.ciphers, this.protocols)
: SecurityUtility.createNettySslContextForClient(this.sslProvider, this.tlsAllowInsecureConnection,
authData.getTlsTrustStoreStream(), (X509Certificate[]) authData.getTlsCertificates(),
authData.getTlsPrivateKey(), this.ciphers, this.protocols);
} else {
this.sslNettyContext = SecurityUtility.createNettySslContextForClient(this.tlsAllowInsecureConnection,
this.tlsTrustCertsFilePath.getFileName());
this.sslNettyContext =
SecurityUtility.createNettySslContextForClient(this.sslProvider, this.tlsAllowInsecureConnection,
this.tlsTrustCertsFilePath.getFileName(), this.ciphers, this.protocols);
}
return this.sslNettyContext;
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
package org.apache.pulsar.common.util;

import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslProvider;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.GeneralSecurityException;
Expand All @@ -36,8 +37,10 @@ public class NettyServerSslContextBuilder extends SslContextAutoRefreshBuilder<S
protected final Set<String> tlsCiphers;
protected final Set<String> tlsProtocols;
protected final boolean tlsRequireTrustedClientCertOnConnect;
protected final SslProvider sslProvider;

public NettyServerSslContextBuilder(boolean allowInsecure, String trustCertsFilePath, String certificateFilePath,
public NettyServerSslContextBuilder(SslProvider sslProvider, boolean allowInsecure, String trustCertsFilePath,
String certificateFilePath,
String keyFilePath, Set<String> ciphers, Set<String> protocols,
boolean requireTrustedClientCertOnConnect,
long delayInSeconds) {
Expand All @@ -49,14 +52,17 @@ public NettyServerSslContextBuilder(boolean allowInsecure, String trustCertsFile
this.tlsCiphers = ciphers;
this.tlsProtocols = protocols;
this.tlsRequireTrustedClientCertOnConnect = requireTrustedClientCertOnConnect;
this.sslProvider = sslProvider;
}

@Override
public synchronized SslContext update()
throws SSLException, FileNotFoundException, GeneralSecurityException, IOException {
this.sslNettyContext = SecurityUtility.createNettySslContextForServer(tlsAllowInsecureConnection,
tlsTrustCertsFilePath.getFileName(), tlsCertificateFilePath.getFileName(), tlsKeyFilePath.getFileName(),
tlsCiphers, tlsProtocols, tlsRequireTrustedClientCertOnConnect);
throws SSLException, FileNotFoundException, GeneralSecurityException, IOException {
this.sslNettyContext =
SecurityUtility.createNettySslContextForServer(this.sslProvider, tlsAllowInsecureConnection,
tlsTrustCertsFilePath.getFileName(), tlsCertificateFilePath.getFileName(),
tlsKeyFilePath.getFileName(),
tlsCiphers, tlsProtocols, tlsRequireTrustedClientCertOnConnect);
return this.sslNettyContext;
}

Expand Down
Loading

0 comments on commit 9b2ba05

Please sign in to comment.