Package io.netty.handler.ssl
Class ReferenceCountedOpenSslContext

java.lang.Object
  io.netty.handler.ssl.SslContext
    io.netty.handler.ssl.ReferenceCountedOpenSslContext

- All Implemented Interfaces: ReferenceCounted
- Direct Known Subclasses: OpenSslContext, ReferenceCountedOpenSslClientContext, ReferenceCountedOpenSslServerContext
An implementation of SslContext which works with libraries that support the OpenSsl C library API.

Instances of this class must be released or else native memory will leak!

Instances of this class must not be released before every ReferenceCountedOpenSslEngine that depends on this instance has itself been released. Otherwise, if any method of ReferenceCountedOpenSslEngine that uses this class's JNI resources is called, the JVM may crash.
Nested Class Summary
Nested Classes (Modifier and Type):
- (package private) static class
- private static final class
- private static final class
- private static final class
- private static final class
Field Summary
Fields (Modifier and Type / Field / Description):
- private final OpenSslApplicationProtocolNegotiator apn
- private int bioNonApplicationBufferSize
- (package private) static final boolean CLIENT_ENABLE_SESSION_CACHE
- (package private) static final boolean CLIENT_ENABLE_SESSION_TICKET
- (package private) static final boolean CLIENT_ENABLE_SESSION_TICKET_TLSV13
- (package private) final ClientAuth clientAuth
- protected long ctx: The OpenSSL SSL_CTX object.
- (package private) final ReadWriteLock ctxLock
- private static final int DEFAULT_BIO_NON_APPLICATION_BUFFER_SIZE
- private static final Integer DH_KEY_LENGTH
- (package private) final boolean enableOcsp
- (package private) final OpenSslEngineMap engineMap
- (package private) final boolean hasTLSv13Cipher
- (package private) final Certificate[] keyCertChain
- private final ResourceLeakTracker<ReferenceCountedOpenSslContext> leak
- private static final ResourceLeakDetector<ReferenceCountedOpenSslContext> leakDetector
- private static final InternalLogger logger
- private final int mode
- (package private) static final OpenSslApplicationProtocolNegotiator NONE_PROTOCOL_NEGOTIATOR
- (package private) final String[] protocols
- private final AbstractReferenceCounted refCnt
- (package private) static final boolean SERVER_ENABLE_SESSION_CACHE
- (package private) static final boolean SERVER_ENABLE_SESSION_TICKET
- (package private) static final boolean SERVER_ENABLE_SESSION_TICKET_TLSV13
- (package private) final boolean tlsFalseStart
- (package private) static final boolean USE_TASKS
- protected static final int VERIFY_DEPTH

Fields inherited from class io.netty.handler.ssl.SslContext:
ALIAS, X509_CERT_FACTORY
Constructor Summary
- ReferenceCountedOpenSslContext(Iterable<String> ciphers, CipherSuiteFilter cipherFilter, OpenSslApplicationProtocolNegotiator apn, int mode, Certificate[] keyCertChain, ClientAuth clientAuth, String[] protocols, boolean startTls, boolean enableOcsp, boolean leakDetection, Map.Entry<SslContextOption<?>, Object>... ctxOptions)
Method Summary
Methods (Modifier and Type / Method / Description):
- applicationProtocolNegotiator(): Returns the object responsible for negotiating application layer protocols for the TLS NPN/ALPN extensions.
- protected static X509Certificate[] certificates(byte[][] chain)
- protected static X509TrustManager chooseTrustManager(TrustManager[] managers)
- protected static X509KeyManager chooseX509KeyManager(KeyManager[] kms)
- cipherSuites(): Returns the list of enabled cipher suites, in the order of preference.
- final long context(): Deprecated. This method is considered unsafe as the returned pointer may be released later.
- private void destroy()
- (package private) static void freeBio(long bio)
- int getBioNonApplicationBufferSize(): Returns the size of the buffer used by the BIO for non-application based writes.
- boolean getRejectRemoteInitiatedRenegotiation(): Deprecated.
- final boolean isClient(): Returns true if and only if this context is for client-side.
- private static long newBIO
- final SSLEngine newEngine(ByteBufAllocator alloc): Returns a new server-side SSLEngine with the current configuration.
- final SSLEngine newEngine(ByteBufAllocator alloc, String peerHost, int peerPort): Creates a new SSLEngine using advisory peer information.
- (package private) SSLEngine newEngine0(ByteBufAllocator alloc, String peerHost, int peerPort, boolean jdkCompatibilityMode)
- protected final SslHandler newHandler(ByteBufAllocator alloc, boolean startTls): Create a new SslHandler.
- protected SslHandler newHandler(ByteBufAllocator alloc, boolean startTls, Executor executor): Create a new SslHandler.
- protected final SslHandler newHandler(ByteBufAllocator alloc, String peerHost, int peerPort, boolean startTls): Create a new SslHandler.
- protected SslHandler newHandler(ByteBufAllocator alloc, String peerHost, int peerPort, boolean startTls, Executor executor)
- private static int opensslSelectorFailureBehavior(ApplicationProtocolConfig.SelectorFailureBehavior behavior)
- (package private) static OpenSslKeyMaterialProvider providerFor(KeyManagerFactory factory, String password): Returns the OpenSslKeyMaterialProvider that should be used for OpenSSL.
- final int refCnt(): Returns the reference count of this object.
- final boolean release(): Decreases the reference count by 1 and deallocates this object if the reference count reaches 0.
- final boolean release(int decrement): Decreases the reference count by the specified decrement and deallocates this object if the reference count reaches 0.
- final ReferenceCounted retain(): Increases the reference count by 1.
- final ReferenceCounted retain(int increment): Increases the reference count by the specified increment.
- private static ReferenceCountedOpenSslEngine retrieveEngine(OpenSslEngineMap engineMap, long ssl)
- abstract OpenSslSessionContext sessionContext(): Returns the SSLSessionContext object held by this context.
- void setBioNonApplicationBufferSize(int bioNonApplicationBufferSize): Set the size of the buffer used by the BIO for non-application based writes (e.g. handshake, renegotiation, etc.).
- (package private) static void setKeyMaterial(long ctx, X509Certificate[] keyCertChain, PrivateKey key, String keyPassword)
- final void setPrivateKeyMethod(OpenSslPrivateKeyMethod method): Deprecated.
- void setRejectRemoteInitiatedRenegotiation(boolean rejectRemoteInitiatedRenegotiation): Deprecated.
- final void setTicketKeys(byte[] keys): Deprecated.
- final void setUseTasks(boolean useTasks): Deprecated.
- final long sslCtxPointer(): Deprecated. This method is considered unsafe as the returned pointer may be released later.
- final OpenSslSessionStats stats(): Deprecated. Use sessionContext().stats() instead.
- (package private) static long toBIO(ByteBufAllocator allocator, PemEncoded pem)
- (package private) static long toBIO(ByteBufAllocator allocator, X509Certificate... certChain)
- (package private) static long toBIO(ByteBufAllocator allocator, PrivateKey key)
- (package private) static OpenSslApplicationProtocolNegotiator toNegotiator(ApplicationProtocolConfig config): Translate an ApplicationProtocolConfig object to an OpenSslApplicationProtocolNegotiator object.
- final ReferenceCounted touch(): Records the current access location of this object for debugging purposes.
- final ReferenceCounted touch(Object hint): Records the current access location of this object with additional arbitrary information for debugging purposes.
- (package private) static boolean useExtendedTrustManager(X509TrustManager trustManager)
- private static byte[] verifyResult(byte[] result)

Methods inherited from class io.netty.handler.ssl.SslContext:
attributes, buildKeyManagerFactory, buildKeyManagerFactory, buildKeyStore, buildTrustManagerFactory, buildTrustManagerFactory, buildTrustManagerFactory, defaultClientProvider, defaultServerProvider, generateKeySpec, isServer, keyStorePassword, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContextInternal, newHandler, newHandler, newHandler, newHandler, newServerContext, newServerContext, newServerContext, newServerContext, newServerContext, newServerContext, newServerContext, newServerContext, newServerContext, newServerContext, newServerContext, newServerContextInternal, nextProtocols, sessionCacheSize, sessionTimeout, toApplicationProtocolConfig, toPrivateKey, toPrivateKey, toPrivateKey, toPrivateKeyInternal, toX509Certificates, toX509Certificates, toX509CertificatesInternal
Field Details
- logger
- DEFAULT_BIO_NON_APPLICATION_BUFFER_SIZE
  private static final int DEFAULT_BIO_NON_APPLICATION_BUFFER_SIZE
- USE_TASKS
  static final boolean USE_TASKS
- DH_KEY_LENGTH
- leakDetector
- VERIFY_DEPTH
  protected static final int VERIFY_DEPTH
  See Also:
- CLIENT_ENABLE_SESSION_TICKET
  static final boolean CLIENT_ENABLE_SESSION_TICKET
- CLIENT_ENABLE_SESSION_TICKET_TLSV13
  static final boolean CLIENT_ENABLE_SESSION_TICKET_TLSV13
- SERVER_ENABLE_SESSION_TICKET
  static final boolean SERVER_ENABLE_SESSION_TICKET
- SERVER_ENABLE_SESSION_TICKET_TLSV13
  static final boolean SERVER_ENABLE_SESSION_TICKET_TLSV13
- SERVER_ENABLE_SESSION_CACHE
  static final boolean SERVER_ENABLE_SESSION_CACHE
- CLIENT_ENABLE_SESSION_CACHE
  static final boolean CLIENT_ENABLE_SESSION_CACHE
- ctx
  protected long ctx
  The OpenSSL SSL_CTX object. ctxLock must be held while using ctx!
- unmodifiableCiphers
- apn
- mode
  private final int mode
- leak
- refCnt
- keyCertChain
- clientAuth
- protocols
- hasTLSv13Cipher
  final boolean hasTLSv13Cipher
- enableOcsp
  final boolean enableOcsp
- engineMap
- ctxLock
- bioNonApplicationBufferSize
  private volatile int bioNonApplicationBufferSize
- NONE_PROTOCOL_NEGOTIATOR
- tlsFalseStart
  final boolean tlsFalseStart
Constructor Details
- ReferenceCountedOpenSslContext
  ReferenceCountedOpenSslContext(Iterable<String> ciphers, CipherSuiteFilter cipherFilter, OpenSslApplicationProtocolNegotiator apn, int mode, Certificate[] keyCertChain, ClientAuth clientAuth, String[] protocols, boolean startTls, boolean enableOcsp, boolean leakDetection, Map.Entry<SslContextOption<?>, Object>... ctxOptions) throws SSLException
  Throws: SSLException
Method Details
- opensslSelectorFailureBehavior
  private static int opensslSelectorFailureBehavior(ApplicationProtocolConfig.SelectorFailureBehavior behavior)
- cipherSuites
  Description copied from class: SslContext
  Returns the list of enabled cipher suites, in the order of preference.
  Specified by: cipherSuites in class SslContext
- applicationProtocolNegotiator
  Description copied from class: SslContext
  Returns the object responsible for negotiating application layer protocols for the TLS NPN/ALPN extensions.
  Specified by: applicationProtocolNegotiator in class SslContext
- isClient
  public final boolean isClient()
  Description copied from class: SslContext
  Returns true if and only if this context is for client-side.
  Specified by: isClient in class SslContext
- newEngine
  Description copied from class: SslContext
  Creates a new SSLEngine using advisory peer information. If SslProvider.OPENSSL_REFCNT is used then the object must be released. One way to do this is to wrap it in an SslHandler and insert it into a pipeline. See SslContext.newHandler(ByteBufAllocator, String, int).
  Specified by: newEngine in class SslContext
  Parameters:
    peerHost - the non-authoritative name of the host
    peerPort - the non-authoritative port
  Returns: a new SSLEngine
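The release rule from the class description and from newEngine above, as an added example (not code from the Netty project or from this page): every engine created from an OPENSSL_REFCNT context is released before the context itself, either explicitly or by handing it to an SslHandler. It assumes netty-handler plus a netty-tcnative native library on the classpath; the host name, port and handler name are placeholders.

```java
import io.netty.buffer.ByteBufAllocator;
import io.netty.channel.ChannelPipeline;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;
import io.netty.util.ReferenceCountUtil;

import javax.net.ssl.SSLEngine;

/** Lifecycle of an OPENSSL_REFCNT context: release every engine first, the context last. */
public final class OpenSslRefCntLifecycle {

    /** Option A: a stand-alone engine that the caller releases explicitly. */
    static void standaloneEngine(SslContext ctx) {
        // "host.example" / 443 are placeholder advisory peer values.
        SSLEngine engine = ctx.newEngine(ByteBufAllocator.DEFAULT, "host.example", 443);
        try {
            // drive the handshake with engine.wrap()/unwrap() here
        } finally {
            // ReferenceCountedOpenSslEngine implements ReferenceCounted: this frees its
            // native SSL object. It must happen before the context is released.
            ReferenceCountUtil.release(engine);
        }
    }

    /** Option B (what the Javadoc recommends): an SslHandler in the pipeline owns the engine. */
    static void handlerOwnedEngine(SslContext ctx, ChannelPipeline pipeline) {
        SslHandler handler = ctx.newHandler(ByteBufAllocator.DEFAULT, "host.example", 443);
        // SslHandler releases its engine when it is removed from the pipeline (e.g. on
        // channel close), so no explicit engine release is needed on this path.
        pipeline.addFirst("ssl", handler);
    }

    public static void main(String[] args) throws Exception {
        SslContext ctx = SslContextBuilder.forClient()
                .sslProvider(SslProvider.OPENSSL_REFCNT) // reference-counted native SSL_CTX
                .build();                                // refCnt starts at 1
        try {
            standaloneEngine(ctx);
        } finally {
            // Release the context only after every engine created from it is gone.
            // Skipping this leaks the native SSL_CTX; the GC will not reclaim it.
            boolean freed = ReferenceCountUtil.release(ctx);
            System.out.println("native SSL_CTX freed: " + freed);
        }
    }
}
```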
- newHandler
  Description copied from class: SslContext
  Create a new SslHandler.
  Overrides: newHandler in class SslContext
  See Also:
- newHandler
  protected final SslHandler newHandler(ByteBufAllocator alloc, String peerHost, int peerPort, boolean startTls)
  Description copied from class: SslContext
  Create a new SslHandler.
  Overrides: newHandler in class SslContext
  See Also:
- newHandler
  Description copied from class: SslContext
  Create a new SslHandler.
  Overrides: newHandler in class SslContext
  See Also:
- newHandler
  protected SslHandler newHandler(ByteBufAllocator alloc, String peerHost, int peerPort, boolean startTls, Executor executor)
  Overrides: newHandler in class SslContext
- newEngine0
  SSLEngine newEngine0(ByteBufAllocator alloc, String peerHost, int peerPort, boolean jdkCompatibilityMode)
- newEngine
  Returns a new server-side SSLEngine with the current configuration.
  Specified by: newEngine in class SslContext
  Returns: a new SSLEngine
- context
  Deprecated. This method is considered unsafe as the returned pointer may be released later. Don't use it!
  Returns the pointer to the SSL_CTX object for this ReferenceCountedOpenSslContext. Be aware that it is freed as soon as the Object.finalize() method is called. At this point 0 will be returned.
- stats
  Deprecated. Use sessionContext().stats() instead.
  Returns the stats of this context.
- setRejectRemoteInitiatedRenegotiation
  @Deprecated public void setRejectRemoteInitiatedRenegotiation(boolean rejectRemoteInitiatedRenegotiation)
  Deprecated.
  Specify if remote initiated renegotiation is supported or not. If not supported and the remote side tries to initiate a renegotiation, an SSLHandshakeException will be thrown during decoding.
- getRejectRemoteInitiatedRenegotiation
  Deprecated.
  Returns: true because renegotiation is not supported.
- setBioNonApplicationBufferSize
  public void setBioNonApplicationBufferSize(int bioNonApplicationBufferSize)
  Set the size of the buffer used by the BIO for non-application based writes (e.g. handshake, renegotiation, etc.).
- getBioNonApplicationBufferSize
  public int getBioNonApplicationBufferSize()
  Returns the size of the buffer used by the BIO for non-application based writes.
- setTicketKeys
  Deprecated.
  Sets the SSL session ticket keys of this context.
- sessionContext
  Description copied from class: SslContext
  Returns the SSLSessionContext object held by this context.
  Specified by: sessionContext in class SslContext
- sslCtxPointer
  Deprecated. This method is considered unsafe as the returned pointer may be released later. Don't use it!
  Returns the pointer to the SSL_CTX object for this ReferenceCountedOpenSslContext. Be aware that it is freed as soon as the release() method is called. At this point 0 will be returned.
- setPrivateKeyMethod
  Deprecated.
  Set the OpenSslPrivateKeyMethod to use. This allows offloading private-key operations if needed. This method is currently only supported when BoringSSL is used.
  Parameters:
    method - method to use.
- setUseTasks
  Deprecated.
- destroy
  private void destroy()
- certificates
- chooseTrustManager
- chooseX509KeyManager
- toNegotiator
  Translate an ApplicationProtocolConfig object to an OpenSslApplicationProtocolNegotiator object.
  Parameters:
    config - The configuration which defines the translation
  Returns: The results of the translation
- useExtendedTrustManager
- refCnt
  public final int refCnt()
  Description copied from interface: ReferenceCounted
  Returns the reference count of this object. If 0, it means this object has been deallocated.
  Specified by: refCnt in interface ReferenceCounted
- retain
  Description copied from interface: ReferenceCounted
  Increases the reference count by 1.
  Specified by: retain in interface ReferenceCounted
- retain
  Description copied from interface: ReferenceCounted
  Increases the reference count by the specified increment.
  Specified by: retain in interface ReferenceCounted
- touch
  Description copied from interface: ReferenceCounted
  Records the current access location of this object for debugging purposes. If this object is determined to be leaked, the information recorded by this operation will be provided to you via ResourceLeakDetector. This method is a shortcut to touch(null).
  Specified by: touch in interface ReferenceCounted
- touch
  Description copied from interface: ReferenceCounted
  Records the current access location of this object with additional arbitrary information for debugging purposes. If this object is determined to be leaked, the information recorded by this operation will be provided to you via ResourceLeakDetector.
  Specified by: touch in interface ReferenceCounted
- release
  public final boolean release()
  Description copied from interface: ReferenceCounted
  Decreases the reference count by 1 and deallocates this object if the reference count reaches 0.
  Specified by: release in interface ReferenceCounted
  Returns: true if and only if the reference count became 0 and this object has been deallocated
- release
  public final boolean release(int decrement)
  Description copied from interface: ReferenceCounted
  Decreases the reference count by the specified decrement and deallocates this object if the reference count reaches 0.
  Specified by: release in interface ReferenceCounted
  Returns: true if and only if the reference count became 0 and this object has been deallocated
- setKeyMaterial
  static void setKeyMaterial(long ctx, X509Certificate[] keyCertChain, PrivateKey key, String keyPassword) throws SSLException
  Throws: SSLException
- freeBio
  static void freeBio(long bio)
- toBIO
  Return the pointer to an in-memory BIO, or 0 if the key is null. The BIO contains the content of the key.
  Throws: Exception
- toBIO
  Return the pointer to an in-memory BIO, or 0 if the certChain is null. The BIO contains the content of the certChain.
  Throws: Exception
- toBIO
  Throws: Exception
- newBIO
  Throws: Exception
- providerFor
  Returns the OpenSslKeyMaterialProvider that should be used for OpenSSL. Depending on the given KeyManagerFactory this may cache the OpenSslKeyMaterial for better performance if it can ensure that the same material is always returned for the same alias.
- retrieveEngine
  private static ReferenceCountedOpenSslEngine retrieveEngine(OpenSslEngineMap engineMap, long ssl) throws SSLException
  Throws: SSLException
- verifyResult
  Throws: SignatureException