提交 9cd0b885 编写于 作者: Y yukon

Centralize the TLS related configurations

上级 81507467
...@@ -32,10 +32,11 @@ import org.apache.rocketmq.common.MQVersion; ...@@ -32,10 +32,11 @@ import org.apache.rocketmq.common.MQVersion;
import org.apache.rocketmq.common.MixAll; import org.apache.rocketmq.common.MixAll;
import org.apache.rocketmq.common.constant.LoggerName; import org.apache.rocketmq.common.constant.LoggerName;
import org.apache.rocketmq.remoting.common.RemotingUtil; import org.apache.rocketmq.remoting.common.RemotingUtil;
import org.apache.rocketmq.remoting.common.SslMode; import org.apache.rocketmq.remoting.common.TlsMode;
import org.apache.rocketmq.remoting.netty.NettyClientConfig; import org.apache.rocketmq.remoting.netty.NettyClientConfig;
import org.apache.rocketmq.remoting.netty.NettyServerConfig; import org.apache.rocketmq.remoting.netty.NettyServerConfig;
import org.apache.rocketmq.remoting.netty.NettySystemConfig; import org.apache.rocketmq.remoting.netty.NettySystemConfig;
import org.apache.rocketmq.remoting.netty.TlsSystemConfig;
import org.apache.rocketmq.remoting.protocol.RemotingCommand; import org.apache.rocketmq.remoting.protocol.RemotingCommand;
import org.apache.rocketmq.srvutil.ServerUtil; import org.apache.rocketmq.srvutil.ServerUtil;
import org.apache.rocketmq.store.config.BrokerRole; import org.apache.rocketmq.store.config.BrokerRole;
...@@ -43,6 +44,8 @@ import org.apache.rocketmq.store.config.MessageStoreConfig; ...@@ -43,6 +44,8 @@ import org.apache.rocketmq.store.config.MessageStoreConfig;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_ENABLE;
public class BrokerStartup { public class BrokerStartup {
public static Properties properties = null; public static Properties properties = null;
public static CommandLine commandLine = null; public static CommandLine commandLine = null;
...@@ -98,7 +101,9 @@ public class BrokerStartup { ...@@ -98,7 +101,9 @@ public class BrokerStartup {
final BrokerConfig brokerConfig = new BrokerConfig(); final BrokerConfig brokerConfig = new BrokerConfig();
final NettyServerConfig nettyServerConfig = new NettyServerConfig(); final NettyServerConfig nettyServerConfig = new NettyServerConfig();
final NettyClientConfig nettyClientConfig = new NettyClientConfig(); final NettyClientConfig nettyClientConfig = new NettyClientConfig();
nettyClientConfig.setUseTLS(NettySystemConfig.sslMode == SslMode.ENFORCING);
nettyClientConfig.setUseTLS(Boolean.parseBoolean(System.getProperty(TLS_ENABLE,
String.valueOf(TlsSystemConfig.tlsMode == TlsMode.ENFORCING))));
nettyServerConfig.setListenPort(10911); nettyServerConfig.setListenPort(10911);
final MessageStoreConfig messageStoreConfig = new MessageStoreConfig(); final MessageStoreConfig messageStoreConfig = new MessageStoreConfig();
......
...@@ -19,6 +19,7 @@ package org.apache.rocketmq.client; ...@@ -19,6 +19,7 @@ package org.apache.rocketmq.client;
import org.apache.rocketmq.common.MixAll; import org.apache.rocketmq.common.MixAll;
import org.apache.rocketmq.common.UtilAll; import org.apache.rocketmq.common.UtilAll;
import org.apache.rocketmq.remoting.common.RemotingUtil; import org.apache.rocketmq.remoting.common.RemotingUtil;
import org.apache.rocketmq.remoting.netty.TlsSystemConfig;
/** /**
* Client Common configuration * Client Common configuration
...@@ -45,7 +46,7 @@ public class ClientConfig { ...@@ -45,7 +46,7 @@ public class ClientConfig {
private String unitName; private String unitName;
private boolean vipChannelEnabled = Boolean.parseBoolean(System.getProperty(SEND_MESSAGE_WITH_VIP_CHANNEL_PROPERTY, "true")); private boolean vipChannelEnabled = Boolean.parseBoolean(System.getProperty(SEND_MESSAGE_WITH_VIP_CHANNEL_PROPERTY, "true"));
private boolean useTLS; private boolean useTLS = TlsSystemConfig.tlsEnable;
public String buildMQClientId() { public String buildMQClientId() {
StringBuilder sb = new StringBuilder(); StringBuilder sb = new StringBuilder();
......
...@@ -25,7 +25,7 @@ package org.apache.rocketmq.remoting.common; ...@@ -25,7 +25,7 @@ package org.apache.rocketmq.remoting.common;
* <li><strong>enforcing:</strong> SSL is required, aka, non SSL connection will be rejected.</li> * <li><strong>enforcing:</strong> SSL is required, aka, non SSL connection will be rejected.</li>
* </ol> * </ol>
*/ */
public enum SslMode { public enum TlsMode {
DISABLED("disabled"), DISABLED("disabled"),
PERMISSIVE("permissive"), PERMISSIVE("permissive"),
...@@ -33,14 +33,14 @@ public enum SslMode { ...@@ -33,14 +33,14 @@ public enum SslMode {
private String name; private String name;
SslMode(String name) { TlsMode(String name) {
this.name = name; this.name = name;
} }
public static SslMode parse(String mode) { public static TlsMode parse(String mode) {
for (SslMode sslMode: SslMode.values()) { for (TlsMode tlsMode : TlsMode.values()) {
if (sslMode.name.equals(mode)) { if (tlsMode.name.equals(mode)) {
return sslMode; return tlsMode;
} }
} }
......
...@@ -131,7 +131,7 @@ public class NettyRemotingClient extends NettyRemotingAbstract implements Remoti ...@@ -131,7 +131,7 @@ public class NettyRemotingClient extends NettyRemotingAbstract implements Remoti
if (nettyClientConfig.isUseTLS()) { if (nettyClientConfig.isUseTLS()) {
try { try {
sslContext = SslHelper.buildSslContext(true); sslContext = TlsHelper.buildSslContext(true);
log.info("SSL enabled for client"); log.info("SSL enabled for client");
} catch (IOException e) { } catch (IOException e) {
log.error("Failed to create SSLContext", e); log.error("Failed to create SSLContext", e);
......
...@@ -54,7 +54,7 @@ import org.apache.rocketmq.remoting.RemotingServer; ...@@ -54,7 +54,7 @@ import org.apache.rocketmq.remoting.RemotingServer;
import org.apache.rocketmq.remoting.common.Pair; import org.apache.rocketmq.remoting.common.Pair;
import org.apache.rocketmq.remoting.common.RemotingHelper; import org.apache.rocketmq.remoting.common.RemotingHelper;
import org.apache.rocketmq.remoting.common.RemotingUtil; import org.apache.rocketmq.remoting.common.RemotingUtil;
import org.apache.rocketmq.remoting.common.SslMode; import org.apache.rocketmq.remoting.common.TlsMode;
import org.apache.rocketmq.remoting.exception.RemotingSendRequestException; import org.apache.rocketmq.remoting.exception.RemotingSendRequestException;
import org.apache.rocketmq.remoting.exception.RemotingTimeoutException; import org.apache.rocketmq.remoting.exception.RemotingTimeoutException;
import org.apache.rocketmq.remoting.exception.RemotingTooMuchRequestException; import org.apache.rocketmq.remoting.exception.RemotingTooMuchRequestException;
...@@ -139,12 +139,12 @@ public class NettyRemotingServer extends NettyRemotingAbstract implements Remoti ...@@ -139,12 +139,12 @@ public class NettyRemotingServer extends NettyRemotingAbstract implements Remoti
}); });
} }
SslMode sslMode = NettySystemConfig.sslMode; TlsMode tlsMode = TlsSystemConfig.tlsMode;
log.info("Server is running in TLS {} mode", sslMode.getName()); log.info("Server is running in TLS {} mode", tlsMode.getName());
if (sslMode != SslMode.DISABLED) { if (tlsMode != TlsMode.DISABLED) {
try { try {
sslContext = SslHelper.buildSslContext(false); sslContext = TlsHelper.buildSslContext(false);
log.info("SSLContext created for server"); log.info("SSLContext created for server");
} catch (CertificateException e) { } catch (CertificateException e) {
log.error("Failed to create SSLContext for server", e); log.error("Failed to create SSLContext for server", e);
...@@ -189,7 +189,7 @@ public class NettyRemotingServer extends NettyRemotingAbstract implements Remoti ...@@ -189,7 +189,7 @@ public class NettyRemotingServer extends NettyRemotingAbstract implements Remoti
public void initChannel(SocketChannel ch) throws Exception { public void initChannel(SocketChannel ch) throws Exception {
ch.pipeline() ch.pipeline()
.addLast(defaultEventExecutorGroup, HANDSHAKE_HANDLER_NAME, .addLast(defaultEventExecutorGroup, HANDSHAKE_HANDLER_NAME,
new HandshakeHandler(NettySystemConfig.sslMode)) new HandshakeHandler(TlsSystemConfig.tlsMode))
.addLast(defaultEventExecutorGroup, .addLast(defaultEventExecutorGroup,
new NettyEncoder(), new NettyEncoder(),
new NettyDecoder(), new NettyDecoder(),
...@@ -326,12 +326,12 @@ public class NettyRemotingServer extends NettyRemotingAbstract implements Remoti ...@@ -326,12 +326,12 @@ public class NettyRemotingServer extends NettyRemotingAbstract implements Remoti
class HandshakeHandler extends SimpleChannelInboundHandler<ByteBuf> { class HandshakeHandler extends SimpleChannelInboundHandler<ByteBuf> {
private final SslMode sslMode; private final TlsMode tlsMode;
private static final byte HANDSHAKE_MAGIC_CODE = 0x16; private static final byte HANDSHAKE_MAGIC_CODE = 0x16;
HandshakeHandler(SslMode sslMode) { HandshakeHandler(TlsMode tlsMode) {
this.sslMode = sslMode; this.tlsMode = tlsMode;
} }
@Override @Override
...@@ -344,7 +344,7 @@ public class NettyRemotingServer extends NettyRemotingAbstract implements Remoti ...@@ -344,7 +344,7 @@ public class NettyRemotingServer extends NettyRemotingAbstract implements Remoti
byte b = msg.getByte(0); byte b = msg.getByte(0);
if (b == HANDSHAKE_MAGIC_CODE) { if (b == HANDSHAKE_MAGIC_CODE) {
switch (sslMode) { switch (tlsMode) {
case DISABLED: case DISABLED:
ctx.close(); ctx.close();
log.warn("Clients intend to establish a SSL connection while this server is running in SSL disabled mode"); log.warn("Clients intend to establish a SSL connection while this server is running in SSL disabled mode");
...@@ -366,7 +366,7 @@ public class NettyRemotingServer extends NettyRemotingAbstract implements Remoti ...@@ -366,7 +366,7 @@ public class NettyRemotingServer extends NettyRemotingAbstract implements Remoti
log.warn("Unknown TLS mode"); log.warn("Unknown TLS mode");
break; break;
} }
} else if (sslMode == SslMode.ENFORCING) { } else if (tlsMode == TlsMode.ENFORCING) {
ctx.close(); ctx.close();
log.warn("Clients intend to establish an insecure connection while this server is running in SSL enforcing mode"); log.warn("Clients intend to establish an insecure connection while this server is running in SSL enforcing mode");
} }
......
...@@ -17,8 +17,6 @@ ...@@ -17,8 +17,6 @@
package org.apache.rocketmq.remoting.netty; package org.apache.rocketmq.remoting.netty;
import org.apache.rocketmq.remoting.common.SslMode;
public class NettySystemConfig { public class NettySystemConfig {
public static final String COM_ROCKETMQ_REMOTING_NETTY_POOLED_BYTE_BUF_ALLOCATOR_ENABLE = public static final String COM_ROCKETMQ_REMOTING_NETTY_POOLED_BYTE_BUF_ALLOCATOR_ENABLE =
"com.rocketmq.remoting.nettyPooledByteBufAllocatorEnable"; "com.rocketmq.remoting.nettyPooledByteBufAllocatorEnable";
...@@ -31,12 +29,6 @@ public class NettySystemConfig { ...@@ -31,12 +29,6 @@ public class NettySystemConfig {
public static final String COM_ROCKETMQ_REMOTING_CLIENT_ONEWAY_SEMAPHORE_VALUE = public static final String COM_ROCKETMQ_REMOTING_CLIENT_ONEWAY_SEMAPHORE_VALUE =
"com.rocketmq.remoting.clientOnewaySemaphoreValue"; "com.rocketmq.remoting.clientOnewaySemaphoreValue";
public static final String ORG_APACHE_ROCKETMQ_REMOTING_SSL_MODE = //
"org.apache.rocketmq.remoting.ssl.mode";
public static final String ORG_APACHE_ROCKETMQ_REMOTING_SSL_CONFIG_FILE = //
"org.apache.rocketmq.remoting.ssl.config.file";
public static final boolean NETTY_POOLED_BYTE_BUF_ALLOCATOR_ENABLE = // public static final boolean NETTY_POOLED_BYTE_BUF_ALLOCATOR_ENABLE = //
Boolean.parseBoolean(System.getProperty(COM_ROCKETMQ_REMOTING_NETTY_POOLED_BYTE_BUF_ALLOCATOR_ENABLE, "false")); Boolean.parseBoolean(System.getProperty(COM_ROCKETMQ_REMOTING_NETTY_POOLED_BYTE_BUF_ALLOCATOR_ENABLE, "false"));
public static final int CLIENT_ASYNC_SEMAPHORE_VALUE = // public static final int CLIENT_ASYNC_SEMAPHORE_VALUE = //
...@@ -47,18 +39,4 @@ public class NettySystemConfig { ...@@ -47,18 +39,4 @@ public class NettySystemConfig {
Integer.parseInt(System.getProperty(COM_ROCKETMQ_REMOTING_SOCKET_SNDBUF_SIZE, "65535")); Integer.parseInt(System.getProperty(COM_ROCKETMQ_REMOTING_SOCKET_SNDBUF_SIZE, "65535"));
public static int socketRcvbufSize = public static int socketRcvbufSize =
Integer.parseInt(System.getProperty(COM_ROCKETMQ_REMOTING_SOCKET_RCVBUF_SIZE, "65535")); Integer.parseInt(System.getProperty(COM_ROCKETMQ_REMOTING_SOCKET_RCVBUF_SIZE, "65535"));
/**
* For server, three SSL modes are supported: disabled, permissive and enforcing.
* <ol>
* <li><strong>disabled:</strong> SSL is not supported; any incoming SSL handshake will be rejected, causing connection closed.</li>
* <li><strong>permissive:</strong> SSL is optional, aka, server in this mode can serve client connections with or without SSL;</li>
* <li><strong>enforcing:</strong> SSL is required, aka, non SSL connection will be rejected.</li>
* </ol>
*/
public static SslMode sslMode = //
SslMode.parse(System.getProperty(ORG_APACHE_ROCKETMQ_REMOTING_SSL_MODE, "permissive"));
public static String sslConfigFile = //
System.getProperty(ORG_APACHE_ROCKETMQ_REMOTING_SSL_CONFIG_FILE, "/etc/rocketmq/ssl.properties");
} }
...@@ -26,7 +26,6 @@ import io.netty.handler.ssl.util.InsecureTrustManagerFactory; ...@@ -26,7 +26,6 @@ import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import io.netty.handler.ssl.util.SelfSignedCertificate; import io.netty.handler.ssl.util.SelfSignedCertificate;
import java.io.File; import java.io.File;
import java.io.FileInputStream; import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException; import java.io.IOException;
import java.io.InputStream; import java.io.InputStream;
import java.security.cert.CertificateException; import java.security.cert.CertificateException;
...@@ -35,7 +34,32 @@ import org.apache.rocketmq.remoting.common.RemotingHelper; ...@@ -35,7 +34,32 @@ import org.apache.rocketmq.remoting.common.RemotingHelper;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
public class SslHelper { import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_CLIENT_AUTHSERVER;
import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_CLIENT_CERTPATH;
import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_CLIENT_KEYPASSWORD;
import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_CLIENT_KEYPATH;
import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_CLIENT_TRUSTCERTPATH;
import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_SERVER_AUTHCLIENT;
import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_SERVER_CERTPATH;
import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_SERVER_KEYPASSWORD;
import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_SERVER_KEYPATH;
import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_SERVER_NEED_CLIENT_AUTH;
import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_SERVER_TRUSTCERTPATH;
import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_TEST_MODE_ENABLE;
import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsClientAuthServer;
import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsClientCertPath;
import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsClientKeyPassword;
import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsClientKeyPath;
import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsClientTrustCertPath;
import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsServerAuthClient;
import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsServerCertPath;
import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsServerKeyPassword;
import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsServerKeyPath;
import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsServerNeedClientAuth;
import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsServerTrustCertPath;
import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsTestModeEnable;
public class TlsHelper {
public interface DecryptionStrategy { public interface DecryptionStrategy {
/** /**
...@@ -61,34 +85,15 @@ public class SslHelper { ...@@ -61,34 +85,15 @@ public class SslHelper {
public static void registerDecryptionStrategy(final DecryptionStrategy decryptionStrategy) { public static void registerDecryptionStrategy(final DecryptionStrategy decryptionStrategy) {
SslHelper.decryptionStrategy = decryptionStrategy; TlsHelper.decryptionStrategy = decryptionStrategy;
} }
public static SslContext buildSslContext(boolean forClient) throws IOException, CertificateException { public static SslContext buildSslContext(boolean forClient) throws IOException, CertificateException {
File configFile = new File(TlsSystemConfig.tlsConfigFile);
extractTlsConfigFromFile(configFile);
logTheFinalUsedTlsConfig();
File configFile = new File(NettySystemConfig.sslConfigFile); SslProvider provider;
boolean testMode = !(configFile.exists() && configFile.isFile() && configFile.canRead());
Properties properties = null;
if (!testMode) {
properties = new Properties();
InputStream inputStream = null;
try {
inputStream = new FileInputStream(configFile);
properties.load(inputStream);
} catch (FileNotFoundException ignore) {
} catch (IOException ignore) {
} finally {
if (null != inputStream) {
try {
inputStream.close();
} catch (IOException ignore) {
}
}
}
}
SslProvider provider = null;
if (OpenSsl.isAvailable()) { if (OpenSsl.isAvailable()) {
provider = SslProvider.OPENSSL; provider = SslProvider.OPENSSL;
LOGGER.info("Using OpenSSL provider"); LOGGER.info("Using OpenSSL provider");
...@@ -98,7 +103,7 @@ public class SslHelper { ...@@ -98,7 +103,7 @@ public class SslHelper {
} }
if (forClient) { if (forClient) {
if (testMode) { if (tlsTestModeEnable) {
return SslContextBuilder return SslContextBuilder
.forClient() .forClient()
.sslProvider(SslProvider.JDK) .sslProvider(SslProvider.JDK)
...@@ -107,23 +112,24 @@ public class SslHelper { ...@@ -107,23 +112,24 @@ public class SslHelper {
} else { } else {
SslContextBuilder sslContextBuilder = SslContextBuilder.forClient().sslProvider(SslProvider.JDK); SslContextBuilder sslContextBuilder = SslContextBuilder.forClient().sslProvider(SslProvider.JDK);
if ("false".equals(properties.getProperty("client.auth.server"))) {
if (!tlsClientAuthServer) {
sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE); sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
} else { } else {
if (properties.containsKey("client.trustManager")) { if (!isNullOrEmpty(tlsClientTrustCertPath)) {
sslContextBuilder.trustManager(new File(properties.getProperty("client.trustManager"))); sslContextBuilder.trustManager(new File(tlsClientTrustCertPath));
} }
} }
return sslContextBuilder.keyManager( return sslContextBuilder.keyManager(
properties.containsKey("client.keyCertChainFile") ? new FileInputStream(properties.getProperty("client.keyCertChainFile")) : null, !isNullOrEmpty(tlsClientCertPath) ? new FileInputStream(tlsClientCertPath) : null,
properties.containsKey("client.keyFile") ? decryptionStrategy.decryptPrivateKey(properties.getProperty("client.keyFile"), true) : null, !isNullOrEmpty(tlsClientKeyPath) ? decryptionStrategy.decryptPrivateKey(tlsClientKeyPath, true) : null,
properties.containsKey("client.password") ? properties.getProperty("client.password") : null) !isNullOrEmpty(tlsClientKeyPassword) ? tlsClientKeyPassword : null)
.build(); .build();
} }
} else { } else {
if (testMode) { if (tlsTestModeEnable) {
SelfSignedCertificate selfSignedCertificate = new SelfSignedCertificate(); SelfSignedCertificate selfSignedCertificate = new SelfSignedCertificate();
return SslContextBuilder return SslContextBuilder
.forServer(selfSignedCertificate.certificate(), selfSignedCertificate.privateKey()) .forServer(selfSignedCertificate.certificate(), selfSignedCertificate.privateKey())
...@@ -131,27 +137,97 @@ public class SslHelper { ...@@ -131,27 +137,97 @@ public class SslHelper {
.clientAuth(ClientAuth.OPTIONAL) .clientAuth(ClientAuth.OPTIONAL)
.build(); .build();
} else { } else {
return SslContextBuilder.forServer( SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(
properties.containsKey("server.keyCertChainFile") ? new FileInputStream(properties.getProperty("server.keyCertChainFile")) : null, !isNullOrEmpty(tlsServerCertPath) ? new FileInputStream(tlsServerCertPath) : null,
properties.containsKey("server.keyFile") ? decryptionStrategy.decryptPrivateKey(properties.getProperty("server.keyFile"), false) : null, !isNullOrEmpty(tlsServerKeyPath) ? decryptionStrategy.decryptPrivateKey(tlsServerKeyPath, false) : null,
properties.containsKey("server.password") ? properties.getProperty("server.password") : null) !isNullOrEmpty(tlsServerKeyPassword) ? tlsServerKeyPassword : null)
.sslProvider(provider) .sslProvider(provider);
.trustManager(new File(properties.getProperty("server.trustManager")))
.clientAuth(parseClientAuthMode(properties.getProperty("server.auth.client"))) if (!tlsServerAuthClient) {
.build(); sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
} else {
if (!isNullOrEmpty(tlsServerTrustCertPath)) {
sslContextBuilder.trustManager(new File(tlsServerTrustCertPath));
}
}
sslContextBuilder.clientAuth(parseClientAuthMode(tlsServerNeedClientAuth));
return sslContextBuilder.build();
} }
} }
} }
private static void extractTlsConfigFromFile(final File configFile) {
if (!(configFile.exists() && configFile.isFile() && configFile.canRead())) {
LOGGER.info("Tls config file doesn't exist, skip it");
}
Properties properties;
properties = new Properties();
InputStream inputStream = null;
try {
inputStream = new FileInputStream(configFile);
properties.load(inputStream);
} catch (IOException ignore) {
} finally {
if (null != inputStream) {
try {
inputStream.close();
} catch (IOException ignore) {
}
}
}
tlsTestModeEnable = Boolean.parseBoolean(properties.getProperty(TLS_TEST_MODE_ENABLE, String.valueOf(tlsTestModeEnable)));
tlsServerNeedClientAuth = properties.getProperty(TLS_SERVER_NEED_CLIENT_AUTH, tlsServerNeedClientAuth);
tlsServerKeyPath = properties.getProperty(TLS_SERVER_KEYPATH, tlsServerKeyPath);
tlsServerKeyPassword = properties.getProperty(TLS_SERVER_KEYPASSWORD, tlsServerKeyPassword);
tlsServerCertPath = properties.getProperty(TLS_SERVER_CERTPATH, tlsServerCertPath);
tlsServerAuthClient = Boolean.parseBoolean(properties.getProperty(TLS_SERVER_AUTHCLIENT, String.valueOf(tlsServerAuthClient)));
tlsServerTrustCertPath = properties.getProperty(TLS_SERVER_TRUSTCERTPATH, tlsServerTrustCertPath);
tlsClientKeyPath = properties.getProperty(TLS_CLIENT_KEYPATH, tlsClientKeyPath);
tlsClientKeyPassword = properties.getProperty(TLS_CLIENT_KEYPASSWORD, tlsClientKeyPassword);
tlsClientCertPath = properties.getProperty(TLS_CLIENT_CERTPATH, tlsClientCertPath);
tlsClientAuthServer = Boolean.parseBoolean(properties.getProperty(TLS_CLIENT_AUTHSERVER, String.valueOf(tlsClientAuthServer)));
tlsClientTrustCertPath = properties.getProperty(TLS_CLIENT_TRUSTCERTPATH, tlsClientTrustCertPath);
}
private static void logTheFinalUsedTlsConfig() {
LOGGER.info("Log the final used tls related configuration");
LOGGER.info("{} = {}", TLS_TEST_MODE_ENABLE, tlsTestModeEnable);
LOGGER.info("{} = {}", TLS_SERVER_NEED_CLIENT_AUTH, tlsServerNeedClientAuth);
LOGGER.info("{} = {}", TLS_SERVER_KEYPATH, tlsServerKeyPath);
LOGGER.info("{} = {}", TLS_SERVER_KEYPASSWORD, tlsServerKeyPassword);
LOGGER.info("{} = {}", TLS_SERVER_CERTPATH, tlsServerCertPath);
LOGGER.info("{} = {}", TLS_SERVER_AUTHCLIENT, tlsServerAuthClient);
LOGGER.info("{} = {}", TLS_SERVER_TRUSTCERTPATH, tlsServerTrustCertPath);
LOGGER.info("{} = {}", TLS_CLIENT_KEYPATH, tlsClientKeyPath);
LOGGER.info("{} = {}", TLS_CLIENT_KEYPASSWORD, tlsClientKeyPassword);
LOGGER.info("{} = {}", TLS_CLIENT_CERTPATH, tlsClientCertPath);
LOGGER.info("{} = {}", TLS_CLIENT_AUTHSERVER, tlsClientAuthServer);
LOGGER.info("{} = {}", TLS_CLIENT_TRUSTCERTPATH, tlsClientTrustCertPath);
}
private static ClientAuth parseClientAuthMode(String authMode) { private static ClientAuth parseClientAuthMode(String authMode) {
if (null == authMode || authMode.trim().isEmpty()) { if (null == authMode || authMode.trim().isEmpty()) {
return ClientAuth.NONE; return ClientAuth.NONE;
} }
if ("optional".equalsIgnoreCase(authMode)) { for (ClientAuth clientAuth : ClientAuth.values()) {
return ClientAuth.OPTIONAL; if (clientAuth.name().equals(authMode.toUpperCase())) {
return clientAuth;
}
} }
return ClientAuth.REQUIRE; return ClientAuth.NONE;
}
/**
* Determine if a string is {@code null} or {@link String#isEmpty()} returns {@code true}.
*/
private static boolean isNullOrEmpty(String s) {
return s == null || s.isEmpty();
} }
} }
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.rocketmq.remoting.netty;
import io.netty.handler.ssl.SslContext;
import org.apache.rocketmq.remoting.common.TlsMode;
public class TlsSystemConfig {
public static final String TLS_SERVER_MODE = "tls.server.mode";
public static final String TLS_ENABLE = "tls.enable";
public static final String TLS_CONFIG_FILE = "tls.config.file";
public static final String TLS_TEST_MODE_ENABLE = "tls.test.mode.enable";
public static final String TLS_SERVER_NEED_CLIENT_AUTH = "tls.server.need.client.auth";
public static final String TLS_SERVER_KEYPATH = "tls.server.keyPath";
public static final String TLS_SERVER_KEYPASSWORD = "tls.server.keyPassword";
public static final String TLS_SERVER_CERTPATH = "tls.server.certPath";
public static final String TLS_SERVER_AUTHCLIENT = "tls.server.authClient";
public static final String TLS_SERVER_TRUSTCERTPATH = "tls.server.trustCertPath";
public static final String TLS_CLIENT_KEYPATH = "tls.client.keyPath";
public static final String TLS_CLIENT_KEYPASSWORD = "tls.client.keyPassword";
public static final String TLS_CLIENT_CERTPATH = "tls.client.certPath";
public static final String TLS_CLIENT_AUTHSERVER = "tls.client.authServer";
public static final String TLS_CLIENT_TRUSTCERTPATH = "tls.client.trustCertPath";
/**
* To determine whether use SSL in client-side, include SDK client and BrokerOuterAPI
*/
public static boolean tlsEnable = Boolean.parseBoolean(System.getProperty(TLS_ENABLE, "false"));
/**
* To determine whether use test mode when initialize TLS context
*/
public static boolean tlsTestModeEnable = Boolean.parseBoolean(System.getProperty(TLS_TEST_MODE_ENABLE, "false"));
/**
* Indicates the state of the {@link javax.net.ssl.SSLEngine} with respect to client authentication.
* This configuration item really only applies when building the server-side {@link SslContext},
* and can be set to none, require or optional.
*/
public static String tlsServerNeedClientAuth = System.getProperty(TLS_SERVER_NEED_CLIENT_AUTH, "none");
/**
* The store path of server-side private key
*/
public static String tlsServerKeyPath = System.getProperty(TLS_SERVER_KEYPATH, null);
/**
* The password of the server-side private key
*/
public static String tlsServerKeyPassword = System.getProperty(TLS_SERVER_KEYPASSWORD, null);
/**
* The store path of server-side X.509 certificate chain in PEM format
*/
public static String tlsServerCertPath = System.getProperty(TLS_SERVER_CERTPATH, null);
/**
* To determine whether verify the client endpoint's certificate strictly
*/
public static boolean tlsServerAuthClient = Boolean.parseBoolean(System.getProperty(TLS_SERVER_AUTHCLIENT, "false"));
/**
* The store path of trusted certificates for verifying the client endpoint's certificate
*/
public static String tlsServerTrustCertPath = System.getProperty(TLS_SERVER_TRUSTCERTPATH, null);
/**
* The store path of client-side private key
*/
public static String tlsClientKeyPath = System.getProperty(TLS_CLIENT_KEYPATH, null);
/**
* The password of the client-side private key
*/
public static String tlsClientKeyPassword = System.getProperty(TLS_CLIENT_KEYPASSWORD, null);
/**
* The store path of client-side X.509 certificate chain in PEM format
*/
public static String tlsClientCertPath = System.getProperty(TLS_CLIENT_CERTPATH, null);
/**
* To determine whether verify the server endpoint's certificate strictly
*/
public static boolean tlsClientAuthServer = Boolean.parseBoolean(System.getProperty(TLS_CLIENT_AUTHSERVER, "false"));
/**
* The store path of trusted certificates for verifying the server endpoint's certificate
*/
public static String tlsClientTrustCertPath = System.getProperty(TLS_CLIENT_TRUSTCERTPATH, null);
/**
* For server, three SSL modes are supported: disabled, permissive and enforcing.
* For client, use {@link TlsSystemConfig#tlsEnable} to determine whether use SSL.
* <ol>
* <li><strong>disabled:</strong> SSL is not supported; any incoming SSL handshake will be rejected, causing connection closed.</li>
* <li><strong>permissive:</strong> SSL is optional, aka, server in this mode can serve client connections with or without SSL;</li>
* <li><strong>enforcing:</strong> SSL is required, aka, non SSL connection will be rejected.</li>
* </ol>
*/
public static TlsMode tlsMode = TlsMode.parse(System.getProperty(TLS_SERVER_MODE, "permissive"));
/**
* A config file to store the above TLS related configurations,
* except {@link TlsSystemConfig#tlsMode} and {@link TlsSystemConfig#tlsEnable}
*/
public static String tlsConfigFile = System.getProperty(TLS_CONFIG_FILE, "/etc/rocketmq/tls.properties");
}
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册