Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
Kwan的解忧杂货铺@新空间代码工作室
Rocketmq
提交
9cd0b885
R
Rocketmq
项目概览
Kwan的解忧杂货铺@新空间代码工作室
/
Rocketmq
与 Fork 源项目一致
Fork自
Apache RocketMQ / Rocketmq
通知
1
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
DevOps
流水线
流水线任务
计划
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
R
Rocketmq
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
DevOps
DevOps
流水线
流水线任务
计划
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
流水线任务
提交
Issue看板
提交
9cd0b885
编写于
12月 09, 2017
作者:
Y
yukon
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Centralize the TLS related configurations
上级
81507467
变更
8
隐藏空白更改
内联
并排
Showing
8 changed file
with
385 addition
and
43 deletion
+385
-43
broker/src/main/java/org/apache/rocketmq/broker/BrokerStartup.java
...c/main/java/org/apache/rocketmq/broker/BrokerStartup.java
+7
-2
client/src/main/java/org/apache/rocketmq/client/ClientConfig.java
...rc/main/java/org/apache/rocketmq/client/ClientConfig.java
+2
-1
remoting/src/main/java/org/apache/rocketmq/remoting/common/TlsMode.java
...ain/java/org/apache/rocketmq/remoting/common/TlsMode.java
+6
-6
remoting/src/main/java/org/apache/rocketmq/remoting/netty/NettyRemotingClient.java
...g/apache/rocketmq/remoting/netty/NettyRemotingClient.java
+1
-1
remoting/src/main/java/org/apache/rocketmq/remoting/netty/NettyRemotingServer.java
...g/apache/rocketmq/remoting/netty/NettyRemotingServer.java
+11
-11
remoting/src/main/java/org/apache/rocketmq/remoting/netty/NettySystemConfig.java
...org/apache/rocketmq/remoting/netty/NettySystemConfig.java
+0
-22
remoting/src/main/java/org/apache/rocketmq/remoting/netty/TlsHelper.java
...in/java/org/apache/rocketmq/remoting/netty/TlsHelper.java
+233
-0
remoting/src/main/java/org/apache/rocketmq/remoting/netty/TlsSystemConfig.java
...a/org/apache/rocketmq/remoting/netty/TlsSystemConfig.java
+125
-0
未找到文件。
broker/src/main/java/org/apache/rocketmq/broker/BrokerStartup.java
浏览文件 @
9cd0b885
...
...
@@ -32,10 +32,11 @@ import org.apache.rocketmq.common.MQVersion;
import
org.apache.rocketmq.common.MixAll
;
import
org.apache.rocketmq.common.constant.LoggerName
;
import
org.apache.rocketmq.remoting.common.RemotingUtil
;
import
org.apache.rocketmq.remoting.common.
Ssl
Mode
;
import
org.apache.rocketmq.remoting.common.
Tls
Mode
;
import
org.apache.rocketmq.remoting.netty.NettyClientConfig
;
import
org.apache.rocketmq.remoting.netty.NettyServerConfig
;
import
org.apache.rocketmq.remoting.netty.NettySystemConfig
;
import
org.apache.rocketmq.remoting.netty.TlsSystemConfig
;
import
org.apache.rocketmq.remoting.protocol.RemotingCommand
;
import
org.apache.rocketmq.srvutil.ServerUtil
;
import
org.apache.rocketmq.store.config.BrokerRole
;
...
...
@@ -43,6 +44,8 @@ import org.apache.rocketmq.store.config.MessageStoreConfig;
import
org.slf4j.Logger
;
import
org.slf4j.LoggerFactory
;
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
TLS_ENABLE
;
public
class
BrokerStartup
{
public
static
Properties
properties
=
null
;
public
static
CommandLine
commandLine
=
null
;
...
...
@@ -98,7 +101,9 @@ public class BrokerStartup {
final
BrokerConfig
brokerConfig
=
new
BrokerConfig
();
final
NettyServerConfig
nettyServerConfig
=
new
NettyServerConfig
();
final
NettyClientConfig
nettyClientConfig
=
new
NettyClientConfig
();
nettyClientConfig
.
setUseTLS
(
NettySystemConfig
.
sslMode
==
SslMode
.
ENFORCING
);
nettyClientConfig
.
setUseTLS
(
Boolean
.
parseBoolean
(
System
.
getProperty
(
TLS_ENABLE
,
String
.
valueOf
(
TlsSystemConfig
.
tlsMode
==
TlsMode
.
ENFORCING
))));
nettyServerConfig
.
setListenPort
(
10911
);
final
MessageStoreConfig
messageStoreConfig
=
new
MessageStoreConfig
();
...
...
client/src/main/java/org/apache/rocketmq/client/ClientConfig.java
浏览文件 @
9cd0b885
...
...
@@ -19,6 +19,7 @@ package org.apache.rocketmq.client;
import
org.apache.rocketmq.common.MixAll
;
import
org.apache.rocketmq.common.UtilAll
;
import
org.apache.rocketmq.remoting.common.RemotingUtil
;
import
org.apache.rocketmq.remoting.netty.TlsSystemConfig
;
/**
* Client Common configuration
...
...
@@ -45,7 +46,7 @@ public class ClientConfig {
private
String
unitName
;
private
boolean
vipChannelEnabled
=
Boolean
.
parseBoolean
(
System
.
getProperty
(
SEND_MESSAGE_WITH_VIP_CHANNEL_PROPERTY
,
"true"
));
private
boolean
useTLS
;
private
boolean
useTLS
=
TlsSystemConfig
.
tlsEnable
;
public
String
buildMQClientId
()
{
StringBuilder
sb
=
new
StringBuilder
();
...
...
remoting/src/main/java/org/apache/rocketmq/remoting/common/
Ssl
Mode.java
→
remoting/src/main/java/org/apache/rocketmq/remoting/common/
Tls
Mode.java
浏览文件 @
9cd0b885
...
...
@@ -25,7 +25,7 @@ package org.apache.rocketmq.remoting.common;
* <li><strong>enforcing:</strong> SSL is required, aka, non SSL connection will be rejected.</li>
* </ol>
*/
public
enum
Ssl
Mode
{
public
enum
Tls
Mode
{
DISABLED
(
"disabled"
),
PERMISSIVE
(
"permissive"
),
...
...
@@ -33,14 +33,14 @@ public enum SslMode {
private
String
name
;
Ssl
Mode
(
String
name
)
{
Tls
Mode
(
String
name
)
{
this
.
name
=
name
;
}
public
static
Ssl
Mode
parse
(
String
mode
)
{
for
(
SslMode
sslMode:
Ssl
Mode
.
values
())
{
if
(
ssl
Mode
.
name
.
equals
(
mode
))
{
return
ssl
Mode
;
public
static
Tls
Mode
parse
(
String
mode
)
{
for
(
TlsMode
tlsMode
:
Tls
Mode
.
values
())
{
if
(
tls
Mode
.
name
.
equals
(
mode
))
{
return
tls
Mode
;
}
}
...
...
remoting/src/main/java/org/apache/rocketmq/remoting/netty/NettyRemotingClient.java
浏览文件 @
9cd0b885
...
...
@@ -131,7 +131,7 @@ public class NettyRemotingClient extends NettyRemotingAbstract implements Remoti
if
(
nettyClientConfig
.
isUseTLS
())
{
try
{
sslContext
=
Ssl
Helper
.
buildSslContext
(
true
);
sslContext
=
Tls
Helper
.
buildSslContext
(
true
);
log
.
info
(
"SSL enabled for client"
);
}
catch
(
IOException
e
)
{
log
.
error
(
"Failed to create SSLContext"
,
e
);
...
...
remoting/src/main/java/org/apache/rocketmq/remoting/netty/NettyRemotingServer.java
浏览文件 @
9cd0b885
...
...
@@ -54,7 +54,7 @@ import org.apache.rocketmq.remoting.RemotingServer;
import
org.apache.rocketmq.remoting.common.Pair
;
import
org.apache.rocketmq.remoting.common.RemotingHelper
;
import
org.apache.rocketmq.remoting.common.RemotingUtil
;
import
org.apache.rocketmq.remoting.common.
Ssl
Mode
;
import
org.apache.rocketmq.remoting.common.
Tls
Mode
;
import
org.apache.rocketmq.remoting.exception.RemotingSendRequestException
;
import
org.apache.rocketmq.remoting.exception.RemotingTimeoutException
;
import
org.apache.rocketmq.remoting.exception.RemotingTooMuchRequestException
;
...
...
@@ -139,12 +139,12 @@ public class NettyRemotingServer extends NettyRemotingAbstract implements Remoti
});
}
SslMode
sslMode
=
NettySystemConfig
.
ssl
Mode
;
log
.
info
(
"Server is running in TLS {} mode"
,
ssl
Mode
.
getName
());
TlsMode
tlsMode
=
TlsSystemConfig
.
tls
Mode
;
log
.
info
(
"Server is running in TLS {} mode"
,
tls
Mode
.
getName
());
if
(
sslMode
!=
Ssl
Mode
.
DISABLED
)
{
if
(
tlsMode
!=
Tls
Mode
.
DISABLED
)
{
try
{
sslContext
=
Ssl
Helper
.
buildSslContext
(
false
);
sslContext
=
Tls
Helper
.
buildSslContext
(
false
);
log
.
info
(
"SSLContext created for server"
);
}
catch
(
CertificateException
e
)
{
log
.
error
(
"Failed to create SSLContext for server"
,
e
);
...
...
@@ -189,7 +189,7 @@ public class NettyRemotingServer extends NettyRemotingAbstract implements Remoti
public
void
initChannel
(
SocketChannel
ch
)
throws
Exception
{
ch
.
pipeline
()
.
addLast
(
defaultEventExecutorGroup
,
HANDSHAKE_HANDLER_NAME
,
new
HandshakeHandler
(
NettySystemConfig
.
ssl
Mode
))
new
HandshakeHandler
(
TlsSystemConfig
.
tls
Mode
))
.
addLast
(
defaultEventExecutorGroup
,
new
NettyEncoder
(),
new
NettyDecoder
(),
...
...
@@ -326,12 +326,12 @@ public class NettyRemotingServer extends NettyRemotingAbstract implements Remoti
class
HandshakeHandler
extends
SimpleChannelInboundHandler
<
ByteBuf
>
{
private
final
SslMode
ssl
Mode
;
private
final
TlsMode
tls
Mode
;
private
static
final
byte
HANDSHAKE_MAGIC_CODE
=
0x16
;
HandshakeHandler
(
SslMode
ssl
Mode
)
{
this
.
sslMode
=
ssl
Mode
;
HandshakeHandler
(
TlsMode
tls
Mode
)
{
this
.
tlsMode
=
tls
Mode
;
}
@Override
...
...
@@ -344,7 +344,7 @@ public class NettyRemotingServer extends NettyRemotingAbstract implements Remoti
byte
b
=
msg
.
getByte
(
0
);
if
(
b
==
HANDSHAKE_MAGIC_CODE
)
{
switch
(
ssl
Mode
)
{
switch
(
tls
Mode
)
{
case
DISABLED:
ctx
.
close
();
log
.
warn
(
"Clients intend to establish a SSL connection while this server is running in SSL disabled mode"
);
...
...
@@ -366,7 +366,7 @@ public class NettyRemotingServer extends NettyRemotingAbstract implements Remoti
log
.
warn
(
"Unknown TLS mode"
);
break
;
}
}
else
if
(
sslMode
==
Ssl
Mode
.
ENFORCING
)
{
}
else
if
(
tlsMode
==
Tls
Mode
.
ENFORCING
)
{
ctx
.
close
();
log
.
warn
(
"Clients intend to establish an insecure connection while this server is running in SSL enforcing mode"
);
}
...
...
remoting/src/main/java/org/apache/rocketmq/remoting/netty/NettySystemConfig.java
浏览文件 @
9cd0b885
...
...
@@ -17,8 +17,6 @@
package
org.apache.rocketmq.remoting.netty
;
import
org.apache.rocketmq.remoting.common.SslMode
;
public
class
NettySystemConfig
{
public
static
final
String
COM_ROCKETMQ_REMOTING_NETTY_POOLED_BYTE_BUF_ALLOCATOR_ENABLE
=
"com.rocketmq.remoting.nettyPooledByteBufAllocatorEnable"
;
...
...
@@ -31,12 +29,6 @@ public class NettySystemConfig {
public
static
final
String
COM_ROCKETMQ_REMOTING_CLIENT_ONEWAY_SEMAPHORE_VALUE
=
"com.rocketmq.remoting.clientOnewaySemaphoreValue"
;
public
static
final
String
ORG_APACHE_ROCKETMQ_REMOTING_SSL_MODE
=
//
"org.apache.rocketmq.remoting.ssl.mode"
;
public
static
final
String
ORG_APACHE_ROCKETMQ_REMOTING_SSL_CONFIG_FILE
=
//
"org.apache.rocketmq.remoting.ssl.config.file"
;
public
static
final
boolean
NETTY_POOLED_BYTE_BUF_ALLOCATOR_ENABLE
=
//
Boolean
.
parseBoolean
(
System
.
getProperty
(
COM_ROCKETMQ_REMOTING_NETTY_POOLED_BYTE_BUF_ALLOCATOR_ENABLE
,
"false"
));
public
static
final
int
CLIENT_ASYNC_SEMAPHORE_VALUE
=
//
...
...
@@ -47,18 +39,4 @@ public class NettySystemConfig {
Integer
.
parseInt
(
System
.
getProperty
(
COM_ROCKETMQ_REMOTING_SOCKET_SNDBUF_SIZE
,
"65535"
));
public
static
int
socketRcvbufSize
=
Integer
.
parseInt
(
System
.
getProperty
(
COM_ROCKETMQ_REMOTING_SOCKET_RCVBUF_SIZE
,
"65535"
));
/**
* For server, three SSL modes are supported: disabled, permissive and enforcing.
* <ol>
* <li><strong>disabled:</strong> SSL is not supported; any incoming SSL handshake will be rejected, causing connection closed.</li>
* <li><strong>permissive:</strong> SSL is optional, aka, server in this mode can serve client connections with or without SSL;</li>
* <li><strong>enforcing:</strong> SSL is required, aka, non SSL connection will be rejected.</li>
* </ol>
*/
public
static
SslMode
sslMode
=
//
SslMode
.
parse
(
System
.
getProperty
(
ORG_APACHE_ROCKETMQ_REMOTING_SSL_MODE
,
"permissive"
));
public
static
String
sslConfigFile
=
//
System
.
getProperty
(
ORG_APACHE_ROCKETMQ_REMOTING_SSL_CONFIG_FILE
,
"/etc/rocketmq/ssl.properties"
);
}
remoting/src/main/java/org/apache/rocketmq/remoting/netty/
Ssl
Helper.java
→
remoting/src/main/java/org/apache/rocketmq/remoting/netty/
Tls
Helper.java
浏览文件 @
9cd0b885
...
...
@@ -26,7 +26,6 @@ import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import
io.netty.handler.ssl.util.SelfSignedCertificate
;
import
java.io.File
;
import
java.io.FileInputStream
;
import
java.io.FileNotFoundException
;
import
java.io.IOException
;
import
java.io.InputStream
;
import
java.security.cert.CertificateException
;
...
...
@@ -35,7 +34,32 @@ import org.apache.rocketmq.remoting.common.RemotingHelper;
import
org.slf4j.Logger
;
import
org.slf4j.LoggerFactory
;
public
class
SslHelper
{
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
TLS_CLIENT_AUTHSERVER
;
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
TLS_CLIENT_CERTPATH
;
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
TLS_CLIENT_KEYPASSWORD
;
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
TLS_CLIENT_KEYPATH
;
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
TLS_CLIENT_TRUSTCERTPATH
;
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
TLS_SERVER_AUTHCLIENT
;
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
TLS_SERVER_CERTPATH
;
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
TLS_SERVER_KEYPASSWORD
;
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
TLS_SERVER_KEYPATH
;
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
TLS_SERVER_NEED_CLIENT_AUTH
;
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
TLS_SERVER_TRUSTCERTPATH
;
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
TLS_TEST_MODE_ENABLE
;
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
tlsClientAuthServer
;
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
tlsClientCertPath
;
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
tlsClientKeyPassword
;
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
tlsClientKeyPath
;
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
tlsClientTrustCertPath
;
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
tlsServerAuthClient
;
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
tlsServerCertPath
;
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
tlsServerKeyPassword
;
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
tlsServerKeyPath
;
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
tlsServerNeedClientAuth
;
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
tlsServerTrustCertPath
;
import
static
org
.
apache
.
rocketmq
.
remoting
.
netty
.
TlsSystemConfig
.
tlsTestModeEnable
;
public
class
TlsHelper
{
public
interface
DecryptionStrategy
{
/**
...
...
@@ -61,34 +85,15 @@ public class SslHelper {
public
static
void
registerDecryptionStrategy
(
final
DecryptionStrategy
decryptionStrategy
)
{
Ssl
Helper
.
decryptionStrategy
=
decryptionStrategy
;
Tls
Helper
.
decryptionStrategy
=
decryptionStrategy
;
}
public
static
SslContext
buildSslContext
(
boolean
forClient
)
throws
IOException
,
CertificateException
{
File
configFile
=
new
File
(
TlsSystemConfig
.
tlsConfigFile
);
extractTlsConfigFromFile
(
configFile
);
logTheFinalUsedTlsConfig
();
File
configFile
=
new
File
(
NettySystemConfig
.
sslConfigFile
);
boolean
testMode
=
!(
configFile
.
exists
()
&&
configFile
.
isFile
()
&&
configFile
.
canRead
());
Properties
properties
=
null
;
if
(!
testMode
)
{
properties
=
new
Properties
();
InputStream
inputStream
=
null
;
try
{
inputStream
=
new
FileInputStream
(
configFile
);
properties
.
load
(
inputStream
);
}
catch
(
FileNotFoundException
ignore
)
{
}
catch
(
IOException
ignore
)
{
}
finally
{
if
(
null
!=
inputStream
)
{
try
{
inputStream
.
close
();
}
catch
(
IOException
ignore
)
{
}
}
}
}
SslProvider
provider
=
null
;
SslProvider
provider
;
if
(
OpenSsl
.
isAvailable
())
{
provider
=
SslProvider
.
OPENSSL
;
LOGGER
.
info
(
"Using OpenSSL provider"
);
...
...
@@ -98,7 +103,7 @@ public class SslHelper {
}
if
(
forClient
)
{
if
(
t
estMod
e
)
{
if
(
t
lsTestModeEnabl
e
)
{
return
SslContextBuilder
.
forClient
()
.
sslProvider
(
SslProvider
.
JDK
)
...
...
@@ -107,23 +112,24 @@ public class SslHelper {
}
else
{
SslContextBuilder
sslContextBuilder
=
SslContextBuilder
.
forClient
().
sslProvider
(
SslProvider
.
JDK
);
if
(
"false"
.
equals
(
properties
.
getProperty
(
"client.auth.server"
)))
{
if
(!
tlsClientAuthServer
)
{
sslContextBuilder
.
trustManager
(
InsecureTrustManagerFactory
.
INSTANCE
);
}
else
{
if
(
properties
.
containsKey
(
"client.trustManager"
))
{
sslContextBuilder
.
trustManager
(
new
File
(
properties
.
getProperty
(
"client.trustManager"
)
));
if
(
!
isNullOrEmpty
(
tlsClientTrustCertPath
))
{
sslContextBuilder
.
trustManager
(
new
File
(
tlsClientTrustCertPath
));
}
}
return
sslContextBuilder
.
keyManager
(
properties
.
containsKey
(
"client.keyCertChainFile"
)
?
new
FileInputStream
(
properties
.
getProperty
(
"client.keyCertChainFile"
)
)
:
null
,
properties
.
containsKey
(
"client.keyFile"
)
?
decryptionStrategy
.
decryptPrivateKey
(
properties
.
getProperty
(
"client.keyFile"
)
,
true
)
:
null
,
properties
.
containsKey
(
"client.password"
)
?
properties
.
getProperty
(
"client.password"
)
:
null
)
!
isNullOrEmpty
(
tlsClientCertPath
)
?
new
FileInputStream
(
tlsClientCertPath
)
:
null
,
!
isNullOrEmpty
(
tlsClientKeyPath
)
?
decryptionStrategy
.
decryptPrivateKey
(
tlsClientKeyPath
,
true
)
:
null
,
!
isNullOrEmpty
(
tlsClientKeyPassword
)
?
tlsClientKeyPassword
:
null
)
.
build
();
}
}
else
{
if
(
t
estMod
e
)
{
if
(
t
lsTestModeEnabl
e
)
{
SelfSignedCertificate
selfSignedCertificate
=
new
SelfSignedCertificate
();
return
SslContextBuilder
.
forServer
(
selfSignedCertificate
.
certificate
(),
selfSignedCertificate
.
privateKey
())
...
...
@@ -131,27 +137,97 @@ public class SslHelper {
.
clientAuth
(
ClientAuth
.
OPTIONAL
)
.
build
();
}
else
{
return
SslContextBuilder
.
forServer
(
properties
.
containsKey
(
"server.keyCertChainFile"
)
?
new
FileInputStream
(
properties
.
getProperty
(
"server.keyCertChainFile"
))
:
null
,
properties
.
containsKey
(
"server.keyFile"
)
?
decryptionStrategy
.
decryptPrivateKey
(
properties
.
getProperty
(
"server.keyFile"
),
false
)
:
null
,
properties
.
containsKey
(
"server.password"
)
?
properties
.
getProperty
(
"server.password"
)
:
null
)
.
sslProvider
(
provider
)
.
trustManager
(
new
File
(
properties
.
getProperty
(
"server.trustManager"
)))
.
clientAuth
(
parseClientAuthMode
(
properties
.
getProperty
(
"server.auth.client"
)))
.
build
();
SslContextBuilder
sslContextBuilder
=
SslContextBuilder
.
forServer
(
!
isNullOrEmpty
(
tlsServerCertPath
)
?
new
FileInputStream
(
tlsServerCertPath
)
:
null
,
!
isNullOrEmpty
(
tlsServerKeyPath
)
?
decryptionStrategy
.
decryptPrivateKey
(
tlsServerKeyPath
,
false
)
:
null
,
!
isNullOrEmpty
(
tlsServerKeyPassword
)
?
tlsServerKeyPassword
:
null
)
.
sslProvider
(
provider
);
if
(!
tlsServerAuthClient
)
{
sslContextBuilder
.
trustManager
(
InsecureTrustManagerFactory
.
INSTANCE
);
}
else
{
if
(!
isNullOrEmpty
(
tlsServerTrustCertPath
))
{
sslContextBuilder
.
trustManager
(
new
File
(
tlsServerTrustCertPath
));
}
}
sslContextBuilder
.
clientAuth
(
parseClientAuthMode
(
tlsServerNeedClientAuth
));
return
sslContextBuilder
.
build
();
}
}
}
private
static
void
extractTlsConfigFromFile
(
final
File
configFile
)
{
if
(!(
configFile
.
exists
()
&&
configFile
.
isFile
()
&&
configFile
.
canRead
()))
{
LOGGER
.
info
(
"Tls config file doesn't exist, skip it"
);
}
Properties
properties
;
properties
=
new
Properties
();
InputStream
inputStream
=
null
;
try
{
inputStream
=
new
FileInputStream
(
configFile
);
properties
.
load
(
inputStream
);
}
catch
(
IOException
ignore
)
{
}
finally
{
if
(
null
!=
inputStream
)
{
try
{
inputStream
.
close
();
}
catch
(
IOException
ignore
)
{
}
}
}
tlsTestModeEnable
=
Boolean
.
parseBoolean
(
properties
.
getProperty
(
TLS_TEST_MODE_ENABLE
,
String
.
valueOf
(
tlsTestModeEnable
)));
tlsServerNeedClientAuth
=
properties
.
getProperty
(
TLS_SERVER_NEED_CLIENT_AUTH
,
tlsServerNeedClientAuth
);
tlsServerKeyPath
=
properties
.
getProperty
(
TLS_SERVER_KEYPATH
,
tlsServerKeyPath
);
tlsServerKeyPassword
=
properties
.
getProperty
(
TLS_SERVER_KEYPASSWORD
,
tlsServerKeyPassword
);
tlsServerCertPath
=
properties
.
getProperty
(
TLS_SERVER_CERTPATH
,
tlsServerCertPath
);
tlsServerAuthClient
=
Boolean
.
parseBoolean
(
properties
.
getProperty
(
TLS_SERVER_AUTHCLIENT
,
String
.
valueOf
(
tlsServerAuthClient
)));
tlsServerTrustCertPath
=
properties
.
getProperty
(
TLS_SERVER_TRUSTCERTPATH
,
tlsServerTrustCertPath
);
tlsClientKeyPath
=
properties
.
getProperty
(
TLS_CLIENT_KEYPATH
,
tlsClientKeyPath
);
tlsClientKeyPassword
=
properties
.
getProperty
(
TLS_CLIENT_KEYPASSWORD
,
tlsClientKeyPassword
);
tlsClientCertPath
=
properties
.
getProperty
(
TLS_CLIENT_CERTPATH
,
tlsClientCertPath
);
tlsClientAuthServer
=
Boolean
.
parseBoolean
(
properties
.
getProperty
(
TLS_CLIENT_AUTHSERVER
,
String
.
valueOf
(
tlsClientAuthServer
)));
tlsClientTrustCertPath
=
properties
.
getProperty
(
TLS_CLIENT_TRUSTCERTPATH
,
tlsClientTrustCertPath
);
}
private
static
void
logTheFinalUsedTlsConfig
()
{
LOGGER
.
info
(
"Log the final used tls related configuration"
);
LOGGER
.
info
(
"{} = {}"
,
TLS_TEST_MODE_ENABLE
,
tlsTestModeEnable
);
LOGGER
.
info
(
"{} = {}"
,
TLS_SERVER_NEED_CLIENT_AUTH
,
tlsServerNeedClientAuth
);
LOGGER
.
info
(
"{} = {}"
,
TLS_SERVER_KEYPATH
,
tlsServerKeyPath
);
LOGGER
.
info
(
"{} = {}"
,
TLS_SERVER_KEYPASSWORD
,
tlsServerKeyPassword
);
LOGGER
.
info
(
"{} = {}"
,
TLS_SERVER_CERTPATH
,
tlsServerCertPath
);
LOGGER
.
info
(
"{} = {}"
,
TLS_SERVER_AUTHCLIENT
,
tlsServerAuthClient
);
LOGGER
.
info
(
"{} = {}"
,
TLS_SERVER_TRUSTCERTPATH
,
tlsServerTrustCertPath
);
LOGGER
.
info
(
"{} = {}"
,
TLS_CLIENT_KEYPATH
,
tlsClientKeyPath
);
LOGGER
.
info
(
"{} = {}"
,
TLS_CLIENT_KEYPASSWORD
,
tlsClientKeyPassword
);
LOGGER
.
info
(
"{} = {}"
,
TLS_CLIENT_CERTPATH
,
tlsClientCertPath
);
LOGGER
.
info
(
"{} = {}"
,
TLS_CLIENT_AUTHSERVER
,
tlsClientAuthServer
);
LOGGER
.
info
(
"{} = {}"
,
TLS_CLIENT_TRUSTCERTPATH
,
tlsClientTrustCertPath
);
}
private
static
ClientAuth
parseClientAuthMode
(
String
authMode
)
{
if
(
null
==
authMode
||
authMode
.
trim
().
isEmpty
())
{
return
ClientAuth
.
NONE
;
}
if
(
"optional"
.
equalsIgnoreCase
(
authMode
))
{
return
ClientAuth
.
OPTIONAL
;
for
(
ClientAuth
clientAuth
:
ClientAuth
.
values
())
{
if
(
clientAuth
.
name
().
equals
(
authMode
.
toUpperCase
()))
{
return
clientAuth
;
}
}
return
ClientAuth
.
REQUIRE
;
return
ClientAuth
.
NONE
;
}
/**
* Determine if a string is {@code null} or {@link String#isEmpty()} returns {@code true}.
*/
private
static
boolean
isNullOrEmpty
(
String
s
)
{
return
s
==
null
||
s
.
isEmpty
();
}
}
remoting/src/main/java/org/apache/rocketmq/remoting/netty/TlsSystemConfig.java
0 → 100644
浏览文件 @
9cd0b885
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package
org.apache.rocketmq.remoting.netty
;
import
io.netty.handler.ssl.SslContext
;
import
org.apache.rocketmq.remoting.common.TlsMode
;
public
class
TlsSystemConfig
{
public
static
final
String
TLS_SERVER_MODE
=
"tls.server.mode"
;
public
static
final
String
TLS_ENABLE
=
"tls.enable"
;
public
static
final
String
TLS_CONFIG_FILE
=
"tls.config.file"
;
public
static
final
String
TLS_TEST_MODE_ENABLE
=
"tls.test.mode.enable"
;
public
static
final
String
TLS_SERVER_NEED_CLIENT_AUTH
=
"tls.server.need.client.auth"
;
public
static
final
String
TLS_SERVER_KEYPATH
=
"tls.server.keyPath"
;
public
static
final
String
TLS_SERVER_KEYPASSWORD
=
"tls.server.keyPassword"
;
public
static
final
String
TLS_SERVER_CERTPATH
=
"tls.server.certPath"
;
public
static
final
String
TLS_SERVER_AUTHCLIENT
=
"tls.server.authClient"
;
public
static
final
String
TLS_SERVER_TRUSTCERTPATH
=
"tls.server.trustCertPath"
;
public
static
final
String
TLS_CLIENT_KEYPATH
=
"tls.client.keyPath"
;
public
static
final
String
TLS_CLIENT_KEYPASSWORD
=
"tls.client.keyPassword"
;
public
static
final
String
TLS_CLIENT_CERTPATH
=
"tls.client.certPath"
;
public
static
final
String
TLS_CLIENT_AUTHSERVER
=
"tls.client.authServer"
;
public
static
final
String
TLS_CLIENT_TRUSTCERTPATH
=
"tls.client.trustCertPath"
;
/**
* To determine whether use SSL in client-side, include SDK client and BrokerOuterAPI
*/
public
static
boolean
tlsEnable
=
Boolean
.
parseBoolean
(
System
.
getProperty
(
TLS_ENABLE
,
"false"
));
/**
* To determine whether use test mode when initialize TLS context
*/
public
static
boolean
tlsTestModeEnable
=
Boolean
.
parseBoolean
(
System
.
getProperty
(
TLS_TEST_MODE_ENABLE
,
"false"
));
/**
* Indicates the state of the {@link javax.net.ssl.SSLEngine} with respect to client authentication.
* This configuration item really only applies when building the server-side {@link SslContext},
* and can be set to none, require or optional.
*/
public
static
String
tlsServerNeedClientAuth
=
System
.
getProperty
(
TLS_SERVER_NEED_CLIENT_AUTH
,
"none"
);
/**
* The store path of server-side private key
*/
public
static
String
tlsServerKeyPath
=
System
.
getProperty
(
TLS_SERVER_KEYPATH
,
null
);
/**
* The password of the server-side private key
*/
public
static
String
tlsServerKeyPassword
=
System
.
getProperty
(
TLS_SERVER_KEYPASSWORD
,
null
);
/**
* The store path of server-side X.509 certificate chain in PEM format
*/
public
static
String
tlsServerCertPath
=
System
.
getProperty
(
TLS_SERVER_CERTPATH
,
null
);
/**
* To determine whether verify the client endpoint's certificate strictly
*/
public
static
boolean
tlsServerAuthClient
=
Boolean
.
parseBoolean
(
System
.
getProperty
(
TLS_SERVER_AUTHCLIENT
,
"false"
));
/**
* The store path of trusted certificates for verifying the client endpoint's certificate
*/
public
static
String
tlsServerTrustCertPath
=
System
.
getProperty
(
TLS_SERVER_TRUSTCERTPATH
,
null
);
/**
* The store path of client-side private key
*/
public
static
String
tlsClientKeyPath
=
System
.
getProperty
(
TLS_CLIENT_KEYPATH
,
null
);
/**
* The password of the client-side private key
*/
public
static
String
tlsClientKeyPassword
=
System
.
getProperty
(
TLS_CLIENT_KEYPASSWORD
,
null
);
/**
* The store path of client-side X.509 certificate chain in PEM format
*/
public
static
String
tlsClientCertPath
=
System
.
getProperty
(
TLS_CLIENT_CERTPATH
,
null
);
/**
* To determine whether verify the server endpoint's certificate strictly
*/
public
static
boolean
tlsClientAuthServer
=
Boolean
.
parseBoolean
(
System
.
getProperty
(
TLS_CLIENT_AUTHSERVER
,
"false"
));
/**
* The store path of trusted certificates for verifying the server endpoint's certificate
*/
public
static
String
tlsClientTrustCertPath
=
System
.
getProperty
(
TLS_CLIENT_TRUSTCERTPATH
,
null
);
/**
* For server, three SSL modes are supported: disabled, permissive and enforcing.
* For client, use {@link TlsSystemConfig#tlsEnable} to determine whether use SSL.
* <ol>
* <li><strong>disabled:</strong> SSL is not supported; any incoming SSL handshake will be rejected, causing connection closed.</li>
* <li><strong>permissive:</strong> SSL is optional, aka, server in this mode can serve client connections with or without SSL;</li>
* <li><strong>enforcing:</strong> SSL is required, aka, non SSL connection will be rejected.</li>
* </ol>
*/
public
static
TlsMode
tlsMode
=
TlsMode
.
parse
(
System
.
getProperty
(
TLS_SERVER_MODE
,
"permissive"
));
/**
* A config file to store the above TLS related configurations,
* except {@link TlsSystemConfig#tlsMode} and {@link TlsSystemConfig#tlsEnable}
*/
public
static
String
tlsConfigFile
=
System
.
getProperty
(
TLS_CONFIG_FILE
,
"/etc/rocketmq/tls.properties"
);
}
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录