diff --git a/modules/common-security/pom.xml b/modules/common-security/pom.xml index 413a0e257db..97824b96d00 100644 --- a/modules/common-security/pom.xml +++ b/modules/common-security/pom.xml @@ -39,5 +39,13 @@ org.italiangrid voms-api-java + + io.netty + netty-handler + + + io.netty + netty-tcnative-boringssl-static + diff --git a/modules/common-security/src/main/java/org/dcache/dss/ClientGsiEngineDssContextFactory.java b/modules/common-security/src/main/java/org/dcache/dss/ClientGsiEngineDssContextFactory.java index 5a13a644ba8..aadc5dbda76 100644 --- a/modules/common-security/src/main/java/org/dcache/dss/ClientGsiEngineDssContextFactory.java +++ b/modules/common-security/src/main/java/org/dcache/dss/ClientGsiEngineDssContextFactory.java @@ -21,6 +21,7 @@ import com.google.common.collect.ImmutableSet; import eu.emi.security.authn.x509.X509Credential; +import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLParameters; @@ -68,9 +69,9 @@ public DssContext create(InetSocketAddress remoteSocketAddress, InetSocketAddres { try { SSLEngine delegate = - contextFactory.getContext(credential).createSSLEngine( - remoteSocketAddress.getHostString(), - remoteSocketAddress.getPort()); + contextFactory.getContext(SSLContext.class, credential) + .createSSLEngine(remoteSocketAddress.getHostString(), + remoteSocketAddress.getPort()); SSLParameters sslParameters = delegate.getSSLParameters(); String[] cipherSuites = toArray(filter(asList(sslParameters.getCipherSuites()), not(in(bannedCiphers))), String.class); String[] protocols = toArray(filter(asList(sslParameters.getProtocols()), not(in(bannedProtocols))), String.class); diff --git a/modules/common-security/src/main/java/org/dcache/dss/ServerGsiEngineDssContextFactory.java b/modules/common-security/src/main/java/org/dcache/dss/ServerGsiEngineDssContextFactory.java index 19ff641c52e..3160e6bcdac 100644 
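Review bot: The new `netty-tcnative-boringssl-static` dependency bundles a statically linked BoringSSL, so on the native path the TLS implementation is now patched through the version pinned in the root pom (2.0.39.Final in this commit) rather than through the host's OpenSSL, and that version has to be kept in step with `netty` 4.1.59.Final because tcnative releases are paired with specific Netty releases. A comment next to the managed version would make the coupling visible to whoever bumps either one, e.g. `<!-- keep in step with version.netty; tcnative is released per Netty version -->`. The same dependency is added in modules/dcache/pom.xml further down, so both modules now carry the native stack.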
--- a/modules/common-security/src/main/java/org/dcache/dss/ServerGsiEngineDssContextFactory.java +++ b/modules/common-security/src/main/java/org/dcache/dss/ServerGsiEngineDssContextFactory.java @@ -23,7 +23,9 @@ import eu.emi.security.authn.x509.NamespaceCheckingMode; import eu.emi.security.authn.x509.OCSPCheckingMode; -import javax.net.ssl.SSLContext; +import io.netty.buffer.ByteBufAllocator; +import io.netty.handler.ssl.SslContext; + import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLParameters; @@ -63,7 +65,7 @@ public class ServerGsiEngineDssContextFactory implements DssContextFactory private final CertificateFactory cf; private final Set bannedCiphers; private final Set bannedProtocols; - private final Callable factory; + private final Callable factory; private final KeyPairCache keyPairCache; public ServerGsiEngineDssContextFactory(String args) throws Exception @@ -97,14 +99,14 @@ public ServerGsiEngineDssContextFactory(File serverKeyPath, File serverCertifica keyPairCache = new KeyPairCache(keyCacheLifetime, keyCacheLifetimeUnit); factory = CanlContextFactory.custom() - .withCertificateAuthorityPath(certificateAuthorityPath.toPath()) - .withCrlCheckingMode(crlMode) - .withOcspCheckingMode(ocspMode) - .withNamespaceMode(namespaceMode) - .withLazy(false) - .withKeyPath(serverKeyPath.toPath()) - .withCertificatePath(serverCertificatePath.toPath()) - .buildWithCaching(); + .withCertificateAuthorityPath(certificateAuthorityPath.toPath()) + .withCrlCheckingMode(crlMode) + .withOcspCheckingMode(ocspMode) + .withNamespaceMode(namespaceMode) + .withLazy(false) + .withKeyPath(serverKeyPath.toPath()) + .withCertificatePath(serverCertificatePath.toPath()) + .buildWithCaching(SslContext.class); factory.call(); // Fail fast in case of config errors } 
@@ -113,8 +115,9 @@ public DssContext create(InetSocketAddress remoteSocketAddress, InetSocketAddres throws IOException { try { - SSLEngine delegate = factory.call().createSSLEngine(remoteSocketAddress.getHostString(), - remoteSocketAddress.getPort()); + SSLEngine delegate = factory.call().newEngine(ByteBufAllocator.DEFAULT, + remoteSocketAddress.getHostString(), + remoteSocketAddress.getPort()); SSLParameters sslParameters = delegate.getSSLParameters(); String[] cipherSuites = toArray(filter(asList(sslParameters.getCipherSuites()), not(in(bannedCiphers))), String.class); String[] protocols = toArray(filter(asList(sslParameters.getProtocols()), not(in(bannedProtocols))), String.class); diff --git a/modules/common-security/src/main/java/org/dcache/ssl/CanlContextFactory.java b/modules/common-security/src/main/java/org/dcache/ssl/CanlContextFactory.java index 60c2577388f..933efce1333 100644 --- a/modules/common-security/src/main/java/org/dcache/ssl/CanlContextFactory.java +++ b/modules/common-security/src/main/java/org/dcache/ssl/CanlContextFactory.java 
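Review bot: The engine returned by `factory.call().newEngine(ByteBufAllocator.DEFAULT, …)` is not wrapped in an `SslHandler`, so nothing in this path releases it; when Netty picks the OpenSSL provider the engine holds native state that `SslHandler` would normally release when it is removed from the pipeline. Please confirm that the GSI engine wrapping this delegate closes it when the connection ends, or add a comment here stating why relying on Netty's finalization of non-refcounted engines is acceptable. The same applies to `TlsFtpInterpreterFactory.createInterpreter` further down, which calls `sslContext.newEngine(ByteBufAllocator.DEFAULT)` and hands the engine to the FTP door. The body of `create` continues past the end of this hunk.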
@@ -28,22 +28,23 @@ import eu.emi.security.authn.x509.StoreUpdateListener; import eu.emi.security.authn.x509.ValidationError; import eu.emi.security.authn.x509.ValidationErrorCategory; -import eu.emi.security.authn.x509.ValidationErrorListener; import eu.emi.security.authn.x509.X509CertChainValidator; import eu.emi.security.authn.x509.X509Credential; import eu.emi.security.authn.x509.helpers.ssl.SSLTrustManager; import eu.emi.security.authn.x509.impl.OpensslCertChainValidator; import eu.emi.security.authn.x509.impl.PEMCredential; import eu.emi.security.authn.x509.impl.ValidatorParams; +import io.netty.handler.ssl.SslContext; +import io.netty.handler.ssl.SslContextBuilder; + import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import javax.annotation.Nullable; import javax.net.ssl.KeyManager; import javax.net.ssl.SSLContext; import javax.net.ssl.TrustManager; +import javax.net.ssl.SSLException; -import java.io.IOException; import java.nio.file.FileSystems; import java.nio.file.Path; import java.security.GeneralSecurityException; @@ -62,6 +63,10 @@ /** * SslContextFactory based on the CANL library. Uses the builder pattern to * create immutable instances. + *

+ * + * Implements the SslContextFactory which allows specifying either Java or Native (OpenSSL) + * as implementation. */ public class CanlContextFactory implements SslContextFactory { @@ -72,6 +77,7 @@ public class CanlContextFactory implements SslContextFactory private final SecureRandom secureRandom = new SecureRandom(); private final TrustManager[] trustManagers; + private final boolean startTls; private static final AutoCloseable NOOP = new AutoCloseable() { @@ -81,8 +87,9 @@ public void close() throws Exception } }; - protected CanlContextFactory(TrustManager... trustManagers) + protected CanlContextFactory(boolean startTls, TrustManager... trustManagers) { + this.startTls = startTls; this.trustManagers = trustManagers; } @@ -102,7 +109,19 @@ public TrustManager[] getTrustManagers() } @Override - public SSLContext getContext(X509Credential credential) + public T getContext(Class type, X509Credential credential) + throws GeneralSecurityException + { + if (type.isAssignableFrom(SSLContext.class)) { + return (T) getJavaSSLContext(credential); + } else if (type.isAssignableFrom(SslContext.class)) { + return (T) getNettySslContext(credential); + } + + throw new GeneralSecurityException("cannot get SSL context of type " + type); + } + + private SSLContext getJavaSSLContext(X509Credential credential) throws GeneralSecurityException { KeyManager[] keyManagers; 
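Review bot: Both branches of `getContext` rely on an unchecked `(T)` cast; `type.cast(...)` expresses the same intent, is checked at runtime and needs no `@SuppressWarnings`: `return type.cast(getJavaSSLContext(credential));` and `return type.cast(getNettySslContext(credential));`. Because the dispatch uses `type.isAssignableFrom(...)`, a request for `Object.class` silently yields the Java `SSLContext`; if that is not intended, compare the requested class for equality instead. The class Javadoc added in the hunk above says the caller can specify "either Java or Native (OpenSSL)", but what the caller actually selects is `javax.net.ssl.SSLContext` versus Netty's `SslContext`; whether Netty then uses OpenSSL is decided by Netty's provider detection, so suggest wording the Javadoc as `Returns either a javax.net.ssl.SSLContext or a Netty SslContext, depending on the requested type; the Netty provider (JDK or OpenSSL) is chosen by Netty.`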
@@ -117,6 +136,19 @@ public SSLContext getContext(X509Credential credential) return context; } + private SslContext getNettySslContext(X509Credential credential) + throws GeneralSecurityException + { + KeyManager keyManager = credential == null ? null : credential.getKeyManager(); + SslContextBuilder builder = startTls ? SslContextBuilder.forServer(keyManager) + : SslContextBuilder.forClient(); + try { + return builder.trustManager(trustManagers[0]).startTls(startTls).build(); + } catch (SSLException e) { + throw new GeneralSecurityException("Could not get Netty SSL context: " + e.getMessage()); + } + } + public static class Builder { private Path certificateAuthorityPath = FileSystems.getDefault().getPath("/etc/grid-security/certificates"); @@ -131,11 +163,18 @@ public static class Builder private TimeUnit credentialUpdateIntervalUnit = TimeUnit.MINUTES; private Supplier loggingContextSupplier = () -> NOOP; private long validationCacheLifetime = 300000; + private boolean startTls = true; // default/server mode private Builder() { } + public Builder startTls(boolean startTls) + { + this.startTls = startTls; + return this; + } + public Builder withCertificateAuthorityPath(Path certificateAuthorityPath) { this.certificateAuthorityPath = certificateAuthorityPath; 
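Review bot: `startTls` does two unrelated jobs in `getNettySslContext`: it selects `forServer` against `forClient`, and it is also passed to `SslContextBuilder.startTls`, whose meaning in Netty is that the first outbound write bypasses encryption (the STARTTLS pattern), not "act as a server". With the Builder default `startTls = true` in the hunk sharing this line, every server-role context built here (HTTPS, GSI) carries that flag; the callers in this commit only use `newEngine`, where the flag has no effect, but a future `newHandler` caller would send its first write in clear. Split the role into its own builder option and pass the STARTTLS flag only where the protocol needs it, with a comment on the builder field saying which is which. Also preserve the cause when wrapping: `throw new GeneralSecurityException("Could not get Netty SSL context: " + e.getMessage(), e);`. Finally, `trustManagers[0]` silently drops any further trust managers and a null `credential` in server role reaches `forServer(null)`; a comment that `build()` always supplies exactly one `SSLTrustManager`, plus an explicit null check on the credential with a clear message, would make both cases deliberate.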
@@ -271,17 +310,19 @@ public void loadingNotification(String location, String type, Severity level, Ex } return false; }); - return new CanlContextFactory(new SSLTrustManager(v)); + return new CanlContextFactory(startTls, new SSLTrustManager(v)); } - public Callable buildWithCaching() - { + public Callable buildWithCaching(Class contextType) throws Exception { final CanlContextFactory factory = build(); - Callable newContext = - () -> factory.getContext( - new PEMCredential(keyPath.toString(), certificatePath.toString(), null)); - return memoizeWithExpiration(memoizeFromFiles(newContext, keyPath, certificatePath), - credentialUpdateInterval, credentialUpdateIntervalUnit); + PEMCredential credential + = new PEMCredential(keyPath.toString(), certificatePath.toString(), null); + Callable newContext = () -> factory.getContext(contextType, credential); + return (Callable) memoizeWithExpiration(memoizeFromFiles(newContext, + keyPath, + certificatePath), + credentialUpdateInterval, + credentialUpdateIntervalUnit); } } } diff --git a/modules/common-security/src/main/java/org/dcache/ssl/CanlSslServerSocketCreator.java b/modules/common-security/src/main/java/org/dcache/ssl/CanlSslServerSocketCreator.java index 9549614a381..e3e9fc93872 100644 --- a/modules/common-security/src/main/java/org/dcache/ssl/CanlSslServerSocketCreator.java +++ b/modules/common-security/src/main/java/org/dcache/ssl/CanlSslServerSocketCreator.java @@ -80,7 +80,7 @@ public CanlSslServerSocketCreator(File keyPath, .withKeyPath(keyPath.toPath()) .withCertificatePath(certPath.toPath()) .withLazy(false) - .buildWithCaching(); + .buildWithCaching(SSLContext.class); factory.call(); } catch (Exception e) { Throwables.propagateIfPossible(e, IOException.class); diff --git a/modules/common-security/src/main/java/org/dcache/ssl/CanlSslSocketCreator.java b/modules/common-security/src/main/java/org/dcache/ssl/CanlSslSocketCreator.java index 4f416072b90..bd3acfd2e17 100644 
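Review bot: `buildWithCaching` now constructs the `PEMCredential` once, outside the `newContext` callable, so when `memoizeFromFiles` notices that `keyPath` or `certificatePath` changed and re-invokes `newContext`, the new context is still built from the credential read at startup; before this hunk `new PEMCredential(...)` was inside the lambda and was re-read on each refresh. The effect is that a renewed host certificate is not picked up until restart, which is exactly what the file-based memoization exists to avoid. Move the load back into the callable, `() -> factory.getContext(contextType, new PEMCredential(keyPath.toString(), certificatePath.toString(), null))`; the `throws Exception` added to the signature is then no longer needed for the credential load. The raw `(Callable)` cast on the return could also be dropped by giving `newContext` the same type parameter as `contextType`, if the memoize helpers' signatures allow it.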
--- a/modules/common-security/src/main/java/org/dcache/ssl/CanlSslSocketCreator.java +++ b/modules/common-security/src/main/java/org/dcache/ssl/CanlSslSocketCreator.java @@ -79,7 +79,7 @@ public CanlSslSocketCreator(File keyPath, .withKeyPath(keyPath.toPath()) .withCertificatePath(certPath.toPath()) .withLazy(false) - .buildWithCaching(); + .buildWithCaching(SSLContext.class); factory.call(); } catch (Exception e) { Throwables.propagateIfPossible(e, IOException.class); diff --git a/modules/common-security/src/main/java/org/dcache/ssl/SslContextFactory.java b/modules/common-security/src/main/java/org/dcache/ssl/SslContextFactory.java index 856bae36432..1775eca80b0 100644 --- a/modules/common-security/src/main/java/org/dcache/ssl/SslContextFactory.java +++ b/modules/common-security/src/main/java/org/dcache/ssl/SslContextFactory.java @@ -20,21 +20,23 @@ import eu.emi.security.authn.x509.X509Credential; import javax.annotation.Nullable; -import javax.net.ssl.SSLContext; import java.security.GeneralSecurityException; /** - * Factory for creating SSLContext instances. + * Factory for creating SSL context instances. + * (e.g., javax.net.SSLContext or io.netty.handler.ssl.SslContext). */ public interface SslContextFactory { /** - * Provides an SSLContext that will use the supplied optional client + * Provides an SslContext that will use the supplied optional client * credential for authentication. + * @param type of the context object to create. * @param credential the credential to use, or null if no X.509 credential. - * @return an SSLContext to use with an SSLSocket. + * @return an SSL context to use. * @throws GeneralSecurityException if there is a problem establishing the context. */ - SSLContext getContext(@Nullable X509Credential credential) throws GeneralSecurityException; + T getContext(Class type, @Nullable X509Credential credential) + throws GeneralSecurityException; } 
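Review bot: The new `@param type` line does not say which classes a caller may pass, and `@throws` does not mention that an unsupported `type` is also reported as `GeneralSecurityException`, which is what `CanlContextFactory.getContext` in this commit does. Suggest `@param type the context class requested, e.g. {@code javax.net.ssl.SSLContext} or {@code io.netty.handler.ssl.SslContext}.` and `@throws GeneralSecurityException if the context cannot be established or {@code type} is not supported by this factory.` The summary sentence "Provides an SslContext" now reads as if Netty's `SslContext` were the only result; "Provides an SSL context of the requested type" matches the parameter.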
diff --git a/modules/dcache-ftp/src/main/java/org/dcache/ftp/door/TlsFtpInterpreterFactory.java b/modules/dcache-ftp/src/main/java/org/dcache/ftp/door/TlsFtpInterpreterFactory.java index aa2f0d07c88..c2a548479f8 100644 --- a/modules/dcache-ftp/src/main/java/org/dcache/ftp/door/TlsFtpInterpreterFactory.java +++ b/modules/dcache-ftp/src/main/java/org/dcache/ftp/door/TlsFtpInterpreterFactory.java @@ -22,7 +22,9 @@ import eu.emi.security.authn.x509.NamespaceCheckingMode; import eu.emi.security.authn.x509.OCSPCheckingMode; -import javax.net.ssl.SSLContext; +import io.netty.buffer.ByteBufAllocator; +import io.netty.handler.ssl.SslContext; + import javax.net.ssl.SSLEngine; import java.io.File; @@ -84,7 +86,7 @@ public class TlsFtpInterpreterFactory extends FtpInterpreterFactory private Optional anonUser; - private SSLContext sslContext; + private SslContext sslContext; @Override public void configure(Args args) throws ConfigurationException @@ -104,7 +106,7 @@ public void configure(Args args) throws ConfigurationException @Override protected AbstractFtpDoorV1 createInterpreter() { - SSLEngine engine = sslContext.createSSLEngine(); + SSLEngine engine = sslContext.newEngine(ByteBufAllocator.DEFAULT); engine.setNeedClientAuth(false); /* REVISIT: with FTPS, it is possible for a client to send an X.509 @@ -119,7 +121,7 @@ protected AbstractFtpDoorV1 createInterpreter() anonymousRoot, requireAnonEmailPassword); } - protected SSLContext buildContext() throws Exception + protected SslContext buildContext() throws Exception { return CanlContextFactory.custom() .withCertificatePath(service_cert.toPath()) @@ -130,7 +132,7 @@ protected SSLContext buildContext() throws Exception .withNamespaceMode(namespaceMode) .withLazy(false) .withLoggingContext(new CDC()::restore) - .buildWithCaching() + .buildWithCaching(SslContext.class) .call(); } 
diff --git a/modules/dcache-xrootd/src/main/java/org/dcache/xrootd/plugins/tls/CDCCanlTLSHandlerFactory.java b/modules/dcache-xrootd/src/main/java/org/dcache/xrootd/plugins/tls/CDCCanlTLSHandlerFactory.java index eeb90e2beea..c44605947fb 100644 --- a/modules/dcache-xrootd/src/main/java/org/dcache/xrootd/plugins/tls/CDCCanlTLSHandlerFactory.java +++ b/modules/dcache-xrootd/src/main/java/org/dcache/xrootd/plugins/tls/CDCCanlTLSHandlerFactory.java @@ -17,13 +17,13 @@ */ package org.dcache.xrootd.plugins.tls; -import dmg.cells.nucleus.CDC; import eu.emi.security.authn.x509.CrlCheckingMode; import eu.emi.security.authn.x509.NamespaceCheckingMode; import eu.emi.security.authn.x509.OCSPCheckingMode; +import io.netty.handler.ssl.SslContext; import java.io.File; import java.util.Properties; -import javax.net.ssl.SSLContext; + import org.dcache.ssl.CanlContextFactory; /** @@ -42,7 +42,7 @@ public class CDCCanlTLSHandlerFactory extends SSLHandlerFactory { private static final String OCSP_MODE = "xrootd.security.tls.ca.ocsp-mode"; @Override - protected SSLContext buildContext(Properties properties) throws Exception { + protected SslContext buildContext(Properties properties) throws Exception { File serviceKey = new File(properties.getProperty(SERVICE_KEY)); File serviceCert = new File(properties.getProperty(SERVICE_CERT)); File serviceCaCerts = new File(properties.getProperty(SERVICE_CACERTS)); @@ -61,8 +61,8 @@ protected SSLContext buildContext(Properties properties) throws Exception { .withOcspCheckingMode(ocspMode) .withNamespaceMode(namespaceMode) .withLazy(false) - .withLoggingContext(new CDC()::restore) - .buildWithCaching() + .startTls(startTls) + .buildWithCaching(SslContext.class) .call(); } } diff --git a/modules/dcache/pom.xml b/modules/dcache/pom.xml index 9668d3a013d..b0c5d7a6167 100644 --- a/modules/dcache/pom.xml +++ b/modules/dcache/pom.xml @@ -112,6 +112,10 @@ io.netty netty-codec-haproxy + + io.netty + netty-tcnative-boringssl-static + com.sleepycat je 
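Review bot: The hunk replaces `.withLoggingContext(new CDC()::restore)` with `.startTls(startTls)` and removes the `CDC` import; judging by `Builder.loggingContextSupplier`, this presumably means validator notifications for the xrootd TLS factory no longer restore the cell's diagnostic context, while `NettySslContextFactoryBean` and `TlsFtpInterpreterFactory` in the same commit keep the call. If the drop is unintentional, keep both lines, `.withLoggingContext(new CDC()::restore)` followed by `.startTls(startTls)`, and restore the import. `startTls` is not declared in this hunk and is presumably a field of the enclosing `SSLHandlerFactory`; since xrootd negotiates TLS after an initial plaintext exchange, this is the one caller where Netty's STARTTLS flag is actually meaningful, which is worth a comment here.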
diff --git a/modules/dcache/src/main/java/org/dcache/http/AbstractSslContextFactoryBean.java b/modules/dcache/src/main/java/org/dcache/http/AbstractSslContextFactoryBean.java new file mode 100644 index 00000000000..451825b8fe2 --- /dev/null +++ b/modules/dcache/src/main/java/org/dcache/http/AbstractSslContextFactoryBean.java 
@@ -0,0 +1,64 @@ +/* dCache - http://www.dcache.org/ + * + * Copyright (C) 2021 Deutsches Elektronen-Synchrotron + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ +package org.dcache.http; + +import eu.emi.security.authn.x509.CrlCheckingMode; +import eu.emi.security.authn.x509.OCSPCheckingMode; +import java.nio.file.Path; +import org.springframework.beans.factory.FactoryBean; +import org.springframework.beans.factory.annotation.Required; + +abstract class AbstractSslContextFactoryBean implements FactoryBean { + protected Path serverCertificatePath; + protected Path serverKeyPath; + protected Path serverCaPath; + protected CrlCheckingMode crlCheckingMode; + protected OCSPCheckingMode ocspCheckingMode; + + @Required + public void setServerCertificatePath(Path serverCertificatePath) { + this.serverCertificatePath = serverCertificatePath; + } + + @Required + public void setServerKeyPath(Path serverKeyPath) { + this.serverKeyPath = serverKeyPath; + } + + @Required + public void setServerCaPath(Path serverCaPath) { + this.serverCaPath = serverCaPath; + } + + @Required + public void setCrlCheckingMode(CrlCheckingMode crlCheckingMode) + { + this.crlCheckingMode = crlCheckingMode; + } + + @Required + public void setOcspCheckingMode(OCSPCheckingMode ocspCheckingMode) + { + this.ocspCheckingMode = ocspCheckingMode; + } + + @Override + public boolean isSingleton() { + return false; 
+ } +} diff --git a/modules/dcache/src/main/java/org/dcache/http/HttpsTransferService.java b/modules/dcache/src/main/java/org/dcache/http/HttpsTransferService.java index 20b7b39a626..25a2b8f5a69 100644 --- a/modules/dcache/src/main/java/org/dcache/http/HttpsTransferService.java +++ b/modules/dcache/src/main/java/org/dcache/http/HttpsTransferService.java @@ -23,37 +23,31 @@ import diskCacheV111.util.CacheException; import diskCacheV111.vehicles.HttpProtocolInfo; -import eu.emi.security.authn.x509.CrlCheckingMode; -import eu.emi.security.authn.x509.OCSPCheckingMode; import io.netty.channel.ChannelPipeline; import io.netty.handler.codec.http.cors.CorsConfigBuilder; +import io.netty.handler.ssl.SslContext; import io.netty.handler.ssl.SslHandler; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import org.springframework.beans.factory.annotation.Required; -import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; -import java.io.IOException; import java.net.InetAddress; import java.net.SocketException; import java.net.URI; import java.net.URISyntaxException; import java.net.UnknownHostException; -import java.nio.file.Path; import java.util.UUID; - public class HttpsTransferService extends HttpTransferService { private static final Logger LOGGER = LoggerFactory.getLogger(HttpsTransferService.class); private static final String PROTOCOL_HTTPS = "https"; - private SSLContext _sslContext; + private SslContext _sslContext; - public void setSslContext(SSLContext sslContext) + public void setSslContext(SslContext sslContext) { _sslContext = sslContext; } 
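Review bot: Brace placement is inconsistent within the new class: `setCrlCheckingMode` and `setOcspCheckingMode` open their bodies on a new line while the other setters and `isSingleton` put `{` on the signature line; pick one, e.g. `public void setCrlCheckingMode(CrlCheckingMode crlCheckingMode) {`. The class has no Javadoc; suggest `/** Shared Spring configuration for beans that build a TLS context from the server key, certificate and CA directory; subclasses implement getObject() for a concrete context type. */`. `isSingleton()` returning `false` means every `getObject()` call loads the CA directory and builds a fresh validator; that mirrors the deleted `SslContextFactoryBean`, but a one-line comment on why a prototype bean is wanted here would save the next reader from wondering.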
@@ -110,8 +104,7 @@ protected URI getUri(HttpProtocolInfo protocolInfo, int port, UUID uuid) @Override protected void addChannelHandlers(ChannelPipeline pipeline) { - SSLEngine engine = _sslContext.createSSLEngine(); - engine.setUseClientMode(false); + SSLEngine engine = _sslContext.newEngine(pipeline.channel().alloc()); engine.setWantClientAuth(false); pipeline.addLast("ssl", new SslHandler(engine)); super.addChannelHandlers(pipeline); diff --git a/modules/dcache/src/main/java/org/dcache/http/NettySslContextFactoryBean.java b/modules/dcache/src/main/java/org/dcache/http/NettySslContextFactoryBean.java new file mode 100644 index 00000000000..a1696ec6ca6 --- /dev/null +++ b/modules/dcache/src/main/java/org/dcache/http/NettySslContextFactoryBean.java 
@@ -0,0 +1,49 @@ +/* dCache - http://www.dcache.org/ + * + * Copyright (C) 2021 Deutsches Elektronen-Synchrotron + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ + +package org.dcache.http; + +import dmg.cells.nucleus.CDC; +import io.netty.handler.ssl.SslContext; +import org.dcache.ssl.CanlContextFactory; + +/** + * Netty SslContext context factory which uses native OpenSsl if available, but falls + * back to Java if not. + */ +public class NettySslContextFactoryBean extends AbstractSslContextFactoryBean { + + @Override + public SslContext getObject() throws Exception { + return CanlContextFactory.custom() + .withCertificateAuthorityPath(serverCaPath) + .withCrlCheckingMode(crlCheckingMode) + .withOcspCheckingMode(ocspCheckingMode) + .withCertificatePath(serverCertificatePath) + .withKeyPath(serverKeyPath) + .withLazy(false) + .withLoggingContext(new CDC()::restore) + .buildWithCaching(SslContext.class) + .call(); + } + + @Override + public Class getObjectType() { + return SslContext.class; + } +} \ No newline at end of file diff --git a/modules/dcache/src/main/java/org/dcache/http/SslContextFactoryBean.java b/modules/dcache/src/main/java/org/dcache/http/SslContextFactoryBean.java deleted file mode 100644 index 445c776e6ec..00000000000 --- a/modules/dcache/src/main/java/org/dcache/http/SslContextFactoryBean.java +++ /dev/null 
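Review bot: The class Javadoc says this factory "uses native OpenSsl if available, but falls back to Java", but nothing in `getObject` selects a provider; that choice is made inside Netty's `SslContextBuilder` when no provider is set, so the comment should attribute it there, e.g. `Produces a Netty SslContext via CanlContextFactory; the TLS provider (OpenSSL or JDK) is chosen by Netty's default provider detection.` `getObject` calls `.buildWithCaching(SslContext.class).call()` and returns only the first context, discarding the refreshing `Callable`, so the consumer (`HttpsTransferService.setSslContext`) holds one context for its lifetime; the deleted `SslContextFactoryBean` did the same, so this is not a regression, but a comment stating that credential refresh is not expected here would help. The file also ends without a trailing newline.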
@@ -1,105 +0,0 @@ -/* dCache - http://www.dcache.org/ - * - * Copyright (C) 2019 Deutsches Elektronen-Synchrotron - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see . - */ - - - -package org.dcache.http; - -import eu.emi.security.authn.x509.CrlCheckingMode; -import eu.emi.security.authn.x509.OCSPCheckingMode; - -import java.nio.file.Path; -import javax.net.ssl.SSLContext; - -import org.springframework.beans.factory.FactoryBean; -import org.springframework.beans.factory.annotation.Required; - -import dmg.cells.nucleus.CDC; - - -/** - * - */ -public class SslContextFactoryBean implements FactoryBean { - - - - private Path serverCertificatePath; - private Path serverKeyPath; - private Path serverCaPath; - private CrlCheckingMode crlCheckingMode; - private OCSPCheckingMode ocspCheckingMode; - - - @Required - public void setServerCertificatePath(Path serverCertificatePath) { - this.serverCertificatePath = serverCertificatePath; - } - - @Required - public void setServerKeyPath(Path serverKeyPath) { - this.serverKeyPath = serverKeyPath; - } - - @Required - public void setServerCaPath(Path serverCaPath) { - this.serverCaPath = serverCaPath; - } - - @Required - public void setCrlCheckingMode(CrlCheckingMode crlCheckingMode) - { - this.crlCheckingMode = crlCheckingMode; - } - - @Required - public void setOcspCheckingMode(OCSPCheckingMode ocspCheckingMode) - { - this.ocspCheckingMode = 
ocspCheckingMode; - } - - @Override - public SSLContext getObject() throws Exception { - - return org.dcache.ssl.CanlContextFactory.custom() - .withCertificateAuthorityPath(serverCaPath) - .withCrlCheckingMode(crlCheckingMode) - .withOcspCheckingMode(ocspCheckingMode) - .withCertificatePath(serverCertificatePath) - .withKeyPath(serverKeyPath) - .withLazy(false) - .withLoggingContext(new CDC()::restore) - .buildWithCaching() - .call(); - - } - - @Override - public Class getObjectType() { - return SSLContext.class; - } - - @Override - public boolean isSingleton() { - return false; - } - -} - - - diff --git a/modules/dcache/src/main/resources/org/dcache/pool/classic/pool.xml b/modules/dcache/src/main/resources/org/dcache/pool/classic/pool.xml index c5b908ff3cc..3f75612301c 100644 --- a/modules/dcache/src/main/resources/org/dcache/pool/classic/pool.xml +++ b/modules/dcache/src/main/resources/org/dcache/pool/classic/pool.xml @@ -285,7 +285,7 @@ - + SSL Context factory diff --git a/modules/srm-common/src/main/java/org/dcache/srm/client/FlexibleCredentialSSLConnectionSocketFactory.java b/modules/srm-common/src/main/java/org/dcache/srm/client/FlexibleCredentialSSLConnectionSocketFactory.java index 81c6844e16d..9cf5db97eea 100644 --- a/modules/srm-common/src/main/java/org/dcache/srm/client/FlexibleCredentialSSLConnectionSocketFactory.java +++ b/modules/srm-common/src/main/java/org/dcache/srm/client/FlexibleCredentialSSLConnectionSocketFactory.java @@ -177,7 +177,7 @@ public Socket createLayeredSocket( verifyCredentials(context); final SSLContext sslContext; try { - sslContext = contextProvider.getContext(credential); + sslContext = contextProvider.getContext(SSLContext.class, credential); } catch (GeneralSecurityException e) { throw new IOException("Failed to create SSLContext: " + e.getMessage(), e); } diff --git a/pom.xml b/pom.xml index d15d962598c..914353c69f8 100644 --- a/pom.xml +++ b/pom.xml 
@@ -68,7 +68,7 @@ 6.6.0 2.12.0 9.4.40.v20210413 - 4.1.1 + 4.2.0 2.28 1.6.3 4.1.59.Final @@ -422,6 +422,11 @@ netty-handler ${version.netty} + + io.netty + netty-tcnative-boringssl-static + 2.0.39.Final + com.sleepycat je