org.apache.cassandra.security

Class SSLFactory

java.lang.Object

org.apache.cassandra.security.SSLFactory

public final class SSLFactory
extends java.lang.Object

A Factory for providing and setting up client SSLSockets. Also provides methods for creating both JSSE SSLContext instances as well as netty SslContext instances.

Netty SslContext instances are expensive to create (as well as to destroy) and consume a lof of resources (especially direct memory), but instances can be reused across connections (assuming the SSL params are the same). Hence we cache created instances in cachedSslContexts.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	SSLFactory.LoggingCipherSuiteFilter
static class	SSLFactory.SocketType Indicates if the process holds the inbound/listening end of the socket (SSLFactory.SocketType.SERVER)), or the outbound side (SSLFactory.SocketType.CLIENT).

Field Summary

Fields

Modifier and Type	Field and Description
static int	DEFAULT_HOT_RELOAD_INITIAL_DELAY_SEC Default initial delay for hot reloading
static int	DEFAULT_HOT_RELOAD_PERIOD_SEC Default periodic check delay for hot reloading

Constructor Summary

Constructors

Constructor and Description
SSLFactory()

Method Summary

Modifier and Type	Method and Description
static void	checkCertFilesForHotReloading(EncryptionOptions.ServerEncryptionOptions serverOpts, EncryptionOptions clientOpts) Performs a lightweight check whether the certificate files have been refreshed.
static javax.net.ssl.SSLContext	createSSLContext(EncryptionOptions options, boolean buildTruststore) Create a JSSE SSLContext.
static io.netty.handler.ssl.SslContext	getOrCreateSslContext(EncryptionOptions options, boolean buildTruststore, SSLFactory.SocketType socketType) get a netty SslContext instance
static void	initHotReloading(EncryptionOptions.ServerEncryptionOptions serverOpts, EncryptionOptions clientOpts, boolean force) Determines whether to hot reload certificates and schedules a periodic task for it.
static boolean	openSslIsAvailable()
static java.util.List<java.lang.String>	tlsInstanceProtocolSubstitution() Provides the list of protocols that would have been supported if "TLS" was selected as the protocol before the change for CASSANDRA-13325 that expects explicit protocol versions.
static void	validateSslCerts(EncryptionOptions.ServerEncryptionOptions serverOpts, EncryptionOptions clientOpts) Sanity checks all certificates to ensure we can actually load them
static void	validateSslContext(java.lang.String contextDescription, EncryptionOptions options, boolean buildTrustStore, boolean logProtocolAndCiphers)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_HOT_RELOAD_INITIAL_DELAY_SEC

public static final int DEFAULT_HOT_RELOAD_INITIAL_DELAY_SEC

Default initial delay for hot reloading

See Also:

Constant Field Values

DEFAULT_HOT_RELOAD_PERIOD_SEC

public static final int DEFAULT_HOT_RELOAD_PERIOD_SEC

Default periodic check delay for hot reloading

See Also:

Constant Field Values

Constructor Detail

SSLFactory

public SSLFactory()

Method Detail

openSslIsAvailable

public static boolean openSslIsAvailable()

tlsInstanceProtocolSubstitution

public static java.util.List<java.lang.String> tlsInstanceProtocolSubstitution()

Provides the list of protocols that would have been supported if "TLS" was selected as the protocol before the change for CASSANDRA-13325 that expects explicit protocol versions.

Returns:

list of enabled protocol names

createSSLContext

public static javax.net.ssl.SSLContext createSSLContext(EncryptionOptions options,
                                                        boolean buildTruststore)
                                                 throws java.io.IOException

Create a JSSE SSLContext.

Throws:

java.io.IOException

getOrCreateSslContext

public static io.netty.handler.ssl.SslContext getOrCreateSslContext(EncryptionOptions options,
                                                                    boolean buildTruststore,
                                                                    SSLFactory.SocketType socketType)
                                                             throws java.io.IOException

get a netty SslContext instance

Throws:

java.io.IOException

checkCertFilesForHotReloading

public static void checkCertFilesForHotReloading(EncryptionOptions.ServerEncryptionOptions serverOpts,
                                                 EncryptionOptions clientOpts)

Performs a lightweight check whether the certificate files have been refreshed.

Throws:

java.lang.IllegalStateException - if initHotReloading(EncryptionOptions.ServerEncryptionOptions, EncryptionOptions, boolean) is not called first

initHotReloading

public static void initHotReloading(EncryptionOptions.ServerEncryptionOptions serverOpts,
                                    EncryptionOptions clientOpts,
                                    boolean force)
                             throws java.io.IOException

Determines whether to hot reload certificates and schedules a periodic task for it.

Parameters:

serverOpts - Server encryption options (Internode)

clientOpts - Client encryption options (Native Protocol)

Throws:

java.io.IOException

validateSslContext

public static void validateSslContext(java.lang.String contextDescription,
                                      EncryptionOptions options,
                                      boolean buildTrustStore,
                                      boolean logProtocolAndCiphers)
                               throws java.io.IOException

Throws:

java.io.IOException

validateSslCerts

public static void validateSslCerts(EncryptionOptions.ServerEncryptionOptions serverOpts,
                                    EncryptionOptions clientOpts)
                             throws java.io.IOException

Sanity checks all certificates to ensure we can actually load them

Throws:

java.io.IOException