SSLFactory (apache-cassandra API)

java.lang.Object
- org.apache.cassandra.security.SSLFactory

```
public final class SSLFactory
extends java.lang.Object
```
A Factory for providing and setting up client SSLSockets. Also provides methods for creating both JSSE SSLContext instances as well as netty SslContext instances.
Netty SslContext instances are expensive to create (as well as to destroy) and consume a lof of resources (especially direct memory), but instances can be reused across connections (assuming the SSL params are the same). Hence we cache created instances in cachedSslContexts.

Nested Class Summary

Nested Classes
Modifier and Type Class and Description

static class SSLFactory.LoggingCipherSuiteFilter

Nested Classes
Modifier and Type	Class and Description
`static class`	`SSLFactory.LoggingCipherSuiteFilter`

Field Summary

Fields
Modifier and Type	Field and Description
`static int`	`DEFAULT_HOT_RELOAD_INITIAL_DELAY_SEC` Default initial delay for hot reloading
`static int`	`DEFAULT_HOT_RELOAD_PERIOD_SEC` Default periodic check delay for hot reloading

Constructor Summary

Constructors
Constructor and Description

SSLFactory()

Constructors
Constructor and Description
`SSLFactory()`

Method Summary

All Methods Static Methods Concrete Methods
Modifier and Type	Method and Description
`static void`	`checkCertFilesForHotReloading(EncryptionOptions.ServerEncryptionOptions serverOpts, EncryptionOptions clientOpts)` Performs a lightweight check whether the certificate files have been refreshed.
`static void`	`clearSslContextCache()` This clears the cache of Netty's SslContext objects for Client and Server sockets.
`static javax.net.ssl.SSLContext`	`createSSLContext(EncryptionOptions options, boolean verifyPeerCertificate)` Create a JSSE `SSLContext`.
`static io.netty.handler.ssl.SslContext`	`getOrCreateSslContext(EncryptionOptions options, boolean verifyPeerCertificate, ISslContextFactory.SocketType socketType)` get a netty `SslContext` instance
`static void`	`initHotReloading(EncryptionOptions.ServerEncryptionOptions serverOpts, EncryptionOptions clientOpts, boolean force)` Determines whether to hot reload certificates and schedules a periodic task for it.
`static boolean`	`openSslIsAvailable()`
`static java.util.List<java.lang.String>`	`tlsInstanceProtocolSubstitution()` Provides the list of protocols that would have been supported if "TLS" was selected as the protocol before the change for CASSANDRA-13325 that expects explicit protocol versions.
`static void`	`validateSslCerts(EncryptionOptions.ServerEncryptionOptions serverOpts, EncryptionOptions clientOpts)` Sanity checks all certificates to ensure we can actually load them
`static void`	`validateSslContext(java.lang.String contextDescription, EncryptionOptions options, boolean verifyPeerCertificate, boolean logProtocolAndCiphers)`

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail
- DEFAULT_HOT_RELOAD_INITIAL_DELAY_SEC
```
public static final int DEFAULT_HOT_RELOAD_INITIAL_DELAY_SEC
```
  Default initial delay for hot reloading
  
  See Also:
  
  Constant Field Values
- DEFAULT_HOT_RELOAD_PERIOD_SEC
```
public static final int DEFAULT_HOT_RELOAD_PERIOD_SEC
```
  Default periodic check delay for hot reloading
  
  See Also:
  
  Constant Field Values

Constructor Detail
- SSLFactory
```
public SSLFactory()
```

Method Detail

openSslIsAvailable

public static boolean openSslIsAvailable()

tlsInstanceProtocolSubstitution
```
public static java.util.List<java.lang.String> tlsInstanceProtocolSubstitution()
```
Provides the list of protocols that would have been supported if "TLS" was selected as the protocol before the change for CASSANDRA-13325 that expects explicit protocol versions.

Returns:

list of enabled protocol names

createSSLContext

public static javax.net.ssl.SSLContext createSSLContext(EncryptionOptions options,
                                                        boolean verifyPeerCertificate)
                                                 throws java.io.IOException

Create a JSSE SSLContext.

Throws:: java.io.IOException

getOrCreateSslContext

public static io.netty.handler.ssl.SslContext getOrCreateSslContext(EncryptionOptions options,
                                                                    boolean verifyPeerCertificate,
                                                                    ISslContextFactory.SocketType socketType)
                                                             throws java.io.IOException

get a netty SslContext instance

Throws:: java.io.IOException

checkCertFilesForHotReloading
```
public static void checkCertFilesForHotReloading(EncryptionOptions.ServerEncryptionOptions serverOpts,
                                                 EncryptionOptions clientOpts)
```
Performs a lightweight check whether the certificate files have been refreshed.

Throws:

java.lang.IllegalStateException - if initHotReloading(EncryptionOptions.ServerEncryptionOptions, EncryptionOptions, boolean) is not called first

clearSslContextCache
```
public static void clearSslContextCache()
```
This clears the cache of Netty's SslContext objects for Client and Server sockets. This is made publically available so that any ISslContextFactory's implementation can call this to handle any special scenario to invalidate the SslContext cache. This should be used with caution since the purpose of this cache is save costly creation of Netty's SslContext objects and this essentially results in re-creating it.

initHotReloading

public static void initHotReloading(EncryptionOptions.ServerEncryptionOptions serverOpts,
                                    EncryptionOptions clientOpts,
                                    boolean force)
                             throws java.io.IOException

Determines whether to hot reload certificates and schedules a periodic task for it.

Parameters:: serverOpts - Server encryption options (Internode); clientOpts - Client encryption options (Native Protocol)
Throws:: java.io.IOException

validateSslContext

public static void validateSslContext(java.lang.String contextDescription,
                                      EncryptionOptions options,
                                      boolean verifyPeerCertificate,
                                      boolean logProtocolAndCiphers)
                               throws java.io.IOException

Throws:: java.io.IOException

validateSslCerts

public static void validateSslCerts(EncryptionOptions.ServerEncryptionOptions serverOpts,
                                    EncryptionOptions clientOpts)
                             throws java.io.IOException

Sanity checks all certificates to ensure we can actually load them

Throws:: java.io.IOException

Class SSLFactory

Nested Class Summary

Field Summary

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Field Detail

DEFAULT_HOT_RELOAD_INITIAL_DELAY_SEC

DEFAULT_HOT_RELOAD_PERIOD_SEC

Constructor Detail

SSLFactory