Package org.apache.cassandra.security
Class SSLFactory

java.lang.Object
  org.apache.cassandra.security.SSLFactory

public final class SSLFactory extends java.lang.Object

A factory for providing and setting up client SSLSockets. Also provides methods for creating both JSSE SSLContext instances and Netty SslContext instances.

Netty SslContext instances are expensive to create (as well as to destroy) and consume a lot of resources (especially direct memory), but an instance can be reused across connections as long as the SSL parameters are the same. Created instances are therefore cached in cachedSslContexts.
Nested Class Summary

Modifier and Type    Class
static class         SSLFactory.LoggingCipherSuiteFilter

Field Summary

Modifier and Type    Field                                   Description
static int           DEFAULT_HOT_RELOAD_INITIAL_DELAY_SEC    Default initial delay for hot reloading
static int           DEFAULT_HOT_RELOAD_PERIOD_SEC           Default periodic check delay for hot reloading

Constructor Summary

Constructor      Description
SSLFactory()

Method Summary (all methods are static and concrete)

Modifier and Type                    Method                                                                                                                          Description
static void                          checkCertFilesForHotReloading()                                                                                                 Performs a lightweight check whether the certificate files have been refreshed.
static void                          clearSslContextCache()                                                                                                          Clears the cache of Netty's SslContext objects for client and server sockets.
static javax.net.ssl.SSLContext      createSSLContext(EncryptionOptions options, boolean verifyPeerCertificate)                                                      Create a JSSE SSLContext.
static void                          forceCheckCertFiles()                                                                                                           Forces revalidation and loading of SSL certificates if valid.
static io.netty.handler.ssl.SslContext  getOrCreateSslContext(EncryptionOptions options, boolean verifyPeerCertificate, ISslContextFactory.SocketType socketType, java.lang.String contextDescription)  Get a Netty SslContext instance.
static void                          initHotReloading(EncryptionOptions.ServerEncryptionOptions serverOpts, EncryptionOptions clientOpts, boolean force)             Determines whether to hot reload certificates and schedules a periodic task for it.
static boolean                       openSslIsAvailable()
static java.util.List<java.lang.String>  tlsInstanceProtocolSubstitution()                                                                                           Provides the list of protocols that would have been supported if "TLS" was selected as the protocol before the change for CASSANDRA-13325, which expects explicit protocol versions.
static void                          validateSslCerts(EncryptionOptions.ServerEncryptionOptions serverOpts, EncryptionOptions clientOpts)                            Sanity checks all certificates to ensure we can actually load them.
static void                          validateSslContext(java.lang.String contextDescription, EncryptionOptions options, boolean verifyPeerCertificate, boolean logProtocolAndCiphers)
Field Detail

DEFAULT_HOT_RELOAD_INITIAL_DELAY_SEC

public static final int DEFAULT_HOT_RELOAD_INITIAL_DELAY_SEC

Default initial delay for hot reloading.
See Also: Constant Field Values

DEFAULT_HOT_RELOAD_PERIOD_SEC

public static final int DEFAULT_HOT_RELOAD_PERIOD_SEC

Default periodic check delay for hot reloading.
See Also: Constant Field Values
Method Detail

openSslIsAvailable

public static boolean openSslIsAvailable()

tlsInstanceProtocolSubstitution

public static java.util.List<java.lang.String> tlsInstanceProtocolSubstitution()

Provides the list of protocols that would have been supported if "TLS" was selected as the protocol before the change for CASSANDRA-13325, which expects explicit protocol versions.
Returns: list of enabled protocol names

createSSLContext

public static javax.net.ssl.SSLContext createSSLContext(EncryptionOptions options, boolean verifyPeerCertificate) throws java.io.IOException

Create a JSSE SSLContext.
Throws: java.io.IOException

getOrCreateSslContext

public static io.netty.handler.ssl.SslContext getOrCreateSslContext(EncryptionOptions options, boolean verifyPeerCertificate, ISslContextFactory.SocketType socketType, java.lang.String contextDescription) throws java.io.IOException

Get a Netty SslContext instance. Instances are cached, so repeated calls with the same options, verification flag and socket type return the cached instance rather than building a new one.
Throws: java.io.IOException

checkCertFilesForHotReloading

public static void checkCertFilesForHotReloading()

Performs a lightweight check whether the certificate files have been refreshed.
Throws: java.lang.IllegalStateException - if initHotReloading(EncryptionOptions.ServerEncryptionOptions, EncryptionOptions, boolean) has not been called first

forceCheckCertFiles

public static void forceCheckCertFiles()

Forces revalidation and loading of SSL certificates if valid.

clearSslContextCache

public static void clearSslContextCache()

Clears the cache of Netty's SslContext objects for client and server sockets. This is made publicly available so that any ISslContextFactory implementation can call it to invalidate the SslContext cache in special scenarios. Use it with caution: the purpose of the cache is to save the costly creation of Netty's SslContext objects, and clearing it means every cached context is re-created on its next use.

initHotReloading

public static void initHotReloading(EncryptionOptions.ServerEncryptionOptions serverOpts, EncryptionOptions clientOpts, boolean force) throws java.io.IOException

Determines whether to hot reload certificates and schedules a periodic task for it.
Parameters:
serverOpts - Server encryption options (internode)
clientOpts - Client encryption options (native protocol)
Throws: java.io.IOException

validateSslContext

public static void validateSslContext(java.lang.String contextDescription, EncryptionOptions options, boolean verifyPeerCertificate, boolean logProtocolAndCiphers) throws java.io.IOException

Throws: java.io.IOException

validateSslCerts

public static void validateSslCerts(EncryptionOptions.ServerEncryptionOptions serverOpts, EncryptionOptions clientOpts) throws java.io.IOException

Sanity checks all certificates to ensure we can actually load them.
Throws: java.io.IOException
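The following is an added example, not Cassandra's own code, showing the call order the methods above imply at node startup: validate the configured stores first, initialise hot reloading before the lightweight check (which otherwise throws IllegalStateException), then obtain a Netty SslContext and rely on the cache for repeat lookups. The with*() builder methods on EncryptionOptions and ServerEncryptionOptions, the InternodeEncryption enum, and the store paths and passwords are assumptions not documented on this page.

```java
import java.io.IOException;

import io.netty.handler.ssl.SslContext;
import org.apache.cassandra.config.EncryptionOptions;
import org.apache.cassandra.config.EncryptionOptions.ServerEncryptionOptions;
import org.apache.cassandra.security.ISslContextFactory;
import org.apache.cassandra.security.SSLFactory;

/**
 * Added example (not part of Cassandra): wires SSLFactory the way a node would at startup.
 * Assumed, because this page does not document them: the fluent with*() copy methods on
 * EncryptionOptions/ServerEncryptionOptions and the InternodeEncryption enum.
 * The store paths and passwords below are constructed placeholders.
 */
public final class SslFactoryStartup
{
    // Constructed paths; on a real node these come from cassandra.yaml.
    private static final String KEYSTORE   = "/etc/cassandra/conf/node.keystore";
    private static final String TRUSTSTORE = "/etc/cassandra/conf/node.truststore";
    private static final String PASSWORD   = "changeit"; // placeholder only

    static ServerEncryptionOptions internodeOptions()
    {
        return new ServerEncryptionOptions()
               .withKeyStore(KEYSTORE)
               .withKeyStorePassword(PASSWORD)
               .withTrustStore(TRUSTSTORE)
               .withTrustStorePassword(PASSWORD)
               .withRequireClientAuth(true)   // mutual TLS between nodes
               .withInternodeEncryption(ServerEncryptionOptions.InternodeEncryption.all);
    }

    static EncryptionOptions nativeProtocolOptions()
    {
        return new EncryptionOptions()
               .withEnabled(true)
               .withKeyStore(KEYSTORE)
               .withKeyStorePassword(PASSWORD)
               .withTrustStore(TRUSTSTORE)
               .withTrustStorePassword(PASSWORD);
    }

    public static void main(String[] args) throws IOException
    {
        ServerEncryptionOptions serverOpts = internodeOptions();
        EncryptionOptions clientOpts = nativeProtocolOptions();

        System.out.println("OpenSSL-backed Netty provider available: " + SSLFactory.openSslIsAvailable());

        // 1. Fail fast: make sure every configured store actually loads before anything listens.
        SSLFactory.validateSslCerts(serverOpts, clientOpts);

        // 2. The lightweight check requires initHotReloading to have run first.
        try
        {
            SSLFactory.checkCertFilesForHotReloading();
        }
        catch (IllegalStateException expected)
        {
            System.out.println("hot reloading not initialised yet: " + expected.getMessage());
        }

        // 3. Schedule the periodic check (DEFAULT_HOT_RELOAD_INITIAL_DELAY_SEC /
        //    DEFAULT_HOT_RELOAD_PERIOD_SEC apply unless overridden by configuration).
        SSLFactory.initHotReloading(serverOpts, clientOpts, false);

        // 4. Server-side internode context with peer verification on (mTLS).
        SslContext server = SSLFactory.getOrCreateSslContext(serverOpts, true,
                                                             ISslContextFactory.SocketType.SERVER,
                                                             "internode server");
        // Same options, same verification flag, same socket type: served from cachedSslContexts.
        SslContext again = SSLFactory.getOrCreateSslContext(serverOpts, true,
                                                            ISslContextFactory.SocketType.SERVER,
                                                            "internode server");
        System.out.println("cache hit: " + (server == again));

        // 5. After rotating files on disk, skip the wait for the periodic task: this revalidates
        //    and loads the certificates if they are valid.
        SSLFactory.forceCheckCertFiles();

        // 6. Explicit invalidation is expensive: the next lookup pays the full creation cost
        //    (direct memory included), so only do this when a factory really needs it.
        SSLFactory.clearSslContextCache();
        SslContext rebuilt = SSLFactory.getOrCreateSslContext(serverOpts, true,
                                                              ISslContextFactory.SocketType.SERVER,
                                                              "internode server");
        System.out.println("re-created after clear: " + (rebuilt != server));
    }
}
```

Step 2 is deliberately out of order to show the documented failure mode; in production code call initHotReloading once during startup and let the scheduled task drive checkCertFilesForHotReloading. Treat clearSslContextCache as an operational escape hatch rather than something to call per connection, for exactly the resource reasons the class description gives.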