With this fix the OVSDB server provides SSL connections with two-way (mutual) authentication: both server and client authenticate the peer's certificate.
A method for retrieving the peer certificate is also added to the OVSDB connection info.
Signed-off-by: Hsin-Yi Shen <syshen66@gmail.com>
import java.net.InetAddress;
import java.util.Collection;
import java.net.InetAddress;
import java.util.Collection;
-import io.netty.handler.ssl.SslContext;
+import javax.net.ssl.SSLContext;
/**
* OvsDBConnection Interface provides OVSDB connection management APIs which includes
/**
* OvsDBConnection Interface provides OVSDB connection management APIs which includes
* @return OvsDBClient The primary Client interface for the ovsdb connection.
*/
public OvsdbClient connectWithSsl(final InetAddress address, final int port,
* @return OvsDBClient The primary Client interface for the ovsdb connection.
*/
public OvsdbClient connectWithSsl(final InetAddress address, final int port,
- final SslContext sslContext);
+ final SSLContext sslContext);
/**
* Method to disconnect an existing connection.
/**
* Method to disconnect an existing connection.
* Method to start ovsdb server for passive connection with SSL
*/
public boolean startOvsdbManagerWithSsl(final int ovsdbListenPort,
* Method to start ovsdb server for passive connection with SSL
*/
public boolean startOvsdbManagerWithSsl(final int ovsdbListenPort,
- final SslContext sslContext);
+ final SSLContext sslContext);
/**
* Method to register a Passive Connection Listener with the ConnectionService.
/**
* Method to register a Passive Connection Listener with the ConnectionService.
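Review bot: The Javadoc on connectWithSsl and startOvsdbManagerWithSsl should state what the new SSLContext parameter decides, because after this change the caller's context is the entire trust policy: its key managers supply the local identity and its trust managers decide which peer certificates are accepted. For the passive listener the implementation in this commit also requires a client certificate (setNeedClientAuth(true) in the service), so a context built with a permissive TrustManager would silently reduce the advertised two-way authentication to encryption only. Suggested text for the server method: `@param sslContext context whose trust managers decide which client certificates are accepted; a client certificate is required for the handshake to succeed`, and for the client method a matching `@param sslContext` note that the server certificate is validated against the context's trust managers.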
package org.opendaylight.ovsdb.lib;
import io.netty.channel.Channel;
package org.opendaylight.ovsdb.lib;
import io.netty.channel.Channel;
+import io.netty.handler.ssl.SslHandler;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.InetAddress;
import java.net.InetSocketAddress;
+import java.security.cert.Certificate;
+import javax.net.ssl.SSLPeerUnverifiedException;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.bind.annotation.XmlTransient;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.bind.annotation.XmlTransient;
public ConnectionType getType() {
return type;
}
public ConnectionType getType() {
return type;
}
+ @XmlElement(name="clientCertificate")
+ public Certificate getCertificate() throws SSLPeerUnverifiedException {
+ SslHandler sslHandler = (SslHandler) channel.pipeline().get("ssl");
+ if (sslHandler != null) {
+ return sslHandler.engine().getSession().getPeerCertificates()[0];
+ }
+ return null;
+ }
@Override
public int hashCode() {
@Override
public int hashCode() {
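Review bot: `@XmlElement(name="clientCertificate")` on a getter typed `java.security.cert.Certificate` will likely break JAXB context creation for OvsdbConnectionInfo, since Certificate is an abstract class without a no-arg constructor that JAXB cannot map; if the certificate must be serialized, expose an encoded form (a `byte[]` from `getEncoded()` or a PEM string), otherwise mark the getter `@XmlTransient`. The getter also needs a Javadoc stating its contract: the `[0]` element is the peer's own (leaf) certificate per the JSSE `getPeerCertificates()` ordering, null is returned when the channel has no `"ssl"` handler, and SSLPeerUnverifiedException is thrown when the peer identity is not established (handshake not finished or no certificate presented), so callers must not treat the exception as "anonymous peer" and carry on. The element name `clientCertificate` is misleading on an active connection, where the peer is the server; `peerCertificate` describes both cases. The lookup is coupled to the literal handler name `"ssl"` that the connection service uses when it builds the pipeline, which is worth a comment; hashCode() continues outside the hunk.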
import io.netty.handler.logging.LogLevel;
import io.netty.handler.logging.LoggingHandler;
import io.netty.util.CharsetUtil;
import io.netty.handler.logging.LogLevel;
import io.netty.handler.logging.LoggingHandler;
import io.netty.util.CharsetUtil;
-import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslHandler;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
import java.net.InetAddress;
import java.util.Collection;
import java.net.InetAddress;
import java.util.Collection;
import org.opendaylight.ovsdb.lib.jsonrpc.JsonRpcEndpoint;
import org.opendaylight.ovsdb.lib.jsonrpc.JsonRpcServiceBinderHandler;
import org.opendaylight.ovsdb.lib.message.OvsdbRPC;
import org.opendaylight.ovsdb.lib.jsonrpc.JsonRpcEndpoint;
import org.opendaylight.ovsdb.lib.jsonrpc.JsonRpcServiceBinderHandler;
import org.opendaylight.ovsdb.lib.message.OvsdbRPC;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
}
@Override
public OvsdbClient connectWithSsl(final InetAddress address, final int port,
}
@Override
public OvsdbClient connectWithSsl(final InetAddress address, final int port,
- final SslContext sslContext) {
+ final SSLContext sslContext) {
try {
Bootstrap bootstrap = new Bootstrap();
bootstrap.group(new NioEventLoopGroup());
try {
Bootstrap bootstrap = new Bootstrap();
bootstrap.group(new NioEventLoopGroup());
public void initChannel(SocketChannel channel) throws Exception {
if (sslContext != null) {
/* First add ssl handler if ssl context is given */
public void initChannel(SocketChannel channel) throws Exception {
if (sslContext != null) {
/* First add ssl handler if ssl context is given */
- channel.pipeline().addLast(sslContext.newHandler(channel.alloc(),
- address.toString(), port));
+ SSLEngine engine =
+ sslContext.createSSLEngine(address.toString(), port);
+ engine.setUseClientMode(true);
+ channel.pipeline().addLast("ssl", new SslHandler(engine));
}
channel.pipeline().addLast(
//new LoggingHandler(LogLevel.INFO),
}
channel.pipeline().addLast(
//new LoggingHandler(LogLevel.INFO),
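Review bot: `sslContext.createSSLEngine(address.toString(), port)` hands JSSE the `InetAddress.toString()` form (`hostname/literal`, or `/10.0.0.1` when unresolved) as the peer host, and that string is what the engine uses for SNI and for any endpoint identification, so neither can work; use `sslContext.createSSLEngine(address.getHostName(), port)` (or `getHostAddress()`). Independently, no endpoint identification algorithm is set on the engine, so the client only checks that the server's chain is trusted by the supplied SSLContext, not that the certificate belongs to this peer; any server holding a certificate from the same CA is accepted. If that is intended for OVS-style PKI, where certificates are commonly not bound to hostnames, say so in a comment on the engine setup; otherwise enable it via `SSLParameters.setEndpointIdentificationAlgorithm` on the engine before the SslHandler is added. initChannel's pipeline setup continues past the end of this hunk.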
@Override
synchronized
public boolean startOvsdbManagerWithSsl(final int ovsdbListenPort,
@Override
synchronized
public boolean startOvsdbManagerWithSsl(final int ovsdbListenPort,
- final SslContext sslContext) {
+ final SSLContext sslContext) {
if (!singletonCreated) {
new Thread() {
@Override
if (!singletonCreated) {
new Thread() {
@Override
* OVSDB Passive listening thread that uses Netty ServerBootstrap to open
* passive connection with Ssl and handle channel callbacks.
*/
* OVSDB Passive listening thread that uses Netty ServerBootstrap to open
* passive connection with Ssl and handle channel callbacks.
*/
- private static void ovsdbManagerWithSsl(int port, final SslContext sslContext) {
+ private static void ovsdbManagerWithSsl(int port, final SSLContext sslContext) {
EventLoopGroup bossGroup = new NioEventLoopGroup();
EventLoopGroup workerGroup = new NioEventLoopGroup();
try {
EventLoopGroup bossGroup = new NioEventLoopGroup();
EventLoopGroup workerGroup = new NioEventLoopGroup();
try {
logger.debug("New Passive channel created : "+ channel.toString());
if (sslContext != null) {
/* Add SSL handler first if SSL context is provided */
logger.debug("New Passive channel created : "+ channel.toString());
if (sslContext != null) {
/* Add SSL handler first if SSL context is provided */
- channel.pipeline().addLast(sslContext.newHandler(channel.alloc()));
+ SSLEngine engine = sslContext.createSSLEngine();
+ engine.setUseClientMode(false); // work in a server mode
+ engine.setNeedClientAuth(true); // need client authentication
+ channel.pipeline().addLast("ssl", new SslHandler(engine));
}
channel.pipeline().addLast(
}
channel.pipeline().addLast(