Eclipse
/
jetty.project
mirror of https://github.com/jetty/jetty.project.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fixes #4170 - Client-side alias selection based on SSLEngine. 

Fixed setting of host/port in AbstractConnectorHttpClientTransport
and HttpProxy so that the creation of SSLEngine can use the proper
host/port pair, and can be subsequently used in TLS components.

Introduced SslContextFactory X509ExtendedKeyManagerWrapper and
X509ExtendedTrustManagerWrapper as utility classes used internally
and in tests.

The test case for this issue required 3 keystores, so other test
classes have been refactored to use the new keystores.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
This commit is contained in:
Simone Bordet 2019-10-08 18:32:23 +02:00
parent 7164171674
commit 742f564332
10 changed files with 316 additions and 185 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
jetty-client/src/main/java/org/eclipse/jetty/client/AbstractConnectorHttpClientTransport.java
View File

@ -85,8 +85,8 @@ public abstract class AbstractConnectorHttpClientTransport extends AbstractHttpC
channel.bind(bindAddress);
configure(client, channel);
context.put(SslClientConnectionFactory.SSL_PEER_HOST_CONTEXT_KEY, destination.getHost());
context.put(SslClientConnectionFactory.SSL_PEER_PORT_CONTEXT_KEY, destination.getPort());
context.put(SslClientConnectionFactory.SSL_PEER_HOST_CONTEXT_KEY, address.getHostString());
context.put(SslClientConnectionFactory.SSL_PEER_PORT_CONTEXT_KEY, address.getPort());
boolean connected = true;
if (client.isConnectBlocking())

3
jetty-client/src/main/java/org/eclipse/jetty/client/HttpProxy.java
View File

@ -34,6 +34,7 @@ import org.eclipse.jetty.http.HttpScheme;
import org.eclipse.jetty.http.HttpStatus;
import org.eclipse.jetty.io.ClientConnectionFactory;
import org.eclipse.jetty.io.EndPoint;
import org.eclipse.jetty.io.ssl.SslClientConnectionFactory;
import org.eclipse.jetty.util.Promise;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
@ -205,6 +206,8 @@ public class HttpProxy extends ProxyConfiguration.Proxy
HttpClient client = destination.getHttpClient();
ClientConnectionFactory sslConnectionFactory = client.newSslClientConnectionFactory(connectionFactory);
HttpConnectionOverHTTP oldConnection = (HttpConnectionOverHTTP)endPoint.getConnection();
context.put(SslClientConnectionFactory.SSL_PEER_HOST_CONTEXT_KEY, destination.getHost());
context.put(SslClientConnectionFactory.SSL_PEER_PORT_CONTEXT_KEY, destination.getPort());
org.eclipse.jetty.io.Connection newConnection = sslConnectionFactory.newConnection(endPoint, context);
// Creating the connection will link the new Connection the EndPoint,
// but we need the old Connection linked for the upgrade to do its job.

3
jetty-proxy/src/test/java/org/eclipse/jetty/proxy/ConnectHandlerSSLTest.java
View File

@ -53,10 +53,9 @@ public class ConnectHandlerSSLTest extends AbstractConnectHandlerTest
public void prepare() throws Exception
{
sslContextFactory = new SslContextFactory.Server();
String keyStorePath = MavenTestingUtils.getTestResourceFile("keystore").getAbsolutePath();
String keyStorePath = MavenTestingUtils.getTestResourceFile("server_keystore.p12").getAbsolutePath();
sslContextFactory.setKeyStorePath(keyStorePath);
sslContextFactory.setKeyStorePassword("storepwd");
sslContextFactory.setKeyManagerPassword("keypwd");
server = new Server();
serverConnector = new ServerConnector(server, sslContextFactory);
server.addConnector(serverConnector);

54
jetty-proxy/src/test/java/org/eclipse/jetty/proxy/ForwardProxyServerTest.java
View File

@ -45,7 +45,6 @@ import org.eclipse.jetty.util.thread.QueuedThreadPool;
import org.hamcrest.Matchers;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.Arguments;
import org.junit.jupiter.params.provider.MethodSource;
import static org.hamcrest.MatcherAssert.assertThat;
@ -54,36 +53,29 @@ import static org.junit.jupiter.api.Assertions.assertFalse;
public class ForwardProxyServerTest
{
@SuppressWarnings("Duplicates")
public static Stream<Arguments> scenarios()
public static Stream<SslContextFactory.Server> serverTLS()
{
String keyStorePath = MavenTestingUtils.getTestResourceFile("keystore").getAbsolutePath();
// no server SSL
SslContextFactory scenario1 = null;
// basic server SSL
SslContextFactory scenario2 = new SslContextFactory.Server();
scenario2.setKeyStorePath(keyStorePath);
scenario2.setKeyStorePassword("storepwd");
scenario2.setKeyManagerPassword("keypwd");
// TODO: add more SslContextFactory configurations/scenarios?
return Stream.of(scenario1, scenario2).map(Arguments::of);
return Stream.of(null, newServerSslContextFactory());
}
private SslContextFactory serverSslContextFactory;
private Server server;
private ServerConnector serverConnector;
private SslContextFactory serverSslContextFactory;
private Server proxy;
private ServerConnector proxyConnector;
public void init(SslContextFactory scenario)
private static SslContextFactory.Server newServerSslContextFactory()
{
serverSslContextFactory = scenario;
SslContextFactory.Server proxyTLS = new SslContextFactory.Server();
String keyStorePath = MavenTestingUtils.getTestResourceFile("server_keystore.p12").getAbsolutePath();
proxyTLS.setKeyStorePath(keyStorePath);
proxyTLS.setKeyStorePassword("storepwd");
return proxyTLS;
}
protected void startServer(ConnectionFactory connectionFactory) throws Exception
protected void startServer(SslContextFactory.Server serverTLS, ConnectionFactory connectionFactory) throws Exception
{
serverSslContextFactory = serverTLS;
QueuedThreadPool serverThreads = new QueuedThreadPool();
serverThreads.setName("server");
server = new Server(serverThreads);
@ -126,28 +118,20 @@ public class ForwardProxyServerTest
protected void stopServer() throws Exception
{
if (server != null)
{
server.stop();
server.join();
}
}
protected void stopProxy() throws Exception
{
if (proxy != null)
{
proxy.stop();
proxy.join();
}
}
@ParameterizedTest
@MethodSource("scenarios")
public void testRequestTarget(SslContextFactory scenario) throws Exception
@MethodSource("serverTLS")
public void testRequestTarget(SslContextFactory.Server serverTLS) throws Exception
{
init(scenario);
startServer(new AbstractConnectionFactory("http/1.1")
startServer(serverTLS, new AbstractConnectionFactory("http/1.1")
{
@Override
public Connection newConnection(Connector connector, EndPoint endPoint)
@ -204,14 +188,8 @@ public class ForwardProxyServerTest
});
startProxy();
String keyStorePath = MavenTestingUtils.getTestResourceFile("keystore").getAbsolutePath();
SslContextFactory clientSsl = new SslContextFactory.Client();
clientSsl.setKeyStorePath(keyStorePath);
clientSsl.setKeyStorePassword("storepwd");
clientSsl.setKeyManagerPassword("keypwd");
clientSsl.setEndpointIdentificationAlgorithm(null);
HttpClient httpClient = new HttpClient(clientSsl);
SslContextFactory clientTLS = new SslContextFactory.Client(true);
HttpClient httpClient = new HttpClient(clientTLS);
httpClient.getProxyConfiguration().getProxies().add(newHttpProxy());
httpClient.start();

262
jetty-proxy/src/test/java/org/eclipse/jetty/proxy/ForwardProxyTLSServerTest.java
View File

@ -23,11 +23,16 @@ import java.net.ConnectException;
import java.net.Socket;
import java.net.URI;
import java.net.URLEncoder;
import java.security.KeyStore;
import java.security.Principal;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import java.util.stream.Stream;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
@ -61,8 +66,8 @@ import org.hamcrest.Matchers;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Disabled;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.Arguments;
import org.junit.jupiter.params.provider.MethodSource;
import static org.hamcrest.MatcherAssert.assertThat;
@ -73,56 +78,46 @@ import static org.junit.jupiter.api.Assumptions.assumeTrue;
public class ForwardProxyTLSServerTest
{
@SuppressWarnings("Duplicates")
public static Stream<Arguments> scenarios()
public static Stream<SslContextFactory.Server> proxyTLS()
{
String keyStorePath = MavenTestingUtils.getTestResourceFile("keystore").getAbsolutePath();
// no server SSL
SslContextFactory.Server scenario1 = null;
// basic server SSL
SslContextFactory.Server scenario2 = new SslContextFactory.Server();
scenario2.setKeyStorePath(keyStorePath);
scenario2.setKeyStorePassword("storepwd");
scenario2.setKeyManagerPassword("keypwd");
// TODO: add more SslContextFactory configurations/scenarios?
return Stream.of(scenario1, scenario2).map(Arguments::of);
return Stream.of(null, newProxySslContextFactory());
}
private SslContextFactory.Server proxySslContextFactory;
private Server server;
private ServerConnector serverConnector;
private Server proxy;
private ServerConnector proxyConnector;
public void init(SslContextFactory.Server scenario)
{
proxySslContextFactory = scenario;
}
private SslContextFactory.Server proxySslContextFactory;
protected void startTLSServer(Handler handler) throws Exception
{
SslContextFactory.Server sslContextFactory = newServerSslContextFactory();
startTLSServer(sslContextFactory, handler);
}
protected void startTLSServer(SslContextFactory.Server sslContextFactory, Handler handler) throws Exception
{
QueuedThreadPool serverThreads = new QueuedThreadPool();
serverThreads.setName("server");
server = new Server(serverThreads);
serverConnector = new ServerConnector(server, newServerSslContextFactory());
serverConnector = new ServerConnector(server, sslContextFactory);
server.addConnector(serverConnector);
server.setHandler(handler);
server.start();
}
protected void startProxy() throws Exception
protected void startProxy(SslContextFactory.Server proxyTLS) throws Exception
{
startProxy(new ConnectHandler());
startProxy(proxyTLS, new ConnectHandler());
}
protected void startProxy(ConnectHandler connectHandler) throws Exception
protected void startProxy(SslContextFactory.Server proxyTLS, ConnectHandler connectHandler) throws Exception
{
proxySslContextFactory = proxyTLS;
QueuedThreadPool proxyThreads = new QueuedThreadPool();
proxyThreads.setName("proxy");
proxy = new Server(proxyThreads);
proxyConnector = new ServerConnector(proxy, proxySslContextFactory);
proxyConnector = new ServerConnector(proxy, proxyTLS);
proxy.addConnector(proxyConnector);
// Under Windows, it takes a while to detect that a connection
// attempt fails, so use an explicit timeout
@ -139,24 +134,24 @@ public class ForwardProxyTLSServerTest
private static SslContextFactory.Server newServerSslContextFactory()
{
SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
configureSslContextFactory(sslContextFactory);
String keyStorePath = MavenTestingUtils.getTestResourceFile("server_keystore.p12").getAbsolutePath();
sslContextFactory.setKeyStorePath(keyStorePath);
sslContextFactory.setKeyStorePassword("storepwd");
return sslContextFactory;
}
private static SslContextFactory.Server newProxySslContextFactory()
{
SslContextFactory.Server proxyTLS = new SslContextFactory.Server();
String keyStorePath = MavenTestingUtils.getTestResourceFile("proxy_keystore.p12").getAbsolutePath();
proxyTLS.setKeyStorePath(keyStorePath);
proxyTLS.setKeyStorePassword("storepwd");
return proxyTLS;
}
private static SslContextFactory.Client newClientSslContextFactory()
{
SslContextFactory.Client sslContextFactory = new SslContextFactory.Client();
configureSslContextFactory(sslContextFactory);
sslContextFactory.setEndpointIdentificationAlgorithm(null);
return sslContextFactory;
}
private static void configureSslContextFactory(SslContextFactory sslContextFactory)
{
String keyStorePath = MavenTestingUtils.getTestResourceFile("keystore").getAbsolutePath();
sslContextFactory.setKeyStorePath(keyStorePath);
sslContextFactory.setKeyStorePassword("storepwd");
sslContextFactory.setKeyManagerPassword("keypwd");
return new SslContextFactory.Client(true);
}
@AfterEach
@ -185,12 +180,11 @@ public class ForwardProxyTLSServerTest
}
@ParameterizedTest
@MethodSource("scenarios")
public void testOneExchange(SslContextFactory.Server scenario) throws Exception
@MethodSource("proxyTLS")
public void testOneExchange(SslContextFactory.Server proxyTLS) throws Exception
{
init(scenario);
startTLSServer(new ServerHandler());
startProxy();
startProxy(proxyTLS);
HttpClient httpClient = new HttpClient(newClientSslContextFactory());
httpClient.getProxyConfiguration().getProxies().add(newHttpProxy());
@ -221,12 +215,11 @@ public class ForwardProxyTLSServerTest
}
@ParameterizedTest
@MethodSource("scenarios")
public void testTwoExchanges(SslContextFactory.Server scenario) throws Exception
@MethodSource("proxyTLS")
public void testTwoExchanges(SslContextFactory.Server proxyTLS) throws Exception
{
init(scenario);
startTLSServer(new ServerHandler());
startProxy();
startProxy(proxyTLS);
HttpClient httpClient = new HttpClient(newClientSslContextFactory());
httpClient.getProxyConfiguration().getProxies().add(newHttpProxy());
@ -268,12 +261,11 @@ public class ForwardProxyTLSServerTest
}
@ParameterizedTest
@MethodSource("scenarios")
public void testTwoConcurrentExchanges(SslContextFactory.Server scenario) throws Exception
@MethodSource("proxyTLS")
public void testTwoConcurrentExchanges(SslContextFactory.Server proxyTLS) throws Exception
{
init(scenario);
startTLSServer(new ServerHandler());
startProxy();
startProxy(proxyTLS);
HttpClient httpClient = new HttpClient(newClientSslContextFactory());
httpClient.getProxyConfiguration().getProxies().add(newHttpProxy());
@ -335,15 +327,14 @@ public class ForwardProxyTLSServerTest
}
@ParameterizedTest
@MethodSource("scenarios")
public void testShortIdleTimeoutOverriddenByRequest(SslContextFactory.Server scenario) throws Exception
@MethodSource("proxyTLS")
public void testShortIdleTimeoutOverriddenByRequest(SslContextFactory.Server proxyTLS) throws Exception
{
init(scenario);
// Short idle timeout for HttpClient.
long idleTimeout = 500;
startTLSServer(new ServerHandler());
startProxy(new ConnectHandler()
startProxy(proxyTLS, new ConnectHandler()
{
@Override
protected void handleConnect(Request baseRequest, HttpServletRequest request, HttpServletResponse response, String serverAddress)
@ -391,12 +382,11 @@ public class ForwardProxyTLSServerTest
}
@ParameterizedTest
@MethodSource("scenarios")
public void testProxyDown(SslContextFactory.Server scenario) throws Exception
@MethodSource("proxyTLS")
public void testProxyDown(SslContextFactory.Server proxyTLS) throws Exception
{
init(scenario);
startTLSServer(new ServerHandler());
startProxy();
startProxy(proxyTLS);
int proxyPort = proxyConnector.getLocalPort();
stopProxy();
@ -420,14 +410,13 @@ public class ForwardProxyTLSServerTest
}
@ParameterizedTest
@MethodSource("scenarios")
public void testServerDown(SslContextFactory.Server scenario) throws Exception
@MethodSource("proxyTLS")
public void testServerDown(SslContextFactory.Server proxyTLS) throws Exception
{
init(scenario);
startTLSServer(new ServerHandler());
int serverPort = serverConnector.getLocalPort();
stopServer();
startProxy();
startProxy(proxyTLS);
HttpClient httpClient = new HttpClient(newClientSslContextFactory());
httpClient.getProxyConfiguration().getProxies().add(newHttpProxy());
@ -448,12 +437,11 @@ public class ForwardProxyTLSServerTest
}
@ParameterizedTest
@MethodSource("scenarios")
public void testProxyClosesConnection(SslContextFactory.Server scenario) throws Exception
@MethodSource("proxyTLS")
public void testProxyClosesConnection(SslContextFactory.Server proxyTLS) throws Exception
{
init(scenario);
startTLSServer(new ServerHandler());
startProxy(new ConnectHandler()
startProxy(proxyTLS, new ConnectHandler()
{
@Override
protected void handleConnect(Request baseRequest, HttpServletRequest request, HttpServletResponse response, String serverAddress)
@ -476,12 +464,11 @@ public class ForwardProxyTLSServerTest
}
@ParameterizedTest
@MethodSource("scenarios")
public void testProxyAuthentication(SslContextFactory.Server scenario) throws Exception
@MethodSource("proxyTLS")
public void testProxyAuthentication(SslContextFactory.Server proxyTLS) throws Exception
{
init(scenario);
String realm = "test-realm";
testProxyAuthentication(realm, new ConnectHandler()
testProxyAuthentication(proxyTLS, new ConnectHandler()
{
@Override
public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
@ -496,16 +483,15 @@ public class ForwardProxyTLSServerTest
}
super.handle(target, baseRequest, request, response);
}
});
}, realm);
}
@ParameterizedTest
@MethodSource("scenarios")
public void testProxyAuthenticationWithResponseContent(SslContextFactory.Server scenario) throws Exception
@MethodSource("proxyTLS")
public void testProxyAuthenticationWithResponseContent(SslContextFactory.Server proxyTLS) throws Exception
{
init(scenario);
String realm = "test-realm";
testProxyAuthentication(realm, new ConnectHandler()
testProxyAuthentication(proxyTLS, new ConnectHandler()
{
@Override
public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
@ -521,16 +507,15 @@ public class ForwardProxyTLSServerTest
}
super.handle(target, baseRequest, request, response);
}
});
}, realm);
}
@ParameterizedTest
@MethodSource("scenarios")
public void testProxyAuthenticationWithIncludedAddressWithResponseContent(SslContextFactory.Server scenario) throws Exception
@MethodSource("proxyTLS")
public void testProxyAuthenticationWithIncludedAddressWithResponseContent(SslContextFactory.Server proxyTLS) throws Exception
{
init(scenario);
String realm = "test-realm";
testProxyAuthentication(realm, new ConnectHandler()
testProxyAuthentication(proxyTLS, new ConnectHandler()
{
@Override
public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
@ -546,16 +531,15 @@ public class ForwardProxyTLSServerTest
}
super.handle(target, baseRequest, request, response);
}
}, true);
}, realm, true);
}
@ParameterizedTest
@MethodSource("scenarios")
public void testProxyAuthenticationClosesConnection(SslContextFactory.Server scenario) throws Exception
@MethodSource("proxyTLS")
public void testProxyAuthenticationClosesConnection(SslContextFactory.Server proxyTLS) throws Exception
{
init(scenario);
String realm = "test-realm";
testProxyAuthentication(realm, new ConnectHandler()
testProxyAuthentication(proxyTLS, new ConnectHandler()
{
@Override
protected boolean handleAuthentication(HttpServletRequest request, HttpServletResponse response, String address)
@ -572,18 +556,18 @@ public class ForwardProxyTLSServerTest
return true;
}
}
});
}, realm);
}
private void testProxyAuthentication(String realm, ConnectHandler connectHandler) throws Exception
private void testProxyAuthentication(SslContextFactory.Server proxyTLS, ConnectHandler connectHandler, String realm) throws Exception
{
testProxyAuthentication(realm, connectHandler, false);
testProxyAuthentication(proxyTLS, connectHandler, realm, false);
}
private void testProxyAuthentication(String realm, ConnectHandler connectHandler, boolean includeAddress) throws Exception
private void testProxyAuthentication(SslContextFactory.Server proxyTLS, ConnectHandler connectHandler, String realm, boolean includeAddress) throws Exception
{
startTLSServer(new ServerHandler());
startProxy(connectHandler);
startProxy(proxyTLS, connectHandler);
HttpClient httpClient = new HttpClient(newClientSslContextFactory());
HttpProxy httpProxy = newHttpProxy();
@ -615,13 +599,101 @@ public class ForwardProxyTLSServerTest
}
}
@ParameterizedTest
@MethodSource("scenarios")
@Test
public void testBothProxyAndServerNeedClientAuth() throws Exception
{
// Keystore server_keystore.p12 contains:
// - alias "mykey": self-signed certificate with private key.
// - alias "client_root": certificate from client_keystore.p12 under the "server" alias.
// Keystore proxy_keystore.p12 contains:
// - alias "mykey": self-signed certificate with private key.
// - alias "client_root": certificate from client_keystore.p12 under the "proxy" alias.
// Keystore client_keystore.p12 contains:
// - alias "proxy": self-signed certificate with private key to send to the proxy.
// - alias "server": self-signed certificate with private key to send to the server.
// - alias "proxy_root": certificate from proxy_keystore under the "mykey" alias.
// - alias "server_root": certificate from server_keystore under the "mykey" alias.
// We want setEndpointIdentificationAlgorithm(null) for all 3 SslContextFactory
// because the certificate common names do not match the host names.
SslContextFactory.Server serverTLS = newServerSslContextFactory();
serverTLS.setEndpointIdentificationAlgorithm(null);
serverTLS.setNeedClientAuth(true);
startTLSServer(serverTLS, new ServerHandler());
int serverPort = serverConnector.getLocalPort();
String serverAlias = "server";
SslContextFactory.Server proxyTLS = newProxySslContextFactory();
proxyTLS.setEndpointIdentificationAlgorithm(null);
proxyTLS.setNeedClientAuth(true);
startProxy(proxyTLS);
int proxyPort = proxyConnector.getLocalPort();
String proxyAlias = "proxy";
SslContextFactory.Client clientSslContextFactory = new SslContextFactory.Client()
{
@Override
protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
{
KeyManager[] keyManagers = super.getKeyManagers(keyStore);
for (int i = 0; i < keyManagers.length; i++)
{
KeyManager keyManager = keyManagers[i];
if (keyManager instanceof X509ExtendedKeyManager)
{
X509ExtendedKeyManager extKeyManager = (X509ExtendedKeyManager)keyManager;
keyManagers[i] = new X509ExtendedKeyManagerWrapper(extKeyManager)
{
@Override
public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine)
{
int port = engine.getPeerPort();
if (port == serverPort)
return serverAlias;
else if (port == proxyPort)
return proxyAlias;
else
return super.chooseEngineClientAlias(keyType, issuers, engine);
}
};
}
}
return keyManagers;
}
};
clientSslContextFactory.setKeyStorePath(MavenTestingUtils.getTestResourceFile("client_keystore.p12").getAbsolutePath());
clientSslContextFactory.setKeyStorePassword("storepwd");
clientSslContextFactory.setEndpointIdentificationAlgorithm(null);
HttpClient httpClient = new HttpClient(clientSslContextFactory);
httpClient.getProxyConfiguration().getProxies().add(newHttpProxy());
httpClient.start();
try
{
String body = "BODY";
ContentResponse response = httpClient.newRequest("localhost", serverConnector.getLocalPort())
.scheme(HttpScheme.HTTPS.asString())
.method(HttpMethod.GET)
.path("/echo?body=" + URLEncoder.encode(body, "UTF-8"))
.timeout(5, TimeUnit.SECONDS)
.send();
assertEquals(HttpStatus.OK_200, response.getStatus());
String content = response.getContentAsString();
assertEquals(body, content);
}
finally
{
httpClient.stop();
}
}
@Test
@Tag("external")
@Disabled
public void testExternalProxy(SslContextFactory.Server scenario) throws Exception
public void testExternalProxy() throws Exception
{
init(scenario);
// Free proxy server obtained from http://hidemyass.com/proxy-list/
String proxyHost = "81.208.25.53";
int proxyPort = 3128;

BIN
jetty-proxy/src/test/resources/client_keystore.p12 Normal file
View File

Binary file not shown.

BIN
jetty-proxy/src/test/resources/keystore
View File

Binary file not shown.

BIN
jetty-proxy/src/test/resources/proxy_keystore.p12 Normal file
View File

Binary file not shown.

BIN
jetty-proxy/src/test/resources/server_keystore.p12 Normal file
View File

Binary file not shown.

175
jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
View File

@ -26,6 +26,8 @@ import java.net.Socket;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CRL;
@ -99,69 +101,24 @@ import org.eclipse.jetty.util.security.Password;
@ManagedObject
public class SslContextFactory extends AbstractLifeCycle implements Dumpable
{
public static final TrustManager[] TRUST_ALL_CERTS = new X509TrustManager[]{
new X509ExtendedTrustManager()
{
@Override
public X509Certificate[] getAcceptedIssuers()
{
return new X509Certificate[0];
}
@Override
public void checkClientTrusted(X509Certificate[] certs, String authType)
{
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
{
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
{
}
@Override
public void checkServerTrusted(X509Certificate[] certs, String authType)
{
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
{
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
{
}
}
};
private static final Logger LOG = Log.getLogger(SslContextFactory.class);
private static final Logger LOG_CONFIG = LOG.getLogger("config");
public static final TrustManager[] TRUST_ALL_CERTS = new X509TrustManager[]{new X509ExtendedTrustManagerWrapper(null)};
public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM = KeyManagerFactory.getDefaultAlgorithm();
public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM = TrustManagerFactory.getDefaultAlgorithm();
/**
* String name of key password property.
*/
public static final String KEYPASSWORD_PROPERTY = "org.eclipse.jetty.ssl.keypassword";
/**
* String name of keystore password property.
*/
public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password";
private static final Logger LOG = Log.getLogger(SslContextFactory.class);
private static final Logger LOG_CONFIG = LOG.getLogger("config");
/**
* Default Excluded Protocols List
*/
private static final String[] DEFAULT_EXCLUDED_PROTOCOLS = {"SSL", "SSLv2", "SSLv2Hello", "SSLv3"};
/**
* Default Excluded Cipher Suite List
*/
@ -2271,4 +2228,126 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
super.setNeedClientAuth(needClientAuth);
}
}
/**
* <p>A wrapper that delegates to another (if not {@code null}) X509ExtendedKeyManager.</p>
*/
public static class X509ExtendedKeyManagerWrapper extends X509ExtendedKeyManager
{
private final X509ExtendedKeyManager keyManager;
public X509ExtendedKeyManagerWrapper(X509ExtendedKeyManager keyManager)
{
this.keyManager = keyManager;
}
@Override
public String[] getClientAliases(String keyType, Principal[] issuers)
{
return keyManager == null ? null : keyManager.getClientAliases(keyType, issuers);
}
@Override
public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
{
return keyManager == null ? null : keyManager.chooseClientAlias(keyType, issuers, socket);
}
@Override
public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine)
{
return keyManager == null ? null : keyManager.chooseEngineClientAlias(keyType, issuers, engine);
}
@Override
public String[] getServerAliases(String keyType, Principal[] issuers)
{
return keyManager == null ? null : keyManager.getServerAliases(keyType, issuers);
}
@Override
public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket)
{
return keyManager == null ? null : keyManager.chooseServerAlias(keyType, issuers, socket);
}
@Override
public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine)
{
return keyManager == null ? null : keyManager.chooseEngineServerAlias(keyType, issuers, engine);
}
@Override
public X509Certificate[] getCertificateChain(String alias)
{
return keyManager == null ? null : keyManager.getCertificateChain(alias);
}
@Override
public PrivateKey getPrivateKey(String alias)
{
return keyManager == null ? null : keyManager.getPrivateKey(alias);
}
}
/**
* <p>A wrapper that delegates to another (if not {@code null}) X509ExtendedTrustManager.</p>
*/
public static class X509ExtendedTrustManagerWrapper extends X509ExtendedTrustManager
{
private final X509ExtendedTrustManager trustManager;
public X509ExtendedTrustManagerWrapper(X509ExtendedTrustManager trustManager)
{
this.trustManager = trustManager;
}
@Override
public X509Certificate[] getAcceptedIssuers()
{
return trustManager == null ? new X509Certificate[0] : trustManager.getAcceptedIssuers();
}
@Override
public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException
{
if (trustManager != null)
trustManager.checkClientTrusted(certs, authType);
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException
{
if (trustManager != null)
trustManager.checkClientTrusted(chain, authType, socket);
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException
{
if (trustManager != null)
trustManager.checkClientTrusted(chain, authType, engine);
}
@Override
public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException
{
if (trustManager != null)
trustManager.checkServerTrusted(certs, authType);
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException
{
if (trustManager != null)
trustManager.checkServerTrusted(chain, authType, socket);
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException
{
if (trustManager != null)
trustManager.checkServerTrusted(chain, authType, engine);
}
}
}