NETWORKING: Add SSL Handler before other Handlers (#34636)

* NETWORKING: Add SSL Handler before other Handlers

* The only way to run into the issue in #33998 is for `Netty4MessageChannelHandler`
to be in the pipeline while the SslHandler is not. Adding the SslHandler before any
other handlers should ensure correct ordering here even when we handle upstream events
in our own thread pool
* Ensure that channels that were closed concurrently don't trip the assertion
* Closes #33998
Armin Braun 2018-10-25 07:51:14 +02:00 committed by GitHub
parent 59536966c2
commit e7ced94a65
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 2 deletions


@ -157,11 +157,12 @@ public class SecurityNetty4Transport extends Netty4Transport {
@Override @Override
protected void initChannel(Channel ch) throws Exception { protected void initChannel(Channel ch) throws Exception {
super.initChannel(ch);
SSLEngine serverEngine = sslService.createSSLEngine(configuration, null, -1); SSLEngine serverEngine = sslService.createSSLEngine(configuration, null, -1);
serverEngine.setUseClientMode(false); serverEngine.setUseClientMode(false);
final SslHandler sslHandler = new SslHandler(serverEngine); final SslHandler sslHandler = new SslHandler(serverEngine);
ch.pipeline().addFirst("sslhandler", sslHandler); ch.pipeline().addFirst("sslhandler", sslHandler);
super.initChannel(ch);
assert ch.pipeline().first() == sslHandler : "SSL handler must be first handler in pipeline";
} }
} }
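Review bot: The ordering invariant in `initChannel` is enforced only by the new `assert`, which does nothing when the JVM runs without `-ea`, and nothing in the code says why `super.initChannel(ch)` now has to come after the `addFirst` call. I would add a comment above `ch.pipeline().addFirst("sslhandler", sslHandler);`, for example `// Install the SslHandler before super.initChannel(ch) so no other handler is ever in the pipeline without TLS in front of it (see #33998)`. That way a later refactor does not quietly move the super call back to the top. Only the server-side initializer (the one building `serverEngine`) is visible in this hunk; if the client-side initializer adds its SslHandler after its own super call, it probably needs the same reordering.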


@ -6,6 +6,7 @@
package org.elasticsearch.xpack.security.transport; package org.elasticsearch.xpack.security.transport;
import io.netty.channel.Channel; import io.netty.channel.Channel;
import io.netty.channel.ChannelException;
import io.netty.handler.ssl.SslHandler; import io.netty.handler.ssl.SslHandler;
import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage; import org.apache.logging.log4j.message.ParameterizedMessage;
@ -59,7 +60,13 @@ public class SSLEngineUtils {
if (tcpChannel instanceof Netty4TcpChannel) { if (tcpChannel instanceof Netty4TcpChannel) {
Channel nettyChannel = ((Netty4TcpChannel) tcpChannel).getNettyChannel(); Channel nettyChannel = ((Netty4TcpChannel) tcpChannel).getNettyChannel();
SslHandler handler = nettyChannel.pipeline().get(SslHandler.class); SslHandler handler = nettyChannel.pipeline().get(SslHandler.class);
assert handler != null : "Must have SslHandler"; if (handler == null) {
if (nettyChannel.isOpen()) {
assert false : "Must have SslHandler";
} else {
throw new ChannelException("Channel is closed.");
}
}
return handler.engine(); return handler.engine();
} else if (tcpChannel instanceof NioTcpChannel) { } else if (tcpChannel instanceof NioTcpChannel) {
SocketChannelContext context = ((NioTcpChannel) tcpChannel).getContext(); SocketChannelContext context = ((NioTcpChannel) tcpChannel).getContext();
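Review bot: With assertions disabled, an open channel that has no SslHandler passes through the new `if (handler == null)` block and reaches `return handler.engine();` with a null handler, so the caller gets a bare NullPointerException instead of a clear failure. `assert false` only fires under `-ea`; I would follow it with an explicit throw so the open-channel branch fails the same way in production, e.g. `throw new IllegalStateException("Channel is open but has no SslHandler");` directly after the assert line. Because this helper hands out the SSLEngine of a transport channel, an open channel without the handler is presumably a state no caller should continue from. The enclosing method starts before and continues after this hunk, so how callers handle either exception is not visible here.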