Fix mTLS connections with reactive API using Netty

scottfrederick · scottfrederick · commit ff4cbabcec00 · 2020-05-14T10:50:28.000-05:00
diff --git a/spring-credhub-core/src/main/java/org/springframework/credhub/configuration/ClientHttpConnectorFactory.java b/spring-credhub-core/src/main/java/org/springframework/credhub/configuration/ClientHttpConnectorFactory.java
@@ -16,14 +16,24 @@
 
 package org.springframework.credhub.configuration;
 
+import java.security.NoSuchAlgorithmException;
+
 import io.netty.channel.ChannelOption;
+import io.netty.handler.ssl.ClientAuth;
+import io.netty.handler.ssl.IdentityCipherSuiteFilter;
+import io.netty.handler.ssl.JdkSslContext;
 import io.netty.handler.ssl.SslContextBuilder;
 import io.netty.handler.ssl.SslProvider;
+
 import org.springframework.credhub.support.ClientOptions;
 import org.springframework.http.client.reactive.ClientHttpConnector;
 import org.springframework.http.client.reactive.ReactorClientHttpConnector;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import reactor.netty.http.client.HttpClient;
 
+import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManagerFactory;
 
 /**
@@ -33,8 +43,9 @@
  * @author Scott Frederick
  */
 public class ClientHttpConnectorFactory {
+	private static final Log logger = LogFactory.getLog(ClientHttpConnectorFactory.class);
 
-	private static SslCertificateUtils sslCertificateUtils = new SslCertificateUtils();
+	private static final SslCertificateUtils sslCertificateUtils = new SslCertificateUtils();
 
 	/**
 	 * Create a {@link ClientHttpConnector} for the given {@link ClientOptions}.
@@ -54,9 +65,16 @@ public static ClientHttpConnector create(ClientOptions options) {
 							.sslProvider(SslProvider.JDK)
 							.trustManager(trustManagerFactory)));
 		} else {
-			httpClient = httpClient.secure(sslContextSpec -> sslContextSpec
-					.sslContext(SslContextBuilder.forClient()
-							.sslProvider(SslProvider.JDK)));
+			httpClient = httpClient.secure(sslContextSpec -> {
+				try {
+					sslContextSpec
+							.sslContext(new JdkSslContext(SSLContext.getDefault(), true, null,
+									IdentityCipherSuiteFilter.INSTANCE, null, ClientAuth.REQUIRE, null, false));
+				} catch (NoSuchAlgorithmException e) {
+					logger.error("Error configuring HTTP connections", e);
+					throw new RuntimeException("Error configuring HTTP connections", e);
+				}
+			});
 		}
 
 		if (options.getConnectionTimeout() != null) {
diff --git a/spring-credhub-core/src/main/java/org/springframework/credhub/configuration/ClientHttpRequestFactoryFactory.java b/spring-credhub-core/src/main/java/org/springframework/credhub/configuration/ClientHttpRequestFactoryFactory.java
@@ -26,6 +26,7 @@
 import javax.net.ssl.X509TrustManager;
 
 import io.netty.handler.ssl.ClientAuth;
+import io.netty.handler.ssl.IdentityCipherSuiteFilter;
 import io.netty.handler.ssl.JdkSslContext;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
@@ -58,7 +59,7 @@
 public class ClientHttpRequestFactoryFactory {
 	private static final Log logger = LogFactory.getLog(ClientHttpRequestFactoryFactory.class);
 
-	private static SslCertificateUtils sslCertificateUtils = new SslCertificateUtils();
+	private static final SslCertificateUtils sslCertificateUtils = new SslCertificateUtils();
 
 	private static final boolean HTTP_COMPONENTS_PRESENT = ClassUtils.isPresent(
 			"org.apache.http.client.HttpClient",
@@ -119,7 +120,7 @@ static ClientHttpRequestFactory usingJdk(ClientOptions options) {
 			}
 
 			SimpleClientHttpRequestFactory factory = new SimpleClientHttpRequestFactory();
-			
+
 			if (options.getConnectionTimeout() != null) {
 				factory.setConnectTimeout(options.getConnectionTimeoutMillis());
 			}
@@ -235,7 +236,7 @@ static ClientHttpRequestFactory usingNetty(ClientOptions options)
 			if (usingCustomCerts(options)) {
 				TrustManagerFactory trustManagerFactory =
 						sslCertificateUtils.createTrustManagerFactory(options.getCaCertFiles());
-				
+
 				SslContext sslContext = SslContextBuilder
 						.forClient()
 						.sslProvider(SslProvider.JDK)
@@ -244,7 +245,8 @@ static ClientHttpRequestFactory usingNetty(ClientOptions options)
 
 				requestFactory.setSslContext(sslContext);
 			} else {
-				SslContext sslContext = new JdkSslContext(SSLContext.getDefault(), true, ClientAuth.REQUIRE);
+				SslContext sslContext = new JdkSslContext(SSLContext.getDefault(), true, null,
+						IdentityCipherSuiteFilter.INSTANCE, null, ClientAuth.REQUIRE, null, false);
 
 				requestFactory.setSslContext(sslContext);
 			}
@@ -253,7 +255,7 @@ static ClientHttpRequestFactory usingNetty(ClientOptions options)
 		}
 
 	}
-	
+
 	private static boolean usingCustomCerts(ClientOptions options) {
 		return options.getCaCertFiles() != null;
 	}
