
Commit ff4cbab

Fix mTLS connections with reactive API using Netty
1 parent 87b9fc4 commit ff4cbab

2 files changed

+29
-9
lines changed


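--- a/spring-credhub-core/src/main/java/org/springframework/credhub/configuration/ClientHttpConnectorFactory.java
+++ b/spring-credhub-core/src/main/java/org/springframework/credhub/configuration/ClientHttpConnectorFactory.java
@@ -16,14 +16,24 @@
 
 package org.springframework.credhub.configuration;
 
+import java.security.NoSuchAlgorithmException;
+
 import io.netty.channel.ChannelOption;
+import io.netty.handler.ssl.ClientAuth;
+import io.netty.handler.ssl.IdentityCipherSuiteFilter;
+import io.netty.handler.ssl.JdkSslContext;
 import io.netty.handler.ssl.SslContextBuilder;
 import io.netty.handler.ssl.SslProvider;
+
 import org.springframework.credhub.support.ClientOptions;
 import org.springframework.http.client.reactive.ClientHttpConnector;
 import org.springframework.http.client.reactive.ReactorClientHttpConnector;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import reactor.netty.http.client.HttpClient;
 
+import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManagerFactory;
 
 /**
@@ -33,8 +43,9 @@
 * @author Scott Frederick
 */
 public class ClientHttpConnectorFactory {
+private static final Log logger = LogFactory.getLog(ClientHttpConnectorFactory.class);
 
-private static SslCertificateUtils sslCertificateUtils = new SslCertificateUtils();
+private static final SslCertificateUtils sslCertificateUtils = new SslCertificateUtils();
 
 /**
 * Create a {@link ClientHttpConnector} for the given {@link ClientOptions}.
@@ -54,9 +65,16 @@ public static ClientHttpConnector create(ClientOptions options) {
 .sslProvider(SslProvider.JDK)
 .trustManager(trustManagerFactory)));
 } else {
-httpClient = httpClient.secure(sslContextSpec -> sslContextSpec
-.sslContext(SslContextBuilder.forClient()
-.sslProvider(SslProvider.JDK)));
+httpClient = httpClient.secure(sslContextSpec -> {
+try {
+sslContextSpec
+.sslContext(new JdkSslContext(SSLContext.getDefault(), true, null,
+IdentityCipherSuiteFilter.INSTANCE, null, ClientAuth.REQUIRE, null, false));
+} catch (NoSuchAlgorithmException e) {
+logger.error("Error configuring HTTP connections", e);
+throw new RuntimeException("Error configuring HTTP connections", e);
+}
+});
 }
 
 if (options.getConnectionTimeout() != null) {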
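Review bot: The catch block in the new else branch logs at error level and then rethrows a raw RuntimeException, so the failure is reported twice once the caller handles it and callers get no specific type to catch; drop the logger.error line and use `throw new IllegalStateException("Error configuring HTTP connections", e);` (the logger field added in the earlier hunk then appears to have no other use in the visible hunks). The eight-argument JdkSslContext call is hard to read without a comment naming the literals, e.g. `// JVM default SSLContext (carries the client key material mTLS needs); null ciphers/protocols = Netty defaults, no ALPN, no STARTTLS` — the identical call in ClientHttpRequestFactoryFactory.usingNetty needs the same. ClientAuth.REQUIRE is the server-side client-authentication mode and presumably has no effect on a context built with isClient = true, so confirm that against the Netty version in use and either state it in the comment or pass ClientAuth.NONE. The create method begins and ends outside this hunk.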

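--- a/spring-credhub-core/src/main/java/org/springframework/credhub/configuration/ClientHttpRequestFactoryFactory.java
+++ b/spring-credhub-core/src/main/java/org/springframework/credhub/configuration/ClientHttpRequestFactoryFactory.java
@@ -26,6 +26,7 @@
 import javax.net.ssl.X509TrustManager;
 
 import io.netty.handler.ssl.ClientAuth;
+import io.netty.handler.ssl.IdentityCipherSuiteFilter;
 import io.netty.handler.ssl.JdkSslContext;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
@@ -58,7 +59,7 @@
 public class ClientHttpRequestFactoryFactory {
 private static final Log logger = LogFactory.getLog(ClientHttpRequestFactoryFactory.class);
 
-private static SslCertificateUtils sslCertificateUtils = new SslCertificateUtils();
+private static final SslCertificateUtils sslCertificateUtils = new SslCertificateUtils();
 
 private static final boolean HTTP_COMPONENTS_PRESENT = ClassUtils.isPresent(
 "org.apache.http.client.HttpClient",
@@ -119,7 +120,7 @@ static ClientHttpRequestFactory usingJdk(ClientOptions options) {
 }
 
 SimpleClientHttpRequestFactory factory = new SimpleClientHttpRequestFactory();
-
+
 if (options.getConnectionTimeout() != null) {
 factory.setConnectTimeout(options.getConnectionTimeoutMillis());
 }
@@ -235,7 +236,7 @@ static ClientHttpRequestFactory usingNetty(ClientOptions options)
 if (usingCustomCerts(options)) {
 TrustManagerFactory trustManagerFactory =
 sslCertificateUtils.createTrustManagerFactory(options.getCaCertFiles());
-
+
 SslContext sslContext = SslContextBuilder
 .forClient()
 .sslProvider(SslProvider.JDK)
@@ -244,7 +245,8 @@ static ClientHttpRequestFactory usingNetty(ClientOptions options)
 
 requestFactory.setSslContext(sslContext);
 } else {
-SslContext sslContext = new JdkSslContext(SSLContext.getDefault(), true, ClientAuth.REQUIRE);
+SslContext sslContext = new JdkSslContext(SSLContext.getDefault(), true, null,
+IdentityCipherSuiteFilter.INSTANCE, null, ClientAuth.REQUIRE, null, false);
 
 requestFactory.setSslContext(sslContext);
 }
@@ -253,7 +255,7 @@ static ClientHttpRequestFactory usingNetty(ClientOptions options)
 }
 
 }
-
+
 private static boolean usingCustomCerts(ClientOptions options) {
 return options.getCaCertFiles() != null;
 }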
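Review bot: The else branch of usingNetty now builds the JdkSslContext with the same eight literal arguments as the reactive path in ClientHttpConnectorFactory.create, and the two must stay in step for mTLS to behave the same over both APIs; extracting that construction into one package-private helper (SslCertificateUtils, which both classes already hold, would be a natural home) would keep them from drifting and give the argument list a single documented place. The only difference visible between the two call sites is that this one appears to let NoSuchAlgorithmException propagate (the replaced line did too and no catch is visible) while the reactive one wraps it, which a shared helper would also unify. usingNetty begins and ends outside this hunk.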
