Package org.apache.cassandra.security
Class SSLFactory
- java.lang.Object
-
- org.apache.cassandra.security.SSLFactory
-
public final class SSLFactory extends java.lang.Object
A Factory for providing and setting up clientSSLSocket
s. Also provides methods for creating both JSSESSLContext
instances as well as nettySslContext
instances.Netty
SslContext
instances are expensive to create (as well as to destroy) and consume a lof of resources (especially direct memory), but instances can be reused across connections (assuming the SSL params are the same). Hence we cache created instances incachedSslContexts
.
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static class
SSLFactory.LoggingCipherSuiteFilter
static class
SSLFactory.SocketType
Indicates if the process holds the inbound/listening end of the socket (SSLFactory.SocketType.SERVER
)), or the outbound side (SSLFactory.SocketType.CLIENT
).
-
Field Summary
Fields Modifier and Type Field Description static int
DEFAULT_HOT_RELOAD_INITIAL_DELAY_SEC
Default initial delay for hot reloadingstatic int
DEFAULT_HOT_RELOAD_PERIOD_SEC
Default periodic check delay for hot reloading
-
Constructor Summary
Constructors Constructor Description SSLFactory()
-
Method Summary
All Methods Static Methods Concrete Methods Modifier and Type Method Description static void
checkCertFilesForHotReloading(EncryptionOptions.ServerEncryptionOptions serverOpts, EncryptionOptions clientOpts)
Performs a lightweight check whether the certificate files have been refreshed.static javax.net.ssl.SSLContext
createSSLContext(EncryptionOptions options, boolean buildTruststore)
Create a JSSESSLContext
.static io.netty.handler.ssl.SslContext
getOrCreateSslContext(EncryptionOptions options, boolean buildTruststore, SSLFactory.SocketType socketType)
get a nettySslContext
instancestatic void
initHotReloading(EncryptionOptions.ServerEncryptionOptions serverOpts, EncryptionOptions clientOpts, boolean force)
Determines whether to hot reload certificates and schedules a periodic task for it.static boolean
openSslIsAvailable()
static java.util.List<java.lang.String>
tlsInstanceProtocolSubstitution()
Provides the list of protocols that would have been supported if "TLS" was selected as the protocol before the change for CASSANDRA-13325 that expects explicit protocol versions.static void
validateSslCerts(EncryptionOptions.ServerEncryptionOptions serverOpts, EncryptionOptions clientOpts)
Sanity checks all certificates to ensure we can actually load themstatic void
validateSslContext(java.lang.String contextDescription, EncryptionOptions options, boolean buildTrustStore, boolean logProtocolAndCiphers)
-
-
-
Field Detail
-
DEFAULT_HOT_RELOAD_INITIAL_DELAY_SEC
public static final int DEFAULT_HOT_RELOAD_INITIAL_DELAY_SEC
Default initial delay for hot reloading- See Also:
- Constant Field Values
-
DEFAULT_HOT_RELOAD_PERIOD_SEC
public static final int DEFAULT_HOT_RELOAD_PERIOD_SEC
Default periodic check delay for hot reloading- See Also:
- Constant Field Values
-
-
Method Detail
-
openSslIsAvailable
public static boolean openSslIsAvailable()
-
tlsInstanceProtocolSubstitution
public static java.util.List<java.lang.String> tlsInstanceProtocolSubstitution()
Provides the list of protocols that would have been supported if "TLS" was selected as the protocol before the change for CASSANDRA-13325 that expects explicit protocol versions.- Returns:
- list of enabled protocol names
-
createSSLContext
public static javax.net.ssl.SSLContext createSSLContext(EncryptionOptions options, boolean buildTruststore) throws java.io.IOException
Create a JSSESSLContext
.- Throws:
java.io.IOException
-
getOrCreateSslContext
public static io.netty.handler.ssl.SslContext getOrCreateSslContext(EncryptionOptions options, boolean buildTruststore, SSLFactory.SocketType socketType) throws java.io.IOException
get a nettySslContext
instance- Throws:
java.io.IOException
-
checkCertFilesForHotReloading
public static void checkCertFilesForHotReloading(EncryptionOptions.ServerEncryptionOptions serverOpts, EncryptionOptions clientOpts)
Performs a lightweight check whether the certificate files have been refreshed.- Throws:
java.lang.IllegalStateException
- ifinitHotReloading(EncryptionOptions.ServerEncryptionOptions, EncryptionOptions, boolean)
is not called first
-
initHotReloading
public static void initHotReloading(EncryptionOptions.ServerEncryptionOptions serverOpts, EncryptionOptions clientOpts, boolean force) throws java.io.IOException
Determines whether to hot reload certificates and schedules a periodic task for it.- Parameters:
serverOpts
- Server encryption options (Internode)clientOpts
- Client encryption options (Native Protocol)- Throws:
java.io.IOException
-
validateSslContext
public static void validateSslContext(java.lang.String contextDescription, EncryptionOptions options, boolean buildTrustStore, boolean logProtocolAndCiphers) throws java.io.IOException
- Throws:
java.io.IOException
-
validateSslCerts
public static void validateSslCerts(EncryptionOptions.ServerEncryptionOptions serverOpts, EncryptionOptions clientOpts) throws java.io.IOException
Sanity checks all certificates to ensure we can actually load them- Throws:
java.io.IOException
-
-