io.netty.handler.ssl

Class SslHandler

java.lang.Object

io.netty.channel.ChannelHandlerAdapter

io.netty.handler.codec.ByteToMessageDecoder

io.netty.handler.ssl.SslHandler

All Implemented Interfaces:

ChannelHandler

public class SslHandler
extends ByteToMessageDecoder

Adds SSL · TLS and StartTLS support to a Channel. Please refer to the "SecureChat" example in the distribution or the web site for the detailed usage.

Beginning the handshake

You must make sure not to write a message while the handshake is in progress unless you are renegotiating. You will be notified by the Future which is returned by the handshakeFuture() method when the handshake process succeeds or fails.

Beside using the handshake ChannelFuture to get notified about the completation of the handshake it's also possible to detect it by implement the ChannelHandler.userEventTriggered(ChannelHandlerContext, Object) method and check for a SslHandshakeCompletionEvent.

Handshake

The handshake will be automaticly issued for you once the Channel is active and SSLEngine.getUseClientMode() returns true. So no need to bother with it by your self.

Closing the session

To close the SSL session, the close() method should be called to send the close_notify message to the remote peer. One exception is when you close the Channel - SslHandler intercepts the close request and send the close_notify message before the channel closure automatically. Once the SSL session is closed, it is not reusable, and consequently you should create a new SslHandler with a new SSLEngine as explained in the following section.

Restarting the session

To restart the SSL session, you must remove the existing closed SslHandler from the ChannelPipeline, insert a new SslHandler with a new SSLEngine into the pipeline, and start the handshake process as described in the first section.

Implementing StartTLS

StartTLS is the communication pattern that secures the wire in the middle of the plaintext connection. Please note that it is different from SSL · TLS, that secures the wire from the beginning of the connection. Typically, StartTLS is composed of three steps:

1. Client sends a StartTLS request to server.
2. Server sends a StartTLS response to client.
3. Client begins SSL handshake.

If you implement a server, you need to:

1. create a new SslHandler instance with startTls flag set to true,
2. insert the SslHandler to the ChannelPipeline, and
3. write a StartTLS response.

Please note that you must insert SslHandler before sending the StartTLS response. Otherwise the client can send begin SSL handshake before SslHandler is inserted to the ChannelPipeline, causing data corruption.

The client-side implementation is much simpler.

1. Write a StartTLS request,
2. wait for the StartTLS response,
3. create a new SslHandler instance with startTls flag set to false,
4. insert the SslHandler to the ChannelPipeline, and
5. Initiate SSL handshake.

Known issues

Because of a known issue with the current implementation of the SslEngine that comes with Java it may be possible that you see blocked IO-Threads while a full GC is done.

So if you are affected you can workaround this problem by adjust the cache settings like shown below:

     SslContext context = ...;
     context.getServerSessionContext().setSessionCacheSize(someSaneSize);
     context.getServerSessionContext().setSessionTime(someSameTimeout);
 

What values to use here depends on the nature of your application and should be set based on monitoring and debugging of it. For more details see #832 in our issue tracker.

Nested Class Summary

Nested classes/interfaces inherited from class io.netty.handler.codec.ByteToMessageDecoder

ByteToMessageDecoder.Cumulator

Nested classes/interfaces inherited from interface io.netty.channel.ChannelHandler

ChannelHandler.Sharable, ChannelHandler.Skip

Field Summary

Fields inherited from class io.netty.handler.codec.ByteToMessageDecoder

COMPOSITE_CUMULATOR, MERGE_CUMULATOR

Constructor Summary

Constructors

Constructor and Description
SslHandler(SSLEngine engine) Creates a new instance.
SslHandler(SSLEngine engine, boolean startTls) Creates a new instance.

Method Summary

Methods

Modifier and Type	Method and Description
void	channelActive(ChannelHandlerContext ctx) Issues an initial TLS handshake once connected when used in client-mode
void	channelInactive(ChannelHandlerContext ctx) Calls ChannelHandlerContext.fireChannelInactive() to forward to the next ChannelHandler in the ChannelPipeline.
void	channelReadComplete(ChannelHandlerContext ctx) Calls ChannelHandlerContext.fireChannelReadComplete() to forward to the next ChannelHandler in the ChannelPipeline.
ChannelFuture	close() Sends an SSL close_notify message to the specified channel and destroys the underlying SSLEngine.
void	close(ChannelHandlerContext ctx, ChannelPromise promise) Calls ChannelHandlerContext.close(ChannelPromise) to forward to the next ChannelHandler in the ChannelPipeline.
ChannelFuture	close(ChannelPromise future) See close()
protected void	decode(ChannelHandlerContext ctx, ByteBuf in, List<Object> out) Decode the from one ByteBuf to an other.
void	disconnect(ChannelHandlerContext ctx, ChannelPromise promise) Calls ChannelHandlerContext.disconnect(ChannelPromise) to forward to the next ChannelHandler in the ChannelPipeline.
SSLEngine	engine() Returns the SSLEngine which is used by this handler.
void	exceptionCaught(ChannelHandlerContext ctx, Throwable cause) Calls ChannelHandlerContext.fireExceptionCaught(Throwable) to forward to the next ChannelHandler in the ChannelPipeline.
void	flush(ChannelHandlerContext ctx) Calls ChannelHandlerContext.flush() to forward to the next ChannelHandler in the ChannelPipeline.
long	getCloseNotifyTimeoutMillis()
long	getHandshakeTimeoutMillis()
void	handlerAdded(ChannelHandlerContext ctx) Do nothing by default, sub-classes may override this method.
void	handlerRemoved0(ChannelHandlerContext ctx) Gets called after the ByteToMessageDecoder was removed from the actual context and it doesn't handle events anymore.
Future<Channel>	handshakeFuture() Returns a Future that will get notified once the current TLS handshake completes.
static boolean	isEncrypted(ByteBuf buffer) Returns true if the given ByteBuf is encrypted.
void	read(ChannelHandlerContext ctx) Calls ChannelHandlerContext.read() to forward to the next ChannelHandler in the ChannelPipeline.
Future<Channel>	renegotiate() Performs TLS renegotiation.
Future<Channel>	renegotiate(Promise<Channel> promise) Performs TLS renegotiation.
void	setCloseNotifyTimeout(long closeNotifyTimeout, TimeUnit unit)
void	setCloseNotifyTimeoutMillis(long closeNotifyTimeoutMillis)
void	setHandshakeTimeout(long handshakeTimeout, TimeUnit unit)
void	setHandshakeTimeoutMillis(long handshakeTimeoutMillis)
Future<Channel>	sslCloseFuture() Return the Future that will get notified if the inbound of the SSLEngine is closed.
void	write(ChannelHandlerContext ctx, Object msg, ChannelPromise promise) Calls ChannelHandlerContext.write(Object) to forward to the next ChannelHandler in the ChannelPipeline.

Methods inherited from class io.netty.handler.codec.ByteToMessageDecoder

actualReadableBytes, callDecode, channelRead, decodeLast, handlerRemoved, internalBuffer, isSingleDecode, setCumulator, setSingleDecode

Methods inherited from class io.netty.channel.ChannelHandlerAdapter

bind, channelRegistered, channelUnregistered, channelWritabilityChanged, connect, deregister, isSharable, userEventTriggered

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SslHandler

public SslHandler(SSLEngine engine)

Creates a new instance.

Parameters:

engine - the SSLEngine this handler will use

SslHandler

public SslHandler(SSLEngine engine,
          boolean startTls)

Creates a new instance.

Parameters:

engine - the SSLEngine this handler will use

startTls - true if the first write request shouldn't be encrypted by the SSLEngine

Method Detail

getHandshakeTimeoutMillis

public long getHandshakeTimeoutMillis()

setHandshakeTimeout

public void setHandshakeTimeout(long handshakeTimeout,
                       TimeUnit unit)

setHandshakeTimeoutMillis

public void setHandshakeTimeoutMillis(long handshakeTimeoutMillis)

getCloseNotifyTimeoutMillis

public long getCloseNotifyTimeoutMillis()

setCloseNotifyTimeout

public void setCloseNotifyTimeout(long closeNotifyTimeout,
                         TimeUnit unit)

setCloseNotifyTimeoutMillis

public void setCloseNotifyTimeoutMillis(long closeNotifyTimeoutMillis)

engine

public SSLEngine engine()

Returns the SSLEngine which is used by this handler.

handshakeFuture

public Future<Channel> handshakeFuture()

Returns a Future that will get notified once the current TLS handshake completes.

Returns:

the Future for the iniital TLS handshake if renegotiate() was not invoked. The Future for the most recent TLS renegotiation otherwise.

close

public ChannelFuture close()

Sends an SSL close_notify message to the specified channel and destroys the underlying SSLEngine.

close

public ChannelFuture close(ChannelPromise future)

See close()

sslCloseFuture

public Future<Channel> sslCloseFuture()

Return the Future that will get notified if the inbound of the SSLEngine is closed. This method will return the same Future all the time.

See Also:

SSLEngine

handlerRemoved0

public void handlerRemoved0(ChannelHandlerContext ctx)
                     throws Exception

Description copied from class: ByteToMessageDecoder

Gets called after the ByteToMessageDecoder was removed from the actual context and it doesn't handle events anymore.

Overrides:

handlerRemoved0 in class ByteToMessageDecoder

Throws:

Exception

disconnect

public void disconnect(ChannelHandlerContext ctx,
              ChannelPromise promise)
                throws Exception

Description copied from class: ChannelHandlerAdapter

Calls ChannelHandlerContext.disconnect(ChannelPromise) to forward to the next ChannelHandler in the ChannelPipeline. Sub-classes may override this method to change behavior.

Specified by:

disconnect in interface ChannelHandler

Overrides:

disconnect in class ChannelHandlerAdapter

Parameters:

ctx - the ChannelHandlerContext for which the disconnect operation is made

promise - the ChannelPromise to notify once the operation completes

Throws:

Exception - thrown if an error accour

close

public void close(ChannelHandlerContext ctx,
         ChannelPromise promise)
           throws Exception

Description copied from class: ChannelHandlerAdapter

Calls ChannelHandlerContext.close(ChannelPromise) to forward to the next ChannelHandler in the ChannelPipeline. Sub-classes may override this method to change behavior.

Specified by:

close in interface ChannelHandler

Overrides:

close in class ChannelHandlerAdapter

Parameters:

ctx - the ChannelHandlerContext for which the close operation is made

promise - the ChannelPromise to notify once the operation completes

Throws:

Exception - thrown if an error accour

read

public void read(ChannelHandlerContext ctx)
          throws Exception

Description copied from class: ChannelHandlerAdapter

Calls ChannelHandlerContext.read() to forward to the next ChannelHandler in the ChannelPipeline. Sub-classes may override this method to change behavior.

Specified by:

read in interface ChannelHandler

Overrides:

read in class ChannelHandlerAdapter

Throws:

Exception

write

public void write(ChannelHandlerContext ctx,
         Object msg,
         ChannelPromise promise)
           throws Exception

Description copied from class: ChannelHandlerAdapter

Calls ChannelHandlerContext.write(Object) to forward to the next ChannelHandler in the ChannelPipeline. Sub-classes may override this method to change behavior.

Specified by:

write in interface ChannelHandler

Overrides:

write in class ChannelHandlerAdapter

Parameters:

ctx - the ChannelHandlerContext for which the write operation is made

msg - the message to write

promise - the ChannelPromise to notify once the operation completes

Throws:

Exception - thrown if an error accour

flush

public void flush(ChannelHandlerContext ctx)
           throws Exception

Description copied from class: ChannelHandlerAdapter

Calls ChannelHandlerContext.flush() to forward to the next ChannelHandler in the ChannelPipeline. Sub-classes may override this method to change behavior.

Specified by:

flush in interface ChannelHandler

Overrides:

flush in class ChannelHandlerAdapter

Parameters:

ctx - the ChannelHandlerContext for which the flush operation is made

Throws:

Exception - thrown if an error accour

channelInactive

public void channelInactive(ChannelHandlerContext ctx)
                     throws Exception

Description copied from class: ChannelHandlerAdapter

Calls ChannelHandlerContext.fireChannelInactive() to forward to the next ChannelHandler in the ChannelPipeline. Sub-classes may override this method to change behavior.

Specified by:

channelInactive in interface ChannelHandler

Overrides:

channelInactive in class ByteToMessageDecoder

Throws:

Exception

exceptionCaught

public void exceptionCaught(ChannelHandlerContext ctx,
                   Throwable cause)
                     throws Exception

Description copied from class: ChannelHandlerAdapter

Calls ChannelHandlerContext.fireExceptionCaught(Throwable) to forward to the next ChannelHandler in the ChannelPipeline. Sub-classes may override this method to change behavior.

Specified by:

exceptionCaught in interface ChannelHandler

Overrides:

exceptionCaught in class ChannelHandlerAdapter

Throws:

Exception

isEncrypted

public static boolean isEncrypted(ByteBuf buffer)

Returns true if the given ByteBuf is encrypted. Be aware that this method will not increase the readerIndex of the given ByteBuf.

Parameters:

buffer - The ByteBuf to read from. Be aware that it must have at least 5 bytes to read, otherwise it will throw an IllegalArgumentException.

Returns:

encrypted true if the ByteBuf is encrypted, false otherwise.

Throws:

IllegalArgumentException - Is thrown if the given ByteBuf has not at least 5 bytes to read.

decode

protected void decode(ChannelHandlerContext ctx,
          ByteBuf in,
          List<Object> out)
               throws SSLException

Description copied from class: ByteToMessageDecoder

Decode the from one ByteBuf to an other. This method will be called till either the input ByteBuf has nothing to read when return from this method or till nothing was read from the input ByteBuf.

Specified by:

decode in class ByteToMessageDecoder

Parameters:

ctx - the ChannelHandlerContext which this ByteToMessageDecoder belongs to

in - the ByteBuf from which to read data

out - the List to which decoded messages should be added

Throws:

SSLException

channelReadComplete

public void channelReadComplete(ChannelHandlerContext ctx)
                         throws Exception

Description copied from class: ChannelHandlerAdapter

Calls ChannelHandlerContext.fireChannelReadComplete() to forward to the next ChannelHandler in the ChannelPipeline. Sub-classes may override this method to change behavior.

Specified by:

channelReadComplete in interface ChannelHandler

Overrides:

channelReadComplete in class ByteToMessageDecoder

Throws:

Exception

handlerAdded

public void handlerAdded(ChannelHandlerContext ctx)
                  throws Exception

Description copied from class: ChannelHandlerAdapter

Do nothing by default, sub-classes may override this method.

Specified by:

handlerAdded in interface ChannelHandler

Overrides:

handlerAdded in class ChannelHandlerAdapter

Throws:

Exception

renegotiate

public Future<Channel> renegotiate()

Performs TLS renegotiation.

renegotiate

public Future<Channel> renegotiate(Promise<Channel> promise)

Performs TLS renegotiation.

channelActive

public void channelActive(ChannelHandlerContext ctx)
                   throws Exception

Issues an initial TLS handshake once connected when used in client-mode

Specified by:

channelActive in interface ChannelHandler

Overrides:

channelActive in class ChannelHandlerAdapter

Throws:

Exception