Examples of io.netty.handler.ssl.SslHandler$LazyChannelPromise

• io.netty.handler.ssl.SslHandler
  kipedia.org/wiki/Transport_Layer_Security">SSL · TLS and StartTLS support to a {@link Channel}. Please refer to the "SecureChat" example in the distribution or the web site for the detailed usage.

  Beginning the handshake

  You must make sure not to write a message while the handshake is in progress unless you are renegotiating. You will be notified by the {@link Future} which isreturned by the {@link #handshakeFuture()} method when the handshakeprocess succeeds or fails.

  Beside using the handshake {@link ChannelFuture} to get notified about the completation of the handshake it'salso possible to detect it by implement the {@link ChannelHandler#userEventTriggered(ChannelHandlerContext,Object)}method and check for a {@link SslHandshakeCompletionEvent}.

  Handshake

  The handshake will be automaticly issued for you once the {@link Channel} is active and{@link SSLEngine#getUseClientMode()} returns {@code true}. So no need to bother with it by your self.

  Closing the session

  To close the SSL session, the {@link #close()} method should becalled to send the {@code close_notify} message to the remote peer. Oneexception is when you close the {@link Channel} - {@link SslHandler}intercepts the close request and send the {@code close_notify} messagebefore the channel closure automatically. Once the SSL session is closed, it is not reusable, and consequently you should create a new {@link SslHandler} with a new {@link SSLEngine} as explained in thefollowing section.

  Restarting the session

  To restart the SSL session, you must remove the existing closed {@link SslHandler} from the {@link ChannelPipeline}, insert a new {@link SslHandler} with a new {@link SSLEngine} into the pipeline,and start the handshake process as described in the first section.

  Implementing StartTLS

  StartTLS is the communication pattern that secures the wire in the middle of the plaintext connection. Please note that it is different from SSL · TLS, that secures the wire from the beginning of the connection. Typically, StartTLS is composed of three steps:

  1. Client sends a StartTLS request to server.
  2. Server sends a StartTLS response to client.
  3. Client begins SSL handshake.

  If you implement a server, you need to:

  1. create a new {@link SslHandler} instance with {@code startTls} flag setto {@code true},
  2. insert the {@link SslHandler} to the {@link ChannelPipeline}, and
  3. write a StartTLS response.

  Please note that you must insert {@link SslHandler} before sendingthe StartTLS response. Otherwise the client can send begin SSL handshake before {@link SslHandler} is inserted to the {@link ChannelPipeline}, causing data corruption.

  The client-side implementation is much simpler.

  1. Write a StartTLS request,
  2. wait for the StartTLS response,
  3. create a new {@link SslHandler} instance with {@code startTls} flag setto {@code false},
  4. insert the {@link SslHandler} to the {@link ChannelPipeline}, and
  5. Initiate SSL handshake.

  Known issues

  Because of a known issue with the current implementation of the SslEngine that comes with Java it may be possible that you see blocked IO-Threads while a full GC is done.

  So if you are affected you can workaround this problem by adjust the cache settings like shown below:

   SslContext context = ...; context.getServerSessionContext().setSessionCacheSize(someSaneSize); context.getServerSessionContext().setSessionTime(someSameTimeout); 

  What values to use here depends on the nature of your application and should be set based on monitoring and debugging of it. For more details see #832 in our issue tracker.

    try {
      if (this.isTls.compareAndSet(false, true)) {
        SSLEngine engine = this.sslContextBuilder.build().createSSLEngine();
        engine.setNeedClientAuth(false);
        engine.setUseClientMode(false);
        this.handler = new SslHandler(engine);
        this.prepareTls.compareAndSet(false, true);
      }
      return true;
    } catch (Exception e) {
      log.error(e.toString());

        final ChannelPipeline pipeline = channel.pipeline();

        final SSLEngine sslEngine = feedbackConnection.sslContext.createSSLEngine();
        sslEngine.setUseClientMode(true);

        pipeline.addLast("ssl", new SslHandler(sslEngine));
        pipeline.addLast("readTimeoutHandler", new ReadTimeoutHandler(feedbackConnection.configuration.getReadTimeout()));
        pipeline.addLast("decoder", new ExpiredTokenDecoder());
        pipeline.addLast("handler", new FeedbackClientHandler(feedbackConnection));
      }
    });

    this.connectFuture = bootstrap.connect(this.environment.getFeedbackHost(), this.environment.getFeedbackPort());
    this.connectFuture.addListener(new GenericFutureListener<ChannelFuture>() {

      @Override
      public void operationComplete(final ChannelFuture connectFuture) {

        if (connectFuture.isSuccess()) {
          log.debug("{} connected; waiting for TLS handshake.", feedbackConnection.name);

          final SslHandler sslHandler = connectFuture.channel().pipeline().get(SslHandler.class);

          try {
            sslHandler.handshakeFuture().addListener(new GenericFutureListener<Future<Channel>>() {

              @Override
              public void operationComplete(final Future<Channel> handshakeFuture) {
                if (handshakeFuture.isSuccess()) {
                  log.debug("{} successfully completed TLS handshake.", feedbackConnection.name);

    final FeedbackServiceConnection feedbackConnection = this;

    return new Runnable() {
      @Override
      public void run() {
        final SslHandler sslHandler = feedbackConnection.connectFuture.channel().pipeline().get(SslHandler.class);

        if (feedbackConnection.connectFuture.isCancellable()) {
          feedbackConnection.connectFuture.cancel(true);
        } else if (sslHandler != null && sslHandler.handshakeFuture().isCancellable()) {
          sslHandler.handshakeFuture().cancel(true);
        } else {
          feedbackConnection.connectFuture.channel().close();
        }
      }
    };

    bootstrap.childHandler(new ChannelInitializer<SocketChannel>() {

      @Override
      protected void initChannel(final SocketChannel channel) throws Exception {
        channel.pipeline().addLast("ssl", new SslHandler(SSLTestUtil.createSSLEngineForMockServer()));
        channel.pipeline().addLast("encoder", new ApnsErrorEncoder());
        channel.pipeline().addLast("decoder", new ApnsPushNotificationDecoder());
        channel.pipeline().addLast("handler", new MockApnsServerHandler(server));
      }
    });

        final ChannelPipeline pipeline = channel.pipeline();

        final SSLEngine sslEngine = apnsConnection.sslContext.createSSLEngine();
        sslEngine.setUseClientMode(true);

        pipeline.addLast("ssl", new SslHandler(sslEngine));
        pipeline.addLast("decoder", new RejectedNotificationDecoder());
        pipeline.addLast("encoder", new ApnsPushNotificationEncoder());
        pipeline.addLast(ApnsConnection.PIPELINE_MAIN_HANDLER, new ApnsConnectionHandler(apnsConnection));
      }
    });

    log.debug("{} beginning connection process.", apnsConnection.name);
    this.connectFuture = bootstrap.connect(this.environment.getApnsGatewayHost(), this.environment.getApnsGatewayPort());
    this.connectFuture.addListener(new GenericFutureListener<ChannelFuture>() {

      @Override
      public void operationComplete(final ChannelFuture connectFuture) {
        if (connectFuture.isSuccess()) {
          log.debug("{} connected; waiting for TLS handshake.", apnsConnection.name);

          final SslHandler sslHandler = connectFuture.channel().pipeline().get(SslHandler.class);

          try {
            sslHandler.handshakeFuture().addListener(new GenericFutureListener<Future<Channel>>() {

              @Override
              public void operationComplete(final Future<Channel> handshakeFuture) {
                if (handshakeFuture.isSuccess()) {
                  log.debug("{} successfully completed TLS handshake.", apnsConnection.name);

    final ApnsConnection<T> apnsConnection = this;

    return new Runnable() {
      @Override
      public void run() {
        final SslHandler sslHandler = apnsConnection.connectFuture.channel().pipeline().get(SslHandler.class);

        if (apnsConnection.connectFuture.isCancellable()) {
          apnsConnection.connectFuture.cancel(true);
        } else if (sslHandler != null && sslHandler.handshakeFuture().isCancellable()) {
          sslHandler.handshakeFuture().cancel(true);
        } else {
          apnsConnection.connectFuture.channel().close();
        }
      }
    };

    final MockFeedbackServer server = this;
    bootstrap.childHandler(new ChannelInitializer<SocketChannel>() {

      @Override
      protected void initChannel(final SocketChannel channel) throws Exception {
        channel.pipeline().addLast("ssl", new SslHandler(SSLTestUtil.createSSLEngineForMockServer()));
        channel.pipeline().addLast("encoder", new ExpiredTokenEncoder());
        channel.pipeline().addLast("handler", new MockFeedbackServerHandler(server));
      }
    });

    @Override
    protected void initChannel(Channel ch) throws Exception {
        // create a new pipeline
        ChannelPipeline pipeline = ch.pipeline();

        SslHandler sslHandler = configureServerSSLOnDemand();
        if (sslHandler != null) {
            //TODO must close on SSL exception
            // sslHandler.setCloseOnSSLException(true);
            LOG.debug("Server SSL handler configured and added as an interceptor against the ChannelPipeline: {}", sslHandler);
            pipeline.addLast("ssl", sslHandler);

            engine.setNeedClientAuth(consumer.getConfiguration().isNeedClientAuth());
            if (consumer.getConfiguration().getSslContextParameters() == null) {
                // just set the enabledProtocols if the SslContextParameter doesn't set
                engine.setEnabledProtocols(consumer.getConfiguration().getEnabledProtocols().split(","));
            }
            return new SslHandler(engine);
        }

        return null;
    }

    @Override
    protected void initChannel(Channel ch) throws Exception {
        // create a new pipeline
        ChannelPipeline pipeline = ch.pipeline();

        SslHandler sslHandler = configureServerSSLOnDemand();
        if (sslHandler != null) {
            LOG.debug("Server SSL handler configured and added as an interceptor against the ChannelPipeline: {}", sslHandler);
            pipeline.addLast("ssl", sslHandler);
        }