Class SslHandler
- All Implemented Interfaces:
ChannelHandler
,ChannelInboundHandler
,ChannelOutboundHandler
Channel
. Please refer
to the "SecureChat" example in the distribution or the web
site for the detailed usage.
Beginning the handshake
Beside using the handshake ChannelFuture
to get notified about the completion of the handshake it's
also possible to detect it by implement the
ChannelInboundHandler.userEventTriggered(ChannelHandlerContext, Object)
method and check for a SslHandshakeCompletionEvent
.
Handshake
The handshake will be automatically issued for you once the Channel
is active and
SSLEngine.getUseClientMode()
returns true
.
So no need to bother with it by your self.
Closing the session
To close the SSL session, the closeOutbound()
method should be
called to send the close_notify
message to the remote peer. One
exception is when you close the Channel
- SslHandler
intercepts the close request and send the close_notify
message
before the channel closure automatically. Once the SSL session is closed,
it is not reusable, and consequently you should create a new
SslHandler
with a new SSLEngine
as explained in the
following section.
Restarting the session
To restart the SSL session, you must remove the existing closed
SslHandler
from the ChannelPipeline
, insert a new
SslHandler
with a new SSLEngine
into the pipeline,
and start the handshake process as described in the first section.
Implementing StartTLS
StartTLS is the communication pattern that secures the wire in the middle of the plaintext connection. Please note that it is different from SSL · TLS, that secures the wire from the beginning of the connection. Typically, StartTLS is composed of three steps:
- Client sends a StartTLS request to server.
- Server sends a StartTLS response to client.
- Client begins SSL handshake.
- create a new
SslHandler
instance withstartTls
flag set totrue
, - insert the
SslHandler
to theChannelPipeline
, and - write a StartTLS response.
SslHandler
before sending
the StartTLS response. Otherwise the client can send begin SSL handshake
before SslHandler
is inserted to the ChannelPipeline
, causing
data corruption.
The client-side implementation is much simpler.
- Write a StartTLS request,
- wait for the StartTLS response,
- create a new
SslHandler
instance withstartTls
flag set tofalse
, - insert the
SslHandler
to theChannelPipeline
, and - Initiate SSL handshake.
Known issues
Because of a known issue with the current implementation of the SslEngine that comes with Java it may be possible that you see blocked IO-Threads while a full GC is done.
So if you are affected you can workaround this problem by adjust the cache settings like shown below:
SslContext context = ...; context.getServerSessionContext().setSessionCacheSize(someSaneSize); context.getServerSessionContext().setSessionTime(someSameTimeout);
What values to use here depends on the nature of your application and should be set based on monitoring and debugging of it. For more details see #832 in our issue tracker.
-
Nested Class Summary
Nested ClassesModifier and TypeClassDescriptionprivate final class
private final class
private static enum
private final class
Runnable
that will be scheduled on thedelegatedTaskExecutor
and will take care of resume work on theEventExecutor
once the task was executed.Nested classes/interfaces inherited from class io.netty.handler.codec.ByteToMessageDecoder
ByteToMessageDecoder.Cumulator
Nested classes/interfaces inherited from interface io.netty.channel.ChannelHandler
ChannelHandler.Sharable
-
Field Summary
FieldsModifier and TypeFieldDescriptionprivate long
private long
private ChannelHandlerContext
private final Executor
private final SSLEngine
private final SslHandler.SslEngineType
private long
private static final Pattern
private static final Pattern
private final boolean
private static final InternalLogger
private static final int
2^14 which is the maximum sized plaintext chunk allowed by the TLS RFC.private int
private SslHandlerCoalescingBufferQueue
private final ResumptionController
private final ByteBuffer[]
Used ifSSLEngine.wrap(ByteBuffer[], ByteBuffer)
andSSLEngine.unwrap(ByteBuffer, ByteBuffer[])
should be called with aByteBuf
that is only backed by oneByteBuffer
to reduce the object creation.private final SslHandler.LazyChannelPromise
private final SslHandler.SslTasksRunner
private final SslHandler.SslTasksRunner
private final boolean
private short
private static final int
private static final int
This flag is used to determine if we need to callChannelHandlerContext.read()
to consume more data whenChannelConfig.isAutoRead()
isfalse
.private static final int
private static final int
private static final int
Set by wrap*() methods when something is produced.private static final int
private static final int
private static final int
private static final int
private static final int
(package private) int
Fields inherited from class io.netty.handler.codec.ByteToMessageDecoder
COMPOSITE_CUMULATOR, MERGE_CUMULATOR
-
Constructor Summary
ConstructorsConstructorDescriptionSslHandler
(SSLEngine engine) Creates a new instance which runs all delegated tasks directly on theEventExecutor
.SslHandler
(SSLEngine engine, boolean startTls) Creates a new instance which runs all delegated tasks directly on theEventExecutor
.SslHandler
(SSLEngine engine, boolean startTls, Executor delegatedTaskExecutor) Creates a new instance.SslHandler
(SSLEngine engine, boolean startTls, Executor delegatedTaskExecutor, ResumptionController resumptionController) SslHandler
(SSLEngine engine, Executor delegatedTaskExecutor) Creates a new instance. -
Method Summary
Modifier and TypeMethodDescriptionprivate static void
addCloseListener
(ChannelFuture future, ChannelPromise promise) private ByteBuf
allocate
(ChannelHandlerContext ctx, int capacity) Always prefer a direct buffer when it's pooled, so that we reduce the number of memory copies inOpenSslEngine
.private ByteBuf
allocateOutNetBuf
(ChannelHandlerContext ctx, int pendingBytes, int numComponents) Allocates an outbound network buffer forSSLEngine.wrap(ByteBuffer, ByteBuffer)
which can encrypt the specified amount of pending bytes.Returns the name of the current application-level protocol.private void
void
bind
(ChannelHandlerContext ctx, SocketAddress localAddress, ChannelPromise promise) Called once a bind operation is made.void
Issues an initial TLS handshake once connected when used in client-modevoid
CallsChannelHandlerContext.fireChannelInactive()
to forward to the nextChannelInboundHandler
in theChannelPipeline
.void
CallsChannelHandlerContext.fireChannelReadComplete()
to forward to the nextChannelInboundHandler
in theChannelPipeline
.private void
private void
clearState
(int bit) close()
Deprecated.void
close
(ChannelHandlerContext ctx, ChannelPromise promise) Called once a close operation is made.close
(ChannelPromise promise) Deprecated.Sends an SSLclose_notify
message to the specified channel and destroys the underlyingSSLEngine
.closeOutbound
(ChannelPromise promise) Sends an SSLclose_notify
message to the specified channel and destroys the underlyingSSLEngine
.private void
closeOutbound0
(ChannelPromise promise) private void
closeOutboundAndChannel
(ChannelHandlerContext ctx, ChannelPromise promise, boolean disconnect) void
connect
(ChannelHandlerContext ctx, SocketAddress remoteAddress, SocketAddress localAddress, ChannelPromise promise) Called once a connect operation is made.protected void
decode
(ChannelHandlerContext ctx, ByteBuf in, List<Object> out) Decode the from oneByteBuf
to an other.private void
private void
void
deregister
(ChannelHandlerContext ctx, ChannelPromise promise) Called once a deregister operation is made from the current registeredEventLoop
.void
disconnect
(ChannelHandlerContext ctx, ChannelPromise promise) Called once a disconnect operation is made.engine()
Returns theSSLEngine
which is used by this handler.void
exceptionCaught
(ChannelHandlerContext ctx, Throwable cause) CallsChannelHandlerContext.fireExceptionCaught(Throwable)
to forward to the nextChannelHandler
in theChannelPipeline
.private void
executeChannelRead
(ChannelHandlerContext ctx, ByteBuf decodedOut) private void
executeDelegatedTask
(boolean inUnwrap) private void
private void
void
Called once a flush operation is made.private void
flush
(ChannelHandlerContext ctx, ChannelPromise promise) private void
private void
final long
Gets the timeout for flushing the close_notify that was triggered by closing theChannel
.final long
Gets the timeout (in ms) for receiving the response for the close_notify that was triggered by closing theChannel
.long
Deprecated.long
private SslHandler.SslTasksRunner
getTaskRunner
(boolean inUnwrap) void
Do nothing by default, sub-classes may override this method.void
Gets called after theByteToMessageDecoder
was removed from the actual context and it doesn't handle events anymore.private void
handleUnwrapThrowable
(ChannelHandlerContext ctx, Throwable cause) private void
handshake
(boolean flushAtEnd) Performs TLS (re)negotiation.Returns aFuture
that will get notified once the current TLS handshake completes.private boolean
Checks if the givenThrowable
can be ignore and just "swallowed" When an ssl connection is closed a close_notify message is sent.private static boolean
inEventLoop
(Executor executor) static boolean
isEncrypted
(ByteBuf buffer) Deprecated.static boolean
isEncrypted
(ByteBuf buffer, boolean probeSSLv2) Returnstrue
if the givenByteBuf
is encrypted.private boolean
isStateSet
(int bit) private static IllegalStateException
private void
notifyClosePromise
(Throwable cause) void
InterceptsChannelHandlerContext.read()
.private void
private void
releaseAndFailAll
(ChannelHandlerContext ctx, Throwable cause) Performs TLS renegotiation.renegotiate
(Promise<Channel> promise) Performs TLS renegotiation.private void
renegotiateOnEventLoop
(Promise<Channel> newHandshakePromise) private boolean
runDelegatedTasks
(boolean inUnwrap) Will either run the delegated task directly callingRunnable.run()
and returntrue
or will offload the delegated task usingExecutor.execute(Runnable)
and returnfalse
.private void
safeClose
(ChannelHandlerContext ctx, ChannelFuture flushFuture, ChannelPromise promise) final void
setCloseNotifyFlushTimeout
(long closeNotifyFlushTimeout, TimeUnit unit) Sets the timeout for flushing the close_notify that was triggered by closing theChannel
.final void
setCloseNotifyFlushTimeoutMillis
(long closeNotifyFlushTimeoutMillis) final void
setCloseNotifyReadTimeout
(long closeNotifyReadTimeout, TimeUnit unit) Sets the timeout for receiving the response for the close_notify that was triggered by closing theChannel
.final void
setCloseNotifyReadTimeoutMillis
(long closeNotifyReadTimeoutMillis) void
setCloseNotifyTimeout
(long closeNotifyTimeout, TimeUnit unit) Deprecated.void
setCloseNotifyTimeoutMillis
(long closeNotifyFlushTimeoutMillis) Deprecated.private void
setHandshakeFailure
(ChannelHandlerContext ctx, Throwable cause) Notify all the handshake futures about the failure during the handshake.private void
setHandshakeFailure
(ChannelHandlerContext ctx, Throwable cause, boolean closeInbound, boolean notify, boolean alwaysFlushAndClose) Notify all the handshake futures about the failure during the handshake.private void
private boolean
Notify all the handshake futures about the successfully handshakeprivate boolean
void
setHandshakeTimeout
(long handshakeTimeout, TimeUnit unit) void
setHandshakeTimeoutMillis
(long handshakeTimeoutMillis) private void
private void
setState
(int bit) final void
setWrapDataSize
(int wrapDataSize) Sets the number of bytes to pass to eachSSLEngine.wrap(ByteBuffer[], int, int, ByteBuffer)
call.private void
startHandshakeProcessing
(boolean flushAtEnd) private static ByteBuffer
toByteBuffer
(ByteBuf out, int index, int len) private int
unwrap
(ChannelHandlerContext ctx, ByteBuf packet, int length) Unwraps inbound SSL records.private int
CallsSSLEngine.unwrap(ByteBuffer, ByteBuffer)
with an empty buffer to handle handshakes, etc.private SSLEngineResult
wrap
(ByteBufAllocator alloc, SSLEngine engine, ByteBuf in, ByteBuf out) private void
wrap
(ChannelHandlerContext ctx, boolean inUnwrap) private void
private SSLEngineResult
wrapMultiple
(ByteBufAllocator alloc, SSLEngine engine, ByteBuf in, ByteBuf out) private boolean
wrapNonAppData
(ChannelHandlerContext ctx, boolean inUnwrap) void
write
(ChannelHandlerContext ctx, Object msg, ChannelPromise promise) Called once a write operation is made.Methods inherited from class io.netty.handler.codec.ByteToMessageDecoder
actualReadableBytes, callDecode, channelRead, decodeLast, discardSomeReadBytes, handlerRemoved, internalBuffer, isSingleDecode, setCumulator, setDiscardAfterReads, setSingleDecode, userEventTriggered
Methods inherited from class io.netty.channel.ChannelInboundHandlerAdapter
channelRegistered, channelUnregistered, channelWritabilityChanged
Methods inherited from class io.netty.channel.ChannelHandlerAdapter
ensureNotSharable, isSharable
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface io.netty.channel.ChannelHandler
handlerRemoved
-
Field Details
-
logger
-
IGNORABLE_CLASS_IN_STACK
-
IGNORABLE_ERROR_MESSAGE
-
STATE_SENT_FIRST_MESSAGE
private static final int STATE_SENT_FIRST_MESSAGE- See Also:
-
STATE_FLUSHED_BEFORE_HANDSHAKE
private static final int STATE_FLUSHED_BEFORE_HANDSHAKE- See Also:
-
STATE_READ_DURING_HANDSHAKE
private static final int STATE_READ_DURING_HANDSHAKE- See Also:
-
STATE_HANDSHAKE_STARTED
private static final int STATE_HANDSHAKE_STARTED- See Also:
-
STATE_NEEDS_FLUSH
private static final int STATE_NEEDS_FLUSHSet by wrap*() methods when something is produced.channelReadComplete(ChannelHandlerContext)
will check this flag, clear it, and call ctx.flush().- See Also:
-
STATE_OUTBOUND_CLOSED
private static final int STATE_OUTBOUND_CLOSED- See Also:
-
STATE_CLOSE_NOTIFY
private static final int STATE_CLOSE_NOTIFY- See Also:
-
STATE_PROCESS_TASK
private static final int STATE_PROCESS_TASK- See Also:
-
STATE_FIRE_CHANNEL_READ
private static final int STATE_FIRE_CHANNEL_READThis flag is used to determine if we need to callChannelHandlerContext.read()
to consume more data whenChannelConfig.isAutoRead()
isfalse
.- See Also:
-
STATE_UNWRAP_REENTRY
private static final int STATE_UNWRAP_REENTRY- See Also:
-
MAX_PLAINTEXT_LENGTH
private static final int MAX_PLAINTEXT_LENGTH2^14 which is the maximum sized plaintext chunk allowed by the TLS RFC.- See Also:
-
ctx
-
engine
-
engineType
-
delegatedTaskExecutor
-
jdkCompatibilityMode
private final boolean jdkCompatibilityMode -
singleBuffer
Used ifSSLEngine.wrap(ByteBuffer[], ByteBuffer)
andSSLEngine.unwrap(ByteBuffer, ByteBuffer[])
should be called with aByteBuf
that is only backed by oneByteBuffer
to reduce the object creation. -
startTls
private final boolean startTls -
resumptionController
-
sslTaskRunnerForUnwrap
-
sslTaskRunner
-
pendingUnencryptedWrites
-
handshakePromise
-
sslClosePromise
-
packetLength
private int packetLength -
state
private short state -
handshakeTimeoutMillis
private volatile long handshakeTimeoutMillis -
closeNotifyFlushTimeoutMillis
private volatile long closeNotifyFlushTimeoutMillis -
closeNotifyReadTimeoutMillis
private volatile long closeNotifyReadTimeoutMillis -
wrapDataSize
volatile int wrapDataSize
-
-
Constructor Details
-
SslHandler
Creates a new instance which runs all delegated tasks directly on theEventExecutor
.- Parameters:
engine
- theSSLEngine
this handler will use
-
SslHandler
Creates a new instance which runs all delegated tasks directly on theEventExecutor
. -
SslHandler
Creates a new instance.- Parameters:
engine
- theSSLEngine
this handler will usedelegatedTaskExecutor
- theExecutor
that will be used to execute tasks that are returned bySSLEngine.getDelegatedTask()
.
-
SslHandler
Creates a new instance.- Parameters:
engine
- theSSLEngine
this handler will usestartTls
-true
if the first write request shouldn't be encrypted by theSSLEngine
delegatedTaskExecutor
- theExecutor
that will be used to execute tasks that are returned bySSLEngine.getDelegatedTask()
.
-
SslHandler
SslHandler(SSLEngine engine, boolean startTls, Executor delegatedTaskExecutor, ResumptionController resumptionController)
-
-
Method Details
-
getHandshakeTimeoutMillis
public long getHandshakeTimeoutMillis() -
setHandshakeTimeout
-
setHandshakeTimeoutMillis
public void setHandshakeTimeoutMillis(long handshakeTimeoutMillis) -
setWrapDataSize
Sets the number of bytes to pass to eachSSLEngine.wrap(ByteBuffer[], int, int, ByteBuffer)
call.This value will partition data which is passed to write
write(ChannelHandlerContext, Object, ChannelPromise)
. The partitioning will work as follows:- If
wrapDataSize <= 0
then we will write each data chunk as is. - If
wrapDataSize > data size
then we will attempt to aggregate multiple data chunks together. - If
wrapDataSize > data size
Else ifwrapDataSize <= data size
then we will divide the data into chunks ofwrapDataSize
when writing.
If the
SSLEngine
doesn't support a gather wrap operation (e.g.SslProvider.OPENSSL
) then aggregating data before wrapping can help reduce the ratio between TLS overhead vs data payload which will lead to better goodput. Writing fixed chunks of data can also help target the underlying transport's (e.g. TCP) frame size. Under lossy/congested network conditions this may help the peer get full TLS packets earlier and be able to do work sooner, as opposed to waiting for the all the pieces of the TLS packet to arrive.- Parameters:
wrapDataSize
- the number of bytes which will be passed to eachSSLEngine.wrap(ByteBuffer[], int, int, ByteBuffer)
call.
- If
-
getCloseNotifyTimeoutMillis
Deprecated. -
setCloseNotifyTimeout
Deprecated. -
setCloseNotifyTimeoutMillis
Deprecated. -
getCloseNotifyFlushTimeoutMillis
public final long getCloseNotifyFlushTimeoutMillis() -
setCloseNotifyFlushTimeout
-
setCloseNotifyFlushTimeoutMillis
public final void setCloseNotifyFlushTimeoutMillis(long closeNotifyFlushTimeoutMillis) -
getCloseNotifyReadTimeoutMillis
public final long getCloseNotifyReadTimeoutMillis() -
setCloseNotifyReadTimeout
-
setCloseNotifyReadTimeoutMillis
public final void setCloseNotifyReadTimeoutMillis(long closeNotifyReadTimeoutMillis) -
engine
Returns theSSLEngine
which is used by this handler. -
applicationProtocol
Returns the name of the current application-level protocol.- Returns:
- the protocol name or
null
if application-level protocol has not been negotiated
-
handshakeFuture
Returns aFuture
that will get notified once the current TLS handshake completes.- Returns:
- the
Future
for the initial TLS handshake ifrenegotiate()
was not invoked. TheFuture
for the most recent TLS renegotiation otherwise.
-
close
Deprecated.UsecloseOutbound()
-
close
Deprecated. -
closeOutbound
Sends an SSLclose_notify
message to the specified channel and destroys the underlyingSSLEngine
. This will not close the underlyingChannel
. If you want to also close theChannel
useChannelOutboundInvoker.close()
orChannelOutboundInvoker.close()
-
closeOutbound
Sends an SSLclose_notify
message to the specified channel and destroys the underlyingSSLEngine
. This will not close the underlyingChannel
. If you want to also close theChannel
useChannelOutboundInvoker.close()
orChannelOutboundInvoker.close()
-
closeOutbound0
-
sslCloseFuture
Return theFuture
that will get notified if the inbound of theSSLEngine
is closed. This method will return the sameFuture
all the time.- See Also:
-
handlerRemoved0
Description copied from class:ByteToMessageDecoder
Gets called after theByteToMessageDecoder
was removed from the actual context and it doesn't handle events anymore.- Overrides:
handlerRemoved0
in classByteToMessageDecoder
- Throws:
Exception
-
bind
public void bind(ChannelHandlerContext ctx, SocketAddress localAddress, ChannelPromise promise) throws Exception Description copied from interface:ChannelOutboundHandler
Called once a bind operation is made.- Specified by:
bind
in interfaceChannelOutboundHandler
- Parameters:
ctx
- theChannelHandlerContext
for which the bind operation is madelocalAddress
- theSocketAddress
to which it should boundpromise
- theChannelPromise
to notify once the operation completes- Throws:
Exception
- thrown if an error occurs
-
connect
public void connect(ChannelHandlerContext ctx, SocketAddress remoteAddress, SocketAddress localAddress, ChannelPromise promise) throws Exception Description copied from interface:ChannelOutboundHandler
Called once a connect operation is made.- Specified by:
connect
in interfaceChannelOutboundHandler
- Parameters:
ctx
- theChannelHandlerContext
for which the connect operation is maderemoteAddress
- theSocketAddress
to which it should connectlocalAddress
- theSocketAddress
which is used as source on connectpromise
- theChannelPromise
to notify once the operation completes- Throws:
Exception
- thrown if an error occurs
-
deregister
Description copied from interface:ChannelOutboundHandler
Called once a deregister operation is made from the current registeredEventLoop
.- Specified by:
deregister
in interfaceChannelOutboundHandler
- Parameters:
ctx
- theChannelHandlerContext
for which the close operation is madepromise
- theChannelPromise
to notify once the operation completes- Throws:
Exception
- thrown if an error occurs
-
disconnect
Description copied from interface:ChannelOutboundHandler
Called once a disconnect operation is made.- Specified by:
disconnect
in interfaceChannelOutboundHandler
- Parameters:
ctx
- theChannelHandlerContext
for which the disconnect operation is madepromise
- theChannelPromise
to notify once the operation completes- Throws:
Exception
- thrown if an error occurs
-
close
Description copied from interface:ChannelOutboundHandler
Called once a close operation is made.- Specified by:
close
in interfaceChannelOutboundHandler
- Parameters:
ctx
- theChannelHandlerContext
for which the close operation is madepromise
- theChannelPromise
to notify once the operation completes- Throws:
Exception
- thrown if an error occurs
-
read
Description copied from interface:ChannelOutboundHandler
InterceptsChannelHandlerContext.read()
.- Specified by:
read
in interfaceChannelOutboundHandler
- Throws:
Exception
-
newPendingWritesNullException
-
write
Description copied from interface:ChannelOutboundHandler
Called once a write operation is made. The write operation will write the messages through theChannelPipeline
. Those are then ready to be flushed to the actualChannel
onceChannel.flush()
is called- Specified by:
write
in interfaceChannelOutboundHandler
- Parameters:
ctx
- theChannelHandlerContext
for which the write operation is mademsg
- the message to writepromise
- theChannelPromise
to notify once the operation completes- Throws:
Exception
- thrown if an error occurs
-
flush
Description copied from interface:ChannelOutboundHandler
Called once a flush operation is made. The flush operation will try to flush out all previous written messages that are pending.- Specified by:
flush
in interfaceChannelOutboundHandler
- Parameters:
ctx
- theChannelHandlerContext
for which the flush operation is made- Throws:
Exception
- thrown if an error occurs
-
wrapAndFlush
- Throws:
SSLException
-
wrap
- Throws:
SSLException
-
wrapNonAppData
This method will not callsetHandshakeFailure(ChannelHandlerContext, Throwable, boolean, boolean, boolean)
orsetHandshakeFailure(ChannelHandlerContext, Throwable)
.- Returns:
true
if this method ends onSSLEngineResult.HandshakeStatus.NOT_HANDSHAKING
.- Throws:
SSLException
-
wrapMultiple
private SSLEngineResult wrapMultiple(ByteBufAllocator alloc, SSLEngine engine, ByteBuf in, ByteBuf out) throws SSLException - Throws:
SSLException
-
wrap
private SSLEngineResult wrap(ByteBufAllocator alloc, SSLEngine engine, ByteBuf in, ByteBuf out) throws SSLException - Throws:
SSLException
-
channelInactive
Description copied from class:ChannelInboundHandlerAdapter
CallsChannelHandlerContext.fireChannelInactive()
to forward to the nextChannelInboundHandler
in theChannelPipeline
. Sub-classes may override this method to change behavior.- Specified by:
channelInactive
in interfaceChannelInboundHandler
- Overrides:
channelInactive
in classByteToMessageDecoder
- Throws:
Exception
-
exceptionCaught
Description copied from class:ChannelInboundHandlerAdapter
CallsChannelHandlerContext.fireExceptionCaught(Throwable)
to forward to the nextChannelHandler
in theChannelPipeline
. Sub-classes may override this method to change behavior.- Specified by:
exceptionCaught
in interfaceChannelHandler
- Specified by:
exceptionCaught
in interfaceChannelInboundHandler
- Overrides:
exceptionCaught
in classChannelInboundHandlerAdapter
- Throws:
Exception
-
ignoreException
Checks if the givenThrowable
can be ignore and just "swallowed" When an ssl connection is closed a close_notify message is sent. After that the peer also sends close_notify however, it's not mandatory to receive the close_notify. The party who sent the initial close_notify can close the connection immediately then the peer will get connection reset error. -
isEncrypted
Deprecated.Returnstrue
if the givenByteBuf
is encrypted. Be aware that this method will not increase the readerIndex of the givenByteBuf
.- Parameters:
buffer
- TheByteBuf
to read from. Be aware that it must have at least 5 bytes to read, otherwise it will throw anIllegalArgumentException
.- Returns:
- encrypted
true
if theByteBuf
is encrypted,false
otherwise. - Throws:
IllegalArgumentException
- Is thrown if the givenByteBuf
has not at least 5 bytes to read.
-
isEncrypted
Returnstrue
if the givenByteBuf
is encrypted. Be aware that this method will not increase the readerIndex of the givenByteBuf
.- Parameters:
buffer
- TheByteBuf
to read from. Be aware that it must have at least 5 bytes to read, otherwise it will throw anIllegalArgumentException
.probeSSLv2
-true
if the inputbuffer
might be SSLv2. Iftrue
is used this methods might produce false-positives in some cases so it's strongly suggested to usefalse
.- Returns:
- encrypted
true
if theByteBuf
is encrypted,false
otherwise. - Throws:
IllegalArgumentException
- Is thrown if the givenByteBuf
has not at least 5 bytes to read.
-
decodeJdkCompatible
private void decodeJdkCompatible(ChannelHandlerContext ctx, ByteBuf in) throws NotSslRecordException - Throws:
NotSslRecordException
-
decodeNonJdkCompatible
-
handleUnwrapThrowable
-
decode
Description copied from class:ByteToMessageDecoder
Decode the from oneByteBuf
to an other. This method will be called till either the inputByteBuf
has nothing to read when return from this method or till nothing was read from the inputByteBuf
.- Specified by:
decode
in classByteToMessageDecoder
- Parameters:
ctx
- theChannelHandlerContext
which thisByteToMessageDecoder
belongs toin
- theByteBuf
from which to read dataout
- theList
to which decoded messages should be added- Throws:
SSLException
-
channelReadComplete
Description copied from class:ChannelInboundHandlerAdapter
CallsChannelHandlerContext.fireChannelReadComplete()
to forward to the nextChannelInboundHandler
in theChannelPipeline
. Sub-classes may override this method to change behavior.- Specified by:
channelReadComplete
in interfaceChannelInboundHandler
- Overrides:
channelReadComplete
in classByteToMessageDecoder
- Throws:
Exception
-
channelReadComplete0
-
readIfNeeded
-
flushIfNeeded
-
unwrapNonAppData
CallsSSLEngine.unwrap(ByteBuffer, ByteBuffer)
with an empty buffer to handle handshakes, etc.- Throws:
SSLException
-
unwrap
Unwraps inbound SSL records.- Throws:
SSLException
-
setHandshakeSuccessUnwrapMarkReentry
- Throws:
SSLException
-
executeNotifyClosePromise
-
executeChannelRead
-
toByteBuffer
-
inEventLoop
-
runDelegatedTasks
private boolean runDelegatedTasks(boolean inUnwrap) Will either run the delegated task directly callingRunnable.run()
and returntrue
or will offload the delegated task usingExecutor.execute(Runnable)
and returnfalse
. If the task is offloaded it will take care to resume its work on theEventExecutor
once there are no more tasks to process. -
getTaskRunner
-
executeDelegatedTask
private void executeDelegatedTask(boolean inUnwrap) -
executeDelegatedTask
-
setHandshakeSuccess
Notify all the handshake futures about the successfully handshake- Returns:
true
ifhandshakePromise
was set successfully and aSslHandshakeCompletionEvent
was fired.false
otherwise.- Throws:
SSLException
-
setHandshakeFailure
Notify all the handshake futures about the failure during the handshake. -
setHandshakeFailure
private void setHandshakeFailure(ChannelHandlerContext ctx, Throwable cause, boolean closeInbound, boolean notify, boolean alwaysFlushAndClose) Notify all the handshake futures about the failure during the handshake. -
setHandshakeFailureTransportFailure
-
releaseAndFailAll
-
notifyClosePromise
-
closeOutboundAndChannel
private void closeOutboundAndChannel(ChannelHandlerContext ctx, ChannelPromise promise, boolean disconnect) throws Exception - Throws:
Exception
-
flush
- Throws:
Exception
-
handlerAdded
Description copied from class:ChannelHandlerAdapter
Do nothing by default, sub-classes may override this method.- Specified by:
handlerAdded
in interfaceChannelHandler
- Overrides:
handlerAdded
in classChannelHandlerAdapter
- Throws:
Exception
-
startHandshakeProcessing
private void startHandshakeProcessing(boolean flushAtEnd) -
renegotiate
Performs TLS renegotiation. -
renegotiate
Performs TLS renegotiation. -
renegotiateOnEventLoop
-
handshake
private void handshake(boolean flushAtEnd) Performs TLS (re)negotiation.- Parameters:
flushAtEnd
- Set totrue
if the outbound buffer should be flushed (written to the network) at the end. Set tofalse
if the handshake will be flushed later, e.g. as part of TCP Fast Open connect.
-
applyHandshakeTimeout
private void applyHandshakeTimeout() -
forceFlush
-
setOpensslEngineSocketFd
-
channelActive
Issues an initial TLS handshake once connected when used in client-mode- Specified by:
channelActive
in interfaceChannelInboundHandler
- Overrides:
channelActive
in classChannelInboundHandlerAdapter
- Throws:
Exception
-
safeClose
private void safeClose(ChannelHandlerContext ctx, ChannelFuture flushFuture, ChannelPromise promise) -
addCloseListener
-
allocate
Always prefer a direct buffer when it's pooled, so that we reduce the number of memory copies inOpenSslEngine
. -
allocateOutNetBuf
Allocates an outbound network buffer forSSLEngine.wrap(ByteBuffer, ByteBuffer)
which can encrypt the specified amount of pending bytes. -
isStateSet
private boolean isStateSet(int bit) -
setState
private void setState(int bit) -
clearState
private void clearState(int bit)
-
getCloseNotifyFlushTimeoutMillis()