Avro >> mail # user >> Re: AVRO and SSL/TLS IPC calls
Dr. Pala 2013-10-17, 18:42
Re: AVRO and SSL/TLS IPC calls
I faced this issue while I was writing tests for HTTPS source. Can't recall
the details, but if you can look into the test case it might help:

https://github.com/apache/flume/blob/trunk/flume-ng-core/src/test/java/org/apache/flume/source/http/TestHTTPSource.java

Look into testHttps().

If time permits, I shall give a shot at the code. Can also debug using
-Djavax.net.debug=ssl or -Djavax.net.debug=all
On Fri, Oct 18, 2013 at 12:12 AM, Dr. Pala <[EMAIL PROTECTED]> wrote:

>  Hi Connor, all,
>
> thanks for your reply. However, I am trying to use the Netty protocol +
> enforcing mutual authentication under TLS v1.2. I am almost there... but I
> am stuck with an error that is difficult to debug and maybe, guys, you have
> some more insights.
>
> Following this example:
>
>    -
>    http://svn.apache.org/repos/asf/avro/trunk/lang/java/ipc/src/test/java/org/apache/avro/ipc/TestNettyServerWithSSL.java
>
> I am trying to build a small toolkit that will make secure communication
> between the requestor and the responder easy to deploy. For doing that, I
> have some working code that initializes a keystore and uses that for the
> source of trust, here's part of the code:
>
>     // Instantiates a new responder
>     Responder responder = new SpecificResponder(m_protoClass, m_protoHandler);
>
>     // Gets a new Channel Factory
>     ChannelFactory channelFactory = new NioServerSocketChannelFactory(Executors.newCachedThreadPool(), Executors.newCachedThreadPool());
>     // Creates the Netty server that wraps the responder
>     //
>     // NOTE:
>     //
>     // The m_trustManager is a helper class that extends NioClientSocketChannelFactory and
>     // implements X509TrustManager, ChannelPipelineFactory, ChannelFactory
>
>     m_server = new NettyServer(responder, new InetSocketAddress(m_host, m_port),
>         channelFactory, (ChannelPipelineFactory) m_trustManager, null);
>
>
> Internally the TrustManager implements the "public ChannelPipeline
> getPipeline()" method as follows:
>
>     // We need to get the pipeline
>     ChannelPipeline pipeline = Channels.pipeline();
>
>     // Set up key manager factory to use our key store
>     String algor = Security.getProperty("ssl.KeyManagerFactory.algorithm");
>     if (algor == null) algor = "SunX509";
>
>     KeyManagerFactory kmf = KeyManagerFactory.getInstance(algor);
>     kmf.init(m_keyStore, null);
>
>     // Now let's instantiate a new SSLContext and initialize it with the
>     // initialized KeyManagers
>     SSLContext serverContext = SSLContext.getInstance("TLSv1.2");
>     serverContext.init(kmf.getKeyManagers(), null, null);
>
>     // Derive the SSLEngine from the initialized SSLContext
>     SSLEngine sslEngine = serverContext.createSSLEngine();
>
>     // DEBUGGING code that prints out the supported and enabled Ciphersuites
>     System.out.println("TrustManager::SERVER Mode::Supported Ciphersuites:");
>     String[] sCipher = sslEngine.getSupportedCipherSuites();
>     for (int i = 0; i < sCipher.length; i++)
>     {
>        System.out.println("- " + sCipher[i]);
>     }
>     String[] eCipher = sslEngine.getEnabledCipherSuites();
>     System.out.println("TrustManager::SERVER Mode::Enabled Ciphersuites:: ");
>     for (int i = 0; i < eCipher.length; i++)
>     {
>       System.out.println("- " + eCipher[i]);
>     }
>
>     // Set Client / Server Mode. This is needed by the application to send
>     // the right messages
>     sslEngine.setUseClientMode(false);
>
>     // Adds a new SslHandler that uses the instantiated SSLEngine to the pipeline
>     pipeline.addLast("ssl", new SslHandler(sslEngine));
>
>     // Return the pipeline
>     return pipeline;
>
>
> everything seems to be working fine, until the client tries to connect to
> the server - at that point, the server replies that there are no common
> ciphersuites with the client and exits. I also tried to connect with
> OpenSSL, but I get the same type of error from the server.
>
> There is definitely something I am forgetting in the initialization of the
thanks
ashish

Blog: http://www.ashishpaliwal.com/blog
My Photo Galleries: http://www.pbase.com/ashishpaliwal
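The quoted server setup above builds a TLS 1.2 SSLContext from key managers only. As an added example (not code from this thread, from Avro or from Flume), here is a server-side engine for mutual authentication that also loads a truststore for client certificates, requires client authentication, and checks up front that the key manager can actually supply a server key, which is the usual precondition behind a "no cipher suites in common" handshake failure. The class name, file paths and passwords are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

// Added example, not the poster's code. File paths and passwords are assumptions.
public final class ServerTlsContext {
    // Builds a server-mode SSLEngine for TLS 1.2 mutual authentication and fails
    // fast if the keystore cannot supply a server certificate.
    public static SSLEngine newServerEngine(String keyStorePath, char[] storePass,
            char[] keyPass, String trustStorePath, char[] trustPass) throws Exception {
        // Server identity: this keystore must hold a private-key entry, not only
        // trusted certificates.
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(keyStorePath)) {
            keyStore.load(in, storePass);
        }
        // The key-entry password goes here; a protected key entry cannot be
        // unlocked with null.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(
                KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPass);
        // With no usable server alias JSSE can offer no certificate-backed suites,
        // which the client sees as "no cipher suites in common".
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];
        if (km.chooseServerAlias("RSA", null, null) == null
                && km.chooseServerAlias("EC", null, null) == null) {
            throw new IllegalStateException(keyStorePath + ": no usable server key entry");
        }
        // Trust anchors used to verify the client certificate (mutual auth).
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustPass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(true); // require and verify a client certificate
        engine.setEnabledProtocols(new String[] {"TLSv1.2"});
        return engine; // hand to new SslHandler(engine) in the pipeline
    }
}
```

Running with -Djavax.net.debug=ssl, as suggested above, shows whether the server presented a certificate at all during the handshake.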