add ability to configure netty for ssl #17

Closed
jahlborn opened this issue Jul 23, 2012 · 12 comments
@jahlborn

It is not currently possible to configure netty directly outside of the simple host,port configuration. It would be nice to expose more advanced configuration of netty, primarily SSL, but also possibly things like thread pools, socket params, etc.

@jfarcand
Member

Agree. Working on it.

@tnn

tnn commented Aug 1, 2012

Second this. We would like to help if needed.

@jfarcand
Member

Yes, I will work on this as soon as I'm back working in 2 weeks :-)

@jacomoman

Hi,

Has there been any resolution to this issue? In particular SSL support in Nettosphere?

I have another question with regards to securing communications between an external client and a Nettosphere server behind a firewall. What if the SSL was provided by a load-balancer (LB) just past the firewall? Then the Nettosphere server sat behind the LB and the LB directed the request to Nettosphere in plain HTTP. Do you think this scenario would work?

Thanks,
-Jac

@jfarcand
Member

Working on it.

jfarcand added a commit that referenced this issue Mar 22, 2013
@jfarcand
Member

OK fixed, just set an SSLEngine on the Config object to enable it.

@marcoslot

Hey, thanks for the fix, but you need to create a new SSLEngine for every pipeline. Otherwise, you'll run into a "bad record MAC" SSLException on the second request and netty will just quietly freeze.

@jfarcand
Member

jfarcand commented Apr 2, 2013

Euh....my bad. I will fix it ASAP.

@jfarcand jfarcand reopened this Apr 2, 2013
jfarcand added a commit that referenced this issue Apr 17, 2013
@jfarcand
Member

OK finally fixed. You can now just do:

        final SSLContext sslContext = createSSLContext();
        Config config = new Config.Builder()
                .port(port)
                .host("127.0.0.1")
                .sslContext(sslContext)
                .resource(new Handler() {

                    @Override
                    public void handle(AtmosphereResource r) {
                        r.getResponse().write("Hello World from Nettosphere").closeStreamOrWriter();
                    }
                }).build();

You can also add an SSLContextListener to customize the SSLEngine:

/**
 * A callback used to configure {@link javax.net.ssl.SSLEngine} before they get injected in Netty.
 */
public interface SSLContextListener {

    SSLContextListener DEFAULT = new SSLContextListener(){

        @Override
        public void onPostCreate(SSLEngine e) {
            e.setEnabledCipherSuites(new String[]{"SSL_DH_anon_WITH_RC4_128_MD5"});
            e.setUseClientMode(false);
        }
    };

    /**
     * Invoked just after the {@link SSLEngine} has been created, but not yet injected in Netty.
     * @param e SSLEngine;
     */
    public void onPostCreate(SSLEngine e);

}
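
An added example, not part of the comment above and not Nettosphere's own code: the DEFAULT listener shown enables only SSL_DH_anon_WITH_RC4_128_MD5, an anonymous suite that gives no server authentication and relies on RC4 and MD5. The JDK-only sketch below shows what a custom onPostCreate(SSLEngine) could do instead, and creates a fresh SSLEngine per connection from one shared SSLContext, as the earlier "bad record MAC" comment requires. The class name, the harden and newEngine helpers, and the keystore path and password arguments are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.*;

public class HardenedEngineExample {
    // Build one shared SSLContext from a JKS keystore (path and password are placeholders).
    static SSLContext createSSLContext(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    // Hypothetical helper: the body a custom onPostCreate(SSLEngine) could delegate to.
    static void harden(SSLEngine e) {
        e.setUseClientMode(false);
        List<String> protocols = new ArrayList<>();
        for (String p : e.getSupportedProtocols()) {
            if (p.equals("TLSv1.2") || p.equals("TLSv1.3")) protocols.add(p);
        }
        e.setEnabledProtocols(protocols.toArray(new String[0]));
        List<String> suites = new ArrayList<>();
        for (String s : e.getEnabledCipherSuites()) {
            // Drop anonymous, NULL, export, RC4, DES/3DES and MD5-based suites.
            boolean weak = s.matches(".*_(anon|NULL|EXPORT|RC4|DES|3DES)_.*") || s.endsWith("_MD5");
            if (!weak) suites.add(s);
        }
        e.setEnabledCipherSuites(suites.toArray(new String[0]));
    }

    // A fresh engine per connection: an SSLEngine carries one session's handshake and record state.
    static SSLEngine newEngine(SSLContext ctx) {
        SSLEngine e = ctx.createSSLEngine();
        harden(e);
        return e;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = createSSLContext(args[0], args[1].toCharArray());
        SSLEngine a = newEngine(ctx), b = newEngine(ctx);
        System.out.println("distinct engines: " + (a != b) + ", protocols: " + String.join(",", a.getEnabledProtocols()));
    }
}
```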

@rahulva

rahulva commented Jul 28, 2015

Hi
I'm trying to set up WSS (Secured Web Socket) using Nettosphere. Is there any tutorial, reference, or working sample available? Please help if anyone has one.
I was unable to find one...

@jdo1

jdo1 commented Oct 27, 2015

@rahulva : This worked for me:

  • Install the strong encryption package (http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html); without it, modern browsers will fail during the SSL handshake.
  • In the Config.Builder, use the call sslContext(..) with an org.jboss.netty.handler.ssl.SslContext param; the method with javax.net.ssl.SSLContext doesn't work (seems to be ignored inside Netty).
  • You can create the org.jboss.netty.handler.ssl.SslContext like this:
       File cert = new File("path/to/cert.pem");
       File key = new File("path/to/key.pem.pcks8");
       SslContext sslNettyContext = SslContext.newServerContext(SslProvider.JDK, cert, key, "thePassword");

       Config config = new Config.Builder()
                .port(port)
                .host("127.0.0.1")
                .sslContext(sslNettyContext)
                .resource(new Handler() {
                    @Override
                    public void handle(AtmosphereResource r) {
                        r.getResponse().write("Secure Hello World").closeStreamOrWriter();
                    }
                }).build();

       server = new Nettosphere.Builder().config(config).build();
       server.start();
  • Note that the key needs to be in PKCS8 format - I converted from "normal" via:
    openssl pkcs8 -topk8 -inform PEM -outform PEM -in key.pem -out key.pem.pcks8
  • Then the browser shows the normal "untrusted cert" warning, and after accepting you see "Secure Hello World".

@aguel

aguel commented Dec 20, 2016

I've been struggling with implementing Nettosphere with a keystore file (JKS). Any example code snippet, please? Thanks
