
pass SSL cipher through as a header

1 parent 7bd0097 commit 39f3f057076e773410b77e057f8c7d344cbc651c wilhelm bierbaum committed Mar 22, 2011
@@ -38,6 +38,7 @@ class Http(compressionLevel: Int = 0) extends Codec[HttpRequest, HttpResponse] {
// Response to Expect: Continue
pipeline.addLast("respondToExpectContinue", new RespondToExpectContinue)
pipeline.addLast("httpDechunker", new HttpChunkAggregator(10<<20))
+ pipeline.addLast("annotateCipher", new AnnotateCipher)
pipeline.addLast(
"connectionLifecycleManager",
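Review bot: The new `annotateCipher` handler at L12 only stamps full `HttpRequest` objects, so its position after `httpDechunker` is load-bearing: move it ahead of the `HttpChunkAggregator` and chunked requests would pass through as `HttpChunk`s with no `X-Transport-Cipher` header at all. That dependency is not stated anywhere in the pipeline wiring. I would add above L12 `// After httpDechunker: AnnotateCipher stamps aggregated HttpRequests only and overwrites any client-supplied X-Transport-Cipher.` The enclosing pipeline-factory method starts and ends outside this hunk.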
@@ -6,7 +6,7 @@ import scala.collection.JavaConversions._
import java.util.concurrent.{Executors, LinkedBlockingQueue}
import java.util.logging.Logger
import java.net.SocketAddress
-import javax.net.ssl.SSLContext
+import javax.net.ssl.{SSLContext, SSLEngine}
import org.jboss.netty.bootstrap.ServerBootstrap
import org.jboss.netty.channel._
@@ -64,7 +64,7 @@ case class ServerBuilder[Req, Rep](
private val _recvBufferSize: Option[Int],
private val _bindTo: Option[SocketAddress],
private val _logger: Option[Logger],
- private val _tls: Option[SslContext,
+ private val _tls: Option[SSLContext],
private val _startTls: Boolean,
private val _channelFactory: Option[ReferenceCountedChannelFactory],
private val _maxConcurrentRequests: Option[Int],
@@ -257,12 +257,15 @@ case class ServerBuilder[Req, Rep](
new WriteCompletionTimeoutHandler(Timer.default, howlong))
}
+ var sslEngine: SSLEngine = null
+
// SSL comes first so that ChannelSnooper gets plaintext
_tls foreach { ctx: SSLContext =>
- val sslEngine = ctx.createSSLEngine()
+ sslEngine = ctx.createSSLEngine()
sslEngine.setUseClientMode(false)
sslEngine.setEnableSessionCreation(true)
+ pipeline.addFirst("sslCipherAttribution", new SslCipherAttributionHandler(sslEngine))
pipeline.addFirst("ssl", new SslHandler(sslEngine, _startTls))
}
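Review bot: The `var sslEngine: SSLEngine = null` introduced at L35 is assigned inside the `_tls foreach` closure at L40 and only read there (L43–L44), so it gains nothing over the original `val` and leaves a nullable, mutable engine in scope for any later code that runs when `_tls` is `None`. Drop L35–L36 and keep `val sslEngine = ctx.createSSLEngine()` inside the closure. The `addFirst` order at L43–L44 is correct but subtle: because `"ssl"` is added last it ends up first, so the attribution handler sees only decrypted traffic and runs after `SslHandler` has processed the record; a comment such as `// Added before "ssl" so it sits directly behind SslHandler and sees decrypted messages only` would prevent someone "fixing" the apparent reversal. The enclosing method continues outside this hunk.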
@@ -9,6 +9,9 @@ import java.security.spec._
import javax.net.ssl._
import java.util.Random
+import org.jboss.netty.channel.{Channel, ChannelLocal, ChannelHandlerContext,
+ MessageEvent, SimpleChannelHandler}
+
import scala.collection.mutable.ArrayBuffer
import scala.collection.JavaConversions._
import scala.util.control.Breaks._
@@ -20,6 +23,32 @@ case class SslServerConfiguration(
val certificatePath: String,
val keyPath: String)
+object SslCipherAttribution extends ChannelLocal[String] {
+
+ /**
+ * Set the cipher suite attribution for the given Channel to the current cipher
+ * in use in the specified SSLEngine.
+ *
+ * Fails silently if either is null.
+ */
+ def apply(channel: Channel, sslEngine: SSLEngine) {
+ if (channel != null && sslEngine != null)
+ set(channel, sslEngine.getSession.getCipherSuite)
+ }
+
+ def apply(channel: Channel) =
+ get(channel)
+
+ override protected def initialValue(channel: Channel): String = "plaintext"
+}
+
+class SslCipherAttributionHandler(sslEngine: SSLEngine) extends SimpleChannelHandler {
+ override def messageReceived(ctx: ChannelHandlerContext, e: MessageEvent) {
+ SslCipherAttribution(ctx.getChannel, sslEngine)
+ super.messageReceived(ctx, e)
+ }
+}
+
/**
* Creates KeyManagers for PEM files.
*/
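Review bot: `SslCipherAttribution.apply(channel, sslEngine)` at L66–L69 reads `sslEngine.getSession.getCipherSuite` whenever a message arrives, and `SSLEngine.getSession` is documented to return an invalid session reporting `SSL_NULL_WITH_NULL_NULL` until the initial handshake completes; with `_startTls` enabled the first message passes `SslHandler` unencrypted, so that request would presumably be attributed with the null-suite name rather than the `"plaintext"` marker from `initialValue` at L74, and an upstream that merely checks for a non-plaintext value could treat unencrypted traffic as protected. Normalising the null suite to the same marker keeps the header's meaning consistent; the rewrite of the `set` call is below. The doc comment at L60–L65 should also state that the value is refreshed on every inbound message, so a renegotiated suite is reflected on subsequent requests of the same connection, since that is what `SslCipherAttributionHandler.messageReceived` at L78–L81 does.
```scala
  def apply(channel: Channel, sslEngine: SSLEngine) {
    if (channel != null && sslEngine != null) {
      // JSSE reports SSL_NULL_WITH_NULL_NULL until the handshake has completed
      // (e.g. the first startTls message); report that as plaintext so the
      // upstream never sees a cipher name for unencrypted bytes.
      val suite = sslEngine.getSession.getCipherSuite
      set(channel, if (suite == "SSL_NULL_WITH_NULL_NULL") "plaintext" else suite)
    }
  }
```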
@@ -0,0 +1,23 @@
+package com.twitter.finagle.http
+
+import com.twitter.finagle.builder.SslCipherAttribution
+
+import org.jboss.netty.channel.{Channel, ChannelHandler, ChannelHandlerContext, MessageEvent,
+ SimpleChannelHandler}
+import org.jboss.netty.handler.codec.http.{HttpRequest, HttpResponse}
+
+/**
+ * Extract the cipher from the SslCipherAttribution ChannelLocal variable and
+ * set it as a header on the HTTP request befor sending it upstream.
+ */
+class AnnotateCipher extends SimpleChannelHandler {
+ override def messageReceived(ctx: ChannelHandlerContext, e: MessageEvent) {
+ if (e.getMessage.isInstanceOf[HttpRequest]) {
+ val req = e.getMessage.asInstanceOf[HttpRequest]
+ val cipher = SslCipherAttribution(ctx.getChannel)
+ req.setHeader("X-Transport-Cipher", cipher)
+ }
+
+ super.messageReceived(ctx, e)
+ }
+}
@@ -58,6 +58,8 @@ case class Http(
"httpDechunker",
new HttpChunkAggregator(_maxRequestSize.inBytes.toInt))
+ pipeline.addLast("annotateCipher", new AnnotateCipher)
+
pipeline.addLast(
"connectionLifecycleManager",
new ServerConnectionManager)

