io.netty.handler.ssl

类 SslHandler

java.lang.Object

io.netty.channel.ChannelHandlerAdapter

io.netty.channel.ChannelInboundHandlerAdapter

io.netty.handler.codec.ByteToMessageDecoder

io.netty.handler.ssl.SslHandler

所有已实现的接口:

ChannelHandler, ChannelInboundHandler, ChannelOutboundHandler

public class SslHandler
extends ByteToMessageDecoder
implements ChannelOutboundHandler

Adds SSL · TLS and StartTLS support to a Channel. Please refer to the "SecureChat" example in the distribution or the web site for the detailed usage.

Beginning the handshake

Beside using the handshake ChannelFuture to get notified about the completion of the handshake it's also possible to detect it by implement the ChannelInboundHandler.userEventTriggered(ChannelHandlerContext, Object) method and check for a SslHandshakeCompletionEvent.

Handshake

The handshake will be automatically issued for you once the Channel is active and SSLEngine.getUseClientMode() returns true. So no need to bother with it by your self.

Closing the session

To close the SSL session, the closeOutbound() method should be called to send the close_notify message to the remote peer. One exception is when you close the Channel - SslHandler intercepts the close request and send the close_notify message before the channel closure automatically. Once the SSL session is closed, it is not reusable, and consequently you should create a new SslHandler with a new SSLEngine as explained in the following section.

Restarting the session

To restart the SSL session, you must remove the existing closed SslHandler from the ChannelPipeline, insert a new SslHandler with a new SSLEngine into the pipeline, and start the handshake process as described in the first section.

Implementing StartTLS

StartTLS is the communication pattern that secures the wire in the middle of the plaintext connection. Please note that it is different from SSL · TLS, that secures the wire from the beginning of the connection. Typically, StartTLS is composed of three steps:

1. Client sends a StartTLS request to server.
2. Server sends a StartTLS response to client.
3. Client begins SSL handshake.

If you implement a server, you need to:

1. create a new SslHandler instance with startTls flag set to true,
2. insert the SslHandler to the ChannelPipeline, and
3. write a StartTLS response.

Please note that you must insert SslHandler before sending the StartTLS response. Otherwise the client can send begin SSL handshake before SslHandler is inserted to the ChannelPipeline, causing data corruption.

The client-side implementation is much simpler.

1. Write a StartTLS request,
2. wait for the StartTLS response,
3. create a new SslHandler instance with startTls flag set to false,
4. insert the SslHandler to the ChannelPipeline, and
5. Initiate SSL handshake.

Known issues

Because of a known issue with the current implementation of the SslEngine that comes with Java it may be possible that you see blocked IO-Threads while a full GC is done.

So if you are affected you can workaround this problem by adjust the cache settings like shown below:

     SslContext context = ...;
     context.getServerSessionContext().setSessionCacheSize(someSaneSize);
     context.getServerSessionContext().setSessionTime(someSameTimeout);
 

What values to use here depends on the nature of your application and should be set based on monitoring and debugging of it. For more details see #832 in our issue tracker.

嵌套类概要

从类继承的嵌套类/接口 io.netty.handler.codec.ByteToMessageDecoder

ByteToMessageDecoder.Cumulator

从接口继承的嵌套类/接口 io.netty.channel.ChannelHandler

ChannelHandler.Sharable

字段概要

从类继承的字段 io.netty.handler.codec.ByteToMessageDecoder

COMPOSITE_CUMULATOR, MERGE_CUMULATOR

构造器概要

构造器

构造器和说明
SslHandler(javax.net.ssl.SSLEngine engine) Creates a new instance which runs all delegated tasks directly on the EventExecutor.
SslHandler(javax.net.ssl.SSLEngine engine, boolean startTls) Creates a new instance which runs all delegated tasks directly on the EventExecutor.
SslHandler(javax.net.ssl.SSLEngine engine, boolean startTls, java.util.concurrent.Executor delegatedTaskExecutor) Creates a new instance.
SslHandler(javax.net.ssl.SSLEngine engine, java.util.concurrent.Executor delegatedTaskExecutor) Creates a new instance.

方法概要

限定符和类型	方法和说明
java.lang.String	applicationProtocol() Returns the name of the current application-level protocol.
void	bind(ChannelHandlerContext ctx, java.net.SocketAddress localAddress, ChannelPromise promise) Called once a bind operation is made.
void	channelActive(ChannelHandlerContext ctx) Issues an initial TLS handshake once connected when used in client-mode
void	channelInactive(ChannelHandlerContext ctx) Calls ChannelHandlerContext.fireChannelInactive() to forward to the next ChannelInboundHandler in the ChannelPipeline.
void	channelReadComplete(ChannelHandlerContext ctx) Calls ChannelHandlerContext.fireChannelReadComplete() to forward to the next ChannelInboundHandler in the ChannelPipeline.
ChannelFuture	close() 已过时。
void	close(ChannelHandlerContext ctx, ChannelPromise promise) Called once a close operation is made.
ChannelFuture	close(ChannelPromise promise) 已过时。
ChannelFuture	closeOutbound() Sends an SSL close_notify message to the specified channel and destroys the underlying SSLEngine.
ChannelFuture	closeOutbound(ChannelPromise promise) Sends an SSL close_notify message to the specified channel and destroys the underlying SSLEngine.
void	connect(ChannelHandlerContext ctx, java.net.SocketAddress remoteAddress, java.net.SocketAddress localAddress, ChannelPromise promise) Called once a connect operation is made.
protected void	decode(ChannelHandlerContext ctx, ByteBuf in, java.util.List<java.lang.Object> out) Decode the from one ByteBuf to an other.
void	deregister(ChannelHandlerContext ctx, ChannelPromise promise) Called once a deregister operation is made from the current registered EventLoop.
void	disconnect(ChannelHandlerContext ctx, ChannelPromise promise) Called once a disconnect operation is made.
javax.net.ssl.SSLEngine	engine() Returns the SSLEngine which is used by this handler.
void	exceptionCaught(ChannelHandlerContext ctx, java.lang.Throwable cause) Calls ChannelHandlerContext.fireExceptionCaught(Throwable) to forward to the next ChannelHandler in the ChannelPipeline.
void	flush(ChannelHandlerContext ctx) Called once a flush operation is made.
long	getCloseNotifyFlushTimeoutMillis() Gets the timeout for flushing the close_notify that was triggered by closing the Channel.
long	getCloseNotifyReadTimeoutMillis() Gets the timeout (in ms) for receiving the response for the close_notify that was triggered by closing the Channel.
long	getCloseNotifyTimeoutMillis() 已过时。 use getCloseNotifyFlushTimeoutMillis()
long	getHandshakeTimeoutMillis()
void	handlerAdded(ChannelHandlerContext ctx) Do nothing by default, sub-classes may override this method.
void	handlerRemoved0(ChannelHandlerContext ctx) Gets called after the ByteToMessageDecoder was removed from the actual context and it doesn't handle events anymore.
Future<Channel>	handshakeFuture() Returns a Future that will get notified once the current TLS handshake completes.
static boolean	isEncrypted(ByteBuf buffer) Returns true if the given ByteBuf is encrypted.
void	read(ChannelHandlerContext ctx) Intercepts ChannelHandlerContext.read().
Future<Channel>	renegotiate() Performs TLS renegotiation.
Future<Channel>	renegotiate(Promise<Channel> promise) Performs TLS renegotiation.
void	setCloseNotifyFlushTimeout(long closeNotifyFlushTimeout, java.util.concurrent.TimeUnit unit) Sets the timeout for flushing the close_notify that was triggered by closing the Channel.
void	setCloseNotifyFlushTimeoutMillis(long closeNotifyFlushTimeoutMillis) See setCloseNotifyFlushTimeout(long, TimeUnit).
void	setCloseNotifyReadTimeout(long closeNotifyReadTimeout, java.util.concurrent.TimeUnit unit) Sets the timeout for receiving the response for the close_notify that was triggered by closing the Channel.
void	setCloseNotifyReadTimeoutMillis(long closeNotifyReadTimeoutMillis) See setCloseNotifyReadTimeout(long, TimeUnit).
void	setCloseNotifyTimeout(long closeNotifyTimeout, java.util.concurrent.TimeUnit unit) 已过时。 use setCloseNotifyFlushTimeout(long, TimeUnit)
void	setCloseNotifyTimeoutMillis(long closeNotifyFlushTimeoutMillis) 已过时。 use setCloseNotifyFlushTimeoutMillis(long)
void	setHandshakeTimeout(long handshakeTimeout, java.util.concurrent.TimeUnit unit)
void	setHandshakeTimeoutMillis(long handshakeTimeoutMillis)
void	setWrapDataSize(int wrapDataSize) Sets the number of bytes to pass to each SSLEngine.wrap(ByteBuffer[], int, int, ByteBuffer) call.
Future<Channel>	sslCloseFuture() Return the Future that will get notified if the inbound of the SSLEngine is closed.
void	write(ChannelHandlerContext ctx, java.lang.Object msg, ChannelPromise promise) Called once a write operation is made.

从类继承的方法 io.netty.handler.codec.ByteToMessageDecoder

actualReadableBytes, callDecode, channelRead, decodeLast, discardSomeReadBytes, handlerRemoved, internalBuffer, isSingleDecode, setCumulator, setDiscardAfterReads, setSingleDecode, userEventTriggered

从类继承的方法 io.netty.channel.ChannelInboundHandlerAdapter

channelRegistered, channelUnregistered, channelWritabilityChanged

从类继承的方法 io.netty.channel.ChannelHandlerAdapter

ensureNotSharable, isSharable

从类继承的方法 java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

从接口继承的方法 io.netty.channel.ChannelHandler

handlerRemoved

构造器详细资料

SslHandler

public SslHandler(javax.net.ssl.SSLEngine engine)

Creates a new instance which runs all delegated tasks directly on the EventExecutor.

参数:

engine - the SSLEngine this handler will use

SslHandler

public SslHandler(javax.net.ssl.SSLEngine engine,
                  boolean startTls)

Creates a new instance which runs all delegated tasks directly on the EventExecutor.

参数:

engine - the SSLEngine this handler will use

startTls - true if the first write request shouldn't be encrypted by the SSLEngine

SslHandler

public SslHandler(javax.net.ssl.SSLEngine engine,
                  java.util.concurrent.Executor delegatedTaskExecutor)

Creates a new instance.

参数:

engine - the SSLEngine this handler will use

delegatedTaskExecutor - the Executor that will be used to execute tasks that are returned by SSLEngine.getDelegatedTask().

SslHandler

public SslHandler(javax.net.ssl.SSLEngine engine,
                  boolean startTls,
                  java.util.concurrent.Executor delegatedTaskExecutor)

Creates a new instance.

参数:

engine - the SSLEngine this handler will use

startTls - true if the first write request shouldn't be encrypted by the SSLEngine

delegatedTaskExecutor - the Executor that will be used to execute tasks that are returned by SSLEngine.getDelegatedTask().

方法详细资料

getHandshakeTimeoutMillis

public long getHandshakeTimeoutMillis()

setHandshakeTimeout

public void setHandshakeTimeout(long handshakeTimeout,
                                java.util.concurrent.TimeUnit unit)

setHandshakeTimeoutMillis

public void setHandshakeTimeoutMillis(long handshakeTimeoutMillis)

setWrapDataSize

@UnstableApi
public final void setWrapDataSize(int wrapDataSize)

Sets the number of bytes to pass to each SSLEngine.wrap(ByteBuffer[], int, int, ByteBuffer) call.

This value will partition data which is passed to write write(ChannelHandlerContext, Object, ChannelPromise). The partitioning will work as follows:

• If wrapDataSize <= 0 then we will write each data chunk as is.
• If wrapDataSize > data size then we will attempt to aggregate multiple data chunks together.
• If wrapDataSize > data size Else if wrapDataSize <= data size then we will divide the data into chunks of wrapDataSize when writing.

If the SSLEngine doesn't support a gather wrap operation (e.g. SslProvider.OPENSSL) then aggregating data before wrapping can help reduce the ratio between TLS overhead vs data payload which will lead to better goodput. Writing fixed chunks of data can also help target the underlying transport's (e.g. TCP) frame size. Under lossy/congested network conditions this may help the peer get full TLS packets earlier and be able to do work sooner, as opposed to waiting for the all the pieces of the TLS packet to arrive.

参数:

wrapDataSize - the number of bytes which will be passed to each SSLEngine.wrap(ByteBuffer[], int, int, ByteBuffer) call.

getCloseNotifyTimeoutMillis

@Deprecated
public long getCloseNotifyTimeoutMillis()

已过时。 use getCloseNotifyFlushTimeoutMillis()

setCloseNotifyTimeout

@Deprecated
public void setCloseNotifyTimeout(long closeNotifyTimeout,
                                               java.util.concurrent.TimeUnit unit)

已过时。 use setCloseNotifyFlushTimeout(long, TimeUnit)

setCloseNotifyTimeoutMillis

@Deprecated
public void setCloseNotifyTimeoutMillis(long closeNotifyFlushTimeoutMillis)

已过时。 use setCloseNotifyFlushTimeoutMillis(long)

getCloseNotifyFlushTimeoutMillis

public final long getCloseNotifyFlushTimeoutMillis()

Gets the timeout for flushing the close_notify that was triggered by closing the Channel. If the close_notify was not flushed in the given timeout the Channel will be closed forcibly.

setCloseNotifyFlushTimeout

public final void setCloseNotifyFlushTimeout(long closeNotifyFlushTimeout,
                                             java.util.concurrent.TimeUnit unit)

Sets the timeout for flushing the close_notify that was triggered by closing the Channel. If the close_notify was not flushed in the given timeout the Channel will be closed forcibly.

setCloseNotifyFlushTimeoutMillis

public final void setCloseNotifyFlushTimeoutMillis(long closeNotifyFlushTimeoutMillis)

See setCloseNotifyFlushTimeout(long, TimeUnit).

getCloseNotifyReadTimeoutMillis

public final long getCloseNotifyReadTimeoutMillis()

Gets the timeout (in ms) for receiving the response for the close_notify that was triggered by closing the Channel. This timeout starts after the close_notify message was successfully written to the remote peer. Use 0 to directly close the Channel and not wait for the response.

setCloseNotifyReadTimeout

public final void setCloseNotifyReadTimeout(long closeNotifyReadTimeout,
                                            java.util.concurrent.TimeUnit unit)

Sets the timeout for receiving the response for the close_notify that was triggered by closing the Channel. This timeout starts after the close_notify message was successfully written to the remote peer. Use 0 to directly close the Channel and not wait for the response.

setCloseNotifyReadTimeoutMillis

public final void setCloseNotifyReadTimeoutMillis(long closeNotifyReadTimeoutMillis)

See setCloseNotifyReadTimeout(long, TimeUnit).

engine

public javax.net.ssl.SSLEngine engine()

Returns the SSLEngine which is used by this handler.

applicationProtocol

public java.lang.String applicationProtocol()

Returns the name of the current application-level protocol.

返回:

the protocol name or null if application-level protocol has not been negotiated

handshakeFuture

public Future<Channel> handshakeFuture()

Returns a Future that will get notified once the current TLS handshake completes.

返回:

the Future for the initial TLS handshake if renegotiate() was not invoked. The Future for the most recent TLS renegotiation otherwise.

close

@Deprecated
public ChannelFuture close()

已过时。

Use closeOutbound()

close

@Deprecated
public ChannelFuture close(ChannelPromise promise)

已过时。

Use closeOutbound(ChannelPromise)

closeOutbound

public ChannelFuture closeOutbound()

Sends an SSL close_notify message to the specified channel and destroys the underlying SSLEngine. This will not close the underlying Channel. If you want to also close the Channel use ChannelOutboundInvoker.close() or ChannelOutboundInvoker.close()

closeOutbound

public ChannelFuture closeOutbound(ChannelPromise promise)

Sends an SSL close_notify message to the specified channel and destroys the underlying SSLEngine. This will not close the underlying Channel. If you want to also close the Channel use ChannelOutboundInvoker.close() or ChannelOutboundInvoker.close()

sslCloseFuture

public Future<Channel> sslCloseFuture()

Return the Future that will get notified if the inbound of the SSLEngine is closed. This method will return the same Future all the time.

另请参阅:

SSLEngine

handlerRemoved0

public void handlerRemoved0(ChannelHandlerContext ctx)
                     throws java.lang.Exception

从类复制的说明: ByteToMessageDecoder

Gets called after the ByteToMessageDecoder was removed from the actual context and it doesn't handle events anymore.

覆盖:

handlerRemoved0 在类中 ByteToMessageDecoder

抛出:

java.lang.Exception

bind

public void bind(ChannelHandlerContext ctx,
                 java.net.SocketAddress localAddress,
                 ChannelPromise promise)
          throws java.lang.Exception

从接口复制的说明: ChannelOutboundHandler

Called once a bind operation is made.

指定者:

bind 在接口中 ChannelOutboundHandler

参数:

ctx - the ChannelHandlerContext for which the bind operation is made

localAddress - the SocketAddress to which it should bound

promise - the ChannelPromise to notify once the operation completes

抛出:

java.lang.Exception - thrown if an error occurs

connect

public void connect(ChannelHandlerContext ctx,
                    java.net.SocketAddress remoteAddress,
                    java.net.SocketAddress localAddress,
                    ChannelPromise promise)
             throws java.lang.Exception

从接口复制的说明: ChannelOutboundHandler

Called once a connect operation is made.

指定者:

connect 在接口中 ChannelOutboundHandler

参数:

ctx - the ChannelHandlerContext for which the connect operation is made

remoteAddress - the SocketAddress to which it should connect

localAddress - the SocketAddress which is used as source on connect

promise - the ChannelPromise to notify once the operation completes

抛出:

java.lang.Exception - thrown if an error occurs

deregister

public void deregister(ChannelHandlerContext ctx,
                       ChannelPromise promise)
                throws java.lang.Exception

从接口复制的说明: ChannelOutboundHandler

Called once a deregister operation is made from the current registered EventLoop.

指定者:

deregister 在接口中 ChannelOutboundHandler

参数:

ctx - the ChannelHandlerContext for which the close operation is made

promise - the ChannelPromise to notify once the operation completes

抛出:

java.lang.Exception - thrown if an error occurs

disconnect

public void disconnect(ChannelHandlerContext ctx,
                       ChannelPromise promise)
                throws java.lang.Exception

从接口复制的说明: ChannelOutboundHandler

Called once a disconnect operation is made.

指定者:

disconnect 在接口中 ChannelOutboundHandler

参数:

ctx - the ChannelHandlerContext for which the disconnect operation is made

promise - the ChannelPromise to notify once the operation completes

抛出:

java.lang.Exception - thrown if an error occurs

close

public void close(ChannelHandlerContext ctx,
                  ChannelPromise promise)
           throws java.lang.Exception

从接口复制的说明: ChannelOutboundHandler

Called once a close operation is made.

指定者:

close 在接口中 ChannelOutboundHandler

参数:

ctx - the ChannelHandlerContext for which the close operation is made

promise - the ChannelPromise to notify once the operation completes

抛出:

java.lang.Exception - thrown if an error occurs

read

public void read(ChannelHandlerContext ctx)
          throws java.lang.Exception

从接口复制的说明: ChannelOutboundHandler

Intercepts ChannelHandlerContext.read().

指定者:

read 在接口中 ChannelOutboundHandler

抛出:

java.lang.Exception

write

public void write(ChannelHandlerContext ctx,
                  java.lang.Object msg,
                  ChannelPromise promise)
           throws java.lang.Exception

从接口复制的说明: ChannelOutboundHandler

Called once a write operation is made. The write operation will write the messages through the ChannelPipeline. Those are then ready to be flushed to the actual Channel once Channel.flush() is called

指定者:

write 在接口中 ChannelOutboundHandler

参数:

ctx - the ChannelHandlerContext for which the write operation is made

msg - the message to write

promise - the ChannelPromise to notify once the operation completes

抛出:

java.lang.Exception - thrown if an error occurs

flush

public void flush(ChannelHandlerContext ctx)
           throws java.lang.Exception

从接口复制的说明: ChannelOutboundHandler

Called once a flush operation is made. The flush operation will try to flush out all previous written messages that are pending.

指定者:

flush 在接口中 ChannelOutboundHandler

参数:

ctx - the ChannelHandlerContext for which the flush operation is made

抛出:

java.lang.Exception - thrown if an error occurs

channelInactive

public void channelInactive(ChannelHandlerContext ctx)
                     throws java.lang.Exception

从类复制的说明: ChannelInboundHandlerAdapter

Calls ChannelHandlerContext.fireChannelInactive() to forward to the next ChannelInboundHandler in the ChannelPipeline. Sub-classes may override this method to change behavior.

指定者:

channelInactive 在接口中 ChannelInboundHandler

覆盖:

channelInactive 在类中 ByteToMessageDecoder

抛出:

java.lang.Exception

exceptionCaught

public void exceptionCaught(ChannelHandlerContext ctx,
                            java.lang.Throwable cause)
                     throws java.lang.Exception

从类复制的说明: ChannelInboundHandlerAdapter

Calls ChannelHandlerContext.fireExceptionCaught(Throwable) to forward to the next ChannelHandler in the ChannelPipeline. Sub-classes may override this method to change behavior.

指定者:

exceptionCaught 在接口中 ChannelHandler

指定者:

exceptionCaught 在接口中 ChannelInboundHandler

覆盖:

exceptionCaught 在类中 ChannelInboundHandlerAdapter

抛出:

java.lang.Exception

isEncrypted

public static boolean isEncrypted(ByteBuf buffer)

Returns true if the given ByteBuf is encrypted. Be aware that this method will not increase the readerIndex of the given ByteBuf.

参数:

buffer - The ByteBuf to read from. Be aware that it must have at least 5 bytes to read, otherwise it will throw an IllegalArgumentException.

返回:

encrypted true if the ByteBuf is encrypted, false otherwise.

抛出:

java.lang.IllegalArgumentException - Is thrown if the given ByteBuf has not at least 5 bytes to read.

decode

protected void decode(ChannelHandlerContext ctx,
                      ByteBuf in,
                      java.util.List<java.lang.Object> out)
               throws javax.net.ssl.SSLException

从类复制的说明: ByteToMessageDecoder

Decode the from one ByteBuf to an other. This method will be called till either the input ByteBuf has nothing to read when return from this method or till nothing was read from the input ByteBuf.

指定者:

decode 在类中 ByteToMessageDecoder

参数:

ctx - the ChannelHandlerContext which this ByteToMessageDecoder belongs to

in - the ByteBuf from which to read data

out - the List to which decoded messages should be added

抛出:

javax.net.ssl.SSLException

channelReadComplete

public void channelReadComplete(ChannelHandlerContext ctx)
                         throws java.lang.Exception

从类复制的说明: ChannelInboundHandlerAdapter

Calls ChannelHandlerContext.fireChannelReadComplete() to forward to the next ChannelInboundHandler in the ChannelPipeline. Sub-classes may override this method to change behavior.

指定者:

channelReadComplete 在接口中 ChannelInboundHandler

覆盖:

channelReadComplete 在类中 ByteToMessageDecoder

抛出:

java.lang.Exception

handlerAdded

public void handlerAdded(ChannelHandlerContext ctx)
                  throws java.lang.Exception

从类复制的说明: ChannelHandlerAdapter

Do nothing by default, sub-classes may override this method.

指定者:

handlerAdded 在接口中 ChannelHandler

覆盖:

handlerAdded 在类中 ChannelHandlerAdapter

抛出:

java.lang.Exception

renegotiate

public Future<Channel> renegotiate()

Performs TLS renegotiation.

renegotiate

public Future<Channel> renegotiate(Promise<Channel> promise)

Performs TLS renegotiation.

channelActive

public void channelActive(ChannelHandlerContext ctx)
                   throws java.lang.Exception

Issues an initial TLS handshake once connected when used in client-mode

指定者:

channelActive 在接口中 ChannelInboundHandler

覆盖:

channelActive 在类中 ChannelInboundHandlerAdapter

抛出:

java.lang.Exception