author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-07-21 11:47:53 +0200 |
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-07-21 15:30:19 +0200 |
commit | 0d69bcaca8a9af188e0d93dfb3d4911113558ec9 (patch) | |
tree | 45a37849e1ad4a9511a07e80e2a8861b8bc70b5c /jrt | |
parent | 37b82350dd673de1d7375c01838123bf0b1e1a91 (diff) |
Get ConnectionAuthContext from SSL session after handshake is complete
Bound key-value pairs from SSL handshake session are now copied to the final SSL session object.
This simplifies the dataflow - no need to retrieve the instance right after our custom trust manager is invoked.
Diffstat (limited to 'jrt')
-rw-r--r-- | jrt/src/com/yahoo/jrt/TlsCryptoSocket.java | 19 |
1 files changed, 7 insertions, 12 deletions
diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
index 13274dc3ba5..d83c1ee8baa 100644
--- a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
@@ -2,7 +2,8 @@ package com.yahoo.jrt;
 import com.yahoo.security.tls.ConnectionAuthContext;
-import com.yahoo.security.tls.PeerAuthorizerTrustManager;
+import com.yahoo.security.tls.PeerAuthorizationFailedException;
+import com.yahoo.security.tls.TransportSecurityUtils;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLEngineResult;
@@ -97,15 +98,6 @@ public class TlsCryptoSocket implements CryptoSocket {
 channelRead();
 break;
 case NEED_WORK:
- if (authContext == null) {
- PeerAuthorizerTrustManager.getConnectionAuthContext(sslEngine) // only available during handshake
- .ifPresent(ctx -> {
- if (!ctx.authorized()) {
- metrics.incrementPeerAuthorizationFailures();
- }
- authContext = ctx;
- });
- }
 break;
 case COMPLETED:
 return HandshakeState.COMPLETED;
@@ -122,6 +114,10 @@ public class TlsCryptoSocket implements CryptoSocket {
 SSLSession session = sslEngine.getSession();
 sessionApplicationBufferSize = session.getApplicationBufferSize();
 sessionPacketBufferSize = session.getPacketBufferSize();
+ authContext = TransportSecurityUtils.getConnectionAuthContext(session).orElseThrow();
+ if (!authContext.authorized()) {
+ metrics.incrementPeerAuthorizationFailures();
+ }
 log.fine(() -> String.format("Handshake complete: protocol=%s, cipherSuite=%s", session.getProtocol(), session.getCipherSuite()));
 if (sslEngine.getUseClientMode()) {
 metrics.incrementClientTlsConnectionsEstablished();
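Review bot: The bare `orElseThrow()` on the added `authContext = ...` line turns a missing ConnectionAuthContext into a NoSuchElementException with no message, and since the catch further down handles SSLHandshakeException only, that failure would propagate without either the certificate-verification or the peer-authorization metric being incremented. The removed NEED_WORK code tolerated an absent context (`ifPresent`), so this tightens the invariant that every completed handshake has a context bound to its session; if TransportSecurityUtils guarantees that, a comment saying so would help, otherwise prefer `authContext = TransportSecurityUtils.getConnectionAuthContext(session).orElseThrow(() -> new IllegalStateException("No ConnectionAuthContext bound to SSL session after handshake"));` so the failure is self-describing. The enclosing method starts and ends outside this hunk.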
@@ -143,8 +139,7 @@ public class TlsCryptoSocket implements CryptoSocket {
 }
 }
 } catch (SSLHandshakeException e) {
- // sslEngine.getDelegatedTask().run() and handshakeWrap() may throw SSLHandshakeException, potentially handshakeUnwrap() and sslEngine.beginHandshake() as well.
- if (authContext == null || authContext.authorized()) { // don't include handshake failures due from PeerAuthorizerTrustManager
+ if (!(e.getCause() instanceof PeerAuthorizationFailedException)) {
 metrics.incrementTlsCertificateVerificationFailures();
 }
 throw e;
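Review bot: The new `instanceof` check inspects only the immediate cause of the SSLHandshakeException, but the removed comment notes that the exception can surface from `sslEngine.getDelegatedTask().run()`, and the JSSE engine may re-wrap an exception thrown inside a delegated task in a fresh SSLHandshakeException before rethrowing it from wrap/unwrap; in that case the PeerAuthorizationFailedException sits one level deeper, the condition is true, and a local peer-authorization rejection is counted as a certificate verification failure. Walking the cause chain instead of testing `e.getCause()` alone avoids that misclassification, and the removed comment listing which calls can throw is worth keeping on the catch. The enclosing try block and method start outside this hunk.
```java
        } catch (SSLHandshakeException e) {
            // sslEngine.getDelegatedTask().run() and handshakeWrap() may throw SSLHandshakeException, potentially handshakeUnwrap() and sslEngine.beginHandshake() as well.
            if (!isPeerAuthorizationFailure(e)) { // don't count rejections made by our own peer authorizer as certificate verification failures
                metrics.incrementTlsCertificateVerificationFailures();
            }
            throw e;
// … unchanged: remainder of method …

    /** Returns true if a PeerAuthorizationFailedException appears anywhere in the cause chain of {@code t}. */
    private static boolean isPeerAuthorizationFailure(Throwable t) {
        for (Throwable cause = t; cause != null; cause = cause.getCause()) {
            if (cause instanceof PeerAuthorizationFailedException) {
                return true;
            }
        }
        return false;
    }
```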