More options for configuring TLS client auth

Author: b

README.md

@@ -54,6 +54,12 @@ attribute:
 
 See property files in conf/
 
+## TLS/SSL Transport
+
+kafka-websocket can be configured to support TLS transport between client and server (not from kafka-websocket to kafka). Client certificates
+can also be used, if desired. Client auth can be set to none, optional, or required, each being, I hope, self-explanatory. See
+conf/server.properties for various configuration options.
+
 ## License
 
 kafka-websocket is copyright 2014 Benjamin Black, and distributed under the Apache License 2.0.

conf/server.properties

@@ -5,6 +5,8 @@ ws.ssl=false
 ws.ssl.port=7443
 ws.ssl.keyStorePath=conf/keystore
 ws.ssl.keyStorePassword=password
+ws.ssl.trustStorePath=conf/keystore
+ws.ssl.trustStorePassword=password
 ws.ssl.protocols=TLSv1.2
 ws.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
-ws.ssl.clientAuth=false
+ws.ssl.clientAuth=none

src/main/java/us/b3k/kafka/ws/KafkaWebsocketServer.java

@@ -46,13 +46,14 @@ public KafkaWebsocketServer(Properties wsProps, Properties consumerProps, Proper
     }
 
     private SslContextFactory newSslContextFactory() {
+        LOG.info("Configuring TLS.");
         String keyStorePath = wsProps.getProperty("ws.ssl.keyStorePath");
         String keyStorePassword = wsProps.getProperty("ws.ssl.keyStorePassword");
         String trustStorePath = wsProps.getProperty("ws.ssl.trustStorePath", keyStorePath);
         String trustStorePassword = wsProps.getProperty("ws.ssl.trustStorePassword", keyStorePassword);
         String[] protocols = wsProps.getProperty("ws.ssl.protocols", DEFAULT_PROTOCOLS).split(",");
         String[] ciphers = wsProps.getProperty("ws.ssl.ciphers", DEFAULT_CIPHERS).split(",");
-        Boolean clientAuth = Boolean.parseBoolean(wsProps.getProperty("ws.ssl.clientAuth", "false"));
+        String clientAuth = wsProps.getProperty("ws.ssl.clientAuth", "none");
 
         SslContextFactory sslContextFactory = new SslContextFactory();
         sslContextFactory.setKeyStorePath(keyStorePath);
@@ -62,8 +63,23 @@ private SslContextFactory newSslContextFactory() {
         sslContextFactory.setTrustStorePassword(trustStorePassword);
         sslContextFactory.setIncludeProtocols(protocols);
         sslContextFactory.setIncludeCipherSuites(ciphers);
-        sslContextFactory.setNeedClientAuth(clientAuth);
-        sslContextFactory.setValidatePeerCerts(clientAuth);
+        switch(clientAuth) {
+            case "required":
+                LOG.info("Client auth required.");
+                sslContextFactory.setNeedClientAuth(true);
+                sslContextFactory.setValidatePeerCerts(true);
+                break;
+            case "optional":
+                LOG.info("Client auth allowed.");
+                sslContextFactory.setWantClientAuth(true);
+                sslContextFactory.setValidatePeerCerts(true);
+                break;
+            default:
+                LOG.info("Client auth disabled.");
+                sslContextFactory.setNeedClientAuth(false);
+                sslContextFactory.setWantClientAuth(false);
+                sslContextFactory.setValidatePeerCerts(false);
+        }
         return sslContextFactory;
     }