Reload Netty Server's SSL Context for gRPC

Question

Can someone tell me how to reload the SSLContext when a server certificate it refreshed/renewed without restarting the gRPC server?

I have this code to build and start a gRPC server. The method certificateRefreshed() gets called whenever a certificate changes which is when I create a new SSL context, but this doesn't work unless I restart the grpc server.

public class ServerWithTls {
    Server server;
    SslContext sslContext;

    public ServerWithTls() {
        this.sslContext = getSslContext();

        NettyServerBuilder serverBuilder = NettyServerBuilder
            .forPort(settings.port())
            .executor(executorService)
            .addService(myService);
            .sslContext(this.sslContext);

        server = serverBuilder.build();
        server.start();
    }

    public io.netty.handler.ssl.SslContext getSslContext() {
        // returns ssl context based on cert and key
    }

    // gets notified when a server cert changes
    public void certificateRefreshed() {
        // create a new SSL context when cert changes
        this.sslContext = getSslContext();
    }

}

Refreshing the cert without restarting the server is currently not supported. — Carl Mastrangelo, Jul 25 '18 at 20:34

score 1 · Answer 1 · answered Aug 28 '18 at 23:33

I'm unsure if there are easier alternatives, but I see two potentially possible ways.

Make your own SslContext, mimicking DelegatingSslContext. You would swap to a different SslContext (especially during newEngine) when you want a different certificate.
Use a KeyManagerFactory whose key material can change over time. I'm not aware of a pre-existing implementation of such a factory, so you probably would need to implement a KeyManagerFactorySpi that delegates to a KeyManagerFactory. You could then swap out the KeyManagerFactory over time.

I will warn that it would have been easy for me to miss something that would invalidate the approaches.

score 0 · Answer 2 · answered Jan 19 '22 at 15:55

This question is similar to this question: Reloading a java.net.http.HttpClient's SSLContext

This option is unfortunately not available by default. After you have supplied the SSLContext to the Server and build the Server you cannot change the SSLContext. You will need to create a new SSLContext and a new Server.

I had the same challenge for one of my projects and I solved it by using a custom trustmanager and keymanager which wraps around the actual trustmanager and keymanager while having the capability of swapping the actual trustmanager and trustmanager. So you can use the following setup if you still want to accomplish it without the need of recreating the Server and SSLContext:

SSLFactory sslFactory = SSLFactory.builder()
    .withSwappableIdentityMaterial()
    .withIdentityMaterial("identity.jks", "password".toCharArray())
    .withSwappableTrustMaterial()
    .withTrustMaterial("truststore.jks", "password".toCharArray())
    .build();

SslContext sslContext = NettySslUtils.forServer(sslFactory).build();
          
Server server = NettyServerBuilder
    .forPort(8443)
    .executor(executorService)
    .addService(myService)
    .sslContext(sslContext)
    .build();

server.start();

// swap identity and trust materials and reuse existing server
KeyManagerUtils.swapKeyManager(sslFactory.getKeyManager().get(), anotherKeyManager);
TrustManagerUtils.swapTrustManager(sslFactory.getTrustManager().get(), anotherTrustManager);

// Cleanup old ssl sessions by invalidating them all. Forces to use new ssl sessions which will be created by the swapped KeyManager/TrustManager
SSLSessionUtils.invalidateCaches(sslFactory.getSslContext());

In the above code example you need to replace the second parameter of the swapKeyManager and swapTrustManager method with the newly created KeyManager and TrustManager when you have new certificates.

See here for the documentation of this option: Swapping KeyManager and TrustManager at runtime

And here for an actual working example with Jetty (similar to Netty): Example swapping certificates at runtime with Jetty Server

You can add the library to your project with:

<dependency>
    <groupId>io.github.hakky54</groupId>
    <artifactId>sslcontext-kickstart-for-netty</artifactId>
    <version>7.2.0</version>
</dependency>

You can view the full documentation and other examples here: GitHub - SSLContext Kickstart

By the way I need to add a small disclaimer I am the maintainer of the library.

Reload Netty Server's SSL Context for gRPC

2 Answers2