diff --git a/core/src/main/java/com/threerings/presents/peer/server/PeerManager.java b/core/src/main/java/com/threerings/presents/peer/server/PeerManager.java index 5b6cc00ec..b8c99b63f 100644 --- a/core/src/main/java/com/threerings/presents/peer/server/PeerManager.java +++ b/core/src/main/java/com/threerings/presents/peer/server/PeerManager.java @@ -1319,6 +1319,27 @@ public abstract class PeerManager return PeerNode.class; } + /** + * Sets the {@link SSLContext} that {@link PeerNode}s use to wrap their connections to other + * nodes in TLS. When the cluster's client port is TLS-enabled, peer connections (which connect + * to that same port) must also speak TLS; this is the client-side (pinned-truststore) context + * the peer node installs on its client before logon. Null (the default) leaves peer connections + * plaintext. Set this before peers are discovered/connected. + */ + public void setPeerClientContext (javax.net.ssl.SSLContext ctx) + { + _peerClientContext = ctx; + } + + /** + * Returns the {@link SSLContext} peer nodes use to wrap connections to other nodes, or null if + * peer connections are plaintext. + */ + public javax.net.ssl.SSLContext getPeerClientContext () + { + return _peerClientContext; + } + /** * Creates credentials that a {@link PeerNode} can use to authenticate with another node. */ @@ -1812,6 +1833,9 @@ public abstract class PeerManager protected String _nodeName; protected String _sharedSecret; protected NodeRecord _self; + + /** TLS context peer nodes use when connecting to other nodes, or null for plaintext peering. */ + protected javax.net.ssl.SSLContext _peerClientContext; protected NodeObject _nodeobj; protected String _nodeNamespace; protected Map _peers = Maps.newHashMap(); diff --git a/core/src/main/java/com/threerings/presents/peer/server/PeerNode.java b/core/src/main/java/com/threerings/presents/peer/server/PeerNode.java index 118574891..d54bd236d 100644 --- a/core/src/main/java/com/threerings/presents/peer/server/PeerNode.java +++ b/core/src/main/java/com/threerings/presents/peer/server/PeerNode.java @@ -140,6 +140,9 @@ public class PeerNode // otherwise configure our client with the right bits and logon _client.setCredentials(_peermgr.createCreds()); + // if the cluster's client port is TLS-enabled, peer connections must speak TLS too; + // null (plaintext peering) is a no-op (see PeerManager.setPeerClientContext) + _client.setSSLContext(_peermgr.getPeerClientContext()); _client.setServer(hostName, new int[] { _record.port }); _client.logon(); _lastConnectStamp = System.currentTimeMillis();