Merge pull request #2514 from ravindu25/master

Skip faulty SSL profiles on startup when ssl.profile.skip.failures is enabled

Author: malakaganga

modules/transports/core/nhttp/src/main/java/org/apache/synapse/transport/nhttp/NhttpConstants.java

@@ -282,4 +282,6 @@ public class NhttpConstants {
      */
     public static final String DEFAULT_MEDIATE_OPERATION = "_default_mediate_operation_";
 
+    public static final String SSL_PROFILE_SKIP_FAILURES = "ssl.profile.skip.failures";
+
 }

modules/transports/core/nhttp/src/main/java/org/apache/synapse/transport/nhttp/config/ClientConnFactoryBuilder.java

@@ -67,6 +67,8 @@
 public class ClientConnFactoryBuilder {
 
     private static final Log log = LogFactory.getLog(ClientConnFactoryBuilder.class);
+    private static final boolean skipSslProfileFailures =
+            Boolean.parseBoolean(System.getProperty(NhttpConstants.SSL_PROFILE_SKIP_FAILURES));
 
     private final TransportOutDescription transportOut;
     private final String name;
@@ -277,6 +279,16 @@ private Map<RequestDescriptor, SSLContext> getCustomSSLContexts(TransportOutDesc
                         sslContext = createSSLContext(ksElt, trElt, novalidatecert, secretResolver);
                     } catch (AxisFault axisFault) {
                         String err = "Error occurred while creating SSL context for the servers " + serversElt.getText();
+                        if (skipSslProfileFailures) {
+                            if (log.isWarnEnabled()) {
+                                String cause = axisFault.getCause() != null
+                                        ? axisFault.getCause().getClass().getName() + ": " + axisFault.getCause().getMessage()
+                                        : axisFault.getMessage();
+                                log.warn(name + " " + err + ". Skipping this SSL profile and continuing "
+                                        + "with the remaining profiles. Cause: " + cause);
+                            }
+                            continue;
+                        }
                         // This runtime exception stop the server startup But it will not affect for dynamic change
                         throw new InvalidConfigurationException(err, axisFault);
                     }
@@ -307,6 +319,16 @@ private Map<RequestDescriptor, SSLContext> getCustomSSLContexts(TransportOutDesc
                     sslContext = createSSLContext(ksElt, trElt, novalidatecert, secretResolver);
                 } catch (AxisFault axisFault) {
                     String err = "Error occurred while creating SSL context for the servers " + serversElt.getText();
+                    if (skipSslProfileFailures) {
+                        if (log.isWarnEnabled()) {
+                            String cause = axisFault.getCause() != null
+                                    ? axisFault.getCause().getClass().getName() + ": " + axisFault.getCause().getMessage()
+                                    : axisFault.getMessage();
+                            log.warn(name + " " + err + ". Skipping this SSL profile and continuing "
+                                    + "with the remaining profiles. Cause: " + cause);
+                        }
+                        continue;
+                    }
                     // This runtime exception stop the server startup But it will not affect for dynamic change
                     throw new InvalidConfigurationException(err, axisFault);
                 }
@@ -485,10 +507,14 @@ private SSLContext createSSLContext(OMElement keyStoreElt, OMElement trustStoreE
                 keymanagers = kmfactory.getKeyManagers();
 
             } catch (GeneralSecurityException gse) {
-                log.error(name + " Error loading Keystore : " + location, gse);
+                if (!skipSslProfileFailures) {
+                    log.error(name + " Error loading Keystore : " + location, gse);
+                }
                 throw new AxisFault("Error loading Keystore : " + location, gse);
             } catch (IOException ioe) {
-                log.error(name + " Error opening Keystore : " + location, ioe);
+                if (!skipSslProfileFailures) {
+                    log.error(name + " Error opening Keystore : " + location, ioe);
+                }
                 throw new AxisFault("Error opening Keystore : " + location, ioe);
             } 
         }
@@ -521,10 +547,14 @@ private SSLContext createSSLContext(OMElement keyStoreElt, OMElement trustStoreE
                 sslSenderTrustStoreHolder.setPassword(storePassword);
 
             } catch (GeneralSecurityException gse) {
-                log.error(name + " Error loading Key store : " + location, gse);
+                if (!skipSslProfileFailures) {
+                    log.error(name + " Error loading Key store : " + location, gse);
+                }
                 throw new AxisFault("Error loading Key store : " + location, gse);
             } catch (IOException ioe) {
-                log.error(name + " Error opening Key store : " + location, ioe);
+                if (!skipSslProfileFailures) {
+                    log.error(name + " Error opening Key store : " + location, ioe);
+                }
                 throw new AxisFault("Error opening Key store : " + location, ioe);
             }
         } else if (novalidatecert) {
@@ -543,7 +573,9 @@ private SSLContext createSSLContext(OMElement keyStoreElt, OMElement trustStoreE
             return sslcontext;
 
         } catch (GeneralSecurityException gse) {
-            log.error(name + " Unable to create SSL context with the given configuration", gse);
+            if (!skipSslProfileFailures) {
+                log.error(name + " Unable to create SSL context with the given configuration", gse);
+            }
             throw new AxisFault("Unable to create SSL context with the given configuration", gse);
         }
     }