Eclipse
/
jetty.project
mirror of https://github.com/jetty/jetty.project.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3431 from eclipse/jetty-9.4.x_3425_upgrade_conscrypt_get_rid_reflect 

Issue #3425 upgrade conscrypt to 2.0.0 and get rid reflect usage
This commit is contained in:
Simone Bordet 2019-03-15 09:19:58 +01:00 committed by GitHub
parent 74233d5711 123918018e
commit 01f2a4e16b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 224 additions and 112 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
jetty-alpn/jetty-alpn-conscrypt-client/src/main/java/org/eclipse/jetty/alpn/conscrypt/client/ConscryptClientALPNProcessor.java
View File

@ -18,12 +18,11 @@
package org.eclipse.jetty.alpn.conscrypt.client;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.security.Security;
import javax.net.ssl.SSLEngine;
import org.conscrypt.Conscrypt;
import org.conscrypt.OpenSSLProvider;
import org.eclipse.jetty.alpn.client.ALPNClientConnection;
import org.eclipse.jetty.io.Connection;
@ -40,7 +39,7 @@ public class ConscryptClientALPNProcessor implements ALPNProcessor.Client
@Override
public void init()
{
if (Security.getProvider("Conscrypt")==null)
if (Security.getProvider("Conscrypt") == null)
{
Security.addProvider(new OpenSSLProvider());
if (LOG.isDebugEnabled())
@ -59,11 +58,9 @@ public class ConscryptClientALPNProcessor implements ALPNProcessor.Client
{
try
{
Method setAlpnProtocols = sslEngine.getClass().getDeclaredMethod("setApplicationProtocols", String[].class);
setAlpnProtocols.setAccessible(true);
ALPNClientConnection alpn = (ALPNClientConnection)connection;
String[] protocols = alpn.getProtocols().toArray(new String[0]);
setAlpnProtocols.invoke(sslEngine, (Object)protocols);
Conscrypt.setApplicationProtocols(sslEngine, protocols);
((SslConnection.DecryptedEndPoint)connection.getEndPoint()).getSslConnection()
.addHandshakeListener(new ALPNListener(alpn));
}
@ -92,9 +89,9 @@ public class ConscryptClientALPNProcessor implements ALPNProcessor.Client
try
{
SSLEngine sslEngine = alpnConnection.getSSLEngine();
Method method = sslEngine.getClass().getDeclaredMethod("getApplicationProtocol");
method.setAccessible(true);
String protocol = (String)method.invoke(sslEngine);
String protocol = Conscrypt.getApplicationProtocol(sslEngine);
if (LOG.isDebugEnabled())
LOG.debug("Selected {} for {}", protocol, alpnConnection);
alpnConnection.selected(protocol);
}
catch (Throwable e)

25
jetty-alpn/jetty-alpn-conscrypt-server/pom.xml
View File

@ -38,6 +38,31 @@
<version>${project.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-alpn-conscrypt-client</artifactId>
<version>${project.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-client</artifactId>
<version>${project.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.eclipse.jetty.http2</groupId>
<artifactId>http2-client</artifactId>
<version>${project.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.eclipse.jetty.http2</groupId>
<artifactId>http2-http-client-transport</artifactId>
<version>${project.version}</version>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>

35
jetty-alpn/jetty-alpn-conscrypt-server/src/main/java/org/eclipse/jetty/alpn/conscrypt/server/ConscryptServerALPNProcessor.java
View File

@ -18,13 +18,14 @@
package org.eclipse.jetty.alpn.conscrypt.server;
import java.lang.reflect.Method;
import java.security.Security;
import java.util.List;
import java.util.function.BiFunction;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSocket;
import org.conscrypt.ApplicationProtocolSelector;
import org.conscrypt.Conscrypt;
import org.conscrypt.OpenSSLProvider;
import org.eclipse.jetty.alpn.server.ALPNServerConnection;
import org.eclipse.jetty.io.Connection;
@ -41,7 +42,7 @@ public class ConscryptServerALPNProcessor implements ALPNProcessor.Server
@Override
public void init()
{
if (Security.getProvider("Conscrypt")==null)
if (Security.getProvider("Conscrypt") == null)
{
Security.addProvider(new OpenSSLProvider());
if (LOG.isDebugEnabled())
@ -56,13 +57,11 @@ public class ConscryptServerALPNProcessor implements ALPNProcessor.Server
}
@Override
public void configure(SSLEngine sslEngine,Connection connection)
public void configure(SSLEngine sslEngine, Connection connection)
{
try
{
Method method = sslEngine.getClass().getMethod("setHandshakeApplicationProtocolSelector", BiFunction.class);
method.setAccessible(true);
method.invoke(sslEngine,new ALPNCallback((ALPNServerConnection)connection));
Conscrypt.setApplicationProtocolSelector(sslEngine, new ALPNCallback((ALPNServerConnection)connection));
}
catch (RuntimeException x)
{
@ -74,23 +73,31 @@ public class ConscryptServerALPNProcessor implements ALPNProcessor.Server
}
}
private final class ALPNCallback implements BiFunction<SSLEngine,List<String>,String>, SslHandshakeListener
private final class ALPNCallback extends ApplicationProtocolSelector implements SslHandshakeListener
{
private final ALPNServerConnection alpnConnection;
private ALPNCallback(ALPNServerConnection connection)
{
alpnConnection = connection;
alpnConnection = connection;
((DecryptedEndPoint)alpnConnection.getEndPoint()).getSslConnection().addHandshakeListener(this);
}
@Override
public String apply(SSLEngine engine, List<String> protocols)
public String selectApplicationProtocol(SSLEngine engine, List<String> protocols)
{
if (LOG.isDebugEnabled())
LOG.debug("apply {} {}", alpnConnection, protocols);
alpnConnection.select(protocols);
return alpnConnection.getProtocol();
String protocol = alpnConnection.getProtocol();
if (LOG.isDebugEnabled())
LOG.debug("Selected {} among {} for {}", protocol, protocols, alpnConnection);
return protocol;
}
@Override
public String selectApplicationProtocol(SSLSocket socket, List<String> protocols)
{
throw new UnsupportedOperationException();
}
@Override
@ -99,7 +106,7 @@ public class ConscryptServerALPNProcessor implements ALPNProcessor.Server
String protocol = alpnConnection.getProtocol();
if (LOG.isDebugEnabled())
LOG.debug("TLS handshake succeeded, protocol={} for {}", protocol, alpnConnection);
if (protocol ==null)
if (protocol == null)
alpnConnection.unsupported();
}

72
jetty-alpn/jetty-alpn-conscrypt-server/src/test/java/org/eclipse/jetty/alpn/conscrypt/server/ConscryptHTTP2Server.java
View File

@ -1,72 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995-2019 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.alpn.conscrypt.server;
import java.security.Security;
import org.conscrypt.OpenSSLProvider;
import org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory;
import org.eclipse.jetty.http2.HTTP2Cipher;
import org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;
/**
* Test server that verifies that the Conscrypt ALPN mechanism works.
*/
public class ConscryptHTTP2Server
{
public static void main(String[] args) throws Exception
{
Security.addProvider(new OpenSSLProvider());
Server server = new Server();
HttpConfiguration httpsConfig = new HttpConfiguration();
httpsConfig.setSecureScheme("https");
httpsConfig.setSecurePort(8443);
httpsConfig.setSendXPoweredBy(true);
httpsConfig.setSendServerVersion(true);
httpsConfig.addCustomizer(new SecureRequestCustomizer());
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setProvider("Conscrypt");
sslContextFactory.setKeyStorePath("src/test/resources/keystore.jks");
sslContextFactory.setKeyStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
sslContextFactory.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");
sslContextFactory.setCipherComparator(HTTP2Cipher.COMPARATOR);
HttpConnectionFactory http = new HttpConnectionFactory(httpsConfig);
HTTP2ServerConnectionFactory h2 = new HTTP2ServerConnectionFactory(httpsConfig);
ALPNServerConnectionFactory alpn = new ALPNServerConnectionFactory();
alpn.setDefaultProtocol(http.getProtocol());
SslConnectionFactory ssl = new SslConnectionFactory(sslContextFactory, alpn.getProtocol());
ServerConnector http2Connector = new ServerConnector(server, ssl, alpn, h2, http);
http2Connector.setPort(8443);
server.addConnector(http2Connector);
server.start();
}
}

141
jetty-alpn/jetty-alpn-conscrypt-server/src/test/java/org/eclipse/jetty/alpn/conscrypt/server/ConscryptHTTP2ServerTest.java Normal file
View File

@ -0,0 +1,141 @@
//
// ========================================================================
// Copyright (c) 1995-2019 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.alpn.conscrypt.server;
import java.io.File;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Security;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.conscrypt.OpenSSLProvider;
import org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.api.ContentResponse;
import org.eclipse.jetty.http2.client.HTTP2Client;
import org.eclipse.jetty.http2.client.http.HttpClientTransportOverHTTP2;
import org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.util.JavaVersion;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertEquals;
/**
* Test server that verifies that the Conscrypt ALPN mechanism works for both server and client side
*/
public class ConscryptHTTP2ServerTest
{
static
{
Security.addProvider(new OpenSSLProvider());
}
private Server server = new Server();
private SslContextFactory newSslContextFactory()
{
Path path = Paths.get("src", "test", "resources");
File keys = path.resolve("keystore").toFile();
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyManagerPassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
sslContextFactory.setTrustStorePath(keys.getAbsolutePath());
sslContextFactory.setKeyStorePath(keys.getAbsolutePath());
sslContextFactory.setTrustStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
sslContextFactory.setProvider("Conscrypt");
sslContextFactory.setEndpointIdentificationAlgorithm(null);
if (JavaVersion.VERSION.getPlatform() < 9)
{
// Conscrypt enables TLSv1.3 by default but it's not supported in Java 8.
sslContextFactory.addExcludeProtocols("TLSv1.3");
}
return sslContextFactory;
}
@BeforeEach
public void startServer() throws Exception
{
HttpConfiguration httpsConfig = new HttpConfiguration();
httpsConfig.setSecureScheme("https");
httpsConfig.setSendXPoweredBy(true);
httpsConfig.setSendServerVersion(true);
httpsConfig.addCustomizer(new SecureRequestCustomizer());
HttpConnectionFactory http = new HttpConnectionFactory(httpsConfig);
HTTP2ServerConnectionFactory h2 = new HTTP2ServerConnectionFactory(httpsConfig);
ALPNServerConnectionFactory alpn = new ALPNServerConnectionFactory();
alpn.setDefaultProtocol(http.getProtocol());
SslConnectionFactory ssl = new SslConnectionFactory(newSslContextFactory(), alpn.getProtocol());
ServerConnector http2Connector = new ServerConnector(server, ssl, alpn, h2, http);
http2Connector.setPort(0);
server.addConnector(http2Connector);
server.setHandler(new AbstractHandler()
{
@Override
public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response)
{
response.setStatus(200);
baseRequest.setHandled(true);
}
});
server.start();
}
@AfterEach
public void stopServer() throws Exception
{
if (server != null)
server.stop();
}
@Test
public void testSimpleRequest() throws Exception
{
HTTP2Client h2Client = new HTTP2Client();
HttpClient client = new HttpClient(new HttpClientTransportOverHTTP2(h2Client), newSslContextFactory());
client.start();
try
{
int port = ((ServerConnector)server.getConnectors()[0]).getLocalPort();
ContentResponse contentResponse = client.GET("https://localhost:" + port);
assertEquals(200, contentResponse.getStatus());
}
finally
{
client.stop();
}
}
}

BIN
jetty-alpn/jetty-alpn-conscrypt-server/src/test/resources/keystore Normal file
View File

Binary file not shown.

BIN
jetty-alpn/jetty-alpn-conscrypt-server/src/test/resources/keystore.jks
View File

Binary file not shown.

3
jetty-documentation/src/main/asciidoc/configuring/connectors/configuring-ssl.adoc
View File

@ -739,6 +739,9 @@ sslContextFactory.setProvider("Conscrypt");
If you are using the Jetty Distribution, please see the section on enabling the link:#jetty-conscrypt-distribution[Conscrypt SSL module.]
If you are using Conscrypt with Java 8, you must exclude `TLSv1.3` protocol as it is now enabled per default with Conscrypt 2.0.0 but not supported by Java 8.
==== Configuring SNI
From Java 8, the JVM contains support for the http://en.wikipedia.org/wiki/Server_Name_Indication[Server Name Indicator (SNI)] extension, which allows a SSL connection handshake to indicate one or more DNS names that it applies to.

2
jetty-home/src/main/resources/modules/conscrypt.mod
View File

@ -29,6 +29,6 @@ Conscrypt is distributed under the Apache Licence 2.0
https://github.com/google/conscrypt/blob/master/LICENSE
[ini]
conscrypt.version?=1.1.4
conscrypt.version?=2.0.0
jetty.sslContext.provider?=Conscrypt

1
jetty-osgi/test-jetty-osgi/pom.xml
View File

@ -548,7 +548,6 @@
<plugin>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<excludes>
<exclude>**/TestJettyOSGiBootHTTP2JDK9*</exclude>
</excludes>

7
jetty-osgi/test-jetty-osgi/src/test/config/etc/jetty-http2.xml
View File

@ -21,6 +21,13 @@
<Get class="org.eclipse.jetty.http2.HTTP2Cipher" name="COMPARATOR"/>
</Set>
<Set name="useCipherSuitesOrder">true</Set>
<Call name="addExcludeProtocols">
<Arg>
<Array type="java.lang.String">
<Item>TLSv1.3</Item>
</Array>
</Arg>
</Call>
</Ref>
</Configure>

33
jetty-osgi/test-jetty-osgi/src/test/java/org/eclipse/jetty/osgi/test/TestJettyOSGiBootHTTP2Conscrypt.java
View File

@ -31,6 +31,7 @@ import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.api.ContentResponse;
import org.eclipse.jetty.http2.client.HTTP2Client;
import org.eclipse.jetty.http2.client.http.HttpClientTransportOverHTTP2;
import org.eclipse.jetty.util.JavaVersion;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.util.thread.QueuedThreadPool;
import org.junit.Test;
@ -66,12 +67,12 @@ public class TestJettyOSGiBootHTTP2Conscrypt
{
ArrayList<Option> options = new ArrayList<>();
options.add(CoreOptions.junitBundles());
options.addAll(TestOSGiUtil.configureJettyHomeAndPort(true,"jetty-http2.xml"));
options.addAll(TestOSGiUtil.configureJettyHomeAndPort(true, "jetty-http2.xml"));
options.add(CoreOptions.bootDelegationPackages("org.xml.sax", "org.xml.*", "org.w3c.*", "javax.xml.*", "javax.activation.*"));
options.add(CoreOptions.systemPackages("com.sun.org.apache.xalan.internal.res","com.sun.org.apache.xml.internal.utils",
"com.sun.org.apache.xml.internal.utils", "com.sun.org.apache.xpath.internal",
"com.sun.org.apache.xpath.internal.jaxp", "com.sun.org.apache.xpath.internal.objects",
"sun.security", "sun.security.x509","sun.security.ssl"));
options.add(CoreOptions.systemPackages("com.sun.org.apache.xalan.internal.res", "com.sun.org.apache.xml.internal.utils",
"com.sun.org.apache.xml.internal.utils", "com.sun.org.apache.xpath.internal",
"com.sun.org.apache.xpath.internal.jaxp", "com.sun.org.apache.xpath.internal.objects",
"sun.security", "sun.security.x509", "sun.security.ssl"));
options.addAll(http2JettyDependencies());
options.addAll(TestOSGiUtil.coreJettyDependencies());
@ -94,10 +95,10 @@ public class TestJettyOSGiBootHTTP2Conscrypt
List<Option> res = new ArrayList<>();
res.add(CoreOptions.systemProperty("jetty.alpn.protocols").value("h2,http/1.1"));
res.add(CoreOptions.systemProperty("jetty.sslContext.provider").value("Conscrypt"));
res.add(wrappedBundle(mavenBundle().groupId("org.conscrypt").artifactId("conscrypt-openjdk-uber").versionAsInProject())
.imports("javax.net.ssl,*")
.exports("org.conscrypt;version="+System.getProperty("conscrypt-version"))
.exports("org.conscrypt;version=" + System.getProperty("conscrypt-version"))
.instructions("Bundle-NativeCode=META-INF/native/libconscrypt_openjdk_jni-linux-x86_64.so")
.start());
res.add(mavenBundle().groupId("org.eclipse.jetty.osgi").artifactId("jetty-osgi-alpn").versionAsInProject().noStart());
@ -127,16 +128,16 @@ public class TestJettyOSGiBootHTTP2Conscrypt
{
if (Boolean.getBoolean(TestOSGiUtil.BUNDLE_DEBUG))
assertAllBundlesActiveOrResolved();
HTTP2Client client = new HTTP2Client();
try
try
{
String port = System.getProperty("boot.https.port");
assertNotNull(port);
Path path = Paths.get("src", "test", "config");
Path path = Paths.get("src", "test", "config");
File keys = path.resolve("etc").resolve("keystore").toFile();
HTTP2Client http2Client = new HTTP2Client();
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyManagerPassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
@ -145,16 +146,20 @@ public class TestJettyOSGiBootHTTP2Conscrypt
sslContextFactory.setTrustStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
sslContextFactory.setProvider("Conscrypt");
sslContextFactory.setEndpointIdentificationAlgorithm(null);
if (JavaVersion.VERSION.getPlatform() < 9)
{
// Conscrypt enables TLSv1.3 by default but it's not supported in Java 8.
sslContextFactory.addExcludeProtocols("TLSv1.3");
}
HttpClient httpClient = new HttpClient(new HttpClientTransportOverHTTP2(http2Client), sslContextFactory);
Executor executor = new QueuedThreadPool();
httpClient.setExecutor(executor);
httpClient.start();
ContentResponse response = httpClient.GET("https://localhost:"+port+"/jsp/jstl.jsp");
ContentResponse response = httpClient.GET("https://localhost:" + port + "/jsp/jstl.jsp");
assertEquals(200, response.getStatus());
assertTrue(response.getContentAsString().contains("JSTL Example"));
}
finally
{

2
pom.xml
View File

@ -28,7 +28,7 @@
<infinispan.version>9.4.8.Final</infinispan.version>
<!-- default values are unsupported, but required to be defined for reactor sanity reasons -->
<alpn.version>undefined</alpn.version>
<conscrypt.version>1.4.1</conscrypt.version>
<conscrypt.version>2.0.0</conscrypt.version>
<asm.version>7.0</asm.version>
<jmh.version>1.21</jmh.version>
<jmhjar.name>benchmarks</jmhjar.name>