Merge pull request #3431 from eclipse/jetty-9.4.x_3425_upgrade_conscrypt_get_rid_reflect
Issue #3425 upgrade conscrypt to 2.0.0 and get rid reflect usage
This commit is contained in:
commit
01f2a4e16b
|
@ -18,12 +18,11 @@
|
|||
|
||||
package org.eclipse.jetty.alpn.conscrypt.client;
|
||||
|
||||
import java.lang.reflect.Method;
|
||||
import java.nio.charset.StandardCharsets;
|
||||
import java.security.Security;
|
||||
|
||||
import javax.net.ssl.SSLEngine;
|
||||
|
||||
import org.conscrypt.Conscrypt;
|
||||
import org.conscrypt.OpenSSLProvider;
|
||||
import org.eclipse.jetty.alpn.client.ALPNClientConnection;
|
||||
import org.eclipse.jetty.io.Connection;
|
||||
|
@ -59,11 +58,9 @@ public class ConscryptClientALPNProcessor implements ALPNProcessor.Client
|
|||
{
|
||||
try
|
||||
{
|
||||
Method setAlpnProtocols = sslEngine.getClass().getDeclaredMethod("setApplicationProtocols", String[].class);
|
||||
setAlpnProtocols.setAccessible(true);
|
||||
ALPNClientConnection alpn = (ALPNClientConnection)connection;
|
||||
String[] protocols = alpn.getProtocols().toArray(new String[0]);
|
||||
setAlpnProtocols.invoke(sslEngine, (Object)protocols);
|
||||
Conscrypt.setApplicationProtocols(sslEngine, protocols);
|
||||
((SslConnection.DecryptedEndPoint)connection.getEndPoint()).getSslConnection()
|
||||
.addHandshakeListener(new ALPNListener(alpn));
|
||||
}
|
||||
|
@ -92,9 +89,9 @@ public class ConscryptClientALPNProcessor implements ALPNProcessor.Client
|
|||
try
|
||||
{
|
||||
SSLEngine sslEngine = alpnConnection.getSSLEngine();
|
||||
Method method = sslEngine.getClass().getDeclaredMethod("getApplicationProtocol");
|
||||
method.setAccessible(true);
|
||||
String protocol = (String)method.invoke(sslEngine);
|
||||
String protocol = Conscrypt.getApplicationProtocol(sslEngine);
|
||||
if (LOG.isDebugEnabled())
|
||||
LOG.debug("Selected {} for {}", protocol, alpnConnection);
|
||||
alpnConnection.selected(protocol);
|
||||
}
|
||||
catch (Throwable e)
|
||||
|
|
|
@ -38,6 +38,31 @@
|
|||
<version>${project.version}</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.eclipse.jetty</groupId>
|
||||
<artifactId>jetty-alpn-conscrypt-client</artifactId>
|
||||
<version>${project.version}</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.eclipse.jetty</groupId>
|
||||
<artifactId>jetty-client</artifactId>
|
||||
<version>${project.version}</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.eclipse.jetty.http2</groupId>
|
||||
<artifactId>http2-client</artifactId>
|
||||
<version>${project.version}</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.eclipse.jetty.http2</groupId>
|
||||
<artifactId>http2-http-client-transport</artifactId>
|
||||
<version>${project.version}</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
|
||||
</dependencies>
|
||||
<build>
|
||||
<plugins>
|
||||
|
|
|
@ -18,13 +18,14 @@
|
|||
|
||||
package org.eclipse.jetty.alpn.conscrypt.server;
|
||||
|
||||
import java.lang.reflect.Method;
|
||||
import java.security.Security;
|
||||
import java.util.List;
|
||||
import java.util.function.BiFunction;
|
||||
|
||||
import javax.net.ssl.SSLEngine;
|
||||
import javax.net.ssl.SSLSocket;
|
||||
|
||||
import org.conscrypt.ApplicationProtocolSelector;
|
||||
import org.conscrypt.Conscrypt;
|
||||
import org.conscrypt.OpenSSLProvider;
|
||||
import org.eclipse.jetty.alpn.server.ALPNServerConnection;
|
||||
import org.eclipse.jetty.io.Connection;
|
||||
|
@ -60,9 +61,7 @@ public class ConscryptServerALPNProcessor implements ALPNProcessor.Server
|
|||
{
|
||||
try
|
||||
{
|
||||
Method method = sslEngine.getClass().getMethod("setHandshakeApplicationProtocolSelector", BiFunction.class);
|
||||
method.setAccessible(true);
|
||||
method.invoke(sslEngine,new ALPNCallback((ALPNServerConnection)connection));
|
||||
Conscrypt.setApplicationProtocolSelector(sslEngine, new ALPNCallback((ALPNServerConnection)connection));
|
||||
}
|
||||
catch (RuntimeException x)
|
||||
{
|
||||
|
@ -74,10 +73,11 @@ public class ConscryptServerALPNProcessor implements ALPNProcessor.Server
|
|||
}
|
||||
}
|
||||
|
||||
private final class ALPNCallback implements BiFunction<SSLEngine,List<String>,String>, SslHandshakeListener
|
||||
private final class ALPNCallback extends ApplicationProtocolSelector implements SslHandshakeListener
|
||||
{
|
||||
private final ALPNServerConnection alpnConnection;
|
||||
|
||||
|
||||
private ALPNCallback(ALPNServerConnection connection)
|
||||
{
|
||||
alpnConnection = connection;
|
||||
|
@ -85,12 +85,19 @@ public class ConscryptServerALPNProcessor implements ALPNProcessor.Server
|
|||
}
|
||||
|
||||
@Override
|
||||
public String apply(SSLEngine engine, List<String> protocols)
|
||||
public String selectApplicationProtocol(SSLEngine engine, List<String> protocols)
|
||||
{
|
||||
if (LOG.isDebugEnabled())
|
||||
LOG.debug("apply {} {}", alpnConnection, protocols);
|
||||
alpnConnection.select(protocols);
|
||||
return alpnConnection.getProtocol();
|
||||
String protocol = alpnConnection.getProtocol();
|
||||
if (LOG.isDebugEnabled())
|
||||
LOG.debug("Selected {} among {} for {}", protocol, protocols, alpnConnection);
|
||||
return protocol;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String selectApplicationProtocol(SSLSocket socket, List<String> protocols)
|
||||
{
|
||||
throw new UnsupportedOperationException();
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
@ -1,72 +0,0 @@
|
|||
//
|
||||
// ========================================================================
|
||||
// Copyright (c) 1995-2019 Mort Bay Consulting Pty. Ltd.
|
||||
// ------------------------------------------------------------------------
|
||||
// All rights reserved. This program and the accompanying materials
|
||||
// are made available under the terms of the Eclipse Public License v1.0
|
||||
// and Apache License v2.0 which accompanies this distribution.
|
||||
//
|
||||
// The Eclipse Public License is available at
|
||||
// http://www.eclipse.org/legal/epl-v10.html
|
||||
//
|
||||
// The Apache License v2.0 is available at
|
||||
// http://www.opensource.org/licenses/apache2.0.php
|
||||
//
|
||||
// You may elect to redistribute this code under either of these licenses.
|
||||
// ========================================================================
|
||||
//
|
||||
|
||||
package org.eclipse.jetty.alpn.conscrypt.server;
|
||||
|
||||
import java.security.Security;
|
||||
|
||||
import org.conscrypt.OpenSSLProvider;
|
||||
import org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory;
|
||||
import org.eclipse.jetty.http2.HTTP2Cipher;
|
||||
import org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory;
|
||||
import org.eclipse.jetty.server.HttpConfiguration;
|
||||
import org.eclipse.jetty.server.HttpConnectionFactory;
|
||||
import org.eclipse.jetty.server.SecureRequestCustomizer;
|
||||
import org.eclipse.jetty.server.Server;
|
||||
import org.eclipse.jetty.server.ServerConnector;
|
||||
import org.eclipse.jetty.server.SslConnectionFactory;
|
||||
import org.eclipse.jetty.util.ssl.SslContextFactory;
|
||||
|
||||
/**
|
||||
* Test server that verifies that the Conscrypt ALPN mechanism works.
|
||||
*/
|
||||
public class ConscryptHTTP2Server
|
||||
{
|
||||
public static void main(String[] args) throws Exception
|
||||
{
|
||||
Security.addProvider(new OpenSSLProvider());
|
||||
|
||||
Server server = new Server();
|
||||
|
||||
HttpConfiguration httpsConfig = new HttpConfiguration();
|
||||
httpsConfig.setSecureScheme("https");
|
||||
httpsConfig.setSecurePort(8443);
|
||||
httpsConfig.setSendXPoweredBy(true);
|
||||
httpsConfig.setSendServerVersion(true);
|
||||
httpsConfig.addCustomizer(new SecureRequestCustomizer());
|
||||
|
||||
SslContextFactory sslContextFactory = new SslContextFactory();
|
||||
sslContextFactory.setProvider("Conscrypt");
|
||||
sslContextFactory.setKeyStorePath("src/test/resources/keystore.jks");
|
||||
sslContextFactory.setKeyStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
|
||||
sslContextFactory.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");
|
||||
sslContextFactory.setCipherComparator(HTTP2Cipher.COMPARATOR);
|
||||
|
||||
HttpConnectionFactory http = new HttpConnectionFactory(httpsConfig);
|
||||
HTTP2ServerConnectionFactory h2 = new HTTP2ServerConnectionFactory(httpsConfig);
|
||||
ALPNServerConnectionFactory alpn = new ALPNServerConnectionFactory();
|
||||
alpn.setDefaultProtocol(http.getProtocol());
|
||||
SslConnectionFactory ssl = new SslConnectionFactory(sslContextFactory, alpn.getProtocol());
|
||||
|
||||
ServerConnector http2Connector = new ServerConnector(server, ssl, alpn, h2, http);
|
||||
http2Connector.setPort(8443);
|
||||
server.addConnector(http2Connector);
|
||||
|
||||
server.start();
|
||||
}
|
||||
}
|
|
@ -0,0 +1,141 @@
|
|||
//
|
||||
// ========================================================================
|
||||
// Copyright (c) 1995-2019 Mort Bay Consulting Pty. Ltd.
|
||||
// ------------------------------------------------------------------------
|
||||
// All rights reserved. This program and the accompanying materials
|
||||
// are made available under the terms of the Eclipse Public License v1.0
|
||||
// and Apache License v2.0 which accompanies this distribution.
|
||||
//
|
||||
// The Eclipse Public License is available at
|
||||
// http://www.eclipse.org/legal/epl-v10.html
|
||||
//
|
||||
// The Apache License v2.0 is available at
|
||||
// http://www.opensource.org/licenses/apache2.0.php
|
||||
//
|
||||
// You may elect to redistribute this code under either of these licenses.
|
||||
// ========================================================================
|
||||
//
|
||||
|
||||
package org.eclipse.jetty.alpn.conscrypt.server;
|
||||
|
||||
import java.io.File;
|
||||
import java.nio.file.Path;
|
||||
import java.nio.file.Paths;
|
||||
import java.security.Security;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.conscrypt.OpenSSLProvider;
|
||||
import org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory;
|
||||
import org.eclipse.jetty.client.HttpClient;
|
||||
import org.eclipse.jetty.client.api.ContentResponse;
|
||||
import org.eclipse.jetty.http2.client.HTTP2Client;
|
||||
import org.eclipse.jetty.http2.client.http.HttpClientTransportOverHTTP2;
|
||||
import org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory;
|
||||
import org.eclipse.jetty.server.HttpConfiguration;
|
||||
import org.eclipse.jetty.server.HttpConnectionFactory;
|
||||
import org.eclipse.jetty.server.Request;
|
||||
import org.eclipse.jetty.server.SecureRequestCustomizer;
|
||||
import org.eclipse.jetty.server.Server;
|
||||
import org.eclipse.jetty.server.ServerConnector;
|
||||
import org.eclipse.jetty.server.SslConnectionFactory;
|
||||
import org.eclipse.jetty.server.handler.AbstractHandler;
|
||||
import org.eclipse.jetty.util.JavaVersion;
|
||||
import org.eclipse.jetty.util.ssl.SslContextFactory;
|
||||
import org.junit.jupiter.api.AfterEach;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
|
||||
import static org.junit.jupiter.api.Assertions.assertEquals;
|
||||
|
||||
/**
|
||||
* Test server that verifies that the Conscrypt ALPN mechanism works for both server and client side
|
||||
*/
|
||||
public class ConscryptHTTP2ServerTest
|
||||
{
|
||||
static
|
||||
{
|
||||
Security.addProvider(new OpenSSLProvider());
|
||||
}
|
||||
|
||||
private Server server = new Server();
|
||||
|
||||
private SslContextFactory newSslContextFactory()
|
||||
{
|
||||
Path path = Paths.get("src", "test", "resources");
|
||||
File keys = path.resolve("keystore").toFile();
|
||||
|
||||
SslContextFactory sslContextFactory = new SslContextFactory();
|
||||
sslContextFactory.setKeyManagerPassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
|
||||
sslContextFactory.setTrustStorePath(keys.getAbsolutePath());
|
||||
sslContextFactory.setKeyStorePath(keys.getAbsolutePath());
|
||||
sslContextFactory.setTrustStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
|
||||
sslContextFactory.setProvider("Conscrypt");
|
||||
sslContextFactory.setEndpointIdentificationAlgorithm(null);
|
||||
if (JavaVersion.VERSION.getPlatform() < 9)
|
||||
{
|
||||
// Conscrypt enables TLSv1.3 by default but it's not supported in Java 8.
|
||||
sslContextFactory.addExcludeProtocols("TLSv1.3");
|
||||
}
|
||||
return sslContextFactory;
|
||||
}
|
||||
|
||||
@BeforeEach
|
||||
public void startServer() throws Exception
|
||||
{
|
||||
HttpConfiguration httpsConfig = new HttpConfiguration();
|
||||
httpsConfig.setSecureScheme("https");
|
||||
|
||||
httpsConfig.setSendXPoweredBy(true);
|
||||
httpsConfig.setSendServerVersion(true);
|
||||
httpsConfig.addCustomizer(new SecureRequestCustomizer());
|
||||
|
||||
HttpConnectionFactory http = new HttpConnectionFactory(httpsConfig);
|
||||
HTTP2ServerConnectionFactory h2 = new HTTP2ServerConnectionFactory(httpsConfig);
|
||||
ALPNServerConnectionFactory alpn = new ALPNServerConnectionFactory();
|
||||
alpn.setDefaultProtocol(http.getProtocol());
|
||||
SslConnectionFactory ssl = new SslConnectionFactory(newSslContextFactory(), alpn.getProtocol());
|
||||
|
||||
ServerConnector http2Connector = new ServerConnector(server, ssl, alpn, h2, http);
|
||||
http2Connector.setPort(0);
|
||||
server.addConnector(http2Connector);
|
||||
|
||||
server.setHandler(new AbstractHandler()
|
||||
{
|
||||
@Override
|
||||
public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response)
|
||||
{
|
||||
response.setStatus(200);
|
||||
baseRequest.setHandled(true);
|
||||
}
|
||||
});
|
||||
|
||||
server.start();
|
||||
}
|
||||
|
||||
@AfterEach
|
||||
public void stopServer() throws Exception
|
||||
{
|
||||
if (server != null)
|
||||
server.stop();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSimpleRequest() throws Exception
|
||||
{
|
||||
HTTP2Client h2Client = new HTTP2Client();
|
||||
HttpClient client = new HttpClient(new HttpClientTransportOverHTTP2(h2Client), newSslContextFactory());
|
||||
client.start();
|
||||
try
|
||||
{
|
||||
int port = ((ServerConnector)server.getConnectors()[0]).getLocalPort();
|
||||
ContentResponse contentResponse = client.GET("https://localhost:" + port);
|
||||
assertEquals(200, contentResponse.getStatus());
|
||||
}
|
||||
finally
|
||||
{
|
||||
client.stop();
|
||||
}
|
||||
}
|
||||
}
|
Binary file not shown.
Binary file not shown.
|
@ -739,6 +739,9 @@ sslContextFactory.setProvider("Conscrypt");
|
|||
|
||||
If you are using the Jetty Distribution, please see the section on enabling the link:#jetty-conscrypt-distribution[Conscrypt SSL module.]
|
||||
|
||||
If you are using Conscrypt with Java 8, you must exclude `TLSv1.3` protocol as it is now enabled per default with Conscrypt 2.0.0 but not supported by Java 8.
|
||||
|
||||
|
||||
==== Configuring SNI
|
||||
|
||||
From Java 8, the JVM contains support for the http://en.wikipedia.org/wiki/Server_Name_Indication[Server Name Indicator (SNI)] extension, which allows a SSL connection handshake to indicate one or more DNS names that it applies to.
|
||||
|
|
|
@ -29,6 +29,6 @@ Conscrypt is distributed under the Apache Licence 2.0
|
|||
https://github.com/google/conscrypt/blob/master/LICENSE
|
||||
|
||||
[ini]
|
||||
conscrypt.version?=1.1.4
|
||||
conscrypt.version?=2.0.0
|
||||
jetty.sslContext.provider?=Conscrypt
|
||||
|
||||
|
|
|
@ -548,7 +548,6 @@
|
|||
<plugin>
|
||||
<artifactId>maven-surefire-plugin</artifactId>
|
||||
<configuration>
|
||||
|
||||
<excludes>
|
||||
<exclude>**/TestJettyOSGiBootHTTP2JDK9*</exclude>
|
||||
</excludes>
|
||||
|
|
|
@ -21,6 +21,13 @@
|
|||
<Get class="org.eclipse.jetty.http2.HTTP2Cipher" name="COMPARATOR"/>
|
||||
</Set>
|
||||
<Set name="useCipherSuitesOrder">true</Set>
|
||||
<Call name="addExcludeProtocols">
|
||||
<Arg>
|
||||
<Array type="java.lang.String">
|
||||
<Item>TLSv1.3</Item>
|
||||
</Array>
|
||||
</Arg>
|
||||
</Call>
|
||||
</Ref>
|
||||
|
||||
</Configure>
|
||||
|
|
|
@ -31,6 +31,7 @@ import org.eclipse.jetty.client.HttpClient;
|
|||
import org.eclipse.jetty.client.api.ContentResponse;
|
||||
import org.eclipse.jetty.http2.client.HTTP2Client;
|
||||
import org.eclipse.jetty.http2.client.http.HttpClientTransportOverHTTP2;
|
||||
import org.eclipse.jetty.util.JavaVersion;
|
||||
import org.eclipse.jetty.util.ssl.SslContextFactory;
|
||||
import org.eclipse.jetty.util.thread.QueuedThreadPool;
|
||||
import org.junit.Test;
|
||||
|
@ -145,6 +146,11 @@ public class TestJettyOSGiBootHTTP2Conscrypt
|
|||
sslContextFactory.setTrustStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
|
||||
sslContextFactory.setProvider("Conscrypt");
|
||||
sslContextFactory.setEndpointIdentificationAlgorithm(null);
|
||||
if (JavaVersion.VERSION.getPlatform() < 9)
|
||||
{
|
||||
// Conscrypt enables TLSv1.3 by default but it's not supported in Java 8.
|
||||
sslContextFactory.addExcludeProtocols("TLSv1.3");
|
||||
}
|
||||
HttpClient httpClient = new HttpClient(new HttpClientTransportOverHTTP2(http2Client), sslContextFactory);
|
||||
Executor executor = new QueuedThreadPool();
|
||||
httpClient.setExecutor(executor);
|
||||
|
@ -154,7 +160,6 @@ public class TestJettyOSGiBootHTTP2Conscrypt
|
|||
ContentResponse response = httpClient.GET("https://localhost:" + port + "/jsp/jstl.jsp");
|
||||
assertEquals(200, response.getStatus());
|
||||
assertTrue(response.getContentAsString().contains("JSTL Example"));
|
||||
|
||||
}
|
||||
finally
|
||||
{
|
||||
|
|
2
pom.xml
2
pom.xml
|
@ -28,7 +28,7 @@
|
|||
<infinispan.version>9.4.8.Final</infinispan.version>
|
||||
<!-- default values are unsupported, but required to be defined for reactor sanity reasons -->
|
||||
<alpn.version>undefined</alpn.version>
|
||||
<conscrypt.version>1.4.1</conscrypt.version>
|
||||
<conscrypt.version>2.0.0</conscrypt.version>
|
||||
<asm.version>7.0</asm.version>
|
||||
<jmh.version>1.21</jmh.version>
|
||||
<jmhjar.name>benchmarks</jmhjar.name>
|
||||
|
|
Loading…
Reference in New Issue