diff --git a/jetty-documentation/src/main/asciidoc/administration/http2/configuring-haproxy.adoc b/jetty-documentation/src/main/asciidoc/administration/http2/configuring-haproxy.adoc index aa494ee6b8a..6dd48700654 100644 --- a/jetty-documentation/src/main/asciidoc/administration/http2/configuring-haproxy.adoc +++ b/jetty-documentation/src/main/asciidoc/administration/http2/configuring-haproxy.adoc @@ -42,8 +42,6 @@ Alternatively you can download the HAProxy source code and build it on your envi ____ [NOTE] HAProxy supports ALPN only if built with OpenSSL 1.0.2 or greater. -Alternatively, HAProxy supports NPN when built with OpenSSL 1.0.1 or greater. -You must upgrade OpenSSL if you have a version earlier than 1.0.1. Use `haproxy -vv` to know with which OpenSSL version HAProxy has been built. ____ diff --git a/jetty-documentation/src/main/asciidoc/administration/npn/chapter.adoc b/jetty-documentation/src/main/asciidoc/administration/npn/chapter.adoc deleted file mode 100644 index b589fce4fdf..00000000000 --- a/jetty-documentation/src/main/asciidoc/administration/npn/chapter.adoc +++ /dev/null @@ -1,18 +0,0 @@ -// ======================================================================== -// Copyright (c) 1995-2017 Mort Bay Consulting Pty. Ltd. -// ======================================================================== -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== - -[[npn-chapter]] -== NPN diff --git a/jetty-documentation/src/main/asciidoc/administration/npn/npn.adoc b/jetty-documentation/src/main/asciidoc/administration/npn/npn.adoc deleted file mode 100644 index 34ee58af58c..00000000000 --- a/jetty-documentation/src/main/asciidoc/administration/npn/npn.adoc +++ /dev/null @@ -1,305 +0,0 @@ -// ======================================================================== -// Copyright (c) 1995-2017 Mort Bay Consulting Pty. Ltd. -// ======================================================================== -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== - -How to build NPN -================ - -[[npn]] -= - -[[npn-introduction]] -== Configuring NPN - -The Jetty project provides an implementation of the Transport Layer -Security (TLS) extension for Next Protocol Negotiation (NPN) for OpenJDK -7 (but not for OpenJDK 8 or greater - see xref:alpn-chapter[] for -using a TLS protocol negotiation extension with OpenJDK 8 or greater). -NPN allows the application layer to negotiate which protocol to use over -the secure connection. - -NPN currently negotiates using SPDY as an application level protocol on -port 443, and also negotiates the SPDY version. However, NPN is not -SPDY-specific in any way. Jetty's NPN implementation, although hosted -under the umbrella of the Jetty project, is independent of Jetty (the -servlet container); you can use it in any other Java network server. - -[[npn-starting]] -== Starting the JVM - -To enable NPN support, start the JVM as follows: - -[source, plain, subs="{sub-order}"] ----- -java -Xbootclasspath/p: ... ----- - -where `path_to_npn_boot_jar` is the path on the file system for the NPN -Boot Jar file, for example, one at the Maven coordinates -org.mortbay.jetty.npn:npn-boot. - -Be aware that the current versions of the npn packages no longer align -with Jetty versions. Look at the dates in those file paths before -looking at the version number. - -[[npn-osgi]] -=== Starting in OSGi - -To use NPN in an OSGi environment, in addition to putting the NPN jar on -the boot classpath for the container, you will also need to deploy the -jetty-osgi-npn jar. This jar contains a Fragment-Host directive that -ensures the NPN classes will be available from the system bundle. - -You can download the jetty-osgi-npn jar from maven central: -http://central.maven.org/maven2/org/eclipse/jetty/osgi/jetty-osgi-npn/ - -[[npn-understanding]] -== Understanding the NPN API - -Applications need to interact with NPN TLS extension protocol -negotiations. For example, server applications need to know whether the -client supports NPN, and client applications needs to know the list of -protocols the server supports, and so on. - -To implement this interaction, Jetty's NPN implementation provides an -API to applications, hosted at Maven coordinates -org.eclipse.jetty.npn:npn-api. You need to declare this dependency as -provided, because the npn-boot Jar already includes it (see the previous -section), and it is therefore available in the boot classpath. - -The API consists of a single class, -`org.eclipse.jetty.npn.NextProtoNego`, and applications need to register -instances of SSLSocket or SSLEngine with a ClientProvider or -ServerProvider (depending on whether the application is a client or -server application). Refer to NextProtoNego Javadocs and to the examples -below for further details about client and server provider methods. - -[[client-example]] -== Client Example - -[source, java, subs="{sub-order}"] ----- -SSLContext sslContext = ...; -final SSLSocket sslSocket = (SSLSocket)context.getSocketFactory().createSocket("localhost", server.getLocalPort()); - -NextProtoNego.put(sslSocket, new NextProtoNego.ClientProvider() -{ - @Override - public boolean supports() - { - return true; - } - - @Override - public void unsupported() - { - NextProtoNego.remove(sslSocket); - } - - @Override - public String selectProtocol(List protocols) - { - NextProtoNego.remove(sslSocket); - return protocols.get(0); - } -}); ----- - -The NPN implementation calls `NextProtoNego.ClientProvider` methods -`supports()`, `unsupported()` and `selectProtocol(List)`, so -that the client application can: - -* decide whether to support NPN. -* know whether the server supports NPN. -* select one of the protocols the server supports. - -[[server-example]] -== Server Example - -The example for SSLEngine is identical, and you just need to replace the -SSLSocket instance with an SSLEngine instance. - -[source, java, subs="{sub-order}"] ----- -final SSLSocket sslSocket = ...; -NextProtoNego.put(sslSocket, new NextProtoNego.ServerProvider() -{ - @Override - public void unsupported() - { - NextProtoNego.remove(sslSocket); - } - - @Override - public List protocols() - { - return Arrays.asList("http/1.1"); - } - - @Override - public void protocolSelected(String protocol) - { - NextProtoNego.remove(sslSocket); - System.out.println("Protocol Selected is: " + protocol); - } -}); ----- - -The NPN implementation calls `NextProtoNego.ServerProvider` methods -`unsupported()`, `protocols()` and `protocolSelected(String),` so that -the server application can: - -* know whether the client supports NPN. -* provide the list of protocols the server supports. -* know which protocol the client chooses. - -[[npn-implementation]] -== Implementation Details - -It is common that the NextProtoNego.ServerProvider and the -NextProtoNego.ClientProvider are implemented as (anonymous) inner -classes, and that their methods' implementations require references to -the the sslSocket (or sslEngine), either directly or indirectly. - -Since the NextProtoNego class holds [sslSocket/sslEngine, provider] -pairs in a `WeakHashMap`, if the value (that is, the provider -implementation) holds a strong (even indirect) reference to the key, -then the `WeakHashMap` entries are never removed, leading to a memory -leak. - -It is important that implementations of `NextProtoNego.ServerProvider` -and `NextProtoNego.ClientProvider` remove the `sslSocket` or `sslEngine` -when the negotiation is complete, like shown in the examples above. - -Be aware that declaring the SslConnection as a final local variable and -referencing it from within the anonymous NextProtoNego.ServerProvider -class generates a hidden field in the anonymous inner class, that may -cause a memory leak if the implementation does not call -`NextProtoNego.remove()`. - -[[npn-tests]] -== Unit Tests - -You can write and run unit tests that use the NPN implementation. The -solution that we use with Maven is to specify an additional command line -argument to the Surefire plugin: - -[source, xml, subs="{sub-order}"] ----- - - - - 1.1.1.v20121030 - - - - - - maven-surefire-plugin - - - -Xbootclasspath/p:${settings.localRepository}/org/mortbay/jetty/npn/npn-boot/${npn-version}/npn-boot-${npn-version}.jar - - - - - ... - - - - -... - - ----- - -[[npn-debugging]] -== Debugging - -You can enable debug logging for the NPN implementation in this way: - -.... -NextProtoNego.debug = true; -.... - -Since the NextProtoNego class is in the boot classpath, we chose not to -use logging libraries because we do not want to override application -logging library choices; therefore the logging is performed directly on -`System.err.` - -[[npn-license-details]] -== License Details - -The NPN implementation relies on modification of a few OpenJDK classes -and on a few new classes that need to live in the `sun.security.ssl` -package. These classes are released under the same GPLv2+exception -license of OpenJDK. - -The NextProtoNego class is released under same license as the classes of -the Jetty project. - -[[npn-versions]] -== Versions - -The NPN implementation, relying on modifications of OpenJDK classes, -updates every time there are updates to the modified OpenJDK classes. - -.NPN vs. OpenJDK versions -[cols=",",options="header",] -|========================================================== -|NPN version |OpenJDK version -|1.0.0.v20120402 |1.7.0 - 1.7.0u2 - 1.7.0u3 -|1.1.0.v20120525 |1.7.0u4 - 1.7.0u5 -|1.1.1.v20121030 |1.7.0u6 - 1.7.0u7 -|1.1.3.v20130313 |1.7.0u9 - 1.7.0u10 - 1.7.0u11 -|1.1.4.v20130313 |1.7.0u13 -|1.1.5.v20130313 |1.7.0u15 - 1.7.0u17 - 1.7.0u21 - 1.7.0u25 -|1.1.6.v20130911 |1.7.0u40 - 1.7.0u45 - 1.7.0u51 -|1.1.8.v20141013 |1.7.0u55 - 1.7.0u60 - 1.7.0u65 - 1.7.0u67 -|1.1.9.v20141016 |1.7.0u71 - 1.7.0u72 -|1.1.10.v20150130 |1.7.0u75 - 1.7.0u76 - 1.7.0u79 -|1.1.11.v20150415 |1.7.0u80 -|========================================================== - -[[npn-build]] -== How to build NPN - -This section is for Jetty developers that need to update the NPN -implementation with the OpenJDK versions. - -Clone the OpenJDK repository with the following command: - -[source, screen, subs="{sub-order}"] -.... -$ hg clone http://hg.openjdk.java.net/jdk7u/jdk7u jdk7u -$ cd jdk7u -$ ./get_source.sh - -.... - -To update the source to a specific tag, use the following command: - -[source, screen, subs="{sub-order}"] -.... -$ ./make/scripts/hgforest.sh update - -.... - -The list of OpenJDK tags can be obtained from -http://hg.openjdk.java.net/jdk7u/jdk7u/tags[this page]. - -Then you need to compare and incorporate the OpenJDK source changes into -the modified OpenJDK classes at the -https://github.com/jetty-project/jetty-npn[NPN GitHub Repository]. diff --git a/jetty-documentation/src/main/asciidoc/configuring/connectors/configuring-connectors.adoc b/jetty-documentation/src/main/asciidoc/configuring/connectors/configuring-connectors.adoc index d5518ca8621..18db3c60120 100644 --- a/jetty-documentation/src/main/asciidoc/configuring/connectors/configuring-connectors.adoc +++ b/jetty-documentation/src/main/asciidoc/configuring/connectors/configuring-connectors.adoc @@ -305,7 +305,7 @@ link:{GITBROWSEURL}/jetty-server/src/main/config/etc/jetty-https.xml[`jetty-http link:{GITBROWSEURL}/jetty-server/src/main/config/etc/jetty-http-forwarded.xml[`jetty-http-forwarded.xml`]:: Adds a link:{JDURL}/org/eclipse/jetty/server/ForwardedRequestCustomizer.html[`ForwardedRequestCustomizer`]to the HTTP Connector to process forwarded-for style headers from a proxy. link:{GITBROWSEURL}/jetty-http2/http2-server/src/main/config/etc/jetty-http2.xml[`jetty-http2.xml`]:: - Adds a link:{JDURL}/org/eclipse/jetty/http2/server/HTTP2ServerConnectionFactory.html[`Http2ServerConnectionFactory`] to the link:{JDURL}/org/eclipse/jetty/server/ServerConnector.html[`ServerConnector`] configured by `jetty-ssl.xml` to support the http2 protocol. Also prepends either `protonego-alpn.xml` or `protonego-npn.xml` so that the next protocol can be negotiated, which allows the same SSL port to handle multiple protocols. + Adds a link:{JDURL}/org/eclipse/jetty/http2/server/HTTP2ServerConnectionFactory.html[`Http2ServerConnectionFactory`] to the link:{JDURL}/org/eclipse/jetty/server/ServerConnector.html[`ServerConnector`] configured by `jetty-ssl.xml` to support the http2 protocol. link:{GITBROWSEURL}/jetty-alpn/jetty-alpn-server/src/main/config/etc/jetty-alpn.xml[`jetty-alpn.xml`]:: Adds an link:{JDURL}/org/eclipse/jetty/alpn/server/ALPNServerConnectionFactory.html[`ALPNServerConnectionFactory`] to the link:{JDURL}/org/eclipse/jetty/server/ServerConnector.html[`ServerConnector`] configured by `jetty-ssl.xml` which allows the one SSL connector to support multiple protocols with the ALPN extension used to select the protocol to be used for each connection. diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SniX509ExtendedKeyManager.java b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SniX509ExtendedKeyManager.java index 2056d0256c1..d2126d77618 100644 --- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SniX509ExtendedKeyManager.java +++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SniX509ExtendedKeyManager.java @@ -111,8 +111,7 @@ public class SniX509ExtendedKeyManager extends X509ExtendedKeyManager public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { SSLSocket sslSocket = (SSLSocket)socket; - - String alias = chooseServerAlias(keyType,issuers,sslSocket.getSSLParameters().getSNIMatchers(),sslSocket.getHandshakeSession()); + String alias = socket==null?NO_MATCHERS:chooseServerAlias(keyType,issuers,sslSocket.getSSLParameters().getSNIMatchers(),sslSocket.getHandshakeSession()); if (alias==NO_MATCHERS) alias=_delegate.chooseServerAlias(keyType,issuers,socket); if (LOG.isDebugEnabled()) @@ -123,7 +122,7 @@ public class SniX509ExtendedKeyManager extends X509ExtendedKeyManager @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) { - String alias = chooseServerAlias(keyType,issuers,engine.getSSLParameters().getSNIMatchers(),engine.getHandshakeSession()); + String alias = engine==null?NO_MATCHERS:chooseServerAlias(keyType,issuers,engine.getSSLParameters().getSNIMatchers(),engine.getHandshakeSession()); if (alias==NO_MATCHERS) alias=_delegate.chooseEngineServerAlias(keyType,issuers,engine); if (LOG.isDebugEnabled())