Add host and port to SSLEngineFactory #527
@@ -72,6 +72,9 @@ public void close() { | |||
|
|||
@Override | |||
public <T> ListenableFuture<T> execute(Request request, final AsyncHandler<T> asyncHandler) throws IOException { | |||
final URI uri = request.getURI(); | |||
channels.configureProcessor(requestSender, closed, uri.getHost(), uri.getPort()); |
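Review bot: `uri.getHost()` and `uri.getPort()` are passed to `configureProcessor` unvalidated in `execute`. `java.net.URI.getPort()` returns -1 when the URI has no explicit port, and `getHost()` can return null, so a request to `https://host/path` would hand the SSLEngine factory port -1. Resolve the scheme default port and reject a null host before this call so the engine is created for the real peer.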
Are you sure this is right? uri.getPort will return -1 if using the scheme default port. I think you should be using AsyncHttpProviderUtils.getHost/getPort

Good catch. Fixing the host and port options.
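
The port handling raised in this review, as an added example (not code from this PR or from AsyncHttpClient): it resolves the scheme default when `URI.getPort()` returns -1 and passes the peer host and port to the JDK's `SSLContext.createSSLEngine(host, port)`, then turns on HTTPS endpoint identification. The class name, helper names and the example.com URLs are assumptions made for the illustration.

```java
import java.net.URI;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class PeerAwareEngine {

    // Hypothetical helper: URI.getPort() returns -1 when the URI has no
    // explicit port, so fall back to the default port of the scheme.
    static int effectivePort(URI uri) {
        if (uri.getPort() != -1) {
            return uri.getPort();
        }
        String scheme = uri.getScheme();
        if ("https".equalsIgnoreCase(scheme) || "wss".equalsIgnoreCase(scheme)) {
            return 443;
        }
        if ("http".equalsIgnoreCase(scheme) || "ws".equalsIgnoreCase(scheme)) {
            return 80;
        }
        throw new IllegalArgumentException("no default port for scheme: " + scheme);
    }

    // Hypothetical factory: build a client-mode engine bound to the peer.
    static SSLEngine newClientEngine(SSLContext ctx, URI uri) {
        String host = uri.getHost();
        if (host == null) {
            throw new IllegalArgumentException("URI has no host: " + uri);
        }
        SSLEngine engine = ctx.createSSLEngine(host, effectivePort(uri));
        engine.setUseClientMode(true);
        // Ask JSSE to check the certificate against the peer host during the handshake.
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Constructed sample URIs: no port, explicit port, secure websocket.
        String[] samples = {"https://example.com/a", "https://example.com:8443/a", "wss://example.com/ws"};
        for (String s : samples) {
            SSLEngine e = newClientEngine(ctx, URI.create(s));
            System.out.println(s + " -> " + e.getPeerHost() + ":" + e.getPeerPort());
        }
    }
}
```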
Grizzly looks like a harder fix: the relevant code for creating an SSLEngine is in

What we CAN do is make sure that a correctly configured SSLEngine is already in place by the time it does a handleRead:
by ensuring SSL_CTX_ATTR is already set:

I'm completely clueless on the Grizzly side.

I'm not very familiar with Grizzly AHC code, but IMO the following can work:
WBR,

@oleksiys I'll give that a shot.

@oleksiys Doesn't quite work -- the

let me check, are you working on 1.8.x branch?

@oleksiys No, this is on master. When it works on master, then can maybe think about backporting it, but not until then.

@wsargent check this gist https://gist.github.com/anonymous/cc11a4806512c3be3c98. Please let me know if it works for you. thanks!

I have not forked.

playframework/playframework#2229 got merged into playframework:master, and should be in Play 2.3-M2. Play 2.3 is not out yet, so there's still time to upgrade / patch etc. It is still using AHC-1.8.x right now.

I've had my hands full writing up better documentation and covering the last few holes. I saw @oleksiys's suggestion but haven't had time to look at it. If you want to give it a try, YES, please let me know how it works.

I have detailed how to test hostname verification here: http://tersesystems.com/2014/03/31/testing-hostname-verification/

Note that running the AHC tests for me still breaks unless I apply the SSL handshake listener fix in #525

No way :) I also have my hands full and have to focus on the Netty provider.

This PR conflicts with #526. Fun...

@oleksiys I have a problem with your patch. Where do HOST and PORT come from? https://gist.github.com/anonymous/cc11a4806512c3be3c98#file-gistfile1-java-L99

@oleksiys I chatted with @rlubke and he told me to try:

```java
InetSocketAddress peerAddress = (InetSocketAddress) connection.getPeerAddress();
String host = peerAddress.getHostString();
int port = peerAddress.getPort();
sslEngine = ((HostPortAwareSSLEngineConfigurator) sslEngineConfigurator)
        .createSSLEngine(host, port);
```

Sadly, tests still fail. :(

@wsargent If I apply your patches, I have tons of tests failing on the Netty side too.

@slandelle Ryan's suggestion sounds reasonable. Not sure why the test is failing. Can I ask you to put these changes on some branch, so I can reproduce the failure and work on it? Thank you!

Try the SSL handshake listener fix in

hi guys,

Were you able to fix the test by merging ?

I haven't checked that, but slandelle said he merged #525, but the test issue was still there.

final URI uri = request.getURI(); | ||
final String host = AsyncHttpProviderUtils.getHost(uri); | ||
final int port = AsyncHttpProviderUtils.getPort(uri); | ||
channels.configureProcessor(requestSender, closed, host, port); |
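Review bot: `channels.configureProcessor(requestSender, closed, host, port)` still runs inside `execute`, so every request re-applies its own `host` and `port` to `channels`, which is not created per request in these lines. If `configureProcessor` stores those values on state shared between connections, two concurrent requests to different hosts can leave one connection with an SSLEngine built for the other peer, which would undermine hostname verification. Consider carrying host and port with the individual connection or channel instead, and document the threading expectations of `configureProcessor`.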
So you're reconfiguring the bootstraps' ChannelInitializer on EVERY request?!

I checked the Netty part and it seems very racy and inefficient to me. I think the only solution is to have a custom non-shareable handler that replaces itself with a properly configured SslHandler. @wsargent WDYT?

)

### Motivation

With Xcode 13.2, and therefore Swift 5.5.2, Swift Concurrency is supported on older Apple OSs. async/await support will no longer be available on Swift before `5.5.2` but this isn't a breaking change because we have not yet made anything of it public.

### Changes

- replace all `#if compiler(>=5.5) && canImport(_Concurrency)` with `#if compiler(>=5.5.2) && canImport(_Concurrency)`
- replace all `available(macOS 12.0, iOS 15.0, watchOS 8.0, tvOS 15.0, *)` with `available(macOS 10.15, iOS 13.0, watchOS 6.0, tvOS 13.0, *)`

Fixes #513