Add host and port to SSLEngineFactory

[wsargent]

Fixes #513

[slandelle]

Are you sure this is right? uri.getPort will return -1 if using the scheme default port. I think you should be using AsyncHttpProviderUtils.getHost/getPort

[wsargent]

Good catch. Fixing the host and port options.

[wsargent]

Grizzly looks like a harder fix: the relevant code for creating an SSLEngine is in SSLEngineConfigurator.createSSLEngine() but it does not take a peerName or peerPort, and is called from SSLBaseFilter.handleRead inside a couple of blocks of code.

[wsargent]

What we CAN do is make sure that a correctly configured SSLEngine is already in place by the time it does a handleRead:

    @Override
    public NextAction handleRead(final FilterChainContext ctx)
    throws IOException {
        final Connection connection = ctx.getConnection();
        final SSLConnectionContext sslCtx = obtainSslConnectionContext(connection);
        SSLEngine sslEngine = sslCtx.getSslEngine();

by ensuring SSL_CTX_ATTR is already set:

    static SSLConnectionContext obtainSslConnectionContext(
            final Connection connection) {
        SSLConnectionContext sslCtx = SSL_CTX_ATTR.get(connection);
        if (sslCtx == null) {
            sslCtx = new SSLConnectionContext(connection);
            SSL_CTX_ATTR.set(connection, sslCtx);
        }

        return sslCtx;
    }

[slandelle]

I'm completely clueless on the Grizzly side.
If you can't fix it, I say we leave it as is, maybe disable the failing tests on the grizzly side, and open issues so they get tracked and someone with Grizzly skills can fix them.

[slandelle]

@wsargent I just chatted with @jfarcand : let's do as I suggested: disable failing Grizzly tests and open new issues targeting only Grizzly and documenting what you've done so far. Are you fine with that?

[oleksiys]

I'm not very familiar with Grizzly AHC code, but IMO the following can work:

1. extend SSLEngineConfigurator passed to the SSLFilter with additional
   createSSLEngine(String, int) method
2. override SSLFilter.handshake method to call the new
   SSLEngineConfigurator.createSSLEngine(String, int) method, created on the
   1st step.

WBR,
Alexey.

[wsargent]

@oleksiys I'll give that a shot.

[wsargent]

@oleksiys Doesn't quite work -- the handshakeContextAttr is private and final to SSLFilter. I might have to replace it with something extending from SSLBaseFilter.

[oleksiys]

let me check, are you working on 1.8.x branch?

[wsargent]

@oleksiys No, this is on master. When it works on master, then can maybe think about backporting it, but not until then.

[oleksiys]

@wsargent check this gist https://gist.github.com/anonymous/cc11a4806512c3be3c98. Please let me know if it works for you. thanks!

[slandelle]

@wsargent Just saw your tweet. Did you fork AHC (as PR are not merged yet)? WDYT about @oleksiys 's suggestion? Do you want to give it a try, or do you want me to merge what you've done so for only for the Netty provider?

[wsargent]

I have not forked

playframework/playframework#2229 got merged into playframework:master, and should be in Play 2.3-M2. Play 2.3 is not out yet, so there's still time to upgrade / patch etc.. It is still using AHC-1.8.x right now.

I've had my hands full writing up better documentation and covering the last few holes. I saw @oleksiys's suggestion but haven't had time to look at it.

If you want to give it a try, YES, please let me know how it works.

I have detailed how to test hostname verification here: http://tersesystems.com/2014/03/31/testing-hostname-verification/

Note that running the AHC tests for me still breaks unless I apply the SSL handshake listener fix in #525

[slandelle]

If you want to give it a try, YES, please let me know how it works.

No way :) I also have my hands full and have to focus on the Netty provider.
I'm going to do as I suggested: pick your changes for the Netty provider. Maybe @oleksiys will fix the Grizzly part.

[slandelle]

This PR conflicts with #526. Fun...

[slandelle]

@oleksiys I have a problem with your patch. Where do HOST and PORT come from? https://gist.github.com/anonymous/cc11a4806512c3be3c98#file-gistfile1-java-L99

[slandelle]

@oleksiys I chatted with @rlubke and he told me to try:

InetSocketAddress peerAddress = (InetSocketAddress) connection.getPeerAddress();
String host = peerAddress.getHostString();
int port = peerAddress.getPort();
sslEngine = ((HostPortAwareSSLEngineConfigurator) sslEngineConfigurator)
        .createSSLEngine(host, port);

Sadly, tests stil fail. :(

[slandelle]

@wsargent If I apply your patches, I have tons of tests failing on the Netty side too.

[oleksiys]

@slandelle Ryan's suggestion sounds reasonable. Not sure why the test is failing. Can I ask you to put these changes on some branch, so I can reproduce the failure and work on it?

Thank you!

[slandelle]

@oleksiys Thanks a lot for getting in touch. I've just pushed a branch named ssl-wip with the changes proposed by @wsargent and yours. Note that the tests also fail on the Netty provider, so I can't tell what's wrong (the proposed changes, the tests?).

Cheers!

[wsargent]

Try the SSL handshake listener fix in
#525 to fix the
tests. If the hostname verification happens before the SSL handshake, you
will get sslSession.isValid() == false.

[slandelle]

@wsargent I've already merged #525, both on master and on the ssl-wip branches!

[oleksiys]

hi guys,
do the tests work now?
On my local machine I made them work (both Grizzly and Netty) by reverting (reworking) SslUtils changes (0347bec), the diff is here [1].

[1] https://gist.github.com/oleksiys/baa7ca013f35cc9541b2

[wsargent]

Were you able to fix the test by merging

#525

?

[oleksiys]

I haven't checked that, but slandelle said he merged #525, but the test issue was still there.

[slandelle]

So you're reconfiguring the bootstraps' ChannelInitializer on EVERY request?!

[slandelle]

I checked the Netty part and it seems very racy and inefficient to me.
You're creating a new ChannelInitializer for the 4 bootstraps on every request. But if you try to send 2 requests to differents (host, port) from different threads, there's a chance you end up with the wrong SSLEngine.

I think the only solution, is to have a custom non shareable handler that replaces itself with a properly configured SslHandler.

@wsargent WDYT?