Add support for TLS ALPN

[ktoso]

Issue by jrudolph
Wednesday Feb 11, 2015 at 15:36 GMT
Originally opened as akka/akka#16861

---

RFC 7301

This is a prerequisite to implement HTTP/2 (#16862) if it should be hosted on port 443 together with https fallback (which is recommended).

Ultimately, this needs support in the JDK. For now there's a jetty initiative to add ALPN to the existing implementation.

/cc @sirthias

[ktoso]

Comment by ktoso
Sunday Sep 20, 2015 at 16:51 GMT

---

Jetty's docs on the ALPN lib: (as mentioned by Johannes, they copied and changed one of JDK's classes with changes, thus to use it it has to be first on the classpath): http://www.eclipse.org/jetty/documentation/current/alpn-chapter.html

[ktoso]

Comment by ktoso
Tuesday Oct 20, 2015 at 10:19 GMT

---

HTTP2 is not on the near-term roadmap, moving to backlog (though I'd love to work on it).

[ktoso]

Comment by timcharper
Monday Jan 04, 2016 at 18:54 GMT

---

This project is using Jetty's ALPN:

https://github.com/http4s/blaze

Looks like there's a nice HPack module that Twitter released, too.

[ktoso]

Comment by ktoso
Monday Jan 04, 2016 at 18:55 GMT

---

Yup, we're aware of those :-) I read both and they look v. good.
Thanks for the info nevertheless.

[ktoso]

Comment by timcharper
Monday Jan 04, 2016 at 18:59 GMT

---

Wonderful! Feeling anxious to see this start materializing, and I'd like to help. I know there's lots of important things to do, though. I noticed a mentorship request was declined because you guys are too busy, and maybe my attempts at helping would be more harm than help because you already have a clear idea of how you want to see it implemented.

[ktoso]

Comment by ktoso
Monday Jan 04, 2016 at 19:05 GMT

---

Help certainly is very welcome! The mentorship you mention was a student project which while I think is great, sadly at that point in time was very scalaz and other libraries dependent so it would have been very hard to pull it into akka (we try to be as dependency free as possible).

I'll keep you updated once we have a battle plan. January is performance and Java 8 month :-)

[ktoso]

Comment by hepin1989
Monday Jan 04, 2016 at 19:08 GMT

---

https://github.com/trustin/jetty-alpn-agent

[ktoso]

Comment by ktoso
Monday Jan 04, 2016 at 19:09 GMT

---

This one I did not know, thanks @hepin1989! :-) Sadly enabling ALPN will continue to need such hacks until natively supported by the JDK.

[ktoso]

Comment by hepin1989
Saturday Jan 09, 2016 at 16:52 GMT

---

netty/netty#3481 another link about this.

[jrudolph]

Seems no way around this hack currently. It's major disadvantage is that the jetty package needs to replace parts of the JDK TLS stack with patched versions for which a JAR file needs to be put into the bootclasspath. The patches only work with a concrete particular version of the JRE. The advantage of using the agent (https://github.com/trustin/jetty-alpn-agent) is that it will choose the right version of the patched jar.

[schmitch]

Actually it would be great if the ALPN setup isn't too much different from Netty.
Also @wsargent has made a Design Document how everything is handled in Netty: https://docs.google.com/document/d/1Q70CLP-r6FKmlls9j8kp-_U65H_NuNdNbqU7vmGTG60/edit#heading=h.qoevo0gsdd69 (there is also a way how we setup Akka-Http over SSL)

[wsargent]

@schmitch much of the Netty information starts with http://netty.io/wiki/requirements-for-4.x.html#transport-security-tls

[jrudolph]

Tested both jetty-alpn which works and also netty-tcnative-boringssl-static (in branch jr/http2-on-netty-openssl) which needs a bit of boilerplate to be used as a drop-in replacement but which also seems to work somewhat (it can receive data but then hangs for some reason).