Enable Conscrypt for Jetty in the Broker and in the Proxy #10541

Merged
merged 9 commits into from
May 12, 2021

Conversation

lhotari (Member) commented May 11, 2021

Fixes #10372

Motivation

Modifications

  • Load Conscrypt if it's available on the classpath
  • Use the Conscrypt Security provider when it's available. Use it for non-Netty TLS configurations created with SecurityUtils or KeyStoreSSLContext class.
  • Move the Pulsar specific HostnameVerifier part of Pulsar Client from pulsar-client module to pulsar-common module so that it can be used with Conscrypt.
  • Configure Conscrypt to use TlsHostnameVerifier.
  • Configure Conscrypt's default hostname verifier to use Pulsar's TlsHostnameVerifier which is more relaxed than the Conscrypt HostnameVerifier checking for RFC 2818 conformity.
    • Certificates used in Pulsar docs and examples aren't strictly RFC 2818 compliant since they use the deprecated way of specifying the hostname in the CN field of the subject DN of the certificate.
    • RFC 2818 recommends the use of SAN (subjectAltName) extension for specifying the hostname in the dNSName field of the subjectAltName extension.
    • Conscrypt's default HostnameVerifier has dropped support for the deprecated method of specifying the hostname in the CN field.
    • Pulsar's TlsHostnameVerifier continues to support the CN field.
  • There's a bug in Conscrypt when setting a custom HostnameVerifier: the TrustManagerImpl.defaultHostnameVerifier field is ignored (google/conscrypt#1015).
    • Add a workaround for setting the HostnameVerifier when using Conscrypt. The workaround can be removed once the bug in Conscrypt is fixed.
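
The SAN-versus-CN policy the description contrasts (Conscrypt's SAN-only check against a verifier that still honours the subject CN), as an added Java example that is neither Pulsar's TlsHostnameVerifier nor Conscrypt code: a plain javax.net.ssl.HostnameVerifier built only on JDK APIs. It checks dNSName SAN entries first and consults the CN only when the certificate carries no dNSName entry at all (the RFC 6125 section 6.4.4 rule) and only when the constructor flag permits it, so the same class can run in the strict mode or the relaxed mode. The class name, the allowCommonNameFallback flag and the single-label wildcard rule are this example's own choices; how Pulsar's verifier handles these details is not stated on this page, and wiring into Conscrypt's provider-level hook is omitted because the description says that hook was broken in the Conscrypt version used.

```java
import java.net.IDN;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/**
 * Example verifier (not Pulsar's TlsHostnameVerifier) with a switchable CN fallback.
 * allowCommonNameFallback=false: SAN dNSName only, the behaviour the PR attributes to Conscrypt.
 * allowCommonNameFallback=true : SAN first; the subject CN is used only when no dNSName SAN exists.
 */
public final class RelaxedHostnameVerifier implements HostnameVerifier {
    private static final int SAN_DNS_NAME = 2;   // GeneralName tag for dNSName
    private static final int SAN_IP_ADDRESS = 7; // GeneralName tag for iPAddress

    private final boolean allowCommonNameFallback;

    public RelaxedHostnameVerifier(boolean allowCommonNameFallback) {
        this.allowCommonNameFallback = allowCommonNameFallback;
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return false;
            }
            return matches(hostname, (X509Certificate) chain[0]);
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return false; // fail closed: an unverified peer or unparseable certificate never matches
        }
    }

    boolean matches(String hostname, X509Certificate cert) throws CertificateParsingException {
        String host = hostname.toLowerCase(Locale.ROOT);
        boolean ipLiteral = host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.indexOf(':') >= 0;
        if (!ipLiteral) {
            host = IDN.toASCII(host); // compare internationalised names in their A-label form
        }
        List<String> dnsNames = new ArrayList<>();
        List<String> ipAddresses = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> entry : sans) {
                int tag = (Integer) entry.get(0);
                if (tag == SAN_DNS_NAME) dnsNames.add(((String) entry.get(1)).toLowerCase(Locale.ROOT));
                else if (tag == SAN_IP_ADDRESS) ipAddresses.add((String) entry.get(1));
            }
        }
        if (ipLiteral) {
            return ipAddresses.contains(host); // an IP literal matches only an iPAddress SAN
        }
        if (!dnsNames.isEmpty()) {
            for (String name : dnsNames) {
                if (dnsNameMatches(name, host)) return true;
            }
            return false; // a dNSName SAN is present, so the CN is deliberately ignored
        }
        if (!allowCommonNameFallback) {
            return false; // strict mode: no dNSName SAN means no match, whatever the CN says
        }
        String cn = commonName(cert);
        return cn != null && dnsNameMatches(cn.toLowerCase(Locale.ROOT), host);
    }

    /** Exact match, or a single leading "*." wildcard that covers exactly one label. */
    static boolean dnsNameMatches(String pattern, String host) {
        if (pattern.equals(host)) return true;
        if (!pattern.startsWith("*.")) return false;
        String suffix = pattern.substring(1);         // "*.example.com" -> ".example.com"
        if (suffix.indexOf('.', 1) < 0) return false; // refuse "*.com"-style wildcards
        if (!host.endsWith(suffix)) return false;
        String firstLabel = host.substring(0, host.length() - suffix.length());
        return !firstLabel.isEmpty() && firstLabel.indexOf('.') < 0;
    }

    /** First CN attribute of the subject DN, or null when there is none or the DN is unparseable. */
    static String commonName(X509Certificate cert) {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
            }
        } catch (InvalidNameException ignored) {
            // treated as "no CN"
        }
        return null;
    }

    // Installs the relaxed verifier process-wide for HttpsURLConnection clients (JDK API only).
    public static void main(String[] args) {
        HttpsURLConnection.setDefaultHostnameVerifier(new RelaxedHostnameVerifier(true));
    }
}
```

Running the same certificate through `new RelaxedHostnameVerifier(false)` and `new RelaxedHostnameVerifier(true)` shows the exact difference the description is about: a certificate whose hostname lives only in the CN passes in relaxed mode and is rejected in strict mode, while a certificate with a dNSName SAN behaves identically in both.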

lhotari (Member, Author) commented May 11, 2021

/pulsarbot run-failure-checks

@merlimat merlimat added the type/enhancement The enhancements for the existing features or docs. e.g. reduce memory usage of the delayed messages label May 11, 2021
@merlimat merlimat added this to the 2.8.0 milestone May 11, 2021
@merlimat merlimat merged commit 6178ad0 into apache:master May 12, 2021
eolivelli pushed a commit to datastax/pulsar that referenced this pull request May 12, 2021
* Add jetty-alpn-conscrypt-server jar

* Enable Conscrypt / OpenSSL provider if it is available

* Use conscrypt 2.5.2

* Set default hostname verifier for Conscrypt

* Move TlsHostnameVerifier for pulsar-client to pulsar-common

* Use Pulsar's TlsHostnameVerifier with Conscrypt

* Add conscrypt.version property for managing conscrypt version in pom.xml

* Update LICENSE file

* Add comments about HostnameVerifier in Conscrypt