Support configuration in yml of client TLS properties #1224

Merged
merged 9 commits into from Aug 25, 2015

@chrisholmes
Contributor

chrisholmes commented Aug 18, 2015

This PR introduces the ability to modify the TLS behaviour of an HTTP client through a Dropwizard application's configuration file. The major benefit here is the ability to easily configure a client to connect to servers that are secured in non-trivial ways (e.g. client authentication or custom PKI).

The key features that can be configured are:

  • Disable hostname verification;
  • Use a custom truststore (when dealing with a custom PKI);
  • Use a custom keystore (for client authentication);
  • Allow self-signed certificates if necessary;
  • Specify supported protocols (e.g. TLSv1.2 only);
  • Specify supported ciphers.
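
The options listed above, as an added configuration example that is not part of the original PR or the project's own documentation. The key names under `httpClient.tls` are assumed from Dropwizard's client configuration reference and should be checked against the release in use; all paths, passwords and cipher choices are constructed placeholders.

```yaml
# Added example (not from the PR): hypothetical application config for a
# Dropwizard HTTP client talking to a service behind an internal CA that
# requires client certificates. Key names are assumed; values are placeholders.
httpClient:
  tls:
    # Specify supported protocols: offer TLSv1.2 only.
    protocol: TLSv1.2
    supportedProtocols:
      - TLSv1.2

    # Specify supported ciphers: any suite not listed is refused.
    supportedCiphers:
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    # Custom truststore (custom PKI): contains only the internal CA,
    # so certificates from any other issuer fail validation.
    trustStorePath: /etc/example-app/internal-ca.jks      # placeholder path
    trustStorePassword: "<truststore-password>"           # placeholder
    trustStoreType: JKS

    # Custom keystore (client authentication): the client's own key pair.
    keyStorePath: /etc/example-app/client.jks             # placeholder path
    keyStorePassword: "<keystore-password>"               # placeholder
    keyStoreType: JKS

    # Keep both verification controls in their strict state.
    verifyHostname: true
    trustSelfSignedCertificates: false

# Settings to flag when reviewing a config that uses this feature:
#
#   verifyHostname: false
#     The certificate is no longer bound to the host being contacted, so a
#     certificate issued for one name is accepted for any other name.
#
#   trustSelfSignedCertificates: true
#     A server certificate with no trusted issuer is accepted, which removes
#     the protection the truststore provides.
#
# If either is needed for a test environment, keep it in a test-only config
# file so it cannot reach a production deployment.
```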

@chrisholmes chrisholmes force-pushed the chrisholmes:http_client_tls_configuration branch from a9cfb96 to 3b0c3da Aug 18, 2015

@jplock

Member

jplock commented Aug 18, 2015

This looks good, but can you fix the tests?

@chrisholmes

Contributor

chrisholmes commented Aug 19, 2015

Will do. It looks like the exceptions that get thrown are different depending on the OS used, which is a bit frustrating.

@chrisholmes chrisholmes force-pushed the chrisholmes:http_client_tls_configuration branch 5 times, most recently from 255920b to 18d5222 Aug 19, 2015

chrisholmes added some commits Aug 14, 2015

permit extra exceptions to be caught in tests
There appear to be different exceptions thrown depending on the OS
when some of the SSL tests are run. In some cases we may see an
SSLHandshakeException, while in others we see a SocketException due to a
connection reset. I believe this is due to the server's handling of negotiating
TLS sessions differing between OSes.

To overcome this, the tests now expect either the SSLHandshakeException or
SocketException in the tests.

support multiple connectors in apprule
Allow testing of different kinds of TLS configurations (or other connector
configs) on one app rule by adding the ability to query the ports of the different
connectors using their index

Update tests to use this feature and reduce the number of app rules required in
TLS tests

@chrisholmes chrisholmes force-pushed the chrisholmes:http_client_tls_configuration branch from 18d5222 to e59d2bb Aug 24, 2015

@chrisholmes

Contributor

chrisholmes commented Aug 25, 2015

I think I'm done with changes here. Everything looks to be passing, but it does seem to fall afoul of the intermittent timeout errors in tests that master is also experiencing.

@jplock jplock added this to the 0.9.0 milestone Aug 25, 2015

@jplock

Member

jplock commented Aug 25, 2015

I think this looks great. Thanks for the contribution!

jplock added a commit that referenced this pull request Aug 25, 2015

Merge pull request #1224 from chrisholmes/http_client_tls_configuration
Support configuration in yml of client TLS properties

@jplock jplock merged commit e193c9f into dropwizard:master Aug 25, 2015

@arteam

Member

arteam commented Aug 25, 2015

Great contribution, indeed. I'm looking forward to seeing it in 0.9.0.
Should we update the release notes?
