Allow to use some custom security provider in HTTP client #2299
Conversation
| @@ -71,7 +71,8 @@ private SSLContext buildSslContext() throws SSLInitializationException { | |||
| final SSLContext sslContext; | |||
| try { | |||
| final SSLContextBuilder sslContextBuilder = new SSLContextBuilder(); | |||
| sslContextBuilder.useProtocol(configuration.getProtocol()); | |||
| sslContextBuilder.setProtocol(configuration.getProtocol()); | |||
There was a problem hiding this comment.
Method useProtocol is marked as deprecated, so changing to setProtocol.
docs/source/manual/configuration.rst
Outdated
| @@ -1313,6 +1314,7 @@ Name Default Description | |||
| protocol TLSv1.2 The default protocol the client will attempt to use during the SSL Handshake. | |||
| See | |||
| `here <http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext>`_ for more information. | |||
| provider (none) The name of the JCE provider to use on client side for cryptographic support. | |||
There was a problem hiding this comment.
Could you please add some examples for valid values here, e. g. "BC" for BouncyCastle or Conscrypt?
| @@ -1313,6 +1314,7 @@ Name Default Description | |||
| protocol TLSv1.2 The default protocol the client will attempt to use during the SSL Handshake. | |||
| See | |||
| `here <http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext>`_ for more information. | |||
| provider (none) The name of the JCE provider to use on client side for cryptographic support (for example, SunJCE, Conscrypt, BC, etc). | |||
There was a problem hiding this comment.
Are these really valid values for the SSLContextBuilder#setProvider() method?
And if so, why is "SUN" being used in the example above?
There was a problem hiding this comment.
SSLContextBuilder#setProvider() calls Security.getProvider() under the hood.
public SSLContextBuilder setProvider(final String name) {
this.provider = Security.getProvider(name);
return this;
}Oracle Standard JDK comes with 10 providers, SUN and SunJCE among them. SUN is what Security.getProviders()[0].getName() returns on my JDK. Index 0 means it has the highest priority. That's why "SUN" in the example above. But I think now that it's better to specify default value as SunJSSE, as the provider which will be by default used with TLSv1.2 (in JDK 8) is in fact SunJSSE.
BC and Conscrypt will work if they were previously configured using Security.addProvider() or Security.insertProviderAt().
There was a problem hiding this comment.
Thanks for the explanation! 👍
Please add a link to https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html for a more detailed overview.
| @@ -71,7 +71,8 @@ private SSLContext buildSslContext() throws SSLInitializationException { | |||
| final SSLContext sslContext; | |||
| try { | |||
| final SSLContextBuilder sslContextBuilder = new SSLContextBuilder(); | |||
| sslContextBuilder.useProtocol(configuration.getProtocol()); | |||
| sslContextBuilder.setProtocol(configuration.getProtocol()); | |||
| sslContextBuilder.setProvider(configuration.getProvider()); | |||
There was a problem hiding this comment.
Would it make sense to only set the provider if configuration.getProvider() wasn't null?
There was a problem hiding this comment.
There is no desperate need in it, because Security.getProvider(null) doesn't throw NPE, but you're right, better to check. Updated.
|
Thanks for such a quick merge, @joschi! 👍 |
Problem:
Dropwizard allows to configure JCE provider for server side, passing
jceProviderproperty to Jetty. This allows to use some non-standard provider, like Conscrypt. But there is no such setting on client side.Solution:
Add new field
providertoTlsConfigurationand pass it to Apache HTTP client builder.