Allow to use some custom security provider in HTTP client #2299
@@ -71,7 +71,8 @@ private SSLContext buildSslContext() throws SSLInitializationException { | |||
final SSLContext sslContext; | |||
try { | |||
final SSLContextBuilder sslContextBuilder = new SSLContextBuilder(); | |||
sslContextBuilder.useProtocol(configuration.getProtocol()); | |||
sslContextBuilder.setProtocol(configuration.getProtocol()); |
Method useProtocol is marked as deprecated, so changing to setProtocol.
docs/source/manual/configuration.rst
@@ -1313,6 +1314,7 @@ Name Default Description | |||
protocol TLSv1.2 The default protocol the client will attempt to use during the SSL Handshake. | |||
See | |||
`here <http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext>`_ for more information. | |||
provider (none) The name of the JCE provider to use on client side for cryptographic support. |
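Review bot: the new provider row says only "the name of the JCE provider" without telling the reader which names are valid or that the name has to match a provider already installed in the JDK's provider list; the protocol row directly above links to the StandardNames page in `here <...>`_ form, so the provider row should get the same treatment: list one or two example values and add a link to the Oracle provider documentation in the same style.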
Could you please add some examples for valid values here, e.g. "BC" for BouncyCastle or Conscrypt?
@@ -1313,6 +1314,7 @@ Name Default Description | |||
protocol TLSv1.2 The default protocol the client will attempt to use during the SSL Handshake. | |||
See | |||
`here <http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext>`_ for more information. | |||
provider (none) The name of the JCE provider to use on client side for cryptographic support (for example, SunJCE, Conscrypt, BC, etc). |
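Review bot: the example list "SunJCE, Conscrypt, BC" mixes providers of different kinds: SunJCE is a stock JDK provider but not the one that supplies SSLContext on a stock JDK (that is SunJSSE, as the discussion below also concludes), and Conscrypt and BC are only resolvable after they have been registered with Security.addProvider() or Security.insertProviderAt(). Suggest "(for example, SunJSSE, or a registered third-party provider such as Conscrypt or BC)" and a short sentence that the value must name a provider that implements SSLContext for the configured protocol.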
Are these really valid values for the SSLContextBuilder#setProvider() method? And if so, why is "SUN" being used in the example above?
SSLContextBuilder#setProvider() calls Security.getProvider() under the hood.

    public SSLContextBuilder setProvider(final String name) {
        // Security.getProvider returns null when no installed provider has this name
        this.provider = Security.getProvider(name);
        return this;
    }

Oracle Standard JDK comes with 10 providers, SUN and SunJCE among them. SUN is what Security.getProviders()[0].getName() returns on my JDK. Index 0 means it has the highest priority. That's why "SUN" is in the example above. But I now think it's better to specify the default value as SunJSSE, as the provider that will be used by default with TLSv1.2 (in JDK 8) is in fact SunJSSE.

BC and Conscrypt will work if they were previously configured using Security.addProvider() or Security.insertProviderAt().
Thanks for the explanation! 👍
Please add a link to https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html for a more detailed overview.
@@ -71,7 +71,8 @@ private SSLContext buildSslContext() throws SSLInitializationException { | |||
final SSLContext sslContext; | |||
try { | |||
final SSLContextBuilder sslContextBuilder = new SSLContextBuilder(); | |||
sslContextBuilder.useProtocol(configuration.getProtocol()); | |||
sslContextBuilder.setProtocol(configuration.getProtocol()); | |||
sslContextBuilder.setProvider(configuration.getProvider()); |
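Review bot: setProvider is called unconditionally with configuration.getProvider(), so when the new setting is absent (its documented default is "(none)") the builder receives null; guard the call with `if (configuration.getProvider() != null)` so the default provider selection is left untouched. Related: since setProvider resolves the name through Security.getProvider(), which returns null for an unknown or misspelled name, a typo in the configured provider would silently fall back to the JDK's default provider instead of failing; consider validating that Security.getProvider(name) is non-null and raising an SSLInitializationException (already declared on this method) otherwise.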
Would it make sense to only set the provider if configuration.getProvider() wasn't null?
There is no desperate need for it, because Security.getProvider(null) doesn't throw an NPE, but you're right, better to check. Updated.
Thanks for such a quick merge, @joschi! 👍
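The two points raised in the review above, how SSLContextBuilder#setProvider() resolves a name through Security.getProvider() and why the provider should only be set when the configured value is non-null, can be seen end to end in the following added example. It is not Dropwizard or Apache HttpClient code; the class TlsProviderCheck and its helpers resolve() and buildContext() are hypothetical names chosen for this illustration, and it assumes a stock JDK where SunJSSE supplies SSLContext for TLSv1.2 and SunJCE does not (the provider names used in the discussion). It also goes one step beyond the thread by checking that the named provider actually implements SSLContext for the configured protocol, so a provider that exists but offers only ciphers is rejected instead of silently falling back.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;

/**
 * Added example, not project code: resolves and validates a configured JCE
 * provider name before it is handed to an SSLContext, mirroring what a
 * TlsConfiguration#provider setting would feed into SSLContextBuilder#setProvider().
 */
public final class TlsProviderCheck {

    /**
     * Same lookup the builder performs. Security.getProvider(name) returns null
     * for an unknown name; a null setting means "not configured" and is short-
     * circuited here so the JDK's default provider selection is left alone.
     * Third-party providers (Conscrypt, BC) are only found once registered via
     * Security.addProvider() or Security.insertProviderAt().
     */
    static Provider resolve(String providerName) {
        if (providerName == null) {
            return null;
        }
        return Security.getProvider(providerName);
    }

    /**
     * Fail fast instead of silently falling back: an unknown name, or a provider
     * that has no SSLContext service for the protocol, is a configuration error.
     */
    static SSLContext buildContext(String protocol, String providerName)
            throws NoSuchAlgorithmException {
        Provider provider = resolve(providerName);
        if (providerName != null && provider == null) {
            throw new IllegalArgumentException("Unknown JCE provider '" + providerName
                    + "'; installed providers: " + installedProviderNames());
        }
        if (provider != null && provider.getService("SSLContext", protocol) == null) {
            throw new IllegalArgumentException("Provider " + provider.getName()
                    + " does not implement SSLContext for " + protocol);
        }
        return provider == null
                ? SSLContext.getInstance(protocol)            // JDK picks highest-priority provider
                : SSLContext.getInstance(protocol, provider);  // explicit, validated choice
    }

    /** Provider names in priority order; index 0 is consulted first. */
    static String installedProviderNames() {
        StringBuilder names = new StringBuilder();
        for (Provider p : Security.getProviders()) {
            if (names.length() > 0) {
                names.append(", ");
            }
            names.append(p.getName());
        }
        return names.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Installed providers (priority order): " + installedProviderNames());

        // No provider configured: the JDK selects the first provider offering TLSv1.2.
        System.out.println("default -> "
                + buildContext("TLSv1.2", null).getProvider().getName());

        // Explicit, valid choice on a stock JDK.
        System.out.println("SunJSSE -> "
                + buildContext("TLSv1.2", "SunJSSE").getProvider().getName());

        // A stock provider without an SSLContext service, and a misspelled name:
        // both are rejected rather than silently replaced by the default provider.
        for (String name : new String[] {"SunJCE", "SunJsse"}) {
            try {
                buildContext("TLSv1.2", name);
            } catch (IllegalArgumentException e) {
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Run with `java TlsProviderCheck.java` (JDK 11+) or compile and run on JDK 8. The getService check is the part worth carrying into real code: the builder's own lookup only tells you whether a provider with that name is installed, not whether it can actually build an SSLContext for the protocol you configured.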
Problem:
Dropwizard allows configuring the JCE provider for the server side by passing the jceProvider property to Jetty. This allows using a non-standard provider, like Conscrypt. But there is no such setting on the client side.

Solution:
Add a new field provider to TlsConfiguration and pass it to the Apache HTTP client builder.