Allow useOpenSsl -> tlsEngineType to be configured by ClientFactoryBuilder
#4962
Conversation
seonWKim
requested review from
ikhoon,
jrhee17,
minwoox and
trustin
as code owners
| * Allow the use of JNI-based TLS support with OpenSSL. | ||
| * @param useOpenSsl Whether to allow the use of JNI-based TLS support with OpenSSL | ||
| */ | ||
| public ClientFactoryBuilder useOpenSsl(boolean useOpenSsl) { |
There was a problem hiding this comment.
Note that currently, we already have the ability to set this per server/clientFactory via tlsCustomizer
I have no problem with adding this API for now, but I slightly worry that this API will become obsolete if a different SslProvider is added in the future.
What do you think other maintainers?
There was a problem hiding this comment.
Good point. It is a possible situation but we may need to provide users a workaround to selectively use JDK SSL over Open SSL.
When SslProvider is made, I think, we have them mutually exclusive.
There was a problem hiding this comment.
What do you think about adding a new enum first, then? @seonwoo960000, how about creating a new PR that deprecates Flags.useOpenSsl() and adding Flags.tlsEngineType() and enum TlsEngineType { JDK, OPENSSL }? You might want to check Flags.useEpoll() and Flags.transportType()?
There was a problem hiding this comment.
@trustin thank you for the detailed comment. So by adding a enum TlsEngineType, armeria should be able to allow users select tls engine not only JDK and OPENSSL but also other engines which might be added in the future. Did I understand correctly 🤔 ?
There was a problem hiding this comment.
I believe you understand it correctly. If a new TLS engine is added, Flags.useOpenSsl() == false could be vague.
| final AggregatedHttpResponse response3 = WebClient.builder(SessionProtocol.HTTP, | ||
| server.httpEndpoint()) | ||
| .factory(sslDisabledClient).build() | ||
| .get("/hello").aggregate().join(); | ||
| assertThat(response3.status()).isEqualTo(HttpStatus.OK); | ||
| assertThat(response3.contentUtf8()).isEqualTo("hello"); | ||
|
|
||
| assertThatThrownBy(() -> WebClient.builder(SessionProtocol.HTTPS, server.httpsEndpoint()) | ||
| .factory(sslDisabledClient).build() | ||
| .get("/hello").aggregate().join()) | ||
| .isInstanceOfSatisfying(CompletionException.class, e -> { | ||
| assertThat(e).hasCauseInstanceOf(UnprocessedRequestException.class); | ||
| }); |
There was a problem hiding this comment.
I'm not sure what these lines are testing 😅 Can we just test once with tlsVerify disabled for each ClientFactory?
ClientFactory sslDisabledClient = ClientFactory.builder().useOpenSsl(false).tlsNoVerify().build();
...
final AggregatedHttpResponse response3 = WebClient.builder(SessionProtocol.HTTPS,
server.httpsEndpoint())
.factory(sslDisabledClient).build()
.get("/hello").aggregate().join();
assertThat(response3.status()).isEqualTo(HttpStatus.OK);
assertThat(response3.contentUtf8()).isEqualTo("hello");
There was a problem hiding this comment.
Please correct me if my understanding is wrong.
- If client doesn't use openSsl, request sent using https protocol will fail(because https require ssl/tls)
The purpose of useOpenSsl() was to test above scenario🤔
There was a problem hiding this comment.
If OpenSSL is disabled, the JDK SSL engine is used instead.
There was a problem hiding this comment.
Oh, then it seems that above mentioned scenario isn't valid. I'll remove the test 👍
core/src/test/java/com/linecorp/armeria/client/HttpClientFactoryTest.java
Outdated
Show resolved
Hide resolved
core/src/main/java/com/linecorp/armeria/server/ServerSslContextUtil.java
Outdated
Show resolved
Hide resolved
seonWKim
force-pushed
the
enable-disable-openssl-4949
branch
3 times, most recently
from
b396271
to
d378831
Compare
seonWKim
changed the title
useOpenSsl to be configured by ClientFactoryBuilder
seonWKim
force-pushed
the
enable-disable-openssl-4949
branch
from
d378831
to
5b6a2d1
Compare
Motivation: Add `TlsEngineType` to let users choose the type of tls engine. (Using `Flags`) Modifications: - Add `TlsEngineType` enum - Deprecate `useOpenSsl` Result: - Related to #<[4949](#4949)>. - Related to #4962 (comment) - `TlsEngineType` is added - `useOpenSsl` is deprecated <!-- Visit this URL to learn more about how to write a pull request description: https://armeria.dev/community/developer-guide#how-to-write-pull-request-description --> --------- Co-authored-by: Ikhun Um <ih.pert@gmail.com> Co-authored-by: Ikhun Um <ikhun.um@linecorp.com> Co-authored-by: jrhee17 <guins_j@guins.org> Co-authored-by: minwoox <songmw725@gmail.com> Co-authored-by: minux <minu.song@linecorp.com>
|
I'll start working on this issue again 🏃 |
seonWKim
force-pushed
the
enable-disable-openssl-4949
branch
from
c2a3d34
to
1800360
Compare
seonWKim
changed the title
useOpenSsl to be configured by ClientFactoryBuilderuseOpenSsl -> tlsEngineType to be configured by ClientFactoryBuilder
| @@ -94,13 +98,26 @@ static SSLSession validateSslContext(SslContext sslContext) { | |||
| return sslSession; | |||
| } | |||
|
|
|||
| private static TlsEngineType determineTlsEngineType(SslContext sslContext) { | |||
There was a problem hiding this comment.
Determining which TlsEngineType should be matched is based on io.netty.handler.ssl.SslContext#newServerContextInternal.
switch (provider) {
case JDK:
if (enableOcsp) {
throw new IllegalArgumentException("OCSP is not supported with this SslProvider: " + provider);
}
return new JdkSslServerContext(sslContextProvider,
trustCertCollection, trustManagerFactory, keyCertChain, key, keyPassword,
keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout,
clientAuth, protocols, startTls, keyStoreType);
case OPENSSL:
verifyNullSslContextProvider(provider, sslContextProvider);
return new OpenSslServerContext(
trustCertCollection, trustManagerFactory, keyCertChain, key, keyPassword,
keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout,
clientAuth, protocols, startTls, enableOcsp, keyStoreType, ctxOptions);
case OPENSSL_REFCNT:
verifyNullSslContextProvider(provider, sslContextProvider);
return new ReferenceCountedOpenSslServerContext(
trustCertCollection, trustManagerFactory, keyCertChain, key, keyPassword,
keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout,
clientAuth, protocols, startTls, enableOcsp, keyStoreType, ctxOptions);
default:
throw new Error(provider.toString());
}
seonWKim
force-pushed
the
enable-disable-openssl-4949
branch
from
efc86ba
to
8b1ddf0
Compare
|
I've not added Please let me know if we should add support for both |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #4962 +/- ##
============================================
+ Coverage 74.05% 74.10% +0.04%
- Complexity 21253 21313 +60
============================================
Files 1850 1853 +3
Lines 78600 78775 +175
Branches 10032 10067 +35
============================================
+ Hits 58209 58376 +167
+ Misses 15686 15682 -4
- Partials 4705 4717 +12 ☔ View full report in Codecov by Sentry. |
core/src/main/java/com/linecorp/armeria/client/ClientFactoryBuilder.java
Show resolved
Hide resolved
core/src/main/java/com/linecorp/armeria/client/ClientFactoryOptions.java
Show resolved
Hide resolved
core/src/main/java/com/linecorp/armeria/client/ClientFactoryOptions.java
Show resolved
Hide resolved
core/src/main/java/com/linecorp/armeria/server/VirtualHostBuilder.java
Outdated
Show resolved
Hide resolved
- Add @UnstableApi - set `Flags.tlsEngineType()` as default virtualHostTemplate's tlsEngineType
Motivation:
Let users configure
tlsEngineTypeclient option when usingClientFactoryBuilderorServerBuilderExample
Client
Server
Modifications:
tlsEngineTypemethod inClientFactoryBuilderto allow users choose whether to use openSsl.Result:
tlsEngineTypeusingClientFactoryBuilderorServerBuilder