Allow useOpenSsl -> tlsEngineType to be configured by ClientFactoryBuilder #4962
base: main
Conversation
Looks good! Left some minor comments on testing 🙇
* Allow the use of JNI-based TLS support with OpenSSL. | ||
* @param useOpenSsl Whether to allow the use of JNI-based TLS support with OpenSSL | ||
*/ | ||
public ClientFactoryBuilder useOpenSsl(boolean useOpenSsl) { |
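Review bot: the Javadoc for `useOpenSsl(boolean)` says what `true` allows but not what `false` selects; since disabling OpenSSL falls back to the JDK SSL engine (as stated later in this thread), the `@param` text should say so, e.g. `@param useOpenSsl Whether to use the JNI-based OpenSSL engine; when false, the JDK engine is used`.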
Note that currently, we already have the ability to set this per server/clientFactory via tlsCustomizer.
I have no problem with adding this API for now, but I slightly worry that this API will become obsolete if a different SslProvider is added in the future.
What do you think other maintainers?
Good point. It is a possible situation but we may need to provide users a workaround to selectively use JDK SSL over OpenSSL.
When SslProvider is made, I think, we have them mutually exclusive.
What do you think about adding a new enum first, then? @seonwoo960000, how about creating a new PR that deprecates Flags.useOpenSsl() and adds Flags.tlsEngineType() and enum TlsEngineType { JDK, OPENSSL }? You might want to check Flags.useEpoll() and Flags.transportType().
@trustin thank you for the detailed comment. So by adding an enum TlsEngineType, armeria should be able to allow users to select a TLS engine, not only JDK and OPENSSL but also other engines which might be added in the future. Did I understand correctly 🤔?
I believe you understand it correctly. If a new TLS engine is added, Flags.useOpenSsl() == false could be vague.
final AggregatedHttpResponse response3 = WebClient.builder(SessionProtocol.HTTP, | ||
server.httpEndpoint()) | ||
.factory(sslDisabledClient).build() | ||
.get("/hello").aggregate().join(); | ||
assertThat(response3.status()).isEqualTo(HttpStatus.OK); | ||
assertThat(response3.contentUtf8()).isEqualTo("hello"); | ||
|
||
assertThatThrownBy(() -> WebClient.builder(SessionProtocol.HTTPS, server.httpsEndpoint()) | ||
.factory(sslDisabledClient).build() | ||
.get("/hello").aggregate().join()) | ||
.isInstanceOfSatisfying(CompletionException.class, e -> { | ||
assertThat(e).hasCauseInstanceOf(UnprocessedRequestException.class); | ||
}); |
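Review bot: the `assertThatThrownBy` block expects an HTTPS request through `sslDisabledClient` to fail with `UnprocessedRequestException`, but `useOpenSsl(false)` only switches the client to the JDK engine and does not disable TLS, so the assertion encodes behaviour the factory does not have; either drop it or assert that the HTTPS request succeeds (with `tlsNoVerify()` against the test server's self-signed certificate) the same way the HTTP case above does.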
I'm not sure what these lines are testing 😅 Can we just test once with tlsVerify disabled for each ClientFactory?
ClientFactory sslDisabledClient = ClientFactory.builder().useOpenSsl(false).tlsNoVerify().build();
...
final AggregatedHttpResponse response3 = WebClient.builder(SessionProtocol.HTTPS,
server.httpsEndpoint())
.factory(sslDisabledClient).build()
.get("/hello").aggregate().join();
assertThat(response3.status()).isEqualTo(HttpStatus.OK);
assertThat(response3.contentUtf8()).isEqualTo("hello");
Please correct me if my understanding is wrong.
- If the client doesn't use OpenSSL, a request sent using the HTTPS protocol will fail (because HTTPS requires SSL/TLS).
The purpose of useOpenSsl() was to test the above scenario 🤔
If OpenSSL is disabled, the JDK SSL engine is used instead.
Oh, then it seems that the above-mentioned scenario isn't valid. I'll remove the test 👍
Motivation: Add `TlsEngineType` to let users choose the type of tls engine. (Using `Flags`)
Modifications:
- Add `TlsEngineType` enum
- Deprecate `useOpenSsl`
Result:
- Related to #4949.
- Related to #4962 (comment)
- `TlsEngineType` is added
- `useOpenSsl` is deprecated
Co-authored-by: Ikhun Um <ih.pert@gmail.com>
Co-authored-by: Ikhun Um <ikhun.um@linecorp.com>
Co-authored-by: jrhee17 <guins_j@guins.org>
Co-authored-by: minwoox <songmw725@gmail.com>
Co-authored-by: minux <minu.song@linecorp.com>
I'll start working on this issue again 🏃
@@ -94,13 +98,26 @@ static SSLSession validateSslContext(SslContext sslContext) { | |||
return sslSession; | |||
} | |||
|
|||
private static TlsEngineType determineTlsEngineType(SslContext sslContext) { |
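Review bot: `determineTlsEngineType(SslContext)` is introduced without a comment saying how the engine type is derived from the context; since the mapping follows the `JDK` / `OPENSSL` / `OPENSSL_REFCNT` cases of Netty's `SslContext#newServerContextInternal`, a one-line comment naming that method and stating that both OpenSSL variants map to the single `OPENSSL` value of `TlsEngineType` would keep the helper and the enum from drifting apart when Netty adds a provider.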
Determining which TlsEngineType should be matched is based on io.netty.handler.ssl.SslContext#newServerContextInternal.
switch (provider) {
case JDK:
if (enableOcsp) {
throw new IllegalArgumentException("OCSP is not supported with this SslProvider: " + provider);
}
return new JdkSslServerContext(sslContextProvider,
trustCertCollection, trustManagerFactory, keyCertChain, key, keyPassword,
keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout,
clientAuth, protocols, startTls, keyStoreType);
case OPENSSL:
verifyNullSslContextProvider(provider, sslContextProvider);
return new OpenSslServerContext(
trustCertCollection, trustManagerFactory, keyCertChain, key, keyPassword,
keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout,
clientAuth, protocols, startTls, enableOcsp, keyStoreType, ctxOptions);
case OPENSSL_REFCNT:
verifyNullSslContextProvider(provider, sslContextProvider);
return new ReferenceCountedOpenSslServerContext(
trustCertCollection, trustManagerFactory, keyCertChain, key, keyPassword,
keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout,
clientAuth, protocols, startTls, enableOcsp, keyStoreType, ctxOptions);
default:
throw new Error(provider.toString());
}
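The mapping the comment above describes, worked through end to end as an added example that is not Armeria's or Netty's own code: it derives the engine type from a built `SslContext` the way the quoted `newServerContextInternal` switch splits JDK from the two OpenSSL providers, and bridges the deprecated boolean flag to the enum. It assumes `netty-handler` is on the classpath; `TlsEngineTypeDemo`, `fromLegacyFlag` and `toSslProvider` are hypothetical names.

```java
import io.netty.handler.ssl.JdkSslContext;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.ReferenceCountedOpenSslContext;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import javax.net.ssl.SSLException;

// Hypothetical stand-alone sketch; TlsEngineTypeDemo, fromLegacyFlag and toSslProvider are not Armeria names.
public final class TlsEngineTypeDemo {
    enum TlsEngineType { JDK, OPENSSL }

    // Follows the JDK / OPENSSL / OPENSSL_REFCNT split in Netty's SslContext#newServerContextInternal:
    // both OpenSSL variants are ReferenceCountedOpenSslContext subclasses (OpenSslContext extends it),
    // the JDK variant is a JdkSslContext. Anything else is rejected rather than silently mapped.
    static TlsEngineType determineTlsEngineType(SslContext ctx) {
        if (ctx instanceof ReferenceCountedOpenSslContext) {
            return TlsEngineType.OPENSSL;
        }
        if (ctx instanceof JdkSslContext) {
            return TlsEngineType.JDK;
        }
        throw new IllegalArgumentException("Unsupported SslContext: " + ctx.getClass().getName());
    }

    // Bridges the deprecated boolean to the enum. OPENSSL is only selected when the native
    // library actually loaded; otherwise the JDK engine is used, the fallback described in the thread.
    static TlsEngineType fromLegacyFlag(boolean useOpenSsl) {
        return useOpenSsl && OpenSsl.isAvailable() ? TlsEngineType.OPENSSL : TlsEngineType.JDK;
    }

    static SslProvider toSslProvider(TlsEngineType type) {
        switch (type) {
            case OPENSSL: return SslProvider.OPENSSL;
            case JDK: return SslProvider.JDK;
            default: throw new Error(type.toString()); // unreachable unless the enum grows
        }
    }

    public static void main(String[] args) throws SSLException {
        // Round trip for both legacy flag values: enum -> SslProvider -> SslContext -> detected enum.
        for (boolean legacyUseOpenSsl : new boolean[] { false, true }) {
            TlsEngineType requested = fromLegacyFlag(legacyUseOpenSsl);
            SslContext ctx = SslContextBuilder.forClient().sslProvider(toSslProvider(requested)).build();
            TlsEngineType detected = determineTlsEngineType(ctx);
            System.out.println("useOpenSsl=" + legacyUseOpenSsl + " -> " + requested + " -> "
                               + ctx.getClass().getSimpleName() + " -> " + detected);
            if (detected != requested) throw new AssertionError("engine mismatch");
        }
    }
}
```

On a JVM without netty-tcnative both iterations resolve to JDK, which is exactly the silent fallback that makes `Flags.useOpenSsl() == false` ambiguous once more engines exist.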
I've not added Please let me know if we should add support for both
Codecov Report
Attention: Patch coverage is
Coverage Diff (main vs. #4962, +/-):
  Coverage     74.05%   74.10%   +0.04%
  Complexity    21253    21313      +60
  Files          1850     1853       +3
  Lines         78600    78775     +175
  Branches      10032    10067      +35
  Hits          58209    58376     +167
  Misses        15686    15682       -4
  Partials       4705     4717      +12
View full report in Codecov by Sentry.
Just left nits. Thanks! 👍
- Add @UnstableApi
- set `Flags.tlsEngineType()` as default virtualHostTemplate's tlsEngineType
Motivation:
Let users configure the tlsEngineType client option when using ClientFactoryBuilder or ServerBuilder.
Example
Client
Server
Modifications:
- Add tlsEngineType method in ClientFactoryBuilder to allow users to choose whether to use OpenSSL.
Result:
- Users can configure tlsEngineType using ClientFactoryBuilder or ServerBuilder.