No ssl-context via SslContext in Aleph 0.7.0 and later
#727
Comments
|
Thanks for the detailed report! I'm investigating it closer now and will get back to you when I've fully figured out what's going on! |
|
So regarding the main issue: The problem is that along with the introduction of HTTP/2 support in 0.7.0, we (accidentally?) made ALPN config for a custom We could probably allow custom contexts without ALPN config again when only HTTP/1 is desired anyway (WDYT @KingMob?). Otherwise, this should to be documented, indeed. @David-Ongaro In the meantime, here's how you can configure your custom context to make it work again: (def ssl-context (.. (io.netty.handler.ssl.SslContextBuilder/forClient)
(applicationProtocolConfig (aleph.netty/application-protocol-config [:http1]))
(build)))The reason why it "works" (modulo the issue you mention in your addendum, which I'll break out into a separate ticket) when using the options map instead of a custom |
I'm missing a bit of context here, but I'm wondering if this, while a breaking change, has not been made on purpose : #687 (review) |
I suppose you're referring to this bit specifically:
That confirms that the consistency check for the ALPN config is intentional in this case but I don't think that breaking the old behavior (i.e. allow HTTP/1.1-only without ALPN config) was necessarily intended. |
|
Yeah, I don't think my old comment meant this was a deliberate change, but it's been a while. I agree that ALPN should be optional for HTTP1-only contexts, and if not, that's a bug. But it should still be an error if they request HTTP2/3 and fail to supply an ALPN, since the ALPN fallback for HTTP when one peer doesn't have ALPN is always 1.1. This: :else
(do
(assert-consistent-alpn-config!
(some-> ^SslContext ssl-context
(.applicationProtocolNegotiator)
(.protocols))
desired-http-versions)
ssl-context)should be something like: (some? (.applicationProtocolNegotiator ^SslContext ssl-context))
(do
(assert-consistent-alpn-config!
(some-> ^SslContext ssl-context
(.applicationProtocolNegotiator)
(.protocols))
desired-http-versions)
ssl-context)
:else
(if (= #{:http1} desired-http-versions)
ssl-context
(throw (ex-info "No ALPN supplied, but requested non-HTTP/1 versions that require ALPN."
{:desired-http-versions desired-http-versions})))Totally untested, but that's the idea. |
|
Great, thanks for the quick feedback! I'll whip up a patch with a corresponding test case. |
With the introduction of HTTP/2 support, Aleph started to require a matching ALPN config to be present in custom `SslContext` objects. This needlessly broke existing HTTP/1.1-only uses. With this change, we now allow custom `SslContext` objects without ALPN config again if only HTTP/1.1 is desired (via the `http-versions` option). Since this still happens to be the default, existing uses should just work again. Fixes #727
|
@David-Ongaro Patch is ready at #730 - would you be able to give it a try to see whether it makes your original code work again? 🙏 |
|
OK went ahead and merged this already. Will cut a new release soon! |
|
Thank you @DerGuteMoritz ! |
I'm sorry I didn't have the time last week, but I'll test this as soon as the new release is out. |
Ok, I could now try out Aleph Though, as long as the proxy config is broken (as mentioned in #731) at least one of our services is blocked from updating. |
When trying to upgrade one of our services from Aleph 0.6.4 to 0.8.0 I saw this strange exception in the logs:
When trying to pin this down, I could confirm that this already happens in Aleph 0.7.0 (even for the alpha versions) and it only happens when the pool is configured with an
io.netty.handler.ssl.SslContextinstance. I.e.Note that the exception happens even before the deferred is dereferenced. Also note that I just use a plain
io.netty.handler.ssl.JdkSslClientContextinstance here without any special SSL config in this example, since the specific config doesn't seem to matter here.If I use a plain map to initialize the
ssl-context, e.g. say(whereas
io/as-fileisclojure.java.io/as-filehere, andclient-caa file path string), this doesn't happen. So that's a viable workaround. Still, I couldn't find any update in the documentation that saysSslClientContextinstances are not supported anymore, so this is at least a documentation "bug".Addendum
As per the docs, instead of
java.io.Fileinstances,java.io.InputStreaminstances are also supported as keys for the:ssl-contextmap. But I can't figure out how this is supposed to be used, as I regularly getjava.lang.IllegalArgumentException: Input stream does not contain valid certificates.exceptions. I.e., preparing a single request just works fine, but preparing them in quick succession may fail:I didn't look into the implementation, but I suspect what's happening here is that when the first thread of the thread pool is initialized, it's exhausting the input-stream instance and this instance is reused during the initialization of a second thread. (At least that's what I hope is happening, since the alternative would be that each thread tries to reread the certificate on each request.)
So the question is, if this doesn't work, why is it even supported? But if this is indeed an issue, it probably should be handled in a separate ticket, since this behavior already applies to Aleph 0.6.4 and therefore can't be considered a regression.
The text was updated successfully, but these errors were encountered: