[tomcat] branch master updated: Direct use of the ALPN API


[tomcat] branch master updated: Direct use of the ALPN API

remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
     new 7763877  Direct use of the ALPN API
7763877 is described below

commit 7763877a98e5c74bb579b64f31e938fea17290a5
Author: remm <[hidden email]>
AuthorDate: Fri Jul 3 10:37:58 2020 +0200

    Direct use of the ALPN API
   
    Tomcat 10 will now require at least Java 8_251, which was released in
    April 2020, for TLS support. Any Java 9+ JVM will work too.
    This will not be backported to Tomcat 9.0 as it slightly changes the
    APIs, although the changes are trivial.
---
 java/org/apache/tomcat/util/compat/JreCompat.java  | 69 ----------------------
 .../tomcat/util/compat/LocalStrings.properties     |  3 -
 .../tomcat/util/net/AbstractJsseEndpoint.java      | 20 +------
 .../apache/tomcat/util/net/SSLImplementation.java  |  1 -
 java/org/apache/tomcat/util/net/SSLUtil.java       | 12 ----
 .../apache/tomcat/util/net/SecureNio2Channel.java  |  9 +--
 .../apache/tomcat/util/net/SecureNioChannel.java   |  9 +--
 .../tomcat/util/net/jsse/JSSEImplementation.java   |  5 --
 .../tomcat/util/net/openssl/OpenSSLEngine.java     |  5 +-
 .../util/net/openssl/OpenSSLImplementation.java    |  5 --
 10 files changed, 7 insertions(+), 131 deletions(-)

diff --git a/java/org/apache/tomcat/util/compat/JreCompat.java b/java/org/apache/tomcat/util/compat/JreCompat.java
index 8275e60..2f0268f 100644
--- a/java/org/apache/tomcat/util/compat/JreCompat.java
+++ b/java/org/apache/tomcat/util/compat/JreCompat.java
@@ -19,18 +19,11 @@ package org.apache.tomcat.util.compat;
 import java.io.File;
 import java.io.IOException;
 import java.lang.reflect.AccessibleObject;
-import java.lang.reflect.InvocationTargetException;
-import java.lang.reflect.Method;
 import java.net.URL;
 import java.net.URLConnection;
 import java.util.Deque;
 import java.util.jar.JarFile;
 
-import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLParameters;
-
-import org.apache.tomcat.util.res.StringManager;
-
 /**
  * This is the base implementation class for JRE compatibility and provides an
  * implementation based on Java 8. Sub-classes may extend this class and provide
@@ -44,10 +37,6 @@ public class JreCompat {
     private static final boolean graalAvailable;
     private static final boolean jre11Available;
     private static final boolean jre9Available;
-    private static final StringManager sm = StringManager.getManager(JreCompat.class);
-
-    protected static final Method setApplicationProtocolsMethod;
-    protected static final Method getApplicationProtocolMethod;
 
     static {
         // This is Tomcat 9 with a minimum Java version of Java 8.
@@ -66,17 +55,6 @@ public class JreCompat {
             jre9Available = false;
         }
         jre11Available = instance.jarFileRuntimeMajorVersion() >= 11;
-
-        Method m1 = null;
-        Method m2 = null;
-        try {
-            m1 = SSLParameters.class.getMethod("setApplicationProtocols", String[].class);
-            m2 = SSLEngine.class.getMethod("getApplicationProtocol");
-        } catch (ReflectiveOperationException | IllegalArgumentException e) {
-            // Only the newest Java 8 have the ALPN API, so ignore
-        }
-        setApplicationProtocolsMethod = m1;
-        getApplicationProtocolMethod = m2;
     }
 
 
@@ -90,11 +68,6 @@ public class JreCompat {
     }
 
 
-    public static boolean isAlpnSupported() {
-        return setApplicationProtocolsMethod != null && getApplicationProtocolMethod != null;
-    }
-
-
     public static boolean isJre9Available() {
         return jre9Available;
     }
@@ -123,48 +96,6 @@ public class JreCompat {
 
 
     /**
-     * Set the application protocols the server will accept for ALPN
-     *
-     * @param sslParameters The SSL parameters for a connection
-     * @param protocols     The application protocols to be allowed for that
-     *                      connection
-     */
-    public void setApplicationProtocols(SSLParameters sslParameters, String[] protocols) {
-        if (setApplicationProtocolsMethod != null) {
-            try {
-                setApplicationProtocolsMethod.invoke(sslParameters, (Object) protocols);
-            } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException e) {
-                throw new UnsupportedOperationException(e);
-            }
-        } else {
-            throw new UnsupportedOperationException(sm.getString("jreCompat.noApplicationProtocols"));
-        }
-    }
-
-
-    /**
-     * Get the application protocol that has been negotiated for connection
-     * associated with the given SSLEngine.
-     *
-     * @param sslEngine The SSLEngine for which to obtain the negotiated
-     *                  protocol
-     *
-     * @return The name of the negotiated protocol
-     */
-    public String getApplicationProtocol(SSLEngine sslEngine) {
-        if (getApplicationProtocolMethod != null) {
-            try {
-                return (String) getApplicationProtocolMethod.invoke(sslEngine);
-            } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException e) {
-                throw new UnsupportedOperationException(e);
-            }
-        } else {
-            throw new UnsupportedOperationException(sm.getString("jreCompat.noApplicationProtocol"));
-        }
-    }
-
-
-    /**
      * Disables caching for JAR URL connections. For Java 8 and earlier, this also disables
      * caching for ALL URL connections.
      *
diff --git a/java/org/apache/tomcat/util/compat/LocalStrings.properties b/java/org/apache/tomcat/util/compat/LocalStrings.properties
index 891782c..34ffd70 100644
--- a/java/org/apache/tomcat/util/compat/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/compat/LocalStrings.properties
@@ -16,6 +16,3 @@
 jre9Compat.invalidModuleUri=The module URI provided [{0}] could not be converted to a URL for the JarScanner to process
 jre9Compat.javaPre9=Class not found so assuming code is running on a pre-Java 9 JVM
 jre9Compat.unexpected=Failed to create references to Java 9 classes and methods
-
-jreCompat.noApplicationProtocol=Java Runtime does not support SSLEngine.getApplicationProtocol(). You must use Java 9 to use this feature.
-jreCompat.noApplicationProtocols=Java Runtime does not support SSLParameters.setApplicationProtocols(). You must use Java 9 to use this feature.
diff --git a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
index 925e91d..1488393 100644
--- a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
@@ -28,7 +28,6 @@ import java.util.Set;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
 
-import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.openssl.ciphers.Cipher;
 
 public abstract class AbstractJsseEndpoint<S,U> extends AbstractEndpoint<S,U> {
@@ -123,7 +122,7 @@ public abstract class AbstractJsseEndpoint<S,U> extends AbstractEndpoint<S,U> {
 
         SSLParameters sslParameters = engine.getSSLParameters();
         sslParameters.setUseCipherSuitesOrder(sslHostConfig.getHonorCipherOrder());
-        if (JreCompat.isAlpnSupported() && clientRequestedApplicationProtocols != null
+        if (clientRequestedApplicationProtocols != null
                 && clientRequestedApplicationProtocols.size() > 0
                 && negotiableProtocols.size() > 0) {
             // Only try to negotiate if both client and server have at least
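Review bot: With the `JreCompat.isAlpnSupported()` test dropped from this condition, nothing visible in these hunks verifies that the running JVM provides the ALPN methods before `sslParameters.setApplicationProtocols(commonProtocolsArray)` is called in the next hunk. On a Java 8 runtime older than the 8_251 floor stated in the commit message, that call would presumably fail with a linkage error while an engine is being configured for a connection, instead of ALPN being quietly skipped as before; `isAlpnSupported()` in the third hunk of this file has the same gap, since it now returns `isSSLEnabled()` alone. A one-time check when the endpoint initialises, failing with a clear message, would turn a per-connection failure into a startup error; at minimum a comment such as `// Calls the ALPN API directly: needs Java 8_251 or any Java 9+ runtime` belongs above the condition. The enclosing method starts and ends outside this hunk.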
@@ -134,7 +133,7 @@ public abstract class AbstractJsseEndpoint<S,U> extends AbstractEndpoint<S,U> {
             commonProtocols.retainAll(clientRequestedApplicationProtocols);
             if (commonProtocols.size() > 0) {
                 String[] commonProtocolsArray = commonProtocols.toArray(new String[0]);
-                JreCompat.getInstance().setApplicationProtocols(sslParameters, commonProtocolsArray);
+                sslParameters.setApplicationProtocols(commonProtocolsArray);
             }
         }
         switch (sslHostConfig.getCertificateVerification()) {
@@ -193,20 +192,7 @@ public abstract class AbstractJsseEndpoint<S,U> extends AbstractEndpoint<S,U> {
     @Override
     public boolean isAlpnSupported() {
         // ALPN requires TLS so if TLS is not enabled, ALPN cannot be supported
-        if (!isSSLEnabled()) {
-            return false;
-        }
-
-        // Depends on the SSLImplementation.
-        SSLImplementation sslImplementation;
-        try {
-            sslImplementation = SSLImplementation.getInstance(getSslImplementationName());
-        } catch (ClassNotFoundException e) {
-            // Ignore the exception. It will be logged when trying to start the
-            // end point.
-            return false;
-        }
-        return sslImplementation.isAlpnSupported();
+        return isSSLEnabled();
     }
 
 
diff --git a/java/org/apache/tomcat/util/net/SSLImplementation.java b/java/org/apache/tomcat/util/net/SSLImplementation.java
index 43ccbe5..fb11b82 100644
--- a/java/org/apache/tomcat/util/net/SSLImplementation.java
+++ b/java/org/apache/tomcat/util/net/SSLImplementation.java
@@ -68,5 +68,4 @@ public abstract class SSLImplementation {
 
     public abstract SSLUtil getSSLUtil(SSLHostConfigCertificate certificate);
 
-    public abstract boolean isAlpnSupported();
 }
diff --git a/java/org/apache/tomcat/util/net/SSLUtil.java b/java/org/apache/tomcat/util/net/SSLUtil.java
index c65f7a2..4ba3504 100644
--- a/java/org/apache/tomcat/util/net/SSLUtil.java
+++ b/java/org/apache/tomcat/util/net/SSLUtil.java
@@ -67,16 +67,4 @@ public interface SSLUtil {
      */
     public String[] getEnabledCiphers() throws IllegalArgumentException;
 
-    /**
-     * Optional interface that can be implemented by
-     * {@link javax.net.ssl.SSLEngine}s to indicate that they support ALPN and
-     * can provided the protocol agreed with the client.
-     */
-    public interface ProtocolInfo {
-        /**
-         * ALPN information.
-         * @return the protocol selected using ALPN
-         */
-        public String getNegotiatedProtocol();
-    }
 }
diff --git a/java/org/apache/tomcat/util/net/SecureNio2Channel.java b/java/org/apache/tomcat/util/net/SecureNio2Channel.java
index 394837c..3db1038 100644
--- a/java/org/apache/tomcat/util/net/SecureNio2Channel.java
+++ b/java/org/apache/tomcat/util/net/SecureNio2Channel.java
@@ -38,7 +38,6 @@ import javax.net.ssl.SSLException;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.buf.ByteBufferUtils;
-import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.TLSClientHelloExtractor.ExtractorResult;
 import org.apache.tomcat.util.net.openssl.ciphers.Cipher;
 import org.apache.tomcat.util.res.StringManager;
@@ -242,13 +241,7 @@ public class SecureNio2Channel extends Nio2Channel  {
                 }
                 case FINISHED: {
                     if (endpoint.hasNegotiableProtocols()) {
-                        if (sslEngine instanceof SSLUtil.ProtocolInfo) {
-                            socketWrapper.setNegotiatedProtocol(
-                                    ((SSLUtil.ProtocolInfo) sslEngine).getNegotiatedProtocol());
-                        } else if (JreCompat.isAlpnSupported()) {
-                            socketWrapper.setNegotiatedProtocol(
-                                    JreCompat.getInstance().getApplicationProtocol(sslEngine));
-                        }
+                        socketWrapper.setNegotiatedProtocol(sslEngine.getApplicationProtocol());
                     }
                     //we are complete if we have delivered the last package
                     handshakeComplete = !netOutBuffer.hasRemaining();
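Review bot: The direct `sslEngine.getApplicationProtocol()` call in the FINISHED case relies on every engine that reaches this channel overriding that method, because the JDK's base `SSLEngine` implementation throws `UnsupportedOperationException`. Whether such an exception would be handled cleanly is not visible here, as the handshake method starts and ends outside the hunk. A comment above the call, for example `// Every SSLEngine used here must override getApplicationProtocol(); the JDK default throws UnsupportedOperationException`, would record the requirement for anyone supplying a custom `SSLImplementation`. The identical change in the `SecureNioChannel` FINISHED case carries the same dependency.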
diff --git a/java/org/apache/tomcat/util/net/SecureNioChannel.java b/java/org/apache/tomcat/util/net/SecureNioChannel.java
index a176675..ef0a33e 100644
--- a/java/org/apache/tomcat/util/net/SecureNioChannel.java
+++ b/java/org/apache/tomcat/util/net/SecureNioChannel.java
@@ -35,7 +35,6 @@ import javax.net.ssl.SSLException;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.buf.ByteBufferUtils;
-import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.NioEndpoint.NioSocketWrapper;
 import org.apache.tomcat.util.net.TLSClientHelloExtractor.ExtractorResult;
 import org.apache.tomcat.util.net.openssl.ciphers.Cipher;
@@ -167,13 +166,7 @@ public class SecureNioChannel extends NioChannel {
                     throw new IOException(sm.getString("channel.nio.ssl.notHandshaking"));
                 case FINISHED:
                     if (endpoint.hasNegotiableProtocols()) {
-                        if (sslEngine instanceof SSLUtil.ProtocolInfo) {
-                            socketWrapper.setNegotiatedProtocol(
-                                    ((SSLUtil.ProtocolInfo) sslEngine).getNegotiatedProtocol());
-                        } else if (JreCompat.isAlpnSupported()) {
-                            socketWrapper.setNegotiatedProtocol(
-                                    JreCompat.getInstance().getApplicationProtocol(sslEngine));
-                        }
+                        socketWrapper.setNegotiatedProtocol(sslEngine.getApplicationProtocol());
                     }
                     //we are complete if we have delivered the last package
                     handshakeComplete = !netOutBuffer.hasRemaining();
diff --git a/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java b/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java
index 1c1eae8..4fa54be 100644
--- a/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java
+++ b/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java
@@ -18,7 +18,6 @@ package org.apache.tomcat.util.net.jsse;
 
 import javax.net.ssl.SSLSession;
 
-import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate;
 import org.apache.tomcat.util.net.SSLImplementation;
 import org.apache.tomcat.util.net.SSLSupport;
@@ -50,8 +49,4 @@ public class JSSEImplementation extends SSLImplementation {
         return new JSSEUtil(certificate);
     }
 
-    @Override
-    public boolean isAlpnSupported() {
-        return JreCompat.isAlpnSupported();
-    }
 }
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
index 058ee71..16f1451 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
@@ -46,7 +46,6 @@ import org.apache.tomcat.jni.SSL;
 import org.apache.tomcat.jni.SSLContext;
 import org.apache.tomcat.util.buf.ByteBufferUtils;
 import org.apache.tomcat.util.net.Constants;
-import org.apache.tomcat.util.net.SSLUtil;
 import org.apache.tomcat.util.net.openssl.ciphers.OpenSSLCipherConfigurationParser;
 import org.apache.tomcat.util.res.StringManager;
 
@@ -55,7 +54,7 @@ import org.apache.tomcat.util.res.StringManager;
  * <a href="https://www.openssl.org/docs/crypto/BIO_s_bio.html#EXAMPLE">OpenSSL
  * BIO abstractions</a>.
  */
-public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolInfo {
+public final class OpenSSLEngine extends SSLEngine {
 
     private static final Log logger = LogFactory.getLog(OpenSSLEngine.class);
     private static final StringManager sm = StringManager.getManager(OpenSSLEngine.class);
@@ -209,7 +208,7 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
     }
 
     @Override
-    public String getNegotiatedProtocol() {
+    public String getApplicationProtocol() {
         return selectedProtocol;
     }
 
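Review bot: Renaming this method to `getApplicationProtocol()` makes it an override of the JDK `SSLEngine` method, so it now carries that method's documented contract: `null` while the protocol is not yet determined and an empty string when no ALPN protocol will be used. What `selectedProtocol` holds when a handshake completes without ALPN is not visible in this hunk; if it stays `null`, callers written against the JDK contract cannot tell "not negotiated yet" from "none agreed". A short Javadoc stating which values this engine returns would settle it, for example `/** Returns the ALPN protocol selected during the handshake, or null if none was selected. */`, adjusted to the actual behaviour.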
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLImplementation.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLImplementation.java
index 94b4bf2..6f2c3bf 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLImplementation.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLImplementation.java
@@ -36,9 +36,4 @@ public class OpenSSLImplementation extends SSLImplementation {
         return new OpenSSLUtil(certificate);
     }
 
-    @Override
-    public boolean isAlpnSupported() {
-        // OpenSSL supported ALPN
-        return true;
-    }
 }




Re: [tomcat] branch master updated: Direct use of the ALPN API

remm
On Fri, Jul 3, 2020 at 10:38 AM <[hidden email]> wrote:
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
     new 7763877  Direct use of the ALPN API
7763877 is described below

commit 7763877a98e5c74bb579b64f31e938fea17290a5
Author: remm <[hidden email]>
AuthorDate: Fri Jul 3 10:37:58 2020 +0200

    Direct use of the ALPN API

    Tomcat 10 will now require at least Java 8_251, which was released in
    April 2020, for TLS support. Any Java 9+ JVM will work too.
    This will not be backported to Tomcat 9.0 as it slightly changes the
    APIs, although the changes are trivial.

Ok, so I messed up (I always use Java 8 to build): https://github.com/apache/tomcat/actions/runs/156360081

Basically, when compiling with Java 11 and 8 set as the source/target/release, the compiler produces (bogus) compilation errors. Setting the target to 9 works for compiling the classes but obviously isn't a solution. So Tomcat only builds on Java 8 now :( Unless there's another compiler parameter to avoid that, there's no option but to revert and go back to using reflection.

Rémy