Support session cache for client and server when using native SSLEngi…#10331
Merged
normanmaurer merged 1 commit into4.1from Jul 14, 2020
Merged
Support session cache for client and server when using native SSLEngi…#10331normanmaurer merged 1 commit into4.1from
normanmaurer merged 1 commit into4.1from
Conversation
Member
Author
|
Depends on netty/netty-tcnative#548 |
c33d76d to
7e8856a
Compare
Member
idelpivnitskiy
left a comment
There was a problem hiding this comment.
Looks promising, great work!
Will do a second review pass later
handler/src/main/java/io/netty/handler/ssl/NullOpenSslSession.java
Outdated
Show resolved
Hide resolved
handler/src/main/java/io/netty/handler/ssl/ExtendedOpenSslSession.java
Outdated
Show resolved
Hide resolved
handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslClientContext.java
Outdated
Show resolved
Hide resolved
normanmaurer
commented
Jun 3, 2020
handler/src/main/java/io/netty/handler/ssl/OpenSslSessionCache.java
Outdated
Show resolved
Hide resolved
handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslClientContext.java
Show resolved
Hide resolved
handler/src/main/java/io/netty/handler/ssl/OpenSslSessionCache.java
Outdated
Show resolved
Hide resolved
handler/src/main/java/io/netty/handler/ssl/OpenSslSessionCache.java
Outdated
Show resolved
Hide resolved
handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslServerContext.java
Show resolved
Hide resolved
Member
Author
|
@idelpivnitskiy PTAL again |
d92883c to
c57927a
Compare
Member
Author
|
@netty-bot test this please |
idelpivnitskiy
approved these changes
Jun 26, 2020
Member
idelpivnitskiy
left a comment
There was a problem hiding this comment.
LGTM, awesome work!
A few minor comments and questions:
handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java
Outdated
Show resolved
Hide resolved
handler/src/main/java/io/netty/handler/ssl/OpenSslClientSessionCache.java
Show resolved
Hide resolved
| context.setSessionCacheSize((int) Math.min(sessionCacheSize, Integer.MAX_VALUE)); | ||
| } | ||
| if (sessionTimeout > 0) { | ||
| context.setSessionTimeout((int) Math.min(sessionTimeout, Integer.MAX_VALUE)); |
Member
There was a problem hiding this comment.
Should we throw if the requested sessionCacheSize/sessionTimeout is higher than Integer.MAX_VALUE? Or at least log it? Silent override may be confusing.
Member
Author
There was a problem hiding this comment.
this is the same code we use for the JDK implementation. Let me think about it and make a follow up if needed to keep it consistent.
| try { | ||
| doHandshakeVerifyReusedAndClose("a.netty.io", 9999, false); | ||
| // As we have a cache size of 1 we should never have more then one session in the cache | ||
| doHandshakeVerifyReusedAndClose("b.netty.io", 9999, false); |
Member
There was a problem hiding this comment.
Can we verify that a single session available in cache is reused for a.netty.io?
| // the handshake is done. | ||
| // See https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_sess_set_get_cb.html | ||
| if (!SslUtils.PROTOCOL_TLS_V1_3.equals(engine.getSession().getProtocol())) { | ||
| assertEquals(isReused, engine.isSessionReused()); |
Member
There was a problem hiding this comment.
I probably miss it somewhere, but how do you know if the session was reused via session ticket, not session id for TLSv1.2?
Member
Author
|
@netty-bot test this please |
Member
Author
|
Factored out some bug fix in another PR that is not really related to this one #10388 |
c943882 to
e1bcbd5
Compare
Member
Author
|
@netty-bot test this please |
e1bcbd5 to
220ec3f
Compare
730f023 to
f8be4b2
Compare
Member
Author
|
@netty-bot test this please |
Member
Author
|
Once this build passes I will merge this one in.... |
…ne implementation Motivation: At the moment we don't support session caching for client side when using native SSLEngine implementation and our implementation of SSLSessionContext is incomplete. Modification: - Consume netty-tcnative changes to be able to cache session in an external cache - Add and adjust unit tests to test session caching - Add an in memory session cache that is hooked into native SSLEngine Result: Support session caching on the client and server side
bc3568e to
de9c85b
Compare
normanmaurer
added a commit
that referenced
this pull request
Jul 14, 2020
…ne implementation (#10331) Motivation: At the moment we don't support session caching for client side when using native SSLEngine implementation and our implementation of SSLSessionContext is incomplete. Modification: - Consume netty-tcnative changes to be able to cache session in an external cache - Add and adjust unit tests to test session caching - Add an in memory session cache that is hooked into native SSLEngine Result: Support session caching on the client and server side
Kvicii
pushed a commit
to Kvicii/netty
that referenced
this pull request
Jul 15, 2020
* '4.1' of github.com:netty/netty: Support session cache for client and server when using native SSLEngine implementation (netty#10331) Simple fix typo (netty#10403) Eliminate a redundant method call in HpackDynamicTable.add(...) (netty#10399) jdk.tls.client.enableSessionTicketExtension must be respected by OPENSSL and OPENSSL_REFCNT SslProviders (netty#10401)
Kvicii
pushed a commit
to Kvicii/netty
that referenced
this pull request
Jul 20, 2020
* '4.1-read' of github.com:Kvicii/netty: (43 commits) Make the TLSv1.3 check more robust and not depend on the Java version… (netty#10409) Reduce the scope of synchronized block in PoolArena (netty#10410) Add IndexOutOfBoundsException error message (netty#10405) Add default handling for switch statement (netty#10408) Review PooledByteBufAllocator in respect of jemalloc 4.x changes and update allocate algorithm.(netty#10267) Support session cache for client and server when using native SSLEngine implementation (netty#10331) Simple fix typo (netty#10403) Eliminate a redundant method call in HpackDynamicTable.add(...) (netty#10399) jdk.tls.client.enableSessionTicketExtension must be respected by OPENSSL and OPENSSL_REFCNT SslProviders (netty#10401) 重新编译4.1分支 [maven-release-plugin] prepare for next development iteration [maven-release-plugin] prepare release netty-4.1.51.Final Correctly return NEED_WRAP if we produced some data even if we could not consume any during SSLEngine.wrap(...) (netty#10396) Modify OpenSSL native library loading to accommodate GraalVM (netty#10395) Update to netty-tcnative 2.0.31.Final and make SslErrorTest more robust (netty#10392) Add option to HttpObjectDecoder to allow duplicate Content-Lengths (netty#10349) Add detailed error message corresponding to the IndexOutOfBoundsException while calling getEntry(...) (netty#10386) Do not report ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify as blocking call (netty#10387) Add unit test for HpackDynamicTable. (netty#10389) netty用于测试的内嵌Channel | ChannelInboundHandler主要方法 ...
ihanyong
pushed a commit
to ihanyong/netty
that referenced
this pull request
Jul 31, 2020
…ne implementation (netty#10331) Motivation: At the moment we don't support session caching for client side when using native SSLEngine implementation and our implementation of SSLSessionContext is incomplete. Modification: - Consume netty-tcnative changes to be able to cache session in an external cache - Add and adjust unit tests to test session caching - Add an in memory session cache that is hooked into native SSLEngine Result: Support session caching on the client and server side
normanmaurer
added a commit
that referenced
this pull request
Sep 3, 2020
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
…ne implementation
Motivation:
At the moment we don't support session caching for client side when using native SSLEngine implementation and our implementation of SSLSessionContext is incomplete.
Modification:
Result:
Support session caching on the client and server side