You are viewing a plain text version of this content. The canonical link for it is here.

Posted to gitbox@activemq.apache.org by GitBox <gi...@apache.org> on 2021/02/17 20:26:00 UTC

[GitHub] [activemq-artemis] sebthom opened a new pull request #3459: ARTEMIS-3117 (Alternative) Provide CachingOpenSSLContextFactory

sebthom opened a new pull request #3459:
URL: https://github.com/apache/activemq-artemis/pull/3459


   to mitigate performance degradation in JDK 11 during TLS connection
   initialization.
   
   This is an alternative to https://github.com/apache/activemq-artemis/pull/3456
   based on feedback by @franz1981
   
   This PR introduces an SSLContextConfig object that can be passed around instead of having to provide 6-7 parameters on each method invocation throughout the call chain.
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] jbertram commented on pull request #3459: ARTEMIS-3117 (Alternative) Provide CachingOpenSSLContextFactory

Posted by GitBox <gi...@apache.org>.

jbertram commented on pull request #3459:
URL: https://github.com/apache/activemq-artemis/pull/3459#issuecomment-781603674


   @ehsavoie, can you review this please to make sure it's not going to break any of the integration you implemented originally?


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] sebthom commented on a change in pull request #3459: ARTEMIS-3117 Provide CachingOpenSSLContextFactory

Posted by GitBox <gi...@apache.org>.

sebthom commented on a change in pull request #3459:
URL: https://github.com/apache/activemq-artemis/pull/3459#discussion_r579042221



##########
File path: docs/user-manual/en/configuring-transports.md
##########
@@ -499,22 +499,32 @@ for more details.
   [broker's classpath](using-server.md#adding-runtime-dependencies).
 
 
-#### Configuring a SSLContextFactory
+#### Configuring an SSLContextFactory

Review comment:
       Because `SSL` is an abbreviation and you speak it with the vowel "e" first, i.e. "an Es Es El"




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] sebthom edited a comment on pull request #3459: ARTEMIS-3117 Provide CachingOpenSSLContextFactory

Posted by GitBox <gi...@apache.org>.

sebthom edited a comment on pull request #3459:
URL: https://github.com/apache/activemq-artemis/pull/3459#issuecomment-781633827


   @jbertram @ehsavoie I have three questions:
   1. why was the `SSLContextFactory` lookup implemented via a ServiceLoader and using a priority-based selection algo. This seems unnecessarily complicated. why was it not implemented in a way that e.g. the fully qualified class of the context factory to be used can be specified in the transport settings of the `broker.xml` instead?
   1. why is `CachingSSLContextFactory` holding the cache in a static map and not an instance field? https://github.com/apache/activemq-artemis/blob/52263663c48082227916cc3477f8892d9f10134b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/CachingSSLContextFactory.java#L35
   1. the transport settings allow specification of an `sslContext` value, which is basically a fixed cachekey to set/lookup the SSLContext only evaluated by `CachingSSLContextFactory`. Since the `CachingSSLContextFactory` already is capable to calculate a cache key based on keystore/truststore path, why would one want to specify a cachekey anyway? I can only see the disadvantage that using a manually specified cachekey can result in unexpected results/issues if multiple acceptors/connectors are configured to use the same cachekey but configure different key-/truststores.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] jbertram commented on pull request #3459: ARTEMIS-3117 Provide CachingOpenSSLContextFactory

Posted by GitBox <gi...@apache.org>.

jbertram commented on pull request #3459:
URL: https://github.com/apache/activemq-artemis/pull/3459#issuecomment-788234985


   This looks good to me. Do you have any objections @ehsavoie? If not, I'll merge it.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] jbertram commented on a change in pull request #3459: ARTEMIS-3117 (Alternative) Provide CachingOpenSSLContextFactory

Posted by GitBox <gi...@apache.org>.

jbertram commented on a change in pull request #3459:
URL: https://github.com/apache/activemq-artemis/pull/3459#discussion_r578581228



##########
File path: artemis-core-client/src/main/java/org/apache/activemq/artemis/spi/core/remoting/ssl/SSLContextConfig.java
##########
@@ -0,0 +1,215 @@
+/*
+ * Copyright 2021 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.spi.core.remoting.ssl;
+
+import java.util.Objects;
+
+import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
+
+/**
+ * This class holds configuration parameters for SSL context initialization.
+ * To be used with {@link SSLContextFactory} and {@link OpenSSLContextFactory}.
+ */
+public final class SSLContextConfig {
+
+   public static final class Builder {

Review comment:
       This `Builder` class seems a bit redundant to me. It has all the same properties as the parent `SSLContextConfig`. Why not just make `SSLContextConfig` fluent by having normal setter methods which return `this` (as is done for other configuration objects in the code-base, e.g. `org.apache.activemq.artemis.core.config.DivertConfiguration`)?




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] sebthom commented on pull request #3459: ARTEMIS-3117 Provide CachingOpenSSLContextFactory

Posted by GitBox <gi...@apache.org>.

sebthom commented on pull request #3459:
URL: https://github.com/apache/activemq-artemis/pull/3459#issuecomment-781633827


   @jbertram @ehsavoie I have two questions:
   1. why was the `SSLContextFactory` lookup implemented via a ServiceLoader and using a priority-based selection algo. This seems unnecessarily complicated. why was it not implemented in a way that e.g. the fully qualified class of the context factory to be used can be specified in the transport settings of the `broker.xml` instead?
   1. why is `CachingSSLContextFactory` holding the cache in a static map and not an instance field? https://github.com/apache/activemq-artemis/blob/52263663c48082227916cc3477f8892d9f10134b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/ssl/CachingSSLContextFactory.java#L35
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] jbertram commented on a change in pull request #3459: ARTEMIS-3117 (Alternative) Provide CachingOpenSSLContextFactory

Posted by GitBox <gi...@apache.org>.

jbertram commented on a change in pull request #3459:
URL: https://github.com/apache/activemq-artemis/pull/3459#discussion_r578707687



##########
File path: artemis-core-client/src/main/java/org/apache/activemq/artemis/spi/core/remoting/ssl/SSLContextConfig.java
##########
@@ -0,0 +1,215 @@
+/*
+ * Copyright 2021 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.spi.core.remoting.ssl;
+
+import java.util.Objects;
+
+import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
+
+/**
+ * This class holds configuration parameters for SSL context initialization.
+ * To be used with {@link SSLContextFactory} and {@link OpenSSLContextFactory}.
+ */
+public final class SSLContextConfig {
+
+   public static final class Builder {

Review comment:
       Makes sense, @sebthom. Thanks for the explanation.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] jbertram commented on pull request #3459: ARTEMIS-3117 Provide CachingOpenSSLContextFactory

Posted by GitBox <gi...@apache.org>.

jbertram commented on pull request #3459:
URL: https://github.com/apache/activemq-artemis/pull/3459#issuecomment-785142771


   The rationale for not using caching by default was simply to avoid changing the default behavior as users can be sensitive to that. Moving to Java 11 may change that. At the very least we should call this out in the upgrade documentation.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] jbertram commented on pull request #3459: ARTEMIS-3117 Provide CachingOpenSSLContextFactory

Posted by GitBox <gi...@apache.org>.

jbertram commented on pull request #3459:
URL: https://github.com/apache/activemq-artemis/pull/3459#issuecomment-789827549


   Great work! Thanks again, @sebthom.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] sebthom commented on a change in pull request #3459: ARTEMIS-3117 (Alternative) Provide CachingOpenSSLContextFactory

Posted by GitBox <gi...@apache.org>.

sebthom commented on a change in pull request #3459:
URL: https://github.com/apache/activemq-artemis/pull/3459#discussion_r578716961



##########
File path: artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
##########
@@ -621,11 +622,23 @@ public void initChannel(Channel channel) throws Exception {
 
             if (sslEnabled && !useServlet) {
 
-               SSLEngine engine;
+               final SSLContextConfig sslContextConfig = SSLContextConfig.builder()
+                  .withKeystoreProvider(realKeyStoreProvider)

Review comment:
       I can change that, no problem.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] sebthom commented on pull request #3459: ARTEMIS-3117 Provide CachingOpenSSLContextFactory

Posted by GitBox <gi...@apache.org>.

sebthom commented on pull request #3459:
URL: https://github.com/apache/activemq-artemis/pull/3459#issuecomment-782386579


   Is there any good reason not enable SSL context caching by default? Esp. since Artemis will require Java 11 soon where SSL context is significantly more expensive.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] sebthom commented on a change in pull request #3459: ARTEMIS-3117 Provide CachingOpenSSLContextFactory

Posted by GitBox <gi...@apache.org>.

sebthom commented on a change in pull request #3459:
URL: https://github.com/apache/activemq-artemis/pull/3459#discussion_r579121829



##########
File path: artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
##########
@@ -621,11 +622,23 @@ public void initChannel(Channel channel) throws Exception {
 
             if (sslEnabled && !useServlet) {
 
-               SSLEngine engine;
+               final SSLContextConfig sslContextConfig = SSLContextConfig.builder()
+                  .withKeystoreProvider(realKeyStoreProvider)

Review comment:
       Done.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] sebthom edited a comment on pull request #3459: ARTEMIS-3117 Provide CachingOpenSSLContextFactory

Posted by GitBox <gi...@apache.org>.

sebthom edited a comment on pull request #3459:
URL: https://github.com/apache/activemq-artemis/pull/3459#issuecomment-782386579


   @jbertram @ehsavoie @franz1981 @clebertsuconic Is there any good reason not to enable SSL context caching by default? Esp. since Artemis will require Java 11 soon where SSL context initialization is significantly more expensive.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] ehsavoie commented on a change in pull request #3459: ARTEMIS-3117 Provide CachingOpenSSLContextFactory

Posted by GitBox <gi...@apache.org>.

ehsavoie commented on a change in pull request #3459:
URL: https://github.com/apache/activemq-artemis/pull/3459#discussion_r579020565



##########
File path: docs/user-manual/en/configuring-transports.md
##########
@@ -499,22 +499,32 @@ for more details.
   [broker's classpath](using-server.md#adding-runtime-dependencies).
 
 
-#### Configuring a SSLContextFactory
+#### Configuring an SSLContextFactory

Review comment:
       Why 'an' ?




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] sebthom commented on a change in pull request #3459: ARTEMIS-3117 (Alternative) Provide CachingOpenSSLContextFactory

Posted by GitBox <gi...@apache.org>.

sebthom commented on a change in pull request #3459:
URL: https://github.com/apache/activemq-artemis/pull/3459#discussion_r578585093



##########
File path: artemis-core-client/src/main/java/org/apache/activemq/artemis/spi/core/remoting/ssl/SSLContextConfig.java
##########
@@ -0,0 +1,215 @@
+/*
+ * Copyright 2021 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.spi.core.remoting.ssl;
+
+import java.util.Objects;
+
+import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
+
+/**
+ * This class holds configuration parameters for SSL context initialization.
+ * To be used with {@link SSLContextFactory} and {@link OpenSSLContextFactory}.
+ */
+public final class SSLContextConfig {
+
+   public static final class Builder {

Review comment:
       This way SSLContextConfig is immutable and can be directly used as cache key in the caching factories. So no composite cache keys need to be instantiated on every cache lookup.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] sebthom commented on a change in pull request #3459: ARTEMIS-3117 (Alternative) Provide CachingOpenSSLContextFactory

Posted by GitBox <gi...@apache.org>.

sebthom commented on a change in pull request #3459:
URL: https://github.com/apache/activemq-artemis/pull/3459#discussion_r578585093



##########
File path: artemis-core-client/src/main/java/org/apache/activemq/artemis/spi/core/remoting/ssl/SSLContextConfig.java
##########
@@ -0,0 +1,215 @@
+/*
+ * Copyright 2021 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.spi.core.remoting.ssl;
+
+import java.util.Objects;
+
+import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
+
+/**
+ * This class holds configuration parameters for SSL context initialization.
+ * To be used with {@link SSLContextFactory} and {@link OpenSSLContextFactory}.
+ */
+public final class SSLContextConfig {
+
+   public static final class Builder {

Review comment:
       This way SSLContext is immutable and can be directly used as cache key in the caching factories.

##########
File path: artemis-core-client/src/main/java/org/apache/activemq/artemis/spi/core/remoting/ssl/SSLContextConfig.java
##########
@@ -0,0 +1,215 @@
+/*
+ * Copyright 2021 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.spi.core.remoting.ssl;
+
+import java.util.Objects;
+
+import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
+
+/**
+ * This class holds configuration parameters for SSL context initialization.
+ * To be used with {@link SSLContextFactory} and {@link OpenSSLContextFactory}.
+ */
+public final class SSLContextConfig {
+
+   public static final class Builder {

Review comment:
       This way SSLContextConfig is immutable and can be directly used as cache key in the caching factories.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] jbertram commented on a change in pull request #3459: ARTEMIS-3117 (Alternative) Provide CachingOpenSSLContextFactory

Posted by GitBox <gi...@apache.org>.

jbertram commented on a change in pull request #3459:
URL: https://github.com/apache/activemq-artemis/pull/3459#discussion_r578710431



##########
File path: artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
##########
@@ -621,11 +622,23 @@ public void initChannel(Channel channel) throws Exception {
 
             if (sslEnabled && !useServlet) {
 
-               SSLEngine engine;
+               final SSLContextConfig sslContextConfig = SSLContextConfig.builder()
+                  .withKeystoreProvider(realKeyStoreProvider)

Review comment:
       Maybe this is a nit-pick, but I prefer not having the "with" on the method names here.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [activemq-artemis] asfgit closed pull request #3459: ARTEMIS-3117 Provide CachingOpenSSLContextFactory

Posted by GitBox <gi...@apache.org>.

asfgit closed pull request #3459:
URL: https://github.com/apache/activemq-artemis/pull/3459


   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org