Hi Thomas,

There are some things you should watch out for in your code:

* If you want to use TLS 1.2, you should specify getInstance("TLSv1.2") 
specifically (JDK 1.7 defaults to TLS 1.0) 
* You should disable SSLv3 (at the very least) using setEnabledProtocols().
* You are better off initializing the SSLContext with null instead of new 
SecureRandom, and leave it up to JSSE itself.

Also a couple of configuration points:

* Since you are using SSLEngine in server mode, you should start the JVM 
with -Djdk.tls.rejectClientInitiatedRenegotiation=true to disable client 
renegotiation.
* You should also set -Djdk.tls.ephemeralDHKeySize=2048 to increase the 
hardcoded keysize internally.

Finally, as Henry mentioned earlier, the code here doesn't do any server 
identity checks.  If you're using HTTPS, then you should use 
HostnameChecker directly or set setEndpointIdentificationAlgorithm("HTTPS") 
directly -- otherwise, you may want to look at RFC 6125 for a generic 
server identity check.  More 
here: http://tersesystems.com/2014/03/23/fixing-hostname-verification/

Hope that helps,

Will.
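
The points in the reply above, put together as an added example (not part of the original message and not taken from Thomas's gist). The class and method names are hypothetical, and example.com is a placeholder host:

```java
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.List;

// Server JVM flags from the reply (read at startup, so pass them on the command line):
//   -Djdk.tls.rejectClientInitiatedRenegotiation=true -Djdk.tls.ephemeralDHKeySize=2048
public class HardenedEngines {
    // keyManagers carries the server's key material; null is enough for a plain client.
    static SSLContext context(KeyManager[] keyManagers) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2"); // named explicitly
        ctx.init(keyManagers, null, null); // default trust store; JSSE picks the SecureRandom
        return ctx;
    }

    // Removes SSLv3 and SSLv2Hello from whatever the engine enabled by default.
    static void dropSslProtocols(SSLEngine engine) {
        List<String> keep = new ArrayList<>();
        for (String p : engine.getEnabledProtocols())
            if (!p.startsWith("SSL")) keep.add(p);
        engine.setEnabledProtocols(keep.toArray(new String[0]));
    }

    static SSLEngine serverEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        dropSslProtocols(engine);
        return engine;
    }

    // host must be the peer actually contacted: the HTTPS check matches the certificate to it.
    static SSLEngine clientEngine(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        dropSslProtocols(engine);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = context(null); // constructed demo: no server key material loaded
        System.out.println(String.join(",", serverEngine(ctx).getEnabledProtocols()));
        System.out.println(clientEngine(ctx, "example.com", 443)
                .getSSLParameters().getEndpointIdentificationAlgorithm());
    }
}
```

A real server would pass KeyManagers built from its keystore to context(); with null the engines can be configured and inspected, but a server handshake has no certificate to present.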

On Friday, December 19, 2014 8:56:39 AM UTC-8, Thomas Zimmer wrote:
>
> Hi,
>
> I also had this issue but thanks to some examples [
> https://github.com/xbucchiotty/akka-stream-ssltlscipher/blob/master/src/test/scala/Test.scala]
>  
> and of course the TLS Specs [
> https://github.com/akka/akka/blob/62a20195af79c7b405303b5f97970c9ca7a6891a/akka-stream/src/test/scala/akka/stream/io/SslTlsFlowSpec.scala]
>  
> I could create a small actor-application which is using reactive streams:
>
> https://gist.github.com/Alien2150/d0c74d99c19df59109ff
>
> You can simply run it with openssl s_client (Which I used during testing).
>
> Regards,
> Thomas
>
>
> On Saturday, December 13, 2014 10:42:01 AM UTC+1, Pavel Popov wrote:
>>
>> Big thanks! It explained a lot.
>>
>> On Sat, Dec 13, 2014 at 11:01 AM, Roland Kuhn <goo...@rkuhn.info> wrote:
>>>
>>> Hi Pavel,
>>>
>>> an SSL engine can operate on any kind of byte stream, it is not tied to 
>>> TCP per se. This is why we will offer it as a DSL element that you can plug 
>>> anywhere into your pipeline. As to looking into the IO package: I am not 
>>> certain that I would expect SSL to be in there given that SSL itself does 
>>> not do IO, it is only an encryption protocol suite.
>>>
>>> Regards,
>>>
>>> Roland
>>>
>>> 12 dec 2014 kl. 16:36 skrev Pavel Popov <pa...@blackopsdev.com>:
>>>
>>> Thank you for the reply.
>>>
>>> But I don't understand the reason: why was it moved to streams, instead 
>>> of being a part of IO?
>>> But from the user's perspective it will be predictable to find SSL listener 
>>> inside IO package, not somewhere else...
>>>
>>> On Fri, Dec 12, 2014 at 4:00 PM, Björn Antonsson <
>>> bjorn.a...@typesafe.com> wrote:
>>>>
>>>> Hi Paul,
>>>>
>>>> SSL/TLS support in akka will be part of the akka streams work that is 
>>>> ongoing right now. The aim is to have it available by Q1 2015.
>>>>
>>>> B/
>>>>
>>>> On 11 December 2014 at 15:36:36, pa...@blackopsdev.com (
>>>> pa...@blackopsdev.com) wrote:
>>>>
>>>>  Hello, everyone!
>>>> I'm using akka.io 2.3.7 and I don't see any SSL/TLS support there.
>>>> As far as I understand it was removed (since 2.3.x). Is it correct?
>>>> Why? Will it come back?
>>>>
>>>> And... Is there a clean workaround? 
>>>> Maybe this topic was discussed before, but I didn't find an 
>>>> appropriate link.
>>>>
>>>>
>>>> Thanks, Paul
>>>>
>>>> --
>>>> >>>>>>>>>> Read the docs: http://akka.io/docs/
>>>> >>>>>>>>>> Check the FAQ: 
>>>> http://doc.akka.io/docs/akka/current/additional/faq.html
>>>> >>>>>>>>>> Search the archives: 
>>>> https://groups.google.com/group/akka-user
>>>> ---
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "Akka User List" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to akka-user+...@googlegroups.com.
>>>> To post to this group, send email to akka...@googlegroups.com.
>>>> Visit this group at http://groups.google.com/group/akka-user.
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>>
>>>> -- 
>>>> Björn Antonsson
>>>> Typesafe <http://typesafe.com/> – Reactive Apps on the JVM
>>>> twitter: @bantonsson <http://twitter.com/#!/bantonsson>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>> *Dr. Roland Kuhn*
>>> *Akka Tech Lead*
>>> Typesafe <http://typesafe.com/> – Reactive apps on the JVM.
>>> twitter: @rolandkuhn
>>> <http://twitter.com/#!/rolandkuhn>
>>>  
>>>
>>
