The people from Azul have backported JSSE from Java 11 to Java 8 as an
additional provider. It is called OpenJSSE and available under
https://github.com/openjsse/openjsse
They moved packages underneath org.openjsse. OpenJSSE provides e.g. TLS
1.3 and ALPN. So using OpenJSSE allows using TLS 1.3 and HTTP/2 in TC 8
even when running under Java 8.
For those who want to experiment:
- the source code of OpenJSSE is relatively small and builds quickly
with maven.
- you can activate it in Tomcat using e.g.
    # Adjust the path to your OpenJSSE jar
    CLASSPATH=${CATALINA_BASE}/ext/openjsse-1.1.0.jar
    # See below for the contents of this file
    CATALINA_OPTS=-Djava.security.properties=${CATALINA_BASE}/conf/java.security
  and the new java.security file should contain one line like:
    security.provider.4=org.openjsse.net.ssl.OpenJSSE
The number 4 has to be replaced by whatever number is used in your
original JVM java.security file for the provider
com.sun.net.ssl.internal.ssl.Provider. On Linux it is most often number
4, on Solaris number 6. Java 9+ uses the name SunJSSE instead of
com.sun.net.ssl.internal.ssl.Provider in the file java.security.
After that TLS 1.3 should be available. So no need for any changes in TC
to support that. But:
For HTTP/2 there is another change possible. We currently detect ALPN
availability by looking at the JVM version. If it is >= 9, we assume
ALPN, if it is smaller, we do not test for ALPN.
I made a patch to detect ALPN support at runtime using reflection.
Please have a look. Feedback welcome, whether we want to include that or
whether we want to stick with the simpler approach we currently use. Of
course the window for Java 8 plus OpenJSSE is getting smaller over
time, and users could also use tcnative to get TLS 1.3 and HTTP/2. On
the other hand integration of OpenJSSE is pretty simple and some users
don't like native code in their JVM (and its maintenance). IMHO support
for OpenJSSE (including HTTP/2) would be a nice addition.
My TC 9 patch is available under:
http://home.apache.org/~rjung/patches/tc9-openjsse.patch
It moves the ALPN detection from classes Jre(9)Compat to class TLS in
the same package and uses the same approach that we use for other
runtime detection. It needs to make one method accessible, because under
Java 9+ the implementation class SSLEngineImpl is no longer a public
class. Since it is accessed normally via SSLEngine, direct method calls
still work, but reflective calls no longer do.
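The runtime probe described above, as an added illustration that is not Rainer's patch and not Tomcat code: it first looks for getApplicationProtocol() on the public SSLEngine API (Java 9+), and only if that is absent looks on the provider's concrete engine class (Java 8 plus OpenJSSE), making the method accessible because the declaring class may not be public. The class name AlpnProbe and the use of SSLContext.getDefault() are assumptions for the example.

```java
import java.lang.reflect.Method;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/**
 * Added example (not the Tomcat patch): detect ALPN support at runtime
 * instead of inferring it from the JVM version. Assumes the JSSE provider
 * in use exposes SSLEngine.getApplicationProtocol(), as Java 9+ and
 * OpenJSSE on Java 8 do.
 */
public final class AlpnProbe {

    /** Returns the getApplicationProtocol Method usable on engine, or null. */
    public static Method findGetApplicationProtocol(SSLEngine engine) {
        // Java 9+: the method is part of the public javax.net.ssl API, so a
        // Method taken from SSLEngine.class can be invoked on any engine,
        // even if the concrete class (sun.security.ssl.SSLEngineImpl) is not public.
        try {
            return SSLEngine.class.getMethod("getApplicationProtocol");
        } catch (NoSuchMethodException ignore) {
            // Java 8: not on the base API, fall through to the provider class.
        }
        // Java 8 + OpenJSSE: the method exists only on the provider's engine.
        try {
            Method m = engine.getClass().getMethod("getApplicationProtocol");
            // If the declaring class is not public, invoking m from another
            // package throws IllegalAccessException unless made accessible.
            m.setAccessible(true);
            return m;
        } catch (NoSuchMethodException | RuntimeException e) {
            return null;
        }
    }

    /** True if an engine from the default SSLContext offers ALPN. */
    public static boolean isAlpnSupported() {
        try {
            SSLEngine engine = SSLContext.getDefault().createSSLEngine();
            return findGetApplicationProtocol(engine) != null;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("Java " + System.getProperty("java.version")
                + ", ALPN via JSSE: " + isAlpnSupported());
    }
}
```

Run it once with the stock Java 8 JSSE and once with the java.security override above to see the result flip from false to true without changing the JVM version check.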
Regards,
Rainer