This is an automated email from the ASF dual-hosted git repository.
He-Pin pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/pekko.git
The following commit(s) were added to refs/heads/main by this push:
new 7becc119d3 fix(remote): eager SSLContext init for artery
ConfigSSLEngineProvider fail-fast (#3200)
7becc119d3 is described below
commit 7becc119d3c90b4dcede55ccf782370c5d6439e0
Author: He-Pin(kerr) <[email protected]>
AuthorDate: Sat Jun 27 21:51:16 2026 +0800
fix(remote): eager SSLContext init for artery ConfigSSLEngineProvider
fail-fast (#3200)
Motivation:
Artery's ConfigSSLEngineProvider has used lazy val sslContext since its
introduction. As a result, keystore and truststore misconfiguration is
only discovered on the first connection attempt rather than at provider
construction. Classic remoting's ConfigSSLEngineProvider was given the
same eager-init fail-fast behavior in #3165; artery should match.
Modification:
Change `private lazy val sslContext` to `private val sslContext` in
org.apache.pekko.remote.artery.tcp.ConfigSSLEngineProvider so that
SslTransportException is raised during construction when the keystore
or truststore cannot be loaded. Add a directional regression test
ArteryConfigSSLEngineProviderSpec that constructs the provider against
a config pointing at nonexistent keystore/truststore paths and asserts
SslTransportException with the "could not be established" message.
Result:
Artery SSL misconfiguration now fails fast at ActorSystem startup with
a clear error, instead of silently succeeding construction and failing
later on the first connection attempt.
Tests:
- sbt "remote / Test / testOnly
org.apache.pekko.remote.artery.tcp.ArteryConfigSSLEngineProviderSpec"
Tests: succeeded 1, failed 0
References:
None - companion to the classic remoting fail-fast fix (#3165)
---
.../artery/tcp/ConfigSSLEngineProvider.scala | 2 +-
.../tcp/ArteryConfigSSLEngineProviderSpec.scala | 43 ++++++++++++++++++++++
2 files changed, 44 insertions(+), 1 deletion(-)
diff --git
a/remote/src/main/scala/org/apache/pekko/remote/artery/tcp/ConfigSSLEngineProvider.scala
b/remote/src/main/scala/org/apache/pekko/remote/artery/tcp/ConfigSSLEngineProvider.scala
index 3fd09f6d6d..a7e3289518 100644
---
a/remote/src/main/scala/org/apache/pekko/remote/artery/tcp/ConfigSSLEngineProvider.scala
+++
b/remote/src/main/scala/org/apache/pekko/remote/artery/tcp/ConfigSSLEngineProvider.scala
@@ -66,7 +66,7 @@ class ConfigSSLEngineProvider(protected val config: Config,
protected val log: M
val SSLRequireMutualAuthentication: Boolean =
sslEngineConfig.SSLRequireMutualAuthentication
val HostnameVerification: Boolean = sslEngineConfig.HostnameVerification
- private lazy val sslContext: SSLContext = {
+ private val sslContext: SSLContext = {
// log hostname verification warning once
if (HostnameVerification)
log.debug("TLS/SSL hostname verification is enabled.")
diff --git
a/remote/src/test/scala/org/apache/pekko/remote/artery/tcp/ArteryConfigSSLEngineProviderSpec.scala
b/remote/src/test/scala/org/apache/pekko/remote/artery/tcp/ArteryConfigSSLEngineProviderSpec.scala
new file mode 100644
index 0000000000..6642357d1b
--- /dev/null
+++
b/remote/src/test/scala/org/apache/pekko/remote/artery/tcp/ArteryConfigSSLEngineProviderSpec.scala
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * license agreements; and to You under the Apache License, version 2.0:
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * This file is part of the Apache Pekko project, which was derived from Akka.
+ */
+
+package org.apache.pekko.remote.artery.tcp
+
+import org.apache.pekko
+import pekko.testkit.PekkoSpec
+
+import com.typesafe.config.ConfigFactory
+
+class ArteryConfigSSLEngineProviderSpec
+ extends PekkoSpec(
+ ConfigFactory.parseString("""
+ pekko {
+ actor.provider = remote
+ remote.artery.ssl.config-ssl-engine {
+ key-store = "/nonexistent/keystore.jks"
+ key-store-password = "changeme"
+ key-password = "changeme"
+ trust-store = "/nonexistent/truststore.jks"
+ trust-store-password = "changeme"
+ protocol = "TLSv1.3"
+ enabled-algorithms = [TLS_AES_128_GCM_SHA256]
+ random-number-generator = ""
+ require-mutual-authentication = off
+ }
+ }
+ """)) {
+
+ "Artery ConfigSSLEngineProvider" must {
+ "fail fast when keystore cannot be loaded" in {
+ intercept[SslTransportException] {
+ new ConfigSSLEngineProvider(system)
+ }.getMessage should include("could not be established")
+ }
+ }
+}
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]