lhotari opened a new issue #10372: URL: https://github.com/apache/pulsar/issues/10372
**Is your enhancement request related to a problem? Please describe.**

By default, Jetty uses the JSSE provider from the JVM for SSL, which has three significant problems:

* It’s slow!
* It doesn’t support ALPN in Java 8, which is needed for HTTP/2
* It’s REALLY slow!

See: https://webtide.com/conscrypting-native-ssl-for-jetty/

**Describe the solution you'd like**

Enable Conscrypt as the JSSE provider in Broker and Proxy. Conscrypt can be enabled programmatically in this way:

```java
import java.security.Security;
import org.conscrypt.OpenSSLProvider;

Security.insertProviderAt(new OpenSSLProvider(), 1);
```

**Additional context**

It seems that the TLS handshake is partially broken in Java 11 when using TLS mutual authentication unless Conscrypt is configured as a Security Provider. An unknown certificate won't be detected on the Jetty server side and Jetty doesn't properly return 401 in that case. This leads to an exception like this on the client side:

```
javax.net.ssl.SSLException: error:10000416:SSL routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN
	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.shutdownWithError(ReferenceCountedOpenSslEngine.java:1066) ~[netty-handler-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:1359) ~[netty-handler-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1308) ~[netty-handler-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1384) ~[netty-handler-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1427) ~[netty-handler-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:208) ~[netty-handler-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1358) ~[netty-handler-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1253) ~[netty-handler-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1300) ~[netty-handler-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:508) ~[netty-codec-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:447) ~[netty-codec-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) ~[netty-codec-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) ~[netty-transport-4.1.63.Final.jar:4.1.63.Final]
```
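As an added example (not code from the issue or from Pulsar), the snippet below wraps the `Security.insertProviderAt` call described above in a bootstrap that only installs Conscrypt when its native library actually loads, then verifies that a freshly created TLS `SSLContext` is really served by it, since a provider inserted at the wrong position or missing its native library silently leaves the JVM's default JSSE in place. The class name `ConscryptBootstrap` is hypothetical; `org.conscrypt.Conscrypt.isAvailable()` and the provider name `Conscrypt` are part of the Conscrypt library.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;
import org.conscrypt.Conscrypt;
import org.conscrypt.OpenSSLProvider;

// Hypothetical helper name; not part of Pulsar or Conscrypt.
public final class ConscryptBootstrap {
    // Name under which Conscrypt's OpenSSLProvider registers itself.
    static final String CONSCRYPT = "Conscrypt";

    /** Installs Conscrypt at position 1 (if not already registered) and reports whether it now serves TLS. */
    public static boolean enableConscrypt() {
        if (Security.getProvider(CONSCRYPT) == null) {
            if (!Conscrypt.isAvailable()) {
                // Native library is not loadable on this platform: keep the JVM's JSSE instead of failing startup.
                return false;
            }
            Security.insertProviderAt(new OpenSSLProvider(), 1);
        }
        return isTlsBackedByConscrypt();
    }

    /** Checks which provider a newly created TLS context resolves to; position 1 must win for this to be true. */
    public static boolean isTlsBackedByConscrypt() {
        try {
            SSLContext ctx = SSLContext.getInstance("TLS");
            return CONSCRYPT.equals(ctx.getProvider().getName());
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        boolean active = enableConscrypt();
        System.out.println("Conscrypt serving TLS: " + active);
        // List the provider order so a misplaced insert is visible in startup logs.
        for (Provider p : Security.getProviders()) {
            System.out.println(p.getName() + " - " + p.getInfo());
        }
    }
}
```

Run this at broker or proxy startup before any `SSLContext` is created, because `SSLContext.getDefault()` caches the provider it first resolved.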
