Re: [jetty-users] Re: Does Jetty support the function of export keying material for TLS defined in RFC5705?

You are using the Java 8 version of BouncyCastle.

org.bouncycastle.jsse.provider.ProvSSLEngine_8

For this to work, you'll need the Java 11+ runtime and Java 11 specific BouncyCastle, as ALPN is built into Java by that point.
Java 8 doesn't have a stable ALPN layer, and each Security provider needs custom work to allow ALPN to work (if at all; many providers do not support ALPN on Java 8).

For Java 8, our support is OpenJDK and Conscrypt using Jetty 9.
For Java 11+, our support is whatever the JVM has, on any Jetty version.

Joakim Erdfelt / joakim@xxxxxxxxxxx


On Mon, Apr 11, 2022 at 9:29 PM Xia Bing <bing_xia518@xxxxxxxxxxx> wrote:
Hi,

I tried to use BouncyCastle as the provider with the following code:

Security.addProvider(new BouncyCastleJsseProvider(true));
sslContextFactory.setProvider("BCJSSE");

And the following exception is raised when creating the HTTP/2 session:
java.lang.IllegalStateException: No ALPNProcessor for org.bouncycastle.jsse.provider.ProvSSLEngine_8@989a394
at org.eclipse.jetty.alpn.client.ALPNClientConnectionFactory.newConnection(ALPNClientConnectionFactory.java:111)
at org.eclipse.jetty.io.ssl.SslClientConnectionFactory.newConnection(SslClientConnectionFactory.java:136)
at org.eclipse.jetty.http2.client.HTTP2Client.lambda$doStart$1(HTTP2Client.java:165)
at org.eclipse.jetty.http2.client.HTTP2Client$ClientSelectorManager.newConnection(HTTP2Client.java:500)
at org.eclipse.jetty.io.ManagedSelector.createEndPoint(ManagedSelector.java:386)
at org.eclipse.jetty.io.ManagedSelector.access$2100(ManagedSelector.java:65)
at org.eclipse.jetty.io.ManagedSelector$CreateEndPoint.run(ManagedSelector.java:1069)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at java.base/java.lang.Thread.run(Thread.java:844)

I think that some enhancement in Jetty should be done to support BouncyCastle. Is this understanding right?
Best Regards
Bing


From: jetty-users <jetty-users-bounces@xxxxxxxxxxx> on behalf of Simone Bordet <simone.bordet@xxxxxxxxx>
Sent: April 1, 2022 18:05
To: JETTY user mailing list <jetty-users@xxxxxxxxxxx>
Subject: Re: [jetty-users] Does Jetty support the function of export keying material for TLS defined in RFC5705?

Hi,

On Fri, Apr 1, 2022 at 11:45 AM Xia Bing <bing_xia518@xxxxxxxxxxx> wrote:
>
> Hi,  Jetty team,
>
> Could anyone help to clarify this question:
> After setting up the HTTP2/TLS session with the Jetty HTTP2 client, can the upper application get the exported keying material for TLS defined in RFC5705 through some API provided by Jetty?
> Looking forward to the reply!

This functionality should be provided by the TLS implementation, and
Jetty can only forward what the TLS implementation provides.
Unfortunately, I don't think the OpenJDK implementation provides EKM,
see https://bugs.openjdk.java.net/browse/JDK-8201287.
If you find otherwise about OpenJDK, let us know.

If you find a way to use EKM with BouncyCastle, let us know how you did it.

--
Simone Bordet
---
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.   Victoria Livschitz
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users