Native Sockets TLS Client/Server support for linux #2939
Conversation
TODO: test failed - HttpServerCommonTestSuite.testProxyHeaders
![sonatype-lift[bot]](https://avatars.githubusercontent.com/in/9843?s=60&v=4){kind=small}
| handleResult(result) | ||
| if (result.status == SSLEngineResult.Status.CLOSED) break@loop | ||
| } | ||
| } catch (cause: Throwable) { |
There was a problem hiding this comment.
TooGenericExceptionCaught: Caught exception is too generic. Prefer catching specific exceptions to the case that is currently handled.
(at-me in a reply with help or ignore)
| if (unwrapDestination !== initialUnwrapDestination) updateUnwrapDestination(unwrapDestination) | ||
| resumeUnwrapContinuation(result) | ||
| return result | ||
| } catch (cause: Throwable) { |
There was a problem hiding this comment.
TooGenericExceptionCaught: Caught exception is too generic. Prefer catching specific exceptions to the case that is currently handled.
(at-me in a reply with help or ignore)
| } | ||
|
|
||
| return result | ||
| } catch (cause: Throwable) { |
There was a problem hiding this comment.
TooGenericExceptionCaught: Caught exception is too generic. Prefer catching specific exceptions to the case that is currently handled.
(at-me in a reply with help or ignore)
| "Failed to parse PKCS12 file" | ||
| } | ||
| return PKCS12Certificate(privateKey.value!!, x509Certificate.value!!) | ||
| } catch (cause: Throwable) { |
There was a problem hiding this comment.
TooGenericExceptionCaught: Caught exception is too generic. Prefer catching specific exceptions to the case that is currently handled.
(at-me in a reply with help or ignore)
| this.channel.flush() | ||
| //println("[$debugString] READING STEP RESULT: $result") | ||
| } while (result > 0) | ||
| } catch (cause: Throwable) { |
There was a problem hiding this comment.
TooGenericExceptionCaught: Caught exception is too generic. Prefer catching specific exceptions to the case that is currently handled.
(at-me in a reply with help or ignore)
| api(project(":ktor-network")) | ||
| api(project(":ktor-utils")) | ||
| kotlin { | ||
| linuxX64 { |
There was a problem hiding this comment.
could we try adding other platofrms?
|
|
||
| package io.ktor.network.tls | ||
|
|
||
| public class PKCS12Certificate( |
|
|
||
| public class PKCS12Certificate( | ||
| public val path: String, | ||
| public val password: (() -> CharArray)? |
There was a problem hiding this comment.
consider adding default if password really can be null
| public actual val verification: TLSVerificationConfig?, | ||
| ) : Closeable { | ||
| override fun close() { | ||
| //NOOP |
| import io.ktor.utils.io.core.* | ||
|
|
||
| //TODO: make it closeable | ||
| public expect class TLSConfig: Closeable { |
There was a problem hiding this comment.
Could you tell me why the config is closeable?
| writeStringUtf8("Connection: close\r\n\r\n") | ||
| flush() | ||
| } | ||
| println(socket.openReadChannel().readRemaining().readText()) |
|
@olme04 are you still working on this? EDIT: ah, zero contributions the past year, on any github repo :( |
|
@Tiebe just in case, while using openssl here could be a good idea, the main problem with this approach is how to distribute it. I mean, we can do or dynamic or static linking to openssl or 2 separate artefacts for each, but it will be not so straightforward for end-users and library developers what to choose. Also there could be issues with how cinterop for |
|
@whyoleg Fair enough. Would just really love to have a websocket client with TLS support in Kotlin Native. Would you have any recommendations? |
|
@Tiebe I think, that for Apple platforms you can use |
|
@whyoleg Maybe we can use your multiplatform library here, which solves choice of static/dynamic OpenSSL linking by artifact? |
|
Hey @morki, it probably will not work like this.
So only in case 3 we can use my lib. For case 1 and 2 Overall, I believe the best way here is to implement case 1, as it will be the most robust and performant approach I believe. Though, with current Hope this somehow answers the question why it's not that easy to just take and implement TLS for K/N :) |
|
Thank you very much for your time answering this :) looking forward to some day it will maybe be implemented, cause i started creating multiplatform email / smtp lib, and tls sockets are the most common connection for this. But testing with pure sockets is the way forward for now :) |
|
Hey @olme04, @morki, thanks for the bump. The last time I investigated, it was tough to provide dependency for OpenSSL on the user side - in the application setup, the user had to specify the path to OpenSSL headers directly. Could you tell me if you know about changes there? If we could avoid forcing users to write such config files, we can check this and deliver it with 3.0.0 |
|
I am not an expert in the native field, i just use @whyoleg´s library and I think he solved it somehow, bacause the only thing I need as a consumer is choose openssl-shared or openssl-static dependency and everything is sorted out on all systems automatically |
Based on: #2929
Subsystem
Network, CIO
Motivation
partially fixes https://youtrack.jetbrains.com/issue/KTOR-1181 (no darwin support yet)
Solution
Note:
TODO:
tls-certificatesmoduleExperimentalTLSApiannotation, because of possible bugs, and get more feedback on cases, where it can have unexpected behavior?brewlocation, because, at least on my machine, if to use same paths as in curl, it will fail too link binary because of GLIBC issues (related: https://youtrack.jetbrains.com/issue/KT-43501, https://youtrack.jetbrains.com/issue/KT-47061#focus=Comments-27-4947040.0-0)