OF-2559: Introduce Netty for S2S & C2S #2220
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
guusdk
reviewed
Jul 18, 2023
guusdk
reviewed
Jul 18, 2023
xmppserver/src/main/java/org/jivesoftware/admin/PluginFilter.java
Outdated
Show resolved
Hide resolved
guusdk
reviewed
Jul 18, 2023
xmppserver/src/main/java/org/jivesoftware/openfire/spi/MINAConnectionAcceptor.java
Outdated
Show resolved
Hide resolved
AlexGidman
force-pushed
the
OF-2559_mina-to-netty
branch
from
01098be
to
880ef47
Compare
viv
force-pushed
the
OF-2559_mina-to-netty
branch
from
b3afb6f
to
36abd9a
Compare
Replace CopyOnWriteMap from MINA; migrating to netty so replacing MINA utility with something similar. Remove MINA-specific stat collector; migrating to netty so removing MINA specific stat collector. For netty we might look to the following in the future to implement a netty-specific stats collector: - https://netty.io/4.0/api/io/netty/handler/ssl/OpenSslSessionStats.html - https://netty.io/4.0/api/io/netty/handler/traffic/package-summary.html
…incoming c2s and s2s connections
XMLLightweightParserTest now works with the newly refactored XMLLightweightParser (which had MINA specifics extracted).
MINA will wrap the non-mina exception further up the chain, we were not using the hexdump feature the MINA exception added.
…tionAcceptor.buildSocketAcceptor function
Tested with non-netty outbound server to a netty-based inbound, so using TLS 1.2 as restricted by outbound capabilities until we pull netty through into outbound connection.
TLS 1.2 & 1.3 working with S2S
Increased time allowed dialback DNS lookup to timeout and enabled us to debug deeper into the flow.
We are moving to Netty.
Was part of an incomplete migration to Mina.
Explicitly show this by removing the Mina-based implementations from the ConnectionAcceptor.
… S2S connections Adds IdleStateHandler and NettyIdleStateKeepAliveHandler to the NettyServerInitializer pipeline code. If an inbound session idles Openfire will either send a ping to keep the connection alive, or close the connection.
Tested with non-netty outbound server to a netty-based inbound, so using TLS 1.2 as restricted by outbound capabilities until we pull netty through into outbound connection.
TLS 1.2 & 1.3 working with S2S
viv
force-pushed
the
OF-2559_mina-to-netty
branch
from
50b87a2
to
987eb52
Compare
Rather than wait for the Netty-based session to timeout (default 5s) before attempting dialback auth this commit moves the fallback dialback code into Netty-land by listening for `SslHandshakeCompletionEvent`. There's more refactoring required, I dislike the state leaking through the stanza handler - there is perhaps a need for a connection/session that wraps the netty connection. This concept might already exist but can't quite get my head around it yet.
The Connection interface defines methods to read the configuration of TLS and compression policies, even though these are also defined by the ConnectionConfiguration instance that is used to create the connection. It is undesirable to have the configuration of a connection be defined in various places, or be modified after the original connection has been applied. This commit removes the duplication, and ensures that connection configuration is applied as soon as the instance is created. As a side-effect, this solves an issue with the new Netty code, that never explicitly sets the tlsPolicy on the connection. The single functional aspect of the separation of tlsPolicy between connection and configuration (prior to this change) was the following: the state of the connection-tlsPolicy was used to implicitly define if a session was initialized (this was used to close a connection that was sending unencrypted data, when its configuration required encryption). This commit replaces that implicit defintion by a new, explicit 'isInitialized` method on the Connection interface.
…lexer connections We can now deprecate (and remove) all NIO components that were built using the Apache MINA framework
We were seeing resource limit issues (too many open files) when running Outgoing S2S tests. This was caused by the outbound session initialisation failing to clean up its NioEventLoopGroup in many scenarios.
…ted implementations
When the identity store does not contain any certificates, inbound TLS will never be able to succeed. In such cases, lets not advertise the StartTLS feature.
By waiting for handshake to complete before attempting SASL
… LocalOutboundServerSessionTest pass. Also add generic typing for Connection.starttls return type, some tidy up of comments and WIP code.
AlexGidman
force-pushed
the
OF-2559_mina-to-netty
branch
from
05ab969
to
f591cc9
Compare
…penfire into OF-2559_mina-to-netty # Conflicts: # xmppserver/src/main/java/org/jivesoftware/openfire/net/VirtualConnection.java # xmppserver/src/main/java/org/jivesoftware/openfire/nio/NettyConnection.java
Prior to this commit handlers were being shared across all sessions. Now a new handler is instantiated per connection/session.
Prior to this commit SSL Handshake events were not making it down the netty pipeline to our client connection handler (aka business logic handler). This meant that inbound connections were never set to encrypted=true causing the session to be abandoned when TLS was required.
The old implementation (still used by ServerDialback) is unable to negotiate a TLS 1.3 connection. Netty-based connections can use TLS 1.3.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Initial attempt at introducing Netty for S2S and C2S connections. Still to do are:
NettyConnectioHandler.reconfigure()Needs extensive testing but should now support TLS 1.3.