OF-2559: Introduce Netty for S2S & C2S #2220
Commits on Jul 25, 2023
- 3ec1999 OF-2559 Implement Netty inbound connection handlers
  Replace CopyOnWriteMap from MINA; migrating to netty so replacing MINA utility with something similar. Remove MINA-specific stat collector; migrating to netty so removing MINA specific stat collector. For netty we might look to the following in the future to implement a netty-specific stats collector:
  - https://netty.io/4.0/api/io/netty/handler/ssl/OpenSslSessionStats.html
  - https://netty.io/4.0/api/io/netty/handler/traffic/package-summary.html
- b0f8731 feat: OF-2559 - add compression for inbound and outbound traffic for incoming c2s and s2s connections
- 2c91f91 OF-2559 Fixed tests after refactor
  XMLLightweightParserTest now works with the newly refactored XMLLightweightParser (which had MINA specifics extracted).
- 00aa6fa OF-2559 Removed last of MINA from XMLLightweightParser
  MINA will wrap the non-mina exception further up the chain; we were not using the hexdump feature the MINA exception added.
- 16a412e
- 5af394b feat: OF-2559 - add channel options that match settings in MinaConnectionAcceptor.buildSocketAcceptor function
- 6d9c6f3
- 78f05a7
- 1650fe5 OF-2559 Added TLS handler for inbound netty connections
  Tested with non-netty outbound server to a netty-based inbound, so using TLS 1.2 as restricted by outbound capabilities until we pull netty through into outbound connection.
- 48c9599 OF-2559 S2S outbound with Netty
  TLS 1.2 & 1.3 working with S2S
- c8a2ba2
- c52100f
- ee5bd07 OF-2559 Remove temporary long timeout
  Increased time allowed dialback DNS lookup to timeout and enabled us to debug deeper into the flow.
- 3f6241f
- dec32a3
- cc177aa
- fe819fb
- e71831c OF-2559 Deprecate Mina-based ClientConnectionHandler
  We are moving to Netty.
- ad3c115
- 4ee6a39 OF-2559 Removed unused connection handler
  Was part of an incomplete migration to Mina.
- 04ecba7 OF-2559 Netty is always used for S2S and C2S
  Explicitly show this by removing the Mina-based implementations from the ConnectionAcceptor.
- 31c1b23
- e186bc5
- 30237c6 feat: OF-2559 - implement handling for idle states in inbound C2S and S2S connections
  Adds IdleStateHandler and NettyIdleStateKeepAliveHandler to the NettyServerInitializer pipeline code. If an inbound session idles Openfire will either send a ping to keep the connection alive, or close the connection.
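The scheme this commit describes, as an added example that is not Openfire's NettyIdleStateKeepAliveHandler or NettyServerInitializer: Netty's IdleStateHandler raises an IdleStateEvent whenever nothing has been read for the configured interval, and the handler placed after it answers the first such event with a ping and closes the channel when a further interval passes without a reply. The class names, the XEP-0199 ping stanza, the String codecs and the Supplier-based wiring are assumptions made for the example.

```java
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;

import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.ChannelPipeline;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.codec.string.StringDecoder;
import io.netty.handler.codec.string.StringEncoder;
import io.netty.handler.timeout.IdleState;
import io.netty.handler.timeout.IdleStateEvent;
import io.netty.handler.timeout.IdleStateHandler;
import io.netty.util.CharsetUtil;

/**
 * Hypothetical keep-alive handler (example code, not Openfire's). It consumes the
 * IdleStateEvents produced by the IdleStateHandler in front of it: the first
 * reader-idle event after traffic triggers a ping; a consecutive reader-idle
 * event (no bytes read in between, so the ping went unanswered) closes the channel.
 */
public class IdleKeepAliveHandler extends ChannelInboundHandlerAdapter {

    // Constructed XEP-0199 ping; a real server would generate a unique id per ping.
    static final String PING = "<iq type='get' id='ka-1'><ping xmlns='urn:xmpp:ping'/></iq>";

    @Override
    public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception {
        if (evt instanceof IdleStateEvent && ((IdleStateEvent) evt).state() == IdleState.READER_IDLE) {
            IdleStateEvent idle = (IdleStateEvent) evt;
            // IdleStateHandler flags the first idle period after a read as "first";
            // every further idle period without a read in between is reported as non-first.
            if (idle.isFirst()) {
                ctx.writeAndFlush(PING);
            } else {
                // A silent peer must not hold the connection slot indefinitely.
                ctx.close();
            }
            return; // consumed: nothing later in the pipeline needs idle events
        }
        // Any other event (e.g. TLS handshake completion) must keep flowing downstream.
        super.userEventTriggered(ctx, evt);
    }

    /**
     * Assumed pipeline wiring. idleSeconds is the reader-idle interval; the
     * business-logic handler is obtained from a Supplier so that every channel
     * gets its own instance rather than sharing per-connection state.
     */
    public static ChannelInitializer<SocketChannel> initializer(int idleSeconds,
                                                                Supplier<ChannelHandler> businessLogic) {
        return new ChannelInitializer<SocketChannel>() {
            @Override
            protected void initChannel(SocketChannel ch) {
                ChannelPipeline p = ch.pipeline();
                p.addLast(new StringDecoder(CharsetUtil.UTF_8));
                p.addLast(new StringEncoder(CharsetUtil.UTF_8));
                // Reader-idle timer only; writer and all-idle timers disabled (0).
                p.addLast(new IdleStateHandler(idleSeconds, 0, 0, TimeUnit.SECONDS));
                p.addLast(new IdleKeepAliveHandler());
                p.addLast(businessLogic.get());
            }
        };
    }
}
```

Order matters: IdleStateHandler has to sit before the handler that consumes its events, and the StringEncoder has to be closer to the head than IdleKeepAliveHandler so the ping written from it is encoded. Because the peer's pong is a read, it resets the idle timer and the next idle event is again reported as first, so a live but quiet peer is pinged rather than dropped.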
- cdac496
- 08fe9cf
- 8223d5e OF-2559 Netty ConnectionAcceptor reconfigure logic
  Reconfigures the Netty-based ConnectionAcceptor after changes to the SSL configuration (e.g. certificate updates). Logic ported to match `MINAConnectionAcceptor.reconfigure()`.
- b8c4554
- 70294c6 OF-2611: Add unit tests for outbound server session (igniterealtime#2165)
  * OF-2611: Refactor PKIX unit tests
    Adjusts unit tests and their utility methods that test functionality around TLS certificates:
    - Key size and algorithm, as well as the signature algorithm are now based on constants (allows for them to be changed faster)
    - Utilities that generate a certificate(chain) now return a holder object that returns both the certificate(chain) as well as the keypair that they were generated from.
    - Added more extensions to generated certificates for them to represent certificates used in the wild better.
    - Additional methods to generate various certificate chains (eg: ones that will generate a chain with an expired intermediate certificate).
    These improvements facilitate future unit test development (which will be added in the next few commits)
  * OF-2611: (Draft) unit test for outbound server session
  * Workaround for OF-2592
  * fix: remove wrong cert name, invalid intermediate and root certificates from tests and RemoteServerDummy
  * RemoteServerDummy config option: disable dialback feature
    The dummy class used to represent a remote server when testing outbound S2S connections can now be configured to avoid supporting the Dialback authentication mechanism.
  * RemoteServerDummy config option: disable TLS feature
    The dummy class used to represent a remote server when testing outbound S2S connections can now be configured to avoid supporting the TLS encryption and authentication mechanism.
  * RemoteServerDummy should offer Dialback when not authenticated
    Instead of offering Dialback when there's no TLS encryption, the RemoteServerDummy test tool should offer Dialback whenever the peer is not authenticated.
  * fix: remove self signed cert test
  * feat: add Junit 4 parameterised test
  * OF-2611: Add parameterized local outgoing server session test
    This commit takes the individual unit tests from the pre-existing LocalOutgoingServerSessionTest, and turns them into one parameterized test. Of this test, the server config (both from the local and remote server) are the arguments.
  * OF-2611: Modify LocalOutgoingServerSessionTest to use a locally invalid certificate
    To test outbound connections, the test has been modified to be able to send an invalid (expired) certificate. The dummy server responds to this by rejecting it.
  * OF-2611: LocalOutBoundServerSessionTest's dummy peer should support an optional TLS policy
    Previous to this commit, the dummy used for the test could support or disable TLS. For some tests, optional support is desirable. That's added by this commit.
  * OF-2611: RemoteServerDummy should not allow Dialback when TLS is required, but missing
    If TLS is required, but not established, the RemoteServerDummy should not allow Dialback authentication (as authentication must follow encryption).
  * OF-2611: LocalOutgoingServerSessionParameterizedTest's 'invalid' cert should really be invalid
    This bumps up a 'sleep' to help ensure that a recently generated cert is expired. I do not like this approach. It's based on timing, which is a brittle (and slow) approach.
  * OF-2611: RemoteServerDummy should do basic SASL EXTERNAL checking
    When testing TLS authentication, RemoteServerDummy should do some basic checking of the provided certificates, instead of blindly accepting everything.
  * fix: add certificate validation to RemoteServerDummy
  * chore: delete Junit4 parameterised tests
  * test: add invalid certificate and private key to test fixtures
  * fix: remove possible leaking state between tests, change invalid local server certificate implementation
  * fix: increase numeric replication in parameterised tests
  * test: ignore original attempt at outgoing session tests
  * feat: add strictCertificateValidation option to admin console and connection settings
  * fix: fix 8 outgoing server tests that setup a plain dialback connection when it should make no connection
  * chore: delete old test file
  * fix: make checkbox render only on s2s page and not the c2s page
  * Allow Remote test dummy to deal with missing certs
    Relax client authentication rules in the Remote dummy to just indicate that we would like to authenticate the client, but if client certificates are self-signed or have no certificate chain then we are still good
  * test: WIP - add parameterised test for incoming server session
  * fix: log message more accurate when SSLHandshakeException thrown with strictCertificateValidation enabled
  * chore: add to javadocs
  * chore: add javadocs for strictCertificateValidation methods
  * chore: change names of test fixtures
  * OF-2611: Scaffolding for LocalIncomingServerSessionTest
    This refactors the existing _outgoing_ server session test, to reuse some of its implementation for an _inbound_ test. An initial inbound test class has been added, which is far from functional
  * OF-2611: Renamed LocalOutgoingServerSessionParameterizedTest -> LocalOutgoingServerSessionTest
  * OF-2611: Phase out ServerSettings.EncryptionPolicy
    EncryptionPolicy was created for unit tests. It duplicates Connection.TLSPolicy. Use the latter instead.
  * OF-2611: Re-enable all LocalIncomingServerSession unit tests
    This reverts a temporary limitation used during development.
  * OF-2611: LocalIncomingServerSession unit test should wait until 'done'.
    Prior to this commit, the unit test for an inbound server session waited for a certain period of time, assuming that the test had run by that time. In this commit, a structure is introduced that allows the test to explicitly flag the 'done' status. This should improve the time it takes to execute tests.
  * OF-2611: LocalIncomingServerSession unit test: define a session that's not authenticated as 'no connection'
    Due to the nature of this test, it's possible for Openfire to keep open a session, while the local test has deduced that it cannot continue. Although the session is not 'null', it still isn't properly set-up. This commit allows a session that is established, but NOT authenticated to pass the 'NO CONNECTION' definition.
  * OF-2611: Prevent NPE in LocalInboundServerSession unit test
    Prevent null pointers when interacting with a dialback handler that never was initialized.
  * OF-2611: LocalIncomingServerSession unit test should wait until 'done'.
    Removes a hack that was used to work-around the missing 'done' check. This commit can be fixed-up with the commit that introduces this behavior (~3 commits prior to this one).
  * OF-2611: Make unit test configuration repeat in the same order.
  * OF-2622: Do not accept inbound Server Dialback when disabled
    If the Server Dialback feature is disabled, Openfire should not allow peers to authenticate with that authentication mechanism. Additionally, Openfire should not define the corresponding XML namespace when the feature is disabled, as other servers might use that to determine support.
  * OF-2611: Improve XML parsing
    This change allows for a root element with child elements to be parsed. Note that an XML snippet that contains several elements (without a shared root) still can't be parsed.
  * OF-2611: Add TLS support to LocalIncomingServerSessionTest
    This adds support for encryption and SASL EXTERNAL to the incoming unit tests for S2S. With these changes, 4 out of the 324 still fail. I'm unsure if this is caused by a faulty test, or a bug in the system under test.
  * OF-2611: Speed up test execution by reducing SO_TIMEOUT
    By reducing the socket timeout, the S2S unit tests execute a lot faster. There's likely a balance between a low timeout value, and introducing timing-related issues. This value might require some tweaking.
  * test: fix null pointer exception for missing certificate state
  * OF-2611: Refactor Incoming/Outgoing S2S unit tests for performance
    The Incoming- and OutgoingServerSessionTest implementations depend heavily on 'mock' server implementations. During the tests, these mocks act as the peer/remote XMPP domain. The test implementation is based on establishing TCP socket connections. As there are many tests that are being executed, the socket timeouts should be kept low. This improves the test execution time. This commit refactors how the dummy implementation works with socket timeouts. Notably:
    - improve explicit shutdown of sockets/executors to improve throughput
    - temporarily bump up the allowed timeouts when Server Dialback is used. Server Dialback depends on a second socket, during which interaction on the first socket is paused.
  * OF-2611: Reduce socket timeout for S2S unit tests
    By reducing the socket timeout, test execution duration improves.
  * OF-2611: Optimize S2S unit test for CPU usage
    Generating certificates is expensive. For performance, it's best to generate each set once, and then reuse those during the execution of the tests. This removes about 70% of the CPU usage during test execution. Locally, the duration of test execution dropped to about 60% of the original duration.
  * Github CI flow: expose junit reports
  * OF-2611: Tweak S2S unit test output
    As these unit tests are parameterized, it's not always straightforward what configuration was used in a failed test. This commit prints the configuration to std-out to make that more clear.
  * OF-2611: Refactor unit test helper method
    ServerSettings' constructor arguments should match the toString output for convenience.
  * OF-2626: Fix Server Dialback race condition
    Openfire should not report Server Dialback results back to the remote server, before the results have been locally stored. This prevents a race condition in which a remote server starts sending data, before the local server is aware that the remote has finished authentication.
  * OF-2611: Adjust S2S Unit tests for OF-2626 (Dialback race)
  * Fix references to RFC6120
  * OF-2611: Ensure that strict-certificate setting always prevents dialback
    Depending on the exception that causes TLS to fail, dialback could still happen. With this change, Dialback won't happen if TLS failed.
  * OF-2611: Prevent NPEs when running tests that involve having no certs
  * OF-2611: Improved logging of S2S unit tests
  * OF-2611: More explicitly link 'strict cert verification' to cert status
    Previously, 'strict verification' would be applied to any TLS failure. It should be applied to certificate validation failures only.
  * OF-2611: Improve S2S unit test
    When the mock server doesn't have PKIX material, that shouldn't be reason to tell the peer that TLS (will) fail. Instead, the purpose of the test is to _see_ this fail. Thus, with this change, the peer is motivated to try (and fail).
  * OF-2611: S2S Outgoing Server Session unit test, add exemption
    In a very specific configuration of settings, a connection attempt must fail. However, the system under test can be expected to retry the connection immediately, with another configuration that's permissible under the unit test settings.
  * OF-2611: Remove unused definition.
  * OF-2611: Introduce flag to disable logging to std-out
  * OF-2611: S2S unit test should print configuration
    Not all test-runners easily identify the parameters that are used to run each test iteration. Those that do not, typically show a number. By outputting the numbered arguments, they can be cross-referenced with any failed test case.
  * OF-2611: Add context to StreamError when no message is provided.
  * OF-2611: When Dialback fails, close the connection
  * OF-2611: Add copyright header
  * OF-2611: Modified copyright header
    This code was ported from a short-lived project in my personal repositories, hence the copyright definition.
  * OF-2611: Generically add references to specifications for ExpectedOutcome
  * OF-2611: S2S Unit test: clean up TODOs, add spec references
    This adds references to RFCs in the ExpectedOutcome calculation, and removes some of the TODO statements in that class. Most of the TODOs are 'resolved' by adding a 'strictCertificateValidation' setting in the calculation. This is used to choose between the multiple possible outcomes that were in the 'TODO'. Note that the strictCertificateValidation setting is hardcoded in all tests. The current implementation makes it hard to configure different values for the initiating and receiving entities. Also, they would add to an already long list of tests.
  * OF-2611: Clean up test teardown
  * OF-2611: Additional null-check
  * Revert "Workaround for OF-2592"
    This reverts commit 0445be6.
  * OF-2611: Additional additional null-check
  ---------
  Co-authored-by: Alex Gidman <alex.gidman@surevine.com>
  Co-authored-by: Matthew Vivian <matthew.vivian@surevine.com>
  Co-authored-by: Dan Caseley <dan@caseley.me.uk>
- 444836c
- 9385d9e OF-2559 Implement Netty inbound connection handlers
  Replace CopyOnWriteMap from MINA; migrating to netty so replacing MINA utility with something similar. Remove MINA-specific stat collector; migrating to netty so removing MINA specific stat collector. For netty we might look to the following in the future to implement a netty-specific stats collector:
  - https://netty.io/4.0/api/io/netty/handler/ssl/OpenSslSessionStats.html
  - https://netty.io/4.0/api/io/netty/handler/traffic/package-summary.html
- e56b34c OF-2559 Added TLS handler for inbound netty connections
  Tested with non-netty outbound server to a netty-based inbound, so using TLS 1.2 as restricted by outbound capabilities until we pull netty through into outbound connection.
- 545fc8c OF-2559 S2S outbound with Netty
  TLS 1.2 & 1.3 working with S2S
- 394c090
- d28136c
- 2066e82
- 987eb52
- 3f4b065
Commits on Jul 26, 2023
- 20ac715 OF-2559 Faster fallback to Dialback
  Rather than wait for the Netty-based session to time out (default 5s) before attempting dialback auth, this commit moves the fallback dialback code into Netty-land by listening for `SslHandshakeCompletionEvent`. There's more refactoring required; I dislike the state leaking through the stanza handler - there is perhaps a need for a connection/session that wraps the netty connection. This concept might already exist but I can't quite get my head around it yet.
- 7e43cee Remove duplication of connection configuration
  The Connection interface defines methods to read the configuration of TLS and compression policies, even though these are also defined by the ConnectionConfiguration instance that is used to create the connection. It is undesirable to have the configuration of a connection be defined in various places, or be modified after the original connection has been applied. This commit removes the duplication, and ensures that connection configuration is applied as soon as the instance is created. As a side-effect, this solves an issue with the new Netty code, that never explicitly sets the tlsPolicy on the connection. The single functional aspect of the separation of tlsPolicy between connection and configuration (prior to this change) was the following: the state of the connection-tlsPolicy was used to implicitly define if a session was initialized (this was used to close a connection that was sending unencrypted data, when its configuration required encryption). This commit replaces that implicit definition by a new, explicit `isInitialized` method on the Connection interface.
- b43d30b
- c89095a
- c095508 feat: OF-2599 - add NettyMultiplexerConnectionHandler to handle Multiplexer connections
  We can now deprecate (and remove) all NIO components that were built using the Apache MINA framework
Commits on Jul 27, 2023
- b25f6ba OF-2559 Ensure NioEventLoopGroup is closed for outbound S2S
  We were seeing resource limit issues (too many open files) when running Outgoing S2S tests. This was caused by the outbound session initialisation failing to clean up its NioEventLoopGroup in many scenarios.
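One way to close the gap this commit describes, as an added example rather than Openfire's LocalOutgoingServerSession code: a connect helper that owns the NioEventLoopGroup it creates and releases it on every exit path, so a failed or exception-throwing attempt cannot leave a selector and its file descriptors behind. The class name, the single-thread group, the CONNECT_TIMEOUT_MILLIS option and the IOException wrapping are assumptions of the example.

```java
import java.io.IOException;
import java.util.concurrent.TimeUnit;

import io.netty.bootstrap.Bootstrap;
import io.netty.channel.Channel;
import io.netty.channel.ChannelFuture;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.ChannelOption;
import io.netty.channel.EventLoopGroup;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioSocketChannel;

/**
 * Hypothetical outbound connector (example code, not Openfire's). A fresh event
 * loop group is created per attempt, as the commit describes, so it has to be
 * shut down on every path: immediately if the connect fails or anything throws,
 * and when the channel closes if the connect succeeds. Otherwise each failed
 * attempt leaks a selector plus its descriptors ("too many open files").
 */
public final class OutboundConnector {

    private OutboundConnector() {
    }

    public static Channel connect(String host, int port, int connectTimeoutMillis,
                                  ChannelInitializer<SocketChannel> initializer) throws IOException {
        final EventLoopGroup group = new NioEventLoopGroup(1);
        boolean handedOff = false;
        try {
            Bootstrap bootstrap = new Bootstrap()
                .group(group)
                .channel(NioSocketChannel.class)
                .option(ChannelOption.CONNECT_TIMEOUT_MILLIS, connectTimeoutMillis)
                .handler(initializer);

            // CONNECT_TIMEOUT_MILLIS guarantees the future completes, so this wait is bounded.
            ChannelFuture future = bootstrap.connect(host, port).awaitUninterruptibly();
            if (!future.isSuccess()) {
                throw new IOException("connect to " + host + ":" + port + " failed", future.cause());
            }

            Channel channel = future.channel();
            // Success: release the group when this channel eventually closes, whatever
            // closes it (peer, a later TLS failure, idle timeout, administrator action).
            channel.closeFuture().addListener(f -> group.shutdownGracefully(0, 0, TimeUnit.MILLISECONDS));
            handedOff = true;
            return channel;
        } finally {
            if (!handedOff) {
                // Failure or exception before hand-off: nobody else owns the group.
                group.shutdownGracefully(0, 0, TimeUnit.MILLISECONDS);
            }
        }
    }
}
```

shutdownGracefully with a zero quiet period returns immediately, so the call is safe inside finally. A regression check for the original symptom is to run the outbound S2S tests while watching the JVM's open-descriptor count (for example `ls /proc/<pid>/fd | wc -l` on Linux) and confirming it no longer climbs with each failed attempt.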
- ce54590 feat: OF-2599 - Delete all MINA dependencies, references, and deprecated implementations
- 2b95a74 OF-2632: Do not offer StartTLS when the identity store is empty
  When the identity store does not contain any certificates, inbound TLS will never be able to succeed. In such cases, let's not advertise the StartTLS feature.
Commits on Jul 31, 2023
- b3832d9 OF-2559 WIP Fixed TLS negotiation
  By waiting for handshake to complete before attempting SASL
- 681c496 fix: OF-2559 - re-implement strictCertificateValidation logic so that LocalOutboundServerSessionTest pass.
  Also add generic typing for Connection.starttls return type, some tidy up of comments and WIP code.
- f591cc9
- edec92b
Commits on Aug 1, 2023
- 8d8dd7f
- e4dd9df
- 1d10a99 Merge branch 'OF-2559_mina-to-netty' of https://github.com/surevine/Openfire into OF-2559_mina-to-netty
  # Conflicts:
  #   xmppserver/src/main/java/org/jivesoftware/openfire/net/VirtualConnection.java
  #   xmppserver/src/main/java/org/jivesoftware/openfire/nio/NettyConnection.java
- 381286d
- 7c9f90d OF-2559 Create new business logic handler for each session
  Prior to this commit handlers were being shared across all sessions. Now a new handler is instantiated per connection/session.
- 0dbf629 OF-2559 Pass netty events along pipeline
  Prior to this commit SSL Handshake events were not making it down the netty pipeline to our client connection handler (aka business logic handler). This meant that inbound connections were never set to encrypted=true, causing the session to be abandoned when TLS was required.
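The behaviour described in this commit, in 20ac715 (reacting to SslHandshakeCompletionEvent instead of waiting for a timeout) and in the OF-2611 commits (strictCertificateValidation applies to certificate validation failures only, and dialback must not follow a failed handshake when policy forbids it) fits into one per-connection handler placed after Netty's SslHandler. The following is an added example, not Openfire's NettyConnection or stanza handler; the class and callback names, the two policy flags and the assumption that a dialback fallback starts on a fresh connection are the example's own.

```java
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;

import javax.net.ssl.SSLSession;

import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslHandshakeCompletionEvent;

/**
 * Hypothetical handler (example code, not Openfire's) that sits right after
 * SslHandler. It is deliberately NOT @Sharable: it records whether THIS
 * connection is encrypted, so a new instance is created for every channel,
 * which is the point of the "new business logic handler per session" commit.
 */
public class TlsOutcomeHandler extends ChannelInboundHandlerAdapter {

    /** Assumed hooks into the session layer. */
    public interface SessionCallbacks {
        void onEncrypted(String protocol, String cipherSuite); // SASL EXTERNAL may now be attempted
        void onFallbackToDialback();                           // TLS unavailable, policy allows dialback
        void onRejected(String reason);                        // no authentication may follow
    }

    private final boolean tlsRequired;
    private final boolean strictCertificateValidation;
    private final SessionCallbacks callbacks;
    private volatile boolean encrypted;

    public TlsOutcomeHandler(boolean tlsRequired, boolean strictCertificateValidation,
                             SessionCallbacks callbacks) {
        this.tlsRequired = tlsRequired;
        this.strictCertificateValidation = strictCertificateValidation;
        this.callbacks = callbacks;
    }

    public boolean isEncrypted() {
        return encrypted;
    }

    @Override
    public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception {
        if (evt instanceof SslHandshakeCompletionEvent) {
            SslHandshakeCompletionEvent done = (SslHandshakeCompletionEvent) evt;
            if (done.isSuccess()) {
                encrypted = true;
                SSLSession session = ctx.pipeline().get(SslHandler.class).engine().getSession();
                callbacks.onEncrypted(session.getProtocol(), session.getCipherSuite());
            } else {
                onHandshakeFailed(ctx, done.cause());
            }
        }
        // Always propagate. A handler that swallows the event leaves everything after
        // it believing the connection is still plaintext (the bug this commit fixes).
        ctx.fireUserEventTriggered(evt);
    }

    private void onHandshakeFailed(ChannelHandlerContext ctx, Throwable cause) {
        String detail = cause == null ? "unknown cause" : cause.toString();
        boolean certProblem = isCertificateValidationFailure(cause);
        if (certProblem && strictCertificateValidation) {
            // Strict mode only bites on certificate problems: no dialback, close now.
            callbacks.onRejected("certificate validation failed: " + detail);
            ctx.close();
        } else if (tlsRequired) {
            // Any handshake failure is fatal when encryption is mandatory.
            callbacks.onRejected("TLS required but handshake failed: " + detail);
            ctx.close();
        } else {
            // Policy tolerates an unencrypted session: authenticate via dialback.
            // Netty closes the channel on handshake failure, so the session layer is
            // assumed to run dialback over a fresh connection.
            callbacks.onFallbackToDialback();
        }
    }

    /** Walks the cause chain; only a certificate or cert-path problem counts. */
    static boolean isCertificateValidationFailure(Throwable t) {
        int depth = 0;
        for (Throwable c = t; c != null && depth < 16; c = c.getCause(), depth++) {
            if (c instanceof CertificateException || c instanceof CertPathValidatorException) {
                return true;
            }
        }
        return false;
    }
}
```

isCertificateValidationFailure relies on the JDK provider chaining a CertificateException (or CertPathValidatorException) beneath the SSLHandshakeException that SslHandler reports; with the OpenSSL provider the cause chain can look different, so check what your provider surfaces before relying on the distinction between "certificate rejected" and "other TLS failure".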
- 5e06b1e OF-2559 Prevent old ssl engine from using TLS 1.3
  The old implementation (still used by ServerDialback) is unable to negotiate a TLS 1.3 connection. Netty-based connections can use TLS 1.3.