Description
migrated from Bugzilla #470848
status ASSIGNED severity enhancement in component http2 for 9.3.x
Reported in version unspecified on platform All
Assigned to: Greg Wilkins
On 2015-06-23 17:47:12 -0400, Louis Ryan wrote:
Full disclosure: I work on GRPC for Google and we have been using the ALPN/NPN bootclasspath mechanism for a while but are planning to switch to tcnative (specifically http://netty.io/wiki/forked-tomcat-native.html)
This change is motivated by a number of factors:
- Its proven hard to get client developers to properly set their bootclasspath based on their VM. It's been a pain with Maven and other harness-like environments too.
- SSLEngine has poor performance for many of the ciphers mandated by HTTP2 E.g. (https://bugzilla.redhat.com/show_bug.cgi?id=1135504)
- Our benchmarking has shown that a properly compiled pairing of tcnative and openssl outperforms SSLEngine on all ciphers.
- We need to be able to support a transparent fallback from ALPN to NPN when talking to servers that are restricted to using OpenSSL 1.0.1 or earlier (all current releases of Debian and RedHat do not yet have 1.0.2 available on stable). NPN bootclasspath is not supported for JDK1.8 and you cant have both Jetty-ALPN and Jetty-NPN installed at the same time.
Not sure if this is something you've looked into or talked about so I just wanted to make sure it was on your radar
Cheers
- Louis
On 2016-01-26 14:57:03 -0500, Louis Ryan wrote:
Just an update on work occurring in this area
netty-tcnative now statically links boringssl and will likely soon also provide options for a statically linked libressl & openssl for linux/mac/windows
netty/netty-tcnative#89 (comment)
This should fix its remaining installation overheads (e.g. dependency on modern shared openssl to be present in the environment)
This will also address Java7s lack of GCM ciphers (http2 required) and Java8s GCM performance issues which seem unlikely to be fixed until Java9.
There's also some ongoing discussion about doing the same with Androids JCE/JSSE provider Conscrypt which is licensed under Apache 2.
https://android.googlesource.com/platform/external/conscrypt/
On 2016-01-27 15:12:25 -0500, Jesse McConnell wrote:
Greg, circle up with me on this one!
On 2016-02-03 06:24:56 -0500, Greg Wilkins wrote:
We implemented Unix domain socket support for similar reasons. I did look at tcnative at the time but it was a little entangled.
The forks linked in this issue look a lot more usable and the drop in replacement of ssl engine should make this almost trivial to integrate with most work going into the pom and modules.
So worthwhile giving this a try in 9.4.