SSL/TLS Support Questions


Stevo

Dec 19, 2011, 2:42:56 PM12/19/11
to spray-user
I know that Spray doesn't currently support SSL, but would it be
possible to derive this via Mist? Also, will the integration of SSL/
TLS support mutual authentication?

Thanks in advance and best regards,


Steve Thompson

Mathias

Dec 19, 2011, 2:52:18 PM12/19/11
to spray...@googlegroups.com
Steve,

if you use spray-server on a servlet container (Jetty, Tomcat, Glassfish...) your application will be able to serve content over SSL without any problems.
The "no-SSL-yet" limitation only applies to the spray-can layer (and spray-client depending on it).

Akka Mist only supports servlet containers, so it doesn't buy us anything in this regard...

Cheers,
Mathias

---
mat...@spray.cc
http://www.spray.cc

Henry Story

Jan 28, 2012, 11:56:36 AM1/28/12
to spray...@googlegroups.com
Hi, I just discovered spray.cc, which looks very nice. My use case is building a Linked Data server - to serve and consume
linked data. You can see a simple version of this here: https://dvcs.w3.org/hg/read-write-web/ (WebID branch)
Currently I am using apache's http client, which is easy to use. Of course to use spray, I would have to duplicate the

 - redirect functionality that comes with it (and avoidance of infinite loops)
 - tcp/ip session management (so as to re-use existing connections to servers when possible)

I suppose the code to do that would end up looking a lot better in spray with actors, than in apache's http client.


It looks like spray is not quite ready for what I need, because of lack of support for https. This is because I am working on WebID,
a distributed authentication protocol using TLS: http://webid.info/spec

Btw. Netty allows one to set the NEED or WANT mode for the server per connection, which is very useful - in case you add TLS to
your server, keep in mind that having functionality such as the following is extremely useful:

    import java.security.cert.Certificate
    import org.jboss.netty.handler.ssl.SslHandler

    // `r` is the incoming request (its `underlying` Netty context gives access to the pipeline).
    // Helpers assumed from the surrounding code: `trySome` turns a call that may throw
    // (e.g. SSLPeerUnverifiedException when no client cert was sent) into an Option, and
    // `UserAgent`/`needAuth` decide whether this client must present a certificate (NEED)
    // or is merely asked for one (WANT).
    def peerCertificates(r: Request, fetch: Boolean): Option[IndexedSeq[Certificate]] = {
      val sslh = r.underlying.context.getPipeline.get(classOf[SslHandler])
      trySome(sslh.getEngine.getSession.getPeerCertificates.toIndexedSeq) orElse {
        // it seems that the jvm does not keep a very good cache of remote certificates in a session. But ...
        if (!fetch) None
        else {
          sslh.setEnableRenegotiation(true) // todo: does this have to be done on every request?
          r match {
            case UserAgent(agent) if needAuth(agent) => sslh.getEngine.setNeedClientAuth(true)
            case _                                   => sslh.getEngine.setWantClientAuth(true)
          }
          // a second handshake on the open connection carries the CertificateRequest
          val future = sslh.handshake()
          future.await(30000) // that's certainly way too long.
          if (future.isDone && future.isSuccess)
            trySome(sslh.getEngine.getSession.getPeerCertificates.toIndexedSeq)
          else
            None
        }
      }
    }



Btw. Spray seems quite similar to twitter's finagle. There too one has to set up the connections for each server
individually, and they seem to have very much tuned it for one server at a time.

Just searching around for the moment,

all the best,

   Henry
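The NEED/WANT distinction in Henry's snippet, shown as an added example that is not part of this thread nor of spray, Netty or Play: a stand-alone Go program (Go's crypto/tls is used here only because it runs without a JVM; the JSSE equivalents are SSLEngine.setNeedClientAuth / setWantClientAuth, and Go's tls.RequireAndVerifyClientCert / tls.RequestClientCert play the same roles). It mints two throwaway self-signed certificates (constructed test material; the client identity is called "alice"), runs four loopback handshakes and reports what the server side saw. One caveat: Go's server side does not support renegotiation, so the policy is fixed when the listener is created rather than switched per request as in the Netty code above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSigned mints a throwaway self-signed certificate: constructed test material for
// this example only; a real deployment would have a CA issue the certificates.
func selfSigned(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// tryHandshake performs one handshake over loopback TCP with the server in the given
// client-auth mode (WANT = tls.RequestClientCert, NEED = tls.RequireAndVerifyClientCert)
// and reports whether the server completed it and which client CN, if any, it saw.
func tryHandshake(policy tls.ClientAuthType, present bool) (ok bool, clientCN string) {
	serverCert, clientCert := selfSigned("server"), selfSigned("alice")
	clientCAs := x509.NewCertPool() // the only client identity the server will accept
	clientCAs.AddCert(clientCert.Leaf)
	serverCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: policy, ClientCAs: clientCAs}
	clientCfg := &tls.Config{InsecureSkipVerify: true} // self-signed server cert; verifying the server is not the point here
	if present { // present=false models a client that answers the CertificateRequest with no certificate
		clientCfg.Certificates = []tls.Certificate{clientCert}
	}

	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	must(err)
	defer ln.Close()

	done := make(chan struct{})
	go func() {
		defer close(done)
		raw, err := ln.Accept()
		must(err)
		conn := raw.(*tls.Conn)
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		if err := conn.Handshake(); err != nil { // NEED with no certificate fails here
			return
		}
		ok = true
		// WANT lets the handshake succeed with no certificate at all, so the application
		// must inspect PeerCertificates itself before treating the peer as authenticated.
		if peers := conn.ConnectionState().PeerCertificates; len(peers) > 0 {
			clientCN = peers[0].Subject.CommonName
		}
	}()

	if cli, err := tls.Dial("tcp", ln.Addr().String(), clientCfg); err == nil {
		cli.SetDeadline(time.Now().Add(5 * time.Second))
		cli.Read(make([]byte, 1)) // wait for the server's close_notify or its rejection alert
		cli.Close()
	}
	<-done
	return ok, clientCN
}

func main() {
	for _, policy := range []tls.ClientAuthType{tls.RequestClientCert, tls.RequireAndVerifyClientCert} {
		for _, present := range []bool{false, true} {
			ok, cn := tryHandshake(policy, present)
			fmt.Printf("%-28v client cert presented=%-5v -> handshake ok=%-5v client CN=%q\n", policy, present, ok, cn)
		}
	}
}
```

The point to take from the four runs is that under WANT a client that ignores the CertificateRequest still completes the handshake and the server simply sees an empty PeerCertificates list, which is why the Netty snippet above has to look at getPeerCertificates after the handshake rather than treating a successful handshake as authentication; under NEED the server aborts the handshake instead.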

Mathias

Jan 28, 2012, 2:26:08 PM1/28/12
to spray...@googlegroups.com
Henry,

> It looks like spray is not quite ready for what I need, because of lack of support for https.

Yes, we know that SSL support is critical for many users, so it's a top priority for spray-can right now.
We are currently in the middle of a major upgrade to the spray-can layer, which among other things (like an easy transition to Akka 2.0) will deliver SSL support.
However, it's not quite done yet, so at this time spray is indeed not ready for what you need.

> Btw. Netty allows one to set the NEED or WANT mode for the server per connection, which is very useful - in case you add TLS to
> your server, keep in mind that having functionality such as the following is extreemly useful:

I don't know what you mean by the "NEED or WANT mode for the server per connection".
Could you go into a little more details?
What exactly is the functionality you think would be extremely useful?

> Btw. Spray seems quite similar to twitter's finagle. There too one has to set up the connections for each server
> individually, and they seem to have very much tuned it for one server at a time.

Finagle is _much_ bigger than spray-can.
More features, a lot more dependencies and a lot more general weight.
At the time we started spray-can there was no version for Scala 2.9.1 yet (it just came out very recently).
That said, it would certainly not be hard to enable spray to run on Finagle as the basic HTTP layer...
(or on Netty directly).

Cheers,
Mathias

---
mat...@spray.cc
http://www.spray.cc

Mathias

Oct 2, 2012, 10:33:31 AM10/2/12
to spray...@googlegroups.com
Interesting!

We haven't yet had any reason to include client certificate access or TLS renegotiation.
However, from the looks of it the addition of these two should be quite easy (thanks to the new spray-io pipeline architecture).

Basically the way it would work is by sending a `TlsRenegotiate` command to the sender ActorRef of an incoming HttpRequest, upon which the SSLEngine is asked to start renegotiation. Asking for client certs would be similar: Just send a `GetClientCertificates` command to the sender and receive back a message holding the certificates.
I have just added an issue to track this feature: https://github.com/spray/spray/issues/138

Thanks for bringing it up!

Cheers,
mathias

---
mat...@spray.cc
http://www.spray.cc

On 02.10.2012, at 16:12, Alexandre Bertails wrote:

> I'm really *really* interested in Spray for many reasons. I see that SSL is now fully supported, but I'm wondering how one can access a client certificate, and ask for TLS renegotiation (the certificate is not asked up front).
>
> This would be the same as Henry's work in https://github.com/playframework/Play20/pull/340 .
>
> Any clue?
>
> Alexandre.

Alexandre Bertails

Oct 2, 2012, 10:50:34 AM10/2/12
to spray...@googlegroups.com
Wow, what a quick answer :-)

On Tue, Oct 2, 2012 at 10:33 AM, Mathias <mat...@spray.cc> wrote:
> Interesting!
>
> We haven't yet had any reason to include client certificate access or TLS renegotiation.
> However, from the looks of it the addition of these two should be quite easy (thanks to the new spray-io pipeline architecture).
>
> Basically the way it would work is by sending a `TlsRenegotiate` command to the sender ActorRef of an incoming HttpRequest, upon which the SSLEngine is asked start renegotiation. Asking for client certs would be similar: Just send a `GetClientCertificates` command to the sender and receive back a message holding the certificates.

Sounds good.

> I have just added an issue to track this feature: https://github.com/spray/spray/issues/138
>
> Thanks for bringing it up!

I'm now following #138 with great interest! This would be another
reason to build our Linked Data server on top of Spray instead of
Play.

Alexandre.

Mathias

Oct 2, 2012, 11:00:00 AM10/2/12
to spray...@googlegroups.com
> I'm now following #138 with great interest! This would be another
> reason to build our Linked Data server on top of Spray instead of the
> Play.

Great!

We are working hard on the docs for the next release...
When they are done and the release is out #138 should be a quick thing.

Cheers,
Mathias

---
mat...@spray.cc
http://www.spray.cc


Henry Story

Oct 16, 2012, 7:35:43 AM10/16/12
to spray...@googlegroups.com
The Play people are delaying their support of TLS client certs to 2.2.
But my work there got some review which should be interesting to you 

Mathias

Oct 16, 2012, 7:54:32 AM10/16/12
to spray...@googlegroups.com
Henry,

thanks a lot for the pointers.
We'll dive into this content soon.

Great to have you on the list, maybe you'll even be around to help reviewing the spray-io implementation, which we expect to be quite light-weight.

Cheers,
Mathias

---
mat...@spray.io
http://www.spray.io

Henry Story

Oct 16, 2012, 8:04:42 AM10/16/12
to spray...@googlegroups.com
On Tuesday, 16 October 2012 13:54:38 UTC+2, Mathias wrote:
> Henry,
>
> thanks a lot for the pointers.
> We'll dive into this content soon.
>
> Great to have you on the list, maybe you'll even be around to help reviewing the spray-io implementation, which we expect to be quite light-weight.

I'll be keeping my eyes out for this. 
In the immediate future I need to prepare for TPAC at the end of the month in Lyon 
http://www.w3.org/2012/10/TPAC/  where the WebID group is meeting. 
After that I'd like to also end up running WebID inside of Tor for Xmas ... (If that interests anyone)

If you have questions don't hesitate to call...

Henry Story

Dec 23, 2013, 6:47:43 AM12/23/13
to spray...@googlegroups.com
Hi all,

    We are really thinking of moving over to Spray, but we still need better client certificate
support for the WebID authentication protocol, which is the cornerstone of our application.
There was a bug open last year on this issue but it seems to have gotten lost in the move
between repositories.

I re-opened it here:


I can help out, but this is probably going to be much easier to do for people who wrote the TLS layer to
get going.