Using ssl and tls with akka 2.3.7


pa...@blackopsdev.com

Dec 11, 2014, 9:34:00 AM
to akka...@googlegroups.com
Hello, everyone!
I'm using akka.io 2.3.7 and I don't see any SSL/TLS support there.
As far as I understand it was removed (since 2.3.x). Is it correct?
Why? Will it come back?

And... Is there a clean workaround? 
Maybe this topic was discussed before, but I didn't find an appropriate link.


Thanks, Paul

Henry Story

Dec 11, 2014, 11:25:33 AM
to akka...@googlegroups.com

On 11 Dec 2014, at 16:07, henry...@bblfish.net wrote:


On 11 Dec 2014, at 14:33, pa...@blackopsdev.com wrote:

Hello, everyone!
I'm using akka.io 2.3.7 and I don't see any SSL/TLS support there.
As far as I understand it was removed (since 2.3.x). Is it correct?
Why? Will it come back?

TLS (a.k.a. SSL) server support has been added recently.
It is still missing client certificate renegotiation for it to be useful enough for
me to move my server away from netty to akka.




And... Is there a clean workaround? 
Maybe this topic was discussed before, but I didn't find an appropriate link.


Thanks, Paul


-- 
>>>>>>>>>> Read the docs: http://akka.io/docs/
>>>>>>>>>> Check the FAQ: http://doc.akka.io/docs/akka/current/additional/faq.html
>>>>>>>>>> Search the archives: https://groups.google.com/group/akka-user
--- 
You received this message because you are subscribed to the Google Groups "Akka User List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to akka-user+...@googlegroups.com.
To post to this group, send email to akka...@googlegroups.com.
Visit this group at http://groups.google.com/group/akka-user.
For more options, visit https://groups.google.com/d/optout.

Social Web Architect

Björn Antonsson

Dec 12, 2014, 8:00:41 AM
to akka...@googlegroups.com
Hi Paul,

SSL/TLS support in akka will be part of the akka streams work that is ongoing right now. The aim is to have it available by Q1 2015.

B/

-- 
Björn Antonsson
Typesafe – Reactive Apps on the JVM
twitter: @bantonsson

Pavel Popov

Dec 12, 2014, 10:37:38 AM
to akka...@googlegroups.com
Thank you for reply.

But I don't understand the reason: why was it moved to streams instead of being a part of IO?
From a user's perspective it would be predictable to find an SSL listener inside the IO package, not somewhere else...

Roland Kuhn

Dec 13, 2014, 3:01:32 AM
to akka-user
Hi Pavel,

an SSL engine can operate on any kind of byte stream, it is not tied to TCP per se. This is why we will offer it as a DSL element that you can plug anywhere into your pipeline. As to looking into the IO package: I am not certain that I would expect SSL to be in there given that SSL itself does not do IO, it is only an encryption protocol suite.

Regards,

Roland


Dr. Roland Kuhn
Akka Tech Lead
Typesafe – Reactive apps on the JVM.
twitter: @rolandkuhn


Pavel Popov

Dec 13, 2014, 4:42:01 AM
to akka...@googlegroups.com
Big thanks! It explained a lot.

Thomas Zimmer

Dec 19, 2014, 11:56:39 AM
to akka...@googlegroups.com
Hi,

I also had this issue, but thanks to some examples [https://github.com/xbucchiotty/akka-stream-ssltlscipher/blob/master/src/test/scala/Test.scala] and of course the TLS specs [https://github.com/akka/akka/blob/62a20195af79c7b405303b5f97970c9ca7a6891a/akka-stream/src/test/scala/akka/stream/io/SslTlsFlowSpec.scala] I could create a small actor application which is using reactive streams:


You can simply run it with openssl s_client (which I used during testing).

Regards,
Thomas

Pavel Popov

Dec 19, 2014, 1:29:58 PM
to akka...@googlegroups.com
Thank you Thomas! Now I can make this thing work :)

Roland Kuhn

Dec 19, 2014, 2:31:23 PM
to akka-user
Thanks for sharing!

Thomas Zimmer

Dec 19, 2014, 5:57:38 PM
to akka...@googlegroups.com
No problem :) 

The code only has one issue, which is that it can only accept one SSL connection at the moment (and then needs to be restarted); that can be easily fixed.

@Rkuhn: Is it correct that I need a new SSLNegoation instance per client connection? And is it OK to run embedded Flows? Like here:
ServerBinding.Connections -> TlsCipher -> SessionInboundData. 

Regards,
Thomas

Will Sargent

Jan 7, 2015, 1:25:06 PM
to akka...@googlegroups.com
Hi Thomas,

There's some things you should watch out for in your code:

* If you want to use TLS 1.2, you should specify getInstance("TLSv1.2") specifically (JDK 1.7 defaults to TLS 1.0) 
* You should disable SSLv3 (at the very least) using setEnabledProtocols().
* You are better off initializing the SSLContext with null instead of new SecureRandom, and leaving it up to JSSE itself.

Also a couple of configuration points:

* Since you are using SSLEngine in server mode, you should start the JVM with -Djdk.tls.rejectClientInitiatedRenegotiation=true to disable client renegotiation.
* You should also set -Djdk.tls.ephemeralDHKeySize=2048 to increase the hardcoded keysize internally.

Finally, as Henry mentioned earlier, the code here doesn't do any server identity checks.  If you're using HTTPS, then you should use HostnameChecker directly or set setEndpointIdentificationAlgorithm("HTTPS") directly -- otherwise, you may want to look at RFC 6125 for a generic server identity check.  More here: http://tersesystems.com/2014/03/23/fixing-hostname-verification/

Hope that helps,

Will.

Thomas Zimmer

Jan 7, 2015, 4:45:50 PM
to akka...@googlegroups.com
Wow, thank you so much Will for this feedback.

I already have a new version (https://gist.github.com/Alien2150/9468c871135fd94869a2) that can deal with multiple connections. I think I will embed your feedback and will come up with a new version. Meanwhile I am struggling with another issue: https://groups.google.com/forum/#!topic/akka-user/wjUy6g2NUOg

Regards,
Thomas

Will Sargent

Jan 7, 2015, 5:01:19 PM
to akka...@googlegroups.com
Finally, as Henry mentioned earlier, the code here doesn't do any server identity checks.  If you're using HTTPS, then you should use HostnameChecker directly or set setEndpointIdentificationAlgorithm("HTTPS") directly -- otherwise, you may want to look at RFC 6125 for a generic server identity check.  More here: http://tersesystems.com/2014/03/23/fixing-hostname-verification/

Addendum: forgot to mention that server identity checks only really matter if you have SSLEngine operating as a client, rather than as a server, so it's not a requirement.  

Will Sargent
Consultant, Professional Services
Typesafe, the company behind Play Framework, Akka and Scala
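The points from Will's two messages above, pulled together into one SSLEngine factory. This is an added example, not code from the thread, from Thomas's gist or from Akka itself; the object and function names, the allow-list, and the keystore loading are assumptions, and the weak variant is shown only for contrast with the hardened one.

```scala
import java.io.FileInputStream
import java.security.{KeyStore, SecureRandom}
import javax.net.ssl.{KeyManagerFactory, SSLContext, SSLEngine, TrustManagerFactory}

// Added example (not the thread's or Akka's code). Keystore type, path and
// password handling are assumptions; substitute your own.
object HardenedTls {

  // Everything not on this list is disabled: SSLv3, SSLv2Hello, TLSv1, TLSv1.1.
  val AllowedProtocols: Set[String] = Set("TLSv1.2")

  def loadKeyStore(path: String, password: Array[Char]): KeyStore = {
    val ks = KeyStore.getInstance(KeyStore.getDefaultType)
    val in = new FileInputStream(path)
    try ks.load(in, password) finally in.close()
    ks
  }

  // The "before" shape the thread warns about, kept only for contrast.
  def weakContext(keyStore: KeyStore, password: Array[Char]): SSLContext = {
    val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
    kmf.init(keyStore, password)
    val ctx = SSLContext.getInstance("TLS")                 // whatever the JDK picks
    ctx.init(kmf.getKeyManagers, null, new SecureRandom())  // hand-built RNG
    ctx                                                     // engines keep the JDK's default
  }                                                         // protocol list, SSLv3 included

  // Hardened: pin the context to TLS 1.2 and let JSSE choose its SecureRandom.
  def hardenedContext(keyStore: KeyStore, password: Array[Char],
                      trustStore: KeyStore): SSLContext = {
    val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
    kmf.init(keyStore, password)
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
    tmf.init(trustStore)
    val ctx = SSLContext.getInstance("TLSv1.2")
    ctx.init(kmf.getKeyManagers, tmf.getTrustManagers, null)  // null => JSSE's own SecureRandom
    ctx
  }

  // Intersect what the engine supports with what we allow; SSLv3 never survives.
  def filterProtocols(supported: Array[String]): Array[String] =
    supported.filter(AllowedProtocols.contains)

  // One SSLEngine per accepted connection: the engine holds that connection's
  // handshake and session state and cannot be shared between connections.
  def serverEngine(ctx: SSLContext): SSLEngine = {
    val engine = ctx.createSSLEngine()
    engine.setUseClientMode(false)
    engine.setEnabledProtocols(filterProtocols(engine.getSupportedProtocols))
    engine
  }

  // Client side: same protocol filter, plus the server identity check that
  // Will's addendum says only matters in client mode. host/port feed SNI and
  // the certificate name check.
  def clientEngine(ctx: SSLContext, host: String, port: Int): SSLEngine = {
    val engine = ctx.createSSLEngine(host, port)
    engine.setUseClientMode(true)
    engine.setEnabledProtocols(filterProtocols(engine.getSupportedProtocols))
    val params = engine.getSSLParameters
    params.setEndpointIdentificationAlgorithm("HTTPS")  // JSSE's RFC 2818 style name check
    engine.setSSLParameters(params)
    engine
  }

  // Smoke run without a keystore: a default-initialised TLSv1.2 context is
  // enough to show which protocols survive the filter.
  def main(args: Array[String]): Unit = {
    val ctx = SSLContext.getInstance("TLSv1.2")
    ctx.init(null, null, null)
    val engine = serverEngine(ctx)
    println("supported: " + engine.getSupportedProtocols.mkString(", "))
    println("enabled:   " + engine.getEnabledProtocols.mkString(", "))
  }
}
```

The two JVM properties from Will's list are not set from this code on purpose: they are read when the JSSE handshake classes initialise, so they belong on the command line, e.g. `java -Djdk.tls.rejectClientInitiatedRenegotiation=true -Djdk.tls.ephemeralDHKeySize=2048 ...`. To check the result the way Thomas did, `openssl s_client -connect host:port -ssl3` should be refused by the server while `openssl s_client -connect host:port -tls1_2` should complete the handshake.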

Tim Kellogg

Apr 8, 2015, 7:58:31 PM
to akka...@googlegroups.com
Hi, 

I tried out this gist with akka-stream % 1.0M5 and it doesn't compile. The main problem is this code

    // Setup flow
    conn.flow.join(
      Flow(
        Sink(cipher.cipherTextInbound),   // Incoming data (client -> sslActor -> server)
        Source(cipher.cipherTextOutbound) // Outgoing data (server -> sslActor -> client)
      )
    ).run()

I know this code was written in January, but can someone translate this into code that compiles with the current version of akka-stream? 

Much thanks,
Tim

Endre Varga

Apr 9, 2015, 2:48:07 AM
to akka...@googlegroups.com
Hi Tim,

On Thu, Apr 9, 2015 at 1:57 AM, Tim Kellogg <timothy...@gmail.com> wrote:
Hi, 

I tried out this gist with akka-stream % 1.0M5 and it doesn't compile. The main problem is this code

    // Setup flow
    conn.flow.join(
      Flow(
        Sink(cipher.cipherTextInbound),   // Incoming data (client -> sslActor -> server)
        Source(cipher.cipherTextOutbound) // Outgoing data (server -> sslActor -> client)
      )
    ).run()

I know this code was written in January, but can someone translate this into code that compiles with the current version of akka-stream? 

The engine is currently being ported to the new API style; the old code you see is very cumbersome and has some bugs we want to fix. The new TLS engine is scheduled for 1.0-RC1, which is our next milestone.

-Endre