Status of SSL support


P

Mar 12, 2012, 6:36:19 PM
to Aleph
Hi,

I was looking for SSL configuration information in aleph/netty and
came across some old thread at http://goo.gl/z6ZYp. From reading this
thread, I gather someone added SSL support but I don't think the work
was merged back. Is SSL going to be supported in aleph?

Thanks

Zach Tellman

Mar 12, 2012, 6:49:36 PM
to alep...@googlegroups.com
The current suggested approach is to put something else in front of
Aleph to handle the SSL. HTTPS is supported for HTTP clients in
0.2.1, but I don't see any compelling reasons to have SSL support for
servers in Aleph proper, rather than just using a proxy. Am I
overlooking something? I'm willing to be convinced otherwise.

Zach

Andrew Cholakian

Mar 12, 2012, 6:59:36 PM
to alep...@googlegroups.com
Agreed that currently it doesn't make much sense.

However, it probably will ultimately be required for SPDY support yes? I think the latest netty now has SPDY support.

Zach Tellman

Mar 12, 2012, 7:37:16 PM
to alep...@googlegroups.com
Yes, though my understanding is that as the ecosystem for SPDY support
matures, it's likely that proxies will speak SPDY and transform that
stream into distinct HTTP requests. I'm happy to wait and see how
that plays out.

Zach

P

Mar 12, 2012, 7:50:32 PM
to Aleph
Hi Zach,

Thanks for your response.

I understand your stance on SSL support in aleph proper. Since you are
willing to be convinced otherwise, I will give it a mild try :)

Let me start by saying that I don't have any empirical measurements to
say that introducing an additional SSL-capable component is affecting
my application adversely. But, in my application, there are already
four intermediaries proxying information from the source to UI and I
would like to avoid introducing another one (I have no control over
these - these are external systems and networking considerations make
it necessary to add some intermediaries). The components I have
implemented have an aleph-based api (asynchronous requests/responses).
There is quite a bit of data being passed around which requires a lot
of memory and even at gigabytes, it is still a precious commodity that
I would like to reserve for other purposes.

I am not very familiar with netty but my limited browsing around seems
to say that SSL support is available for it. As work to support SSL in
aleph has already been done, it would seem that adding it to aleph
would be a matter of integration/testing and not new development. I
have found aleph/netty work really well in my use cases and adding SSL
support will make it complete from my point of view. If there are use
cases where it makes sense to offload SSL processing to another
component, it is still possible. OTOH, those who don't have a strong
reason to package and manage another component have no choice but to
do so.

I don't know if this makes for a convincing case but I hope it is
clear where I am coming from. Let me know what you think.

Thanks,

On Mar 12, 3:49 pm, Zach Tellman <ztell...@gmail.com> wrote:
> The current suggested approach is to put something else in front of
> Aleph to handle the SSL.  HTTPS is supported for HTTP clients in
> 0.2.1, but I don't see any compelling reasons to have SSL support for
> servers in Aleph proper, rather than just using a proxy.  Am I
> overlooking something?  I'm willing to be convinced otherwise.
>
> Zach
>
> On Mon, Mar 12, 2012 at 3:36 PM, P <praki.prak...@gmail.com> wrote:
> > Hi,
>
> > I was looking for SSL configuration information in aleph/netty and
> > came across some old thread at http://goo.gl/z6ZYp From reading this

Zach Tellman

Mar 12, 2012, 8:31:49 PM
to alep...@googlegroups.com
I'd be surprised if adding nginx as an additional layer required much
in the way of resources.

You're correct that Netty already supports SSL for servers, but the
question of how to expose that support isn't a trivial one, especially
since I have no prior experience with javax.net.ssl.SSLEngine & co.
If I don't think my version of SSL support will be meaningfully better
than simply adding nginx or something else to your stack, I'd rather
not have to design and support that feature. This leaves my time open
to improve existing functionality, and to implement things that aren't
already provided by existing tools. It's likely those improvements
will have a more substantive impact on the performance of your
application than keeping the SSL handling in a single process.

Thanks for using Aleph, let me know if you ever have a problem I can help with.

Zach

Tyler Tallman

Aug 9, 2012, 5:18:18 PM
to alep...@googlegroups.com
It is a big value to my company as we need to have secure websockets and we have been having trouble finding proxy solutions that understand websockets.

Tyler Tallman

Aug 9, 2012, 6:11:00 PM
to alep...@googlegroups.com
I do not want to add to your plate, but if you could advise us: I saw there was a patch submitted. Would it be wise to follow that branch?

Zach Tellman

Aug 9, 2012, 6:15:12 PM
to alep...@googlegroups.com
Something like stud [1], which is an SSL proxy for bare sockets,
should work for your use case (note: I haven't used stud myself, it's
just an example of a class of tool).

That branch is not current, and I don't advise using it in production.

Zach

[1] https://github.com/bumptech/stud

Tyler Tallman

Aug 9, 2012, 6:39:39 PM
to alep...@googlegroups.com
Perfect. I had been looking for any solution like that for a while. I appreciate your help and thanks for the great new work lamina.
--
Tyler Tallman
Project Manager
Breeze EHR

adhertz

Oct 2, 2012, 11:33:23 AM
to alep...@googlegroups.com
I'm new to clojure and aleph but I think there are some cases where it is nice to have SSL incorporated within Aleph.  For example, I'm interested in Web ID (http://www.w3.org/wiki/WebID) and I think a nice implementation is possible with Aleph.  However, because the authentication scheme depends on some relatively low level SSL stuff, it would be convoluted to split the handler across Aleph and a separate SSL proxy.

I understand your desire to leave SSL out of aleph.  I think rather than providing explicit bindings for Netty's SSL support, it would be nice to provide access to the Netty pipeline that is constructed within Aleph's start-http-server.  With that in mind, I added a "customize-pipeline" option to the start-http-server options map[1].   With this hook in place, I can write some specialized SSL handling code in my own project, entirely outside of Aleph, and then add the associated SSLHandler to the front of the http server Netty pipeline. I don't know if my implementation is the best way to expose the Netty pipeline, but I think something like this provides flexibility that goes well beyond SSL handling, without putting any additional burden on Aleph.    


- Alex

Zach Tellman

Oct 7, 2012, 1:55:22 AM
to alep...@googlegroups.com
I'd want to put it inside the :netty sub-options, and would prefer to
call it :pipeline-transform, but otherwise that seems like a fine
compromise. If you open a pull request with those changes, I'll merge
it in.

Zach

adhertz

Nov 10, 2012, 3:43:00 PM
to alep...@googlegroups.com
Hey Zach,

I made the changes like you described and submitted the pull request a while back. Let me know if there are any problems keeping you from merging it.

Thanks,
Alex

Hunter Kelly

May 13, 2013, 12:41:55 PM
to alep...@googlegroups.com
Hi, just wondering if these changes were ever merged in?

I'm looking at the possibility of writing a testing server which accepts messages in different formats, such as APNS, GCM, etc.  APNS uses SSL over TCP.

I'd like to write the server using Aleph (which looks very nice for what I need to do) without having a separate proxy server (such as stud) if at all possible.

Cheers,

H

Zach Tellman

May 23, 2013, 5:01:43 PM
to alep...@googlegroups.com
Hi Hunter,

There is support for defining a Netty pipeline transform function in the start-server options under {:netty {:pipeline-transform ...}}. You're free to do whatever you like with that.

Zach
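
The pipeline-transform approach discussed in the posts above, sketched as an added example; it is not code from the thread or from Aleph. It assumes an Aleph release built on Netty 3 (org.jboss.netty) and that the transform function is called with the ChannelPipeline built for each new connection. The namespace, keystore path, password and port are placeholders.

```clojure
;; Added example, not Aleph's own code. Assumption: the :pipeline-transform
;; function receives each connection's ChannelPipeline; it mutates and returns
;; it, which works whether or not Aleph uses the return value.
(ns example.tls-server
  (:require [aleph.http :refer [start-http-server]]
            [clojure.java.io :as io]
            [lamina.core :refer [enqueue]])
  (:import [java.security KeyStore]
           [javax.net.ssl KeyManagerFactory SSLContext]
           [org.jboss.netty.channel ChannelPipeline]
           [org.jboss.netty.handler.ssl SslHandler]))

(defn server-ssl-context
  "Builds an SSLContext from a JKS keystore holding the server key and
  certificate chain."
  ^SSLContext [keystore-path ^String password]
  (let [pw  (.toCharArray password)
        ks  (KeyStore/getInstance "JKS")
        kmf (KeyManagerFactory/getInstance (KeyManagerFactory/getDefaultAlgorithm))]
    (with-open [in (io/input-stream keystore-path)]
      (.load ks in pw))
    (.init kmf ks pw)
    (doto (SSLContext/getInstance "TLS")
      (.init (.getKeyManagers kmf) nil nil))))

(defn ssl-transform
  "Returns a pipeline transform that puts an SslHandler first, so every later
  stage (HTTP codec, websocket upgrade) only sees decrypted bytes. An
  SSLEngine holds per-connection state, so a new one is made on each call."
  [^SSLContext ctx]
  (fn [^ChannelPipeline pipeline]
    (let [engine (doto (.createSSLEngine ctx)
                   (.setUseClientMode false))] ; this side is the TLS server
      (.addFirst pipeline "ssl" (SslHandler. engine))
      pipeline)))

(defn hello [channel request]
  (enqueue channel {:status 200
                    :headers {"content-type" "text/plain"}
                    :body "hello over TLS"}))

(defn -main [& _]
  ;; "server.jks" and "changeit" are placeholders; read the real secret from config.
  (start-http-server hello
    {:port 8443
     :netty {:pipeline-transform
             (ssl-transform (server-ssl-context "server.jks" "changeit"))}}))
```

Creating the SSLContext once and the SSLEngine per call matters: sharing one engine across connections breaks the handshake state of every connection after the first.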

