Jenkins / JENKINS-66715

add Winstone support for running with Conscrypt security provider


    • Improvement
    • Resolution: Unresolved
    • Major
    • winstone-jetty
    • None
    • Jenkins 2.289.3 LTS w/standard Winstone container, jdk-11.0.12

      In order to benefit from the much-faster (10x faster?) conscrypt HTTP/2 ALPN implementation (see https://webtide.com/conscrypting-native-ssl-for-jetty/ ), I am trying to enable it using Jenkins 2.289.3 LTS on the built-in Winstone container (based on jetty-9.4.41.v20210516), running under JDK 11.0.12. Unfortunately, I cannot get it to work, apparently due to the way Jenkins/Winstone (not sure which one) start up Jetty. There seems to be an ordering issue in how the providers are registered, and the Conscrypt library needs to be loaded first for this to work, but the sun.security.ssl.SSLContextImpl provider is loaded first instead.

      I have also tried using the (much slower) default Jetty ALPN library jetty-alpn-java-server-9.4.41.v20210516.jar and that works fine.  So this appears to be an issue with using the conscrypt ALPN impl library with Winstone/Jetty.

      This conscrypt setup is briefly described in the Jenkins Winstone instructions at https://github.com/jenkinsci/winstone

      I have downloaded and placed

      conscrypt-openjdk-uber-2.5.2.jar
      and
      jetty-alpn-conscrypt-server-9.4.41.v20210516.jar

      in a '/path/to/lib' directory (so they can be picked up by Winstone in the extraLibFolder)

      I also have a winstone.properties file like this:

      extraLibFolder=/path/to/lib
      httpPort=-1
      httpsPort=-1
      http2Port=443

      and start up Jenkins like this:

      $JAVA_HOME/bin/java -jar ./jenkins.war

      This works fine when I use the default Jetty ALPN implementation.

      However, I am unable to get the conscrypt ALPN implementation working properly - although it starts up fine, when I hit Jenkins in a browser, I get this exception:

      2021-09-24 02:50:05.976+0000 [id=14] WARNING o.e.j.io.ManagedSelector$Accept#failed: java.lang.IllegalStateException: Connection rejected: No ALPN Processor for sun.security.ssl.SSLEngineImpl from [org.eclipse.jetty.alpn.conscrypt.server.ConscryptServerALPNProcessor@23ac0d3a]

      This appears to be occurring due to the issue described here:
      https://github.com/eclipse/jetty.project/issues/4199

      and here:
      https://github.com/eclipse/jetty.project/issues/2950 (search for text 'This is quite interesting')

      and here:
      https://stackoverflow.com/questions/58378276/jetty-http2-server-is-not-working-on-java-8

      I am wondering if the fix described in those posts - change
      Security.addProvider(new OpenSSLProvider());
      to
      Security.insertProviderAt(new OpenSSLProvider(), 1);
      – can be applied in the Jenkins Winstone integration - so that Jenkins admins can benefit from using the much-faster conscrypt ALPN library.   It seems like it will help with scalability.

            Unassigned
            srothco Steve Roth
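The difference between the two registration calls quoted in the description, as an added example that is not part of the original issue and is not Jenkins, Winstone or Jetty code. It assumes JDK 9 or later and uses a constructed stand-in provider (StandInProvider, with a hypothetical class name behind its SSLContext entry) in place of Conscrypt's OpenSSLProvider, so it runs with the JDK alone.

```java
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;

public class ProviderOrderCheck {
    // Constructed stand-in for Conscrypt's OpenSSLProvider (assumption: it only
    // advertises an SSLContext "TLS" entry; the class it names is hypothetical
    // and is never loaded by this program).
    static final class StandInProvider extends Provider {
        StandInProvider() {
            super("StandInConscrypt", "1.0", "constructed stand-in, not Conscrypt");
            put("SSLContext.TLS", "example.StandInSSLContextSpi");
        }
    }

    // First provider, in JCA preference order, that offers SSLContext "TLS".
    static String firstTlsProvider() {
        Provider[] offering = Security.getProviders("SSLContext.TLS");
        return (offering == null || offering.length == 0) ? "none" : offering[0].getName();
    }

    public static void main(String[] args) throws Exception {
        Provider standIn = new StandInProvider();

        // addProvider() appends to the end of the list, so the JDK provider still wins.
        int pos = Security.addProvider(standIn);
        System.out.println("addProvider: stand-in at position " + pos
                + ", first TLS provider = " + firstTlsProvider());

        // The engine a default lookup hands out in this state; its class is what
        // an ALPN processor has to recognise.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        System.out.println("engine class: " + ctx.createSSLEngine().getClass().getName()
                + " (from " + ctx.getProvider().getName() + ")");

        // insertProviderAt(..., 1) puts the provider at the head of the list.
        Security.removeProvider(standIn.getName());
        pos = Security.insertProviderAt(standIn, 1);
        System.out.println("insertProviderAt: stand-in at position " + pos
                + ", first TLS provider = " + firstTlsProvider());

        Security.removeProvider(standIn.getName()); // restore the original order
    }
}
```

Moving a provider to position 1 changes the default for every JCA lookup it advertises in that JVM, not only SSLContext, so the resulting order is worth checking with Security.getProviders() after startup.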