From 0e11ec20570f7f6bc79151cf92b7e5d710ff1234 Mon Sep 17 00:00:00 2001 
From: Konrad Malawski Date: Mon, 25 Apr 2016 12:01:03 +0200 Subject: [PATCH] !htc #20371 allows for simple HTTPS usage from Java, fixes typo in APIs (#20373) --- .../server/HttpsServerExampleTest.java | 27 +++ ...s-support.rst => client-https-support.rst} | 2 +- akka-docs/rst/java/http/client-side/index.rst | 2 +- akka-docs/rst/java/http/index.rst | 1 + .../java/http/server-side-https-support.rst | 92 ++++++++ .../server/HttpsServerExampleSpec.scala | 72 ++++++ ...s-support.rst => client-https-support.rst} | 2 +- .../rst/scala/http/client-side/index.rst | 2 +- akka-docs/rst/scala/http/index.rst | 1 + akka-docs/rst/scala/http/introduction.rst | 3 +- .../scala/http/low-level-server-side-api.rst | 36 +-- .../rst/scala/http/routing-dsl/index.rst | 4 + .../scala/http/server-side-https-support.rst | 101 +++++++++ .../akka/http/javadsl/ConnectionContext.scala | 7 +- .../main/scala/akka/http/javadsl/Http.scala | 17 +- .../main/scala/akka/http/scaladsl/Http.scala | 10 +- .../scala/akka/http/scaladsl/TestServer.scala | 2 + .../examples/simple/SimpleServerApp.java | 211 ++++++++++++------ .../resources/httpsDemoKeys/keys/README.md | 57 +++++ .../resources/httpsDemoKeys/keys/chain.pem | 40 ++++ .../resources/httpsDemoKeys/keys/rootCA.crt | 21 ++ .../resources/httpsDemoKeys/keys/rootCA.key | 27 +++ .../resources/httpsDemoKeys/keys/server.crt | 19 ++ .../resources/httpsDemoKeys/keys/server.key | 27 +++ .../resources/httpsDemoKeys/keys/server.p12 | Bin 0 -> 3384 bytes .../http/javadsl/client/HttpAPIsTest.java | 4 + .../scala/akka/stream/impl/fusing/Ops.scala | 3 +- project/MiMa.scala | 4 + 28 files changed, 674 insertions(+), 120 deletions(-) create mode 100644 akka-docs/rst/java/code/docs/http/javadsl/server/HttpsServerExampleTest.java rename akka-docs/rst/java/http/client-side/{https-support.rst => client-https-support.rst} (99%) create mode 100644 akka-docs/rst/java/http/server-side-https-support.rst create mode 100644 
akka-docs/rst/scala/code/docs/http/scaladsl/server/HttpsServerExampleSpec.scala rename akka-docs/rst/scala/http/client-side/{https-support.rst => client-https-support.rst} (99%) create mode 100644 akka-docs/rst/scala/http/server-side-https-support.rst create mode 100644 akka-http-tests/src/main/resources/httpsDemoKeys/keys/README.md create mode 100644 akka-http-tests/src/main/resources/httpsDemoKeys/keys/chain.pem create mode 100644 akka-http-tests/src/main/resources/httpsDemoKeys/keys/rootCA.crt create mode 100644 akka-http-tests/src/main/resources/httpsDemoKeys/keys/rootCA.key create mode 100644 akka-http-tests/src/main/resources/httpsDemoKeys/keys/server.crt create mode 100644 akka-http-tests/src/main/resources/httpsDemoKeys/keys/server.key create mode 100644 akka-http-tests/src/main/resources/httpsDemoKeys/keys/server.p12
diff --git a/akka-docs/rst/java/code/docs/http/javadsl/server/HttpsServerExampleTest.java b/akka-docs/rst/java/code/docs/http/javadsl/server/HttpsServerExampleTest.java
new file mode 100644
index 0000000000..9499b86cbe
--- /dev/null
+++ b/akka-docs/rst/java/code/docs/http/javadsl/server/HttpsServerExampleTest.java
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2009-2016 Lightbend Inc.
+ */
+
+package docs.http.javadsl.server;
+
+import akka.actor.ActorSystem;
+import com.typesafe.sslconfig.akka.AkkaSSLConfig;
+import org.junit.Test;
+import org.scalatest.junit.JUnitSuite;
+
+/* COMPILE ONLY TEST */
+public class HttpsServerExampleTest extends JUnitSuite {
+
+ @Test
+ public void compileOnlySpec() throws Exception {
+ // just making sure for it to be really compiled / run even if empty
+ }
+
+ void sslConfigGet() {
+ //#akka-ssl-config
+ final ActorSystem system = ActorSystem.create();
+
+ final AkkaSSLConfig sslConfig = AkkaSSLConfig.get(system);
+ //#
+ }
+}
diff --git a/akka-docs/rst/java/http/client-side/https-support.rst b/akka-docs/rst/java/http/client-side/client-https-support.rst similarity index 99% rename from akka-docs/rst/java/http/client-side/https-support.rst rename to akka-docs/rst/java/http/client-side/client-https-support.rst index 74cb0ef714..32d8773508 100644 --- a/akka-docs/rst/java/http/client-side/https-support.rst +++ b/akka-docs/rst/java/http/client-side/client-https-support.rst @@ -125,7 +125,7 @@ Disabling TLS security features, at your own risk The following shows an example of disabling SNI for a given connection: -.. includecode:: ../../code/docs/http/scaladsl/HttpsExamplesSpec.scala +.. includecode:: ../../code/docs/http/javadsl/HttpsExamplesDocTest.java :include: disable-sni-connection The ``badSslConfig`` is a copy of the default ``AkkaSSLConfig`` with with the slightly changed configuration to disable SNI. diff --git a/akka-docs/rst/java/http/client-side/index.rst b/akka-docs/rst/java/http/client-side/index.rst index d3235c367a..fb36b40b43 100644 --- a/akka-docs/rst/java/http/client-side/index.rst +++ b/akka-docs/rst/java/http/client-side/index.rst @@ -26,5 +26,5 @@ Akka HTTP will happily handle many thousand concurrent connections to a single o connection-level host-level request-level - https-support + client-https-support websocket-support \ No newline at end of file diff --git a/akka-docs/rst/java/http/index.rst b/akka-docs/rst/java/http/index.rst index 62dee86967..941d803ceb 100644 --- a/akka-docs/rst/java/http/index.rst +++ b/akka-docs/rst/java/http/index.rst @@ -36,6 +36,7 @@ akka-http-jackson server-side/websocket-support routing-dsl/index client-side/index + server-side-https-support configuration .. _jackson: https://github.com/FasterXML/jackson \ No newline at end of file diff --git a/akka-docs/rst/java/http/server-side-https-support.rst b/akka-docs/rst/java/http/server-side-https-support.rst new file mode 100644 index 0000000000..331575a867 --- /dev/null 
+++ b/akka-docs/rst/java/http/server-side-https-support.rst 
@@ -0,0 +1,92 @@
+.. _serverSideHTTPS-java:
+
+Server-Side HTTPS Support
+=========================
+
+Akka HTTP supports TLS encryption on the server-side as well as on the :ref:`client-side `.
+
+The central vehicle for configuring encryption is the ``HttpsConnectionContext``, which can be created using
+the static method ``ConnectionContext.https`` which is defined like this:
+
+.. includecode:: /../../akka-http-core/src/main/scala/akka/http/javadsl/ConnectionContext.scala
+ :include: https-context-creation
+
+On the server-side the ``bind``, and ``bindAndHandleXXX`` methods of the `akka.http.javadsl.Http`_ extension define an
+optional ``httpsContext`` parameter, which can receive the HTTPS configuration in the form of an ``HttpsContext``
+instance.
+If defined encryption is enabled on all accepted connections. Otherwise it is disabled (which is the default).
+
+For detailed documentation for client-side HTTPS support refer to :ref:`clientSideHTTPS`.
+
+
+.. _akka.http.javadsl.Http: https://github.com/akka/akka/blob/master/akka-http-core/src/main/scala/akka/http/javadsl/Http.scala
+
+SSL-Config
+----------
+
+Akka HTTP heavily relies on, and delegates most configuration of any SSL/TLS related options to
+`Lightbend SSL-Config`_, which is a library specialized in providing an secure-by-default SSLContext
+and related options.
+
+Please refer to the `Lightbend SSL-Config`_ documentation for detailed documentation of all available settings.
+
+SSL Config settings used by Akka HTTP (as well as Streaming TCP) are located under the `akka.ssl-config` namespace.
+
+.. _Lightbend SSL-Config: http://typesafehub.github.io/ssl-config/
+
+In order to use SSL-Config in Akka so it logs to the right ActorSystem-wise logger etc., the
+``AkkaSSLConfig`` extension is provided. Obtaining it is as simple as:
+
+.. 
includecode2:: ../code/docs/http/javadsl/server/HttpsServerExampleTest.java
+ :snippet: akka-ssl-config
+
+While typical usage, for example for configuring http client settings would be applied globally by configuring
+ssl-config in ``application.conf``, it's possible to obtain the extension and ``copy`` it while modifying any
+configuration that you might need to change and then use that specific ``AkkaSSLConfig`` instance while establishing
+connections be it client or server-side.
+
+Obtaining SSL/TLS Certificates
+------------------------------
+In order to run an HTTPS server a certificate has to be provided, which usually is either obtained from a signing
+authority or created by yourself for local or staging environment purposes.
+
+Signing authorities often provide instructions on how to create a Java keystore (typically with reference to Tomcat
+configuration). If you want to generate your own certificates, the official Oracle documentation on how to generate
+keystores using the JDK keytool utility can be found `here `_.
+
+SSL-Config provides a more targeted guide on generating certificates, so we recommend you start with the guide
+titled `Generating X.509 Certificates `_.
+
+Using HTTPS
+-----------
+
+Once you have obtained the server certificate, using it is as simple as preparing an ``HttpsConnectionContext``
+and either setting it as the default one to be used by all servers started by the given ``Http`` extension
+or passing it in explicitly when binding the server.
+
+The below example shows how setting up HTTPS works when using the ``akka.http.javadsl.server.HttpApp`` convenience class:
+
+.. 
includecode2:: ../../../../akka-http-tests/src/main/java/akka/http/javadsl/server/examples/simple/SimpleServerApp.java
+ :snippet: https-http-app
+
+
+Further reading
+---------------
+
+The topic of properly configuring HTTPS for your web server is an always changing one,
+thus we recommend staying up to date with various security breach news and of course
+keep your JVM at the latest version possible, as the default settings are often updated by
+Oracle in reaction to various security updates and known issues.
+
+We also recommend having a look at the `Play documentation about securing your app`_,
+as well as the techniques described in the Play documentation about setting up a `reverse proxy to terminate TLS in
+front of your application`_ instead of terminating TLS inside the JVM, and therefore Akka HTTP, itself.
+
+Other excellent articles on the subject:
+
+- `Oracle Java SE 8: Creating a Keystore using JSSE `_
+- `Java PKI Programmer's Guide `_
+- `Fixing X.509 Certificates `_
+
+.. _Play documentation about securing your app: https://www.playframework.com/documentation/2.5.x/ConfiguringHttps#ssl-certificates
+.. _reverse proxy to terminate TLS in front of your application: https://www.playframework.com/documentation/2.5.x/HTTPServer
\ No newline at end of file
diff --git a/akka-docs/rst/scala/code/docs/http/scaladsl/server/HttpsServerExampleSpec.scala b/akka-docs/rst/scala/code/docs/http/scaladsl/server/HttpsServerExampleSpec.scala
new file mode 100644
index 0000000000..e91fcd0d5e
--- /dev/null
+++ b/akka-docs/rst/scala/code/docs/http/scaladsl/server/HttpsServerExampleSpec.scala
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2009-2016 Lightbend Inc.
+ */
+
+package docs.http.scaladsl.server
+
+//#imports
+import java.io.InputStream
+import java.security.{ SecureRandom, KeyStore }
+import javax.net.ssl.{ SSLContext, TrustManagerFactory, KeyManagerFactory }
+
+import akka.actor.ActorSystem
+import akka.http.scaladsl.server.{ RouteResult, Route, Directives }
+import akka.http.scaladsl.{ ConnectionContext, HttpsConnectionContext, Http }
+import akka.stream.ActorMaterializer
+import com.typesafe.sslconfig.akka.AkkaSSLConfig
+//#
+
+import docs.CompileOnlySpec
+import org.scalatest.{ Matchers, WordSpec }
+
+abstract class HttpsServerExampleSpec extends WordSpec with Matchers
+ with Directives with CompileOnlySpec {
+
+ class HowToObtainSSLConfig {
+ //#akka-ssl-config
+ implicit val system = ActorSystem()
+ val sslConfig = AkkaSSLConfig()
+ //#
+ }
+
+ "low level api" in compileOnlySpec {
+ //#low-level-default
+ implicit val system = ActorSystem()
+ implicit val mat = ActorMaterializer()
+ implicit val dispatcher = system.dispatcher
+
+ // Manual HTTPS configuration
+
+ val password: Array[Char] = ??? // do not store passwords in code, read them from somewhere safe!
+
+ val ks: KeyStore = KeyStore.getInstance("PKCS12")
+ val keystore: InputStream = getClass.getClassLoader.getResourceAsStream("server.p12")
+
+ require(keystore != null, "Keystore required!")
+ ks.load(keystore, password)
+
+ val keyManagerFactory: KeyManagerFactory = KeyManagerFactory.getInstance("SunX509")
+ keyManagerFactory.init(ks, password)
+
+ val tmf: TrustManagerFactory = TrustManagerFactory.getInstance("SunX509")
+ tmf.init(ks)
+
+ val sslContext: SSLContext = SSLContext.getInstance("TLS")
+ sslContext.init(keyManagerFactory.getKeyManagers, tmf.getTrustManagers, SecureRandom.getInstanceStrong)
+ val https: HttpsConnectionContext = ConnectionContext.https(sslContext)
+
+ // sets default context to HTTPS – all Http() bound servers for this ActorSystem will use HTTPS from now on
+ Http().setDefaultServerHttpContext(https)
+
+ //#
+
+ //#bind-low-level-context
+ Http().bind("127.0.0.1", connectionContext = https)
+
+ // or using the high level routing DSL:
+ val routes: Route = get { complete("Hello world!") }
+ Http().bindAndHandle(routes, "127.0.0.1", 8080, connectionContext = https)
+ //#
+ }
+
+}
diff --git a/akka-docs/rst/scala/http/client-side/https-support.rst b/akka-docs/rst/scala/http/client-side/client-https-support.rst
similarity index 99%
rename from akka-docs/rst/scala/http/client-side/https-support.rst
rename to akka-docs/rst/scala/http/client-side/client-https-support.rst
index be6acf317a..40c72f62a0 100644
--- a/akka-docs/rst/scala/http/client-side/https-support.rst
+++ b/akka-docs/rst/scala/http/client-side/client-https-support.rst
@@ -3,7 +3,7 @@ Client-Side HTTPS Support ========================= -Akka HTTP supports TLS encryption on the client-side as well as on the :ref:`server-side `. +Akka HTTP supports TLS encryption on the client-side as well as on the :ref:`server-side `. .. warning: 
diff --git a/akka-docs/rst/scala/http/client-side/index.rst b/akka-docs/rst/scala/http/client-side/index.rst
index e03cdc65c1..c0b1f9376e 100644
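Review bot: `SecureRandom.getInstanceStrong` in the `sslContext.init(...)` call of the `low-level-default` snippet can block on hosts with little entropy, because on Linux the strong algorithm is usually the blocking `/dev/random`-backed one; since this is the snippet readers will copy, `new SecureRandom` (or `null`, which lets JSSE pick its default) is the safer example. The `keystore` stream returned by `getResourceAsStream` is never closed after `ks.load(keystore, password)`, so a `try`/`finally` with `keystore.close()` is worth showing. `tmf.init(ks)` reuses the PKCS12 that holds the server's private key as the trust store, which only matters once client authentication is enabled; a one-line comment saying that a separate trust store is expected in that case would avoid confusion.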
--- a/akka-docs/rst/scala/http/client-side/index.rst +++ b/akka-docs/rst/scala/http/client-side/index.rst @@ -27,5 +27,5 @@ Akka HTTP will happily handle many thousand concurrent connections to a single o connection-level host-level request-level - https-support + client-https-support websocket-support \ No newline at end of file diff --git a/akka-docs/rst/scala/http/index.rst b/akka-docs/rst/scala/http/index.rst index c3488266a9..59410700dd 100644 --- a/akka-docs/rst/scala/http/index.rst +++ b/akka-docs/rst/scala/http/index.rst @@ -12,4 +12,5 @@ Akka HTTP low-level-server-side-api routing-dsl/index client-side/index + server-side-https-support migration-from-spray diff --git a/akka-docs/rst/scala/http/introduction.rst b/akka-docs/rst/scala/http/introduction.rst index 64d07e1b3f..1c46f92c08 100644 --- a/akka-docs/rst/scala/http/introduction.rst +++ b/akka-docs/rst/scala/http/introduction.rst @@ -11,7 +11,8 @@ This means that, if you have trouble achieving something using a high-level API, it done with a low-level API, which offers more flexibility but might require you to write more application code. Philosophy ---------------- +---------- + Akka HTTP has been driven with a clear focus on providing tools for building integration layers rather than application cores. As such it regards itself as a suite of libraries rather than a framework. A framework, as we’d like to think of the term, gives you a “frame”, in which you build your application. It comes with a lot of decisions already pre-made and provides a foundation including support structures that lets you get started and deliver results quickly. In a way a framework is like a skeleton onto which you put the “flesh” of your application in order to have it come alive. As such frameworks work best if you choose them before you start application development and try to stick to the frameworks “way of doing things” as you go along. 
diff --git a/akka-docs/rst/scala/http/low-level-server-side-api.rst b/akka-docs/rst/scala/http/low-level-server-side-api.rst index 194e18fa4f..80fce716f4 100644 --- a/akka-docs/rst/scala/http/low-level-server-side-api.rst +++ b/akka-docs/rst/scala/http/low-level-server-side-api.rst 
@@ -136,39 +136,10 @@ Connection will also be closed if request entity has been cancelled (e.g. by att or consumed only partially (e.g. by using ``take`` combinator). In order to prevent this behaviour entity should be explicitly drained by attaching it to ``Sink.ignore``. +Configuring Server-side HTTPS +----------------------------- -.. _serverSideHTTPS: - -Server-Side HTTPS Support -------------------------- - -Akka HTTP supports TLS encryption on the server-side as well as on the :ref:`client-side `. - -The central vehicle for configuring encryption is the ``HttpsConnectionContext``, which can be created using -the static method ``ConnectionContext.https`` which is defined like this: - -.. includecode:: /../../akka-http-core/src/main/scala/akka/http/scaladsl/ConnectionContext.scala - :include: https-context-creation - -On the server-side the ``bind``, and ``bindAndHandleXXX`` methods of the `akka.http.scaladsl.Http`_ extension define an -optional ``httpsContext`` parameter, which can receive the HTTPS configuration in the form of an ``HttpsContext`` -instance. -If defined encryption is enabled on all accepted connections. Otherwise it is disabled (which is the default). - -For detailed documentation for client-side HTTPS support refer to :ref:`clientSideHTTPS`. - -SSL-Config ----------- - -Akka HTTP heavily relies on, and delegates most configuration of any SSL/TLS related options to -`Lightbend SSL-Config`_, which is a library specialized in providing an secure-by-default SSLContext -and related options. - -Please refer to the `Lightbend SSL-Config`_ documentation for detailed documentation of all available settings. - -SSL Config settings used by Akka HTTP (as well as Streaming TCP) are located under the `akka.ssl-config` namespace. - -.. _Lightbend SSL-Config: http://typesafehub.github.io/ssl-config/ +For detailed documentation about configuring and using HTTPS on the server-side refer to :ref:`serverSideHTTPS-scala`. .. _http-server-layer-scala: 
@@ -277,3 +248,4 @@ anyway, which is a reasonable default for such problems. In order to learn more about handling exceptions in the actual routing layer, which is where your application code comes into the picture, refer to :ref:`exception-handling-scala` which focuses explicitly on explaining how exceptions thrown in routes can be handled and transformed into :class:`HttpResponse` s with apropriate error codes and human-readable failure descriptions. + diff --git a/akka-docs/rst/scala/http/routing-dsl/index.rst b/akka-docs/rst/scala/http/routing-dsl/index.rst index f1e1ca5dc2..3795d5acbe 100644 --- a/akka-docs/rst/scala/http/routing-dsl/index.rst +++ b/akka-docs/rst/scala/http/routing-dsl/index.rst @@ -97,3 +97,7 @@ and split each line before we send it to an actor for further processing: .. includecode2:: ../../code/docs/http/scaladsl/server/FileUploadExamplesSpec.scala :snippet: stream-csv-upload +Configuring Server-side HTTPS +----------------------------- + +For detailed documentation about configuring and using HTTPS on the server-side refer to :ref:`serverSideHTTPS-scala`. \ No newline at end of file diff --git a/akka-docs/rst/scala/http/server-side-https-support.rst b/akka-docs/rst/scala/http/server-side-https-support.rst new file mode 100644 index 0000000000..11cc6e0ee9 --- /dev/null +++ b/akka-docs/rst/scala/http/server-side-https-support.rst 
@@ -0,0 +1,101 @@
+.. _serverSideHTTPS-scala:
+
+Server-Side HTTPS Support
+=========================
+
+Akka HTTP supports TLS encryption on the server-side as well as on the :ref:`client-side `.
+
+The central vehicle for configuring encryption is the ``HttpsConnectionContext``, which can be created using
+the static method ``ConnectionContext.https`` which is defined like this:
+
+.. includecode:: /../../akka-http-core/src/main/scala/akka/http/scaladsl/ConnectionContext.scala
+ :include: https-context-creation
+
+On the server-side the ``bind``, and ``bindAndHandleXXX`` methods of the `akka.http.scaladsl.Http`_ extension define an
+optional ``httpsContext`` parameter, which can receive the HTTPS configuration in the form of an ``HttpsContext``
+instance.
+If defined encryption is enabled on all accepted connections. Otherwise it is disabled (which is the default).
+
+For detailed documentation for client-side HTTPS support refer to :ref:`clientSideHTTPS`.
+
+
+.. _akka.http.scaladsl.Http: https://github.com/akka/akka/blob/master/akka-http-core/src/main/scala/akka/http/scaladsl/Http.scala
+
+SSL-Config
+----------
+
+Akka HTTP heavily relies on, and delegates most configuration of any SSL/TLS related options to
+`Lightbend SSL-Config`_, which is a library specialized in providing an secure-by-default SSLContext
+and related options.
+
+Please refer to the `Lightbend SSL-Config`_ documentation for detailed documentation of all available settings.
+
+SSL Config settings used by Akka HTTP (as well as Streaming TCP) are located under the `akka.ssl-config` namespace.
+
+.. _Lightbend SSL-Config: http://typesafehub.github.io/ssl-config/
+
+In order to use SSL-Config in Akka so it logs to the right ActorSystem-wise logger etc., the
+``AkkaSSLConfig`` extension is provided. Obtaining it is as simple as:
+
+.. 
includecode2:: ../code/docs/http/scaladsl/server/HttpsServerExampleSpec.scala
+ :snippet: akka-ssl-config
+
+While typical usage, for example for configuring http client settings would be applied globally by configuring
+ssl-config in ``application.conf``, it's possible to obtain the extension and ``copy`` it while modifying any
+configuration that you might need to change and then use that specific ``AkkaSSLConfig`` instance while establishing
+connections be it client or server-side.
+
+Obtaining SSL/TLS Certificates
+------------------------------
+In order to run an HTTPS server a certificate has to be provided, which usually is either obtained from a signing
+authority or created by yourself for local or staging environment purposes.
+
+Signing authorities often provide instructions on how to create a Java keystore (typically with reference to Tomcat
+configuration). If you want to generate your own certificates, the official Oracle documentation on how to generate
+keystores using the JDK keytool utility can be found `here `_.
+
+SSL-Config provides a more targeted guide on generating certificates, so we recommend you start with the guide
+titled `Generating X.509 Certificates `_.
+
+Using HTTPS
+-----------
+
+Once you have obtained the server certificate, using it is as simple as preparing an ``HttpsConnectionContext``
+and either setting it as the default one to be used by all servers started by the given ``Http`` extension
+or passing it in explicitly when binding the server:
+
+
+.. includecode2:: ../code/docs/http/scaladsl/server/HttpsServerExampleSpec.scala
+ :snippet: imports
+
+.. includecode2:: ../code/docs/http/scaladsl/server/HttpsServerExampleSpec.scala
+ :snippet: low-level-default
+
+It is also possible to pass in the context to specific ``bind...`` (or client) calls, like displayed below:
+
+.. 
includecode2:: ../code/docs/http/scaladsl/server/HttpsServerExampleSpec.scala
+ :snippet: bind-low-level-context
+
+
+
+
+Further reading
+---------------
+
+The topic of properly configuring HTTPS for your web server is an always changing one,
+thus we recommend staying up to date with various security breach news and of course
+keep your JVM at the latest version possible, as the default settings are often updated by
+Oracle in reaction to various security updates and known issues.
+
+We also recommend having a look at the `Play documentation about securing your app`_,
+as well as the techniques described in the Play documentation about setting up a `reverse proxy to terminate TLS in
+front of your application`_ instead of terminating TLS inside the JVM, and therefore Akka HTTP, itself.
+
+Other excellent articles on the subject:
+
+- `Oracle Java SE 8: Creating a Keystore using JSSE `_
+- `Java PKI Programmer's Guide `_
+- `Fixing X.509 Certificates `_
+
+.. _Play documentation about securing your app: https://www.playframework.com/documentation/2.5.x/ConfiguringHttps#ssl-certificates
+.. _reverse proxy to terminate TLS in front of your application: https://www.playframework.com/documentation/2.5.x/HTTPServer
\ No newline at end of file
diff --git a/akka-http-core/src/main/scala/akka/http/javadsl/ConnectionContext.scala b/akka-http-core/src/main/scala/akka/http/javadsl/ConnectionContext.scala
index 8cc72354ec..b5d6328c16 100644
--- a/akka-http-core/src/main/scala/akka/http/javadsl/ConnectionContext.scala
+++ b/akka-http-core/src/main/scala/akka/http/javadsl/ConnectionContext.scala
@@ -18,8 +18,11 @@ object ConnectionContext { scaladsl.ConnectionContext.https(sslContext) /** Used to serve HTTPS traffic. */ - def https(sslContext: SSLContext, enabledCipherSuites: Optional[JCollection[String]], - enabledProtocols: Optional[JCollection[String]], clientAuth: Optional[TLSClientAuth], sslParameters: Optional[SSLParameters]) = + def https(sslContext: SSLContext, + enabledCipherSuites: Optional[JCollection[String]], + enabledProtocols: Optional[JCollection[String]], + clientAuth: Optional[TLSClientAuth], + sslParameters: Optional[SSLParameters]) = scaladsl.ConnectionContext.https(sslContext, sslParameters = OptionConverters.toScala(sslParameters)) //#https-context-creation diff --git a/akka-http-core/src/main/scala/akka/http/javadsl/Http.scala b/akka-http-core/src/main/scala/akka/http/javadsl/Http.scala index e2ee99f9a1..5575137ad4 100644 --- a/akka-http-core/src/main/scala/akka/http/javadsl/Http.scala +++ b/akka-http-core/src/main/scala/akka/http/javadsl/Http.scala @@ -640,13 +640,19 @@ class Http(system: ExtendedActorSystem) extends akka.actor.Extension { def shutdownAllConnectionPools(): CompletionStage[Unit] = delegate.shutdownAllConnectionPools().toJava /** - * Gets the default - * - * @return + * Gets the current default server-side [[ConnectionContext]] – defaults to plain HTTP. + * Can be modified using [[setDefaultServerHttpContext]], and will then apply for servers bound after that call has completed. */ def defaultServerHttpContext: ConnectionContext = delegate.defaultServerHttpContext + /** + * Sets the default server-side [[ConnectionContext]]. + * If it is an instance of [[HttpsConnectionContext]] then the server will be bound using HTTPS. + */ + def setDefaultServerHttpContext(context: ConnectionContext): Unit = + delegate.setDefaultServerHttpContext(context.asScala) + /** * Gets the current default client-side [[ConnectionContext]]. */ 
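Review bot: The five-parameter `https` overload accepts `enabledCipherSuites`, `enabledProtocols` and `clientAuth`, but the unchanged call on the last line of this hunk forwards only `sslContext` and `sslParameters`, so the other three are dropped without an error. A Java caller who asks for client-certificate authentication or a restricted protocol list would get a context without those settings, as far as the visible lines show. If the scaladsl `https` method takes these options under the same names, forward them, e.g. `clientAuth = OptionConverters.toScala(clientAuth)`, with the two collections converted to whatever sequence type that method expects; otherwise state on the overload that only `sslParameters` is honoured. The enclosing `object ConnectionContext` starts above the hunk.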
@@ -656,7 +662,10 @@ class Http(system: ExtendedActorSystem) extends akka.actor.Extension { * Sets the default client-side [[ConnectionContext]]. */ def setDefaultClientHttpsContext(context: HttpsConnectionContext): Unit = - delegate.setDefaultClientHttpsContext(context.asInstanceOf[akka.http.scaladsl.HttpsConnectionContext]) + delegate.setDefaultClientHttpsContext(context.asScala) + + def createServerHttpsContext(sslConfig: AkkaSSLConfig): HttpsConnectionContext = + delegate.createServerHttpsContext(sslConfig) def createClientHttpsContext(sslConfig: AkkaSSLConfig): HttpsConnectionContext = delegate.createClientHttpsContext(sslConfig) diff --git a/akka-http-core/src/main/scala/akka/http/scaladsl/Http.scala b/akka-http-core/src/main/scala/akka/http/scaladsl/Http.scala index f3471e6879..7b72f05f91 100644 --- a/akka-http-core/src/main/scala/akka/http/scaladsl/Http.scala +++ b/akka-http-core/src/main/scala/akka/http/scaladsl/Http.scala @@ -508,6 +508,7 @@ class HttpExt(private val config: Config)(implicit val system: ActorSystem) exte /** * Gets the current default server-side [[ConnectionContext]] – defaults to plain HTTP. + * Can be modified using [[setDefaultServerHttpContext]], and will then apply for servers bound after that call has completed. */ def defaultServerHttpContext: ConnectionContext = synchronized { @@ -520,7 +521,7 @@ class HttpExt(private val config: Config)(implicit val system: ActorSystem) exte * Sets the default server-side [[ConnectionContext]]. * If it is an instance of [[HttpsConnectionContext]] then the server will be bound using HTTPS. */ - def setDefaultClientHttpsContext(context: ConnectionContext): Unit = + def setDefaultServerHttpContext(context: ConnectionContext): Unit = synchronized { _defaultServerConnectionContext = context } 
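Review bot: `createServerHttpsContext` is added as public API with no doc comment, while the scaladsl implementation it delegates to (the `@@ -764,6 +765,13 @@` hunk of `scaladsl/Http.scala`) only logs a warning and returns `createClientHttpsContext(sslConfig)`. A Java caller cannot tell from the signature that the returned context carries client-side settings, so both methods should say it in Scaladoc, for example `/** Creates a server-side context from ssl-config; currently reuses the client-side settings and logs a warning. Prefer building the HttpsConnectionContext from your own SSLContext. */`. The class body continues outside the hunk.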
@@ -764,6 +765,13 @@ trait DefaultSSLContextCreation { def createDefaultClientHttpsContext(): HttpsConnectionContext = createClientHttpsContext(sslConfig) + // currently the same configuration as client by default, however we should tune this for server-side apropriately (!) + def createServerHttpsContext(sslConfig: AkkaSSLConfig): HttpsConnectionContext = { + log.warning("Automatic server-side configuration is not supported yet, will attempt to use client-side settings. " + + "Instead it is recommended to construct the Servers HttpsConnectionContext manually (via SSLContext).") + createClientHttpsContext(sslConfig) + } + def createClientHttpsContext(sslConfig: AkkaSSLConfig): HttpsConnectionContext = { val config = sslConfig.config diff --git a/akka-http-core/src/test/scala/akka/http/scaladsl/TestServer.scala b/akka-http-core/src/test/scala/akka/http/scaladsl/TestServer.scala index fc14ae7dc1..105e583289 100644 --- a/akka-http-core/src/test/scala/akka/http/scaladsl/TestServer.scala +++ b/akka-http-core/src/test/scala/akka/http/scaladsl/TestServer.scala @@ -4,6 +4,8 @@ package akka.http.scaladsl +import javax.net.ssl.SSLContext + import akka.NotUsed import scala.concurrent.duration._ diff --git a/akka-http-tests/src/main/java/akka/http/javadsl/server/examples/simple/SimpleServerApp.java b/akka-http-tests/src/main/java/akka/http/javadsl/server/examples/simple/SimpleServerApp.java index 3e25715ff5..c7e5db8221 100644 --- a/akka-http-tests/src/main/java/akka/http/javadsl/server/examples/simple/SimpleServerApp.java +++ b/akka-http-tests/src/main/java/akka/http/javadsl/server/examples/simple/SimpleServerApp.java 
@@ -4,94 +4,157 @@
 package akka.http.javadsl.server.examples.simple;
+//#https-http-app
+
 import akka.actor.ActorSystem;
+import akka.http.javadsl.ConnectionContext;
+import akka.http.javadsl.Http;
+import akka.http.javadsl.HttpsConnectionContext;
 import akka.http.javadsl.server.*;
 import akka.http.javadsl.server.values.Parameter;
 import akka.http.javadsl.server.values.Parameters;
 import akka.http.javadsl.server.values.PathMatcher;
 import akka.http.javadsl.server.values.PathMatchers;
+import com.typesafe.config.ConfigFactory;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.FileInputStream;
 import java.io.IOException;
-import java.util.concurrent.Callable;
+import java.io.InputStream;
+import java.security.*;
+import java.security.cert.CertificateException;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.CompletionStage;
 public class SimpleServerApp extends HttpApp {
- static Parameter x = Parameters.intValue("x");
- static Parameter y = Parameters.intValue("y");
+ static Parameter x = Parameters.intValue("x");
+ static Parameter y = Parameters.intValue("y");
- static PathMatcher xSegment = PathMatchers.intValue();
- static PathMatcher ySegment = PathMatchers.intValue();
+ static PathMatcher xSegment = PathMatchers.intValue();
+ static PathMatcher ySegment = PathMatchers.intValue();
- static RequestVal bodyAsName = RequestVals.entityAs(Unmarshallers.String());
+ static RequestVal bodyAsName = RequestVals.entityAs(Unmarshallers.String());
- public static RouteResult multiply(RequestContext ctx, int x, int y) {
- int result = x * y;
- return ctx.complete(String.format("%d * %d = %d", x, y, result));
- }
- public static CompletionStage multiplyAsync(final RequestContext ctx, final int x, final int y) {
- return CompletableFuture.supplyAsync(() -> multiply(ctx, x, y), ctx.executionContext());
+ public static RouteResult multiply(RequestContext ctx, int x, int y) {
+ int result = x * y;
+ return ctx.complete(String.format("%d * %d = %d", x, y, result));
+ }
+
+ public static CompletionStage multiplyAsync(final RequestContext ctx, final int x, final int y) {
+ return CompletableFuture.supplyAsync(() -> multiply(ctx, x, y), ctx.executionContext());
+ }
+
+ @Override
+ public Route createRoute() {
+ Handler addHandler = new Handler() {
+ @Override
+ public RouteResult apply(RequestContext ctx) {
+ int xVal = x.get(ctx);
+ int yVal = y.get(ctx);
+ int result = xVal + yVal;
+ return ctx.complete(String.format("%d + %d = %d", xVal, yVal, result));
+ }
+ };
+ Handler2 subtractHandler = new Handler2() {
+ public RouteResult apply(RequestContext ctx, Integer xVal, Integer yVal) {
+ int result = xVal - yVal;
+ return ctx.complete(String.format("%d - %d = %d", xVal, yVal, result));
+ }
+ };
+ Handler1 helloPostHandler =
+ new Handler1() {
+ @Override
+ public RouteResult apply(RequestContext ctx, String s) {
+ return ctx.complete("Hello " + s + "!");
+ }
+ };
+ return
+ route(
+ // matches the empty path
+ pathSingleSlash().route(
+ getFromResource("web/calculator.html")
+ ),
+ // matches paths like this: /add?x=42&y=23
+ path("add").route(
+ handleWith(addHandler, x, y)
+ ),
+ path("subtract").route(
+ handleWith2(x, y, subtractHandler)
+ ),
+ // matches paths like this: /multiply/{x}/{y}
+ path("multiply", xSegment, ySegment).route(
+ // bind handler by reflection
+ handleReflectively(SimpleServerApp.class, "multiply", xSegment, ySegment)
+ ),
+ path("multiplyAsync", xSegment, ySegment).route(
+ // bind async handler by reflection
+ handleReflectively(SimpleServerApp.class, "multiplyAsync", xSegment, ySegment)
+ ),
+ post(
+ path("hello").route(
+ handleWith1(bodyAsName, helloPostHandler)
+ )
+ )
+ );
+ }
+
+ // ** STARTING THE SERVER ** //
+
+ public static void main(String[] args) throws IOException {
+ final ActorSystem system = ActorSystem.create("SimpleServerApp");
+ final Http http = Http.get(system);
+
+ boolean useHttps = false; // pick value from anywhere
+ useHttps(system, http, useHttps);
+
+ new SimpleServerApp().bindRoute("localhost", 8080, system);
+
+ System.out.println("Type RETURN to exit");
+ System.in.read();
+ system.terminate();
+ }
+
+ // ** CONFIGURING ADDITIONAL SETTINGS ** //
+
+ public static void useHttps(ActorSystem system, Http http, boolean useHttps) {
+ if (useHttps) {
+
+ HttpsConnectionContext https = null;
+ try {
+ // initialise the keystore
+ // !!! never put passwords into code !!!
+ final char[] password = new char[]{'a', 'b', 'c', 'd', 'e', 'f'};
+
+ final KeyStore ks = KeyStore.getInstance("PKCS12");
+ final InputStream keystore = SimpleServerApp.class.getClassLoader().getResourceAsStream("httpsDemoKeys/keys/server.p12");
+ if (keystore == null) {
+ throw new RuntimeException("Keystore required!");
+ }
+ ks.load(keystore, password);
+
+ final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
+ keyManagerFactory.init(ks, password);
+
+ final TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
+ tmf.init(ks);
+
+ final SSLContext sslContext = SSLContext.getInstance("TLS");
+ sslContext.init(keyManagerFactory.getKeyManagers(), tmf.getTrustManagers(), SecureRandom.getInstanceStrong());
+
+ https = ConnectionContext.https(sslContext);
+
+ } catch (NoSuchAlgorithmException | KeyManagementException e) {
+ system.log().error("Exception while configuring HTTPS.", e);
+ } catch (CertificateException | KeyStoreException | UnrecoverableKeyException | IOException e) {
+ system.log().error("Exception while ", e);
+ }
+
+ http.setDefaultServerHttpContext(https);
 }
+ }
- @Override
- public Route createRoute() {
- Handler addHandler = new Handler() {
- @Override
- public RouteResult apply(RequestContext ctx) {
- int xVal = x.get(ctx);
- int yVal = y.get(ctx);
- int result = xVal + yVal;
- return ctx.complete(String.format("%d + %d = %d", xVal, yVal, result));
- }
- };
- Handler2 subtractHandler = new Handler2() {
- public RouteResult apply(RequestContext ctx, Integer xVal, Integer yVal) {
- int result = xVal - yVal;
- return ctx.complete(String.format("%d - %d = %d", xVal, yVal, result));
- }
- };
- Handler1 helloPostHandler =
- new Handler1() {
- @Override
- public RouteResult apply(RequestContext ctx, String s) {
- return ctx.complete("Hello " + s + "!");
- }
- };
- return
- route(
- // matches the empty path
- pathSingleSlash().route(
- getFromResource("web/calculator.html")
- ),
- // matches paths like this: /add?x=42&y=23
- path("add").route(
- handleWith(addHandler, x, y)
- ),
- path("subtract").route(
- handleWith2(x, y, subtractHandler)
- ),
- // matches paths like this: /multiply/{x}/{y}
- path("multiply", xSegment, ySegment).route(
- // bind handler by reflection
- handleReflectively(SimpleServerApp.class, "multiply", xSegment, ySegment)
- ),
- path("multiplyAsync", xSegment, ySegment).route(
- // bind async handler by reflection
- handleReflectively(SimpleServerApp.class, "multiplyAsync", xSegment, ySegment)
- ),
- post(
- path("hello").route(
- handleWith1(bodyAsName, helloPostHandler)
- )
- )
- );
- }
-
- public static void main(String[] args) throws IOException {
- ActorSystem system = ActorSystem.create();
- new SimpleServerApp().bindRoute("localhost", 8080, system);
- System.out.println("Type RETURN to exit");
- System.in.read();
- system.terminate();
- }
-}
\ No newline at end of file
+}
+//#
\ No newline at end of file
diff --git a/akka-http-tests/src/main/resources/httpsDemoKeys/keys/README.md b/akka-http-tests/src/main/resources/httpsDemoKeys/keys/README.md
new file mode 100644
index 0000000000..1353642d4e
--- /dev/null
+++ b/akka-http-tests/src/main/resources/httpsDemoKeys/keys/README.md
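Review bot: `useHttps` fails open when `useHttps` is true: if keystore loading or `SSLContext` setup throws, both `catch` blocks only log, the method still calls `http.setDefaultServerHttpContext(https)` with `https == null`, and `main` goes on to `bindRoute(...)`. What the binding does with a null default context is not visible in this hunk, but an example that was asked for HTTPS should stop rather than continue without it. The keystore `InputStream` is also never closed, and the second log message is cut off at `"Exception while "`. The fence below sets the context only on success, closes the stream with try-with-resources and rethrows with the cause. The hard-coded password already carries the author's own warning and is left as is.

```java
public static void useHttps(ActorSystem system, Http http, boolean useHttps) {
  if (!useHttps) {
    return;
  }
  // … unchanged: password array …
  try (InputStream keystore =
      SimpleServerApp.class.getClassLoader().getResourceAsStream("httpsDemoKeys/keys/server.p12")) {
    // … unchanged: null check on keystore, KeyStore load, KeyManagerFactory, TrustManagerFactory and SSLContext setup …
    http.setDefaultServerHttpContext(ConnectionContext.https(sslContext));
  } catch (GeneralSecurityException | IOException e) {
    // Fail closed: do not carry on to bindRoute without the HTTPS context that was asked for.
    throw new IllegalStateException("Exception while configuring HTTPS.", e);
  }
}
```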
@@ -0,0 +1,57 @@
+Keys for running Tls tests using the `ExampleHttpContexts`
+----------------------------------------------------------
+
+Instructions adapted from
+
+ * http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
+ * http://security.stackexchange.com/questions/9600/how-to-use-openssl-generated-keys-in-java
+
+
+# Create a rootCA key:
+
+```
+openssl genrsa -out rootCA.key 2048
+```
+
+# Self-sign CA:
+
+```
+openssl req -x509 -new -nodes -key rootCA.key -days 3560 -out rootCA.crt
+```
+
+# Create server key:
+
+```
+openssl genrsa -out server.key 2048
+```
+
+# Create server CSR (you need to set the common name CN to "akka.example.org"):
+
+```
+openssl req -new -key server.key -out server.csr
+```
+
+# Create server certificate:
+
+```
+openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 3560
+```
+
+# Create certificate chain:
+
+```
+cat server.crt rootCA.crt > chain.pem
+```
+
+# Convert certificate and key to pkcs12 (you need to provide a password manually, `ExampleHttpContexts`
+# expects the password to be "abcdef"):
+
+```
+openssl pkcs12 -export -name servercrt -in chain.pem -inkey server.key -out server.p12
+```
+
+# For investigating remote certs use:
+
+```
+openssl s_client -showcerts -connect 54.173.126.144:443
+```
diff --git a/akka-http-tests/src/main/resources/httpsDemoKeys/keys/chain.pem b/akka-http-tests/src/main/resources/httpsDemoKeys/keys/chain.pem
new file mode 100644
index 0000000000..766871eba2
--- /dev/null
+++ b/akka-http-tests/src/main/resources/httpsDemoKeys/keys/chain.pem
@@ -0,0 +1,40 @@ +-----BEGIN CERTIFICATE----- +MIIDITCCAgkCCQCo8H6OcPrArzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJB +VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMB4XDTE1MDcyMzA5NTEyMloXDTI1MDQyMTA5NTEyMlowYDELMAkG +A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0 +IFdpZGdpdHMgUHR5IEx0ZDEZMBcGA1UEAwwQYWtrYS5leGFtcGxlLm9yZzCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANMy/wgrSYVhVtu9OGbo2rSKauiz +5V56X4uCqtCHF9UeHtnVtFLCBMa+pimOS+UyUAT4mbBsxW22BhoNUBZ15KPxltyD +yEsqNCKwWGxL3r8AXQtze2MEpTl22Lvp/iCTXO1vbML/+9r3uqUjw/AAP9HwF9Wd +j/yOrs6q8WE4sfc48iOj6N60/h2pRfn2WNJmo9W9FLC53NznixfsG5oN6Jmb9RM+ +fMHYXLfL/Vt6NrgVX1uqHt9HvuoxfNKhhXE5VU8bNfFfzPYvIt4aZXGxO15vEqsq +OaZ7YJyKr1oFfJC8LmE5xPa3GHToCqmkdMXQK38mpslMQWlQLYnmkS5Qzv8CAwEA +ATANBgkqhkiG9w0BAQsFAAOCAQEAEPDd1gAF9q2LtoZqTdcwmeBjdbT7n0WDRSuI +BzQ/qKjvymwpFKQ0pZSPUyaw2qfRRiTQ/QTbqYep2mhvl5n+gW3ifTp83zgTGKH/ +3sDlX0HPSCBYCDy2gP/AOIgV/57ADMpEkTlz8yyLMH+pLDAoNFIPwy7blAkq+ULQ +y6TfEBmZXoemSaIh5tRnexCD+pTvL4MRrGlBEoxdejDnIAt4n6BxmF0b4hKg8uta +UvivA85lBKzWUoR/Vam5/SC8jtcyLt9RThRcNSj6zP6s5d+o+8PLznrSEadAtfD9 +0q+t4TYF81tClEEgGruVPNL4WIpDniOfw9AJgQNVJGfy5TKY1Q== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDXTCCAkWgAwIBAgIJANYwx08wP3STMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV +BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQwHhcNMTUwNzIzMDk0ODI2WhcNMjUwNDIxMDk0ODI2WjBF +MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 +ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEArk0K/Rn7uND2YGFBks5Sok1WvNdHQccPESEw2hNVF32ExAhbBXCrFaIl +Io0q4eYSbypeauEjDXB/NJXurEefL8ONXK62erJDKKQ0aTTYqsVifoNYA9ORWoGE +XhtAfOx4xvzr6vF1e3kz0PB/A4ftn0vvVygYnf/2E2bQZgaw8dXP5lIGasEzzigB +LX/qTEW/vBOL98Rxp6JvjwvYMbPSZGwNwSz+tI5W2psdE1Mga2Qnsv3j+STWlD9v ++JlgdN8r3PyR1sl3jC7gCj3AaOhv4RbAbqjwnZ9nrckx16PFiMtJiVRea7CQXN7g +191EVujQnlg1LOhiSMKwVsuoXr08ywIDAQABo1AwTjAdBgNVHQ4EFgQU2THI/ilU 
+M0xds3vZlV4CvhAZ1d8wHwYDVR0jBBgwFoAU2THI/ilUM0xds3vZlV4CvhAZ1d8w +DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAK9LO0HyIi0xbTISsc+A5 +LQyZowgRAGqsNNmni7NKDXauPLZrCfDVhvo/FPP1XSFShXo7ARvro9lul4AJlkNN +VgX0gbWtkiAx0uLqlbMsC6imj2L9boRse7mzI/Ymem5SNTn9GUnlMiZ74rca9UT4 +Dk9YytrT4FSpomiL6z8Xj604W3RuLSdEfpfcn3Jh2tFSZ9hyLwB7ATUTA/yuj1SU +G1gmoPMvlnPzNj2lIqyIdQxGdxt+L3mFO20CxBkeieWqQuNptpjwptliFjkZJJZP +wQlx9qLLvs/eFC2AUWj+hbsl37PuARR9hoeqbKRcUjwGtaXOqikrvX1qzPc2+ij9 +/w== +-----END CERTIFICATE----- diff --git a/akka-http-tests/src/main/resources/httpsDemoKeys/keys/rootCA.crt b/akka-http-tests/src/main/resources/httpsDemoKeys/keys/rootCA.crt new file mode 100644 index 0000000000..6ba9fb756c --- /dev/null +++ b/akka-http-tests/src/main/resources/httpsDemoKeys/keys/rootCA.crt 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDXTCCAkWgAwIBAgIJANYwx08wP3STMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV +BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQwHhcNMTUwNzIzMDk0ODI2WhcNMjUwNDIxMDk0ODI2WjBF +MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 +ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEArk0K/Rn7uND2YGFBks5Sok1WvNdHQccPESEw2hNVF32ExAhbBXCrFaIl +Io0q4eYSbypeauEjDXB/NJXurEefL8ONXK62erJDKKQ0aTTYqsVifoNYA9ORWoGE +XhtAfOx4xvzr6vF1e3kz0PB/A4ftn0vvVygYnf/2E2bQZgaw8dXP5lIGasEzzigB +LX/qTEW/vBOL98Rxp6JvjwvYMbPSZGwNwSz+tI5W2psdE1Mga2Qnsv3j+STWlD9v ++JlgdN8r3PyR1sl3jC7gCj3AaOhv4RbAbqjwnZ9nrckx16PFiMtJiVRea7CQXN7g +191EVujQnlg1LOhiSMKwVsuoXr08ywIDAQABo1AwTjAdBgNVHQ4EFgQU2THI/ilU +M0xds3vZlV4CvhAZ1d8wHwYDVR0jBBgwFoAU2THI/ilUM0xds3vZlV4CvhAZ1d8w +DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAK9LO0HyIi0xbTISsc+A5 +LQyZowgRAGqsNNmni7NKDXauPLZrCfDVhvo/FPP1XSFShXo7ARvro9lul4AJlkNN +VgX0gbWtkiAx0uLqlbMsC6imj2L9boRse7mzI/Ymem5SNTn9GUnlMiZ74rca9UT4 +Dk9YytrT4FSpomiL6z8Xj604W3RuLSdEfpfcn3Jh2tFSZ9hyLwB7ATUTA/yuj1SU +G1gmoPMvlnPzNj2lIqyIdQxGdxt+L3mFO20CxBkeieWqQuNptpjwptliFjkZJJZP +wQlx9qLLvs/eFC2AUWj+hbsl37PuARR9hoeqbKRcUjwGtaXOqikrvX1qzPc2+ij9 +/w== +-----END CERTIFICATE----- diff --git a/akka-http-tests/src/main/resources/httpsDemoKeys/keys/rootCA.key b/akka-http-tests/src/main/resources/httpsDemoKeys/keys/rootCA.key new file mode 100644 index 0000000000..119caf0dd1 --- /dev/null +++ b/akka-http-tests/src/main/resources/httpsDemoKeys/keys/rootCA.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEArk0K/Rn7uND2YGFBks5Sok1WvNdHQccPESEw2hNVF32ExAhb +BXCrFaIlIo0q4eYSbypeauEjDXB/NJXurEefL8ONXK62erJDKKQ0aTTYqsVifoNY +A9ORWoGEXhtAfOx4xvzr6vF1e3kz0PB/A4ftn0vvVygYnf/2E2bQZgaw8dXP5lIG +asEzzigBLX/qTEW/vBOL98Rxp6JvjwvYMbPSZGwNwSz+tI5W2psdE1Mga2Qnsv3j ++STWlD9v+JlgdN8r3PyR1sl3jC7gCj3AaOhv4RbAbqjwnZ9nrckx16PFiMtJiVRe +a7CQXN7g191EVujQnlg1LOhiSMKwVsuoXr08ywIDAQABAoIBAQCSXAEpLMNRmq33 +mlMMqhF7VcPKyF5+Xl9Je/xgcjFWi0CLt5Ruyf/vJ3tVOwLSM3YxQHuN9cSQSXGX +P3rt0SpbWjJ+q/pwpvV7z/5uhUCWjS46m6GxfNsmC3GR8AJDo/F67fBQFTcYWlrn +TLrqxR4EUCgGoJWjPsZr3j6KHX5BYmzyTuJFBzxxipK42hnJQ7tMB8l6/5r4nRka +d6SGFpJDkyhO+Wl0sBXjxHu1E4g8asI061jEOhcROV1Dk4hp1CYhd8TBj//6FSBC +ttsIe2gxT0fk8bnNC78FuO0CUTCj4hFOWP7apr/NhLlxypu+4hj17NMhlptRvGxz +6pPlMVDJAoGBANPVTS5nkJpMyczA5vaHsyTF/nwunogwHVeVYsQQ3Bed28Ldp7gr +Dr4hgYFvGkEmlLvWOleHvGISuD3lHLd112LcPyLFMRrs8wX9vWTueZGYj5KDLS3C +i3GaYMqqYbuiFY1QYprF36zRQkLMKUiOomE2+baCasbhluAqqx32KEKvAoGBANKk +cG0X0svJ/TTQIE5nfDtKePDUA7wEPYGrQOO4vKKZUlytVhf+gEcYr575bPjkTl1h +5jrrhr4OWpFDmRyBpi7wB95Fe93Df+0o4KmiNtsioZsi/MA5Tga2rAZPBBuZ9+5l +alYl0fTo5PR3fOXJJoJ+w7+QI4N/9TGuBJoiEl6lAoGBAM8XapsBOIcApxB7TdCa +HXLH9eDlmqq9jxH+w022xdR4yU2acMtFnOYXz4oAWgRzeVihOOw1kN+4OVKZWBer +JuRJOZf+e+E84OFsjOnNkh/arBGqGFLyLGzlZdb79wv+i19ZxOxWojNLaKHxAjMi +7nBn1Hyux0CjbmK8lAl4iyeVAoGAT6r4BprTFFaiGN56yYykVPx2v4dAnlTwOmHe +GgLd/ZWFrB23CT4toDY6/iKST5Rx+ymy3SgFf06IfJaXi0uR4gDQyQV4sshlUvp5 +9k6u9rSjcLyL4dwKoclnSL+L6zCRsC3VSR3myf1n0vp6V6J7mTF+sa4/cFXuE8sg +XHd0gS0CgYAXNDcF+zYoSmbfdG7uM7qOPQwNRbr0pHvAg0NmtM9JOj8gZPoaeAy3 +3jEk9AMQrK0MNsRynAoMkhy+7WOU6TNLvyxXAKGZffOmABzSB9LEFgHkVPutl5/i +wL2pE1SoG2QwSqFYGv+rHgIpREJzDTNwbmSbl/Za50JrIZ3OFfTMDQ== +-----END RSA PRIVATE KEY----- diff --git a/akka-http-tests/src/main/resources/httpsDemoKeys/keys/server.crt b/akka-http-tests/src/main/resources/httpsDemoKeys/keys/server.crt new file mode 100644 index 0000000000..4395b589d5 --- /dev/null 
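Review bot: This adds the demo root CA's private key unencrypted under `src/main/resources`, so it is published with the repository and, presumably, packaged with whatever artifact is built from `akka-http-tests`; the same holds for `server.key` later in this commit. Because the key is public, any certificate chaining to `rootCA.crt` carries no assurance, which is harmless only as long as that CA is never added to a real trust store. The README added alongside says the keys are for running TLS tests but does not spell that out; I would add a line such as `These keys are public test fixtures: never trust rootCA.crt or reuse server.p12 outside tests and examples.` Only `server.p12` is loaded by the example in this commit, so `rootCA.key` may not need to ship at all (to be confirmed against other users of this directory).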
+++ b/akka-http-tests/src/main/resources/httpsDemoKeys/keys/server.crt @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDITCCAgkCCQCo8H6OcPrArzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJB +VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMB4XDTE1MDcyMzA5NTEyMloXDTI1MDQyMTA5NTEyMlowYDELMAkG +A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0 +IFdpZGdpdHMgUHR5IEx0ZDEZMBcGA1UEAwwQYWtrYS5leGFtcGxlLm9yZzCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANMy/wgrSYVhVtu9OGbo2rSKauiz +5V56X4uCqtCHF9UeHtnVtFLCBMa+pimOS+UyUAT4mbBsxW22BhoNUBZ15KPxltyD +yEsqNCKwWGxL3r8AXQtze2MEpTl22Lvp/iCTXO1vbML/+9r3uqUjw/AAP9HwF9Wd +j/yOrs6q8WE4sfc48iOj6N60/h2pRfn2WNJmo9W9FLC53NznixfsG5oN6Jmb9RM+ +fMHYXLfL/Vt6NrgVX1uqHt9HvuoxfNKhhXE5VU8bNfFfzPYvIt4aZXGxO15vEqsq +OaZ7YJyKr1oFfJC8LmE5xPa3GHToCqmkdMXQK38mpslMQWlQLYnmkS5Qzv8CAwEA +ATANBgkqhkiG9w0BAQsFAAOCAQEAEPDd1gAF9q2LtoZqTdcwmeBjdbT7n0WDRSuI +BzQ/qKjvymwpFKQ0pZSPUyaw2qfRRiTQ/QTbqYep2mhvl5n+gW3ifTp83zgTGKH/ +3sDlX0HPSCBYCDy2gP/AOIgV/57ADMpEkTlz8yyLMH+pLDAoNFIPwy7blAkq+ULQ +y6TfEBmZXoemSaIh5tRnexCD+pTvL4MRrGlBEoxdejDnIAt4n6BxmF0b4hKg8uta +UvivA85lBKzWUoR/Vam5/SC8jtcyLt9RThRcNSj6zP6s5d+o+8PLznrSEadAtfD9 +0q+t4TYF81tClEEgGruVPNL4WIpDniOfw9AJgQNVJGfy5TKY1Q== +-----END CERTIFICATE----- diff --git a/akka-http-tests/src/main/resources/httpsDemoKeys/keys/server.key b/akka-http-tests/src/main/resources/httpsDemoKeys/keys/server.key new file mode 100644 index 0000000000..117cb40355 --- /dev/null +++ b/akka-http-tests/src/main/resources/httpsDemoKeys/keys/server.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEA0zL/CCtJhWFW2704ZujatIpq6LPlXnpfi4Kq0IcX1R4e2dW0 +UsIExr6mKY5L5TJQBPiZsGzFbbYGGg1QFnXko/GW3IPISyo0IrBYbEvevwBdC3N7 +YwSlOXbYu+n+IJNc7W9swv/72ve6pSPD8AA/0fAX1Z2P/I6uzqrxYTix9zjyI6Po +3rT+HalF+fZY0maj1b0UsLnc3OeLF+wbmg3omZv1Ez58wdhct8v9W3o2uBVfW6oe +30e+6jF80qGFcTlVTxs18V/M9i8i3hplcbE7Xm8Sqyo5pntgnIqvWgV8kLwuYTnE +9rcYdOgKqaR0xdArfyamyUxBaVAtieaRLlDO/wIDAQABAoIBADfqTXkVNM7aWYut +yiv8xEJ+TxWy4ywjS/58psq0qYukANj9alNqyKbxvL5NzSwuKN9YDiCWe6KzSWRG +WAjKR7Fb+ewB+9pinxD8DT0GzT9WUkwA1A8AINpY68K8jaqEOVsnX+00prJvWfv0 +vyBggIUNgtHseD2ObRuMSIHL59oivxoBKmeRqFl26PCq+m6Dp1SsMwL8NE02rfUu +uVW0zSz0/A5ZK90l8St3N78Puw/qicvfrI4PrGi4kLKW9UKJKP5FzfPF7Kf9itVA +1VB3gd8Gs98vRnzHwZlwgjyAQkePzS/iEQid9uRA/Xys5ozcT1arYM00t3I7ZEUg +GJTKHBECgYEA+K/M6smzPrTAi0BEuI1NCb3zfxkjbBhC0cco9U4VIuhYVU+7Ukre +zi5yI+BQR8MPbftSeeosXV6eQaq04pKCrHWF+ql+3Io9Hojghd/EnNCOtGxjTGmI +Px8G7byeIr4+QyP+JSEdsVBfIEEQ9BJ8Up84RibsMfWcKe6ntzAMEmkCgYEA2Wj6 +DqPisPp4WwGi8bSvSRZsF3h3xu0saml+ug28j+b3kOa99Uz49kCi99sacJArYOWv +Dn+DPl2K2/lwYO0bfyXwWaLp8pd/MAmwhKZ2+qvoUnkZJFRU3yrUoPp7CURZSbcG +aD7IKotFH7wutqj8pZ50y8VGqKVACenhRSAH2ScCgYAuX7IJslUfg1tIXFK0S30r +LOXENK7bUGbdcZMcs1PTr5oRRo362YVU02prcD/oMeKlsrD9lQJy4tsGCcwzV/jQ +KhYy2PqUK58cG5AqxsCGMYn68R9PN3q1spZ7LKocdndr08FnsRY1Y3Rpslhz+yJ9 +0b0Pr+BprJBTbXKPAYGuyQKBgAJFu59djSgGZi2lVburBM4Bwv13z+CvZ/Bwy9dL +/3WNl3bXQpMGy+9e+5UVoDAfAaUQoYTIRmnndmUYNVl+APSSQ/Hb5xAXD0hEQakR +SFsUYuhBxcaAbyap/vDzzUdqhHhlxlZemZ8AN6e+Qsq793APuO7MUBHBMGsqG6Wq +UQqvAoGAINEINXhFXp2qVRDBUY57rRtpjQHajeNTMChgWTg30owfVNBY4evjRj8f +9XDuUkTumYcDcnOKmX3L6n9rg4noHlfNvxmn9pmG9vP0mG0MEOOxSxXFHVIuBw10 +wdTb0WE/i3FhyufdaRHLGhPAMQjaCeFSV3sMxMHuNePvCxnKD3E= +-----END RSA PRIVATE KEY----- 
diff --git a/akka-http-tests/src/main/resources/httpsDemoKeys/keys/server.p12 b/akka-http-tests/src/main/resources/httpsDemoKeys/keys/server.p12 new file mode 100644 index 0000000000000000000000000000000000000000..d72cc9f3d4ecb9ee14918145b1a506a06b642054 GIT binary patch literal 3384 zcmXqL;x%DnWHxBx`NhVm)#lOmotKfFaX}N$YnCRS=LStYj}4mG%Mns+3!2z744T+e zm>3xhn%H9zGK>Z?Y+O(ico^9X_*gi03#?`7iZSbEV&Y(EXks@o%-VmOSKT$$_dw{` zhHE#b8?BvkWX?xfPKG0AoK*H-yK=Q*@|}|8`j}4w%=P#3-aVLnVg1X+nLOr;?##3L zbKgd~C27XDm{q+Q)33Wf?=tzWRGr8)>9Pp-2Ie!2M`x{Xh`jfOvtU}^2Gt#3)0)J2 zdRFtb7%6OAI8QxS!BkWE&b)x#vHv;N&uhuu>Ha3}R@US{&%6F}6jjum-!CTFmS~@I z?yB=oAKAH+-NWB62rNw&xzW0FYt-!|)r?i`8og!*I<7XUMLWeklQ1`u`O3cALF|84 zeCv~x3r@Nd_O0AD>1)X;J#xPHVCe&gmG>-jZU+C}CH3f@ z`~s8DYtofpDXmIy&wg8MzD~Sq*|J?P?G7sygb7bOtvvbK%(#QE9hN)U=hb`s54m;D z{>*ias)xZYrxzOLKU{l0^z7X9{XX7H@5Mf0z2{8czySMQ{!n>w39npRFJDP9gn z_17d}<)6tj!;3ugEuLsPe#m`qt3KIu)BlJ5Yz=9?R?h`=W;U4C!Efjhh$*7?F-<*)r8Yo@X(uPeH)caSmUPnuuz ze@XqSqWyCwZwq*KG=}B#(zuJ~#1`dvL=^})zMfrNVQ@-3nTcP`$S-d9nu*NCb_Mgz zE&m*HUB68x5e!I>uU$;W8Wa_f*MFksr|DXEn`^w_pj56jo zd{s>owLiqgw+iVzabi*1P{O9qqS92irgwR^)=suB-Q_DM^)3@nINW}4a~E%L@Qy8# z0%sO2+@pM^P+3FxUZej zH=Ne)sI%zlvYMHpEWLJ}$DaS)=6xwC^7%R25W8guHZT7wwJhNOZ2?smS0*>+zR2$M zSuIKrOqEaE$*fi1Y#~xDBO=^ex8c}Ht;ZK16!U$Z<2fZfrB3E!M_4MiXt?}`m4`*< zML9%Ve)d0G*n+2iYjNzhb6>?Hlbw%TQxrD5R<9wkPVa5mwteU87O3(56f z?9OEwmtWlYq0~^RbFR z=MS!1H0_tyUzHTO_OC$)-`B_0)F|9|#3kVH?Y&miEj!zz+>J_hyiC)tXfK|bZtY&W zCq!s|h1hBjBgd2^`yKK}Z%o{t|MyV+`(XYJJ2or*etl2vxcQb}ij2MjS|17?#;`5g z>w58`Sku2Qi+e9733qI3;hXdG^8RoAVs*+c(sngsT*;hbNU6K8vP!-`XP8H_vml^wh`nyH=aGW@qpzIe^Nrs*}@ z5y7dEm2VbgUlC!bU^kB5apeVhj#uw^gMm9hKOW4)?KPT;IZgB0lvf;7i z<`Op#ljYfcm!+^?O?W{p->vYk%ipA2TFi8+AYtA?o5KtBPJWf$qPD8$y78usr+<9i zc-2m>>f+p-)$>%_k9s}0@F{MQLHC61{5Fqjj`}v+och0Q!!4nec7|&c&Oa$@i+#qH zb+07B^S$!JmA&bEYS+Bq^0$k>L}d5H6|75ooLarUymY-T*3VNFuUecXWYrSoWPjhX zY0cmD>DO~NsOewle>3;a3dQEQU1{CRPO7eFo${#Y4zGH5mGYw26#|SB?K~H%zu#}@ z|JO3d|3W;YqyLAzPKl6M-++MIXW5qi{_;fX_xZQ&(Js2Tb{_3~^t)xbOZ~|?ytf2O 
zJJtznD7^PM8SZWPCftbY$O4()G3&fkysylvZ2x@xr;@7K&Ns`>zF%`C??zg&MQp+E zR!4&-))b@)c0m(sC`%J-pg|L>uR#;5CmT1cy5(YITF}Ju&Y+3q6-q744623ytDd-i zC%G^fR132-v7DH6+g2=M)71t1<)tMl)1nlQ)qI$nxUO6CY4kzIkLB}w`d>{ucGaeR zu|k)X>kFliXJ?5&IbM}##>lK(oVv%`b*ZA+a<2#p^9OIZtCwCbf8;)6Qqjb$k`D^) zo6>j~m({i=t==K6^qY&0`L8!= z_Pw}O+E8@YHZ-L$Wuy4^lSZ3F&ooFmB{a-cEQ!2r{#hjVVMI8mTB*48Um4}5uwI?D z&X51NtozCS?+5EMkB*gVl(%tnFJHn@D`YKyj@36;?V<1X_tzwaPHC#oaq?KGber$L zV1RAO!Vg!jdiU0ew^sJ8+u`3?z#j8_?+aUYnI4AS+PpcOZr5gJSgtqH{&0j{examQ zZe)Vcqm+rY(FZ=}tFFvY2@0S0sYHqSPSn4hmu_uj6gs=7Jp4|z(#@y*bv&=1u3#|R z^i)Ll>{zZ)YDLK6{nQ_Ki%Zu z!VaZI|CD&Q%75C~Y7HxQFEyUHwQ(o^`n}Cp6jnxya;UMcniN_$a6-sc~`EqC)MvAkr>N$lOL_sC4hQ|{8~?>T3mTnc|z zc5|IuzS+l?_krm<@6TnF;yL{0`{8Fc^A6=7uDQu@ciB4DjZ2QkU%6oPYE`lPx{v_= z$&1SWo|T;%eceYV*g<{s-qy4vjx4>|;YzjH?6+bjzInA$>^^UQq()(uQ^n`*l!a|+ zTdL1aJGUoJ?m@>b>-3B3KCSar|C;mt^sd~?A6BlNxjo2j=XT2lDX~V2IX-VsV?Wi` zWVim>Q7);6D~w*8`|Xo?cDE}FMzo3zjsmsgt+y-ui6jrkKSuf5-ZaJH)!7%dShPO+3JFbEalYo7#LB>3+yCvJAQGw(yWYjruwS>4YbR4bP)xV5EP z_(4fK@AVEp*$hr_*Is{@xu z{>{kxxo)M%RCTFzow75zea@E-Y@nXl;@89Vd=l%NyH1DL>3!8)Te@5>% Seq( + // #20371, missing method and typo in another one making it impossible to use HTTPs via setting default HttpsConnectionContext + ProblemFilters.exclude[IncompatibleMethTypeProblem]("akka.http.scaladsl.HttpExt.setDefaultClientHttpsContext"), + ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.scaladsl.DefaultSSLContextCreation.createServerHttpsContext"), + // #20342 HttpEntity scaladsl overrides ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.scaladsl.model.HttpEntity.withoutSizeLimit"), ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.scaladsl.model.HttpEntity.withSizeLimit"),