Investigate/Design SSL with ALPN Netty

[isaacrivriv]

For HTTP2 encrypted traffic (h2), ALPN is required. In Netty we are able to use ALPN through OpenSSL (requires to be configured) or through the JDK see here. As stated in the Netty page, not all JDKs have ALPN only starting from a release in Java 8.

In Open Liberty for h2 traffic we use various implementations of ALPN with order of preference as seen here.

1. JDK9 has native support for ALPN in javax.net.ssl
2. IBM JDK8 sr5 fp15+ provides ALPN support via com.ibm.jsse2.ext.ALPNJSSEExt
3. jetty-alpn can be put on the bootclasspath - alpn-boot-*.jar
4. grizzly-npn can be put on the bootclasspath - grizzly-npn-bootstrap-1.*.jar

Netty has it's own set of implementations of ALPN and with an order of preference as well as seen here which seems to be consumed creating a JDKSSLContext here. Perhaps we could expand on these classes in our Netty TLS bundle and build similar implementations but with Open Liberty's implementations.

We need to discuss an approach for this.

[isaacrivriv]

The order of preference for Netty's SSL implementations according to the implementation here

1. Conscrypt
2. Bouncy Castle
3. JDK ALPN
4. Jetty ALPN

After discussing this with the team, we need to keep the same behavior as our current implementation in Liberty. This means that possibly we need to expand on Netty's ALPN negotiator and add our already established implementations of ALPN on Liberty on top of Netty and test to ensure behavior stays the same.

[isaacrivriv]

The different ALPN implementations were added due to missing ALPN functionality in the various JDKs as discussed here

As of today it seems like all the major JDKs have added/back ported ALPN functionality to Java 8

• OpenJDK seems to have back ported ALPN to Java 8 as discussed in part here https://groups.google.com/g/netty/c/ehSjsBxnyNY and https://bugs.openjdk.org/browse/JDK-8230977
• Oracle JDK seems to have ALPN support also https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html (should have the necessary methods we need/use for ALPN support)
• IBM JDK also seems to have ALPN support https://www.ibm.com/support/pages/apar/IJ24011 (looked in the jars and seeing the methods the we use on lookup to decide how ALPN should be done)

For a start we should provide basic JDK support for ALPN and then discuss on the other implementations.