marianobarrios / tls-channel

A Java library that implements a ByteChannel interface over SSLEngine, enabling easy-to-use (socket-like) TLS for Java applications.
MIT License
192 stars 50 forks source link
java java-library library networking non-blocking openssl sni socket ssl sslengine tls

TLS Channel

TLS Channel is a library that implements a ByteChannel interface over a TLS (Transport Layer Security) connection. It delegates all cryptographic operations to the standard Java TLS implementation: SSLEngine; effectively hiding it behind an easy-to-use streaming API, that allows to secure JVM applications with minimal added complexity.

In other words, a simple library that allows the programmer to implement TLS using the same standard socket API used for plaintext, just like OpenSSL does for C, only for Java, filling a specially painful missing feature of the standard library.

Build Status

Maven Central Javadoc

Main features

Non-features

Being an API layer, TLS Channel delegates all cryptographic operations to SSLEngine, leveraging it 100%. This implies that:

Rationale

The world's most used encryption protocol is TLS. Created by Netscape in 1994 as SSL (Secure Socket Layer), it experimented widespread adoption, which eventually let to its standardization. TLS works on top of the Transport Control Protocol (TCP), maintaining its core abstractions: two independent byte streams, one in each direction, with ordered at-most-once delivery. It can be argued that part of the success of TLS was due to its convenient programming interface, similar to the highly successful and familiar Berkeley Sockets. Currently, there exist a few widely-used implementations:

And many more. As noted, all these libraries implement a streaming interface, and most also let the user switch freely between blocking and non-blocking behavior. But in Java the history, unfortunately, is not so simple.

The Java TLS problem

In Java, support for TLS (then SSL) was added in version 1.2 (as an optional package) in the form of a subclass of the Socket class: SSLSocket. Being a subclass, once instantiated, the way of using it was exactly the same as the unencrypted original. That worked (and still works) well enough. Nevertheless, the java I/O API already had some limitations, and an update was due.

java.nio

In version 1.4, a new I/O API was launched (java.nio). It superseded the old I/O API, starting an implicit (and very long) deprecation cycle. New features include:

But no TLS support, which was only available in old-style sockets.

SSLEngine

Version 1.5 saw the advent of SSLEngine as the official way of doing TLS over NIO sockets. This API has been the official option for more than a decade. However, it has severe shortcomings:

What to do

Of course, many programmers don't manipulate TCP or TLS streams directly, but use protocol libraries (e.g., Apache HttpClient, or the newer java.net.http). However, in the case that direct socket-like access is needed, the programmer has essentially three alternatives:

  1. Use the old (implicitly deprecated) socket API. This implies being subject to its limitations, which means, among other things, only blocking behavior.
  2. Use SSLEngine directly. As said, this is a hard task, which is very difficult to accomplish correctly, and in most cases completely out of proportion to the effort of writing the application code.
  3. Use some higher-level I/O library, like Netty, Project Grizzly, Apache Mina or JBoss XNIO. They supply event architectures that intend to ease the task of writing programs that use non-blocking I/O. They are usually big framework-like libraries, sometimes themselves with dependencies. Using one of these is the path chosen by many, but it is not an option if the programmer cannot commit to a particular event architecture, couple the application code to an idiosyncratic library, or include a big dependency.

All three alternatives have been taken by many Java libraries and applications, with no clear preference among leading open-source Java projects. Even though these options can work reasonable well, there was still no clear and standard solution.

Non-SSLEngine TLS in Java

There is actually no strict need to use SSLEngine. The two most common alternatives are:

Of course, these options imply using an alternative cryptographic implementation, which may not be desired.

Existing open-source SSLEngine users

The feat of using SSLEngine directly is indeed performed by several projects, both general purpose I/O libraries and implementation of particular protocols. Below is an inevitably incomplete list of open-source examples. Every one in the list contains essentially the same general-purpose, SSLEngine-calling code, only embedded in custom types and semantics. That said, these examples, while not really suited for reuse, have been invaluable for both appreciating the difficulty of the task, and also as a source of ideas.

Type Project Package/class
I/O framework Grizzly org.glassfish.grizzly.ssl
I/O framework Netty io.netty.handler.ssl.SslHandler
I/O framework Apache Mina org.apache.mina.filter.ssl.SslHandler
I/O framework XNIO org.xnio.ssl.JsseStreamConduit
HTTP server Tomcat org.apache.tomcat.util.net.SecureNio2Channel
HTTP server OpenJDK sun.net.httpserver.SSLStreams
HTTP client/server Apache HttpComponents org.apache.http.impl.nio.reactor.SSLIOSession
HTTP server Jetty org.eclipse.jetty.io.ssl.SslConnection
Distributed file system XtreemFS org.xtreemfs.foundation.pbrpc.channels.SSLChannelIO
Tor client Orchid com.subgraph.orchid.sockets.sslengine.SSLEngineManager

Usage

Being an instance of ByteChannel, normal I/O operations are just done in the usual way. For instantiation of both client and server connections, builders are used:

ByteChannel rawChannel = ...
SSLContext sslContext = ...
TlsChannel tlsChannel = ClientTlsChannel
    .newBuilder(rawChannel, sslContext)
    .build();
ByteChannel rawChannel = ...
SSLContext sslContext = ...
TlsChannel tlsChannel = ServerTlsChannel
    .newBuilder(rawChannel, sslContext)
    .build();

Typical usage involved creating either a ClientTlsChannel or a ServerTlsChannel, for client and server connections respectively. Both classes implement TlsChannel, where most of the methods are defined.

Complete examples:

Non-blocking

Standard ByteChannel instances communicate the fact that operations would block—and so that they should be retried when the channel is ready—returning zero. However, as TLS handshakes happen transparently and involve multiple messages from each side, both a read and a write operation could be blocked waiting for either a read (byte available) or a write (buffer space available) in the underlying socket. That is, some way to distinguish between read- or write-related blocking is needed.

Ideally, a more complex return type would suffice—not merely an int but some object including more information. For instance, OpenSSL uses special error codes for these conditions: SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE.

In the case of TLS Channel, it is in practice necessary to maintain compatibility with the existing ByteChannel interface. That's why a somewhat unorthodox approach is used: when the operation would block, special exceptions are thrown: NeedsReadException and NeedsWriteException, meaning that the operation should be retried when the underlying channel is ready for reading or writing, respectively.

Typical usage inside a selector loop looks like this:

try {
    int c = tlsChannel.read(buffer);
    ...
} catch (NeedsReadException e) {
    key.interestOps(SelectionKey.OP_READ);
} catch (NeedsWriteException e) {
    key.interestOps(SelectionKey.OP_WRITE);
}

Complete examples:

Off-loop tasks

Selector loops work under the assumption that they don't (mostly) block. This is enough when it is possible to have as many loops as CPU cores. However, Java selectors don't work very well with multiple threads, requiring complicated synchronization; this leads to them being used almost universally from a single thread.

A single I/O thread is in general enough for plaintext connections. But TLS can be CPU-intensive, in particular asymmetric cryptography when establishing sessions. Fortunately, SSLEngine encapsulates those, returning Runnable objects that the client code can run in any thread. TLS Channel can be configured to either run those as part of I/O operations (that is, in-thread)—the default behavior—or not, letting the calling code handle them. The latter option should be enabled at construction time:

TlsChannel tlsChannel = ServerTlsChannel
    .newBuilder(rawChannel, sslContext)
    .withRunTasks(false)
    .build();

An exception (NeedsTaskException) is then used to communicate that a task is ready to run. (Using an exception is needed for the same reasons explained in the previous section):

try {
    int c = tlsChannel.read(buffer);
    ...
} catch ...
} catch (NeedsTaskException e) {
    taskExecutor.execute(() -> {
        e.getTask().run();
        // when the task finished, add it to the ready-set
        // taskReadyKeys should be a concurrent set that should be checked
        // and emptied as part of the selector loop
        taskReadyKeys.add(key);
        selector.wakeup(); // unblock the selector
    });
}

Complete example: non-blocking server with off-loop tasks

Server Name Indication – server side

The Server Name Indication (SNI) is a special TLS extension designed to solve a chicken-and-egg situation between the certificate offered by the server (depending on the host required by the client for multi-host servers) and the host name sent by client in HTTP request headers (necessarily after the connection is established). The SNI extension allows the client to anticipate the required host name in the ClientHello message.

Java added support for SNI in version 7. The feature can be accessed using the SSLParameters class. Sadly, this only works on the client side. For the server, the class allows only to accept or reject connections based on the host name, not to choose the certificate offered.

In TLS Channel, to use SNI-based selection of the SSLContext, a different builder factory method exists, receiving instances of SniSslContextFactory.

SniSslContextFactory contextFactory = (Optional<SNIServerName> sniServerName) -> {
    Optional<SSLContext> ret = ...
    return ret;
};
TlsChannel tlsChannel = ServerTlsChannel
    .newBuilder(rawChannel, contextFactory)
    .build();

Complete example: SNI-aware server

AsynchronousByteChannel

Java 1.7 introduced "asynchronous" byte channels. This infrastructure offers a higher level API for non-blocking I/O, using callbacks and futures. Again, TLS is not supported by the standard API. TLSChannel offers complete support for this programming style using the async package.

// build a singleton-like channel group
AsynchronousTlsChannelGroup channelGroup = new AsynchronousTlsChannelGroup();

// build asynchronous channel, based in an existing TLS channel and the group
AsynchronousTlsChannel asyncTlsChannel = new AsynchronousTlsChannel(channelGroup, tlsChannel, rawChannel);

// use as any other AsynchronousByteChannel
asyncTlsChannel.read(res, null, new CompletionHandler<Integer, Object>() {
    ...
};

Complete example: Asynchronous channel server

Buffers

TLS Channel uses buffers for its operation. Every channel uses at least two ciphertext buffers that hold ciphertext, one for reading from the underlying channel and the other for writing to it. Additionally, a third plaintext buffer may be needed for read operations when the user-supplied buffer is smaller than the minimum SSLEngine needs for placing the decrypted bytes.

All buffers are created from optionally user-supplied factories (instances of BufferAllocator). It is also possible to supply different allocators for plain and ciphertext; for example:

TlsChannel tlsChannel = ServerTlsChannel
    .newBuilder(rawChannel, sslContext)
    .withPlainBufferAllocator(new HeapBufferAllocator())
    .withEncryptedBufferAllocator(new DirectBufferAllocator())
    .build();

The rationale for using direct ciphertext buffers is that, in the most common use case, the underlying channel is a SocketChannel. This channel actually does native I/O operations, which are generally faster using direct buffers.

As default, heap buffers are used to maximize compatibility with different virtual machines, as direct ones are implementation dependent.

Zeroing

Buffers containing plain text are always immediately zeroed after the bytes are returned. This feature is intended as a mitigation against some other security vulnerability that may appear (like, for example, CVE-2014-0160). This is present in boringssl too, Google's fork of OpenSSL.

Due to the minuscule performance penalty and significant security benefits, zeroing cannot be disabled.

Buffer release

TLS Channel supports opportunistic buffer release, a similar feature to OpenSSL's SSL_MODE_RELEASE_BUFFERS option. If, after any operation, a buffer does not contain any bytes pending, it is released back to the pool. This feature can reduce memory consumption dramatically in the case of long-lived idle connections, which tend to happen when implementing server-side HTTPS.

This option is enabled by default, and could be disabled if desired:

TlsChannel tlsChannel = ServerTlsChannel
    .newBuilder(rawChannel, sslContext)
    .withReleaseBuffers(false)
    .build();

Compatibility and certificate validation

Because the protocol implementation is fully delegated to SSLEngine, there are no limitations regarding TLS versions: whatever is supported by the Java implementation used will work.

The same applies to certificate validation. All configuration is done using the SSLContext object, which TLS Channel takes as is.

Implementation

Requirements

TLS Channel requires Java 8 or newer.

Size and Dependencies

The library has no dependencies. The main jar file size is below 65 KiB.

Logging

The library uses Java Logging. As a policy, all logging events emitted by the core package are at FINEST level, which is below the default threshold in most logging implementations and thus completely silent by default. The optional tlschannel.async package can log with higher severity in exceptional circumstances, as it manages threads internally.

Similar efforts

Credits

This work is based on a preliminary implementation by Claudio Martinez and Mariano Barrios at Despegar.