Open dwijnand opened 6 years ago
Here's what I came up with to adapt https://github.com/playframework/akka-grpc-play-quickstart-scala/blob/master/ssl-play:
```
## Derived from https://github.com/playframework/play-scala-tls-example/edit/2.5.x/play

# Turn on HTTPS, turn off HTTP.
# This should be https://example.com:9443
-Dhttp.port=disabled
-Dhttps.port=9443

# Note that using the HTTPS port by itself doesn't set rh.secure=true.
# rh.secure will only return true if the "X-Forwarded-Proto" header is set
# with the value "https", and either the local address is 127.0.0.1 or
# trustxforwarded is configured to be true in the application configuration file.

# Define the SSLEngineProvider in our own class.
#-Dplay.http.sslengineprovider=https.CustomSSLEngineProvider

# Enable this if you want to turn on client authentication
#-Dplay.ssl.needClientAuth=true

# Enable the handshake parameter to be extended for better protection.
# http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#customizing_dh_keys
# Only relevant for "DHE_RSA", "DHE_DSS", "DH_ANON" algorithms, in ServerHandshaker.java.
-Djdk.tls.ephemeralDHKeySize=2048

# Don't allow the client to dictate terms - this can also be used for DoS attacks.
# Undocumented, defined in sun.security.ssl.Handshaker.java:205
-Djdk.tls.rejectClientInitiatedRenegotiation=true

# Add more details to the disabled algorithms list
# http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#DisabledAlgorithms
# and http://bugs.java.com/bugdatabase/view_bug.do?bug_id=7133344
-Djava.security.properties=disabledAlgorithms.properties

# Fix a version number problem in SSLv3 and TLS version 1.0.
# http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
-Dcom.sun.net.ssl.rsaPreMasterSecretFix=true

# Tighten the TLS negotiation issue.
# http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#descPhase2
# Defined in JDK 1.8 sun.security.ssl.Handshaker.java:194
-Dsun.security.ssl.allowUnsafeRenegotiation=false
-Dsun.security.ssl.allowLegacyHelloMessages=false

# Enable this if you need to use OCSP or CRL
# http://docs.oracle.com/javase/8/docs/technotes/guides/security/certpath/CertPathProgGuide.html#AppC
#-Dcom.sun.security.enableCRLDP=true
#-Dcom.sun.net.ssl.checkRevocation=true

# Enable this if you need TLS debugging
# http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#Debug
#-Djavax.net.debug=ssl:handshake

# Change this if you need X.509 certificate debugging
# http://docs.oracle.com/javase/8/docs/technotes/guides/security/troubleshooting-security.html
#-Djava.security.debug=certpath:x509:ocsp

# If this bombs ("error opening zip file [..] jetty-alpn-agent")
# then run `sbt stage` and then `find target -name 'jetty-alpn-agent-*.jar' | head -1`
# and pass the result below
-javaagent:target/universal/stage/jetty-alpn-agent/jetty-alpn-agent-2.0.7.jar
```
@ignasi35 notes that basically you normally only need

```
-Dhttp.port=disabled
-Dhttps.port=9443
-javaagent:target/universal/stage/jetty-alpn-agent/jetty-alpn-agent-2.0.7.jar
```

in 99% of cases, so perhaps we should move this info from any bash script / .jvmopts to the docs or README.
A recent improvement on ssl-play is to also detect when the ALPN agent hasn't been downloaded yet and run an sbt stage to force the download. It's quite a hack but it'd be great if we can find an sbt-ish way to avoid it too.
You don't like my solution? 😄

```
# If this bombs ("error opening zip file [..] jetty-alpn-agent")
# then run `sbt stage` and then `find target -name 'jetty-alpn-agent-*.jar' | head -1`
# pass it below
-javaagent:target/universal/stage/jetty-alpn-agent/jetty-alpn-agent-2.0.7.jar
```

/am impressed
> You don't like my solution?

Oh, I didn't know that `#` DSL. Love it.

We could even consider adding jetty-alpn-agent-2.0.7.jar (if license allows) like we include gradlew. 🤷‍♂️
Instead of defining a bash script over sbt, why not use .jvmopts?