playframework / play-scala-tls-example

A Play application using HTTPS and WS with optional client authentication
https://developer.lightbend.com/start/?group=play
Creative Commons Zero v1.0 Universal

Using .jvmopts instead of wrapping sbt with a bash script #62

Open dwijnand opened 6 years ago

dwijnand commented 6 years ago

Instead of defining a bash script over sbt, why not use .jvmopts?

dwijnand commented 6 years ago

Here's what I came up with to adapt https://github.com/playframework/akka-grpc-play-quickstart-scala/blob/master/ssl-play:

## Derived from https://github.com/playframework/play-scala-tls-example/edit/2.5.x/play

# Turn on HTTPS, turn off HTTP.
# This should be https://example.com:9443
-Dhttp.port=disabled
-Dhttps.port=9443

# Note that using the HTTPS port by itself doesn't set rh.secure=true.
# rh.secure will only return true if the "X-Forwarded-Proto" header is set, and
# if the value in that header is "https", if either the local address is 127.0.0.1, or if
# trustxforwarded is configured to be true in the application configuration file.

# Define the SSLEngineProvider in our own class.
#-Dplay.http.sslengineprovider=https.CustomSSLEngineProvider

# Enable this if you want to turn on client authentication
#-Dplay.ssl.needClientAuth=true

# Enable the handshake parameter to be extended for better protection.
# http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#customizing_dh_keys
# Only relevant for "DHE_RSA", "DHE_DSS", "DH_ANON" algorithms, in ServerHandshaker.java.
-Djdk.tls.ephemeralDHKeySize=2048

# Don't allow client to dictate terms - this can also be used for DoS attacks.
# Undocumented, defined in sun.security.ssl.Handshaker.java:205
-Djdk.tls.rejectClientInitiatedRenegotiation=true

# Add more details to the disabled algorithms list
# http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#DisabledAlgorithms
# and http://bugs.java.com/bugdatabase/view_bug.do?bug_id=7133344
-Djava.security.properties=disabledAlgorithms.properties

# Fix a version number problem in SSLv3 and TLS version 1.0.
# http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
-Dcom.sun.net.ssl.rsaPreMasterSecretFix=true

# Tighten the TLS negotiation issue.
# http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#descPhase2
# Defined in JDK 1.8 sun.security.ssl.Handshaker.java:194
-Dsun.security.ssl.allowUnsafeRenegotiation=false
-Dsun.security.ssl.allowLegacyHelloMessages=false

# Enable this if you need to use OCSP or CRL
# http://docs.oracle.com/javase/8/docs/technotes/guides/security/certpath/CertPathProgGuide.html#AppC
#-Dcom.sun.security.enableCRLDP=true
#-Dcom.sun.net.ssl.checkRevocation=true

# Enable this if you need TLS debugging
# http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#Debug
#-Djavax.net.debug=ssl:handshake

# Change this if you need X.509 certificate debugging
# http://docs.oracle.com/javase/8/docs/technotes/guides/security/troubleshooting-security.html
#-Djava.security.debug=certpath:x509:ocsp

# If this bombs ("error opening zip file [..] jetty-alpn-agent")
# then run `sbt stage` and then `find target -name 'jetty-alpn-agent-*.jar' | head -1`
# pass it below
-javaagent:target/universal/stage/jetty-alpn-agent/jetty-alpn-agent-2.0.7.jar

dwijnand commented 6 years ago

@ignasi35 notes that basically you normally only need

-Dhttp.port=disabled
-Dhttps.port=9443
-javaagent:target/universal/stage/jetty-alpn-agent/jetty-alpn-agent-2.0.7.jar

in 99% of cases, so perhaps we should move this info from any bash script / .jvmopts to the docs or README.

ignasi35 commented 5 years ago

A recent improvement on ssl-play is to also detect when the ALPN agent hasn't been downloaded yet and run an sbt stage to force the download.

It's quite a hack but it'd be great if we can find an sbt-ish way to avoid it too.
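The detect-and-stage step described above, written out as an added POSIX shell example (this is not the project's own ssl-play script). It assumes the stage directory layout from the .jvmopts in this thread, runs the given stage command only when the agent jar is missing, and writes a generated .jvmopts with the discovered jar path so the agent version is not hard-coded.

```shell
# Usage (assumed layout, not project code):
#   agent=$(ensure_alpn_agent target/universal/stage sbt stage)
#   write_jvmopts "$agent" .jvmopts
set -eu

# Print the first jetty-alpn-agent jar under a stage directory; fail if none.
find_alpn_agent() {
  find "$1" -name 'jetty-alpn-agent-*.jar' 2>/dev/null | head -n 1 | grep .
}

# Print the agent jar path, running the stage command ($2...) once if the
# jar is not there yet (the "sbt stage" hack from the thread, automated).
ensure_alpn_agent() {
  stage_dir=$1
  shift
  find_alpn_agent "$stage_dir" && return 0
  "$@" >/dev/null
  find_alpn_agent "$stage_dir"
}

# Write a .jvmopts: HTTPS only, the TLS hardening flags from the thread,
# and a -javaagent line pointing at the discovered jar (not a fixed version).
write_jvmopts() {
  agent=$1
  out=$2
  printf '%s\n' \
    "# Generated: HTTPS only, ALPN agent discovered at $agent" \
    '-Dhttp.port=disabled' \
    '-Dhttps.port=9443' \
    '-Djdk.tls.ephemeralDHKeySize=2048' \
    '-Djdk.tls.rejectClientInitiatedRenegotiation=true' \
    '-Dsun.security.ssl.allowUnsafeRenegotiation=false' \
    '-Dsun.security.ssl.allowLegacyHelloMessages=false' \
    "-javaagent:$agent" > "$out"
}
```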

dwijnand commented 5 years ago

You don't like my solution? 😄

# If this bombs ("error opening zip file [..] jetty-alpn-agent")
# then run `sbt stage` and then `find target -name 'jetty-alpn-agent-*.jar' | head -1`
# pass it below
-javaagent:target/universal/stage/jetty-alpn-agent/jetty-alpn-agent-2.0.7.jar

wsargent commented 5 years ago

/am impressed

ignasi35 commented 5 years ago

You don't like my solution?

Oh, I didn't know that # DSL. Love it.

ignasi35 commented 5 years ago

We could even consider adding jetty-alpn-agent-2.0.7.jar (if license allows) like we include gradlew. 🤷‍♂️