Direct use of the ALPN API

Tomcat 10 will now require at least Java 8_251, which was released in
April 2020, for TLS support. Any Java 9+ JVM will work too.
This will not be backported to Tomcat 9.0 as it slightly changes the
APIs, although the changes are trivial.

Author: rmaucher

java/org/apache/tomcat/util/compat/JreCompat.java

@@ -19,18 +19,11 @@
 import java.io.File;
 import java.io.IOException;
 import java.lang.reflect.AccessibleObject;
-import java.lang.reflect.InvocationTargetException;
-import java.lang.reflect.Method;
 import java.net.URL;
 import java.net.URLConnection;
 import java.util.Deque;
 import java.util.jar.JarFile;
 
-import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLParameters;
-
-import org.apache.tomcat.util.res.StringManager;
-
 /**
  * This is the base implementation class for JRE compatibility and provides an
  * implementation based on Java 8. Sub-classes may extend this class and provide
@@ -44,10 +37,6 @@ public class JreCompat {
     private static final boolean graalAvailable;
     private static final boolean jre11Available;
     private static final boolean jre9Available;
-    private static final StringManager sm = StringManager.getManager(JreCompat.class);
-
-    protected static final Method setApplicationProtocolsMethod;
-    protected static final Method getApplicationProtocolMethod;
 
     static {
         // This is Tomcat 9 with a minimum Java version of Java 8.
@@ -66,17 +55,6 @@ public class JreCompat {
             jre9Available = false;
         }
         jre11Available = instance.jarFileRuntimeMajorVersion() >= 11;
-
-        Method m1 = null;
-        Method m2 = null;
-        try {
-            m1 = SSLParameters.class.getMethod("setApplicationProtocols", String[].class);
-            m2 = SSLEngine.class.getMethod("getApplicationProtocol");
-        } catch (ReflectiveOperationException | IllegalArgumentException e) {
-            // Only the newest Java 8 have the ALPN API, so ignore
-        }
-        setApplicationProtocolsMethod = m1;
-        getApplicationProtocolMethod = m2;
     }
 
 
@@ -90,11 +68,6 @@ public static boolean isGraalAvailable() {
     }
 
 
-    public static boolean isAlpnSupported() {
-        return setApplicationProtocolsMethod != null && getApplicationProtocolMethod != null;
-    }
-
-
     public static boolean isJre9Available() {
         return jre9Available;
     }
@@ -122,48 +95,6 @@ public boolean isInstanceOfInaccessibleObjectException(Throwable t) {
     }
 
 
-    /**
-     * Set the application protocols the server will accept for ALPN
-     *
-     * @param sslParameters The SSL parameters for a connection
-     * @param protocols     The application protocols to be allowed for that
-     *                      connection
-     */
-    public void setApplicationProtocols(SSLParameters sslParameters, String[] protocols) {
-        if (setApplicationProtocolsMethod != null) {
-            try {
-                setApplicationProtocolsMethod.invoke(sslParameters, (Object) protocols);
-            } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException e) {
-                throw new UnsupportedOperationException(e);
-            }
-        } else {
-            throw new UnsupportedOperationException(sm.getString("jreCompat.noApplicationProtocols"));
-        }
-    }
-
-
-    /**
-     * Get the application protocol that has been negotiated for connection
-     * associated with the given SSLEngine.
-     *
-     * @param sslEngine The SSLEngine for which to obtain the negotiated
-     *                  protocol
-     *
-     * @return The name of the negotiated protocol
-     */
-    public String getApplicationProtocol(SSLEngine sslEngine) {
-        if (getApplicationProtocolMethod != null) {
-            try {
-                return (String) getApplicationProtocolMethod.invoke(sslEngine);
-            } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException e) {
-                throw new UnsupportedOperationException(e);
-            }
-        } else {
-            throw new UnsupportedOperationException(sm.getString("jreCompat.noApplicationProtocol"));
-        }
-    }
-
-
     /**
      * Disables caching for JAR URL connections. For Java 8 and earlier, this also disables
      * caching for ALL URL connections.

java/org/apache/tomcat/util/compat/LocalStrings.properties

@@ -16,6 +16,3 @@
 jre9Compat.invalidModuleUri=The module URI provided [{0}] could not be converted to a URL for the JarScanner to process
 jre9Compat.javaPre9=Class not found so assuming code is running on a pre-Java 9 JVM
 jre9Compat.unexpected=Failed to create references to Java 9 classes and methods
-
-jreCompat.noApplicationProtocol=Java Runtime does not support SSLEngine.getApplicationProtocol(). You must use Java 9 to use this feature.
-jreCompat.noApplicationProtocols=Java Runtime does not support SSLParameters.setApplicationProtocols(). You must use Java 9 to use this feature.

java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java

@@ -28,7 +28,6 @@
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
 
-import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.openssl.ciphers.Cipher;
 
 public abstract class AbstractJsseEndpoint<S,U> extends AbstractEndpoint<S,U> {
@@ -123,7 +122,7 @@ protected SSLEngine createSSLEngine(String sniHostName, List<Cipher> clientReque
 
         SSLParameters sslParameters = engine.getSSLParameters();
         sslParameters.setUseCipherSuitesOrder(sslHostConfig.getHonorCipherOrder());
-        if (JreCompat.isAlpnSupported() && clientRequestedApplicationProtocols != null
+        if (clientRequestedApplicationProtocols != null
                 && clientRequestedApplicationProtocols.size() > 0
                 && negotiableProtocols.size() > 0) {
             // Only try to negotiate if both client and server have at least
@@ -134,7 +133,7 @@ protected SSLEngine createSSLEngine(String sniHostName, List<Cipher> clientReque
             commonProtocols.retainAll(clientRequestedApplicationProtocols);
             if (commonProtocols.size() > 0) {
                 String[] commonProtocolsArray = commonProtocols.toArray(new String[0]);
-                JreCompat.getInstance().setApplicationProtocols(sslParameters, commonProtocolsArray);
+                sslParameters.setApplicationProtocols(commonProtocolsArray);
             }
         }
         switch (sslHostConfig.getCertificateVerification()) {
@@ -193,20 +192,7 @@ private SSLHostConfigCertificate selectCertificate(
     @Override
     public boolean isAlpnSupported() {
         // ALPN requires TLS so if TLS is not enabled, ALPN cannot be supported
-        if (!isSSLEnabled()) {
-            return false;
-        }
-
-        // Depends on the SSLImplementation.
-        SSLImplementation sslImplementation;
-        try {
-            sslImplementation = SSLImplementation.getInstance(getSslImplementationName());
-        } catch (ClassNotFoundException e) {
-            // Ignore the exception. It will be logged when trying to start the
-            // end point.
-            return false;
-        }
-        return sslImplementation.isAlpnSupported();
+        return isSSLEnabled();
     }
 
 

java/org/apache/tomcat/util/net/SSLImplementation.java

@@ -68,5 +68,4 @@ public static SSLImplementation getInstance(String className)
 
     public abstract SSLUtil getSSLUtil(SSLHostConfigCertificate certificate);
 
-    public abstract boolean isAlpnSupported();
 }

java/org/apache/tomcat/util/net/SSLUtil.java

@@ -67,16 +67,4 @@ public interface SSLUtil {
      */
     public String[] getEnabledCiphers() throws IllegalArgumentException;
 
-    /**
-     * Optional interface that can be implemented by
-     * {@link javax.net.ssl.SSLEngine}s to indicate that they support ALPN and
-     * can provided the protocol agreed with the client.
-     */
-    public interface ProtocolInfo {
-        /**
-         * ALPN information.
-         * @return the protocol selected using ALPN
-         */
-        public String getNegotiatedProtocol();
-    }
 }

java/org/apache/tomcat/util/net/SecureNio2Channel.java

@@ -38,7 +38,6 @@
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.buf.ByteBufferUtils;
-import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.TLSClientHelloExtractor.ExtractorResult;
 import org.apache.tomcat.util.net.openssl.ciphers.Cipher;
 import org.apache.tomcat.util.res.StringManager;
@@ -242,13 +241,7 @@ protected int handshakeInternal(boolean async) throws IOException {
                 }
                 case FINISHED: {
                     if (endpoint.hasNegotiableProtocols()) {
-                        if (sslEngine instanceof SSLUtil.ProtocolInfo) {
-                            socketWrapper.setNegotiatedProtocol(
-                                    ((SSLUtil.ProtocolInfo) sslEngine).getNegotiatedProtocol());
-                        } else if (JreCompat.isAlpnSupported()) {
-                            socketWrapper.setNegotiatedProtocol(
-                                    JreCompat.getInstance().getApplicationProtocol(sslEngine));
-                        }
+                        socketWrapper.setNegotiatedProtocol(sslEngine.getApplicationProtocol());
                     }
                     //we are complete if we have delivered the last package
                     handshakeComplete = !netOutBuffer.hasRemaining();

java/org/apache/tomcat/util/net/SecureNioChannel.java

@@ -35,7 +35,6 @@
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.buf.ByteBufferUtils;
-import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.NioEndpoint.NioSocketWrapper;
 import org.apache.tomcat.util.net.TLSClientHelloExtractor.ExtractorResult;
 import org.apache.tomcat.util.net.openssl.ciphers.Cipher;
@@ -167,13 +166,7 @@ public int handshake(boolean read, boolean write) throws IOException {
                     throw new IOException(sm.getString("channel.nio.ssl.notHandshaking"));
                 case FINISHED:
                     if (endpoint.hasNegotiableProtocols()) {
-                        if (sslEngine instanceof SSLUtil.ProtocolInfo) {
-                            socketWrapper.setNegotiatedProtocol(
-                                    ((SSLUtil.ProtocolInfo) sslEngine).getNegotiatedProtocol());
-                        } else if (JreCompat.isAlpnSupported()) {
-                            socketWrapper.setNegotiatedProtocol(
-                                    JreCompat.getInstance().getApplicationProtocol(sslEngine));
-                        }
+                        socketWrapper.setNegotiatedProtocol(sslEngine.getApplicationProtocol());
                     }
                     //we are complete if we have delivered the last package
                     handshakeComplete = !netOutBuffer.hasRemaining();

java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java

@@ -18,7 +18,6 @@
 
 import javax.net.ssl.SSLSession;
 
-import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate;
 import org.apache.tomcat.util.net.SSLImplementation;
 import org.apache.tomcat.util.net.SSLSupport;
@@ -50,8 +49,4 @@ public SSLUtil getSSLUtil(SSLHostConfigCertificate certificate) {
         return new JSSEUtil(certificate);
     }
 
-    @Override
-    public boolean isAlpnSupported() {
-        return JreCompat.isAlpnSupported();
-    }
 }

java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java

@@ -46,7 +46,6 @@
 import org.apache.tomcat.jni.SSLContext;
 import org.apache.tomcat.util.buf.ByteBufferUtils;
 import org.apache.tomcat.util.net.Constants;
-import org.apache.tomcat.util.net.SSLUtil;
 import org.apache.tomcat.util.net.openssl.ciphers.OpenSSLCipherConfigurationParser;
 import org.apache.tomcat.util.res.StringManager;
 
@@ -55,7 +54,7 @@
  * <a href="https://www.openssl.org/docs/crypto/BIO_s_bio.html#EXAMPLE">OpenSSL
  * BIO abstractions</a>.
  */
-public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolInfo {
+public final class OpenSSLEngine extends SSLEngine {
 
     private static final Log logger = LogFactory.getLog(OpenSSLEngine.class);
     private static final StringManager sm = StringManager.getManager(OpenSSLEngine.class);
@@ -209,7 +208,7 @@ private enum Accepted { NOT, IMPLICIT, EXPLICIT }
     }
 
     @Override
-    public String getNegotiatedProtocol() {
+    public String getApplicationProtocol() {
         return selectedProtocol;
     }
 

java/org/apache/tomcat/util/net/openssl/OpenSSLImplementation.java

@@ -36,9 +36,4 @@ public SSLUtil getSSLUtil(SSLHostConfigCertificate certificate) {
         return new OpenSSLUtil(certificate);
     }
 
-    @Override
-    public boolean isAlpnSupported() {
-        // OpenSSL supported ALPN
-        return true;
-    }
 }