Working Group - Enhanced TLS support

[cescoffier]

Hello,

We recently merged an ancient issue (3y old) to centralize the TLS configuration. Extensions should now be able to use this centralized registry to configure TLS. It avoids heterogeneous and incomplete configuration.

This was a significant effort to simplify and improve TLS management. Typically, with this registry, we can homogenize the TLS configuration, add support for certificate reloading, integrate certificate providers like Let's Encrypt or Cert-Manager, and improve the local experience.

This effort is now tracked using a "Focus Group" (temporary wording) project: WG - Enhanced TLS support.

I'm creating this discussion to raise awareness and as a place to discuss ideas, challenges, progress...

[emattheis]

@cescoffier I have some specialized requirements for setting up TLS using a private CA and I'm looking for a way to configure and periodically reload certificates and keys for the vert.x https server managed by Quarkus. I found this post showing how to set things up at configuration time and it works well, but there's no obvious way to introduce new certificates as Quarkus doesn't expose the resulting HttpServer.

I came up with a hacky solution using a custom KeyCertOptions implementation in conjunction with the built-in quarkus.http.ssl.certificate.reload-period functionality.

import io.netty.handler.ssl.util.SelfSignedCertificate;
import io.quarkus.vertx.http.HttpServerOptionsCustomizer;
import io.vertx.core.Vertx;
import io.vertx.core.http.HttpServerOptions;
import io.vertx.core.net.KeyCertOptions;
import io.vertx.core.net.PemKeyCertOptions;
import jakarta.enterprise.context.ApplicationScoped;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.net.ssl.KeyManagerFactory;
import java.security.cert.CertificateException;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import java.util.function.Function;

@ApplicationScoped
public class CertificateManager implements HttpServerOptionsCustomizer {

    private static final Logger log = LoggerFactory.getLogger(CertificateManager.class);

    private final Duration certificateReloadPeriod;

    private volatile PemKeyCertOptions keyCertOptions = null;
    private volatile Instant keyCertOptionsExpiration = Instant.now();

    public CertificateManager(@ConfigProperty(name = "quarkus.http.ssl.certificate.reload-period") Duration certificateReloadPeriod) {
        this.certificateReloadPeriod = certificateReloadPeriod;
    }

    @Override
    public void customizeHttpsServer(HttpServerOptions options) {
        options.setKeyCertOptions(keyCertOptions());
    }

    private void generateCertificatesIfNecessary() {
        var nextReloadTime = Instant.now().plus(certificateReloadPeriod);
        if (keyCertOptionsExpiration.isBefore(nextReloadTime)) {
            var keyCertOptions = new PemKeyCertOptions();
            var padding = certificateReloadPeriod.dividedBy(2);
            var keyCertOptionsExpiration = Instant.now().plus(certificateReloadPeriod).plus(padding);
            var host = "localhost";
            var ecBits = 256;
            var rsaBits = 2048;
            var notBefore = Date.from(Instant.now().minus(padding));
            var notAfter = Date.from(keyCertOptionsExpiration);
            try {
                var ecCert = new SelfSignedCertificate(host, notBefore, notAfter, "EC", ecBits);
                var rsaCert = new SelfSignedCertificate(host, notBefore, notAfter, "RSA", rsaBits);
                log.info("generated self-signed certificates");
                keyCertOptions
                        .addCertPath(ecCert.certificate().getAbsolutePath())
                        .addKeyPath(ecCert.privateKey().getAbsolutePath())
                        .addCertPath(rsaCert.certificate().getAbsolutePath())
                        .addKeyPath(rsaCert.privateKey().getAbsolutePath());
            } catch (CertificateException e) {
                log.error("error generating self-signed certificates", e);
            }
            this.keyCertOptions = keyCertOptions;
            this.keyCertOptionsExpiration = keyCertOptionsExpiration;
        }
    }

    private KeyCertOptions keyCertOptions() {
        return new KeyCertOptions() {
            @Override
            public KeyCertOptions copy() {
                return keyCertOptions();
            }

            @Override
            public KeyManagerFactory getKeyManagerFactory(Vertx vertx) throws Exception {
                generateCertificatesIfNecessary();
                return keyCertOptions.getKeyManagerFactory(vertx);
            }

            @Override
            public Function<String, KeyManagerFactory> keyManagerFactoryMapper(Vertx vertx) throws Exception {
                generateCertificatesIfNecessary();
                return keyCertOptions.keyManagerFactoryMapper(vertx);
            }
        };
    }
}

It would be nice to be able to use the tls registry for this and take advantage of the in-built reload mechanism, but I can't see a way to register a TlsConfiguration programmatically that can be used by the built-in HttpServer. Am I missing something?

[emattheis]

Here are the changes: emattheis@7465ebb

[cescoffier]

Awesome! Can you open a PR? It will make reviewing smoother!

[emattheis]

My pleasure! #45937

[emattheis]

@cescoffier Thanks for the feedback. I didn't want to go too deep without a first review, but now that I know it's acceptable I'll work on some documentation.

[cescoffier]

Awesome, thank you so much. It's a great contribution.