Add TLS compatibility mode configuration for HTTP senders#8599
Open
adhamahmad wants to merge 5 commits into
Open
Conversation
Add a TLS compatibility mode option to HttpSenderConfig and expose it through OTLP HTTP exporter configuration. Implement support in the OkHttp sender by allowing compatible TLS negotiation for legacy TLS servers while keeping modern TLS as the default. Add tests covering modern TLS failure and compatible TLS success against a legacy TLSv1/TLSv1.1-only server.
|
|
Contributor
|
Replace runtime TLS security property mutations with a `java.security.properties` override for `OkHttpHttpSenderTlsCompatibilityTest`. Applying the configuration at JVM bootstrap avoids test-order dependencies caused by JDK caching of TLS security properties and allows removal of `@Isolated` and runtime property manipulation logic.
Member
|
Hey I gave this issue some thought and shared my analysis here: #7573 (comment) I think we should go in a different direction with this: #8610, which embodies option d in the comment. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds support for configuring TLS compatibility mode for HTTP senders (OkHttp only for now), allowing clients to optionally connect to endpoints that require legacy TLS protocol versions.
Fixes #7573
Motivation
Some users running on legacy environments, may be unable to connect to endpoints that only support older TLS protocol versions. The current HTTP sender configuration only supports modern TLS negotiation, preventing connections to these legacy endpoints.
Changes
Added
TlsCompatibilityModeconfiguration toHttpSenderConfigwithMODERNas the default behaviorAdded
HttpExporterBuilder.setTlsCompatibilityMode(TlsCompatibilityMode)to allow OTLP HTTP exporters to configure TLS compatibility behaviorUpdated
ImmutableHttpSenderConfigto carry the TLS compatibility mode configurationUpdated
OkHttpHttpSenderto mapTlsCompatibilityMode.COMPATIBLEto OkHttp'sConnectionSpec.COMPATIBLE_TLSKept existing behavior unchanged by defaulting all senders to modern TLS configuration
Added
TlsCompatibilityModeas a public API for implementation-neutral TLS compatibility configurationUpdated public API diff documentation with the new configuration method and enum
Testing
Added
OkHttpHttpSenderTlsCompatibilityTestVerified
MODERNmode cannot connect to a server restricted to TLSv1/TLSv1.1 protocolsVerified
COMPATIBLEmode can negotiate a connection with a legacy TLS-only server