Skip to content

[#2132] Migrate SSL support away from ThreadLocal, support key alias and default to pkcs12#2133

Open
mattrpav wants to merge 5 commits into
apache:mainfrom
mattrpav:gh-2132-ssl-reload-alias
Open

[#2132] Migrate SSL support away from ThreadLocal, support key alias and default to pkcs12#2133
mattrpav wants to merge 5 commits into
apache:mainfrom
mattrpav:gh-2132-ssl-reload-alias

Conversation

@mattrpav

@mattrpav mattrpav commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

All wiring of transports now takes SslContext as a parameter, instead of 'magically' showing up as a ThreadLocal when needed.

This unlocks a lot of capabilities, including per-transportConnector SSLContext, per-networkConnector SSLContext and eventually auto-reloading of SSLContext.

  • DefaultSslContext (remove active usage of ThreadContextSslContext)
  • Default to stronger and now JDK-default keystore type: 'pkcs12'
  • Add support for keyAlias
  • Add per-connector sslContect
  • Add per-networkConnector sslContext
  • Add ComptibleSslContext to bridge Spring for a non-ThreadLocalSslContext
  • Retain a ThreadContextSslContext class in case someone extended some part of the broker or client (add'l transport connector, etc) and needs a way to transition
  • Unit test refactors

Merge plan: Squash all commits to one for v6.3.0 only (no backport)

@mattrpav mattrpav self-assigned this Jun 22, 2026
@mattrpav
mattrpav force-pushed the gh-2132-ssl-reload-alias branch 2 times, most recently from 83e22b7 to b458792 Compare June 22, 2026 13:12
@mattrpav mattrpav changed the title [#2132] Support SSL reload and using a key alias WIP: [#2132] Support SSL reload and using a key alias Jun 22, 2026
@jbonofre
jbonofre self-requested a review June 22, 2026 14:18
@mattrpav mattrpav changed the title WIP: [#2132] Support SSL reload and using a key alias WIP: [#2132] Migrate SSL support away from ThreadLocal, support key alias and prepare for reload support Jun 22, 2026
@mattrpav mattrpav changed the title WIP: [#2132] Migrate SSL support away from ThreadLocal, support key alias and prepare for reload support WIP: [#2132] Migrate SSL support away from ThreadLocal, support key alias and default to pkcs12 Jun 22, 2026
@mattrpav mattrpav changed the title WIP: [#2132] Migrate SSL support away from ThreadLocal, support key alias and default to pkcs12 [#2132] Migrate SSL support away from ThreadLocal, support key alias and default to pkcs12 Jun 22, 2026
@mattrpav
mattrpav force-pushed the gh-2132-ssl-reload-alias branch from 02cb65e to 20a8b36 Compare June 22, 2026 21:25
@cshannon

Copy link
Copy Markdown
Contributor

This is a pretty major refactor and needs to be reviewed carefully before merging. I assume this will not be backported and only be targeted for 6.3.0 due to the major changes.

@mattrpav - are there breaking API changes here? a quick look showed old methods delegating to the new ones so I don't think so but we don't want to break anyone who upgrades

@mattrpav

Copy link
Copy Markdown
Contributor Author

@cshannon correct, this is only for 6.3.0.

The original SslContext is renamed ThreadLocalSslContext and remains if anyone needs previous behavior exactly.

The ComaptibleSslContext provides same method signature as the ThreadLocalSslContexr for historical compatibility for wiring of arrays v lists, but removes the ThreadLocal usage.

The DefaultThreadLocalContext becomes the new default.

This change removes all ThreadLocalSslContext usage and updates transportConnectors and networkConnectors to support having independent SSLContexts as needed. They all fall back to the broker-wide one as before, if an independent sslcontext is not configured.

@mattrpav mattrpav moved this from Backlog to In progress in Apache ActiveMQ v6.3.0 Jul 12, 2026
mattrpav added 4 commits July 14, 2026 20:58
 - DefaultSslContext (remove active usage of ThreadContextSslContext)
 - Add per-connector sslContect
 - Add per-networkConnector sslContext
 - Add ComptibleSslContext to bridge Spring for a non-ThreadLocalSslContext
@mattrpav
mattrpav force-pushed the gh-2132-ssl-reload-alias branch from 20a8b36 to 8883f00 Compare July 15, 2026 01:58
@mattrpav mattrpav moved this from In progress to In review in Apache ActiveMQ v6.3.0 Jul 15, 2026
@mattrpav
mattrpav requested a review from cshannon July 15, 2026 17:24
"You must specify the brokerService property. Maybe this connector should be added to a broker?");
}
return TransportFactorySupport.bind(brokerService, uri);
SslContext ctx = sslContext != null ? sslContext : brokerService.getSslContext();

@cshannon cshannon Jul 17, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These comments fall into the "nit" category and aren't required but I was just thinking this might be a good time to use Optional. This is not on a hot path so it won't create a lot of extra objects to clean up so it might make it a bit cleaner (this comment applies for all the places looking up the ssl context is used with a ternary operator.)

return TransportFactorySupport.bind(brokerService, uri,
    Optional.ofNullable(sslContext).orElseGet(() -> brokerService.getSslContext()));

or

return TransportFactorySupport.bind(brokerService, uri,
                Optional.ofNullable(sslContext).orElse(brokerService.getSslContext()));

Using a helper method:

public SslContext getAppliedSslContext() {
   return sslContext != null ? sslContext : brokerService.getSslContext();
}

}

@Override
public SSLContext getSSLContext() throws NoSuchProviderException, NoSuchAlgorithmException, KeyManagementException {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I need to look at this more but this likely needs to be tweaked because sslContext isn't volatile

@cshannon

Copy link
Copy Markdown
Contributor

I did a quick browse of this and it makes sense to get rid of the thread local if possible but I need to do a deeper dive and try it out. I think there might be a couple things to tweak but overall I think this makes sense. The less thread locals we have the better and as you pointed out it gives us more flexibility in the future.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: In review

Development

Successfully merging this pull request may close these issues.

2 participants