Netty搭建Http2服务端并支持TLS传输加密

@Slf4j
public class SslUtil {public static SslContext sslContext() {SslProvider provider = SslProvider.isAlpnSupported(SslProvider.OPENSSL) ? SslProvider.OPENSSL : SslProvider.JDK;log.info("provider:{}", provider);SelfSignedCertificate ssc = null;try {ssc = new SelfSignedCertificate();} catch (CertificateException e) {throw new RuntimeException(e);}ApplicationProtocolConfig applicationProtocolConfig = new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN,ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,ApplicationProtocolNames.HTTP_2,ApplicationProtocolNames.HTTP_1_1);SslContext sslContext = null;try {sslContext = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey()).sslProvider(provider).ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE).applicationProtocolConfig(applicationProtocolConfig).build();} catch (SSLException e) {throw new RuntimeException(e);}return sslContext;}}

注意：io.netty.handler.ssl.util.SelfSignedCertificate 只用于测试，不要用于生产环境！！！

public class Http2ServerResponseHandler extends ChannelDuplexHandler {static final ByteBuf RESPONSE_BYTES = Unpooled.unreleasableBuffer(Unpooled.copiedBuffer("Hello World", CharsetUtil.UTF_8));@Overridepublic void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {if (msg instanceof Http2HeadersFrame) {Http2HeadersFrame msgHeader = (Http2HeadersFrame) msg;if (msgHeader.isEndStream()) {ByteBuf content = ctx.alloc().buffer();content.writeBytes(RESPONSE_BYTES.duplicate());Http2Headers headers = new DefaultHttp2Headers().status(HttpResponseStatus.OK.codeAsText());ctx.write(new DefaultHttp2HeadersFrame(headers).stream(msgHeader.stream()));ctx.write(new DefaultHttp2DataFrame(content, true).stream(msgHeader.stream()));}} else {super.channelRead(ctx, msg);}}}

/*** Created by bruce on 2021/12/10 15:13*/
@Slf4j
public class Http2Server {private NioEventLoopGroup bossGroup;private NioEventLoopGroup workerGroup;public synchronized void start(int port) {bossGroup = new NioEventLoopGroup(1);workerGroup = new NioEventLoopGroup();try {ServerBootstrap bootstrap = new ServerBootstrap();bootstrap.option(ChannelOption.SO_BACKLOG, 1024).group(bossGroup, workerGroup).channel(NioServerSocketChannel.class).handler(new LoggingHandler(LogLevel.INFO)).childHandler(new Http2ServerInitializer());//ChannelFuture channelFuture = bootstrap.bind(port).sync();log.info("http2 server started on port:{}", port);} catch (Exception e) {log.error("Http2ServerBootstrap-->", e);close();}}public static class Http2ServerInitializer extends ChannelInitializer<SocketChannel> {@Overrideprotected void initChannel(SocketChannel channel) throws Exception {ChannelPipeline pipeline = channel.pipeline();SslHandler sslHandler = SslUtil.sslContext().newHandler(channel.alloc());pipeline.addLast("sslHandler", sslHandler);pipeline.addLast("applicationProtocolNegotiationHandler", new MyAppProtocolNegotiationHandler());}}//根据请求的协议添加对应的处理器public static class MyAppProtocolNegotiationHandler extends ApplicationProtocolNegotiationHandler {public MyAppProtocolNegotiationHandler() {super(ApplicationProtocolNames.HTTP_2);}protected void configurePipeline(ChannelHandlerContext ctx, String protocol) {if (ApplicationProtocolNames.HTTP_2.equals(protocol)) {Http2FrameCodec http2FrameCodec = Http2FrameCodecBuilder.forServer().build();ctx.pipeline().addLast(http2FrameCodec);ctx.pipeline().addLast(new Http2ServerResponseHandler());} else {throw new IllegalStateException("Protocol: " + protocol + " not supported");}}}public synchronized void close() {if (bossGroup != null) {bossGroup.shutdownGracefully();}if (workerGroup != null) {workerGroup.shutdownGracefully();}log.info("destroy netty server thread");}}

public static void main(String[] args) {Http2Server http2Server = new Http2Server();http2Server.start(8443);
}

测试http2服务

curl -k -v --http2 https://127.0.0.1:8443

测试http1.1服务

curl -k -v --http1.1 https://127.0.0.1:8443

使用 jdk 提供的SslProvider

使用jdk提供的SslProvider，但是jdk8不支持ALPN，出现如下异常，只能使用高版本的jdk。

示例使用的是jdk17可以支持ALPN，但是运行时会出现如下异常

Caused by: java.security.cert.CertificateException: No provider succeeded to generate a self-signed certificate. See debug log for the root cause.at io.netty.handler.ssl.util.SelfSignedCertificate.<init>(SelfSignedCertificate.java:249) ~[netty-handler-4.1.70.Final.jar:4.1.70.Final]at io.netty.handler.ssl.util.SelfSignedCertificate.<init>(SelfSignedCertificate.java:166) ~[netty-handler-4.1.70.Final.jar:4.1.70.Final]at io.netty.handler.ssl.util.SelfSignedCertificate.<init>(SelfSignedCertificate.java:115) ~[netty-handler-4.1.70.Final.jar:4.1.70.Final]at io.netty.handler.ssl.util.SelfSignedCertificate.<init>(SelfSignedCertificate.java:90) ~[netty-handler-4.1.70.Final.jar:4.1.70.Final]at com.bruce.netty.http2.handler.SslUtil.sslContext(SslUtil.java:24) ~[classes/:na]... 21 common frames omittedSuppressed: java.lang.NoClassDefFoundError: org/bouncycastle/jce/provider/BouncyCastleProviderat io.netty.handler.ssl.util.BouncyCastleSelfSignedCertGenerator.<clinit>(BouncyCastleSelfSignedCertGenerator.java:43) ~[netty-handler-4.1.70.Final.jar:4.1.70.Final]at io.netty.handler.ssl.util.SelfSignedCertificate.<init>(SelfSignedCertificate.java:240) ~[netty-handler-4.1.70.Final.jar:4.1.70.Final]... 25 common frames omittedCaused by: java.lang.ClassNotFoundException: org.bouncycastle.jce.provider.BouncyCastleProviderat java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641)at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:520)... 27 common frames omitted
Caused by: java.lang.IllegalAccessError: class io.netty.handler.ssl.util.OpenJdkSelfSignedCertGenerator (in unnamed module @0x5e316c74) cannot access class sun.security.x509.X509CertInfo (in module java.base) because module java.base does not export sun.security.x509 to unnamed module @0x5e316c74at io.netty.handler.ssl.util.OpenJdkSelfSignedCertGenerator.generate(OpenJdkSelfSignedCertGenerator.java:52) ~[netty-handler-4.1.70.Final.jar:4.1.70.Final]at io.netty.handler.ssl.util.SelfSignedCertificate.<init>(SelfSignedCertificate.java:246) ~[netty-handler-4.1.70.Final.jar:4.1.70.Final]... 25 common frames omitted

该问题乍一看以为是缺少org.bouncycastle.jce.provider.BouncyCastleProvider导致的异常，当添加了如下依赖后确实也可以解决问题。

<dependency><groupId>org.bouncycastle</groupId><artifactId>bcpkix-jdk15on</artifactId><version>1.70</version>
</dependency>

但实际原因并不是缺少该依赖导致的，看最后一个Caused by:
because module java.base does not export sun.security.x509 to unnamed module @0x5e316c74

实际原因：jdk17因为模块化并没有在 java.base中导出sun.security.x509包，没有权限访问sun.security.x509.X509CertInfo导致无法实例化。

解决办法：不需要org.bouncycastle:bcpkix-jdk15on依赖，在启动时添加如下参数即可

--add-opens java.base/sun.security.x509=ALL-UNNAMED

使用OPENSSL提供的SslProvider

添加如下依赖依赖，OPENSSL不需要依赖jdk提供了ALPN支持，因此在jdk8，jdk17上同样可以运行。

<dependency><groupId>io.netty</groupId><artifactId>netty-tcnative-boringssl-static</artifactId>
</dependency>

当切换到jdk17时，再次执行则会出现上面所提到的异常，具体原因及解决方案上面已经说明

Caused by: java.lang.IllegalAccessError: class io.netty.handler.ssl.util.OpenJdkSelfSignedCertGenerator (in unnamed module @0x5e316c74) cannot access class sun.security.x509.X509CertInfo (in module java.base) because module java.base does not export sun.security.x509 to unnamed module @0x5e316c74at io.netty.handler.ssl.util.OpenJdkSelfSignedCertGenerator.generate(OpenJdkSelfSignedCertGenerator.java:52) ~[netty-handler-4.1.70.Final.jar:4.1.70.Final]at io.netty.handler.ssl.util.SelfSignedCertificate.<init>(SelfSignedCertificate.java:246) ~[netty-handler-4.1.70.Final.jar:4.1.70.Final]... 25 common frames omitted

但为什么加了org.bouncycastle:bcpkix-jdk15on依赖同样可以解决问题呢?
源码见：io.netty.handler.ssl.util.SelfSignedCertificate#SelfSignedCertificate(String, java.security.SecureRandom, int, Date, Date, String)
原因是Netty优先使用的使用Bouncy Castle生成自签名证书。当不存在时再使用OpenJDK提供的sun.security.x509生成自签名证书。所以使用Bouncy Castle之后就不会走到下面逻辑，不会访问创建X509CertInfo对象，所以正常执行.