Use JDK default security provider when Conscrypt isn't available #12938
- fixes issue with ARM64 platform where Conscrypt isn't available
@lhotari: Thanks for your contribution. For this PR, do we need to update docs?
@lhotari: Thanks for providing doc info!
) - fixes issue with ARM64 platform where Conscrypt isn't available (cherry picked from commit 4f2d52e)
@lhotari Hi, is it expected to log stack trace for the warning message when Conscrypt class is not found? Thanks.
@ladhadeepak yes
@lhotari Can you please explain why a warning should accompany a stack trace? Logging such an exception misleads into believing that something is wrong in the deployment but then it is not the case else it would not have been just WARNING. Isn't it?
@ladhadeepak The log message is pretty clear about the warning: "Conscrypt isn't available. Using JDK default security provider." Please explain the scenario where you think that it's misleading to log the stack trace. Who is being misled? :) What is the impact?
@ladhadeepak Are you running on ARM64 platform?
@lhotari My QA engineer is misled into believing that there is an error in the system and hence he has raised a ticket/defect :(
It is x86_64
Why do you want to disable Conscrypt?
Oh well, we are in enterprise application development space and not in the mobile app or android space.
Unfortunately Conscrypt isn't related to mobile apps or android space in Pulsar. Conscrypt is used in Pulsar to improve the performance of Jetty TLS layer. #10372 explains the rationale. The official Jetty documentation recommends to use Conscrypt to achieve good performance with TLS. Embedded Jetty is used as the http server for the Pulsar broker and Pulsar proxy.
Sure, we can evaluate this in our context. Thanks for the detailed info.
Fixes #12907
Motivation
Modifications
Call the `org.conscrypt.Conscrypt.checkAvailability()` method using reflection to verify that Conscrypt can be loaded successfully. In a failure case, log the error and fall back to the JDK default security provider.
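The availability check described above, as an added sketch that is not the code from this PR or from Pulsar: the class `TlsProviderSelector` and its method names are hypothetical, and registering Conscrypt at provider position 1 is an assumption about how the result would be used.

```java
import java.lang.reflect.InvocationTargetException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLContext;

// Hypothetical helper class; not part of Pulsar.
public final class TlsProviderSelector {
    private static final Logger LOG = Logger.getLogger(TlsProviderSelector.class.getName());
    private static final String UNAVAILABLE =
            "Conscrypt isn't available. Using JDK default security provider.";

    /** Returns a Conscrypt provider if it is usable on this platform, otherwise null. */
    static Provider loadConscryptOrNull() {
        try {
            // Reflection keeps Conscrypt optional: nothing here links to it at compile time.
            Class<?> conscrypt = Class.forName("org.conscrypt.Conscrypt");
            // Throws when the native library for this OS/CPU architecture cannot be loaded.
            conscrypt.getMethod("checkAvailability").invoke(null);
            return (Provider) conscrypt.getMethod("newProvider").invoke(null);
        } catch (InvocationTargetException e) {
            // Unwrap so the log shows the real cause (typically UnsatisfiedLinkError).
            LOG.log(Level.WARNING, UNAVAILABLE, e.getCause());
        } catch (ReflectiveOperationException | LinkageError e) {
            // Class missing from the classpath, or its static initializer failed.
            LOG.log(Level.WARNING, UNAVAILABLE, e);
        }
        return null;
    }

    /** Registers Conscrypt first when available; returns the provider name TLS will use. */
    static String selectTlsProvider() {
        Provider conscrypt = loadConscryptOrNull();
        if (conscrypt != null) {
            Security.insertProviderAt(conscrypt, 1); // assumption: highest priority
            return conscrypt.getName();
        }
        try {
            // Fallback: whichever installed JDK provider serves "TLS" by default.
            return SSLContext.getInstance("TLS").getProvider().getName();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("No TLS provider installed", e);
        }
    }

    public static void main(String[] args) {
        System.out.println("TLS provider: " + selectTlsProvider());
    }
}
```

Logging the selected provider name once at startup makes it possible to confirm from deployment logs which TLS implementation is actually in use.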