TLS Support

[manderson202]

I have a project that uses this library and it has wire-level encryption as a requirement and I would like to request TLS support be added. I have started work on this with the goal of submitting it as a PR, however I have been running into issues. My hope is that someone may be able to point me in the right direction. Totally understand if this is not in scope for this project and feel free to close this if so, but wanted to give it a shot...

I have been able to get this to work in a test Scala project, but so far my attempts to translate this to Clojure have been in vain. Below is what I have so far (I'm basing my implementation off the TLS tests in Finagle):

Thrift File

namespace java example.thrift

service TestService {
    string ping(1: string name)
}

Service

(ns finagle-clj-tls.service
  (:import [example.thrift TestService]
           [com.twitter.finagle.transport Transport$TLSServerEngine]
           [com.twitter.finagle Service Thrift]
           [com.twitter.finagle.ssl Ssl]
           [com.twitter.finagle Service Stack$Param]
           [scala Tuple2 Option]
           [java.net InetSocketAddress InetAddress])
  (:require [finagle-clojure.futures :as f]
            [finagle-clojure.thrift :as thrift]
            [finagle-clojure.options :as options]
            [finagle-clojure.scala :as scala])
  (:gen-class))

(def cert-path "/path/to/cert.pem")

(def key-path "/path/to/private.key")

(defn make-service
  []
  (thrift/service TestService
    (ping [n] (f/value (str "Hello, " n "!")))))

(defn ^Stack$Param param [p]
  (reify Stack$Param
    (default [this] p)))

(defn ^Option optional-fn [v]
  (options/option (scala/Function0 v)))

(defn serve-tls [^InetSocketAddress addr ^Service service]
  (let [tls-engine (Transport$TLSServerEngine. (optional-fn (Ssl/server cert-path key-path nil nil nil)))]
    (->
      (Thrift/server)
      (.configured (Tuple2. tls-engine (param tls-engine)))
      (.serveIface addr service))))

Client

(ns finagle-clj-tls.client
  (:import [example.thrift TestService TestService$ServiceIface]
           [com.twitter.finagle Stack$Param Thrift]
           [com.twitter.finagle.transport Transport$TLSClientEngine]
           [java.net InetSocketAddress]
           [com.twitter.finagle.ssl Ssl]
           [scala Tuple2])
  (:require [finagle-clojure.futures :as f]
            [finagle-clojure.thrift :as thrift]
            [finagle-clojure.options :as options]
            [finagle-clojure.scala :as scala]))

(defn ^Stack$Param param [p]
  (reify Stack$Param
    (default [this] p)))

(defn get-tls-engine []
  (Transport$TLSClientEngine.
    (options/option
      (scala/Function [inet]
        (if (instance? InetSocketAddress inet)
          (Ssl/clientWithoutCertificateValidation (.getHostName inet) (.getPort inet))
          (Ssl/clientWithoutCertificateValidation))))))

(defn get-tls-client [host port]
  (let [tls-client (get-tls-engine)]
    (->
      (Thrift/client)
      (.configured (Tuple2. tls-client (param tls-client)))
      (.newIface (str host ":" port) ^Class TestService$ServiceIface))))

This actually runs fine and I'm able to get responses, the problem is that they are not encrypted. If you set up a packet capture (I'm using WireShark) you can see everything in plain text, however, with the Scala example I set up, the bytes are encrypted.

Thanks in advance.

[manderson202]

I found my issue... It was how I was passing the parameters to .configured. So now:

Service: (.configured (.mk tls-engine))

Client: (.configured (.mk tls-client))

I'll try to get a PR put together sometime this week in case you're interested.

[samn]

Glad you got it working @manderson202!
i haven't played around with TLS support, very cool that you figured it out.

A PR would be greatly appreciated :)