Using a JDK SSL provider

Jon Chambers edited this page Apr 3, 2017 · 2 revisions

As of Pushy v0.9.3, Pushy depends directly on netty-tcnative as an SSL provider. This should work well for nearly all users, but if you're using a platform not supported by netty-tcnative (or have some other reason for wanting to use something else), you can use a JDK SSL provider instead. Please note that this is not recommended unless you have no other options.

If you plan to use a JDK SSL provider, you should exclude netty-tcnative as a Pushy dependency. If you're using Maven, for example:

<dependency>
    <groupId>com.relayrides</groupId>
    <artifactId>pushy</artifactId>
    <version>0.9.2</version>
    <exclusions>
        <exclusion>
            <groupId>io.netty</groupId>
            <artifactId>netty-tcnative-boringssl-static</artifactId>
        </exclusion>
    </exclusions> 
</dependency>

Users who aren't using netty-tcnative will need to fulfill two main system requirements by other means: ALPN and ciphers.

ALPN

The APNs protocol is built on HTTP/2, which depends on ALPN, a TLS extension for protocol negotiation. No released version of Java has native ALPN support at this time (though it's scheduled for inclusion in Java 9).

To "add" ALPN to your project, you may use Jetty's ALPN implementation. We recommend using jetty-alpn-agent, which will automatically modify classes in your JVM to add ALPN support. Note that just adding jetty-alpn-agent to your classpath is not sufficient. You'll need to explicitly add a javaagent argument when launching your JVM; please see the jetty-alpn-agent documentation for details.

Ciphers

HTTP/2 also requires the use of ciphers that weren't introduced in Java until Java 8. If you're using Java 8, you probably don't need to worry about this (although the included ciphers may vary by JDK vendor). If you're using Java 7, you'll need to use a security provider (like Bouncy Castle) that can provide the necessary ciphers. Setting up an alternative security provider is beyond the scope of this document; please see your security provider's documentation for details.
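A quick way to confirm that a given JVM meets both requirements before pointing Pushy at it. This is an added example, not code from Pushy or its documentation. The class name `JdkHttp2Check` is hypothetical, the cipher suite checked is the one RFC 7540 (section 9.2.2) makes mandatory for HTTP/2 over TLS 1.2, and the Jetty check assumes the ALPN API class is visible to the bootstrap class loader:

```java
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Added example (hypothetical class name), not part of Pushy.
public class JdkHttp2Check {
    // Cipher suite that RFC 7540 section 9.2.2 makes mandatory for HTTP/2 over TLS 1.2.
    static final String REQUIRED_CIPHER = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";

    // True when the JDK itself exposes ALPN on SSLEngine.
    static boolean hasNativeAlpn() {
        try {
            SSLEngine.class.getMethod("getApplicationProtocol");
            return true;
        } catch (NoSuchMethodException e) {
            return false;
        }
    }

    // True when Jetty's ALPN API class is loadable. Assumption: it sits on the
    // bootstrap class path, so a null class loader is used for the lookup.
    static boolean hasJettyAlpn() {
        try {
            Class.forName("org.eclipse.jetty.alpn.ALPN", false, null);
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Inspect what the default JSSE provider supports, not just what it enables.
        SSLParameters supported = SSLContext.getDefault().getSupportedSSLParameters();
        List<String> protocols = Arrays.asList(supported.getProtocols());
        List<String> ciphers = Arrays.asList(supported.getCipherSuites());

        boolean tls12 = protocols.contains("TLSv1.2");
        boolean cipher = ciphers.contains(REQUIRED_CIPHER);
        boolean alpn = hasNativeAlpn() || hasJettyAlpn();

        System.out.println("java.version : " + System.getProperty("java.version"));
        System.out.println("TLSv1.2      : " + tls12);
        System.out.println("HTTP/2 cipher: " + cipher + " (" + REQUIRED_CIPHER + ")");
        System.out.println("ALPN         : " + alpn);
        // Non-zero exit lets a deploy script fail fast on an unsuitable JVM.
        System.exit(tls12 && cipher && alpn ? 0 : 1);
    }
}
```

Run it with the same JVM, `-javaagent` argument and security provider configuration as the application. The check only reflects the default `SSLContext`, so a provider that is installed but not selected as the default will not show up.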