SECURITY.md - OpenGrok cross reference for /external/grpc-grpc-java/SECURITY.md

Lines Matching +full:google +full:- +full:java +full:- +full:format +full:- +full:eclipse +full:- +full:plugin +full:-
3 …ting how to provide SSL/TLS encryption support and identity assertions in Java, as well as passing…
7 …-ietf-tls-applayerprotoneg-05) to negotiate the use of the h2 protocol. ALPN is a fairly new stand…
9 …ndroid, use the [Play Services Provider](#tls-on-android). For non-Android systems, use [OpenSSL](…
14 Provider](https://www.appfoundry.be/blog/2014/11/18/Google-Play-Services-Dynamic-Security-Provider/)
15 to ensure your application has an up-to-date OpenSSL library with the necessary
16 ciper-suites and a reliable ALPN implementation. This requires [updating the
18 runtime](https://developer.android.com/training/articles/security-gms-provider.html).
32 Central](https://search.maven.org/#search%7Cga%7C1%7Cg%3Aorg.conscrypt%20a%3Aconscrypt-android).
37 ```java
39 import java.security.Security;
47 This is currently the recommended approach for using gRPC over TLS (on non-Android systems).
51 …he JDK. GCM, which is used by the only cipher suite required by the HTTP/2 spec, is 10-500x faster.
52 …n ciphers and is not dependent on the limitations of the JDK. This allows supporting GCM on Java 7.
56 …SSL is only provided for the Netty transport via [netty-tcnative](https://github.com/netty/netty-t…
57 [Apache Tomcat's tcnative](http://tomcat.apache.org/native-doc/), a JNI wrapper around OpenSSL.
61 As of version `1.1.33.Fork14`, netty-tcnative provides two options for usage: statically or dynamic…
62 we recommend that users first look at `netty-tcnative-boringssl-static`, which is statically linked…
68 …time. A better solution in this case is to use the dynamically linked `netty-tcnative` artifact, w…
69 to easily upgrade OpenSSL in the standard way (e.g. apt-get) without relying on any new builds from…
71 ### OpenSSL: Statically Linked (netty-tcnative-boringssl-static)
73 …transport for OpenSSL. You just need to add the appropriate `netty-tcnative-boringssl-static` arti…
75 …le on [Maven Central](http://repo1.maven.org/maven2/io/netty/netty-tcnative-boringssl-static/) for…
78 ---------------- | -----------
79 windows-x86_64 | Windows distribution
80 osx-x86_64 | Mac distribution
81 linux-x86_64 | Linux distribution
83 ##### Getting netty-tcnative-boringssl-static from Maven
85 In Maven, you can use the [os-maven-plugin](https://github.com/trustin/os-maven-plugin) to help sim…
92       <artifactId>netty-tcnative-boringssl-static</artifactId>
99 ##### Getting netty-tcnative-boringssl-static from Gradle
101 …use the [osdetector-gradle-plugin](https://github.com/google/osdetector-gradle-plugin), which is a…
111     compile 'io.netty:netty-tcnative-boringssl-static:2.0.7.Final'
115 ### OpenSSL: Dynamically Linked (netty-tcnative)
117 …. you need control over the version of OpenSSL), you can instead use the `netty-tcnative` artifact.
122 2. [Apache APR library (libapr-1)](https://apr.apache.org/) version >= 1.5.2.
123 …ty-tcnative](https://github.com/netty/netty-tcnative) version >= 1.1.33.Fork7 must be on classpath…
125 Artifacts are available on [Maven Central](http://repo1.maven.org/maven2/io/netty/netty-tcnative/) …
128 ---------------- | -----------
129 windows-x86_64 | Windows distribution
130 osx-x86_64 | Mac distribution
131 linux-x86_64 | Used for non-Fedora derivatives of Linux
132 linux-x86_64-fedora | Used for Fedora derivatives
134 …derivatives than other Linux releases. To work around this limitation, netty-tcnative deploys two …
136 ##### Getting netty-tcnative from Maven
138 In Maven, you can use the [os-maven-plugin](https://github.com/trustin/os-maven-plugin) to help sim…
145       <artifactId>netty-tcnative</artifactId>
153       <!-- Use os-maven-plugin to initialize the "os.detected" properties -->
156         <artifactId>os-maven-plugin</artifactId>
161       <!-- Use Ant to configure the appropriate "tcnative.classifier" property -->
162       <plugin>
164         <artifactId>maven-antrun-plugin</artifactId>
172                            value="${os.detected.classifier}-fedora"
183       </plugin>
189 ##### Getting netty-tcnative from Gradle
191 …use the [osdetector-gradle-plugin](https://github.com/google/osdetector-gradle-plugin), which is a…
199     classpath 'com.google.gradle:osdetector-gradle-plugin:1.4.0'
203 // Use the osdetector-gradle-plugin
204 apply plugin: "com.google.osdetector"
208 // (see http://netty.io/wiki/forked-tomcat-native.html).
210   tcnative_classifier += "-fedora";
214     compile 'io.netty:netty-tcnative:2.0.7.Final:' + tcnative_classifier
222 *For non-Android systems, the recommended approach is to use [OpenSSL](#tls-with-openssl). Using th…
224 *Jetty ALPN brings its own baggage in that the Java bootclasspath needs to be modified, which may n…
228 ---
232 …Java release has built-in support for ALPN today ([there is a tracking issue](https://bugs.openjdk…
235 java -Xbootclasspath/p:/path/to/jetty/alpn/extension.jar ...
238 …-ALPN jar](http://www.eclipse.org/jetty/documentation/current/alpn-chapter.html#alpn-versions) spe…
241 java -javaagent:/path/to/jetty-alpn-agent.jar ...
246 Java 7 does not support [the cipher suites recommended](https://tools.ietf.org/html/draft-ietf-http…
248 …) before Java 8u60. With Java 8u60 GCM is 10x faster (10-20 MB/s), but that is still slow compared…
252 …eclipse.org/jetty/documentation/current/jetty-classloading.html) restrict access to server classes…
255 <?xml version="1.0"  encoding="ISO-8859-1"?>
256 <!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jett…
257 <Configure class="org.eclipse.jetty.webapp.WebAppContext">
258     <!-- Must be done in jetty-env.xml, since jetty-web.xml is loaded too late.   -->
259     <!-- Removing ALPN from the blacklisted server classes (using "-" to remove). -->
260     <!-- Must prepend to the blacklist since order matters.                       -->
262         <Arg>-org.eclipse.jetty.alpn.</Arg>
269 specified in PEM format. The standard TLS port is 443, but we use 8443 below to
272 ```java
287 [Mutual authentication][] (or "client-side authentication") configuration is similar to the server …
289 ```java
297 …ttribute of <a href="https://github.com/grpc/grpc-java/blob/master/core/src/main/java/io/grpc/Grpc…
299 ```java
314 [Mutual authentication]: http://en.wikipedia.org/wiki/Transport_Layer_Security#Client-authenticated…
319  - ALPN related dependencies are either not present in the classpath
320  - or that there is a classpath conflict
321  - or that a wrong version is used due to dependency management
322 …- or you are on an unsupported platform (e.g., 32-bit OS, Alpine with `musl` libc). See [Transport…
325 If you aren't using gRPC on Android devices, you are most likely using `grpc-netty` transport.
327 …roid and have a dependency on `grpc-netty`, you should remove it as `grpc-netty` is unsupported on…
329 …-bit operating system, or not on a [Transport Security supported platform](#transport-security-tls…
332 `netty-tcnative-boringssl-static` won't work. There are several alternatives:
333  - Use [netty-tcnative-alpine](https://github.com/pires/netty-tcnative-alpine)
334  - Use a distribution with `glibc`
337 then some versions of `netty-tcnative-boringssl-static` will have conflicts and
341 `io.grpc:grpc-netty-shaded` instead of `io.grpc:grpc-netty`, although this also
342 limits your usage of the Netty-specific APIs. `io.grpc:grpc-netty-shaded`
343 includes the proper version of Netty and `netty-tcnative-boringssl-static` in a
347  - `io.grpc:grpc-netty`
348  - `io.netty:netty-handler` (really, make sure all of io.netty except for
349    netty-tcnative has the same version)
350  - `io.netty:netty-tcnative-boringssl-static:jar` 
352 If `netty-tcnative-boringssl-static` is missing, then you either need to add it as a dependency, or…
354 If you have both `netty-handler` and `netty-tcnative-boringssl-static` dependencies, then check the…
356 If you have other `netty` dependencies, such as `netty-all`, that are pulled in from other librarie…
359  - Remove `io.grpc:grpc-netty` dependency
360  - Add `io.grpc:grpc-netty-shaded` dependency
364 grpc-netty version | netty-handler version | netty-tcnative-boringssl-static version
365 ------------------ | --------------------- | ---------------------------------------
366 1.0.0-1.0.1        | 4.1.3.Final           | 1.1.33.Fork19
367 1.0.2-1.0.3        | 4.1.6.Final           | 1.1.33.Fork23
368 1.1.x-1.3.x        | 4.1.8.Final           | 1.1.33.Fork26
372 1.7.x-1.8.x        | 4.1.16.Final          | 2.0.6.Final
373 1.9.x-1.10.x       | 4.1.17.Final          | 2.0.7.Final
374 1.11.x-1.12.x      | 4.1.22.Final          | 2.0.7.Final
376 1.14.x-1.15.x      | 4.1.27.Final          | 2.0.12.Final
377 1.16.x-            | 4.1.30.Final          | 2.0.17.Final
379 _(grpc-netty-shaded avoids issues with keeping these versions in sync.)_
382 If you are using gRPC on Android devices, you are most likely using `grpc-okhttp` transport.
385  - `io.grpc:grpc-okhttp`
386  - `com.squareup.okhttp:okhttp`
388 If you don't have `grpc-okhttp`, you should add it as a dependency.
390 If you have both `io.grpc:grpc-netty` and `io.grpc:grpc-okhttp`, you may also have issues. Remove `…
402 …Google Cloud PubSub API using gRPC with a service account. The credentials are loaded from a key s…
404 ```java
410 // Down-scope the credential to just the scopes required by the service