By default, Jetty uses the JSSE provider from the JVM for SSL, which has three significant problems:

  • It’s slow!
  • It doesn’t support ALPN in Java 8, which is needed for HTTP/2
  • It’s REALLY slow!

There are workarounds for both problems: using SSL offloading and/or using our boot path patched JSSE for ALPN. Neither approach is optimal, however, especially as the interest in having connections secure within the data center continues to rise.
We have previously looked at JNI native integration with a library like OpenSSL, but it was simply too much work to integrate and maintain. Having a well-maintained SSL integration is important as ciphers do change and exploits are found, so it is vital that updates are available as soon as the base library is updated.
Luckily, all that hard work is now done by others and we are able to stand on the shoulders of taller giants! Google maintains BoringSSL as a fork of the OpenSSL project that is used in their Chrome and Android products, thus it is an excellent well maintained library with good security and performance. Google have also built on the work of the Netty project to develop Conscrypt as the Java library that maps the native BoringSSL API to be a compliant JSSE SecurityProvider.
So how do you implement Conscrypt in Jetty? It is actually quite easy: instantiate an instance of Conscrypt’s OpenSslProvider; add it as a provider in the JVM’s Security class; set “Conscrypt” as the provider name on Jetty’s SslContextFactory.
Using the Jetty distribution? Since Jetty-9.4.7, these steps can all be done by enabling the “conscrypt” module:

java -jar $JETTY_HOME/start.jar --add-to-start=conscrypt

The integration with ALPN required a bit more work and some collaboration with the Conscrypt team. This will be included in the 9.4.8 release of Jetty as part of the conscrypt module enabled above.
So far, we’ve had reports of almost a 10 times increase in throughput with Conscrypt! It also provides ALPN support on both Java 8 and Java 9 without the need to amend the boot path.  Try it out!

Categories: Uncategorized


Gagandeep Singh · 24/05/2019 at 12:03

Can you provide a more complete example on github ? THat would really help.

vlad · 25/05/2019 at 18:07

Are there options, besides conscript that would still be fast, work with jetty on JDK11, and support TLS V1.3 (as well as TLS 1.2)
(problem with conscript is that the release/fix cycle/platform support is very Google centric)

    simon · 26/05/2019 at 09:46

    JDK 11 supports TLS 1.3 (as well as TLS 1.2), so you can use just OpenJDK to have TLS 1.3 support.

Comments are closed.