Expose tlsNegotiationTimeout for netty client (#2806)

* Expose tlsNegotiationTimeout for netty client

* Fix javadocs

Author: zoewangg

.changes/next-release/feature-NettyNIOHTTPClient-9406031.json

@@ -0,0 +1,6 @@
+{
+    "category": "Netty NIO HTTP Client", 
+    "contributor": "", 
+    "type": "feature", 
+    "description": "Allow users to configure tlsNegotiationTimeout on NettyNioAsyncHttpClient"
+}

http-client-spi/src/main/java/software/amazon/awssdk/http/SdkHttpConfigurationOption.java

@@ -121,12 +121,20 @@ public final class SdkHttpConfigurationOption<T> extends AttributeMap.Key<T> {
     public static final SdkHttpConfigurationOption<TlsTrustManagersProvider> TLS_TRUST_MANAGERS_PROVIDER =
         new SdkHttpConfigurationOption<>("TlsTrustManagersProvider", TlsTrustManagersProvider.class);
 
+    /**
+     * The maximum amount of time that a TLS handshake is allowed to take from the time the CLIENT HELLO
+     * message is sent to the time the client and server have fully negotiated ciphers and exchanged keys.
+     */
+    public static final SdkHttpConfigurationOption<Duration> TLS_NEGOTIATION_TIMEOUT =
+        new SdkHttpConfigurationOption<>("TlsNegotiationTimeout", Duration.class);
+
     private static final Duration DEFAULT_SOCKET_READ_TIMEOUT = Duration.ofSeconds(30);
     private static final Duration DEFAULT_SOCKET_WRITE_TIMEOUT = Duration.ofSeconds(30);
     private static final Duration DEFAULT_CONNECTION_TIMEOUT = Duration.ofSeconds(2);
     private static final Duration DEFAULT_CONNECTION_ACQUIRE_TIMEOUT = Duration.ofSeconds(10);
     private static final Duration DEFAULT_CONNECTION_MAX_IDLE_TIMEOUT = Duration.ofSeconds(60);
     private static final Duration DEFAULT_CONNECTION_TIME_TO_LIVE = Duration.ZERO;
+    private static final Duration DEFAULT_TLS_HANDSHAKE_TIMEOUT = Duration.ofSeconds(10);
     private static final Boolean DEFAULT_REAP_IDLE_CONNECTIONS = Boolean.TRUE;
     private static final int DEFAULT_MAX_CONNECTIONS = 50;
     private static final int DEFAULT_MAX_CONNECTION_ACQUIRES = 10_000;
@@ -154,6 +162,7 @@ public final class SdkHttpConfigurationOption<T> extends AttributeMap.Key<T> {
             .put(TCP_KEEPALIVE, DEFAULT_TCP_KEEPALIVE)
             .put(TLS_KEY_MANAGERS_PROVIDER, DEFAULT_TLS_KEY_MANAGERS_PROVIDER)
             .put(TLS_TRUST_MANAGERS_PROVIDER, DEFAULT_TLS_TRUST_MANAGERS_PROVIDER)
+            .put(TLS_NEGOTIATION_TIMEOUT, DEFAULT_TLS_HANDSHAKE_TIMEOUT)
             .build();
 
     private final String name;

http-clients/netty-nio-client/src/main/java/software/amazon/awssdk/http/nio/netty/NettyNioAsyncHttpClient.java

@@ -306,6 +306,18 @@ public interface Builder extends SdkAsyncHttpClient.Builder<NettyNioAsyncHttpCli
          */
         Builder connectionMaxIdleTime(Duration maxIdleConnectionTimeout);
 
+        /**
+         * Configure the maximum amount of time that a TLS handshake is allowed to take from the time the CLIENT HELLO
+         * message is sent to the time the client and server have fully negotiated ciphers and exchanged keys.
+         * @param tlsNegotiationTimeout the timeout duration
+         *
+         * <p>
+         * By default, it's 10 seconds.
+         *
+         * @return this builder for method chaining.
+         */
+        Builder tlsNegotiationTimeout(Duration tlsNegotiationTimeout);
+
         /**
          * Configure whether the idle connections in the connection pool should be closed.
          * <p>
@@ -582,6 +594,17 @@ public void setUseIdleConnectionReaper(Boolean useIdleConnectionReaper) {
             useIdleConnectionReaper(useIdleConnectionReaper);
         }
 
+        @Override
+        public Builder tlsNegotiationTimeout(Duration tlsNegotiationTimeout) {
+            Validate.isPositive(tlsNegotiationTimeout, "tlsNegotiationTimeout");
+            standardOptions.put(SdkHttpConfigurationOption.TLS_NEGOTIATION_TIMEOUT, tlsNegotiationTimeout);
+            return this;
+        }
+
+        public void setTlsNegotiationTimeout(Duration tlsNegotiationTimeout) {
+            tlsNegotiationTimeout(tlsNegotiationTimeout);
+        }
+
         @Override
         public Builder eventLoopGroup(SdkEventLoopGroup eventLoopGroup) {
             this.eventLoopGroup = eventLoopGroup;

http-clients/netty-nio-client/src/main/java/software/amazon/awssdk/http/nio/netty/internal/AwaitCloseChannelPoolMap.java

@@ -138,7 +138,7 @@ protected SimpleChannelPoolAwareChannelPool newPool(URI key) {
             tcpChannelPool = new BetterSimpleChannelPool(bootstrap, NOOP_HANDLER);
             baseChannelPool = new Http1TunnelConnectionPool(bootstrap.config().group().next(), tcpChannelPool, sslContext,
                                             proxyAddress(key), proxyConfiguration.username(), proxyConfiguration.password(),
-                                            key, pipelineInitializer);
+                                            key, pipelineInitializer, configuration);
         } else {
             tcpChannelPool = new BetterSimpleChannelPool(bootstrap, pipelineInitializer);
             baseChannelPool = tcpChannelPool;

http-clients/netty-nio-client/src/main/java/software/amazon/awssdk/http/nio/netty/internal/ChannelPipelineInitializer.java

@@ -92,7 +92,8 @@ public void channelCreated(Channel ch) {
         ChannelPipeline pipeline = ch.pipeline();
         if (sslCtx != null) {
 
-            SslHandler sslHandler = newSslHandler(sslCtx, ch.alloc(), poolKey.getHost(), poolKey.getPort());
+            SslHandler sslHandler = newSslHandler(sslCtx, ch.alloc(), poolKey.getHost(), poolKey.getPort(),
+                                                  configuration.tlsHandshakeTimeout());
 
             pipeline.addLast(sslHandler);
             pipeline.addLast(SslCloseCompletionEventHandler.getInstance());

http-clients/netty-nio-client/src/main/java/software/amazon/awssdk/http/nio/netty/internal/Http1TunnelConnectionPool.java

@@ -54,27 +54,30 @@ public class Http1TunnelConnectionPool implements ChannelPool {
     private final URI remoteAddress;
     private final ChannelPoolHandler handler;
     private final InitHandlerSupplier initHandlerSupplier;
+    private final NettyConfiguration nettyConfiguration;
 
     public Http1TunnelConnectionPool(EventLoop eventLoop, ChannelPool delegate, SslContext sslContext,
                                      URI proxyAddress, String proxyUsername, String proxyPassword,
-                                     URI remoteAddress, ChannelPoolHandler handler) {
+                                     URI remoteAddress, ChannelPoolHandler handler, NettyConfiguration nettyConfiguration) {
         this(eventLoop, delegate, sslContext,
-                proxyAddress, proxyUsername, proxyPassword, remoteAddress, handler,
-                ProxyTunnelInitHandler::new);
+             proxyAddress, proxyUsername, proxyPassword, remoteAddress, handler,
+             ProxyTunnelInitHandler::new, nettyConfiguration);
     }
 
     public Http1TunnelConnectionPool(EventLoop eventLoop, ChannelPool delegate, SslContext sslContext,
-                                     URI proxyAddress, URI remoteAddress, ChannelPoolHandler handler) {
+                                     URI proxyAddress, URI remoteAddress, ChannelPoolHandler handler,
+                                     NettyConfiguration nettyConfiguration) {
         this(eventLoop, delegate, sslContext,
-                proxyAddress, null, null, remoteAddress, handler,
-                ProxyTunnelInitHandler::new);
+             proxyAddress, null, null, remoteAddress, handler,
+             ProxyTunnelInitHandler::new, nettyConfiguration);
 
     }
 
     @SdkTestInternalApi
     Http1TunnelConnectionPool(EventLoop eventLoop, ChannelPool delegate, SslContext sslContext,
                               URI proxyAddress, String proxyUser, String proxyPassword, URI remoteAddress,
-                              ChannelPoolHandler handler, InitHandlerSupplier initHandlerSupplier) {
+                              ChannelPoolHandler handler, InitHandlerSupplier initHandlerSupplier,
+                              NettyConfiguration nettyConfiguration) {
         this.eventLoop = eventLoop;
         this.delegate = delegate;
         this.sslContext = sslContext;
@@ -84,6 +87,7 @@ public Http1TunnelConnectionPool(EventLoop eventLoop, ChannelPool delegate, SslC
         this.remoteAddress = remoteAddress;
         this.handler = handler;
         this.initHandlerSupplier = initHandlerSupplier;
+        this.nettyConfiguration = nettyConfiguration;
     }
 
     @Override
@@ -164,7 +168,8 @@ private SslHandler createSslHandlerIfNeeded(ByteBufAllocator alloc) {
             return null;
         }
 
-        return newSslHandler(sslContext, alloc, proxyAddress.getHost(), proxyAddress.getPort());
+        return newSslHandler(sslContext, alloc, proxyAddress.getHost(), proxyAddress.getPort(),
+                             nettyConfiguration.tlsHandshakeTimeout());
     }
 
     private static boolean isTunnelEstablished(Channel ch) {

http-clients/netty-nio-client/src/main/java/software/amazon/awssdk/http/nio/netty/internal/NettyConfiguration.java

@@ -23,6 +23,7 @@
 import static software.amazon.awssdk.http.SdkHttpConfigurationOption.TRUST_ALL_CERTIFICATES;
 import static software.amazon.awssdk.utils.NumericUtils.saturatedCast;
 
+import java.time.Duration;
 import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.http.SdkHttpConfigurationOption;
 import software.amazon.awssdk.http.TlsKeyManagersProvider;
@@ -102,4 +103,8 @@ public boolean trustAllCertificates() {
     public boolean tcpKeepAlive() {
         return configuration.get(TCP_KEEPALIVE);
     }
+
+    public Duration tlsHandshakeTimeout() {
+        return configuration.get(SdkHttpConfigurationOption.TLS_NEGOTIATION_TIMEOUT);
+    }
 }

http-clients/netty-nio-client/src/main/java/software/amazon/awssdk/http/nio/netty/internal/utils/NettyUtils.java

@@ -25,7 +25,9 @@
 import io.netty.util.concurrent.GenericFutureListener;
 import io.netty.util.concurrent.Promise;
 import io.netty.util.concurrent.SucceededFuture;
+import java.time.Duration;
 import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.TimeUnit;
 import java.util.function.BiConsumer;
 import java.util.function.Function;
 import javax.net.ssl.SSLEngine;
@@ -196,10 +198,12 @@ public static <T> AttributeKey<T> getOrCreateAttributeKey(String attr) {
     /**
      * @return a new {@link SslHandler} with ssl engine configured
      */
-    public static SslHandler newSslHandler(SslContext sslContext, ByteBufAllocator alloc,  String peerHost, int peerPort) {
+    public static SslHandler newSslHandler(SslContext sslContext, ByteBufAllocator alloc,  String peerHost, int peerPort,
+                                           Duration handshakeTimeout) {
         // Need to provide host and port to enable SNI
         // https://github.com/netty/netty/issues/3801#issuecomment-104274440
         SslHandler sslHandler = sslContext.newHandler(alloc, peerHost, peerPort);
+        sslHandler.setHandshakeTimeout(handshakeTimeout.toMillis(), TimeUnit.MILLISECONDS);
         configureSslEngine(sslHandler.engine());
         return sslHandler;
     }

http-clients/netty-nio-client/src/test/java/software/amazon/awssdk/http/nio/netty/NettyNioAsyncHttpClientWireMockTest.java

@@ -681,6 +681,21 @@ public void createNettyClient_ReadWriteTimeoutCanBeZero() throws Exception {
         customClient.close();
     }
 
+    @Test
+    public void createNettyClient_tlsNegotiationTimeoutNotPositive_shouldThrowException() throws Exception {
+        assertThatThrownBy(() -> NettyNioAsyncHttpClient.builder()
+                                                        .tlsNegotiationTimeout(Duration.ZERO)
+                                                        .build())
+            .isInstanceOf(IllegalArgumentException.class)
+            .hasMessageContaining("must be positive");
+        assertThatThrownBy(() -> NettyNioAsyncHttpClient.builder()
+                                                        .tlsNegotiationTimeout(Duration.ofSeconds(-1))
+                                                        .build())
+            .isInstanceOf(IllegalArgumentException.class)
+            .hasMessageContaining("must be positive");
+    }
+
+
     @Test
     public void metricsAreCollectedWhenMaxPendingConnectionAcquisitionsAreExceeded() throws Exception {
         SdkAsyncHttpClient customClient = NettyNioAsyncHttpClient.builder()

http-clients/netty-nio-client/src/test/java/software/amazon/awssdk/http/nio/netty/internal/Http1TunnelConnectionPoolTest.java

@@ -25,6 +25,7 @@
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 import static software.amazon.awssdk.http.nio.netty.internal.Http1TunnelConnectionPool.TUNNEL_ESTABLISHED_KEY;
+
 import io.netty.buffer.ByteBufAllocator;
 import io.netty.channel.Channel;
 import io.netty.channel.ChannelHandler;
@@ -43,7 +44,6 @@
 import java.io.IOException;
 import java.net.URI;
 import java.util.List;
-import java.util.Map;
 import java.util.concurrent.CountDownLatch;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
@@ -55,7 +55,7 @@
 import org.mockito.ArgumentCaptor;
 import org.mockito.Mock;
 import org.mockito.runners.MockitoJUnitRunner;
-import org.testng.collections.Maps;
+import software.amazon.awssdk.http.SdkHttpConfigurationOption;
 
 /**
  * Unit tests for {@link Http1TunnelConnectionPool}.
@@ -95,6 +95,8 @@ public class Http1TunnelConnectionPoolTest {
     @Mock
     public ChannelId mockId;
 
+    public NettyConfiguration configuration;
+
     @Before
     public void methodSetup() {
         Future<Channel> channelFuture = GROUP.next().newSucceededFuture(mockChannel);
@@ -106,6 +108,7 @@ public void methodSetup() {
         when(mockChannel.attr(eq(TUNNEL_ESTABLISHED_KEY))).thenReturn(mockAttr);
         when(mockChannel.id()).thenReturn(mockId);
         when(mockChannel.pipeline()).thenReturn(mockPipeline);
+        configuration = new NettyConfiguration(SdkHttpConfigurationOption.GLOBAL_HTTP_DEFAULTS);
     }
 
     @AfterClass
@@ -116,7 +119,7 @@ public static void teardown() {
     @Test
     public void tunnelAlreadyEstablished_doesNotAddInitHandler() {
         Http1TunnelConnectionPool tunnelPool = new Http1TunnelConnectionPool(GROUP.next(), delegatePool, null,
-                HTTP_PROXY_ADDRESS, REMOTE_ADDRESS, mockHandler);
+                HTTP_PROXY_ADDRESS, REMOTE_ADDRESS, mockHandler, configuration);
 
         when(mockAttr.get()).thenReturn(true);
 
@@ -128,7 +131,7 @@ public void tunnelAlreadyEstablished_doesNotAddInitHandler() {
     @Test(timeout = 1000)
     public void tunnelNotEstablished_addsInitHandler() throws InterruptedException {
         Http1TunnelConnectionPool tunnelPool = new Http1TunnelConnectionPool(GROUP.next(), delegatePool, null,
-                HTTP_PROXY_ADDRESS, REMOTE_ADDRESS, mockHandler);
+                HTTP_PROXY_ADDRESS, REMOTE_ADDRESS, mockHandler, configuration);
 
         when(mockAttr.get()).thenReturn(false);
 
@@ -150,7 +153,7 @@ public void tunnelInitFails_acquireFutureFails() {
         };
 
         Http1TunnelConnectionPool tunnelPool = new Http1TunnelConnectionPool(GROUP.next(), delegatePool, null,
-                HTTP_PROXY_ADDRESS,null, null, REMOTE_ADDRESS, mockHandler, supplier);
+                HTTP_PROXY_ADDRESS,null, null, REMOTE_ADDRESS, mockHandler, supplier, configuration);
 
         Future<Channel> acquireFuture = tunnelPool.acquire();
 
@@ -165,7 +168,7 @@ public void tunnelInitSucceeds_acquireFutureSucceeds() {
         };
 
         Http1TunnelConnectionPool tunnelPool = new Http1TunnelConnectionPool(GROUP.next(), delegatePool, null,
-                HTTP_PROXY_ADDRESS, null, null, REMOTE_ADDRESS, mockHandler, supplier);
+                HTTP_PROXY_ADDRESS, null, null, REMOTE_ADDRESS, mockHandler, supplier, configuration);
 
         Future<Channel> acquireFuture = tunnelPool.acquire();
 
@@ -175,7 +178,7 @@ public void tunnelInitSucceeds_acquireFutureSucceeds() {
     @Test
     public void acquireFromDelegatePoolFails_failsFuture() {
         Http1TunnelConnectionPool tunnelPool = new Http1TunnelConnectionPool(GROUP.next(), delegatePool, null,
-                HTTP_PROXY_ADDRESS, REMOTE_ADDRESS, mockHandler);
+                HTTP_PROXY_ADDRESS, REMOTE_ADDRESS, mockHandler, configuration);
 
         when(delegatePool.acquire(any(Promise.class))).thenReturn(GROUP.next().newFailedFuture(new IOException("boom")));
 
@@ -198,7 +201,7 @@ public void sslContextProvided_andProxyUsingHttps_addsSslHandler() {
         };
 
         Http1TunnelConnectionPool tunnelPool = new Http1TunnelConnectionPool(GROUP.next(), delegatePool, mockSslCtx,
-                HTTPS_PROXY_ADDRESS, null, null, REMOTE_ADDRESS, mockHandler, supplier);
+                HTTPS_PROXY_ADDRESS, null, null, REMOTE_ADDRESS, mockHandler, supplier, configuration);
 
         tunnelPool.acquire().awaitUninterruptibly();
 
@@ -219,7 +222,7 @@ public void sslContextProvided_andProxyNotUsingHttps_doesNotAddSslHandler() {
         };
 
         Http1TunnelConnectionPool tunnelPool = new Http1TunnelConnectionPool(GROUP.next(), delegatePool, mockSslCtx,
-                HTTP_PROXY_ADDRESS, null, null, REMOTE_ADDRESS, mockHandler, supplier);
+                HTTP_PROXY_ADDRESS, null, null, REMOTE_ADDRESS, mockHandler, supplier, configuration);
 
         tunnelPool.acquire().awaitUninterruptibly();
 
@@ -232,15 +235,15 @@ public void sslContextProvided_andProxyNotUsingHttps_doesNotAddSslHandler() {
     @Test
     public void release_releasedToDelegatePool() {
         Http1TunnelConnectionPool tunnelPool = new Http1TunnelConnectionPool(GROUP.next(), delegatePool, null,
-                HTTP_PROXY_ADDRESS, REMOTE_ADDRESS, mockHandler);
+                HTTP_PROXY_ADDRESS, REMOTE_ADDRESS, mockHandler, configuration);
         tunnelPool.release(mockChannel);
         verify(delegatePool).release(eq(mockChannel), any(Promise.class));
     }
 
     @Test
     public void release_withGivenPromise_releasedToDelegatePool() {
         Http1TunnelConnectionPool tunnelPool = new Http1TunnelConnectionPool(GROUP.next(), delegatePool, null,
-                HTTP_PROXY_ADDRESS, REMOTE_ADDRESS, mockHandler);
+                HTTP_PROXY_ADDRESS, REMOTE_ADDRESS, mockHandler, configuration);
         Promise mockPromise = mock(Promise.class);
         tunnelPool.release(mockChannel, mockPromise);
         verify(delegatePool).release(eq(mockChannel), eq(mockPromise));
@@ -249,7 +252,7 @@ public void release_withGivenPromise_releasedToDelegatePool() {
     @Test
     public void close_closesDelegatePool() {
         Http1TunnelConnectionPool tunnelPool = new Http1TunnelConnectionPool(GROUP.next(), delegatePool, null,
-                HTTP_PROXY_ADDRESS, REMOTE_ADDRESS, mockHandler);
+                HTTP_PROXY_ADDRESS, REMOTE_ADDRESS, mockHandler, configuration);
         tunnelPool.close();
         verify(delegatePool).close();
     }
@@ -266,7 +269,7 @@ public void proxyAuthProvided_addInitHandler_withAuth(){
         };
 
         Http1TunnelConnectionPool tunnelPool = new Http1TunnelConnectionPool(GROUP.next(), delegatePool, null,
-                HTTP_PROXY_ADDRESS, PROXY_USER, PROXY_PASSWORD, REMOTE_ADDRESS, mockHandler, supplier);
+                HTTP_PROXY_ADDRESS, PROXY_USER, PROXY_PASSWORD, REMOTE_ADDRESS, mockHandler, supplier, configuration);
 
         tunnelPool.acquire().awaitUninterruptibly();
 

http-clients/netty-nio-client/src/test/java/software/amazon/awssdk/http/nio/netty/internal/utils/NettyUtilsTest.java

@@ -28,6 +28,7 @@
 import io.netty.handler.ssl.SslHandler;
 import io.netty.util.AttributeKey;
 import io.netty.util.concurrent.EventExecutor;
+import java.time.Duration;
 import javax.net.ssl.SSLEngine;
 import org.junit.Test;
 import software.amazon.awssdk.http.nio.netty.internal.MockChannel;
@@ -46,7 +47,10 @@ public void newSslHandler_sslEngineShouldBeConfigured() throws Exception {
         Channel channel = null;
         try {
             channel = new MockChannel();
-            SslHandler sslHandler = NettyUtils.newSslHandler(sslContext, channel.alloc(), "localhost", 80);
+            SslHandler sslHandler = NettyUtils.newSslHandler(sslContext, channel.alloc(), "localhost", 80,
+                                                             Duration.ofMillis(1000));
+
+            assertThat(sslHandler.getHandshakeTimeoutMillis()).isEqualTo(1000);
             SSLEngine engine = sslHandler.engine();
             assertThat(engine.getSSLParameters().getEndpointIdentificationAlgorithm()).isEqualTo("HTTPS");
         } finally {

http-clients/url-connection-client/src/main/java/software/amazon/awssdk/http/urlconnection/UrlConnectionHttpClient.java

@@ -152,7 +152,6 @@ private HttpURLConnection createDefaultConnection(URI uri, SSLSocketFactory sock
             if (options.get(SdkHttpConfigurationOption.TRUST_ALL_CERTIFICATES)) {
                 httpsConnection.setHostnameVerifier(NoOpHostNameVerifier.INSTANCE);
             }
-
             httpsConnection.setSSLSocketFactory(socketFactory);
         }