Skip to content

[#2132] Migrate SSL support away from ThreadLocal, support key alias and default to pkcs12#2133

Open
mattrpav wants to merge 5 commits into
apache:mainfrom
mattrpav:gh-2132-ssl-reload-alias
Open

[#2132] Migrate SSL support away from ThreadLocal, support key alias and default to pkcs12#2133
mattrpav wants to merge 5 commits into
apache:mainfrom
mattrpav:gh-2132-ssl-reload-alias

Conversation

@mattrpav

@mattrpav mattrpav commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

All wiring of transports now takes SslContext as a parameter, instead of 'magically' showing up as a ThreadLocal when needed.

This unlocks a lot of capabilities, including per-transportConnector SSLContext, per-networkConnector SSLContext and eventually auto-reloading of SSLContext.

  • DefaultSslContext (remove active usage of ThreadContextSslContext)
  • Default to stronger and now JDK-default keystore type: 'pkcs12'
  • Add support for keyAlias
  • Add per-connector sslContect
  • Add per-networkConnector sslContext
  • Add ComptibleSslContext to bridge Spring for a non-ThreadLocalSslContext
  • Retain a ThreadContextSslContext class in case someone extended some part of the broker or client (add'l transport connector, etc) and needs a way to transition
  • Unit test refactors

Merge plan: Squash all commits to one for v6.3.0 only (no backport)

@mattrpav mattrpav self-assigned this Jun 22, 2026
@mattrpav
mattrpav force-pushed the gh-2132-ssl-reload-alias branch 2 times, most recently from 83e22b7 to b458792 Compare June 22, 2026 13:12
@mattrpav mattrpav changed the title [#2132] Support SSL reload and using a key alias WIP: [#2132] Support SSL reload and using a key alias Jun 22, 2026
@jbonofre
jbonofre self-requested a review June 22, 2026 14:18
@mattrpav mattrpav changed the title WIP: [#2132] Support SSL reload and using a key alias WIP: [#2132] Migrate SSL support away from ThreadLocal, support key alias and prepare for reload support Jun 22, 2026
@mattrpav mattrpav changed the title WIP: [#2132] Migrate SSL support away from ThreadLocal, support key alias and prepare for reload support WIP: [#2132] Migrate SSL support away from ThreadLocal, support key alias and default to pkcs12 Jun 22, 2026
@mattrpav mattrpav changed the title WIP: [#2132] Migrate SSL support away from ThreadLocal, support key alias and default to pkcs12 [#2132] Migrate SSL support away from ThreadLocal, support key alias and default to pkcs12 Jun 22, 2026
@mattrpav
mattrpav force-pushed the gh-2132-ssl-reload-alias branch from 02cb65e to 20a8b36 Compare June 22, 2026 21:25
@cshannon

Copy link
Copy Markdown
Contributor

This is a pretty major refactor and needs to be reviewed carefully before merging. I assume this will not be backported and only be targeted for 6.3.0 due to the major changes.

@mattrpav - are there breaking API changes here? a quick look showed old methods delegating to the new ones so I don't think so but we don't want to break anyone who upgrades

@mattrpav

Copy link
Copy Markdown
Contributor Author

@cshannon correct, this is only for 6.3.0.

The original SslContext is renamed ThreadLocalSslContext and remains if anyone needs previous behavior exactly.

The ComaptibleSslContext provides same method signature as the ThreadLocalSslContexr for historical compatibility for wiring of arrays v lists, but removes the ThreadLocal usage.

The DefaultThreadLocalContext becomes the new default.

This change removes all ThreadLocalSslContext usage and updates transportConnectors and networkConnectors to support having independent SSLContexts as needed. They all fall back to the broker-wide one as before, if an independent sslcontext is not configured.

@mattrpav mattrpav moved this from Backlog to In progress in Apache ActiveMQ v6.3.0 Jul 12, 2026
mattrpav added 4 commits July 14, 2026 20:58
 - DefaultSslContext (remove active usage of ThreadContextSslContext)
 - Add per-connector sslContect
 - Add per-networkConnector sslContext
 - Add ComptibleSslContext to bridge Spring for a non-ThreadLocalSslContext
@mattrpav
mattrpav force-pushed the gh-2132-ssl-reload-alias branch from 20a8b36 to 8883f00 Compare July 15, 2026 01:58
@mattrpav mattrpav moved this from In progress to In review in Apache ActiveMQ v6.3.0 Jul 15, 2026
@mattrpav
mattrpav requested a review from cshannon July 15, 2026 17:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: In review

Development

Successfully merging this pull request may close these issues.

2 participants