feat: support TLS server #565
Conversation
|
还有些代码优化还没做, 有空看看实现思路和代码可不可行 |
There are still some code optimizations that haven't been done yet. I'll see if the implementation ideas and codes are feasible when I have time. |
|
gnet_test添加了tls的单元测试 |
gnet_test adds unit testing for tls |
|
PING |
|
There seems to be a lot of CI failures, please fix that. |
由于tls包是引用了golang1.22的tls包进行修改,他的代码风格不符合CI的代码风格验证,能把这个包的代码风格验证跳过吗,我在gnet_test加入了gnet tls的server用例,用gnet 启动TLS server,client用的golang的TLS client,能够跑过测试完成包的收发握手和编解码 |
|
Thanks for the efforts, I'll find some time next week to look into this PR. |
… for TLS as it is no longer applicable since switching to non-blocking
|
Sorry for the delay, I'm still trying to spare some time for this, but got no luck, I expect to come back in a few days. Keep up the good work! |
OK |
|
This PR is quite large and contains a lot of code. I could use your help. My idea is to minimize changes to the original code structure and wrap the original connection implementation to provide TLS functionality within TLS support. |
|
@leslie-fei can i ask some questions about this tls? can you put up an issue here? would like to use it now and help with testing |
|
@kolinfluence Sure, I'm glad to have you help test the TLS-related module functions. I have enabled the issue tracker for you. |
|
@leslie-fei asked. would really like to test it on my end. been waiting for tls for gnet for 4 years. pls check the question on the issue tracker. thx for the work not sure if u have seen this repo even the http2 is working but i cant seem to get so-reuseport to work. no idea why even when i set it to true. can you see if there's anything useful from there too? thx |
…prevent conflicts during code merges.
# Conflicts: # gnet.go # options.go
|
@panjf2000 有时间的话可以看看 leslie-fei#1 用tls功能实现了一个简单的HTTPs, 并且WRK测试过, 也跑过gnet_test用例 |
@panjf2000 If you have time, you can take a look at leslie-fei#1 A simple HTTPs is implemented using the tls function, and has been tested by WRK |
|
there are some issue with wrk if you try a few times with GOMAXPROCS=1. it's not tested complete. there are issues. pls dont pull yet. |
|
Thanks all for the efforts here! I've been examining this TLS support lately, and I wonder if we can implement this feature outside the core |
|
@panjf2000 sounds like a "good" idea for the moment but eventually hope it can be part of gnet. or gnet's own version of tls for use with gnet like ktls etc. how about supporting ktls then? :D i'm ok with it actually. and for the moment i think you are right. until u think it's ready then maybe can merge but still, u have a very good point for now. however i dont think adding ktls will be a very huge overhead / more work than porting std crypto tls to this one. maybe someone can look into ktls then. there's a half done https://github.com/0-haha/gnet-tls-go1-20 here. not sure why it's not continued further. p.s. : after serious consideration, you point is very valid and i totally agree with your suggestion. however, if you think tls codebase is too large. i do hope you can at least look at ktls and see if it's possible to integrate this. it shld run faster with ktls though with 2 alloc / op that's all. |
I want to make more time for the TLS support of |
@panjf2000 My modifications will not affect the original gnet code. I have not made any changes to gnet's external interfaces or internal code. Simply adding WithTLSConfig during Run enables TLS send and receive. In case of issues, it will only affect the TLS part and not impact existing users. I think it's also possible to put TLS support in gnet-io |
|
@panjf2000 i've tested the code program, pls look into the code and review. it's working fine. u shld be able to pull into gnet as part of it without needing to make it separate (at your pleasure) but do check out the code, i'm so amazed at the performance i think it's hard to believe. but it does match the overall expectation. performance of non tls version is 165k req/s on my AMD Ryzen 5 7640HS w/ Radeon 760M Graphic, (both results on a single core with GOMAXPROCS=1) very good. thx @leslie-fei update : verified to work. @panjf2000 pls mention when an eta can be expected for this to be pulled into main repo. thx |
| @@ -127,6 +128,9 @@ type Options struct { | |||
| // Don't enable it unless you are 100% sure what you are doing. | |||
| // Note that this option is only available for stream-oriented protocol. | |||
| EdgeTriggeredIO bool | |||
|
|
|||
| // TLSConfig support TLS | |||
| TLSConfig *tls.Config | |||
There was a problem hiding this comment.
Make this an interface instead of a pointer of a specific struct, that way we can implement TLS outside the gnet and pass the interface to the gnet. Decoupling the TLS from gnet also enables the users to use other TLS implementations that implement the interface of gnet TLS.
There was a problem hiding this comment.
Make this an interface instead of a pointer of a specific struct, that way we can implement TLS outside the
gnetand pass the interface to thegnet. Decoupling the TLS fromgnetalso enables the users to use other TLS implementations that implement the interface ofgnetTLS.
Looking forward to this merge. This pr is great ! @leslie-fei ,Could you please modify this according to @panjf2000 's requirements?
As I said before, copying the whole Go std TLS into |
|
@panjf2000 can u pull into gnet-io as u mentioned then? hope to use it as endorsed "officially" by you. so how long more u need to assess the repo? i understand the importance of doing due diligence. no rush for quality. when can you get this done? pull into gnet-io |
I've created a new repository: tls where I expect to put the TLS implementation for |
@panjf2000 gnet-io/tls#1 I have merged my relevant code into this TLS library, I hope you have the opportunity to review it. |
|
@panjf2000 possible to look at this? it's been many months. |
|
@leslie-fei 还能支持吗 |
@leslie-fei Can you still support me? |
功能
gnet添加TLS Server支持, TLS库从golang官方库修改非阻塞版本, 改动golang tls源码部分并不算太多, tls库主要改动握手部分代码和编解码tls包
魔改TLS库部分
原来tls库等待client ack包是阻塞等待, 这里支持非阻塞需要拆分握手步骤
tls读取包之前需要先预读是否是一个完成的tls包, 如果不足就抛出ErrNotEnough, 等待下次包够了再去处理, 要么读完整包, 要么不读, 这样可以保证后面去conn中读取不会有半包情况
添加tlsConn实现gnet.Conn接口和tlsEventHandler
实现gnet的tls server 主要通过将原始gnet.Conn和EventHandler进行代理包装成tlsConn和tlsEventHandler, Engine Options添加WithTLSConfig
用户代码块
用户只要Run的时候WithTLSConfig 就可以实现TLS Server
