benchmarks: Modernize TLS configuration

NIO does not mean to use Jetty ALPN; the only reason to use Jetty ALPN
is to test OkHttp. We don't need to disable ciphers to test Java 7
(except for OkHttp, which we don't care about on Java 7 and it wasn't
plumbed already) and we _really_ don't want people to copy the code to
do so. useTransportSecurity()/usePlaintext() are preferred over the
transport-specific NegotiationType.

benchmarks/build.gradle

@@ -72,7 +72,6 @@ task openloop_client(type: CreateStartScripts) {
 task qps_server(type: CreateStartScripts) {
     mainClassName = "io.grpc.benchmarks.qps.AsyncServer"
     applicationName = "qps_server"
-    defaultJvmOpts = ["-javaagent:" + configurations.alpnagent.asPath] + vmArgs
     outputDir = new File(project.buildDir, 'tmp')
     classpath = jar.outputs.files + project.configurations.runtime
 }

benchmarks/src/main/java/io/grpc/benchmarks/Utils.java

@@ -27,10 +27,8 @@ import io.grpc.benchmarks.proto.Messages;
 import io.grpc.benchmarks.proto.Messages.Payload;
 import io.grpc.benchmarks.proto.Messages.SimpleRequest;
 import io.grpc.benchmarks.proto.Messages.SimpleResponse;
-import io.grpc.internal.GrpcUtil;
 import io.grpc.internal.testing.TestUtils;
 import io.grpc.netty.GrpcSslContexts;
-import io.grpc.netty.NegotiationType;
 import io.grpc.netty.NettyChannelBuilder;
 import io.grpc.okhttp.OkHttpChannelBuilder;
 import io.grpc.okhttp.internal.Platform;
@@ -40,9 +38,6 @@ import io.netty.channel.epoll.EpollSocketChannel;
 import io.netty.channel.nio.NioEventLoopGroup;
 import io.netty.channel.socket.nio.NioSocketChannel;
 import io.netty.channel.unix.DomainSocketAddress;
-import io.netty.handler.ssl.SslContext;
-import io.netty.handler.ssl.SslContextBuilder;
-import io.netty.handler.ssl.SslProvider;
 import io.netty.util.concurrent.DefaultThreadFactory;
 import java.io.File;
 import java.io.FileOutputStream;
@@ -57,7 +52,6 @@ import java.util.concurrent.ForkJoinPool.ForkJoinWorkerThreadFactory;
 import java.util.concurrent.ForkJoinWorkerThread;
 import java.util.concurrent.atomic.AtomicInteger;
 import javax.annotation.Nullable;
-import javax.net.ssl.SSLSocketFactory;
 import org.HdrHistogram.Histogram;
 
 /**
@@ -117,59 +111,35 @@ public final class Utils {
     }
   }
 
-  private static OkHttpChannelBuilder newOkhttpClientChannel(
+  private static OkHttpChannelBuilder newOkHttpClientChannel(
-      SocketAddress address, boolean tls, boolean testca, @Nullable String authorityOverride) {
+      SocketAddress address, boolean tls, boolean testca) {
     InetSocketAddress addr = (InetSocketAddress) address;
     OkHttpChannelBuilder builder =
         OkHttpChannelBuilder.forAddress(addr.getHostName(), addr.getPort());
-    if (tls) {
+    if (!tls) {
-      builder.negotiationType(io.grpc.okhttp.NegotiationType.TLS);
+      builder.usePlaintext();
-      SSLSocketFactory factory;
+    } else if (testca) {
-      if (testca) {
+      try {
-        builder.overrideAuthority(
+        builder.sslSocketFactory(TestUtils.newSslSocketFactoryForCa(
-            GrpcUtil.authorityFromHostAndPort(authorityOverride, addr.getPort()));
+            Platform.get().getProvider(),
-        try {
+            TestUtils.loadCert("ca.pem")));
-          factory = TestUtils.newSslSocketFactoryForCa(
+      } catch (Exception e) {
-              Platform.get().getProvider(),
+        throw new RuntimeException(e);
-              TestUtils.loadCert("ca.pem"));
-        } catch (Exception e) {
-          throw new RuntimeException(e);
-        }
-      } else {
-        factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
       }
-      builder.sslSocketFactory(factory);
-    } else {
-      builder.negotiationType(io.grpc.okhttp.NegotiationType.PLAINTEXT);
     }
     return builder;
   }
 
   private static NettyChannelBuilder newNettyClientChannel(Transport transport,
-      SocketAddress address, boolean tls, boolean testca, int flowControlWindow,
+      SocketAddress address, boolean tls, boolean testca, int flowControlWindow)
-      boolean useDefaultCiphers) throws IOException {
+      throws IOException {
     NettyChannelBuilder builder =
         NettyChannelBuilder.forAddress(address).flowControlWindow(flowControlWindow);
-    if (tls) {
+    if (!tls) {
-      builder.negotiationType(NegotiationType.TLS);
+      builder.usePlaintext();
-      SslContext sslContext = null;
+    } else if (testca) {
-      if (testca) {
+      File cert = TestUtils.loadCert("ca.pem");
-        File cert = TestUtils.loadCert("ca.pem");
+      builder.sslContext(GrpcSslContexts.forClient().trustManager(cert).build());
-        SslContextBuilder sslContextBuilder = GrpcSslContexts.forClient().trustManager(cert);
-        if (transport == Transport.NETTY_NIO) {
-          sslContextBuilder = GrpcSslContexts.configure(sslContextBuilder, SslProvider.JDK);
-        } else {
-          // Native transport with OpenSSL
-          sslContextBuilder = GrpcSslContexts.configure(sslContextBuilder, SslProvider.OPENSSL);
-        }
-        if (useDefaultCiphers) {
-          sslContextBuilder.ciphers(null);
-        }
-        sslContext = sslContextBuilder.build();
-      }
-      builder.sslContext(sslContext);
-    } else {
-      builder.negotiationType(NegotiationType.PLAINTEXT);
     }
 
     DefaultThreadFactory tf = new DefaultThreadFactory("client-elg-", true /*daemon */);
@@ -225,15 +195,14 @@ public final class Utils {
    * Create a {@link ManagedChannel} for the given parameters.
    */
   public static ManagedChannel newClientChannel(Transport transport, SocketAddress address,
-        boolean tls, boolean testca, @Nullable String authorityOverride, boolean useDefaultCiphers,
+        boolean tls, boolean testca, @Nullable String authorityOverride,
         int flowControlWindow, boolean directExecutor) {
     ManagedChannelBuilder<?> builder;
     if (transport == Transport.OK_HTTP) {
-      builder = newOkhttpClientChannel(address, tls, testca, authorityOverride);
+      builder = newOkHttpClientChannel(address, tls, testca);
     } else {
       try {
-        builder = newNettyClientChannel(
+        builder = newNettyClientChannel(transport, address, tls, testca, flowControlWindow);
-            transport, address, tls, testca, flowControlWindow, useDefaultCiphers);
       } catch (Exception e) {
         throw new RuntimeException(e);
       }

benchmarks/src/main/java/io/grpc/benchmarks/driver/LoadClient.java

@@ -88,7 +88,6 @@ class LoadClient {
               config.hasSecurityParams()
                   ? config.getSecurityParams().getServerHostOverride()
                   : null,
-              true,
               Utils.DEFAULT_FLOW_CONTROL_WINDOW,
               false);
     }

benchmarks/src/main/java/io/grpc/benchmarks/qps/AsyncClient.java

@@ -32,7 +32,6 @@ import static io.grpc.benchmarks.qps.ClientConfiguration.ClientParam.STREAMING_R
 import static io.grpc.benchmarks.qps.ClientConfiguration.ClientParam.TESTCA;
 import static io.grpc.benchmarks.qps.ClientConfiguration.ClientParam.TLS;
 import static io.grpc.benchmarks.qps.ClientConfiguration.ClientParam.TRANSPORT;
-import static io.grpc.benchmarks.qps.ClientConfiguration.ClientParam.USE_DEFAULT_CIPHERS;
 import static io.grpc.benchmarks.qps.ClientConfiguration.ClientParam.WARMUP_DURATION;
 
 import com.google.common.base.Preconditions;
@@ -308,7 +307,7 @@ public class AsyncClient {
   public static void main(String... args) throws Exception {
     ClientConfiguration.Builder configBuilder = ClientConfiguration.newBuilder(
         ADDRESS, CHANNELS, OUTSTANDING_RPCS, CLIENT_PAYLOAD, SERVER_PAYLOAD,
-        TLS, TESTCA, USE_DEFAULT_CIPHERS, TRANSPORT, DURATION, WARMUP_DURATION, DIRECTEXECUTOR,
+        TLS, TESTCA, TRANSPORT, DURATION, WARMUP_DURATION, DIRECTEXECUTOR,
         SAVE_HISTOGRAM, STREAMING_RPCS, FLOW_CONTROL_WINDOW);
     ClientConfiguration config;
     try {

benchmarks/src/main/java/io/grpc/benchmarks/qps/AsyncServer.java

@@ -24,7 +24,6 @@ import io.grpc.benchmarks.Utils;
 import io.grpc.benchmarks.proto.BenchmarkServiceGrpc;
 import io.grpc.benchmarks.proto.Messages;
 import io.grpc.internal.testing.TestUtils;
-import io.grpc.netty.GrpcSslContexts;
 import io.grpc.netty.NettyServerBuilder;
 import io.grpc.stub.ServerCallStreamObserver;
 import io.grpc.stub.StreamObserver;
@@ -33,9 +32,6 @@ import io.netty.channel.EventLoopGroup;
 import io.netty.channel.ServerChannel;
 import io.netty.channel.nio.NioEventLoopGroup;
 import io.netty.channel.socket.nio.NioServerSocketChannel;
-import io.netty.handler.ssl.SslContext;
-import io.netty.handler.ssl.SslContextBuilder;
-import io.netty.handler.ssl.SslProvider;
 import io.netty.util.concurrent.DefaultThreadFactory;
 import java.io.File;
 import java.io.IOException;
@@ -94,26 +90,6 @@ public class AsyncServer {
 
   @SuppressWarnings("LiteralClassName") // Epoll is not available on windows
   static Server newServer(ServerConfiguration config) throws IOException {
-    SslContext sslContext = null;
-    if (config.tls) {
-      System.out.println("Using fake CA for TLS certificate.\n"
-          + "Run the Java client with --tls --testca");
-
-      File cert = TestUtils.loadCert("server1.pem");
-      File key = TestUtils.loadCert("server1.key");
-      SslContextBuilder sslContextBuilder = GrpcSslContexts.forServer(cert, key);
-      if (config.transport == ServerConfiguration.Transport.NETTY_NIO) {
-        sslContextBuilder = GrpcSslContexts.configure(sslContextBuilder, SslProvider.JDK);
-      } else {
-        // Native transport with OpenSSL
-        sslContextBuilder = GrpcSslContexts.configure(sslContextBuilder, SslProvider.OPENSSL);
-      }
-      if (config.useDefaultCiphers) {
-        sslContextBuilder.ciphers(null);
-      }
-      sslContext = sslContextBuilder.build();
-    }
-
     final EventLoopGroup boss;
     final EventLoopGroup worker;
     final Class<? extends ServerChannel> channelType;
@@ -183,8 +159,15 @@ public class AsyncServer {
         .workerEventLoopGroup(worker)
         .channelType(channelType)
         .addService(new BenchmarkServiceImpl())
-        .sslContext(sslContext)
         .flowControlWindow(config.flowControlWindow);
+    if (config.tls) {
+      System.out.println("Using fake CA for TLS certificate.\n"
+          + "Run the Java client with --tls --testca");
+
+      File cert = TestUtils.loadCert("server1.pem");
+      File key = TestUtils.loadCert("server1.key");
+      builder.useTransportSecurity(cert, key);
+    }
     if (config.directExecutor) {
       builder.directExecutor();
     } else {

benchmarks/src/main/java/io/grpc/benchmarks/qps/ClientConfiguration.java

@@ -67,7 +67,7 @@ public class ClientConfiguration implements Configuration {
 
   public ManagedChannel newChannel() throws IOException {
     return Utils.newClientChannel(transport, address, tls, testca, authorityOverride,
-        useDefaultCiphers, flowControlWindow, directExecutor);
+        flowControlWindow, directExecutor);
   }
 
   public Messages.SimpleRequest newRequest() {
@@ -176,13 +176,6 @@ public class ClientConfiguration implements Configuration {
         config.testca = parseBoolean(value);
       }
     },
-    USE_DEFAULT_CIPHERS("", "Use the default JDK ciphers for TLS (Used to support Java 7).",
-            "" + DEFAULT.useDefaultCiphers) {
-      @Override
-      protected void setClientValue(ClientConfiguration config, String value) {
-        config.useDefaultCiphers = parseBoolean(value);
-      }
-    },
     TRANSPORT("STR", Transport.getDescriptionString(), DEFAULT.transport.name().toLowerCase()) {
       @Override
       protected void setClientValue(ClientConfiguration config, String value) {

benchmarks/src/main/java/io/grpc/benchmarks/qps/OpenLoopClient.java

@@ -30,7 +30,6 @@ import static io.grpc.benchmarks.qps.ClientConfiguration.ClientParam.TARGET_QPS;
 import static io.grpc.benchmarks.qps.ClientConfiguration.ClientParam.TESTCA;
 import static io.grpc.benchmarks.qps.ClientConfiguration.ClientParam.TLS;
 import static io.grpc.benchmarks.qps.ClientConfiguration.ClientParam.TRANSPORT;
-import static io.grpc.benchmarks.qps.ClientConfiguration.ClientParam.USE_DEFAULT_CIPHERS;
 
 import io.grpc.Channel;
 import io.grpc.ManagedChannel;
@@ -66,7 +65,7 @@ public class OpenLoopClient {
   public static void main(String... args) throws Exception {
     ClientConfiguration.Builder configBuilder = ClientConfiguration.newBuilder(
         ADDRESS, TARGET_QPS, CLIENT_PAYLOAD, SERVER_PAYLOAD, TLS,
-        TESTCA, USE_DEFAULT_CIPHERS, TRANSPORT, DURATION, SAVE_HISTOGRAM, FLOW_CONTROL_WINDOW);
+        TESTCA, TRANSPORT, DURATION, SAVE_HISTOGRAM, FLOW_CONTROL_WINDOW);
     ClientConfiguration config;
     try {
       config = configBuilder.build(args);

benchmarks/src/main/java/io/grpc/benchmarks/qps/ServerConfiguration.java

@@ -38,7 +38,6 @@ class ServerConfiguration implements Configuration {
 
   Transport transport = Transport.NETTY_NIO;
   boolean tls;
-  boolean useDefaultCiphers;
   boolean directExecutor;
   SocketAddress address;
   int flowControlWindow = NettyChannelBuilder.DEFAULT_FLOW_CONTROL_WINDOW;
@@ -159,13 +158,6 @@ class ServerConfiguration implements Configuration {
         config.tls = parseBoolean(value);
       }
     },
-    USE_DEFAULT_CIPHERS("", "Use the default JDK ciphers for TLS (Used to support Java 7).",
-            "false") {
-      @Override
-      protected void setServerValue(ServerConfiguration config, String value) {
-        config.useDefaultCiphers = parseBoolean(value);
-      }
-    },
     TRANSPORT("STR", Transport.getDescriptionString(), DEFAULT.transport.name().toLowerCase()) {
       @Override
       protected void setServerValue(ServerConfiguration config, String value) {