Lift ssl-context coercion to connection-pool fn

As suggested by @DerGuteMoritz in #728. This fixes the issue and makes
the test added in the previous commit pass.

To avoid a repeated coercion *also* in `http-connection` fn (which is an
internal fn called only from `connection-pool` fn indirectly), the coercion
is being removed from it. As a result, we have to rely solely on
`connection-pool` fn for the coercion, where we don't know whether SSL
context will be required or not. This includes a situation when a user hasn't
supplied any `ssl-context` options, and we are still building an
`SslContext`, not knowing whether actual requests will require it or not.
This might look like a bit of potentially unnecessary work, but this
hopefully won't affect anyone performance-wise, as it would be unusual to run
`connection-pool` fn in a tight loop. On the positive side, all users will
profit from the elimination of repeated `SslContext` building, whether they
supply `ssl-context` options or not. Above all, having consistent code paths
in both situations is nice.

Notes:
- `http-connection` fn has now always some `ssl-context` available regardless
  of `ssl?` flag, but the only place where it matters
  (`client/make-pipeline-builder`) already checks `ssl?` flag before making
  use of `ssl-context`, so this makes no difference.
- All rich comments exercising `http-connection` fn with `ssl?` flag were
  updated, as now the caller has to supply `ssl-context` in that case.

Author: PawelStroinski

src/aleph/http.clj

@@ -231,7 +231,10 @@
     (when (and force-h2c? (not-any? #{:http2} http-versions))
       (throw (IllegalArgumentException. "force-h2c? may only be true when HTTP/2 is enabled."))))
 
-  (let [log-activity (:log-activity connection-options)
+  (let [{:keys [log-activity
+                http-versions
+                insecure?]
+         :or   {http-versions [:http1]}} connection-options
         dns-options' (if-not (and (some? dns-options)
                                   (not (or (contains? dns-options :transport)
                                            (contains? dns-options :epoll?))))
@@ -244,7 +247,10 @@
                               (assoc :name-resolver (netty/dns-resolver-group dns-options'))
 
                               (some? log-activity)
-                              (assoc :log-activity (netty/activity-logger "aleph-client" log-activity)))
+                              (assoc :log-activity (netty/activity-logger "aleph-client" log-activity))
+
+                              true
+                              (update :ssl-context #(client/ssl-context % http-versions insecure?)))
         p (promise)
         create-pool-fn (or pool-builder-fn
                            flow/instrumented-pool)

src/aleph/http/client.clj

@@ -689,22 +689,6 @@
 
         resp))))
 
-(defn- client-ssl-context
-  "Returns a client SslContext, or nil if none is requested.
-   Validates the ALPN setup."
-  ^SslContext
-  [ssl? ssl-context http-versions insecure?]
-  (if ssl?
-    (if ssl-context
-      (-> ssl-context
-          (common/ensure-consistent-alpn-config http-versions)
-          (netty/coerce-ssl-client-context))
-      (let [ssl-ctx-opts {:application-protocol-config (netty/application-protocol-config http-versions)}]
-        (if insecure?
-          (netty/insecure-ssl-client-context ssl-ctx-opts)
-          (netty/ssl-client-context ssl-ctx-opts))))
-    nil))
-
 (defn- setup-http1-client
   [{:keys [on-closed response-executor]
     :as   opts}]
@@ -761,16 +745,13 @@
            bootstrap-transform
            name-resolver
            keep-alive?
-           insecure?
-           ssl-context
            ssl-endpoint-id-alg
            response-buffer-size
            epoll?
            transport
            proxy-options
            pipeline-transform
            log-activity
-           http-versions
            force-h2c?
            on-closed
            connect-timeout]
@@ -784,7 +765,6 @@
            epoll?               false
            name-resolver        :default
            log-activity         :debug
-           http-versions        [:http1]
            force-h2c?           false}
     :as   opts}]
 
@@ -798,8 +778,6 @@
                                                 (get proxy-options :keep-alive? true))))
         authority (str host (when explicit-port? (str ":" port)))
 
-        ssl-context (client-ssl-context ssl? ssl-context http-versions insecure?)
-
         logger (cond
                  (instance? LoggingHandler log-activity) log-activity
                  (some? log-activity) (netty/activity-logger "aleph-client" log-activity)
@@ -810,7 +788,6 @@
                           (assoc opts
                                  :proxy-connected proxy-connected
                                  :ssl? ssl?
-                                 :ssl-context ssl-context
                                  :ssl-endpoint-id-alg ssl-endpoint-id-alg
                                  :remote-address remote-address
                                  :raw-stream? raw-stream?
@@ -868,7 +845,6 @@
                                            :raw-stream? raw-stream?
                                            :remote-address remote-address
                                            :response-buffer-size response-buffer-size
-                                           :ssl-context ssl-context
                                            :ssl? ssl?)]
 
                      (log/debug (str "Using HTTP protocol: " protocol)
@@ -935,6 +911,19 @@
                                                :response-buffer-size response-buffer-size
                                                :t0                   t0})))))))))))))))
 
+(defn ssl-context
+  "Coerces a client SSL context, including enforcement of its ALPN setup."
+  (^SslContext [http-versions] (ssl-context nil http-versions false))
+  (^SslContext [ssl-ctx http-versions insecure?]
+   (if ssl-ctx
+     (-> ssl-ctx
+         (common/ensure-consistent-alpn-config http-versions)
+         (netty/coerce-ssl-client-context))
+     (let [ssl-ctx-opts {:application-protocol-config (netty/application-protocol-config http-versions)}]
+       (if insecure?
+         (netty/insecure-ssl-client-context ssl-ctx-opts)
+         (netty/ssl-client-context ssl-ctx-opts))))))
+
 
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -970,7 +959,7 @@
                  (InetSocketAddress/createUnresolved "www.google.com" (int 443))
                  true
                  {:on-closed #(println "http conn closed")
-                  :http-versions  [:http1]}))
+                  :ssl-context (ssl-context [:http1])}))
 
     (conn {:request-method :get}))
   )

src/aleph/http/http2.clj

@@ -1426,7 +1426,7 @@
                  (InetSocketAddress. "postman-echo.com" (int 443))
                  true
                  {:on-closed #(log/debug "http conn closed")
-                  :http-versions [:http2]}))
+                  :ssl-context (aleph.http.client/ssl-context [:http2])}))
 
     (def result @(conn {:request-method :get
                         ;;:raw-stream?    true
@@ -1438,7 +1438,7 @@
                  (InetSocketAddress. "postman-echo.com" (int 443))
                  true
                  {:on-closed #(log/debug "http conn closed")
-                  :http-versions [:http2]}))
+                  :ssl-context (aleph.http.client/ssl-context [:http2])}))
 
     (let [body-string "Body test"
           fpath (Files/createTempFile "test" ".txt" (into-array FileAttribute []))
@@ -1482,7 +1482,7 @@
                  (InetSocketAddress. "postman-echo.com" (int 443))
                  true
                  {:on-closed #(log/debug "http conn closed")
-                  :http-versions  [:http2]}))
+                  :ssl-context (aleph.http.client/ssl-context [:http2])}))
 
     (def result
       @(conn {:request-method :post
@@ -1504,7 +1504,7 @@
                  (InetSocketAddress. "postman-echo.com" (int 443))
                  true
                  {:on-closed #(log/debug "http conn closed")
-                  :http-versions [:http2]}))
+                  :ssl-context (aleph.http.client/ssl-context [:http2])}))
 
     (let [req {:request-method :post
                :uri            "/post"
@@ -1521,7 +1521,7 @@
                  (InetSocketAddress. "postman-echo.com" (int 443))
                  true
                  {:on-closed #(log/debug "http conn closed")
-                  :http-versions [:http1]}))
+                  :ssl-context (aleph.http.client/ssl-context [:http1])}))
 
     (def result @(conn {:request-method :get
                         :uri           "/gzip" #_ "/deflate"

src/aleph/http/server.clj

@@ -885,7 +885,7 @@
                    (InetSocketAddress. "127.0.0.1" (int port))
                    true
                    {:on-closed     #(log/debug "http conn closed")
-                    :http-versions [:http2]}))
+                    :ssl-context   (aleph.http.client/ssl-context [:http2])}))
 
       (def result @(d/timeout! (conn {:request-method :get})
                                2000
@@ -906,8 +906,7 @@
                  (InetSocketAddress. "aleph.localhost" (int port))
                  true
                  {:on-closed     #(log/debug "http conn closed")
-                  :http-versions [:http2]
-                  :insecure? true}))
+                  :ssl-context   (aleph.http.client/ssl-context nil [:http2] true)}))
 
     (def result @(d/timeout! (conn {:request-method :get})
                              2000