Address Netty 4.2 migration guide items: TLS endpoint validation and NioEventLoopGroup deprecation

Co-authored-by: akrherz <210858+akrherz@users.noreply.github.com>

Author: 2 people

xmppserver/src/main/java/org/jivesoftware/openfire/nio/NettySessionInitializer.java

@@ -18,7 +18,8 @@
 
 import io.netty.bootstrap.Bootstrap;
 import io.netty.channel.*;
-import io.netty.channel.nio.NioEventLoopGroup;
+import io.netty.channel.MultiThreadIoEventLoopGroup;
+import io.netty.channel.nio.NioIoHandler;
 import io.netty.channel.socket.SocketChannel;
 import io.netty.channel.socket.nio.NioSocketChannel;
 import io.netty.handler.codec.string.StringEncoder;
@@ -132,7 +133,7 @@ public static void initializeSharedResources()
             }
             Log.debug("Initialising shared Netty resources for outbound S2S.");
             final ThreadFactory ioFactory = new NamedThreadFactory("socket_s2s_outbound-worker-", null, false, Thread.NORM_PRIORITY);
-            ioWorkerGroup = new NioEventLoopGroup(ioFactory);
+            ioWorkerGroup = new MultiThreadIoEventLoopGroup(ioFactory, NioIoHandler.newFactory());
 
             final int handlerThreads = Math.max(1, Runtime.getRuntime().availableProcessors()) * 2;
             final ThreadFactory handlerFactory = new NamedThreadFactory("socket_s2s_outbound-handler-", null, false, Thread.NORM_PRIORITY);
@@ -310,7 +311,7 @@ public boolean exceptionOccurredForDirectTLS(Throwable cause) {
 
             this.channel = b.connect(socketAddress).sync().channel();
 
-            // Make sure we free up resources (worker group NioEventLoopGroup) when the channel is closed
+            // Make sure we free up resources (worker group MultiThreadIoEventLoopGroup) when the channel is closed
             this.channel.closeFuture().addListener(future -> stop());
 
             // When using directTLS a Netty SSLHandler is added to the pipeline from instantiation. This initiates the TLS handshake, and as such we do not need to send an opening stream element.

xmppserver/src/main/java/org/jivesoftware/openfire/spi/EncryptionArtifactFactory.java

@@ -417,13 +417,18 @@ public SslContext createClientModeSslContext() throws SSLException, Unrecoverabl
         // createClientModeSslContext is only used when the Openfire server is acting as a client when
         // making outbound S2S connections so the first stanza we send should be encrypted hence startTls(false)
 
+        // Netty 4.2 changed the default for endpointIdentificationAlgorithm from null (disabled) to "HTTPS".
+        // XMPP S2S certificate validation is handled by Openfire's own trust manager (getTrustManagers()), which
+        // applies XMPP-specific rules (RFC 6120). Enabling Netty's HTTPS hostname verification on top would be
+        // redundant and could reject valid XMPP servers whose certificates do not conform to HTTPS naming conventions.
         return SslContextBuilder
             .forClient()
             .protocols(protocols)
             .ciphers(configuration.getEncryptionCipherSuites())
             .keyManager(getKeyManagerFactory())
             .trustManager(getTrustManagers()[0]) // The existing implementation never returns more than one trust manager.
             .startTls(false) // Acting as client making outbound S2S connection so encrypt next stanza
+            .endpointIdentificationAlgorithm(null) // Disable Netty's built-in hostname verification; Openfire's trust manager handles XMPP certificate validation.
             .build();
     }
 

xmppserver/src/main/java/org/jivesoftware/openfire/spi/NettyConnectionAcceptor.java

@@ -21,9 +21,10 @@
 import io.netty.channel.ChannelHandler;
 import io.netty.channel.ChannelOption;
 import io.netty.channel.EventLoopGroup;
+import io.netty.channel.MultiThreadIoEventLoopGroup;
 import io.netty.channel.group.ChannelGroup;
 import io.netty.channel.group.DefaultChannelGroup;
-import io.netty.channel.nio.NioEventLoopGroup;
+import io.netty.channel.nio.NioIoHandler;
 import io.netty.channel.socket.nio.NioServerSocketChannel;
 import io.netty.util.concurrent.DefaultEventExecutorGroup;
 import io.netty.util.concurrent.EventExecutorGroup;
@@ -133,7 +134,7 @@ public class NettyConnectionAcceptor extends ConnectionAcceptor {
         .setMaxValue(Duration.ofSeconds(Integer.MAX_VALUE))
         .build();
 
-    // NioEventLoopGroup is a multithreaded event loop that handles I/O operation.
+    // MultiThreadIoEventLoopGroup is a multithreaded event loop that handles I/O operation.
     // The first one, often called 'boss', accepts an incoming connection.
     // The second one, often called 'worker', handles the traffic of the accepted connection once the boss
     // accepts the connection and registers the accepted connection to the worker. How many Threads are
@@ -194,10 +195,10 @@ public NettyConnectionAcceptor(ConnectionConfiguration configuration) {
 
         // The configuration of threads is based on defaults used by io.netty.util.concurrent.DefaultThreadFactory (OF-3028)
         final ThreadFactory acceptorGroupThreadFactory = new NamedThreadFactory(name + "-acceptor-", null, false, Thread.NORM_PRIORITY);
-        acceptorGroup = new NioEventLoopGroup(acceptorGroupThreadFactory);
+        acceptorGroup = new MultiThreadIoEventLoopGroup(acceptorGroupThreadFactory, NioIoHandler.newFactory());
 
         final ThreadFactory ioWorkerGroupThreadFactory = new NamedThreadFactory(name + "-worker-", null, false, Thread.NORM_PRIORITY);
-        ioWorkerGroup = new NioEventLoopGroup(ioWorkerGroupThreadFactory);
+        ioWorkerGroup = new MultiThreadIoEventLoopGroup(ioWorkerGroupThreadFactory, NioIoHandler.newFactory());
 
         final ThreadFactory blockingHandlerGroupThreadFactory = new NamedThreadFactory(name + "-handler-", null, false, Thread.NORM_PRIORITY);
         blockingHandlerExecutor = new DefaultEventExecutorGroup(configuration.getMaxThreadPoolSize(), blockingHandlerGroupThreadFactory);