
Avoid dependency on netty-pkitesting

[Open] civilizeddev opened this issue 4 months ago • 2 comments

What is not easy to do right now?

Because zio-http depends on netty-pkitesting, it introduces a transitive dependency on the BouncyCastle provider. As a result, when running jdeps (for JPMS modularization), we encounter module-missing errors related to BouncyCastle. Moreover, we do not want to bundle unnecessary SSL-related dependencies like BouncyCastle in our production application.

Describe the solution you'd like

I would like netty-pkitesting to be used only in test or developer mode. Ideally, zio-http should:

  • Move the certificate generation feature (SSLConfig.Generate) into a testkit or a separate module, or
  • Mark netty-pkitesting as an optional/test scope dependency, so production users are not forced to include it.

This way, applications that need self-signed certificates for development can opt in, while production users can provide their own certificates without inheriting test-only dependencies.

Why is it important?

Including netty-pkitesting at runtime has several drawbacks:

  • It brings test-only code and extra cryptographic providers into production builds unnecessarily.
  • It breaks tools like jdeps and jlink unless additional manual steps are taken.
  • It introduces potential security risks by encouraging the use of incomplete self-signed certificates (missing SAN, EKU, etc.) in production.

Separating or scoping this dependency properly will make zio-http easier to use in production, safer by default, and more modular.

Additional context

https://github.com/zio/zio-http/blob/d8917d5db5037ed8348ec16195e014920aa41065/project/Dependencies.scala#L31

Netty maintainers have clarified that netty-pkitesting is only intended for testing PKI/TLS scenarios. Current zio-http code (SSLConfig.Generate) relies on it at runtime, which is what causes the issue.

https://github.com/netty/netty/discussions/15564#discussioncomment-14127372

civilizeddev, Aug 18 '25 01:08
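Until zio-http itself scopes the dependency, a downstream service can keep netty-pkitesting and the BouncyCastle provider off its runtime classpath from its own build. The following sbt fragment is an added example written for this thread, not part of zio-http or of the reporter's build; the version strings are placeholders, and it assumes the application never calls SSLConfig.Generate (with these exclusions in place that code path would fail with a NoClassDefFoundError, which is the intended outcome for a production build).

```scala
// build.sbt of a downstream service (added example; versions are placeholders)
ThisBuild / scalaVersion := "3.3.3"

val zioHttpVersion = "3.0.1" // assumed placeholder, not a recommended version

libraryDependencies += "dev.zio" %% "zio-http" % zioHttpVersion

// Drop the test-only PKI helper and the BouncyCastle provider it pulls in
// transitively. excludeDependencies applies to every configuration of this
// project, so the exclusion also holds for Test; keep a separate dev-only
// sbt project if developers still want SSLConfig.Generate locally.
excludeDependencies ++= Seq(
  ExclusionRule("io.netty", "netty-pkitesting"),
  ExclusionRule("org.bouncycastle")
)
```

After reloading, `sbt dependencyTree` (built into sbt 1.4+) should no longer list `io.netty:netty-pkitesting` or any `org.bouncycastle` artifact, and the jdeps run from the issue description should stop reporting the BouncyCastle module-missing errors. The production server must then be configured with real certificate material instead of the generated one.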

https://github.com/zio/zio-http/blob/604b5659d35899f8fcf718561359d2a60322cea5/zio-http/jvm/src/main/scala/zio/http/netty/server/ServerSSLDecoder.scala#L41

https://github.com/zio/zio-http/blob/604b5659d35899f8fcf718561359d2a60322cea5/zio-http/jvm/src/main/scala/zio/http/netty/server/ServerSSLDecoder.scala#L90-L91

civilizeddev, Aug 22 '25 06:08
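The ServerSSLDecoder lines linked above are where a certificate gets generated at runtime, and the issue's security point is that such development certificates tend to lack the subjectAltName and extendedKeyUsage extensions a TLS client expects. The following check is an added example for this thread, not zio-http code: it loads a PEM or DER certificate from a path given on the command line (the path, the host name and the object name `CertSanity` are all assumptions) and reports the properties that would make it unacceptable on a production listener. It uses only the JDK's `java.security.cert` API, so it runs without BouncyCastle.

```scala
// CertSanity.scala (added example, not part of zio-http)
import java.io.FileInputStream
import java.security.cert.{CertificateException, CertificateFactory, X509Certificate}
import scala.collection.mutable.ListBuffer
import scala.jdk.CollectionConverters._

object CertSanity {
  private val ServerAuthOid = "1.3.6.1.5.5.7.3.1" // id-kp-serverAuth (RFC 5280)

  /** Returns human-readable findings; an empty list means nothing obviously wrong. */
  def findings(cert: X509Certificate, expectedHost: String): List[String] = {
    val issues = ListBuffer.empty[String]

    // A self-signed leaf is fine for a dev box but has no trust anchor for real clients.
    if (cert.getIssuerX500Principal == cert.getSubjectX500Principal)
      issues += "self-signed: issuer equals subject"

    // SAN: modern clients ignore the CN and only match subjectAltName entries.
    val sans = Option(cert.getSubjectAlternativeNames).map(_.asScala.toList).getOrElse(Nil)
    val dnsNames = sans.collect { case entry if entry.get(0) == 2 => entry.get(1).toString } // 2 = dNSName
    if (sans.isEmpty) issues += "no subjectAltName extension"
    else if (!dnsNames.contains(expectedHost)) issues += s"SAN does not cover $expectedHost: $dnsNames"

    // EKU: when the extension is present it must include serverAuth.
    Option(cert.getExtendedKeyUsage).map(_.asScala.toList) match {
      case None      => issues += "no extendedKeyUsage extension"
      case Some(eku) => if (!eku.contains(ServerAuthOid)) issues += s"EKU lacks serverAuth: $eku"
    }

    // Validity window: generated dev certificates are often short-lived.
    try cert.checkValidity()
    catch { case e: CertificateException => issues += s"not currently valid: ${e.getMessage}" }

    issues.toList
  }

  /** Loads the first certificate (PEM or DER) from the given file. */
  def load(path: String): X509Certificate = {
    val in = new FileInputStream(path)
    try CertificateFactory.getInstance("X.509").generateCertificate(in).asInstanceOf[X509Certificate]
    finally in.close()
  }

  // Usage: scala CertSanity.scala server.crt api.example.com   (arguments are assumptions)
  def main(args: Array[String]): Unit = {
    val Array(path, host) = args
    val found = findings(load(path), host)
    if (found.isEmpty) println("OK")
    else {
      found.foreach(f => println(s"FAIL: $f"))
      sys.exit(1)
    }
  }
}
```

Running this against the certificate a production deployment actually serves (for example one exported from the listener with `openssl s_client`) is a cheap guard against the failure mode the issue describes: a development certificate that was never meant to leave a test profile ending up behind a public hostname.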

While I agree and see the issue, I do not see an easy way to do this while keeping binary compatibility. I will mark this as a change for 4.0 that will focus on modularization. I will start working on this soonish. Can't say when it will be done.

987Nabil, Aug 22 '25 07:08