From 00fd4ea2647ae3551508654ddff7dfb7e2ab0e61 Mon Sep 17 00:00:00 2001
From: Norman Maurer
Date: Tue, 11 May 2021 10:43:40 +0200
Subject: [PATCH] Disable TLSv1 and TLSv1.1 by default (#11237)
Motivation:
TLSv1 and TLSv1.1 is considered insecure. Let's follow the JDK and disable these by default
Modifications:
- Disable TLSv1 and TLSv1.1 by default when using OpenSSL.
- Add unit tests
Result:
Use only strong TLS versions by default when using OpenSSL
---
 .../ssl/ReferenceCountedOpenSslContext.java | 5 ++
 .../netty/handler/ssl/OpenSslEngineTest.java | 55 +++++++++++++++++++
 2 files changed, 60 insertions(+)
diff --git a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java
index d9365e5a07..c8d6ba06c3 100644
--- a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java
@@ -297,6 +297,11 @@ public abstract class ReferenceCountedOpenSslContext extends SslContext implemen
 int options = SSLContext.getOptions(ctx) |
 SSL.SSL_OP_NO_SSLv2 |
 SSL.SSL_OP_NO_SSLv3 |
+ // Disable TLSv1 and TLSv1.1 by default as these are not considered secure anymore
+ // and the JDK is doing the same:
+ // https://www.oracle.com/java/technologies/javase/8u291-relnotes.html
+ SSL.SSL_OP_NO_TLSv1 |
+ SSL.SSL_OP_NO_TLSv1_1 |
 SSL.SSL_OP_CIPHER_SERVER_PREFERENCE |
diff --git a/handler/src/test/java/io/netty/handler/ssl/OpenSslEngineTest.java b/handler/src/test/java/io/netty/handler/ssl/OpenSslEngineTest.java
index 177e72849e..106c90edd6 100644
--- a/handler/src/test/java/io/netty/handler/ssl/OpenSslEngineTest.java
+++ b/handler/src/test/java/io/netty/handler/ssl/OpenSslEngineTest.java
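Review bot: The added `SSL.SSL_OP_NO_TLSv1 | SSL.SSL_OP_NO_TLSv1_1` bits land on the shared context options for every context this class builds, client and server alike, but the comment only explains why, not how a caller who still needs one of these versions opts back in; the test hunk relies on `SslContextBuilder.protocols(...)` for that, which presumably clears these bits again on the engine, so the comment should state it: `// Callers can still opt in explicitly via SslContextBuilder.protocols(...), which must clear these bits again`. The same statement belongs in the `protocols(...)` Javadoc and the release notes, since this changes the default protocol set of existing deployments that never configured protocols. The statement building `options` belongs to a method that starts and ends outside this hunk (the @@ line shows only the class), and the hunk's two trailing context lines appear cut off on this page.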
@@ -38,6 +38,7 @@ import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLEngineResult;
 import javax.net.ssl.SSLEngineResult.HandshakeStatus;
 import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLHandshakeException;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.X509ExtendedKeyManager;
 import java.net.Socket;
@@ -71,6 +72,7 @@ import static org.junit.Assert.assertNotEquals;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertSame;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
 import static org.junit.Assume.assumeTrue;
 @RunWith(Parameterized.class)
@@ -1389,6 +1391,59 @@ public class OpenSslEngineTest extends SSLEngineTest {
 super.testSessionLocalWhenNonMutualWithoutKeyManager();
 }
+ @Test
+ public void testDefaultTLS1NotAcceptedByDefaultServer() throws Exception {
+ testDefaultTLS1NotAcceptedByDefault(null, PROTOCOL_TLS_V1);
+ }
+
+ @Test
+ public void testDefaultTLS11NotAcceptedByDefaultServer() throws Exception {
+ testDefaultTLS1NotAcceptedByDefault(null, PROTOCOL_TLS_V1_1);
+ }
+
+ @Test
+ public void testDefaultTLS1NotAcceptedByDefaultClient() throws Exception {
+ testDefaultTLS1NotAcceptedByDefault(PROTOCOL_TLS_V1, null);
+ }
+
+ @Test
+ public void testDefaultTLS11NotAcceptedByDefaultClient() throws Exception {
+ testDefaultTLS1NotAcceptedByDefault(PROTOCOL_TLS_V1_1, null);
+ }
+
+ private void testDefaultTLS1NotAcceptedByDefault(String clientProtocol, String serverProtocol) throws Exception {
+ SslContextBuilder clientCtxBuilder = SslContextBuilder.forClient()
+ .trustManager(InsecureTrustManagerFactory.INSTANCE)
+ .sslProvider(sslClientProvider())
+ .sslContextProvider(clientSslContextProvider());
+ if (clientProtocol != null) {
+ clientCtxBuilder.protocols(clientProtocol);
+ }
+ clientSslCtx = wrapContext(clientCtxBuilder.build());
+ SelfSignedCertificate ssc = new SelfSignedCertificate();
+
+ SslContextBuilder serverCtxBuilder = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
+ .sslProvider(sslServerProvider())
+ .sslContextProvider(serverSslContextProvider());
+ if (serverProtocol != null) {
+ serverCtxBuilder.protocols(serverProtocol);
+ }
+ serverSslCtx = wrapContext(serverCtxBuilder.build());
+ SSLEngine client = wrapEngine(clientSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT));
+ SSLEngine server = wrapEngine(serverSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT));
+
+ try {
+ handshake(client, server);
+ fail();
+ } catch (SSLHandshakeException expected) {
+ // expected
+ } finally {
+ cleanupClientSslEngine(client);
+ cleanupServerSslEngine(server);
+ ssc.delete();
+ }
+ }
+
 @Override
 protected SslProvider sslClientProvider() {
 return SslProvider.OPENSSL;
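Review bot: The four new tests only cover the negative case, so `testDefaultTLS1NotAcceptedByDefaultClient` would presumably pass just as well if TLSv1 could no longer be enabled on the client at all, or if the handshake failed for an unrelated reason, since both end in the same `SSLHandshakeException`; a positive control with `PROTOCOL_TLS_V1` set explicitly on both sides and expected to succeed pins that the `protocols(...)` opt-in still works, and the bare `fail()` should say what was expected, e.g. `fail("handshake with client=" + clientProtocol + " server=" + serverProtocol + " should have been rejected");`. Whether the native OpenSSL used in CI still ships TLSv1 is not visible here, so that control may need an `assumeTrue(...)` guard. Separately, `SelfSignedCertificate ssc` is created before the `try`, so a failing `serverCtxBuilder.build()` or `newEngine(...)` leaves its temporary files undeleted; wrapping the server setup in its own try/finally fixes that. The enclosing class `OpenSslEngineTest` starts and ends outside the hunk, and `sslClientProvider()` continues past its last line.
```java
    @Test
    public void testTLS1AcceptedWhenExplicitlyEnabledOnBothSides() throws Exception {
        testProtocolHandshake(PROTOCOL_TLS_V1, PROTOCOL_TLS_V1, false);
    }

    private void testDefaultTLS1NotAcceptedByDefault(String clientProtocol, String serverProtocol) throws Exception {
        testProtocolHandshake(clientProtocol, serverProtocol, true);
    }

    private void testProtocolHandshake(String clientProtocol, String serverProtocol, boolean expectRejected)
            throws Exception {
        // … unchanged: client context builder, protocols(clientProtocol), clientSslCtx …
        SelfSignedCertificate ssc = new SelfSignedCertificate();
        try {
            // … unchanged: server context builder, protocols(serverProtocol), serverSslCtx, client/server engines …
            try {
                handshake(client, server);
                if (expectRejected) {
                    fail("handshake with client=" + clientProtocol + " server=" + serverProtocol
                            + " should have been rejected");
                }
            } catch (SSLHandshakeException e) {
                if (!expectRejected) {
                    throw e;
                }
            } finally {
                cleanupClientSslEngine(client);
                cleanupServerSslEngine(server);
            }
        } finally {
            ssc.delete();
        }
    }
```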