Log if the user tries to explicit set TLSv1.3 ciphers and using BoringSSL (#11392)
Motivation: At the moment BoringSSL doesnt support explicit set the TLSv1.3 ciphers that should be used. If TLSv1.3 should be used it just enables all ciphers. We should better log if the user tries to explicit set a specific ciphers and using BoringSSL to inform the user that what is tried doesnt really work. Modifications: Log if the user tries to not use all TLSv1.3 ciphers and use BoringSSL Result: Easier for the user to understand why always all TLSv1.3 ciphers are enabled when using BoringSSL Co-authored-by: Trustin Lee <trustin@gmail.com>
This commit is contained in:
Norman Maurer
GitHub
parent
f1742c0e43
commit
0c9a86db81
@ -29,6 +29,7 @@ import io.netty.util.ReferenceCounted;
|
||||
import io.netty.util.internal.EmptyArrays;
|
||||
import io.netty.util.internal.NativeLibraryLoader;
|
||||
import io.netty.util.internal.PlatformDependent;
|
||||
import io.netty.util.internal.StringUtil;
|
||||
import io.netty.util.internal.SystemPropertyUtil;
|
||||
import io.netty.util.internal.logging.InternalLogger;
|
||||
import io.netty.util.internal.logging.InternalLoggerFactory;
|
||||
@ -38,6 +39,7 @@ import java.security.cert.CertificateException;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collections;
|
||||
import java.util.HashSet;
|
||||
import java.util.LinkedHashSet;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
@ -64,6 +66,7 @@ public final class OpenSsl {
|
||||
private static final boolean IS_BORINGSSL;
|
||||
static final Set<String> SUPPORTED_PROTOCOLS_SET;
|
||||
static final String[] EXTRA_SUPPORTED_TLS_1_3_CIPHERS;
|
||||
static final String EXTRA_SUPPORTED_TLS_1_3_CIPHERS_STRING;
|
||||
|
||||
// self-signed certificate for netty.io and the matching private-key
|
||||
private static final String CERT = "-----BEGIN CERTIFICATE-----\n" +
|
||||
@ -184,8 +187,16 @@ public final class OpenSsl {
|
||||
EXTRA_SUPPORTED_TLS_1_3_CIPHERS = new String [] { "TLS_AES_128_GCM_SHA256",
|
||||
"TLS_AES_256_GCM_SHA384" ,
|
||||
"TLS_CHACHA20_POLY1305_SHA256" };
|
||||
|
||||
StringBuilder ciphersBuilder = new StringBuilder(128);
|
||||
for (String cipher: EXTRA_SUPPORTED_TLS_1_3_CIPHERS) {
|
||||
ciphersBuilder.append(cipher).append(":");
|
||||
}
|
||||
ciphersBuilder.setLength(ciphersBuilder.length() - 1);
|
||||
EXTRA_SUPPORTED_TLS_1_3_CIPHERS_STRING = ciphersBuilder.toString();
|
||||
} else {
|
||||
EXTRA_SUPPORTED_TLS_1_3_CIPHERS = EmptyArrays.EMPTY_STRINGS;
|
||||
EXTRA_SUPPORTED_TLS_1_3_CIPHERS_STRING = StringUtil.EMPTY_STRING;
|
||||
}
|
||||
|
||||
try {
|
||||
@ -381,9 +392,49 @@ public final class OpenSsl {
|
||||
TLSV13_SUPPORTED = false;
|
||||
IS_BORINGSSL = false;
|
||||
EXTRA_SUPPORTED_TLS_1_3_CIPHERS = EmptyArrays.EMPTY_STRINGS;
|
||||
EXTRA_SUPPORTED_TLS_1_3_CIPHERS_STRING = StringUtil.EMPTY_STRING;
|
||||
}
|
||||
}
|
||||
|
||||
static String checkTls13Ciphers(InternalLogger logger, String ciphers) {
|
||||
if (IS_BORINGSSL && !ciphers.isEmpty()) {
|
||||
assert EXTRA_SUPPORTED_TLS_1_3_CIPHERS.length > 0;
|
||||
Set<String> boringsslTlsv13Ciphers = new HashSet<String>(EXTRA_SUPPORTED_TLS_1_3_CIPHERS.length);
|
||||
Collections.addAll(boringsslTlsv13Ciphers, EXTRA_SUPPORTED_TLS_1_3_CIPHERS);
|
||||
boolean ciphersNotMatch = false;
|
||||
for (String cipher: ciphers.split(":")) {
|
||||
if (boringsslTlsv13Ciphers.isEmpty()) {
|
||||
ciphersNotMatch = true;
|
||||
break;
|
||||
}
|
||||
if (!boringsslTlsv13Ciphers.remove(cipher) &&
|
||||
!boringsslTlsv13Ciphers.remove(CipherSuiteConverter.toJava(cipher, "TLS"))) {
|
||||
ciphersNotMatch = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
// Also check if there are ciphers left.
|
||||
ciphersNotMatch |= !boringsslTlsv13Ciphers.isEmpty();
|
||||
|
||||
if (ciphersNotMatch) {
|
||||
if (logger.isInfoEnabled()) {
|
||||
StringBuilder javaCiphers = new StringBuilder(128);
|
||||
for (String cipher : ciphers.split(":")) {
|
||||
javaCiphers.append(CipherSuiteConverter.toJava(cipher, "TLS")).append(":");
|
||||
}
|
||||
javaCiphers.setLength(javaCiphers.length() - 1);
|
||||
logger.info(
|
||||
"BoringSSL doesn't allow to enable or disable TLSv1.3 ciphers explicitly." +
|
||||
" Provided TLSv1.3 ciphers: '{}', default TLSv1.3 ciphers that will be used: '{}'.",
|
||||
javaCiphers, EXTRA_SUPPORTED_TLS_1_3_CIPHERS_STRING);
|
||||
}
|
||||
return EXTRA_SUPPORTED_TLS_1_3_CIPHERS_STRING;
|
||||
}
|
||||
}
|
||||
return ciphers;
|
||||
}
|
||||
|
||||
static boolean isSessionCacheSupported() {
|
||||
return version() >= 0x10100000L;
|
||||
}
|
||||
|
||||
@ -286,7 +286,8 @@ public abstract class ReferenceCountedOpenSslContext extends SslContext implemen
|
||||
SSLContext.setCipherSuite(ctx, cipherBuilder.toString(), false);
|
||||
if (tlsv13Supported) {
|
||||
// Set TLSv1.3 ciphers.
|
||||
SSLContext.setCipherSuite(ctx, cipherTLSv13Builder.toString(), true);
|
||||
SSLContext.setCipherSuite(ctx,
|
||||
OpenSsl.checkTls13Ciphers(logger, cipherTLSv13Builder.toString()), true);
|
||||
}
|
||||
}
|
||||
} catch (SSLException e) {
|
||||
|
||||
@ -1598,7 +1598,7 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc
|
||||
SSL.setCipherSuites(ssl, cipherSuiteSpec, false);
|
||||
if (OpenSsl.isTlsv13Supported()) {
|
||||
// Set TLSv1.3 ciphers.
|
||||
SSL.setCipherSuites(ssl, cipherSuiteSpecTLSv13, true);
|
||||
SSL.setCipherSuites(ssl, OpenSsl.checkTls13Ciphers(logger, cipherSuiteSpecTLSv13), true);
|
||||
}
|
||||
|
||||
// We also need to update the enabled protocols to ensure we disable the protocol if there are
|
||||
|
||||
Loading…
Reference in New Issue
Block a user