andreacavalli/netty5
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Changed Netty JDK SSL to use default protocols instead of hardcoded supported (#9707)

Browse Source 
Motivation:

Netty should respect JVM flags to control SSL protocols, eg. `-Djdk.tls.client.protocols`


Modification: 

Changed `JdkSslContext` to use `SSLContext.getDefaultSSLParameters().getProtocols()` instead of `engine.getSupportedProtocols()` which is hardcoded as `SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2`.

Result:

Without `-Djdk.tls.client.protocols`, `SSLContext.getDefaultSSLParameters().getProtocols()` returns `TLSv1, TLSv1.1, TLSv1.2`.

With `-Djdk.tls.client.protocols=TLSv1.2`, `SSLContext.getDefaultSSLParameters().getProtocols()` returns `TLSv1.2`.

Fixes #9706
This commit is contained in:
Zhao Yang 2019-10-25 14:19:42 +08:00 committed by Norman Maurer
parent 844b82b986
commit 2f32e0b8ad
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java
View File

@ -79,7 +79,7 @@ public class JdkSslContext extends SslContext {
DEFAULT_PROVIDER = context.getProvider(); DEFAULT_PROVIDER = context.getProvider();
SSLEngine engine = context.createSSLEngine(); SSLEngine engine = context.createSSLEngine();
DEFAULT_PROTOCOLS = defaultProtocols(engine); DEFAULT_PROTOCOLS = defaultProtocols(context, engine);
SUPPORTED_CIPHERS = Collections.unmodifiableSet(supportedCiphers(engine)); SUPPORTED_CIPHERS = Collections.unmodifiableSet(supportedCiphers(engine));
DEFAULT_CIPHERS = Collections.unmodifiableList(defaultCiphers(engine, SUPPORTED_CIPHERS)); DEFAULT_CIPHERS = Collections.unmodifiableList(defaultCiphers(engine, SUPPORTED_CIPHERS));
@ -98,9 +98,9 @@ public class JdkSslContext extends SslContext {
} }
} }
private static String[] defaultProtocols(SSLEngine engine) { private static String[] defaultProtocols(SSLContext context, SSLEngine engine) {
// Choose the sensible default list of protocols. // Choose the sensible default list of protocols that respects JDK flags, eg. jdk.tls.client.protocols
final String[] supportedProtocols = engine.getSupportedProtocols(); final String[] supportedProtocols = context.getDefaultSSLParameters().getProtocols();
Set<String> supportedProtocolsSet = new HashSet<String>(supportedProtocols.length); Set<String> supportedProtocolsSet = new HashSet<String>(supportedProtocols.length);
Collections.addAll(supportedProtocolsSet, supportedProtocols); Collections.addAll(supportedProtocolsSet, supportedProtocols);
List<String> protocols = new ArrayList<String>(); List<String> protocols = new ArrayList<String>();
@ -261,7 +261,7 @@ public class JdkSslContext extends SslContext {
SSLEngine engine = sslContext.createSSLEngine(); SSLEngine engine = sslContext.createSSLEngine();
try { try {
if (protocols == null) { if (protocols == null) {
this.protocols = defaultProtocols(engine); this.protocols = defaultProtocols(sslContext, engine);
} else { } else {
this.protocols = protocols; this.protocols = protocols;
} }