Allow server initiated renegotiate when using OpenSSL / BoringSSL based SSLEngine (#11601)

Motivation:

We should allow server initiated renegotiation when OpenSSL / BoringSSL bases SSLEngine is used as it might be used for client auth.

Modifications:

- Upgrade netty-tcnative version to be able to allow renegotiate once
- Adjust code

Result
Fixes https://github.com/netty/netty/issues/11529
This commit is contained in:
Norman Maurer 2021-08-20 18:52:22 +02:00 committed by GitHub
parent 36eb399b4b
commit 33b63c325f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 2 deletions

View File

@ -370,6 +370,13 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc
} }
} }
if (OpenSsl.isBoringSSL() && clientMode) {
// If in client-mode and BoringSSL let's allow to renegotiate once as the server may use this
// for client auth.
//
// See https://github.com/netty/netty/issues/11529
SSL.setRenegotiateMode(ssl, SSL.SSL_RENEGOTIATE_ONCE);
}
// setMode may impact the overhead. // setMode may impact the overhead.
calculateMaxWrapOverhead(); calculateMaxWrapOverhead();
} catch (Throwable cause) { } catch (Throwable cause) {
@ -1359,7 +1366,9 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc
// As rejectRemoteInitiatedRenegotiation() is called in a finally block we also need to check if we shutdown // As rejectRemoteInitiatedRenegotiation() is called in a finally block we also need to check if we shutdown
// the engine before as otherwise SSL.getHandshakeCount(ssl) will throw an NPE if the passed in ssl is 0. // the engine before as otherwise SSL.getHandshakeCount(ssl) will throw an NPE if the passed in ssl is 0.
// See https://github.com/netty/netty/issues/7353 // See https://github.com/netty/netty/issues/7353
if (!isDestroyed() && SSL.getHandshakeCount(ssl) > 1 && if (!isDestroyed() && (!clientMode && SSL.getHandshakeCount(ssl) > 1 ||
// Let's allow to renegotiate once for client auth.
clientMode && SSL.getHandshakeCount(ssl) > 2) &&
// As we may count multiple handshakes when TLSv1.3 is used we should just ignore this here as // As we may count multiple handshakes when TLSv1.3 is used we should just ignore this here as
// renegotiation is not supported in TLSv1.3 as per spec. // renegotiation is not supported in TLSv1.3 as per spec.
!SslProtocols.TLS_v1_3.equals(session.getProtocol()) && handshakeState == HandshakeState.FINISHED) { !SslProtocols.TLS_v1_3.equals(session.getProtocol()) && handshakeState == HandshakeState.FINISHED) {

View File

@ -508,7 +508,7 @@
<!-- keep in sync with PlatformDependent#ALLOWED_LINUX_OS_CLASSIFIERS --> <!-- keep in sync with PlatformDependent#ALLOWED_LINUX_OS_CLASSIFIERS -->
<os.detection.classifierWithLikes>fedora,suse,arch</os.detection.classifierWithLikes> <os.detection.classifierWithLikes>fedora,suse,arch</os.detection.classifierWithLikes>
<tcnative.artifactId>netty-tcnative</tcnative.artifactId> <tcnative.artifactId>netty-tcnative</tcnative.artifactId>
<tcnative.version>2.0.40.Final</tcnative.version> <tcnative.version>2.0.41.Final</tcnative.version>
<tcnative.classifier>${os.detected.classifier}</tcnative.classifier> <tcnative.classifier>${os.detected.classifier}</tcnative.classifier>
<conscrypt.groupId>org.conscrypt</conscrypt.groupId> <conscrypt.groupId>org.conscrypt</conscrypt.groupId>
<conscrypt.artifactId>conscrypt-openjdk-uber</conscrypt.artifactId> <conscrypt.artifactId>conscrypt-openjdk-uber</conscrypt.artifactId>