[#5401] Support -Djdk.tls.ephemeralDHKeySize=num when using OpenSslContext

Motivation:

Java8+ adds support set a DH key size via a System property (jdk.tls.ephemeralDHKeySize). We should respect this when using OpenSSL.

Modifications:

Respect system property.

Result:

More consistent SSL implementation.
This commit is contained in:
Norman Maurer 2016-06-16 14:56:30 +02:00
parent 70651cc58d
commit 3a69adfefb

View File

@ -33,7 +33,9 @@ import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager; import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager; import javax.net.ssl.X509TrustManager;
import java.security.AccessController;
import java.security.PrivateKey; import java.security.PrivateKey;
import java.security.PrivilegedAction;
import java.security.cert.Certificate; import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException; import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException; import java.security.cert.CertificateNotYetValidException;
@ -62,6 +64,7 @@ public abstract class OpenSslContext extends SslContext {
private static final boolean JDK_REJECT_CLIENT_INITIATED_RENEGOTIATION = private static final boolean JDK_REJECT_CLIENT_INITIATED_RENEGOTIATION =
SystemPropertyUtil.getBoolean("jdk.tls.rejectClientInitiatedRenegotiation", false); SystemPropertyUtil.getBoolean("jdk.tls.rejectClientInitiatedRenegotiation", false);
private static final List<String> DEFAULT_CIPHERS; private static final List<String> DEFAULT_CIPHERS;
private static final Integer DH_KEY_LENGTH;
// TODO: Maybe make configurable ? // TODO: Maybe make configurable ?
protected static final int VERIFY_DEPTH = 10; protected static final int VERIFY_DEPTH = 10;
@ -121,6 +124,28 @@ public abstract class OpenSslContext extends SslContext {
if (logger.isDebugEnabled()) { if (logger.isDebugEnabled()) {
logger.debug("Default cipher suite (OpenSSL): " + ciphers); logger.debug("Default cipher suite (OpenSSL): " + ciphers);
} }
Integer dhLen = null;
try {
String dhKeySize = AccessController.doPrivileged(new PrivilegedAction<String>() {
@Override
public String run() {
return SystemPropertyUtil.get("jdk.tls.ephemeralDHKeySize");
}
});
if (dhKeySize != null) {
try {
dhLen = Integer.parseInt(dhKeySize);
} catch (NumberFormatException e) {
logger.debug("OpenSslContext only support -Djdk.tls.ephemeralDHKeySize={int}, but got: "
+ dhKeySize);
}
}
} catch (Throwable ignore) {
// ignore
}
DH_KEY_LENGTH = dhLen;
} }
OpenSslContext(Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apnCfg, OpenSslContext(Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apnCfg,
@ -202,6 +227,10 @@ public abstract class OpenSslContext extends SslContext {
// See https://github.com/netty/netty-tcnative/issues/100 // See https://github.com/netty/netty-tcnative/issues/100
SSLContext.setMode(ctx, SSLContext.getMode(ctx) | SSL.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); SSLContext.setMode(ctx, SSLContext.getMode(ctx) | SSL.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
if (DH_KEY_LENGTH != null) {
SSLContext.setTmpDHLength(ctx, DH_KEY_LENGTH);
}
/* List the ciphers that are permitted to negotiate. */ /* List the ciphers that are permitted to negotiate. */
try { try {
SSLContext.setCipherSuite(ctx, CipherSuiteConverter.toOpenSsl(unmodifiableCiphers)); SSLContext.setCipherSuite(ctx, CipherSuiteConverter.toOpenSsl(unmodifiableCiphers));