Include TLSv1.3 ciphers as recommented ciphers for HTTP2 (#10480)
Motivation: We should include TLSv1.3 ciphers as well as recommented ciphers these days for HTTP/2. That is especially true as Java supports TLSv1.3 these days out of the box Modifications: - Add TLSv1.3 ciphers that are recommended by mozilla as was for HTTP/2 - Add unit test Result: Include TLSv1.3 ciphers as well
This commit is contained in:
parent
cc33da49aa
commit
3c49d09eb9
@ -43,9 +43,9 @@ public final class Http2SecurityUtil {
|
||||
public static final List<String> CIPHERS;
|
||||
|
||||
/**
|
||||
* <a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility">Mozilla Modern Cipher
|
||||
* Suites</a> minus the following cipher suites that are black listed by the
|
||||
* <a href="https://tools.ietf.org/html/rfc7540#appendix-A">HTTP/2 RFC</a>.
|
||||
* <a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29"
|
||||
* >Mozilla Modern Cipher Suites Intermediate compatibility</a> minus the following cipher suites that are black
|
||||
* listed by the <a href="https://tools.ietf.org/html/rfc7540#appendix-A">HTTP/2 RFC</a>.
|
||||
*/
|
||||
private static final List<String> CIPHERS_JAVA_MOZILLA_MODERN_SECURITY = Collections.unmodifiableList(Arrays
|
||||
.asList(
|
||||
@ -64,7 +64,12 @@ public final class Http2SecurityUtil {
|
||||
/* openssl = ECDHE-ECDSA-CHACHA20-POLY1305 */
|
||||
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
|
||||
/* openssl = ECDHE-RSA-CHACHA20-POLY1305 */
|
||||
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
|
||||
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
|
||||
|
||||
/* TLS 1.3 ciphers */
|
||||
"TLS_AES_128_GCM_SHA256",
|
||||
"TLS_AES_256_GCM_SHA384",
|
||||
"TLS_CHACHA20_POLY1305_SHA256"
|
||||
));
|
||||
|
||||
static {
|
||||
|
@ -0,0 +1,49 @@
|
||||
/*
|
||||
* Copyright 2020 The Netty Project
|
||||
*
|
||||
* The Netty Project licenses this file to you under the Apache License,
|
||||
* version 2.0 (the "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at:
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
* License for the specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
package io.netty.handler.codec.http2;
|
||||
|
||||
import io.netty.buffer.UnpooledByteBufAllocator;
|
||||
import io.netty.handler.ssl.SslContext;
|
||||
import io.netty.handler.ssl.SslContextBuilder;
|
||||
import io.netty.handler.ssl.SslProvider;
|
||||
import io.netty.handler.ssl.SupportedCipherSuiteFilter;
|
||||
import org.junit.Assert;
|
||||
import org.junit.Assume;
|
||||
import org.junit.Test;
|
||||
|
||||
import javax.net.ssl.SSLEngine;
|
||||
import javax.net.ssl.SSLException;
|
||||
|
||||
public class Http2SecurityUtilTest {
|
||||
|
||||
@Test
|
||||
public void testTLSv13CiphersIncluded() throws SSLException {
|
||||
Assume.assumeTrue(SslProvider.isTlsv13Supported(SslProvider.JDK));
|
||||
testCiphersIncluded("TLSv1.3");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testTLSv12CiphersIncluded() throws SSLException {
|
||||
testCiphersIncluded("TLSv1.2");
|
||||
}
|
||||
|
||||
private static void testCiphersIncluded(String protocol) throws SSLException {
|
||||
SslContext context = SslContextBuilder.forClient().sslProvider(SslProvider.JDK).protocols(protocol)
|
||||
.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE).build();
|
||||
SSLEngine engine = context.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
||||
Assert.assertTrue("No " + protocol + " ciphers found", engine.getEnabledCipherSuites().length > 0);
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user