Allow server initiated renegotiate when using OpenSSL / BoringSSL based SSLEngine (#11601)
Motivation: We should allow server initiated renegotiation when an OpenSSL / BoringSSL based SSLEngine is used, as it might be used for client auth. Modifications: - Upgrade netty-tcnative version to be able to allow renegotiate once - Adjust code Result: Fixes https://github.com/netty/netty/issues/11529
parent
ea5bc27c83
commit
3c5b6c3e66
@ -362,6 +362,13 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (OpenSsl.isBoringSSL() && clientMode) {
|
||||||
|
// If in client-mode and BoringSSL let's allow to renegotiate once as the server may use this
|
||||||
|
// for client auth.
|
||||||
|
//
|
||||||
|
// See https://github.com/netty/netty/issues/11529
|
||||||
|
SSL.setRenegotiateMode(ssl, SSL.SSL_RENEGOTIATE_ONCE);
|
||||||
|
}
|
||||||
// setMode may impact the overhead.
|
// setMode may impact the overhead.
|
||||||
calculateMaxWrapOverhead();
|
calculateMaxWrapOverhead();
|
||||||
} catch (Throwable cause) {
|
} catch (Throwable cause) {
|
||||||
@ -1350,7 +1357,9 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc
|
|||||||
// As rejectRemoteInitiatedRenegotiation() is called in a finally block we also need to check if we shutdown
|
// As rejectRemoteInitiatedRenegotiation() is called in a finally block we also need to check if we shutdown
|
||||||
// the engine before as otherwise SSL.getHandshakeCount(ssl) will throw an NPE if the passed in ssl is 0.
|
// the engine before as otherwise SSL.getHandshakeCount(ssl) will throw an NPE if the passed in ssl is 0.
|
||||||
// See https://github.com/netty/netty/issues/7353
|
// See https://github.com/netty/netty/issues/7353
|
||||||
if (!isDestroyed() && SSL.getHandshakeCount(ssl) > 1 &&
|
if (!isDestroyed() && (!clientMode && SSL.getHandshakeCount(ssl) > 1 ||
|
||||||
|
// Let's allow to renegotiate once for client auth.
|
||||||
|
clientMode && SSL.getHandshakeCount(ssl) > 2) &&
|
||||||
// As we may count multiple handshakes when TLSv1.3 is used we should just ignore this here as
|
// As we may count multiple handshakes when TLSv1.3 is used we should just ignore this here as
|
||||||
// renegotiation is not supported in TLSv1.3 as per spec.
|
// renegotiation is not supported in TLSv1.3 as per spec.
|
||||||
!SslProtocols.TLS_v1_3.equals(session.getProtocol()) && handshakeState == HandshakeState.FINISHED) {
|
!SslProtocols.TLS_v1_3.equals(session.getProtocol()) && handshakeState == HandshakeState.FINISHED) {
|
||||||
|
2
pom.xml
2
pom.xml
@ -468,7 +468,7 @@
|
|||||||
<!-- keep in sync with PlatformDependent#ALLOWED_LINUX_OS_CLASSIFIERS -->
|
<!-- keep in sync with PlatformDependent#ALLOWED_LINUX_OS_CLASSIFIERS -->
|
||||||
<os.detection.classifierWithLikes>fedora,suse,arch</os.detection.classifierWithLikes>
|
<os.detection.classifierWithLikes>fedora,suse,arch</os.detection.classifierWithLikes>
|
||||||
<tcnative.artifactId>netty-tcnative</tcnative.artifactId>
|
<tcnative.artifactId>netty-tcnative</tcnative.artifactId>
|
||||||
<tcnative.version>2.0.40.Final</tcnative.version>
|
<tcnative.version>2.0.41.Final</tcnative.version>
|
||||||
<tcnative.classifier>${os.detected.classifier}</tcnative.classifier>
|
<tcnative.classifier>${os.detected.classifier}</tcnative.classifier>
|
||||||
<conscrypt.groupId>org.conscrypt</conscrypt.groupId>
|
<conscrypt.groupId>org.conscrypt</conscrypt.groupId>
|
||||||
<conscrypt.artifactId>conscrypt-openjdk-uber</conscrypt.artifactId>
|
<conscrypt.artifactId>conscrypt-openjdk-uber</conscrypt.artifactId>
|
||||||
|