Enable stateless resumption for TLSv1.3 by default when using OpenSSL / BoringSSL (#10997)
Motivation: At the moment we always set SSL_OP_NO_TICKET when building our context. The problem with this is that this also disables resumption for TLSv1.3 in BoringSSL as it only supports stateless resumption for TLSv1.3 which uses tickets. We should better clear this option when TLSv1.3 is enabled to be able to resume sessions. This is also in line with the OpenJDK, which enables this for TLSv1.3 by default as well. Modifications: Check for enabled protocols and if TLSv1.3 is set clear SSL_OP_NO_TICKET. Result: Be able to resume sessions for TLSv1.3 when using BoringSSL.
This commit is contained in:
parent
9c2de76add
commit
42a2c9c831
@ -15,7 +15,6 @@
|
||||
*/
|
||||
package io.netty.handler.ssl;
|
||||
|
||||
import io.netty.util.internal.SystemPropertyUtil;
|
||||
import io.netty.internal.tcnative.CertificateCallback;
|
||||
import io.netty.internal.tcnative.SSL;
|
||||
import io.netty.internal.tcnative.SSLContext;
|
||||
@ -53,8 +52,7 @@ public final class ReferenceCountedOpenSslClientContext extends ReferenceCounted
|
||||
OpenSslKeyMaterialManager.KEY_TYPE_EC,
|
||||
OpenSslKeyMaterialManager.KEY_TYPE_EC_RSA,
|
||||
OpenSslKeyMaterialManager.KEY_TYPE_EC_EC)));
|
||||
private static final boolean ENABLE_SESSION_TICKET =
|
||||
SystemPropertyUtil.getBoolean("jdk.tls.client.enableSessionTicketExtension", false);
|
||||
|
||||
private final OpenSslSessionContext sessionContext;
|
||||
|
||||
ReferenceCountedOpenSslClientContext(X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
|
||||
@ -169,7 +167,7 @@ public final class ReferenceCountedOpenSslClientContext extends ReferenceCounted
|
||||
throw new SSLException("unable to setup trustmanager", e);
|
||||
}
|
||||
OpenSslClientSessionContext context = new OpenSslClientSessionContext(thiz, keyMaterialProvider);
|
||||
if (ENABLE_SESSION_TICKET) {
|
||||
if (CLIENT_ENABLE_SESSION_TICKET) {
|
||||
context.setTicketKeys();
|
||||
}
|
||||
keyMaterialProvider = null;
|
||||
|
@ -91,6 +91,18 @@ public abstract class ReferenceCountedOpenSslContext extends SslContext implemen
|
||||
// TODO: Maybe make configurable ?
|
||||
protected static final int VERIFY_DEPTH = 10;
|
||||
|
||||
static final boolean CLIENT_ENABLE_SESSION_TICKET =
|
||||
SystemPropertyUtil.getBoolean("jdk.tls.client.enableSessionTicketExtension", false);
|
||||
|
||||
static final boolean CLIENT_ENABLE_SESSION_TICKET_TLSV13 =
|
||||
SystemPropertyUtil.getBoolean("jdk.tls.client.enableSessionTicketExtension", true);
|
||||
|
||||
static final boolean SERVER_ENABLE_SESSION_TICKET =
|
||||
SystemPropertyUtil.getBoolean("jdk.tls.server.enableSessionTicketExtension", false);
|
||||
|
||||
static final boolean SERVER_ENABLE_SESSION_TICKET_TLSV13 =
|
||||
SystemPropertyUtil.getBoolean("jdk.tls.server.enableSessionTicketExtension", true);
|
||||
|
||||
/**
|
||||
* The OpenSSL SSL_CTX object.
|
||||
*
|
||||
|
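Review bot: `CLIENT_ENABLE_SESSION_TICKET` and `CLIENT_ENABLE_SESSION_TICKET_TLSV13` read the same system property `jdk.tls.client.enableSessionTicketExtension` with opposite defaults (false and true), and the `SERVER_` pair does the same with `jdk.tls.server.enableSessionTicketExtension`, yet nothing in the hunk documents this. A reader cannot tell from the declarations that leaving the property unset yields no tickets for TLSv1.2 but tickets for TLSv1.3, while an explicit `-Djdk.tls.client.enableSessionTicketExtension=false` switches off TLSv1.3 resumption as well. I would add a comment above the first constant, e.g. `// Each pair reads the same property; only the default differs so that tickets stay off for TLSv1.2 but on for TLSv1.3 (matching OpenJDK). An explicit setting governs both protocols.` Since these are package-private and consulted per engine elsewhere, it is also worth noting that the property is read once at class initialisation, so changing it at runtime has no effect.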
@ -351,6 +351,22 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc
|
||||
SSL.setMode(ssl, SSL.getMode(ssl) | SSL.SSL_MODE_ENABLE_PARTIAL_WRITE);
|
||||
}
|
||||
|
||||
if (isProtocolEnabled(SSL.getOptions(ssl), SSL.SSL_OP_NO_TLSv1_3, PROTOCOL_TLS_V1_3)) {
|
||||
final boolean enableTickets = clientMode ?
|
||||
ReferenceCountedOpenSslContext.CLIENT_ENABLE_SESSION_TICKET_TLSV13 :
|
||||
ReferenceCountedOpenSslContext.SERVER_ENABLE_SESSION_TICKET_TLSV13;
|
||||
if (enableTickets) {
|
||||
// We should enable session tickets for stateless resumption when TLSv1.3 is enabled. This
|
||||
// is also done by OpenJDK and without this session resumption does not work at all with
|
||||
// BoringSSL when TLSv1.3 is used as BoringSSL only supports stateless resumption with TLSv1.3:
|
||||
//
|
||||
// See:
|
||||
// - https://bugs.openjdk.java.net/browse/JDK-8223922
|
||||
// - https://boringssl.googlesource.com/boringssl/+/refs/heads/master/ssl/tls13_server.cc#104
|
||||
SSL.clearOptions(ssl, SSL.SSL_OP_NO_TICKET);
|
||||
}
|
||||
}
|
||||
|
||||
// setMode may impact the overhead.
|
||||
calculateMaxWrapOverhead();
|
||||
} catch (Throwable cause) {
|
||||
|
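Review bot: The `SSL.clearOptions(ssl, SSL.SSL_OP_NO_TICKET)` call is gated only on TLSv1.3 being enabled and the `*_TLSV13` flag, but `SSL_OP_NO_TICKET` is, as far as I know, not scoped to a protocol version, so on an engine that still offers TLSv1.2 this also permits ticket-based resumption on TLSv1.2 handshakes even though `CLIENT_ENABLE_SESSION_TICKET` and `SERVER_ENABLE_SESSION_TICKET` default to false. If that is accepted, the comment block should say so; if not, the condition needs to consider the TLSv1.2 flags too, or the option must be adjusted once the version is negotiated. I would append to the existing comment `// NOTE: SSL_OP_NO_TICKET is not per-protocol; clearing it also allows tickets on TLSv1.2 handshakes negotiated by this engine.` On the server side the tickets issued after this change are presumably protected by whatever ticket key the SSL_CTX holds, while `setTicketKeys()` is only called when the separate `SERVER_ENABLE_SESSION_TICKET` flag is set, so the key source and its rotation deserve a sentence in the comment as well. The enclosing try block and `isProtocolEnabled` are outside the hunk, so I cannot confirm that no later statement re-sets the option.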
@ -50,9 +50,6 @@ public final class ReferenceCountedOpenSslServerContext extends ReferenceCounted
|
||||
private static final byte[] ID = {'n', 'e', 't', 't', 'y'};
|
||||
private final OpenSslServerSessionContext sessionContext;
|
||||
|
||||
private static final boolean ENABLE_SESSION_TICKET =
|
||||
SystemPropertyUtil.getBoolean("jdk.tls.server.enableSessionTicketExtension", false);
|
||||
|
||||
ReferenceCountedOpenSslServerContext(
|
||||
X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
|
||||
X509Certificate[] keyCertChain, PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
|
||||
@ -77,7 +74,7 @@ public final class ReferenceCountedOpenSslServerContext extends ReferenceCounted
|
||||
try {
|
||||
sessionContext = newSessionContext(this, ctx, engineMap, trustCertCollection, trustManagerFactory,
|
||||
keyCertChain, key, keyPassword, keyManagerFactory, keyStore);
|
||||
if (ENABLE_SESSION_TICKET) {
|
||||
if (SERVER_ENABLE_SESSION_TICKET) {
|
||||
sessionContext.setTicketKeys();
|
||||
}
|
||||
success = true;
|
||||
|