From 69db5bff7126fb1d4c26370aa20b258f14246da4 Mon Sep 17 00:00:00 2001
From: Norman Maurer
Date: Fri, 15 May 2020 10:01:09 +0200
Subject: [PATCH] Respect jdk.tls.client.enableSessionTicketExtension and jdk.tls.server.enableSessionTicketExtension when using native SSL impl (#10296)
Motivation: We should respect jdk.tls.client.enableSessionTicketExtension and jdk.tls.server.enableSessionTicketExtension when using the native SSL implementation as well to make the usage of it easier and more consistent. These properties were introduced by JDK13: https://seanjmullan.org/blog/2019/08/05/jdk13
Modifications: Check if the properties are set to true and if so enable tickets
Result: Easier to enable tickets and be more consistent
---
 .../handler/ssl/ReferenceCountedOpenSslClientContext.java | 6 ++++++
 .../handler/ssl/ReferenceCountedOpenSslServerContext.java | 7 +++++++
 2 files changed, 13 insertions(+)
diff --git a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslClientContext.java b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslClientContext.java
index 56893b3f69..6b945506b9 100644
--- a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslClientContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslClientContext.java
@@ -17,6 +17,7 @@ package io.netty.handler.ssl;
 import io.netty.internal.tcnative.CertificateCallback;
 import io.netty.util.internal.SuppressJava6Requirement;
+import io.netty.util.internal.SystemPropertyUtil;
 import io.netty.util.internal.logging.InternalLogger;
 import io.netty.util.internal.logging.InternalLoggerFactory;
 import io.netty.internal.tcnative.SSL;
@@ -56,6 +57,8 @@ public final class ReferenceCountedOpenSslClientContext extends ReferenceCounted OpenSslKeyMaterialManager.KEY_TYPE_EC, OpenSslKeyMaterialManager.KEY_TYPE_EC_RSA, OpenSslKeyMaterialManager.KEY_TYPE_EC_EC))); + private static final boolean ENABLE_SESSION_TICKET = + SystemPropertyUtil.getBoolean("jdk.tls.client.enableSessionTicketExtension", false); private final OpenSslSessionContext sessionContext; ReferenceCountedOpenSslClientContext(X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory, @@ -70,6 +73,9 @@ public final class ReferenceCountedOpenSslClientContext extends ReferenceCounted try { sessionContext = newSessionContext(this, ctx, engineMap, trustCertCollection, trustManagerFactory, keyCertChain, key, keyPassword, keyManagerFactory, keyStore); + if (ENABLE_SESSION_TICKET) { + sessionContext.setTicketKeys(); + } success = true; } finally { if (!success) { diff --git a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslServerContext.java b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslServerContext.java index 6d78e6d0ac..bac027a3b4 100644 --- a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslServerContext.java +++ b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslServerContext.java @@ -23,6 +23,7 @@ import io.netty.internal.tcnative.SniHostNameMatcher; import io.netty.util.CharsetUtil; import io.netty.util.internal.PlatformDependent; import io.netty.util.internal.SuppressJava6Requirement; +import io.netty.util.internal.SystemPropertyUtil; import io.netty.util.internal.logging.InternalLogger; import io.netty.util.internal.logging.InternalLoggerFactory; 
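Review bot: The new `ENABLE_SESSION_TICKET` constant in the `@@ -56,6 +57,8` hunk is read once at class initialization and carries no comment, so a reader cannot tell that the property has to be set before `ReferenceCountedOpenSslClientContext` is first loaded, or that it is meant to mirror the JDK property of the same name; the same applies to the server-side constant in `@@ -51,6 +52,9`, which is also placed after the instance field `sessionContext` while the client version sits before it, so the two classes differ in field ordering for no visible reason. A Javadoc on each field would make the contract explicit: `/** Mirrors the JDK's {@code jdk.tls.client.enableSessionTicketExtension}; read once when this class is initialized, so later changes to the property have no effect. */`. The default passed to `SystemPropertyUtil.getBoolean` is `false`; if the JDK's own default for this property differs in the releases that define it, that divergence belongs in the same comment, but whether it differs is not visible from this patch.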
@@ -51,6 +52,9 @@ public final class ReferenceCountedOpenSslServerContext extends ReferenceCounted private static final byte[] ID = {'n', 'e', 't', 't', 'y'}; private final OpenSslServerSessionContext sessionContext; + private static final boolean ENABLE_SESSION_TICKET = + SystemPropertyUtil.getBoolean("jdk.tls.server.enableSessionTicketExtension", false); + ReferenceCountedOpenSslServerContext( X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory, X509Certificate[] keyCertChain, PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory, @@ -75,6 +79,9 @@ public final class ReferenceCountedOpenSslServerContext extends ReferenceCounted try { sessionContext = newSessionContext(this, ctx, engineMap, trustCertCollection, trustManagerFactory, keyCertChain, key, keyPassword, keyManagerFactory, keyStore); + if (ENABLE_SESSION_TICKET) { + sessionContext.setTicketKeys(); + } success = true; } finally { if (!success) {
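Review bot: `sessionContext.setTicketKeys()` in the `@@ -75,6 +79,9` hunk is called with no keys, so, if I read netty's `OpenSslSessionContext.setTicketKeys(OpenSslSessionTicketKey...)` correctly, this only lifts `SSL_OP_NO_TICKET` and leaves OpenSSL to use a ticket key it generates itself for this context. That key then lives as long as the context, is never rotated, and is not shared with any other server instance, so tickets issued by one process cannot be resumed by another; anyone enabling the property for resumption across restarts or a fleet will not get that behaviour without supplying keys explicitly. The constructor body continues outside the hunk. A comment at the call site would spare the next reader that investigation: `// No explicit keys: OpenSSL uses a per-context generated ticket key; callers needing rotation or cross-instance resumption must call setTicketKeys(OpenSslSessionTicketKey...) themselves.`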