[#5401] Support -Djdk.tls.ephemeralDHKeySize=num when using OpenSslContext

Motivation: Java8+ adds support set a DH key size via a System property (jdk.tls.ephemeralDHKeySize). We should respect this when using OpenSSL. Modifications: Respect system property. Result: More consistent SSL implementation.
2016-06-16 14:56:30 +02:00 · 2016-06-16 14:56:30 +02:00 · 707784081e
commit 707784081e
parent b0f0922834
1 changed files with 29 additions and 18 deletions
--- a/handler/src/main/java/io/netty/handler/ssl/OpenSslContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/OpenSslContext.java
@ -32,10 +32,10 @@ import javax.net.ssl.SSLHandshakeException;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509ExtendedTrustManager;
 import javax.net.ssl.X509TrustManager;
-import java.io.File;
+import java.security.AccessController;
 import java.security.PrivateKey;
+import java.security.PrivilegedAction;
 import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
 import java.security.cert.CertificateExpiredException;
 import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.CertificateRevokedException;
@ -63,6 +63,7 @@ public abstract class OpenSslContext extends SslContext {
    private static final boolean JDK_REJECT_CLIENT_INITIATED_RENEGOTIATION =
            SystemPropertyUtil.getBoolean("jdk.tls.rejectClientInitiatedRenegotiation", false);
    private static final List<String> DEFAULT_CIPHERS;
+    private static final Integer DH_KEY_LENGTH;

    // TODO: Maybe make configurable ?
    protected static final int VERIFY_DEPTH = 10;
@ -122,6 +123,28 @@ public abstract class OpenSslContext extends SslContext {
        if (logger.isDebugEnabled()) {
            logger.debug("Default cipher suite (OpenSSL): " + ciphers);
        }
+
+        Integer dhLen = null;
+
+        try {
+            String dhKeySize = AccessController.doPrivileged(new PrivilegedAction<String>() {
+                @Override
+                public String run() {
+                    return SystemPropertyUtil.get("jdk.tls.ephemeralDHKeySize");
+                }
+            });
+            if (dhKeySize != null) {
+                try {
+                    dhLen = Integer.parseInt(dhKeySize);
+                } catch (NumberFormatException e) {
+                    logger.debug("OpenSslContext only support -Djdk.tls.ephemeralDHKeySize={int}, but got: "
+                            + dhKeySize);
+                }
+            }
+        } catch (Throwable ignore) {
+            // ignore
+        }
+        DH_KEY_LENGTH = dhLen;
    }

    OpenSslContext(Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apnCfg,
@ -203,6 +226,10 @@ public abstract class OpenSslContext extends SslContext {
                // See https://github.com/netty/netty-tcnative/issues/100
                SSLContext.setMode(ctx, SSLContext.getMode(ctx) | SSL.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);

+                if (DH_KEY_LENGTH != null) {
+                    SSLContext.setTmpDHLength(ctx, DH_KEY_LENGTH);
+                }
+
                /* List the ciphers that are permitted to negotiate. */
                try {
                    SSLContext.setCipherSuite(ctx, CipherSuiteConverter.toOpenSsl(unmodifiableCiphers));
@ -587,20 +614,4 @@ public abstract class OpenSslContext extends SslContext {
            buffer.release();
        }
    }
-
-    static PrivateKey toPrivateKeyInternal(File keyFile, String keyPassword) throws SSLException {
-        try {
-            return SslContext.toPrivateKey(keyFile, keyPassword);
-        } catch (Exception e) {
-            throw new SSLException(e);
-        }
-    }
-
-    static X509Certificate[] toX509CertificatesInternal(File file) throws SSLException {
-        try {
-            return SslContext.toX509Certificates(file);
-        } catch (CertificateException e) {
-            throw new SSLException(e);
-        }
-    }
 }