Ensure we only log message on BoringSSL when the ciphers really are not the default (#11583)

Motivation:

0c9a86db81 added a change to log a message if someone tried to change the TLSv1.3 ciphers when using BoringSSL. Unfortunally the code had some error and so even if the user did not change these we logged something.

Modifications:

- Ensure there are no duplicates in the ciphers
- Correctly take TLSv1.3 extra ciphers into account when using BoringSSL

Result:

Correctly log or not log
This commit is contained in:
Norman Maurer 2021-08-16 22:23:25 +02:00
parent 3e2e36eac5
commit 8083818b45
3 changed files with 11 additions and 4 deletions

View File

@ -307,6 +307,8 @@ public final class OpenSsl {
addIfSupported(availableJavaCipherSuites, defaultCiphers, DEFAULT_CIPHER_SUITES);
addIfSupported(availableJavaCipherSuites, defaultCiphers, TLSV13_CIPHER_SUITES);
// Also handle the extra supported ciphers as these will contain some more stuff on BoringSSL.
addIfSupported(availableJavaCipherSuites, defaultCiphers, EXTRA_SUPPORTED_TLS_1_3_CIPHERS);
useFallbackCiphersIfDefaultIsEmpty(defaultCiphers, availableJavaCipherSuites);
DEFAULT_CIPHERS = Collections.unmodifiableList(defaultCiphers);

View File

@ -45,8 +45,10 @@ import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateRevokedException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
@ -257,8 +259,12 @@ public abstract class ReferenceCountedOpenSslContext extends SslContext implemen
this.keyCertChain = keyCertChain == null ? null : keyCertChain.clone();
unmodifiableCiphers = Arrays.asList(requireNonNull(cipherFilter, "cipherFilter").filterCipherSuites(
ciphers, DEFAULT_CIPHERS, availableJavaCipherSuites()));
String[] suites = requireNonNull(cipherFilter, "cipherFilter").filterCipherSuites(
ciphers, DEFAULT_CIPHERS, availableJavaCipherSuites());
// Filter out duplicates.
LinkedHashSet<String> suitesSet = new LinkedHashSet<>(suites.length);
Collections.addAll(suitesSet, suites);
unmodifiableCiphers = new ArrayList<>(suitesSet);
this.apn = requireNonNull(apn, "apn");

View File

@ -33,7 +33,6 @@ import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
@ -120,7 +119,7 @@ final class SslUtils {
DEFAULT_TLSV13_CIPHER_SUITES = EmptyArrays.EMPTY_STRINGS;
}
List<String> defaultCiphers = new ArrayList<>();
Set<String> defaultCiphers = new LinkedHashSet<>();
// GCM (Galois/Counter Mode) requires JDK 8.
defaultCiphers.add("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384");
defaultCiphers.add("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");