Filter user-provided ciphers using RFC cipher names
Motivation:
Previously filterCipherSuites was being passed the OpenSSL-formatted
cipher names. Commit 43ae974
introduced a regression as it swapped to the
RFC/JDK format, except that user-provided ciphers were not converted and
remained in the OpenSSL format.
This mismatch would cause all user-provided ciphers to be thrown away, leading
to a failure when trying to set zero ciphers:
Exception in thread "main" javax.net.ssl.SSLException: failed to set cipher suite: []
at io.netty.handler.ssl.ReferenceCountedOpenSslContext.<init>(ReferenceCountedOpenSslContext.java:299)
at io.netty.handler.ssl.OpenSslContext.<init>(OpenSslContext.java:43)
at io.netty.handler.ssl.OpenSslServerContext.<init>(OpenSslServerContext.java:347)
at io.netty.handler.ssl.OpenSslServerContext.<init>(OpenSslServerContext.java:335)
at io.netty.handler.ssl.SslContext.newServerContextInternal(SslContext.java:421)
at io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:441)
Caused by: java.lang.Exception: Unable to configure permitted SSL ciphers (error:100000b1:SSL routines:OPENSSL_internal:NO_CIPHER_MATCH)
at io.netty.internal.tcnative.SSLContext.setCipherSuite(Native Method)
at io.netty.handler.ssl.ReferenceCountedOpenSslContext.<init>(ReferenceCountedOpenSslContext.java:295)
... 7 more
Modifications:
Remove the reformatting of user-provided ciphers, as they are already in
the RFC/JDK format.
Result:
No regression, and the internals stay sane using the RFC/JDK format.
This commit is contained in:
parent
d141ba11bf
commit
8a25c35939
@ -235,26 +235,9 @@ public abstract class ReferenceCountedOpenSslContext extends SslContext implemen
|
|||||||
JDK_REJECT_CLIENT_INITIATED_RENEGOTIATION;
|
JDK_REJECT_CLIENT_INITIATED_RENEGOTIATION;
|
||||||
}
|
}
|
||||||
this.keyCertChain = keyCertChain == null ? null : keyCertChain.clone();
|
this.keyCertChain = keyCertChain == null ? null : keyCertChain.clone();
|
||||||
final List<String> convertedCiphers;
|
|
||||||
if (ciphers == null) {
|
|
||||||
convertedCiphers = null;
|
|
||||||
} else {
|
|
||||||
convertedCiphers = new ArrayList<String>();
|
|
||||||
for (String c : ciphers) {
|
|
||||||
if (c == null) {
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
String converted = CipherSuiteConverter.toOpenSsl(c);
|
|
||||||
if (converted != null) {
|
|
||||||
c = converted;
|
|
||||||
}
|
|
||||||
convertedCiphers.add(c);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
unmodifiableCiphers = Arrays.asList(checkNotNull(cipherFilter, "cipherFilter").filterCipherSuites(
|
unmodifiableCiphers = Arrays.asList(checkNotNull(cipherFilter, "cipherFilter").filterCipherSuites(
|
||||||
convertedCiphers, DEFAULT_CIPHERS, availableJavaCipherSuites()));
|
ciphers, DEFAULT_CIPHERS, availableJavaCipherSuites()));
|
||||||
|
|
||||||
this.apn = checkNotNull(apn, "apn");
|
this.apn = checkNotNull(apn, "apn");
|
||||||
|
|
||||||
|
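Review bot: Removing the conversion loop also removes its `if (c == null) break;` guard, so a null element in `ciphers` now reaches `cipherFilter.filterCipherSuites(...)` on the new line `ciphers, DEFAULT_CIPHERS, availableJavaCipherSuites()));` instead of truncating the list at that point; whether every CipherSuiteFilter implementation tolerates a null entry is not visible in this hunk, so either keep a null guard or state the requirement. A short comment above the call would also record the format contract this fix depends on, e.g. `// ciphers are expected as RFC/JDK names (not OpenSSL names); the filter compares them against availableJavaCipherSuites().` The constructor body continues outside the hunk.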
@ -1714,6 +1714,37 @@ public abstract class SSLEngineTest {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testHandshakeCompletesWithoutFilteringSupportedCipher() throws Exception {
|
||||||
|
SelfSignedCertificate ssc = new SelfSignedCertificate();
|
||||||
|
// Select a mandatory cipher from the TLSv1.2 RFC https://www.ietf.org/rfc/rfc5246.txt so handshakes won't fail
|
||||||
|
// due to no shared/supported cipher.
|
||||||
|
final String sharedCipher = "TLS_RSA_WITH_AES_128_CBC_SHA";
|
||||||
|
clientSslCtx = SslContextBuilder.forClient()
|
||||||
|
.trustManager(InsecureTrustManagerFactory.INSTANCE)
|
||||||
|
.ciphers(Arrays.asList(sharedCipher), SupportedCipherSuiteFilter.INSTANCE)
|
||||||
|
.protocols(PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1)
|
||||||
|
.sslProvider(sslClientProvider())
|
||||||
|
.build();
|
||||||
|
|
||||||
|
serverSslCtx = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
|
||||||
|
.ciphers(Arrays.asList(sharedCipher), SupportedCipherSuiteFilter.INSTANCE)
|
||||||
|
.protocols(PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1)
|
||||||
|
.sslProvider(sslServerProvider())
|
||||||
|
.build();
|
||||||
|
SSLEngine clientEngine = null;
|
||||||
|
SSLEngine serverEngine = null;
|
||||||
|
try {
|
||||||
|
clientEngine = clientSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
||||||
|
serverEngine = serverSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
||||||
|
handshake(clientEngine, serverEngine);
|
||||||
|
} finally {
|
||||||
|
cleanupClientSslEngine(clientEngine);
|
||||||
|
cleanupServerSslEngine(serverEngine);
|
||||||
|
ssc.delete();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testPacketBufferSizeLimit() throws Exception {
|
public void testPacketBufferSizeLimit() throws Exception {
|
||||||
SelfSignedCertificate cert = new SelfSignedCertificate();
|
SelfSignedCertificate cert = new SelfSignedCertificate();
|
||||||
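Review bot: testHandshakeCompletesWithoutFilteringSupportedCipher only checks that `handshake(clientEngine, serverEngine);` returns, so it would still pass if the user-provided list were ignored and a default cipher negotiated instead; pinning the negotiated suite makes the test specific to the regression it guards against, e.g. after the handshake add `assertEquals(sharedCipher, clientEngine.getSession().getCipherSuite());` and `assertEquals(sharedCipher, serverEngine.getSession().getCipherSuite());`. Also, `ssc` is created and both contexts are built before the `try`, so a failing `build()` skips `ssc.delete()` in the finally block; moving the two builder calls inside the try (or creating `ssc` after them is not possible, so widening the try) would keep the cleanup reliable.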
|