Remove workaround in tests for TLSv1.3 bug in Java11 as it was fixed in 11.0.1 (#8409)

Motivation:

We had put a workaround in our tests due to a bug in the Java11 implementation of TLSv1.3. This was fixed as part of 11.0.1.

See https://bugs.openjdk.java.net/browse/JDK-8211067.

Modifications:

Remove workaround in SSL tests.

Result:

Run all tests with supported TLS version.
This commit is contained in:
Norman Maurer 2018-10-19 17:21:04 +02:00 committed by GitHub
parent 87ec2f882a
commit 91201fb338
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 16 additions and 43 deletions


@ -15,12 +15,6 @@
*/ */
package io.netty.handler.ssl; package io.netty.handler.ssl;
import io.netty.util.internal.PlatformDependent;
import java.util.Arrays;
import java.util.Collections;
import static io.netty.handler.ssl.SslUtils.PROTOCOL_TLS_V1_2;
import static org.junit.Assume.assumeTrue; import static org.junit.Assume.assumeTrue;
final class OpenSslTestUtils { final class OpenSslTestUtils {
@ -34,17 +28,4 @@ final class OpenSslTestUtils {
static boolean isBoringSSL() { static boolean isBoringSSL() {
return "BoringSSL".equals(OpenSsl.versionString()); return "BoringSSL".equals(OpenSsl.versionString());
} }
static SslContextBuilder configureProtocolForMutualAuth(
SslContextBuilder ctx, SslProvider sslClientProvider, SslProvider sslServerProvider) {
if (PlatformDependent.javaVersion() >= 11
&& sslClientProvider == SslProvider.JDK && sslServerProvider != SslProvider.JDK) {
// Make sure we do not use TLSv1.3 as there seems to be a bug currently in the JDK TLSv1.3 implementation.
// See:
// - http://mail.openjdk.java.net/pipermail/security-dev/2018-September/018191.html
// - https://bugs.openjdk.java.net/projects/JDK/issues/JDK-8210846
ctx.protocols(PROTOCOL_TLS_V1_2).ciphers(Collections.singleton("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));
}
return ctx;
}
} }


@ -36,7 +36,6 @@ import io.netty.channel.socket.nio.NioSocketChannel;
import io.netty.handler.ssl.ApplicationProtocolConfig.Protocol; import io.netty.handler.ssl.ApplicationProtocolConfig.Protocol;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory; import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import io.netty.handler.ssl.util.SelfSignedCertificate; import io.netty.handler.ssl.util.SelfSignedCertificate;
import io.netty.handler.ssl.util.SimpleTrustManagerFactory;
import io.netty.util.CharsetUtil; import io.netty.util.CharsetUtil;
import io.netty.util.NetUtil; import io.netty.util.NetUtil;
import io.netty.util.ReferenceCountUtil; import io.netty.util.ReferenceCountUtil;
@ -46,7 +45,6 @@ import io.netty.util.internal.EmptyArrays;
import io.netty.util.internal.PlatformDependent; import io.netty.util.internal.PlatformDependent;
import io.netty.util.internal.StringUtil; import io.netty.util.internal.StringUtil;
import org.junit.After; import org.junit.After;
import org.junit.Assert;
import org.junit.Assume; import org.junit.Assume;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
@ -61,9 +59,7 @@ import java.io.InputStream;
import java.net.InetSocketAddress; import java.net.InetSocketAddress;
import java.nio.ByteBuffer; import java.nio.ByteBuffer;
import java.nio.channels.ClosedChannelException; import java.nio.channels.ClosedChannelException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore; import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider; import java.security.Provider;
import java.security.cert.Certificate; import java.security.cert.Certificate;
import java.security.cert.CertificateException; import java.security.cert.CertificateException;
@ -655,16 +651,12 @@ public abstract class SSLEngineTest {
protected void mySetupMutualAuthServerInitSslHandler(SslHandler handler) { protected void mySetupMutualAuthServerInitSslHandler(SslHandler handler) {
} }
private SslContextBuilder configureProtocolForMutualAuth(SslContextBuilder ctx) {
return OpenSslTestUtils.configureProtocolForMutualAuth(ctx, sslClientProvider(), sslServerProvider());
}
private void mySetupMutualAuth(KeyManagerFactory serverKMF, final File serverTrustManager, private void mySetupMutualAuth(KeyManagerFactory serverKMF, final File serverTrustManager,
KeyManagerFactory clientKMF, File clientTrustManager, KeyManagerFactory clientKMF, File clientTrustManager,
ClientAuth clientAuth, final boolean failureExpected, ClientAuth clientAuth, final boolean failureExpected,
final boolean serverInitEngine) final boolean serverInitEngine)
throws SSLException, InterruptedException { throws SSLException, InterruptedException {
serverSslCtx = configureProtocolForMutualAuth( serverSslCtx =
SslContextBuilder.forServer(serverKMF) SslContextBuilder.forServer(serverKMF)
.protocols(protocols()) .protocols(protocols())
.ciphers(ciphers()) .ciphers(ciphers())
@ -674,9 +666,9 @@ public abstract class SSLEngineTest {
.clientAuth(clientAuth) .clientAuth(clientAuth)
.ciphers(null, IdentityCipherSuiteFilter.INSTANCE) .ciphers(null, IdentityCipherSuiteFilter.INSTANCE)
.sessionCacheSize(0) .sessionCacheSize(0)
.sessionTimeout(0)).build(); .sessionTimeout(0).build();
clientSslCtx = configureProtocolForMutualAuth( clientSslCtx =
SslContextBuilder.forClient() SslContextBuilder.forClient()
.protocols(protocols()) .protocols(protocols())
.ciphers(ciphers()) .ciphers(ciphers())
@ -686,7 +678,7 @@ public abstract class SSLEngineTest {
.keyManager(clientKMF) .keyManager(clientKMF)
.ciphers(null, IdentityCipherSuiteFilter.INSTANCE) .ciphers(null, IdentityCipherSuiteFilter.INSTANCE)
.sessionCacheSize(0) .sessionCacheSize(0)
.sessionTimeout(0)).build(); .sessionTimeout(0).build();
serverConnectedChannel = null; serverConnectedChannel = null;
sb = new ServerBootstrap(); sb = new ServerBootstrap();
@ -941,7 +933,7 @@ public abstract class SSLEngineTest {
File servertTrustCrtFile, File serverKeyFile, final File serverCrtFile, String serverKeyPassword, File servertTrustCrtFile, File serverKeyFile, final File serverCrtFile, String serverKeyPassword,
File clientTrustCrtFile, File clientKeyFile, File clientCrtFile, String clientKeyPassword) File clientTrustCrtFile, File clientKeyFile, File clientCrtFile, String clientKeyPassword)
throws InterruptedException, SSLException { throws InterruptedException, SSLException {
serverSslCtx = configureProtocolForMutualAuth( serverSslCtx =
SslContextBuilder.forServer(serverCrtFile, serverKeyFile, serverKeyPassword) SslContextBuilder.forServer(serverCrtFile, serverKeyFile, serverKeyPassword)
.sslProvider(sslServerProvider()) .sslProvider(sslServerProvider())
.sslContextProvider(serverSslContextProvider()) .sslContextProvider(serverSslContextProvider())
@ -950,8 +942,8 @@ public abstract class SSLEngineTest {
.trustManager(servertTrustCrtFile) .trustManager(servertTrustCrtFile)
.ciphers(null, IdentityCipherSuiteFilter.INSTANCE) .ciphers(null, IdentityCipherSuiteFilter.INSTANCE)
.sessionCacheSize(0) .sessionCacheSize(0)
.sessionTimeout(0)).build(); .sessionTimeout(0).build();
clientSslCtx = configureProtocolForMutualAuth( clientSslCtx =
SslContextBuilder.forClient() SslContextBuilder.forClient()
.sslProvider(sslClientProvider()) .sslProvider(sslClientProvider())
.sslContextProvider(clientSslContextProvider()) .sslContextProvider(clientSslContextProvider())
@ -961,7 +953,7 @@ public abstract class SSLEngineTest {
.keyManager(clientCrtFile, clientKeyFile, clientKeyPassword) .keyManager(clientCrtFile, clientKeyFile, clientKeyPassword)
.ciphers(null, IdentityCipherSuiteFilter.INSTANCE) .ciphers(null, IdentityCipherSuiteFilter.INSTANCE)
.sessionCacheSize(0) .sessionCacheSize(0)
.sessionTimeout(0)).build(); .sessionTimeout(0).build();
serverConnectedChannel = null; serverConnectedChannel = null;
sb = new ServerBootstrap(); sb = new ServerBootstrap();
@ -1611,7 +1603,7 @@ public abstract class SSLEngineTest {
@Test(timeout = 30000) @Test(timeout = 30000)
public void testMutualAuthSameCertChain() throws Exception { public void testMutualAuthSameCertChain() throws Exception {
serverSslCtx = configureProtocolForMutualAuth( serverSslCtx =
SslContextBuilder.forServer( SslContextBuilder.forServer(
new ByteArrayInputStream(X509_CERT_PEM.getBytes(CharsetUtil.UTF_8)), new ByteArrayInputStream(X509_CERT_PEM.getBytes(CharsetUtil.UTF_8)),
new ByteArrayInputStream(PRIVATE_KEY_PEM.getBytes(CharsetUtil.UTF_8))) new ByteArrayInputStream(PRIVATE_KEY_PEM.getBytes(CharsetUtil.UTF_8)))
@ -1619,7 +1611,7 @@ public abstract class SSLEngineTest {
.clientAuth(ClientAuth.REQUIRE).sslProvider(sslServerProvider()) .clientAuth(ClientAuth.REQUIRE).sslProvider(sslServerProvider())
.sslContextProvider(serverSslContextProvider()) .sslContextProvider(serverSslContextProvider())
.protocols(protocols()) .protocols(protocols())
.ciphers(ciphers())).build(); .ciphers(ciphers()).build();
sb = new ServerBootstrap(); sb = new ServerBootstrap();
sb.group(new NioEventLoopGroup(), new NioEventLoopGroup()); sb.group(new NioEventLoopGroup(), new NioEventLoopGroup());
@ -1670,14 +1662,14 @@ public abstract class SSLEngineTest {
} }
}).bind(new InetSocketAddress(0)).syncUninterruptibly().channel(); }).bind(new InetSocketAddress(0)).syncUninterruptibly().channel();
clientSslCtx = configureProtocolForMutualAuth( clientSslCtx =
SslContextBuilder.forClient().keyManager( SslContextBuilder.forClient().keyManager(
new ByteArrayInputStream(CLIENT_X509_CERT_CHAIN_PEM.getBytes(CharsetUtil.UTF_8)), new ByteArrayInputStream(CLIENT_X509_CERT_CHAIN_PEM.getBytes(CharsetUtil.UTF_8)),
new ByteArrayInputStream(CLIENT_PRIVATE_KEY_PEM.getBytes(CharsetUtil.UTF_8))) new ByteArrayInputStream(CLIENT_PRIVATE_KEY_PEM.getBytes(CharsetUtil.UTF_8)))
.trustManager(new ByteArrayInputStream(X509_CERT_PEM.getBytes(CharsetUtil.UTF_8))) .trustManager(new ByteArrayInputStream(X509_CERT_PEM.getBytes(CharsetUtil.UTF_8)))
.sslProvider(sslClientProvider()) .sslProvider(sslClientProvider())
.sslContextProvider(clientSslContextProvider()) .sslContextProvider(clientSslContextProvider())
.protocols(protocols()).ciphers(ciphers())).build(); .protocols(protocols()).ciphers(ciphers()).build();
cb = new Bootstrap(); cb = new Bootstrap();
cb.group(new NioEventLoopGroup()); cb.group(new NioEventLoopGroup());
cb.channel(NioSocketChannel.class); cb.channel(NioSocketChannel.class);
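Review bot: With the TLSv1.2 pin removed in the mySetupMutualAuth hunk (-655), the JDK-client/OpenSSL-server combination now negotiates whatever protocols() returns, so on a Java 11 runtime older than 11.0.1 the mutual-auth tests will presumably fail with the handshake bug the workaround covered, and nothing in the new code records that minimum. I would add an assumption or at least a comment at the first serverSslCtx assignment, e.g. `// TLSv1.3 mutual auth with the JDK provider needs JDK >= 11.0.1 (JDK-8211067); older 11 builds fail the handshake.` The same applies to the hunks at -941, -1611 and -1670 and to the two contexts built in SslErrorTest. As a style point, the leftover `serverSslCtx =` / `clientSslCtx =` on a line of their own with the builder chain starting on the next line reads as a remnant of the removed wrapper call; `serverSslCtx = SslContextBuilder.forServer(serverKMF)` on one line would match the rest of the file. mySetupMutualAuth starts inside the hunk but its body continues outside it.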


@ -124,7 +124,7 @@ public class SslErrorTest {
Assume.assumeTrue(OpenSsl.isAvailable()); Assume.assumeTrue(OpenSsl.isAvailable());
SelfSignedCertificate ssc = new SelfSignedCertificate(); SelfSignedCertificate ssc = new SelfSignedCertificate();
final SslContext sslServerCtx = OpenSslTestUtils.configureProtocolForMutualAuth( final SslContext sslServerCtx =
SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey()) SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
.sslProvider(serverProvider) .sslProvider(serverProvider)
.trustManager(new SimpleTrustManagerFactory() { .trustManager(new SimpleTrustManagerFactory() {
@ -155,13 +155,13 @@ public class SslErrorTest {
} }
} }; } };
} }
}).clientAuth(ClientAuth.REQUIRE), clientProvider, serverProvider).build(); }).clientAuth(ClientAuth.REQUIRE).build();
final SslContext sslClientCtx = OpenSslTestUtils.configureProtocolForMutualAuth(SslContextBuilder.forClient() final SslContext sslClientCtx = SslContextBuilder.forClient()
.trustManager(InsecureTrustManagerFactory.INSTANCE) .trustManager(InsecureTrustManagerFactory.INSTANCE)
.keyManager(new File(getClass().getResource("test.crt").getFile()), .keyManager(new File(getClass().getResource("test.crt").getFile()),
new File(getClass().getResource("test_unencrypted.pem").getFile())) new File(getClass().getResource("test_unencrypted.pem").getFile()))
.sslProvider(clientProvider), clientProvider, serverProvider).build(); .sslProvider(clientProvider).build();
Channel serverChannel = null; Channel serverChannel = null;
Channel clientChannel = null; Channel clientChannel = null;