Allow to have the session tickets automatically managed by the native… (#10280)
Motivation: BoringSSL supports automatically managing the session tickets to be used, including rotating them. This is often preferred by users as it removes some complexity. We should support making use of this. Modifications: - Allow setSessionTickets() to be called without an argument or with an empty array - Add tests Result: Easier usage of session tickets
This commit is contained in:
parent
2183b37892
commit
91ca3d332f
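--- a/OpenSslSessionContext.java
+++ b/OpenSslSessionContext.java
@@ -97,7 +97,11 @@ public abstract class OpenSslSessionContext implements SSLSessionContext {
     }
 
     /**
-     * Sets the SSL session ticket keys of this context.
+     * Sets the SSL session ticket keys of this context. Depending on the underlying native library you may omit the
+     * argument or pass an empty array and so let the native library handle the key generation and rotating for you.
+     * If this is supported by the underlying native library should be checked in this case. For example
+     * <a href="https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Session-tickets/">
+     * BoringSSL</a> is known to support this.
      */
     public void setTicketKeys(OpenSslSessionTicketKey... keys) {
         ObjectUtil.checkNotNull(keys, "keys");
@@ -109,7 +113,9 @@ public abstract class OpenSslSessionContext implements SSLSessionContext {
         writerLock.lock();
         try {
             SSLContext.clearOptions(context.ctx, SSL.SSL_OP_NO_TICKET);
-            SSLContext.setSessionTicketKeys(context.ctx, ticketKeys);
+            if (ticketKeys.length > 0) {
+                SSLContext.setSessionTicketKeys(context.ctx, ticketKeys);
+            }
         } finally {
             writerLock.unlock();
         }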
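Review bot: With an empty keys array the new branch at `if (ticketKeys.length > 0)` skips `setSessionTicketKeys`, so keys installed by an earlier `setTicketKeys(...)` call on the same context appear to stay in place rather than being replaced by library-managed ones, while the Javadoc above reads as if an empty array hands key handling over to the native library. If the native API offers no way to drop previously set keys, say so in the Javadoc: `* Keys installed by a previous call are not removed when no key is passed.` The Javadoc also says library support "should be checked", but the method does no such check and still clears `SSL_OP_NO_TICKET`, so on a library without automatic management tickets are enabled with whatever default key handling that library has; either check here or state that explicitly in the comment. The lines that build `ticketKeys` from `keys` lie between the two hunks and the end of `setTicketKeys` is outside them, so this is inferred from the visible lines only.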
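--- a/SslHandlerTest.java
+++ b/SslHandlerTest.java
@@ -1118,16 +1118,28 @@ public class SslHandlerTest {
 
     @Test(timeout = 5000L)
     public void testSessionTicketsWithTLSv12() throws Throwable {
-        testSessionTickets(SslUtils.PROTOCOL_TLS_V1_2);
+        testSessionTickets(SslUtils.PROTOCOL_TLS_V1_2, true);
     }
 
     @Test(timeout = 5000L)
     public void testSessionTicketsWithTLSv13() throws Throwable {
         assumeTrue(OpenSsl.isTlsv13Supported());
-        testSessionTickets(SslUtils.PROTOCOL_TLS_V1_3);
+        testSessionTickets(SslUtils.PROTOCOL_TLS_V1_3, true);
     }
 
-    private static void testSessionTickets(String protocol) throws Throwable {
+    @Test(timeout = 5000L)
+    public void testSessionTicketsWithTLSv12AndNoKey() throws Throwable {
+        assumeTrue(OpenSsl.isBoringSSL());
+        testSessionTickets(SslUtils.PROTOCOL_TLS_V1_2, false);
+    }
+
+    @Test(timeout = 5000L)
+    public void testSessionTicketsWithTLSv13AndNoKey() throws Throwable {
+        assumeTrue(OpenSsl.isTlsv13Supported());
+        testSessionTickets(SslUtils.PROTOCOL_TLS_V1_3, false);
+    }
+
+    private static void testSessionTickets(String protocol, boolean withKey) throws Throwable {
         assumeTrue(OpenSsl.isAvailable());
         final SslContext sslClientCtx = SslContextBuilder.forClient()
                 .trustManager(InsecureTrustManagerFactory.INSTANCE)
@@ -1141,10 +1153,15 @@ public class SslHandlerTest {
                 .protocols(protocol)
                 .build();
 
-        OpenSslSessionTicketKey key = new OpenSslSessionTicketKey(new byte[OpenSslSessionTicketKey.NAME_SIZE],
-                new byte[OpenSslSessionTicketKey.HMAC_KEY_SIZE], new byte[OpenSslSessionTicketKey.AES_KEY_SIZE]);
-        ((OpenSslSessionContext) sslClientCtx.sessionContext()).setTicketKeys(key);
-        ((OpenSslSessionContext) sslServerCtx.sessionContext()).setTicketKeys(key);
+        if (withKey) {
+            OpenSslSessionTicketKey key = new OpenSslSessionTicketKey(new byte[OpenSslSessionTicketKey.NAME_SIZE],
+                    new byte[OpenSslSessionTicketKey.HMAC_KEY_SIZE], new byte[OpenSslSessionTicketKey.AES_KEY_SIZE]);
+            ((OpenSslSessionContext) sslClientCtx.sessionContext()).setTicketKeys(key);
+            ((OpenSslSessionContext) sslServerCtx.sessionContext()).setTicketKeys(key);
+        } else {
+            ((OpenSslSessionContext) sslClientCtx.sessionContext()).setTicketKeys();
+            ((OpenSslSessionContext) sslServerCtx.sessionContext()).setTicketKeys();
+        }
 
         EventLoopGroup group = new NioEventLoopGroup();
         Channel sc = null;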
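Review bot: `testSessionTicketsWithTLSv13AndNoKey` guards only on `OpenSsl.isTlsv13Supported()`, whereas its TLSv1.2 sibling guards on `OpenSsl.isBoringSSL()`; the no-key path is the one the new Javadoc says only some native libraries support, so on a non-BoringSSL build with TLSv1.3 this test would run the unsupported configuration and either fail or pass without exercising library-managed tickets. Unless TLSv1.3 support implies BoringSSL in this build, add the same assumption: `assumeTrue(OpenSsl.isBoringSSL());` before the `testSessionTickets(SslUtils.PROTOCOL_TLS_V1_3, false);` call. The new `withKey` parameter also deserves a one-line comment on `testSessionTickets`, e.g. `// withKey == false relies on the native library generating and rotating the ticket key itself`. The body of `testSessionTickets` continues past the second hunk, so whatever it asserts about ticket reuse is not visible here.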