Allow to have the session tickets automatically managed by the native… (#10280)

Motivation:

BoringSSL supports to automatically manage the session tickets to be used and so also rotate them etc. This is often prefered by users as it removed some complexity. We should support to make use of this.

Modifications:

- Allow to have setSessionTickets() called without an argument or an empty array
- Add tests

Result:

Easier usage of session tickets
This commit is contained in:
Norman Maurer 2020-05-14 12:09:26 +02:00 committed by GitHub
parent 2183b37892
commit 91ca3d332f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 32 additions and 9 deletions

View File

@ -97,7 +97,11 @@ public abstract class OpenSslSessionContext implements SSLSessionContext {
} }
/** /**
* Sets the SSL session ticket keys of this context. * Sets the SSL session ticket keys of this context. Depending on the underlying native library you may omit the
* argument or pass an empty array and so let the native library handle the key generation and rotating for you.
* If this is supported by the underlying native library should be checked in this case. For example
* <a href="https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Session-tickets/">
* BoringSSL</a> is known to support this.
*/ */
public void setTicketKeys(OpenSslSessionTicketKey... keys) { public void setTicketKeys(OpenSslSessionTicketKey... keys) {
ObjectUtil.checkNotNull(keys, "keys"); ObjectUtil.checkNotNull(keys, "keys");
@ -109,7 +113,9 @@ public abstract class OpenSslSessionContext implements SSLSessionContext {
writerLock.lock(); writerLock.lock();
try { try {
SSLContext.clearOptions(context.ctx, SSL.SSL_OP_NO_TICKET); SSLContext.clearOptions(context.ctx, SSL.SSL_OP_NO_TICKET);
SSLContext.setSessionTicketKeys(context.ctx, ticketKeys); if (ticketKeys.length > 0) {
SSLContext.setSessionTicketKeys(context.ctx, ticketKeys);
}
} finally { } finally {
writerLock.unlock(); writerLock.unlock();
} }

View File

@ -1118,16 +1118,28 @@ public class SslHandlerTest {
@Test(timeout = 5000L) @Test(timeout = 5000L)
public void testSessionTicketsWithTLSv12() throws Throwable { public void testSessionTicketsWithTLSv12() throws Throwable {
testSessionTickets(SslUtils.PROTOCOL_TLS_V1_2); testSessionTickets(SslUtils.PROTOCOL_TLS_V1_2, true);
} }
@Test(timeout = 5000L) @Test(timeout = 5000L)
public void testSessionTicketsWithTLSv13() throws Throwable { public void testSessionTicketsWithTLSv13() throws Throwable {
assumeTrue(OpenSsl.isTlsv13Supported()); assumeTrue(OpenSsl.isTlsv13Supported());
testSessionTickets(SslUtils.PROTOCOL_TLS_V1_3); testSessionTickets(SslUtils.PROTOCOL_TLS_V1_3, true);
} }
private static void testSessionTickets(String protocol) throws Throwable { @Test(timeout = 5000L)
public void testSessionTicketsWithTLSv12AndNoKey() throws Throwable {
assumeTrue(OpenSsl.isBoringSSL());
testSessionTickets(SslUtils.PROTOCOL_TLS_V1_2, false);
}
@Test(timeout = 5000L)
public void testSessionTicketsWithTLSv13AndNoKey() throws Throwable {
assumeTrue(OpenSsl.isTlsv13Supported());
testSessionTickets(SslUtils.PROTOCOL_TLS_V1_3, false);
}
private static void testSessionTickets(String protocol, boolean withKey) throws Throwable {
assumeTrue(OpenSsl.isAvailable()); assumeTrue(OpenSsl.isAvailable());
final SslContext sslClientCtx = SslContextBuilder.forClient() final SslContext sslClientCtx = SslContextBuilder.forClient()
.trustManager(InsecureTrustManagerFactory.INSTANCE) .trustManager(InsecureTrustManagerFactory.INSTANCE)
@ -1141,10 +1153,15 @@ public class SslHandlerTest {
.protocols(protocol) .protocols(protocol)
.build(); .build();
OpenSslSessionTicketKey key = new OpenSslSessionTicketKey(new byte[OpenSslSessionTicketKey.NAME_SIZE], if (withKey) {
new byte[OpenSslSessionTicketKey.HMAC_KEY_SIZE], new byte[OpenSslSessionTicketKey.AES_KEY_SIZE]); OpenSslSessionTicketKey key = new OpenSslSessionTicketKey(new byte[OpenSslSessionTicketKey.NAME_SIZE],
((OpenSslSessionContext) sslClientCtx.sessionContext()).setTicketKeys(key); new byte[OpenSslSessionTicketKey.HMAC_KEY_SIZE], new byte[OpenSslSessionTicketKey.AES_KEY_SIZE]);
((OpenSslSessionContext) sslServerCtx.sessionContext()).setTicketKeys(key); ((OpenSslSessionContext) sslClientCtx.sessionContext()).setTicketKeys(key);
((OpenSslSessionContext) sslServerCtx.sessionContext()).setTicketKeys(key);
} else {
((OpenSslSessionContext) sslClientCtx.sessionContext()).setTicketKeys();
((OpenSslSessionContext) sslServerCtx.sessionContext()).setTicketKeys();
}
EventLoopGroup group = new NioEventLoopGroup(); EventLoopGroup group = new NioEventLoopGroup();
Channel sc = null; Channel sc = null;