Correctly detect if Ocsp is supported

Motivation: We only used the openssl version to detect if Ocsp is supported or not which is not good enough as even the version is correct it may be compiled without support for OCSP (like for example on ubuntu). Modifications: Try to enable OCSP while static init OpenSsl and based on if this works return true or false when calling OpenSsl.isOcspSupported(). Result: Correctly detect if OSCP is supported.
2017-05-09 11:41:04 +02:00 · 2017-05-09 11:41:04 +02:00 · c053c5144d
commit c053c5144d
parent 94e9448ae3
1 changed files with 22 additions and 1 deletions
--- a/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java
+++ b/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java
@ -53,6 +53,7 @@ public final class OpenSsl {
    private static final boolean SUPPORTS_KEYMANAGER_FACTORY;
    private static final boolean SUPPORTS_HOSTNAME_VALIDATION;
    private static final boolean USE_KEYMANAGER_FACTORY;
+    private static final boolean SUPPORTS_OCSP;

    // Protocols
    static final String PROTOCOL_SSL_V2_HELLO = "SSLv2Hello";
@ -221,6 +222,7 @@ public final class OpenSsl {
            }

            SUPPORTED_PROTOCOLS_SET = Collections.unmodifiableSet(protocols);
+            SUPPORTS_OCSP = doesSupportOcsp();
        } else {
            AVAILABLE_OPENSSL_CIPHER_SUITES = Collections.emptySet();
            AVAILABLE_JAVA_CIPHER_SUITES = Collections.emptySet();
@ -229,9 +231,28 @@ public final class OpenSsl {
            SUPPORTS_HOSTNAME_VALIDATION = false;
            USE_KEYMANAGER_FACTORY = false;
            SUPPORTED_PROTOCOLS_SET = Collections.emptySet();
+            SUPPORTS_OCSP = false;
        }
    }

+    private static boolean doesSupportOcsp() {
+        boolean supportsOcsp = false;
+        if (version() >= 0x10002000L) {
+            long sslCtx = -1;
+            try {
+                sslCtx = SSLContext.make(SSL.SSL_PROTOCOL_TLSV1_2, SSL.SSL_MODE_SERVER);
+                SSLContext.enableOcsp(sslCtx, false);
+                supportsOcsp = true;
+            } catch (Exception ignore) {
+                // ignore
+            } finally {
+                if (sslCtx != -1) {
+                    SSLContext.free(sslCtx);
+                }
+            }
+        }
+        return supportsOcsp;
+    }
    private static boolean doesSupportProtocol(int protocol) {
        long sslCtx = -1;
        try {
@ -267,7 +288,7 @@ public final class OpenSsl {
     * Returns {@code true} if the used version of OpenSSL supports OCSP stapling.
     */
    public static boolean isOcspSupported() {
-      return version() >= 0x10002000L;
+      return SUPPORTS_OCSP;
    }

    /**