andreacavalli/netty5
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Ensure we only log message on BoringSSL when the ciphers really are not the default (#11583)

Browse Source 
Motivation:

0c9a86db81 added a change to log a message if someone tried to change the TLSv1.3 ciphers when using BoringSSL. Unfortunally the code had some error and so even if the user did not change these we logged something.

Modifications:

- Ensure there are no duplicates in the ciphers
- Correctly take TLSv1.3 extra ciphers into account when using BoringSSL

Result:

Correctly log or not log
This commit is contained in:
Norman Maurer 2021-08-16 22:23:25 +02:00 committed by GitHub
parent f8f17f676d
commit ea932dd706
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
handler/src/main/java/io/netty/handler/ssl/OpenSsl.java
View File

@ -331,6 +331,8 @@ public final class OpenSsl {
addIfSupported(availableJavaCipherSuites, defaultCiphers, DEFAULT_CIPHER_SUITES);
addIfSupported(availableJavaCipherSuites, defaultCiphers, TLSV13_CIPHER_SUITES);
// Also handle the extra supported ciphers as these will contain some more stuff on BoringSSL.
addIfSupported(availableJavaCipherSuites, defaultCiphers, EXTRA_SUPPORTED_TLS_1_3_CIPHERS);
useFallbackCiphersIfDefaultIsEmpty(defaultCiphers, availableJavaCipherSuites);
DEFAULT_CIPHERS = Collections.unmodifiableList(defaultCiphers);

10
handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java
View File

@ -47,8 +47,10 @@ import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateRevokedException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.concurrent.Executor;
@ -258,8 +260,12 @@ public abstract class ReferenceCountedOpenSslContext extends SslContext implemen
this.keyCertChain = keyCertChain == null ? null : keyCertChain.clone();
unmodifiableCiphers = Arrays.asList(checkNotNull(cipherFilter, "cipherFilter").filterCipherSuites(
ciphers, DEFAULT_CIPHERS, availableJavaCipherSuites()));
String[] suites = checkNotNull(cipherFilter, "cipherFilter").filterCipherSuites(
ciphers, DEFAULT_CIPHERS, availableJavaCipherSuites());
// Filter out duplicates.
LinkedHashSet<String> suitesSet = new LinkedHashSet<String>(suites.length);
Collections.addAll(suitesSet, suites);
unmodifiableCiphers = new ArrayList<String>(suitesSet);
this.apn = checkNotNull(apn, "apn");

3
handler/src/main/java/io/netty/handler/ssl/SslUtils.java
View File

@ -33,7 +33,6 @@ import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
@ -120,7 +119,7 @@ final class SslUtils {
DEFAULT_TLSV13_CIPHER_SUITES = EmptyArrays.EMPTY_STRINGS;
}
List<String> defaultCiphers = new ArrayList<String>();
Set<String> defaultCiphers = new LinkedHashSet<String>();
// GCM (Galois/Counter Mode) requires JDK 8.
defaultCiphers.add("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384");
defaultCiphers.add("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");