diff --git a/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java b/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java
index b425b36c15..0778031572 100644
--- a/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java
+++ b/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java
@@ -331,6 +331,8 @@ public final class OpenSsl {
 addIfSupported(availableJavaCipherSuites, defaultCiphers, DEFAULT_CIPHER_SUITES);
 addIfSupported(availableJavaCipherSuites, defaultCiphers, TLSV13_CIPHER_SUITES);
+ // Also handle the extra supported ciphers as these will contain some more stuff on BoringSSL.
+ addIfSupported(availableJavaCipherSuites, defaultCiphers, EXTRA_SUPPORTED_TLS_1_3_CIPHERS);
 useFallbackCiphersIfDefaultIsEmpty(defaultCiphers, availableJavaCipherSuites);
 DEFAULT_CIPHERS = Collections.unmodifiableList(defaultCiphers);
diff --git a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java
index 408681bf6b..4d4586e465 100644
--- a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java
@@ -47,8 +47,10 @@ import java.security.cert.CertificateExpiredException;
 import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.CertificateRevokedException;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.Executor;
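Review bot: In the OpenSsl.java hunk, appending EXTRA_SUPPORTED_TLS_1_3_CIPHERS directly after TLSV13_CIPHER_SUITES can leave the same suite in DEFAULT_CIPHERS twice if the two arrays overlap and `addIfSupported` does not skip entries that are already present (neither is visible here). This commit removes duplicates later, in ReferenceCountedOpenSslContext, but the default list built here would still carry them. Deduplicating at the source keeps the advertised defaults identical to what ends up configured, e.g. `DEFAULT_CIPHERS = Collections.unmodifiableList(new ArrayList<String>(new LinkedHashSet<String>(defaultCiphers)));`. Because this line widens the default-enabled set, the new comment would also be more useful if it named which suites the extra array contributes instead of "some more stuff". The enclosing block starts and ends outside the hunk.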
@@ -258,8 +260,12 @@ public abstract class ReferenceCountedOpenSslContext extends SslContext implemen
 this.keyCertChain = keyCertChain == null ? null : keyCertChain.clone();
- unmodifiableCiphers = Arrays.asList(checkNotNull(cipherFilter, "cipherFilter").filterCipherSuites(
- ciphers, DEFAULT_CIPHERS, availableJavaCipherSuites()));
+ String[] suites = checkNotNull(cipherFilter, "cipherFilter").filterCipherSuites(
+ ciphers, DEFAULT_CIPHERS, availableJavaCipherSuites());
+ // Filter out duplicates.
+ LinkedHashSet suitesSet = new LinkedHashSet(suites.length);
+ Collections.addAll(suitesSet, suites);
+ unmodifiableCiphers = new ArrayList(suitesSet);
 this.apn = checkNotNull(apn, "apn");
diff --git a/handler/src/main/java/io/netty/handler/ssl/SslUtils.java b/handler/src/main/java/io/netty/handler/ssl/SslUtils.java
index 9f3e924630..49665002ba 100644
--- a/handler/src/main/java/io/netty/handler/ssl/SslUtils.java
+++ b/handler/src/main/java/io/netty/handler/ssl/SslUtils.java
@@ -33,7 +33,6 @@ import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
 import java.security.Provider;
-import java.util.ArrayList;
 import java.util.Collections;
 import java.util.LinkedHashSet;
 import java.util.List;
@@ -120,7 +119,7 @@ final class SslUtils {
 DEFAULT_TLSV13_CIPHER_SUITES = EmptyArrays.EMPTY_STRINGS;
 }
- List defaultCiphers = new ArrayList();
+ Set defaultCiphers = new LinkedHashSet();
 // GCM (Galois/Counter Mode) requires JDK 8.
 defaultCiphers.add("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384");
 defaultCiphers.add("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
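Review bot: In the ReferenceCountedOpenSslContext.java constructor hunk, `unmodifiableCiphers` is now assigned a plain `ArrayList`, so any code that receives this list can add or remove suites; the previous `Arrays.asList` view was at least fixed-size. For a TLS context, the reported suite list should not be able to drift from what was configured at construction, so wrap the copy: `unmodifiableCiphers = Collections.unmodifiableList(new ArrayList<String>(suitesSet));` (`Collections` is already used two lines above). How the field is exposed is not visible here, because the constructor starts and ends outside the hunk.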