From ea932dd70673b28420302b3323ff7809326955d1 Mon Sep 17 00:00:00 2001
From: Norman Maurer
Date: Mon, 16 Aug 2021 22:23:25 +0200
Subject: [PATCH] Ensure we only log message on BoringSSL when the ciphers really are not the default (#11583)
Motivation:
0c9a86db812573fbdc9f39b4ec4f29188248ff3a added a change to log a message if someone tried to change the TLSv1.3 ciphers when using BoringSSL. Unfortunally the code had some error and so even if the user did not change these we logged something.
Modifications:
- Ensure there are no duplicates in the ciphers
- Correctly take TLSv1.3 extra ciphers into account when using BoringSSL
Result:
Correctly log or not log
---
 .../src/main/java/io/netty/handler/ssl/OpenSsl.java | 2 ++
 .../handler/ssl/ReferenceCountedOpenSslContext.java | 10 ++++++++--
 .../src/main/java/io/netty/handler/ssl/SslUtils.java | 3 +--
 3 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java b/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java
index b425b36c15..0778031572 100644
--- a/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java
+++ b/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java
@@ -331,6 +331,8 @@ public final class OpenSsl {
 addIfSupported(availableJavaCipherSuites, defaultCiphers, DEFAULT_CIPHER_SUITES);
 addIfSupported(availableJavaCipherSuites, defaultCiphers, TLSV13_CIPHER_SUITES);
+ // Also handle the extra supported ciphers as these will contain some more stuff on BoringSSL.
+ addIfSupported(availableJavaCipherSuites, defaultCiphers, EXTRA_SUPPORTED_TLS_1_3_CIPHERS);
 useFallbackCiphersIfDefaultIsEmpty(defaultCiphers, availableJavaCipherSuites);
 DEFAULT_CIPHERS = Collections.unmodifiableList(defaultCiphers);
diff --git a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java
index 408681bf6b..4d4586e465 100644
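Review bot: The second added line in the OpenSsl.java hunk can put the same suite into `defaultCiphers` twice when `TLSV13_CIPHER_SUITES` and `EXTRA_SUPPORTED_TLS_1_3_CIPHERS` overlap, assuming `defaultCiphers` is a list; its declaration and both arrays are outside the hunk. The de-duplication this commit adds in ReferenceCountedOpenSslContext only covers the per-context filtered list, so `DEFAULT_CIPHERS` itself, which is presumably what the warning compares against, may still hold repeats. It would be worth either skipping names that are already present before adding, or asserting in a test that `DEFAULT_CIPHERS` has no duplicates on both OpenSSL and BoringSSL. The new comment is also vague; something like `// On BoringSSL the TLSv1.3 suites are listed in the extra array, so add them to the defaults as well.` would say why the call is needed, with the wording to be confirmed against the array's definition.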
--- a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java
@@ -47,8 +47,10 @@ import java.security.cert.CertificateExpiredException;
 import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.CertificateRevokedException;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.Executor;
@@ -258,8 +260,12 @@ public abstract class ReferenceCountedOpenSslContext extends SslContext implemen
 this.keyCertChain = keyCertChain == null ? null : keyCertChain.clone();
- unmodifiableCiphers = Arrays.asList(checkNotNull(cipherFilter, "cipherFilter").filterCipherSuites(
- ciphers, DEFAULT_CIPHERS, availableJavaCipherSuites()));
+ String[] suites = checkNotNull(cipherFilter, "cipherFilter").filterCipherSuites(
+ ciphers, DEFAULT_CIPHERS, availableJavaCipherSuites());
+ // Filter out duplicates.
+ LinkedHashSet suitesSet = new LinkedHashSet(suites.length);
+ Collections.addAll(suitesSet, suites);
+ unmodifiableCiphers = new ArrayList(suitesSet);
 this.apn = checkNotNull(apn, "apn");
diff --git a/handler/src/main/java/io/netty/handler/ssl/SslUtils.java b/handler/src/main/java/io/netty/handler/ssl/SslUtils.java
index 9f3e924630..49665002ba 100644
--- a/handler/src/main/java/io/netty/handler/ssl/SslUtils.java
+++ b/handler/src/main/java/io/netty/handler/ssl/SslUtils.java
@@ -33,7 +33,6 @@ import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
 import java.security.Provider;
-import java.util.ArrayList;
 import java.util.Collections;
 import java.util.LinkedHashSet;
 import java.util.List;
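Review bot: The field is still named `unmodifiableCiphers`, but in the `@@ -258` hunk of ReferenceCountedOpenSslContext.java it is now assigned a plain `ArrayList`, which is fully mutable, whereas the old `Arrays.asList` view at least could not grow or shrink. If an accessor outside this hunk hands the field to callers, they could add or remove suites, and the list the context reports could then drift from the cipher configuration that was actually applied. Wrapping it keeps the name honest: `unmodifiableCiphers = Collections.unmodifiableList(new ArrayList<String>(suitesSet));` (`Collections` is already imported; the type arguments appear to have been lost in this rendering). The `// Filter out duplicates.` comment could also say that `LinkedHashSet` is chosen so the first occurrence keeps its position in the order. The constructor body starts and ends outside the hunk.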
@@ -120,7 +119,7 @@ final class SslUtils {
 DEFAULT_TLSV13_CIPHER_SUITES = EmptyArrays.EMPTY_STRINGS;
 }
- List defaultCiphers = new ArrayList();
+ Set defaultCiphers = new LinkedHashSet();
 // GCM (Galois/Counter Mode) requires JDK 8.
 defaultCiphers.add("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384");
 defaultCiphers.add("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
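Review bot: The switch to `LinkedHashSet` in the SslUtils.java hunk relies on two properties that are not stated anywhere: duplicates are dropped silently, and insertion order, which presumably serves as the cipher preference order, is preserved. A short comment on the declaration would stop a later change to `HashSet` from reordering the defaults, e.g. `// LinkedHashSet: drop duplicates but keep insertion order for the resulting suite list.` The code that consumes `defaultCiphers` is outside the hunk, so any place that still expects a `List` could not be checked here.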