Ensure we only log message on BoringSSL when the ciphers really are not the default (#11583)
Motivation:
0c9a86db81
added a change to log a message if someone tried to change the TLSv1.3 ciphers when using BoringSSL. Unfortunately the code had an error, so we logged a message even if the user did not change them.
Modifications:
- Ensure there are no duplicates in the ciphers
- Correctly take TLSv1.3 extra ciphers into account when using BoringSSL
Result:
Correctly log or not log
parent
f8f17f676d
commit
ea932dd706
@ -331,6 +331,8 @@ public final class OpenSsl {
|
||||
|
||||
addIfSupported(availableJavaCipherSuites, defaultCiphers, DEFAULT_CIPHER_SUITES);
|
||||
addIfSupported(availableJavaCipherSuites, defaultCiphers, TLSV13_CIPHER_SUITES);
|
||||
// Also handle the extra supported ciphers as these will contain some more stuff on BoringSSL.
|
||||
addIfSupported(availableJavaCipherSuites, defaultCiphers, EXTRA_SUPPORTED_TLS_1_3_CIPHERS);
|
||||
|
||||
useFallbackCiphersIfDefaultIsEmpty(defaultCiphers, availableJavaCipherSuites);
|
||||
DEFAULT_CIPHERS = Collections.unmodifiableList(defaultCiphers);
|
||||
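Review bot: `DEFAULT_CIPHERS` can still end up with repeated entries here, because `defaultCiphers` is a List (it is passed to `Collections.unmodifiableList`) and now receives a third `addIfSupported` call. If `EXTRA_SUPPORTED_TLS_1_3_CIPHERS` overlaps `TLSV13_CIPHER_SUITES`, which this page does not show, any suite present in both is appended twice unless `addIfSupported` itself skips duplicates. The de-duplication added by this commit sits in ReferenceCountedOpenSslContext, so it only covers lists that pass through the cipher filter there, not other readers of `DEFAULT_CIPHERS`. Consider collecting into a `LinkedHashSet<String>` and publishing `Collections.unmodifiableList(new ArrayList<String>(set))`, as far as the signature of `addIfSupported` allows. The enclosing initializer starts and ends outside the hunk.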
|
@ -47,8 +47,10 @@ import java.security.cert.CertificateExpiredException;
|
||||
import java.security.cert.CertificateNotYetValidException;
|
||||
import java.security.cert.CertificateRevokedException;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
import java.util.LinkedHashSet;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.concurrent.Executor;
|
||||
@ -258,8 +260,12 @@ public abstract class ReferenceCountedOpenSslContext extends SslContext implemen
|
||||
|
||||
this.keyCertChain = keyCertChain == null ? null : keyCertChain.clone();
|
||||
|
||||
unmodifiableCiphers = Arrays.asList(checkNotNull(cipherFilter, "cipherFilter").filterCipherSuites(
|
||||
ciphers, DEFAULT_CIPHERS, availableJavaCipherSuites()));
|
||||
String[] suites = checkNotNull(cipherFilter, "cipherFilter").filterCipherSuites(
|
||||
ciphers, DEFAULT_CIPHERS, availableJavaCipherSuites());
|
||||
// Filter out duplicates.
|
||||
LinkedHashSet<String> suitesSet = new LinkedHashSet<String>(suites.length);
|
||||
Collections.addAll(suitesSet, suites);
|
||||
unmodifiableCiphers = new ArrayList<String>(suitesSet);
|
||||
|
||||
this.apn = checkNotNull(apn, "apn");
|
||||
|
||||
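Review bot: `unmodifiableCiphers` is now backed by a plain `ArrayList`, so the list named unmodifiable is fully mutable; the previous `Arrays.asList(...)` at least rejected add and remove. If this field is handed out to callers (its accessor is outside the hunk), they could alter the context's recorded cipher list after construction, which a TLS configuration should not permit. Wrap it: `unmodifiableCiphers = Collections.unmodifiableList(new ArrayList<String>(suitesSet));` — `Collections` is already imported in this file. A short comment that `LinkedHashSet` is used to keep the filter's preference order while dropping repeats would help as well. The constructor body continues outside the hunk.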
|
@ -33,7 +33,6 @@ import java.security.KeyManagementException;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.security.NoSuchProviderException;
|
||||
import java.security.Provider;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collections;
|
||||
import java.util.LinkedHashSet;
|
||||
import java.util.List;
|
||||
@ -120,7 +119,7 @@ final class SslUtils {
|
||||
DEFAULT_TLSV13_CIPHER_SUITES = EmptyArrays.EMPTY_STRINGS;
|
||||
}
|
||||
|
||||
List<String> defaultCiphers = new ArrayList<String>();
|
||||
Set<String> defaultCiphers = new LinkedHashSet<String>();
|
||||
// GCM (Galois/Counter Mode) requires JDK 8.
|
||||
defaultCiphers.add("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384");
|
||||
defaultCiphers.add("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
|
||||
|