Log if the user tries to explicit set TLSv1.3 ciphers and using BoringSSL (#11392)

Motivation:

At the moment BoringSSL doesnt support explicit set the TLSv1.3 ciphers that should be used. If TLSv1.3 should be used it just enables all ciphers. We should better log if the user tries to explicit set a specific ciphers and using BoringSSL to inform the user that what is tried doesnt really work.

Modifications:

Log if the user tries to not use all TLSv1.3 ciphers and use BoringSSL

Result:

Easier for the user to understand why always all TLSv1.3 ciphers are enabled when using BoringSSL

Co-authored-by: Trustin Lee <trustin@gmail.com>
This commit is contained in:
Norman Maurer 2021-06-21 08:54:58 +02:00
parent e59722037c
commit ec518878c3
3 changed files with 54 additions and 2 deletions

View File

@ -29,6 +29,7 @@ import io.netty.util.ReferenceCounted;
import io.netty.util.internal.EmptyArrays;
import io.netty.util.internal.NativeLibraryLoader;
import io.netty.util.internal.PlatformDependent;
import io.netty.util.internal.StringUtil;
import io.netty.util.internal.SystemPropertyUtil;
import io.netty.util.internal.logging.InternalLogger;
import io.netty.util.internal.logging.InternalLoggerFactory;
@ -38,6 +39,7 @@ import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
@ -63,6 +65,7 @@ public final class OpenSsl {
private static final boolean IS_BORINGSSL;
static final Set<String> SUPPORTED_PROTOCOLS_SET;
static final String[] EXTRA_SUPPORTED_TLS_1_3_CIPHERS;
static final String EXTRA_SUPPORTED_TLS_1_3_CIPHERS_STRING;
// self-signed certificate for netty.io and the matching private-key
private static final String CERT = "-----BEGIN CERTIFICATE-----\n" +
@ -183,8 +186,16 @@ public final class OpenSsl {
EXTRA_SUPPORTED_TLS_1_3_CIPHERS = new String [] { "TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384" ,
"TLS_CHACHA20_POLY1305_SHA256" };
StringBuilder ciphersBuilder = new StringBuilder(128);
for (String cipher: EXTRA_SUPPORTED_TLS_1_3_CIPHERS) {
ciphersBuilder.append(cipher).append(":");
}
ciphersBuilder.setLength(ciphersBuilder.length() - 1);
EXTRA_SUPPORTED_TLS_1_3_CIPHERS_STRING = ciphersBuilder.toString();
} else {
EXTRA_SUPPORTED_TLS_1_3_CIPHERS = EmptyArrays.EMPTY_STRINGS;
EXTRA_SUPPORTED_TLS_1_3_CIPHERS_STRING = StringUtil.EMPTY_STRING;
}
try {
@ -355,9 +366,49 @@ public final class OpenSsl {
TLSV13_SUPPORTED = false;
IS_BORINGSSL = false;
EXTRA_SUPPORTED_TLS_1_3_CIPHERS = EmptyArrays.EMPTY_STRINGS;
EXTRA_SUPPORTED_TLS_1_3_CIPHERS_STRING = StringUtil.EMPTY_STRING;
}
}
static String checkTls13Ciphers(InternalLogger logger, String ciphers) {
if (IS_BORINGSSL && !ciphers.isEmpty()) {
assert EXTRA_SUPPORTED_TLS_1_3_CIPHERS.length > 0;
Set<String> boringsslTlsv13Ciphers = new HashSet<String>(EXTRA_SUPPORTED_TLS_1_3_CIPHERS.length);
Collections.addAll(boringsslTlsv13Ciphers, EXTRA_SUPPORTED_TLS_1_3_CIPHERS);
boolean ciphersNotMatch = false;
for (String cipher: ciphers.split(":")) {
if (boringsslTlsv13Ciphers.isEmpty()) {
ciphersNotMatch = true;
break;
}
if (!boringsslTlsv13Ciphers.remove(cipher) &&
!boringsslTlsv13Ciphers.remove(CipherSuiteConverter.toJava(cipher, "TLS"))) {
ciphersNotMatch = true;
break;
}
}
// Also check if there are ciphers left.
ciphersNotMatch |= !boringsslTlsv13Ciphers.isEmpty();
if (ciphersNotMatch) {
if (logger.isInfoEnabled()) {
StringBuilder javaCiphers = new StringBuilder(128);
for (String cipher : ciphers.split(":")) {
javaCiphers.append(CipherSuiteConverter.toJava(cipher, "TLS")).append(":");
}
javaCiphers.setLength(javaCiphers.length() - 1);
logger.info(
"BoringSSL doesn't allow to enable or disable TLSv1.3 ciphers explicitly." +
" Provided TLSv1.3 ciphers: '{}', default TLSv1.3 ciphers that will be used: '{}'.",
javaCiphers, EXTRA_SUPPORTED_TLS_1_3_CIPHERS_STRING);
}
return EXTRA_SUPPORTED_TLS_1_3_CIPHERS_STRING;
}
}
return ciphers;
}
static boolean isSessionCacheSupported() {
return version() >= 0x10100000L;
}

View File

@ -285,7 +285,8 @@ public abstract class ReferenceCountedOpenSslContext extends SslContext implemen
SSLContext.setCipherSuite(ctx, cipherBuilder.toString(), false);
if (tlsv13Supported) {
// Set TLSv1.3 ciphers.
SSLContext.setCipherSuite(ctx, cipherTLSv13Builder.toString(), true);
SSLContext.setCipherSuite(ctx,
OpenSsl.checkTls13Ciphers(logger, cipherTLSv13Builder.toString()), true);
}
}
} catch (SSLException e) {

View File

@ -1586,7 +1586,7 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc
SSL.setCipherSuites(ssl, cipherSuiteSpec, false);
if (OpenSsl.isTlsv13Supported()) {
// Set TLSv1.3 ciphers.
SSL.setCipherSuites(ssl, cipherSuiteSpecTLSv13, true);
SSL.setCipherSuites(ssl, OpenSsl.checkTls13Ciphers(logger, cipherSuiteSpecTLSv13), true);
}
// We also need to update the enabled protocols to ensure we disable the protocol if there are