diff --git a/handler/src/main/java/io/netty/handler/ssl/Ciphers.java b/handler/src/main/java/io/netty/handler/ssl/Ciphers.java new file mode 100644 index 0000000000..caa390a447 --- /dev/null +++ b/handler/src/main/java/io/netty/handler/ssl/Ciphers.java @@ -0,0 +1,758 @@ +/* + * Copyright 2021 The Netty Project + * + * The Netty Project licenses this file to you under the Apache License, + * version 2.0 (the "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at: + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations + * under the License. + */ +package io.netty.handler.ssl; + +import io.netty.util.internal.ObjectUtil; + +import java.util.Arrays; + +/** + * Cipher suites + */ +public final class Ciphers { + + /** + * TLS_AES_256_GCM_SHA384 + */ + public static final String TLS_AES_256_GCM_SHA384 = "TLS_AES_256_GCM_SHA384"; + + /** + * TLS_CHACHA20_POLY1305_SHA256 + */ + public static final String TLS_CHACHA20_POLY1305_SHA256 = "TLS_CHACHA20_POLY1305_SHA256"; + + /** + * TLS_AES_128_GCM_SHA256 + */ + public static final String TLS_AES_128_GCM_SHA256 = "TLS_AES_128_GCM_SHA256"; + + /** + * TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + */ + public static final String TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"; + + /** + * TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + */ + public static final String TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"; + + /** + * TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 + */ + public static final String TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384"; + + /** + * TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 + */ + public static final String TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"; + + /** + * TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 + */ + public static final String TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"; + + /** + * TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + */ + public static final String TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"; + + /** + * TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + */ + public static final String TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"; + + /** + * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_CCM8 + */ + public static final String TLS_ECDHE_ECDSA_WITH_AES_256_CBC_CCM8 = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_CCM8"; + + /** + * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_CCM + */ + public static final String TLS_ECDHE_ECDSA_WITH_AES_256_CBC_CCM = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_CCM"; + + /** + * TLS_DHE_RSA_WITH_AES_256_CBC_CCM8 + */ + public static final String TLS_DHE_RSA_WITH_AES_256_CBC_CCM8 = "TLS_DHE_RSA_WITH_AES_256_CBC_CCM8"; + + /** + * TLS_DHE_RSA_WITH_AES_256_CBC_CCM + */ + public static final String TLS_DHE_RSA_WITH_AES_256_CBC_CCM = "TLS_DHE_RSA_WITH_AES_256_CBC_CCM"; + + /** + * TLS_ECDHE_ECDSA_WITH_ARIA256_GCM_SHA384 + */ + public static final String TLS_ECDHE_ECDSA_WITH_ARIA256_GCM_SHA384 = "TLS_ECDHE_ECDSA_WITH_ARIA256_GCM_SHA384"; + + /** + * TLS_RSA_WITH_ECDHE_ARIA256_GCM_SHA384 + */ + public static final String TLS_RSA_WITH_ECDHE_ARIA256_GCM_SHA384 = "TLS_RSA_WITH_ECDHE_ARIA256_GCM_SHA384"; + + /** + * TLS_DHE_DSS_WITH_ARIA256_GCM_SHA384 + */ + public static final String TLS_DHE_DSS_WITH_ARIA256_GCM_SHA384 = "TLS_DHE_DSS_WITH_ARIA256_GCM_SHA384"; + + /** + * TLS_DHE_RSA_WITH_ARIA256_GCM_SHA384 + */ + public static final String TLS_DHE_RSA_WITH_ARIA256_GCM_SHA384 = "TLS_DHE_RSA_WITH_ARIA256_GCM_SHA384"; + + /** + * TLS_DH_anon_WITH_AES_256_GCM_SHA384 + */ + public static final String TLS_DH_anon_WITH_AES_256_GCM_SHA384 = "TLS_DH_anon_WITH_AES_256_GCM_SHA384"; + + /** + * TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + */ + public static final String TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"; + + /** + * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + */ + public static final String TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; + + /** + * TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 + */ + public static final String TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"; + + /** + * TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 + */ + public static final String TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"; + + /** + * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_CCM8 + */ + public static final String TLS_ECDHE_ECDSA_WITH_AES_128_CBC_CCM8 = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_CCM8"; + + /** + * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_CCM + */ + public static final String TLS_ECDHE_ECDSA_WITH_AES_128_CBC_CCM = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_CCM"; + + /** + * TLS_DHE_RSA_WITH_AES_128_CBC_CCM8 + */ + public static final String TLS_DHE_RSA_WITH_AES_128_CBC_CCM8 = "TLS_DHE_RSA_WITH_AES_128_CBC_CCM8"; + + /** + * TLS_DHE_RSA_WITH_AES_128_CBC_CCM + */ + public static final String TLS_DHE_RSA_WITH_AES_128_CBC_CCM = "TLS_DHE_RSA_WITH_AES_128_CBC_CCM"; + + /** + * TLS_ECDHE_ECDSA_WITH_ARIA128_GCM_SHA256 + */ + public static final String TLS_ECDHE_ECDSA_WITH_ARIA128_GCM_SHA256 = "TLS_ECDHE_ECDSA_WITH_ARIA128_GCM_SHA256"; + + /** + * TLS_RSA_WITH_ECDHE_ARIA128_GCM_SHA256 + */ + public static final String TLS_RSA_WITH_ECDHE_ARIA128_GCM_SHA256 = "TLS_RSA_WITH_ECDHE_ARIA128_GCM_SHA256"; + + /** + * TLS_DHE_DSS_WITH_ARIA128_GCM_SHA256 + */ + public static final String TLS_DHE_DSS_WITH_ARIA128_GCM_SHA256 = "TLS_DHE_DSS_WITH_ARIA128_GCM_SHA256"; + + /** + * TLS_DHE_RSA_WITH_ARIA128_GCM_SHA256 + */ + public static final String TLS_DHE_RSA_WITH_ARIA128_GCM_SHA256 = "TLS_DHE_RSA_WITH_ARIA128_GCM_SHA256"; + + /** + * TLS_DH_anon_WITH_AES_128_GCM_SHA256 + */ + public static final String TLS_DH_anon_WITH_AES_128_GCM_SHA256 = "TLS_DH_anon_WITH_AES_128_GCM_SHA256"; + + /** + * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 + */ + public static final String TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"; + + /** + * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 + */ + public static final String TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"; + + /** + * TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 + */ + public static final String TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"; + + /** + * TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 + */ + public static final String TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256"; + + /** + * TLS_ECDHE_ECDSA_WITH_CAMELLIA256_SHA384 + */ + public static final String TLS_ECDHE_ECDSA_WITH_CAMELLIA256_SHA384 = "TLS_ECDHE_ECDSA_WITH_CAMELLIA256_SHA384"; + + /** + * TLS_ECDHE_RSA_WITH_CAMELLIA256_SHA384 + */ + public static final String TLS_ECDHE_RSA_WITH_CAMELLIA256_SHA384 = "TLS_ECDHE_RSA_WITH_CAMELLIA256_SHA384"; + + /** + * TLS_DHE_RSA_WITH_CAMELLIA256_SHA256 + */ + public static final String TLS_DHE_RSA_WITH_CAMELLIA256_SHA256 = "TLS_DHE_RSA_WITH_CAMELLIA256_SHA256"; + + /** + * TLS_DHE_DSS_WITH_CAMELLIA256_SHA256 + */ + public static final String TLS_DHE_DSS_WITH_CAMELLIA256_SHA256 = "TLS_DHE_DSS_WITH_CAMELLIA256_SHA256"; + + /** + * TLS_DH_anon_WITH_AES_256_CBC_SHA256 + */ + public static final String TLS_DH_anon_WITH_AES_256_CBC_SHA256 = "TLS_DH_anon_WITH_AES_256_CBC_SHA256"; + + /** + * TLS_DH_anon_WITH_CAMELLIA256_SHA256 + */ + public static final String TLS_DH_anon_WITH_CAMELLIA256_SHA256 = "TLS_DH_anon_WITH_CAMELLIA256_SHA256"; + + /** + * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 + */ + public static final String TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"; + + /** + * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + */ + public static final String TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"; + + /** + * TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 + */ + public static final String TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"; + + /** + * TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 + */ + public static final String TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"; + + /** + * TLS_ECDHE_ECDSA_WITH_CAMELLIA128_SHA256 + */ + public static final String TLS_ECDHE_ECDSA_WITH_CAMELLIA128_SHA256 = "TLS_ECDHE_ECDSA_WITH_CAMELLIA128_SHA256"; + + /** + * TLS_ECDHE_RSA_WITH_CAMELLIA128_SHA256 + */ + public static final String TLS_ECDHE_RSA_WITH_CAMELLIA128_SHA256 = "TLS_ECDHE_RSA_WITH_CAMELLIA128_SHA256"; + + /** + * TLS_DHE_RSA_WITH_CAMELLIA128_SHA256 + */ + public static final String TLS_DHE_RSA_WITH_CAMELLIA128_SHA256 = "TLS_DHE_RSA_WITH_CAMELLIA128_SHA256"; + + /** + * TLS_DHE_DSS_WITH_CAMELLIA128_SHA256 + */ + public static final String TLS_DHE_DSS_WITH_CAMELLIA128_SHA256 = "TLS_DHE_DSS_WITH_CAMELLIA128_SHA256"; + + /** + * TLS_DH_anon_WITH_AES_128_CBC_SHA256 + */ + public static final String TLS_DH_anon_WITH_AES_128_CBC_SHA256 = "TLS_DH_anon_WITH_AES_128_CBC_SHA256"; + + /** + * TLS_DH_anon_WITH_CAMELLIA128_SHA256 + */ + public static final String TLS_DH_anon_WITH_CAMELLIA128_SHA256 = "TLS_DH_anon_WITH_CAMELLIA128_SHA256"; + + /** + * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA + */ + public static final String TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"; + + /** + * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA + */ + public static final String TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"; + + /** + * TLS_DHE_RSA_WITH_AES_256_CBC_SHA + */ + public static final String TLS_DHE_RSA_WITH_AES_256_CBC_SHA = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"; + + /** + * TLS_DHE_DSS_WITH_AES_256_CBC_SHA + */ + public static final String TLS_DHE_DSS_WITH_AES_256_CBC_SHA = "TLS_DHE_DSS_WITH_AES_256_CBC_SHA"; + + /** + * TLS_DHE_RSA_WITH_CAMELLIA256_SHA + */ + public static final String TLS_DHE_RSA_WITH_CAMELLIA256_SHA = "TLS_DHE_RSA_WITH_CAMELLIA256_SHA"; + + /** + * TLS_DHE_DSS_WITH_CAMELLIA256_SHA + */ + public static final String TLS_DHE_DSS_WITH_CAMELLIA256_SHA = "TLS_DHE_DSS_WITH_CAMELLIA256_SHA"; + + /** + * TLS_ECDH_anon_WITH_AES_256_CBC_SHA + */ + public static final String TLS_ECDH_anon_WITH_AES_256_CBC_SHA = "TLS_ECDH_anon_WITH_AES_256_CBC_SHA"; + + /** + * TLS_DH_anon_WITH_AES_256_CBC_SHA + */ + public static final String TLS_DH_anon_WITH_AES_256_CBC_SHA = "TLS_DH_anon_WITH_AES_256_CBC_SHA"; + + /** + * TLS_DH_anon_WITH_CAMELLIA256_SHA + */ + public static final String TLS_DH_anon_WITH_CAMELLIA256_SHA = "TLS_DH_anon_WITH_CAMELLIA256_SHA"; + + /** + * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA + */ + public static final String TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"; + + /** + * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA + */ + public static final String TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"; + + /** + * TLS_DHE_RSA_WITH_AES_128_CBC_SHA + */ + public static final String TLS_DHE_RSA_WITH_AES_128_CBC_SHA = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"; + + /** + * TLS_DHE_DSS_WITH_AES_128_CBC_SHA + */ + public static final String TLS_DHE_DSS_WITH_AES_128_CBC_SHA = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"; + + /** + * TLS_DHE_RSA_WITH_SEED_SHA + */ + public static final String TLS_DHE_RSA_WITH_SEED_SHA = "TLS_DHE_RSA_WITH_SEED_SHA"; + + /** + * TLS_DHE_DSS_WITH_SEED_SHA + */ + public static final String TLS_DHE_DSS_WITH_SEED_SHA = "TLS_DHE_DSS_WITH_SEED_SHA"; + + /** + * TLS_DHE_RSA_WITH_CAMELLIA128_SHA + */ + public static final String TLS_DHE_RSA_WITH_CAMELLIA128_SHA = "TLS_DHE_RSA_WITH_CAMELLIA128_SHA"; + + /** + * TLS_DHE_DSS_WITH_CAMELLIA128_SHA + */ + public static final String TLS_DHE_DSS_WITH_CAMELLIA128_SHA = "TLS_DHE_DSS_WITH_CAMELLIA128_SHA"; + + /** + * TLS_ECDH_anon_WITH_AES_128_CBC_SHA + */ + public static final String TLS_ECDH_anon_WITH_AES_128_CBC_SHA = "TLS_ECDH_anon_WITH_AES_128_CBC_SHA"; + + /** + * TLS_DH_anon_WITH_AES_128_CBC_SHA + */ + public static final String TLS_DH_anon_WITH_AES_128_CBC_SHA = "TLS_DH_anon_WITH_AES_128_CBC_SHA"; + + /** + * TLS_DH_anon_WITH_SEED_SHA + */ + public static final String TLS_DH_anon_WITH_SEED_SHA = "TLS_DH_anon_WITH_SEED_SHA"; + + /** + * TLS_DH_anon_WITH_CAMELLIA128_SHA + */ + public static final String TLS_DH_anon_WITH_CAMELLIA128_SHA = "TLS_DH_anon_WITH_CAMELLIA128_SHA"; + + /** + * TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 + */ + public static final String TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384"; + + /** + * TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 + */ + public static final String TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384"; + + /** + * TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 + */ + public static final String TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 = "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256"; + + /** + * TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 + */ + public static final String TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256"; + + /** + * TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 + */ + public static final String TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = + "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256"; + + /** + * TLS_DHE_PSK_WITH_AES_256_CBC_CCM8 + */ + public static final String TLS_DHE_PSK_WITH_AES_256_CBC_CCM8 = "TLS_DHE_PSK_WITH_AES_256_CBC_CCM8"; + + /** + * TLS_DHE_PSK_WITH_AES_256_CBC_CCM + */ + public static final String TLS_DHE_PSK_WITH_AES_256_CBC_CCM = "TLS_DHE_PSK_WITH_AES_256_CBC_CCM"; + + /** + * TLS_RSA_PSK_WITH_ARIA256_GCM_SHA384 + */ + public static final String TLS_RSA_PSK_WITH_ARIA256_GCM_SHA384 = "TLS_RSA_PSK_WITH_ARIA256_GCM_SHA384"; + + /** + * TLS_DHE_PSK_WITH_ARIA256_GCM_SHA384 + */ + public static final String TLS_DHE_PSK_WITH_ARIA256_GCM_SHA384 = "TLS_DHE_PSK_WITH_ARIA256_GCM_SHA384"; + + /** + * TLS_RSA_WITH_AES_256_GCM_SHA384 + */ + public static final String TLS_RSA_WITH_AES_256_GCM_SHA384 = "TLS_RSA_WITH_AES_256_GCM_SHA384"; + + /** + * TLS_RSA_WITH_AES_256_CBC_CCM8 + */ + public static final String TLS_RSA_WITH_AES_256_CBC_CCM8 = "TLS_RSA_WITH_AES_256_CBC_CCM8"; + + /** + * TLS_RSA_WITH_AES_256_CBC_CCM + */ + public static final String TLS_RSA_WITH_AES_256_CBC_CCM = "TLS_RSA_WITH_AES_256_CBC_CCM"; + + /** + * TLS_RSA_WITH_ARIA256_GCM_SHA384 + */ + public static final String TLS_RSA_WITH_ARIA256_GCM_SHA384 = "TLS_RSA_WITH_ARIA256_GCM_SHA384"; + + /** + * TLS_PSK_WITH_AES_256_GCM_SHA384 + */ + public static final String TLS_PSK_WITH_AES_256_GCM_SHA384 = "TLS_PSK_WITH_AES_256_GCM_SHA384"; + + /** + * TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 + */ + public static final String TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 = "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256"; + + /** + * TLS_PSK_WITH_AES_256_CBC_CCM8 + */ + public static final String TLS_PSK_WITH_AES_256_CBC_CCM8 = "TLS_PSK_WITH_AES_256_CBC_CCM8"; + + /** + * TLS_PSK_WITH_AES_256_CBC_CCM + */ + public static final String TLS_PSK_WITH_AES_256_CBC_CCM = "TLS_PSK_WITH_AES_256_CBC_CCM"; + + /** + * TLS_PSK_WITH_ARIA256_GCM_SHA384 + */ + public static final String TLS_PSK_WITH_ARIA256_GCM_SHA384 = "TLS_PSK_WITH_ARIA256_GCM_SHA384"; + + /** + * TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 + */ + public static final String TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256"; + + /** + * TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 + */ + public static final String TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256"; + + /** + * TLS_DHE_PSK_WITH_AES_128_CBC_CCM8 + */ + public static final String TLS_DHE_PSK_WITH_AES_128_CBC_CCM8 = "TLS_DHE_PSK_WITH_AES_128_CBC_CCM8"; + + /** + * TLS_DHE_PSK_WITH_AES_128_CBC_CCM + */ + public static final String TLS_DHE_PSK_WITH_AES_128_CBC_CCM = "TLS_DHE_PSK_WITH_AES_128_CBC_CCM"; + + /** + * TLS_RSA_PSK_WITH_ARIA128_GCM_SHA256 + */ + public static final String TLS_RSA_PSK_WITH_ARIA128_GCM_SHA256 = "TLS_RSA_PSK_WITH_ARIA128_GCM_SHA256"; + + /** + * TLS_DHE_PSK_WITH_ARIA128_GCM_SHA256 + */ + public static final String TLS_DHE_PSK_WITH_ARIA128_GCM_SHA256 = "TLS_DHE_PSK_WITH_ARIA128_GCM_SHA256"; + + /** + * TLS_RSA_WITH_AES_128_GCM_SHA256 + */ + public static final String TLS_RSA_WITH_AES_128_GCM_SHA256 = "TLS_RSA_WITH_AES_128_GCM_SHA256"; + + /** + * TLS_RSA_WITH_AES_128_CBC_CCM8 + */ + public static final String TLS_RSA_WITH_AES_128_CBC_CCM8 = "TLS_RSA_WITH_AES_128_CBC_CCM8"; + + /** + * TLS_RSA_WITH_AES_128_CBC_CCM + */ + public static final String TLS_RSA_WITH_AES_128_CBC_CCM = "TLS_RSA_WITH_AES_128_CBC_CCM"; + + /** + * TLS_RSA_WITH_ARIA128_GCM_SHA256 + */ + public static final String TLS_RSA_WITH_ARIA128_GCM_SHA256 = "TLS_RSA_WITH_ARIA128_GCM_SHA256"; + + /** + * TLS_PSK_WITH_AES_128_GCM_SHA256 + */ + public static final String TLS_PSK_WITH_AES_128_GCM_SHA256 = "TLS_PSK_WITH_AES_128_GCM_SHA256"; + + /** + * TLS_PSK_WITH_AES_128_CBC_CCM8 + */ + public static final String TLS_PSK_WITH_AES_128_CBC_CCM8 = "TLS_PSK_WITH_AES_128_CBC_CCM8"; + + /** + * TLS_PSK_WITH_AES_128_CBC_CCM + */ + public static final String TLS_PSK_WITH_AES_128_CBC_CCM = "TLS_PSK_WITH_AES_128_CBC_CCM"; + + /** + * TLS_PSK_WITH_ARIA128_GCM_SHA256 + */ + public static final String TLS_PSK_WITH_ARIA128_GCM_SHA256 = "TLS_PSK_WITH_ARIA128_GCM_SHA256"; + + /** + * TLS_RSA_WITH_AES_256_CBC_SHA256 + */ + public static final String TLS_RSA_WITH_AES_256_CBC_SHA256 = "TLS_RSA_WITH_AES_256_CBC_SHA256"; + + /** + * TLS_RSA_WITH_CAMELLIA256_SHA256 + */ + public static final String TLS_RSA_WITH_CAMELLIA256_SHA256 = "TLS_RSA_WITH_CAMELLIA256_SHA256"; + + /** + * TLS_RSA_WITH_AES_128_CBC_SHA256 + */ + public static final String TLS_RSA_WITH_AES_128_CBC_SHA256 = "TLS_RSA_WITH_AES_128_CBC_SHA256"; + + /** + * TLS_RSA_WITH_CAMELLIA128_SHA256 + */ + public static final String TLS_RSA_WITH_CAMELLIA128_SHA256 = "TLS_RSA_WITH_CAMELLIA128_SHA256"; + + /** + * TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 + */ + public static final String TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 = "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384"; + + /** + * TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA + */ + public static final String TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA = "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA"; + + /** + * TLS_SRP_DSS_WITH_AES_256_CBC_SHA + */ + public static final String TLS_SRP_DSS_WITH_AES_256_CBC_SHA = "TLS_SRP_DSS_WITH_AES_256_CBC_SHA"; + + /** + * TLS_SRP_RSA_WITH_AES_256_CBC_SHA + */ + public static final String TLS_SRP_RSA_WITH_AES_256_CBC_SHA = "TLS_SRP_RSA_WITH_AES_256_CBC_SHA"; + + /** + * TLS_SRP_WITH_AES_256_CBC_SHA + */ + public static final String TLS_SRP_WITH_AES_256_CBC_SHA = "TLS_SRP_WITH_AES_256_CBC_SHA"; + + /** + * TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 + */ + public static final String TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384"; + + /** + * TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 + */ + public static final String TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384"; + + /** + * TLS_RSA_PSK_WITH_AES_256_CBC_SHA + */ + public static final String TLS_RSA_PSK_WITH_AES_256_CBC_SHA = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA"; + + /** + * TLS_DHE_PSK_WITH_AES_256_CBC_SHA + */ + public static final String TLS_DHE_PSK_WITH_AES_256_CBC_SHA = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA"; + + /** + * TLS_ECDHE_PSK_WITH_CAMELLIA256_SHA384 + */ + public static final String TLS_ECDHE_PSK_WITH_CAMELLIA256_SHA384 = "TLS_ECDHE_PSK_WITH_CAMELLIA256_SHA384"; + + /** + * TLS_RSA_PSK_WITH_CAMELLIA256_SHA384 + */ + public static final String TLS_RSA_PSK_WITH_CAMELLIA256_SHA384 = "TLS_RSA_PSK_WITH_CAMELLIA256_SHA384"; + + /** + * TLS_DHE_PSK_WITH_CAMELLIA256_SHA384 + */ + public static final String TLS_DHE_PSK_WITH_CAMELLIA256_SHA384 = "TLS_DHE_PSK_WITH_CAMELLIA256_SHA384"; + + /** + * TLS_RSA_WITH_AES_256_CBC_SHA + */ + public static final String TLS_RSA_WITH_AES_256_CBC_SHA = "TLS_RSA_WITH_AES_256_CBC_SHA"; + + /** + * TLS_RSA_WITH_CAMELLIA256_SHA + */ + public static final String TLS_RSA_WITH_CAMELLIA256_SHA = "TLS_RSA_WITH_CAMELLIA256_SHA"; + + /** + * TLS_PSK_WITH_AES_256_CBC_SHA384 + */ + public static final String TLS_PSK_WITH_AES_256_CBC_SHA384 = "TLS_PSK_WITH_AES_256_CBC_SHA384"; + + /** + * TLS_PSK_WITH_AES_256_CBC_SHA + */ + public static final String TLS_PSK_WITH_AES_256_CBC_SHA = "TLS_PSK_WITH_AES_256_CBC_SHA"; + + /** + * TLS_PSK_WITH_CAMELLIA256_SHA384 + */ + public static final String TLS_PSK_WITH_CAMELLIA256_SHA384 = "TLS_PSK_WITH_CAMELLIA256_SHA384"; + + /** + * TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 + */ + public static final String TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256"; + + /** + * TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA + */ + public static final String TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA = "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA"; + + /** + * TLS_SRP_DSS_WITH_AES_128_CBC_SHA + */ + public static final String TLS_SRP_DSS_WITH_AES_128_CBC_SHA = "TLS_SRP_DSS_WITH_AES_128_CBC_SHA"; + + /** + * TLS_SRP_RSA_WITH_AES_128_CBC_SHA + */ + public static final String TLS_SRP_RSA_WITH_AES_128_CBC_SHA = "TLS_SRP_RSA_WITH_AES_128_CBC_SHA"; + + /** + * TLS_SRP_WITH_AES_128_CBC_SHA + */ + public static final String TLS_SRP_WITH_AES_128_CBC_SHA = "TLS_SRP_WITH_AES_128_CBC_SHA"; + + /** + * TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 + */ + public static final String TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256"; + + /** + * TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 + */ + public static final String TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256"; + + /** + * TLS_RSA_PSK_WITH_AES_128_CBC_SHA + */ + public static final String TLS_RSA_PSK_WITH_AES_128_CBC_SHA = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA"; + + /** + * TLS_DHE_PSK_WITH_AES_128_CBC_SHA + */ + public static final String TLS_DHE_PSK_WITH_AES_128_CBC_SHA = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA"; + + /** + * TLS_ECDHE_PSK_WITH_CAMELLIA128_SHA256 + */ + public static final String TLS_ECDHE_PSK_WITH_CAMELLIA128_SHA256 = "TLS_ECDHE_PSK_WITH_CAMELLIA128_SHA256"; + + /** + * TLS_RSA_PSK_WITH_CAMELLIA128_SHA256 + */ + public static final String TLS_RSA_PSK_WITH_CAMELLIA128_SHA256 = "TLS_RSA_PSK_WITH_CAMELLIA128_SHA256"; + + /** + * TLS_DHE_PSK_WITH_CAMELLIA128_SHA256 + */ + public static final String TLS_DHE_PSK_WITH_CAMELLIA128_SHA256 = "TLS_DHE_PSK_WITH_CAMELLIA128_SHA256"; + + /** + * TLS_RSA_WITH_AES_128_CBC_SHA + */ + public static final String TLS_RSA_WITH_AES_128_CBC_SHA = "TLS_RSA_WITH_AES_128_CBC_SHA"; + + /** + * TLS_RSA_WITH_SEED_SHA + */ + public static final String TLS_RSA_WITH_SEED_SHA = "TLS_RSA_WITH_SEED_SHA"; + + /** + * TLS_RSA_WITH_CAMELLIA128_SHA + */ + public static final String TLS_RSA_WITH_CAMELLIA128_SHA = "TLS_RSA_WITH_CAMELLIA128_SHA"; + + /** + * TLS_RSA_WITH_IDEA_CBC_SHA + */ + public static final String TLS_RSA_WITH_IDEA_CBC_SHA = "TLS_RSA_WITH_IDEA_CBC_SHA"; + + /** + * TLS_PSK_WITH_AES_128_CBC_SHA256 + */ + public static final String TLS_PSK_WITH_AES_128_CBC_SHA256 = "TLS_PSK_WITH_AES_128_CBC_SHA256"; + + /** + * TLS_PSK_WITH_AES_128_CBC_SHA + */ + public static final String TLS_PSK_WITH_AES_128_CBC_SHA = "TLS_PSK_WITH_AES_128_CBC_SHA"; + + /** + * TLS_PSK_WITH_CAMELLIA128_SHA256 + */ + public static final String TLS_PSK_WITH_CAMELLIA128_SHA256 = "TLS_PSK_WITH_CAMELLIA128_SHA256"; + + private Ciphers() { + // Prevent outside initialization + } +} diff --git a/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java b/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java index b5d5e3431b..a452924829 100644 --- a/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java +++ b/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java @@ -107,8 +107,8 @@ public class JdkSslContext extends SslContext { List protocols = new ArrayList(); addIfSupported( supportedProtocolsSet, protocols, - SslUtils.PROTOCOL_TLS_V1_3, SslUtils.PROTOCOL_TLS_V1_2, - SslUtils.PROTOCOL_TLS_V1_1, SslUtils.PROTOCOL_TLS_V1); + SslProtocols.TLS_v1_3, SslProtocols.TLS_v1_2, + SslProtocols.TLS_v1_1, SslProtocols.TLS_v1); if (!protocols.isEmpty()) { return protocols.toArray(EmptyArrays.EMPTY_STRINGS); @@ -154,7 +154,7 @@ public class JdkSslContext extends SslContext { private static boolean isTlsV13Supported(String[] protocols) { for (String protocol: protocols) { - if (SslUtils.PROTOCOL_TLS_V1_3.equals(protocol)) { + if (SslProtocols.TLS_v1_3.equals(protocol)) { return true; } } diff --git a/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java b/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java index 92f1ff7a91..b425b36c15 100644 --- a/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java +++ b/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java @@ -348,26 +348,26 @@ public final class OpenSsl { Set protocols = new LinkedHashSet(6); // Seems like there is no way to explicitly disable SSLv2Hello in openssl so it is always enabled - protocols.add(PROTOCOL_SSL_V2_HELLO); + protocols.add(SslProtocols.SSL_v2_HELLO); if (doesSupportProtocol(SSL.SSL_PROTOCOL_SSLV2, SSL.SSL_OP_NO_SSLv2)) { - protocols.add(PROTOCOL_SSL_V2); + protocols.add(SslProtocols.SSL_v2); } if (doesSupportProtocol(SSL.SSL_PROTOCOL_SSLV3, SSL.SSL_OP_NO_SSLv3)) { - protocols.add(PROTOCOL_SSL_V3); + protocols.add(SslProtocols.SSL_v3); } if (doesSupportProtocol(SSL.SSL_PROTOCOL_TLSV1, SSL.SSL_OP_NO_TLSv1)) { - protocols.add(PROTOCOL_TLS_V1); + protocols.add(SslProtocols.TLS_v1); } if (doesSupportProtocol(SSL.SSL_PROTOCOL_TLSV1_1, SSL.SSL_OP_NO_TLSv1_1)) { - protocols.add(PROTOCOL_TLS_V1_1); + protocols.add(SslProtocols.TLS_v1_1); } if (doesSupportProtocol(SSL.SSL_PROTOCOL_TLSV1_2, SSL.SSL_OP_NO_TLSv1_2)) { - protocols.add(PROTOCOL_TLS_V1_2); + protocols.add(SslProtocols.TLS_v1_2); } // This is only supported by java11 and later. if (tlsv13Supported && doesSupportProtocol(SSL.SSL_PROTOCOL_TLSV1_3, SSL.SSL_OP_NO_TLSv1_3)) { - protocols.add(PROTOCOL_TLS_V1_3); + protocols.add(SslProtocols.TLS_v1_3); TLSV13_SUPPORTED = true; } else { TLSV13_SUPPORTED = false; diff --git a/handler/src/main/java/io/netty/handler/ssl/OpenSslTlsv13X509ExtendedTrustManager.java b/handler/src/main/java/io/netty/handler/ssl/OpenSslTlsv13X509ExtendedTrustManager.java index c55543a71d..1b3bed6ba2 100644 --- a/handler/src/main/java/io/netty/handler/ssl/OpenSslTlsv13X509ExtendedTrustManager.java +++ b/handler/src/main/java/io/netty/handler/ssl/OpenSslTlsv13X509ExtendedTrustManager.java @@ -66,7 +66,7 @@ final class OpenSslTlsv13X509ExtendedTrustManager extends X509ExtendedTrustManag private static SSLEngine wrapEngine(final SSLEngine engine) { final SSLSession session = engine.getHandshakeSession(); - if (session != null && SslUtils.PROTOCOL_TLS_V1_3.equals(session.getProtocol())) { + if (session != null && SslProtocols.TLS_v1_3.equals(session.getProtocol())) { return new JdkSslEngine(engine) { @Override public String getNegotiatedApplicationProtocol() { @@ -93,7 +93,7 @@ final class OpenSslTlsv13X509ExtendedTrustManager extends X509ExtendedTrustManag @Override public String getProtocol() { - return SslUtils.PROTOCOL_TLS_V1_2; + return SslProtocols.TLS_v1_2; } }; } else { @@ -181,7 +181,7 @@ final class OpenSslTlsv13X509ExtendedTrustManager extends X509ExtendedTrustManag @Override public String getProtocol() { - return SslUtils.PROTOCOL_TLS_V1_2; + return SslProtocols.TLS_v1_2; } @Override diff --git a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslEngine.java b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslEngine.java index a37a14898f..f033e644a4 100644 --- a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslEngine.java +++ b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslEngine.java @@ -65,13 +65,6 @@ import javax.net.ssl.SSLSessionBindingListener; import javax.security.cert.X509Certificate; import static io.netty.handler.ssl.OpenSsl.memoryAddress; -import static io.netty.handler.ssl.SslUtils.PROTOCOL_SSL_V2; -import static io.netty.handler.ssl.SslUtils.PROTOCOL_SSL_V2_HELLO; -import static io.netty.handler.ssl.SslUtils.PROTOCOL_SSL_V3; -import static io.netty.handler.ssl.SslUtils.PROTOCOL_TLS_V1; -import static io.netty.handler.ssl.SslUtils.PROTOCOL_TLS_V1_1; -import static io.netty.handler.ssl.SslUtils.PROTOCOL_TLS_V1_2; -import static io.netty.handler.ssl.SslUtils.PROTOCOL_TLS_V1_3; import static io.netty.handler.ssl.SslUtils.SSL_RECORD_HEADER_LENGTH; import static io.netty.util.internal.ObjectUtil.checkNotNull; import static io.netty.util.internal.ObjectUtil.checkNotNullArrayParam; @@ -360,7 +353,7 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc SSL.setMode(ssl, SSL.getMode(ssl) | SSL.SSL_MODE_ENABLE_PARTIAL_WRITE); } - if (isProtocolEnabled(SSL.getOptions(ssl), SSL.SSL_OP_NO_TLSv1_3, PROTOCOL_TLS_V1_3)) { + if (isProtocolEnabled(SSL.getOptions(ssl), SSL.SSL_OP_NO_TLSv1_3, SslProtocols.TLS_v1_3)) { final boolean enableTickets = clientMode ? ReferenceCountedOpenSslContext.CLIENT_ENABLE_SESSION_TICKET_TLSV13 : ReferenceCountedOpenSslContext.SERVER_ENABLE_SESSION_TICKET_TLSV13; @@ -1368,7 +1361,7 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc if (!isDestroyed() && SSL.getHandshakeCount(ssl) > 1 && // As we may count multiple handshakes when TLSv1.3 is used we should just ignore this here as // renegotiation is not supported in TLSv1.3 as per spec. - !SslUtils.PROTOCOL_TLS_V1_3.equals(session.getProtocol()) && handshakeState == HandshakeState.FINISHED) { + !SslProtocols.TLS_v1_3.equals(session.getProtocol()) && handshakeState == HandshakeState.FINISHED) { // TODO: In future versions me may also want to send a fatal_alert to the client and so notify it // that the renegotiation failed. shutdown(); @@ -1556,7 +1549,7 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc if (!isDestroyed()) { enabled = SSL.getCiphers(ssl); int opts = SSL.getOptions(ssl); - if (isProtocolEnabled(opts, SSL.SSL_OP_NO_TLSv1_3, PROTOCOL_TLS_V1_3)) { + if (isProtocolEnabled(opts, SSL.SSL_OP_NO_TLSv1_3, SslProtocols.TLS_v1_3)) { extraCiphers = OpenSsl.EXTRA_SUPPORTED_TLS_1_3_CIPHERS; tls13Enabled = true; } else { @@ -1618,16 +1611,16 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc // We have no ciphers that are compatible with none-TLSv1.3, let us explicit disable all other // protocols. if (cipherSuiteSpec.isEmpty()) { - protocols.remove(PROTOCOL_TLS_V1); - protocols.remove(PROTOCOL_TLS_V1_1); - protocols.remove(PROTOCOL_TLS_V1_2); - protocols.remove(PROTOCOL_SSL_V3); - protocols.remove(PROTOCOL_SSL_V2); - protocols.remove(PROTOCOL_SSL_V2_HELLO); + protocols.remove(SslProtocols.TLS_v1); + protocols.remove(SslProtocols.TLS_v1_1); + protocols.remove(SslProtocols.TLS_v1_2); + protocols.remove(SslProtocols.SSL_v3); + protocols.remove(SslProtocols.SSL_v2); + protocols.remove(SslProtocols.SSL_v2_HELLO); } // We have no ciphers that are compatible with TLSv1.3, let us explicit disable it. if (cipherSuiteSpecTLSv13.isEmpty()) { - protocols.remove(PROTOCOL_TLS_V1_3); + protocols.remove(SslProtocols.TLS_v1_3); } // Update the protocols but not cache the value. We only cache when we call it from the user // code or when we construct the engine. @@ -1650,7 +1643,7 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc public final String[] getEnabledProtocols() { List enabled = new ArrayList(6); // Seems like there is no way to explicit disable SSLv2Hello in openssl so it is always enabled - enabled.add(PROTOCOL_SSL_V2_HELLO); + enabled.add(SslProtocols.SSL_v2_HELLO); int opts; synchronized (this) { @@ -1660,23 +1653,23 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc return enabled.toArray(new String[0]); } } - if (isProtocolEnabled(opts, SSL.SSL_OP_NO_TLSv1, PROTOCOL_TLS_V1)) { - enabled.add(PROTOCOL_TLS_V1); + if (isProtocolEnabled(opts, SSL.SSL_OP_NO_TLSv1, SslProtocols.TLS_v1)) { + enabled.add(SslProtocols.TLS_v1); } - if (isProtocolEnabled(opts, SSL.SSL_OP_NO_TLSv1_1, PROTOCOL_TLS_V1_1)) { - enabled.add(PROTOCOL_TLS_V1_1); + if (isProtocolEnabled(opts, SSL.SSL_OP_NO_TLSv1_1, SslProtocols.TLS_v1_1)) { + enabled.add(SslProtocols.TLS_v1_1); } - if (isProtocolEnabled(opts, SSL.SSL_OP_NO_TLSv1_2, PROTOCOL_TLS_V1_2)) { - enabled.add(PROTOCOL_TLS_V1_2); + if (isProtocolEnabled(opts, SSL.SSL_OP_NO_TLSv1_2, SslProtocols.TLS_v1_2)) { + enabled.add(SslProtocols.TLS_v1_2); } - if (isProtocolEnabled(opts, SSL.SSL_OP_NO_TLSv1_3, PROTOCOL_TLS_V1_3)) { - enabled.add(PROTOCOL_TLS_V1_3); + if (isProtocolEnabled(opts, SSL.SSL_OP_NO_TLSv1_3, SslProtocols.TLS_v1_3)) { + enabled.add(SslProtocols.TLS_v1_3); } - if (isProtocolEnabled(opts, SSL.SSL_OP_NO_SSLv2, PROTOCOL_SSL_V2)) { - enabled.add(PROTOCOL_SSL_V2); + if (isProtocolEnabled(opts, SSL.SSL_OP_NO_SSLv2, SslProtocols.SSL_v2)) { + enabled.add(SslProtocols.SSL_v2); } - if (isProtocolEnabled(opts, SSL.SSL_OP_NO_SSLv3, PROTOCOL_SSL_V3)) { - enabled.add(PROTOCOL_SSL_V3); + if (isProtocolEnabled(opts, SSL.SSL_OP_NO_SSLv3, SslProtocols.SSL_v3)) { + enabled.add(SslProtocols.SSL_v3); } return enabled.toArray(new String[0]); } @@ -1710,42 +1703,42 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc if (!OpenSsl.SUPPORTED_PROTOCOLS_SET.contains(p)) { throw new IllegalArgumentException("Protocol " + p + " is not supported."); } - if (p.equals(PROTOCOL_SSL_V2)) { + if (p.equals(SslProtocols.SSL_v2)) { if (minProtocolIndex > OPENSSL_OP_NO_PROTOCOL_INDEX_SSLV2) { minProtocolIndex = OPENSSL_OP_NO_PROTOCOL_INDEX_SSLV2; } if (maxProtocolIndex < OPENSSL_OP_NO_PROTOCOL_INDEX_SSLV2) { // lgtm[java/constant-comparison] maxProtocolIndex = OPENSSL_OP_NO_PROTOCOL_INDEX_SSLV2; } - } else if (p.equals(PROTOCOL_SSL_V3)) { + } else if (p.equals(SslProtocols.SSL_v3)) { if (minProtocolIndex > OPENSSL_OP_NO_PROTOCOL_INDEX_SSLV3) { minProtocolIndex = OPENSSL_OP_NO_PROTOCOL_INDEX_SSLV3; } if (maxProtocolIndex < OPENSSL_OP_NO_PROTOCOL_INDEX_SSLV3) { maxProtocolIndex = OPENSSL_OP_NO_PROTOCOL_INDEX_SSLV3; } - } else if (p.equals(PROTOCOL_TLS_V1)) { + } else if (p.equals(SslProtocols.TLS_v1)) { if (minProtocolIndex > OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1) { minProtocolIndex = OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1; } if (maxProtocolIndex < OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1) { maxProtocolIndex = OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1; } - } else if (p.equals(PROTOCOL_TLS_V1_1)) { + } else if (p.equals(SslProtocols.TLS_v1_1)) { if (minProtocolIndex > OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_1) { minProtocolIndex = OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_1; } if (maxProtocolIndex < OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_1) { maxProtocolIndex = OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_1; } - } else if (p.equals(PROTOCOL_TLS_V1_2)) { + } else if (p.equals(SslProtocols.TLS_v1_2)) { if (minProtocolIndex > OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_2) { minProtocolIndex = OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_2; } if (maxProtocolIndex < OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_2) { maxProtocolIndex = OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_2; } - } else if (p.equals(PROTOCOL_TLS_V1_3)) { + } else if (p.equals(SslProtocols.TLS_v1_3)) { if (minProtocolIndex > OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_3) { minProtocolIndex = OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_3; } diff --git a/handler/src/main/java/io/netty/handler/ssl/SslProtocols.java b/handler/src/main/java/io/netty/handler/ssl/SslProtocols.java new file mode 100644 index 0000000000..c38e1cfab7 --- /dev/null +++ b/handler/src/main/java/io/netty/handler/ssl/SslProtocols.java @@ -0,0 +1,76 @@ +/* + * Copyright 2021 The Netty Project + * + * The Netty Project licenses this file to you under the Apache License, + * version 2.0 (the "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at: + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations + * under the License. + */ +package io.netty.handler.ssl; + +/** + * SSL/TLS protocols + */ +public final class SslProtocols { + + /** + * SSL v2 Hello + * + * @deprecated SSLv2Hello is no longer secure. Consider using {@link #TLS_v1_2} or {@link #TLS_v1_3} + */ + @Deprecated + public static final String SSL_v2_HELLO = "SSLv2Hello"; + + /** + * SSL v2 + * + * @deprecated SSLv2 is no longer secure. Consider using {@link #TLS_v1_2} or {@link #TLS_v1_3} + */ + @Deprecated + public static final String SSL_v2 = "SSLv2"; + + /** + * SSLv3 + * + * @deprecated SSLv3 is no longer secure. Consider using {@link #TLS_v1_2} or {@link #TLS_v1_3} + */ + @Deprecated + public static final String SSL_v3 = "SSLv3"; + + /** + * TLS v1 + * + * @deprecated TLSv1 is no longer secure. Consider using {@link #TLS_v1_2} or {@link #TLS_v1_3} + */ + @Deprecated + public static final String TLS_v1 = "TLSv1"; + + /** + * TLS v1.1 + * + * @deprecated TLSv1.1 is no longer secure. Consider using {@link #TLS_v1_2} or {@link #TLS_v1_3} + */ + @Deprecated + public static final String TLS_v1_1 = "TLSv1.1"; + + /** + * TLS v1.2 + */ + public static final String TLS_v1_2 = "TLSv1.2"; + + /** + * TLS v1.3 + */ + public static final String TLS_v1_3 = "TLSv1.3"; + + private SslProtocols() { + // Prevent outside initialization + } +} diff --git a/handler/src/main/java/io/netty/handler/ssl/SslUtils.java b/handler/src/main/java/io/netty/handler/ssl/SslUtils.java index 79bd2fc257..9f3e924630 100644 --- a/handler/src/main/java/io/netty/handler/ssl/SslUtils.java +++ b/handler/src/main/java/io/netty/handler/ssl/SslUtils.java @@ -56,14 +56,10 @@ final class SslUtils { asList("TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256", "TLS_AES_128_CCM_8_SHA256", "TLS_AES_128_CCM_SHA256"))); - // Protocols - static final String PROTOCOL_SSL_V2_HELLO = "SSLv2Hello"; - static final String PROTOCOL_SSL_V2 = "SSLv2"; - static final String PROTOCOL_SSL_V3 = "SSLv3"; - static final String PROTOCOL_TLS_V1 = "TLSv1"; - static final String PROTOCOL_TLS_V1_1 = "TLSv1.1"; - static final String PROTOCOL_TLS_V1_2 = "TLSv1.2"; - static final String PROTOCOL_TLS_V1_3 = "TLSv1.3"; + + /** + * GMSSL Protocol Version + */ static final int GMSSL_PROTOCOL_VERSION = 0x101; static final String INVALID_CIPHER = "SSL_NULL_WITH_NULL_NULL"; @@ -157,7 +153,7 @@ final class SslUtils { private static boolean isTLSv13SupportedByJDK0(Provider provider) { try { return arrayContains(newInitContext(provider) - .getSupportedSSLParameters().getProtocols(), PROTOCOL_TLS_V1_3); + .getSupportedSSLParameters().getProtocols(), SslProtocols.TLS_v1_3); } catch (Throwable cause) { logger.debug("Unable to detect if JDK SSLEngine with provider {} supports TLSv1.3, assuming no", provider, cause); @@ -178,7 +174,7 @@ final class SslUtils { private static boolean isTLSv13EnabledByJDK0(Provider provider) { try { return arrayContains(newInitContext(provider) - .getDefaultSSLParameters().getProtocols(), PROTOCOL_TLS_V1_3); + .getDefaultSSLParameters().getProtocols(), SslProtocols.TLS_v1_3); } catch (Throwable cause) { logger.debug("Unable to detect if JDK SSLEngine with provider {} enables TLSv1.3 by default," + " assuming no", provider, cause); @@ -211,7 +207,7 @@ final class SslUtils { } private static String getTlsVersion() { - return TLSV1_3_JDK_SUPPORTED ? PROTOCOL_TLS_V1_3 : PROTOCOL_TLS_V1_2; + return TLSV1_3_JDK_SUPPORTED ? SslProtocols.TLS_v1_3 : SslProtocols.TLS_v1_2; } static boolean arrayContains(String[] array, String value) { diff --git a/handler/src/test/java/io/netty/handler/ssl/CipherSuiteCanaryTest.java b/handler/src/test/java/io/netty/handler/ssl/CipherSuiteCanaryTest.java index ff491d3a73..9b7398ba5e 100644 --- a/handler/src/test/java/io/netty/handler/ssl/CipherSuiteCanaryTest.java +++ b/handler/src/test/java/io/netty/handler/ssl/CipherSuiteCanaryTest.java @@ -124,7 +124,7 @@ public class CipherSuiteCanaryTest { .sslProvider(serverSslProvider) .ciphers(ciphers) // As this is not a TLSv1.3 cipher we should ensure we talk something else. - .protocols(SslUtils.PROTOCOL_TLS_V1_2) + .protocols(SslProtocols.TLS_v1_2) .build(); final ExecutorService executorService = delegate ? Executors.newCachedThreadPool() : null; @@ -134,7 +134,7 @@ public class CipherSuiteCanaryTest { .sslProvider(clientSslProvider) .ciphers(ciphers) // As this is not a TLSv1.3 cipher we should ensure we talk something else. - .protocols(SslUtils.PROTOCOL_TLS_V1_2) + .protocols(SslProtocols.TLS_v1_2) .trustManager(InsecureTrustManagerFactory.INSTANCE) .build(); diff --git a/handler/src/test/java/io/netty/handler/ssl/CloseNotifyTest.java b/handler/src/test/java/io/netty/handler/ssl/CloseNotifyTest.java index 362de40a38..ebf080c93a 100644 --- a/handler/src/test/java/io/netty/handler/ssl/CloseNotifyTest.java +++ b/handler/src/test/java/io/netty/handler/ssl/CloseNotifyTest.java @@ -37,8 +37,6 @@ import javax.net.ssl.SSLSession; import static io.netty.buffer.ByteBufUtil.writeAscii; import static io.netty.buffer.Unpooled.EMPTY_BUFFER; import static io.netty.handler.codec.ByteToMessageDecoder.MERGE_CUMULATOR; -import static io.netty.handler.ssl.SslUtils.PROTOCOL_TLS_V1_2; -import static io.netty.handler.ssl.SslUtils.PROTOCOL_TLS_V1_3; import static java.nio.charset.StandardCharsets.US_ASCII; import static java.util.Arrays.asList; import static org.hamcrest.MatcherAssert.assertThat; @@ -62,10 +60,10 @@ public class CloseNotifyTest { static Collection data() { return asList(new Object[][] { - { SslProvider.JDK, PROTOCOL_TLS_V1_2 }, - { SslProvider.JDK, PROTOCOL_TLS_V1_3 }, - { SslProvider.OPENSSL, PROTOCOL_TLS_V1_2 }, - { SslProvider.OPENSSL, PROTOCOL_TLS_V1_3 }, + { SslProvider.JDK, SslProtocols.TLS_v1_2 }, + { SslProvider.JDK, SslProtocols.TLS_v1_3 }, + { SslProvider.OPENSSL, SslProtocols.TLS_v1_2 }, + { SslProvider.OPENSSL, SslProtocols.TLS_v1_3 }, }); } @@ -75,7 +73,7 @@ public class CloseNotifyTest { public void eventsOrder(SslProvider provider, String protocol) throws Exception { assumeTrue(provider != SslProvider.OPENSSL || OpenSsl.isAvailable(), "OpenSSL is not available"); - if (PROTOCOL_TLS_V1_3.equals(protocol)) { + if (SslProtocols.TLS_v1_3.equals(protocol)) { // Ensure we support TLSv1.3 assumeTrue(SslProvider.isTlsv13Supported(provider)); } @@ -144,7 +142,7 @@ public class CloseNotifyTest { } private static boolean jdkTls13(SslProvider provider, String protocol) { - return provider == SslProvider.JDK && PROTOCOL_TLS_V1_3.equals(protocol); + return provider == SslProvider.JDK && SslProtocols.TLS_v1_3.equals(protocol); } private static EmbeddedChannel initChannel(SslProvider provider, String protocol, final boolean useClientMode, diff --git a/handler/src/test/java/io/netty/handler/ssl/DelegatingSslContextTest.java b/handler/src/test/java/io/netty/handler/ssl/DelegatingSslContextTest.java index 7316420f94..56b36dee37 100644 --- a/handler/src/test/java/io/netty/handler/ssl/DelegatingSslContextTest.java +++ b/handler/src/test/java/io/netty/handler/ssl/DelegatingSslContextTest.java @@ -25,7 +25,7 @@ import javax.net.ssl.SSLEngine; import static org.junit.jupiter.api.Assertions.assertArrayEquals; public class DelegatingSslContextTest { - private static final String[] EXPECTED_PROTOCOLS = { SslUtils.PROTOCOL_TLS_V1_1 }; + private static final String[] EXPECTED_PROTOCOLS = { SslProtocols.TLS_v1_1 }; @Test public void testInitEngineOnNewEngine() throws Exception { diff --git a/handler/src/test/java/io/netty/handler/ssl/JdkSslEngineTest.java b/handler/src/test/java/io/netty/handler/ssl/JdkSslEngineTest.java index 3b44f5155c..f91dc148ad 100644 --- a/handler/src/test/java/io/netty/handler/ssl/JdkSslEngineTest.java +++ b/handler/src/test/java/io/netty/handler/ssl/JdkSslEngineTest.java @@ -299,7 +299,7 @@ public class JdkSslEngineTest extends SSLEngineTest { @Test public void testEnablingAnAlreadyDisabledSslProtocol() throws Exception { - testEnablingAnAlreadyDisabledSslProtocol(new String[]{}, new String[]{ SslUtils.PROTOCOL_TLS_V1_2 }); + testEnablingAnAlreadyDisabledSslProtocol(new String[]{}, new String[]{ SslProtocols.TLS_v1_2 }); } @Ignore /* Does the JDK support a "max certificate chain length"? */ diff --git a/handler/src/test/java/io/netty/handler/ssl/OpenSslEngineTest.java b/handler/src/test/java/io/netty/handler/ssl/OpenSslEngineTest.java index cf367fd8cf..fdabd3a850 100644 --- a/handler/src/test/java/io/netty/handler/ssl/OpenSslEngineTest.java +++ b/handler/src/test/java/io/netty/handler/ssl/OpenSslEngineTest.java @@ -58,11 +58,6 @@ import java.util.Set; import static io.netty.handler.ssl.OpenSslTestUtils.checkShouldUseKeyManagerFactory; import static io.netty.handler.ssl.ReferenceCountedOpenSslEngine.MAX_PLAINTEXT_LENGTH; -import static io.netty.handler.ssl.SslUtils.PROTOCOL_SSL_V2_HELLO; -import static io.netty.handler.ssl.SslUtils.PROTOCOL_SSL_V3; -import static io.netty.handler.ssl.SslUtils.PROTOCOL_TLS_V1; -import static io.netty.handler.ssl.SslUtils.PROTOCOL_TLS_V1_1; -import static io.netty.handler.ssl.SslUtils.PROTOCOL_TLS_V1_2; import static io.netty.internal.tcnative.SSL.SSL_CVERIFY_IGNORED; import static java.lang.Integer.MAX_VALUE; import static org.junit.Assert.assertArrayEquals; @@ -241,8 +236,8 @@ public class OpenSslEngineTest extends SSLEngineTest { @Test public void testEnablingAnAlreadyDisabledSslProtocol() throws Exception { - testEnablingAnAlreadyDisabledSslProtocol(new String[]{PROTOCOL_SSL_V2_HELLO}, - new String[]{PROTOCOL_SSL_V2_HELLO, PROTOCOL_TLS_V1_2}); + testEnablingAnAlreadyDisabledSslProtocol(new String[]{SslProtocols.SSL_v2_HELLO}, + new String[]{SslProtocols.SSL_v2_HELLO, SslProtocols.TLS_v1_2}); } @Test public void testWrapBuffersNoWritePendingError() throws Exception { @@ -546,24 +541,24 @@ public class OpenSslEngineTest extends SSLEngineTest { .sslProvider(sslServerProvider()) .build()); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1, "AES128-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1, "ECDHE-RSA-AES128-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1, "DES-CBC3-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1, "AECDH-DES-CBC3-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1, "CAMELLIA128-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1, "SEED-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1, "RC4-MD5"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1, "AES256-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1, "ADH-DES-CBC3-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1, "EDH-RSA-DES-CBC3-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1, "ADH-RC4-MD5"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1, "IDEA-CBC-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1, "RC4-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1, "CAMELLIA256-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1, "AECDH-RC4-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1, "ECDHE-RSA-DES-CBC3-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1, "ECDHE-RSA-AES256-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1, "ECDHE-RSA-RC4-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1, "AES128-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1, "ECDHE-RSA-AES128-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1, "DES-CBC3-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1, "AECDH-DES-CBC3-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1, "CAMELLIA128-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1, "SEED-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1, "RC4-MD5"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1, "AES256-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1, "ADH-DES-CBC3-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1, "EDH-RSA-DES-CBC3-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1, "ADH-RC4-MD5"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1, "IDEA-CBC-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1, "RC4-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1, "CAMELLIA256-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1, "AECDH-RC4-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1, "ECDHE-RSA-DES-CBC3-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1, "ECDHE-RSA-AES256-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1, "ECDHE-RSA-RC4-SHA"); } @Test @@ -577,21 +572,21 @@ public class OpenSslEngineTest extends SSLEngineTest { .sslProvider(sslServerProvider()) .build()); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_1, "ECDHE-RSA-AES256-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_1, "AES256-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_1, "CAMELLIA256-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_1, "ECDHE-RSA-AES256-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_1, "SEED-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_1, "CAMELLIA128-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_1, "IDEA-CBC-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_1, "AECDH-RC4-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_1, "ADH-RC4-MD5"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_1, "RC4-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_1, "ECDHE-RSA-DES-CBC3-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_1, "EDH-RSA-DES-CBC3-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_1, "AECDH-DES-CBC3-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_1, "ADH-DES-CBC3-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_1, "DES-CBC3-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_1, "ECDHE-RSA-AES256-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_1, "AES256-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_1, "CAMELLIA256-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_1, "ECDHE-RSA-AES256-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_1, "SEED-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_1, "CAMELLIA128-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_1, "IDEA-CBC-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_1, "AECDH-RC4-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_1, "ADH-RC4-MD5"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_1, "RC4-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_1, "ECDHE-RSA-DES-CBC3-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_1, "EDH-RSA-DES-CBC3-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_1, "AECDH-DES-CBC3-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_1, "ADH-DES-CBC3-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_1, "DES-CBC3-SHA"); } @Test @@ -605,31 +600,31 @@ public class OpenSslEngineTest extends SSLEngineTest { .sslProvider(sslServerProvider()) .build()); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "AES128-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "ECDHE-RSA-AES128-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "DES-CBC3-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "AES128-GCM-SHA256"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "ECDHE-RSA-AES256-SHA384"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "AECDH-DES-CBC3-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "AES256-GCM-SHA384"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "AES256-SHA256"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "ECDHE-RSA-AES128-GCM-SHA256"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "ECDHE-RSA-AES128-SHA256"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "CAMELLIA128-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "SEED-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "RC4-MD5"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "AES256-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "ADH-DES-CBC3-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "EDH-RSA-DES-CBC3-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "ADH-RC4-MD5"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "RC4-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "CAMELLIA256-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "AES128-SHA256"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "AECDH-RC4-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "ECDHE-RSA-DES-CBC3-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "ECDHE-RSA-AES256-GCM-SHA384"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "ECDHE-RSA-AES256-SHA"); - testWrapWithDifferentSizes(PROTOCOL_TLS_V1_2, "ECDHE-RSA-RC4-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "AES128-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "ECDHE-RSA-AES128-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "DES-CBC3-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "AES128-GCM-SHA256"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "ECDHE-RSA-AES256-SHA384"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "AECDH-DES-CBC3-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "AES256-GCM-SHA384"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "AES256-SHA256"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "ECDHE-RSA-AES128-GCM-SHA256"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "ECDHE-RSA-AES128-SHA256"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "CAMELLIA128-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "SEED-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "RC4-MD5"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "AES256-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "ADH-DES-CBC3-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "EDH-RSA-DES-CBC3-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "ADH-RC4-MD5"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "RC4-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "CAMELLIA256-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "AES128-SHA256"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "AECDH-RC4-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "ECDHE-RSA-DES-CBC3-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "ECDHE-RSA-AES256-GCM-SHA384"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "ECDHE-RSA-AES256-SHA"); + testWrapWithDifferentSizes(SslProtocols.TLS_v1_2, "ECDHE-RSA-RC4-SHA"); } @Test @@ -643,31 +638,31 @@ public class OpenSslEngineTest extends SSLEngineTest { .sslProvider(sslServerProvider()) .build()); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "ADH-AES128-SHA"); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "ADH-CAMELLIA128-SHA"); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "AECDH-AES128-SHA"); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "AECDH-DES-CBC3-SHA"); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "CAMELLIA128-SHA"); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "DHE-RSA-AES256-SHA"); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "SEED-SHA"); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "RC4-MD5"); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "ADH-AES256-SHA"); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "ADH-SEED-SHA"); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "ADH-DES-CBC3-SHA"); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "EDH-RSA-DES-CBC3-SHA"); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "ADH-RC4-MD5"); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "IDEA-CBC-SHA"); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "DHE-RSA-AES128-SHA"); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "RC4-SHA"); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "CAMELLIA256-SHA"); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "AECDH-RC4-SHA"); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "DHE-RSA-SEED-SHA"); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "AECDH-AES256-SHA"); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "ECDHE-RSA-DES-CBC3-SHA"); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "ADH-CAMELLIA256-SHA"); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "DHE-RSA-CAMELLIA256-SHA"); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "DHE-RSA-CAMELLIA128-SHA"); - testWrapWithDifferentSizes(PROTOCOL_SSL_V3, "ECDHE-RSA-RC4-SHA"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "ADH-AES128-SHA"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "ADH-CAMELLIA128-SHA"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "AECDH-AES128-SHA"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "AECDH-DES-CBC3-SHA"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "CAMELLIA128-SHA"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "DHE-RSA-AES256-SHA"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "SEED-SHA"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "RC4-MD5"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "ADH-AES256-SHA"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "ADH-SEED-SHA"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "ADH-DES-CBC3-SHA"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "EDH-RSA-DES-CBC3-SHA"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "ADH-RC4-MD5"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "IDEA-CBC-SHA"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "DHE-RSA-AES128-SHA"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "RC4-SHA"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "CAMELLIA256-SHA"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "AECDH-RC4-SHA"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "DHE-RSA-SEED-SHA"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "AECDH-AES256-SHA"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "ECDHE-RSA-DES-CBC3-SHA"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "ADH-CAMELLIA256-SHA"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "DHE-RSA-CAMELLIA256-SHA"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "DHE-RSA-CAMELLIA128-SHA"); + testWrapWithDifferentSizes(SslProtocols.SSL_v3, "ECDHE-RSA-RC4-SHA"); } @Test @@ -1394,22 +1389,22 @@ public class OpenSslEngineTest extends SSLEngineTest { @Test public void testDefaultTLS1NotAcceptedByDefaultServer() throws Exception { - testDefaultTLS1NotAcceptedByDefault(null, PROTOCOL_TLS_V1); + testDefaultTLS1NotAcceptedByDefault(null, SslProtocols.TLS_v1); } @Test public void testDefaultTLS11NotAcceptedByDefaultServer() throws Exception { - testDefaultTLS1NotAcceptedByDefault(null, PROTOCOL_TLS_V1_1); + testDefaultTLS1NotAcceptedByDefault(null, SslProtocols.TLS_v1_1); } @Test public void testDefaultTLS1NotAcceptedByDefaultClient() throws Exception { - testDefaultTLS1NotAcceptedByDefault(PROTOCOL_TLS_V1, null); + testDefaultTLS1NotAcceptedByDefault(SslProtocols.TLS_v1, null); } @Test public void testDefaultTLS11NotAcceptedByDefaultClient() throws Exception { - testDefaultTLS1NotAcceptedByDefault(PROTOCOL_TLS_V1_1, null); + testDefaultTLS1NotAcceptedByDefault(SslProtocols.TLS_v1_1, null); } private void testDefaultTLS1NotAcceptedByDefault(String clientProtocol, String serverProtocol) throws Exception { diff --git a/handler/src/test/java/io/netty/handler/ssl/OpenSslPrivateKeyMethodTest.java b/handler/src/test/java/io/netty/handler/ssl/OpenSslPrivateKeyMethodTest.java index a966e4fe9a..3e9a327f14 100644 --- a/handler/src/test/java/io/netty/handler/ssl/OpenSslPrivateKeyMethodTest.java +++ b/handler/src/test/java/io/netty/handler/ssl/OpenSslPrivateKeyMethodTest.java @@ -117,10 +117,10 @@ public class OpenSslPrivateKeyMethodTest { if (provider == SslProvider.JDK) { SSLEngine engine = SSLContext.getDefault().createSSLEngine(); for (String c: engine.getSupportedCipherSuites()) { - if (RFC_CIPHER_NAME.equals(c)) { - cipherSupported = true; - break; - } + if (RFC_CIPHER_NAME.equals(c)) { + cipherSupported = true; + break; + } } } else { cipherSupported = OpenSsl.isCipherSuiteAvailable(RFC_CIPHER_NAME); @@ -141,11 +141,11 @@ public class OpenSslPrivateKeyMethodTest { final KeyManagerFactory kmf = OpenSslX509KeyManagerFactory.newKeyless(CERT.cert()); - return SslContextBuilder.forServer(kmf) + return SslContextBuilder.forServer(kmf) .sslProvider(SslProvider.OPENSSL) .ciphers(ciphers) // As this is not a TLSv1.3 cipher we should ensure we talk something else. - .protocols(SslUtils.PROTOCOL_TLS_V1_2) + .protocols(SslProtocols.TLS_v1_2) .option(OpenSslContextOption.PRIVATE_KEY_METHOD, method) .build(); } @@ -155,13 +155,13 @@ public class OpenSslPrivateKeyMethodTest { .sslProvider(SslProvider.JDK) .ciphers(Collections.singletonList(RFC_CIPHER_NAME)) // As this is not a TLSv1.3 cipher we should ensure we talk something else. - .protocols(SslUtils.PROTOCOL_TLS_V1_2) + .protocols(SslProtocols.TLS_v1_2) .trustManager(InsecureTrustManagerFactory.INSTANCE) .build(); } private static Executor delegateExecutor(boolean delegate) { - return delegate ? EXECUTOR : null; + return delegate ? EXECUTOR : null; } private static void assertThread(boolean delegate) { @@ -282,7 +282,7 @@ public class OpenSslPrivateKeyMethodTest { Channel client = client(server, clientHandler); try { client.writeAndFlush(Unpooled.wrappedBuffer(new byte[] {'P', 'I', 'N', 'G'})) - .syncUninterruptibly(); + .syncUninterruptibly(); assertTrue(clientPromise.await(5L, TimeUnit.SECONDS), "client timeout"); assertTrue(serverPromise.await(5L, TimeUnit.SECONDS), "server timeout"); diff --git a/handler/src/test/java/io/netty/handler/ssl/OpenSslServerContextTest.java b/handler/src/test/java/io/netty/handler/ssl/OpenSslServerContextTest.java index a1b23436f3..17c0921f50 100644 --- a/handler/src/test/java/io/netty/handler/ssl/OpenSslServerContextTest.java +++ b/handler/src/test/java/io/netty/handler/ssl/OpenSslServerContextTest.java @@ -13,17 +13,13 @@ * License for the specific language governing permissions and limitations * under the License. */ - package io.netty.handler.ssl; -import org.junit.Assume; import org.junit.BeforeClass; import javax.net.ssl.SSLException; import java.io.File; -import static org.junit.Assume.assumeTrue; - public class OpenSslServerContextTest extends SslContextTest { @BeforeClass diff --git a/handler/src/test/java/io/netty/handler/ssl/ParameterizedSslHandlerTest.java b/handler/src/test/java/io/netty/handler/ssl/ParameterizedSslHandlerTest.java index db5da0c5ec..13e1bd8f08 100644 --- a/handler/src/test/java/io/netty/handler/ssl/ParameterizedSslHandlerTest.java +++ b/handler/src/test/java/io/netty/handler/ssl/ParameterizedSslHandlerTest.java @@ -405,7 +405,7 @@ public class ParameterizedSslHandlerTest { // Use TLSv1.2 as we depend on the fact that the handshake // is done in an extra round trip in the test which // is not true in TLSv1.3 - .protocols(SslUtils.PROTOCOL_TLS_V1_2) + .protocols(SslProtocols.TLS_v1_2) .build(); final SslContext sslClientCtx = SslContextBuilder.forClient() @@ -414,7 +414,7 @@ public class ParameterizedSslHandlerTest { // Use TLSv1.2 as we depend on the fact that the handshake // is done in an extra round trip in the test which // is not true in TLSv1.3 - .protocols(SslUtils.PROTOCOL_TLS_V1_2) + .protocols(SslProtocols.TLS_v1_2) .build(); EventLoopGroup group = new NioEventLoopGroup(); diff --git a/handler/src/test/java/io/netty/handler/ssl/RenegotiateTest.java b/handler/src/test/java/io/netty/handler/ssl/RenegotiateTest.java index a3f2c0cfde..cd2bd44e3a 100644 --- a/handler/src/test/java/io/netty/handler/ssl/RenegotiateTest.java +++ b/handler/src/test/java/io/netty/handler/ssl/RenegotiateTest.java @@ -50,7 +50,7 @@ public abstract class RenegotiateTest { try { final SslContext context = SslContextBuilder.forServer(cert.key(), cert.cert()) .sslProvider(serverSslProvider()) - .protocols(SslUtils.PROTOCOL_TLS_V1_2) + .protocols(SslProtocols.TLS_v1_2) .build(); ServerBootstrap sb = new ServerBootstrap(); @@ -105,7 +105,7 @@ public abstract class RenegotiateTest { final SslContext clientContext = SslContextBuilder.forClient() .trustManager(InsecureTrustManagerFactory.INSTANCE) .sslProvider(SslProvider.JDK) - .protocols(SslUtils.PROTOCOL_TLS_V1_2) + .protocols(SslProtocols.TLS_v1_2) .build(); Bootstrap bootstrap = new Bootstrap(); diff --git a/handler/src/test/java/io/netty/handler/ssl/SSLEngineTest.java b/handler/src/test/java/io/netty/handler/ssl/SSLEngineTest.java index d04a1ef9a7..07fa482ab3 100644 --- a/handler/src/test/java/io/netty/handler/ssl/SSLEngineTest.java +++ b/handler/src/test/java/io/netty/handler/ssl/SSLEngineTest.java @@ -184,9 +184,9 @@ public abstract class SSLEngineTest { static final class ProtocolCipherCombo { private static final ProtocolCipherCombo TLSV12 = new ProtocolCipherCombo( - PROTOCOL_TLS_V1_2, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"); + SslProtocols.TLS_v1_2, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"); private static final ProtocolCipherCombo TLSV13 = new ProtocolCipherCombo( - PROTOCOL_TLS_V1_3, "TLS_AES_128_GCM_SHA256"); + SslProtocols.TLS_v1_3, "TLS_AES_128_GCM_SHA256"); final String protocol; final String cipher; @@ -532,13 +532,13 @@ public abstract class SSLEngineTest { // due to no shared/supported cipher. clientSslCtx = wrapContext(SslContextBuilder.forClient() .trustManager(InsecureTrustManagerFactory.INSTANCE) - .protocols(PROTOCOL_TLS_V1_3, PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1) + .protocols(SslProtocols.TLS_v1_3, SslProtocols.TLS_v1_2, SslProtocols.TLS_v1) .sslContextProvider(clientSslContextProvider()) .sslProvider(sslClientProvider()) .build()); serverSslCtx = wrapContext(SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey()) - .protocols(PROTOCOL_TLS_V1_3, PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1) + .protocols(SslProtocols.TLS_v1_3, SslProtocols.TLS_v1_2, SslProtocols.TLS_v1) .sslContextProvider(serverSslContextProvider()) .sslProvider(sslServerProvider()) .build()); @@ -1513,7 +1513,7 @@ public abstract class SSLEngineTest { assertArrayEquals(protocols1, enabledProtocols); // Enable a protocol that is currently disabled - sslEngine.setEnabledProtocols(new String[]{ PROTOCOL_TLS_V1_2 }); + sslEngine.setEnabledProtocols(new String[]{ SslProtocols.TLS_v1_2 }); // The protocol that was just enabled should be returned enabledProtocols = sslEngine.getEnabledProtocols(); @@ -1584,7 +1584,7 @@ public abstract class SSLEngineTest { if (!clientHandshakeFinished || // After the handshake completes it is possible we have more data that was send by the server as // the server will send session updates after the handshake. In this case continue to unwrap. - SslUtils.PROTOCOL_TLS_V1_3.equals(clientEngine.getSession().getProtocol())) { + SslProtocols.TLS_v1_3.equals(clientEngine.getSession().getProtocol())) { int clientAppReadBufferPos = clientAppReadBuffer.position(); clientResult = clientEngine.unwrap(sTOc, clientAppReadBuffer); @@ -1700,7 +1700,7 @@ public abstract class SSLEngineTest { if (serverApn.protocol() == Protocol.NPN || serverApn.protocol() == Protocol.NPN_AND_ALPN) { // NPN is not really well supported with TLSv1.3 so force to use TLSv1.2 // See https://github.com/openssl/openssl/issues/3665 - serverCtxBuilder.protocols(PROTOCOL_TLS_V1_2); + serverCtxBuilder.protocols(SslProtocols.TLS_v1_2); } SslContextBuilder clientCtxBuilder = SslContextBuilder.forClient() @@ -1715,7 +1715,7 @@ public abstract class SSLEngineTest { if (clientApn.protocol() == Protocol.NPN || clientApn.protocol() == Protocol.NPN_AND_ALPN) { // NPN is not really well supported with TLSv1.3 so force to use TLSv1.2 // See https://github.com/openssl/openssl/issues/3665 - clientCtxBuilder.protocols(PROTOCOL_TLS_V1_2); + clientCtxBuilder.protocols(SslProtocols.TLS_v1_2); } setupHandlers(wrapContext(serverCtxBuilder.build()), wrapContext(clientCtxBuilder.build())); @@ -2043,9 +2043,9 @@ public abstract class SSLEngineTest { if (provider != null) { // conscrypt not correctly filters out TLSv1 and TLSv1.1 which is required now by the JDK. // https://github.com/google/conscrypt/issues/1013 - return new String[] { PROTOCOL_TLS_V1_2 }; + return new String[] { SslProtocols.TLS_v1_2 }; } - return new String[] {PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1}; + return new String[] {SslProtocols.TLS_v1_2, SslProtocols.TLS_v1}; } @Test @@ -2333,7 +2333,7 @@ public abstract class SSLEngineTest { .sslContextProvider(clientSslContextProvider()) .sslProvider(sslClientProvider()) // This test only works for non TLSv1.3 for now - .protocols(PROTOCOL_TLS_V1_2) + .protocols(SslProtocols.TLS_v1_2) .build()); SSLEngine client = wrapEngine(clientSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT)); @@ -2342,7 +2342,7 @@ public abstract class SSLEngineTest { .sslContextProvider(serverSslContextProvider()) .sslProvider(sslServerProvider()) // This test only works for non TLSv1.3 for now - .protocols(PROTOCOL_TLS_V1_2) + .protocols(SslProtocols.TLS_v1_2) .build()); SSLEngine server = wrapEngine(serverSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT)); @@ -2803,12 +2803,13 @@ public abstract class SSLEngineTest { @Test public void testDisableProtocols() throws Exception { - testDisableProtocols(PROTOCOL_SSL_V2, PROTOCOL_SSL_V2); - testDisableProtocols(PROTOCOL_SSL_V3, PROTOCOL_SSL_V2, PROTOCOL_SSL_V3); - testDisableProtocols(PROTOCOL_TLS_V1, PROTOCOL_SSL_V2, PROTOCOL_SSL_V3, PROTOCOL_TLS_V1); - testDisableProtocols(PROTOCOL_TLS_V1_1, PROTOCOL_SSL_V2, PROTOCOL_SSL_V3, PROTOCOL_TLS_V1, PROTOCOL_TLS_V1_1); - testDisableProtocols(PROTOCOL_TLS_V1_2, PROTOCOL_SSL_V2, - PROTOCOL_SSL_V3, PROTOCOL_TLS_V1, PROTOCOL_TLS_V1_1, PROTOCOL_TLS_V1_2); + testDisableProtocols(SslProtocols.SSL_v2, SslProtocols.SSL_v2); + testDisableProtocols(SslProtocols.SSL_v3, SslProtocols.SSL_v2, SslProtocols.SSL_v3); + testDisableProtocols(SslProtocols.TLS_v1, SslProtocols.SSL_v2, SslProtocols.SSL_v3, SslProtocols.TLS_v1); + testDisableProtocols(SslProtocols.TLS_v1_1, SslProtocols.SSL_v2, SslProtocols.SSL_v3, SslProtocols.TLS_v1, + SslProtocols.TLS_v1_1); + testDisableProtocols(SslProtocols.TLS_v1_2, SslProtocols.SSL_v2, + SslProtocols.SSL_v3, SslProtocols.TLS_v1, SslProtocols.TLS_v1_1, SslProtocols.TLS_v1_2); } private void testDisableProtocols(String protocol, String... disabledProtocols) throws Exception { @@ -2832,7 +2833,7 @@ public abstract class SSLEngineTest { for (String disabled : disabledProtocols) { supported.remove(disabled); } - if (supported.contains(PROTOCOL_SSL_V2_HELLO) && supported.size() == 1) { + if (supported.contains(SslProtocols.SSL_v2_HELLO) && supported.size() == 1) { // It's not allowed to set only PROTOCOL_SSL_V2_HELLO if using JDK SSLEngine. return; } @@ -4010,9 +4011,9 @@ public abstract class SSLEngineTest { } assertEquals(SslProvider.isTlsv13EnabledByDefault(sslClientProvider(), clientSslContextProvider()), - arrayContains(clientProtocols, PROTOCOL_TLS_V1_3)); + arrayContains(clientProtocols, SslProtocols.TLS_v1_3)); assertEquals(SslProvider.isTlsv13EnabledByDefault(sslServerProvider(), serverSslContextProvider()), - arrayContains(serverProtocols, PROTOCOL_TLS_V1_3)); + arrayContains(serverProtocols, SslProtocols.TLS_v1_3)); } protected SSLEngine wrapEngine(SSLEngine engine) { diff --git a/handler/src/test/java/io/netty/handler/ssl/SniHandlerTest.java b/handler/src/test/java/io/netty/handler/ssl/SniHandlerTest.java index 390ac684f3..d640eadf6c 100644 --- a/handler/src/test/java/io/netty/handler/ssl/SniHandlerTest.java +++ b/handler/src/test/java/io/netty/handler/ssl/SniHandlerTest.java @@ -611,7 +611,7 @@ public class SniHandlerTest { * This is a {@link SslHandler} that will call {@code release()} on the {@link SslContext} when * the client disconnects. * - * @see SniHandlerTest#testReplaceHandler() + * @see SniHandlerTest#testReplaceHandler(SslProvider) */ private static class CustomSslHandler extends SslHandler { private final SslContext sslContext; diff --git a/handler/src/test/java/io/netty/handler/ssl/SslHandlerTest.java b/handler/src/test/java/io/netty/handler/ssl/SslHandlerTest.java index aec0c34173..efe401d516 100644 --- a/handler/src/test/java/io/netty/handler/ssl/SslHandlerTest.java +++ b/handler/src/test/java/io/netty/handler/ssl/SslHandlerTest.java @@ -836,7 +836,7 @@ public class SslHandlerTest { @Timeout(value = 10000, unit = TimeUnit.MILLISECONDS) public void testHandshakeFailedByWriteBeforeChannelActive() throws Exception { final SslContext sslClientCtx = SslContextBuilder.forClient() - .protocols(SslUtils.PROTOCOL_SSL_V3) + .protocols(SslProtocols.SSL_v3) .trustManager(InsecureTrustManagerFactory.INSTANCE) .sslProvider(SslProvider.JDK).build(); @@ -1145,27 +1145,27 @@ public class SslHandlerTest { @Test @Timeout(value = 5000, unit = TimeUnit.MILLISECONDS) public void testSessionTicketsWithTLSv12() throws Throwable { - testSessionTickets(SslProvider.OPENSSL, SslUtils.PROTOCOL_TLS_V1_2, true); + testSessionTickets(SslProvider.OPENSSL, SslProtocols.TLS_v1_2, true); } @Test @Timeout(value = 5000, unit = TimeUnit.MILLISECONDS) public void testSessionTicketsWithTLSv13() throws Throwable { assumeTrue(SslProvider.isTlsv13Supported(SslProvider.OPENSSL)); - testSessionTickets(SslProvider.OPENSSL, SslUtils.PROTOCOL_TLS_V1_3, true); + testSessionTickets(SslProvider.OPENSSL, SslProtocols.TLS_v1_3, true); } @Test @Timeout(value = 5000, unit = TimeUnit.MILLISECONDS) public void testSessionTicketsWithTLSv12AndNoKey() throws Throwable { - testSessionTickets(SslProvider.OPENSSL, SslUtils.PROTOCOL_TLS_V1_2, false); + testSessionTickets(SslProvider.OPENSSL, SslProtocols.TLS_v1_2, false); } @Test @Timeout(value = 5000, unit = TimeUnit.MILLISECONDS) public void testSessionTicketsWithTLSv13AndNoKey() throws Throwable { assumeTrue(OpenSsl.isTlsv13Supported()); - testSessionTickets(SslProvider.OPENSSL, SslUtils.PROTOCOL_TLS_V1_3, false); + testSessionTickets(SslProvider.OPENSSL, SslProtocols.TLS_v1_3, false); } private static void testSessionTickets(SslProvider provider, String protocol, boolean withKey) throws Throwable { @@ -1223,7 +1223,7 @@ public class SslHandlerTest { // This test only works for non TLSv1.3 as TLSv1.3 will establish sessions after // the handshake is done. // See https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_sess_set_get_cb.html - if (!SslUtils.PROTOCOL_TLS_V1_3.equals(engine.getSession().getProtocol())) { + if (!SslProtocols.TLS_v1_3.equals(engine.getSession().getProtocol())) { // First should not re-use the session try { assertEquals(handshakeCount > 1, engine.isSessionReused()); @@ -1297,7 +1297,7 @@ public class SslHandlerTest { // This test only works for non TLSv1.3 as TLSv1.3 will establish sessions after // the handshake is done. // See https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_sess_set_get_cb.html - if (!SslUtils.PROTOCOL_TLS_V1_3.equals(engine.getSession().getProtocol())) { + if (!SslProtocols.TLS_v1_3.equals(engine.getSession().getProtocol())) { assertEquals(isReused, engine.isSessionReused()); } Object obj = queue.take(); @@ -1472,11 +1472,11 @@ public class SslHandlerTest { if (tls13) { clientCipher = "TLS_AES_128_GCM_SHA256"; serverCipher = "TLS_AES_256_GCM_SHA384"; - protocol = SslUtils.PROTOCOL_TLS_V1_3; + protocol = SslProtocols.TLS_v1_3; } else { clientCipher = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"; serverCipher = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"; - protocol = SslUtils.PROTOCOL_TLS_V1_2; + protocol = SslProtocols.TLS_v1_2; } final SslContext sslClientCtx = SslContextBuilder.forClient() .trustManager(InsecureTrustManagerFactory.INSTANCE) @@ -1566,26 +1566,26 @@ public class SslHandlerTest { @Test public void testHandshakeEventsTls12JDK() throws Exception { - testHandshakeEvents(SslProvider.JDK, SslUtils.PROTOCOL_TLS_V1_2); + testHandshakeEvents(SslProvider.JDK, SslProtocols.TLS_v1_2); } @Test public void testHandshakeEventsTls12Openssl() throws Exception { OpenSsl.ensureAvailability(); - testHandshakeEvents(SslProvider.OPENSSL, SslUtils.PROTOCOL_TLS_V1_2); + testHandshakeEvents(SslProvider.OPENSSL, SslProtocols.TLS_v1_2); } @Test public void testHandshakeEventsTls13JDK() throws Exception { assumeTrue(SslProvider.isTlsv13Supported(SslProvider.JDK)); - testHandshakeEvents(SslProvider.JDK, SslUtils.PROTOCOL_TLS_V1_3); + testHandshakeEvents(SslProvider.JDK, SslProtocols.TLS_v1_3); } @Test public void testHandshakeEventsTls13Openssl() throws Exception { OpenSsl.ensureAvailability(); assumeTrue(SslProvider.isTlsv13Supported(SslProvider.OPENSSL)); - testHandshakeEvents(SslProvider.OPENSSL, SslUtils.PROTOCOL_TLS_V1_3); + testHandshakeEvents(SslProvider.OPENSSL, SslProtocols.TLS_v1_3); } private void testHandshakeEvents(SslProvider provider, String protocol) throws Exception {