Enable Tlsv1.3 when using BouncyCastle ALPN support (#11193)

Motivation: In the latest version of BouncyCastle, BCJSSE:'TLSv1.3' is now a supported protocol for both client and server. So should consider enabling TLSv1.3 when TLSv1.3 is available Modification: This pr is to enable TLSv1.3 when using BouncyCastle ALPN support, please review this pr,thanks Result: Enable TLSv1.3 when using BouncyCastle ALPN support Signed-off-by: xingrufei <xingrufei@sogou-inc.com> Co-authored-by: xingrufei <xingrufei@sogou-inc.com>
2021-04-26 16:01:16 +08:00 · 2021-04-26 16:01:16 +08:00 · f221e4d706
commit f221e4d706
parent 6389f18a16
2 changed files with 21 additions and 2 deletions
--- a/handler/src/main/java/io/netty/handler/ssl/BouncyCastleAlpnSslUtils.java
+++ b/handler/src/main/java/io/netty/handler/ssl/BouncyCastleAlpnSslUtils.java
@ -31,6 +31,8 @@ import java.security.PrivilegedExceptionAction;
 import java.util.List;
 import java.util.function.BiFunction;

+import static io.netty.handler.ssl.SslUtils.getSSLContext;
+
 final class BouncyCastleAlpnSslUtils {
    private static final InternalLogger logger = InternalLoggerFactory.getInstance(BouncyCastleAlpnSslUtils.class);
    private static final Class BC_SSL_PARAMETERS;
@ -76,8 +78,7 @@ final class BouncyCastleAlpnSslUtils {
                }
            });

-            SSLContext context = SSLContext.getInstance("TLSV1.2", "BCJSSE");
-            context.init(null, null, null);
+            SSLContext context = getSSLContext("BCJSSE");
            SSLEngine engine = context.createSSLEngine();
            setParameters = AccessController.doPrivileged(new PrivilegedExceptionAction<Method>() {
                @Override
--- a/handler/src/main/java/io/netty/handler/ssl/SslUtils.java
+++ b/handler/src/main/java/io/netty/handler/ssl/SslUtils.java
@ -23,6 +23,7 @@ import io.netty.handler.codec.base64.Base64;
 import io.netty.handler.codec.base64.Base64Dialect;
 import io.netty.util.NetUtil;
 import io.netty.util.internal.EmptyArrays;
+import io.netty.util.internal.StringUtil;
 import io.netty.util.internal.logging.InternalLogger;
 import io.netty.util.internal.logging.InternalLoggerFactory;

@ -30,6 +31,7 @@ import java.nio.ByteBuffer;
 import java.nio.ByteOrder;
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
 import java.security.Provider;
 import java.util.ArrayList;
 import java.util.Collections;
@ -195,6 +197,22 @@ final class SslUtils {
        return context;
    }

+    static SSLContext getSSLContext(String provider)
+            throws NoSuchAlgorithmException, KeyManagementException, NoSuchProviderException {
+        final SSLContext context;
+        if (StringUtil.isNullOrEmpty(provider)) {
+            context = SSLContext.getInstance(getTlsVersion());
+        } else {
+            context = SSLContext.getInstance(getTlsVersion(), provider);
+        }
+        context.init(null, new TrustManager[0], null);
+        return context;
+    }
+
+    private static String getTlsVersion() {
+        return TLSV1_3_JDK_SUPPORTED ? PROTOCOL_TLS_V1_3 : PROTOCOL_TLS_V1_2;
+    }
+
    static boolean arrayContains(String[] array, String value) {
        for (String v: array) {
            if (value.equals(v)) {