Disable TLSv1 and TLSv1.1 by default (#11237)
Motivation: TLSv1 and TLSv1.1 is considered insecure. Let's follow the JDK and disable these by default Modifications: - Disable TLSv1 and TLSv1.1 by default when using OpenSSL. - Add unit tests Result: Use only strong TLS versions by default when using OpenSSL
This commit is contained in:
Norman Maurer
parent
e54aeea1da
commit
f546718df6
@ -296,6 +296,11 @@ public abstract class ReferenceCountedOpenSslContext extends SslContext implemen
|
|||||||
int options = SSLContext.getOptions(ctx) |
|
int options = SSLContext.getOptions(ctx) |
|
||||||
SSL.SSL_OP_NO_SSLv2 |
|
SSL.SSL_OP_NO_SSLv2 |
|
||||||
SSL.SSL_OP_NO_SSLv3 |
|
SSL.SSL_OP_NO_SSLv3 |
|
||||||
|
// Disable TLSv1 and TLSv1.1 by default as these are not considered secure anymore
|
||||||
|
// and the JDK is doing the same:
|
||||||
|
// https://www.oracle.com/java/technologies/javase/8u291-relnotes.html
|
||||||
|
SSL.SSL_OP_NO_TLSv1 |
|
||||||
|
SSL.SSL_OP_NO_TLSv1_1 |
|
||||||
|
|
||||||
SSL.SSL_OP_CIPHER_SERVER_PREFERENCE |
|
SSL.SSL_OP_CIPHER_SERVER_PREFERENCE |
|
||||||
|
|
||||||
|
|||||||
@ -38,6 +38,7 @@ import javax.net.ssl.SSLEngine;
|
|||||||
import javax.net.ssl.SSLEngineResult;
|
import javax.net.ssl.SSLEngineResult;
|
||||||
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
|
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
|
||||||
import javax.net.ssl.SSLException;
|
import javax.net.ssl.SSLException;
|
||||||
|
import javax.net.ssl.SSLHandshakeException;
|
||||||
import javax.net.ssl.SSLParameters;
|
import javax.net.ssl.SSLParameters;
|
||||||
import javax.net.ssl.X509ExtendedKeyManager;
|
import javax.net.ssl.X509ExtendedKeyManager;
|
||||||
import java.net.Socket;
|
import java.net.Socket;
|
||||||
@ -72,6 +73,7 @@ import static org.junit.Assert.assertNotEquals;
|
|||||||
import static org.junit.Assert.assertNull;
|
import static org.junit.Assert.assertNull;
|
||||||
import static org.junit.Assert.assertSame;
|
import static org.junit.Assert.assertSame;
|
||||||
import static org.junit.Assert.assertTrue;
|
import static org.junit.Assert.assertTrue;
|
||||||
|
import static org.junit.Assert.fail;
|
||||||
import static org.junit.Assume.assumeTrue;
|
import static org.junit.Assume.assumeTrue;
|
||||||
|
|
||||||
@RunWith(Parameterized.class)
|
@RunWith(Parameterized.class)
|
||||||
@ -1388,6 +1390,59 @@ public class OpenSslEngineTest extends SSLEngineTest {
|
|||||||
super.testSessionLocalWhenNonMutualWithoutKeyManager();
|
super.testSessionLocalWhenNonMutualWithoutKeyManager();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testDefaultTLS1NotAcceptedByDefaultServer() throws Exception {
|
||||||
|
testDefaultTLS1NotAcceptedByDefault(null, PROTOCOL_TLS_V1);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testDefaultTLS11NotAcceptedByDefaultServer() throws Exception {
|
||||||
|
testDefaultTLS1NotAcceptedByDefault(null, PROTOCOL_TLS_V1_1);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testDefaultTLS1NotAcceptedByDefaultClient() throws Exception {
|
||||||
|
testDefaultTLS1NotAcceptedByDefault(PROTOCOL_TLS_V1, null);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testDefaultTLS11NotAcceptedByDefaultClient() throws Exception {
|
||||||
|
testDefaultTLS1NotAcceptedByDefault(PROTOCOL_TLS_V1_1, null);
|
||||||
|
}
|
||||||
|
|
||||||
|
private void testDefaultTLS1NotAcceptedByDefault(String clientProtocol, String serverProtocol) throws Exception {
|
||||||
|
SslContextBuilder clientCtxBuilder = SslContextBuilder.forClient()
|
||||||
|
.trustManager(InsecureTrustManagerFactory.INSTANCE)
|
||||||
|
.sslProvider(sslClientProvider())
|
||||||
|
.sslContextProvider(clientSslContextProvider());
|
||||||
|
if (clientProtocol != null) {
|
||||||
|
clientCtxBuilder.protocols(clientProtocol);
|
||||||
|
}
|
||||||
|
clientSslCtx = wrapContext(clientCtxBuilder.build());
|
||||||
|
SelfSignedCertificate ssc = new SelfSignedCertificate();
|
||||||
|
|
||||||
|
SslContextBuilder serverCtxBuilder = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
|
||||||
|
.sslProvider(sslServerProvider())
|
||||||
|
.sslContextProvider(serverSslContextProvider());
|
||||||
|
if (serverProtocol != null) {
|
||||||
|
serverCtxBuilder.protocols(serverProtocol);
|
||||||
|
}
|
||||||
|
serverSslCtx = wrapContext(serverCtxBuilder.build());
|
||||||
|
SSLEngine client = wrapEngine(clientSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT));
|
||||||
|
SSLEngine server = wrapEngine(serverSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT));
|
||||||
|
|
||||||
|
try {
|
||||||
|
handshake(client, server);
|
||||||
|
fail();
|
||||||
|
} catch (SSLHandshakeException expected) {
|
||||||
|
// expected
|
||||||
|
} finally {
|
||||||
|
cleanupClientSslEngine(client);
|
||||||
|
cleanupServerSslEngine(server);
|
||||||
|
ssc.delete();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected SslProvider sslClientProvider() {
|
protected SslProvider sslClientProvider() {
|
||||||
return SslProvider.OPENSSL;
|
return SslProvider.OPENSSL;
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user