Include TLSv1.3 ciphers as recommented ciphers for HTTP2 (#10480)

Motivation:

We should include TLSv1.3 ciphers as well as recommented ciphers these days for HTTP/2. That is especially true as Java supports TLSv1.3 these days out of the box

Modifications:

- Add TLSv1.3 ciphers that are recommended by mozilla as was for HTTP/2
- Add unit test

Result:

Include TLSv1.3 ciphers as well
This commit is contained in:
Norman Maurer 2020-08-13 20:33:07 +02:00 committed by GitHub
parent 92fff79c5f
commit fdd4706783
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 58 additions and 4 deletions

View File

@ -43,9 +43,9 @@ public final class Http2SecurityUtil {
public static final List<String> CIPHERS;
/**
* <a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility">Mozilla Modern Cipher
* Suites</a> minus the following cipher suites that are black listed by the
* <a href="https://tools.ietf.org/html/rfc7540#appendix-A">HTTP/2 RFC</a>.
* <a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29"
* >Mozilla Modern Cipher Suites Intermediate compatibility</a> minus the following cipher suites that are black
* listed by the <a href="https://tools.ietf.org/html/rfc7540#appendix-A">HTTP/2 RFC</a>.
*/
private static final List<String> CIPHERS_JAVA_MOZILLA_MODERN_SECURITY = Collections.unmodifiableList(Arrays
.asList(
@ -64,7 +64,12 @@ public final class Http2SecurityUtil {
/* openssl = ECDHE-ECDSA-CHACHA20-POLY1305 */
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
/* openssl = ECDHE-RSA-CHACHA20-POLY1305 */
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
/* TLS 1.3 ciphers */
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256"
));
static {

View File

@ -0,0 +1,49 @@
/*
* Copyright 2020 The Netty Project
*
* The Netty Project licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
package io.netty.handler.codec.http2;
import io.netty.buffer.UnpooledByteBufAllocator;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.SupportedCipherSuiteFilter;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.Test;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
public class Http2SecurityUtilTest {
@Test
public void testTLSv13CiphersIncluded() throws SSLException {
Assume.assumeTrue(SslProvider.isTlsv13Supported(SslProvider.JDK));
testCiphersIncluded("TLSv1.3");
}
@Test
public void testTLSv12CiphersIncluded() throws SSLException {
testCiphersIncluded("TLSv1.2");
}
private static void testCiphersIncluded(String protocol) throws SSLException {
SslContext context = SslContextBuilder.forClient().sslProvider(SslProvider.JDK).protocols(protocol)
.ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE).build();
SSLEngine engine = context.newEngine(UnpooledByteBufAllocator.DEFAULT);
Assert.assertTrue("No " + protocol + " ciphers found", engine.getEnabledCipherSuites().length > 0);
}
}