diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2SecurityUtil.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2SecurityUtil.java
index 026ca18afe..9c8c177984 100644
--- a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2SecurityUtil.java
+++ b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2SecurityUtil.java
@@ -43,9 +43,9 @@ public final class Http2SecurityUtil {
 public static final List CIPHERS;
 
 /**
- * Mozilla Modern Cipher
- * Suites minus the following cipher suites that are black listed by the
- * HTTP/2 RFC.
+ * Mozilla Modern Cipher Suites Intermediate compatibility minus the following cipher suites that are black
+ * listed by the HTTP/2 RFC.
 */
 private static final List CIPHERS_JAVA_MOZILLA_MODERN_SECURITY = Collections.unmodifiableList(Arrays
 .asList(
@@ -64,7 +64,12 @@ public final class Http2SecurityUtil {
 /* openssl = ECDHE-ECDSA-CHACHA20-POLY1305 */
 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
 /* openssl = ECDHE-RSA-CHACHA20-POLY1305 */
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+
+ /* TLS 1.3 ciphers */
+ "TLS_AES_128_GCM_SHA256",
+ "TLS_AES_256_GCM_SHA384",
+ "TLS_CHACHA20_POLY1305_SHA256"
 ));
 
 static {
diff --git a/codec-http2/src/test/java/io/netty/handler/codec/http2/Http2SecurityUtilTest.java b/codec-http2/src/test/java/io/netty/handler/codec/http2/Http2SecurityUtilTest.java
new file mode 100644
index 0000000000..0560675111
--- /dev/null
+++ b/codec-http2/src/test/java/io/netty/handler/codec/http2/Http2SecurityUtilTest.java
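Review bot: The rewritten Javadoc names two different Mozilla profiles at once ("Modern Cipher Suites" and "Intermediate compatibility") while the constant it documents is still called `CIPHERS_JAVA_MOZILLA_MODERN_SECURITY`, so a reader cannot tell which profile this list is meant to track. Mozilla's Server Side TLS guidelines define Modern and Intermediate as separate configurations; naming the one actually followed (and the guideline version, if known) is what lets the next suite addition be checked against it. I would write it as ` * Cipher suites from the Mozilla Server Side TLS "Intermediate compatibility" configuration, minus the suites black-listed by the HTTP/2 RFC (RFC 7540, Appendix A).`, replacing "Intermediate" with whichever profile the list really tracks. The class and the initializer the comment describes start and continue outside the hunk.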
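Review bot: The added `/* TLS 1.3 ciphers */` comment does not say why these three suites are exempt from the RFC 7540 filtering the rest of the list is built around, which is the first question a maintainer will ask on the next suite addition. Appendix A of RFC 7540 enumerates only TLS 1.2 suites and every TLS 1.3 suite is AEAD, so none of this group is black-listed; and, as far as I know, the JDK will not negotiate TLS 1.3 unless at least one TLS 1.3 suite is among the enabled cipher suites, which is presumably why they must be in `CIPHERS` at all. I would expand the comment to `/* TLS 1.3 suites (RFC 8446): all AEAD, so none is black-listed by RFC 7540 Appendix A; the JDK needs at least one of them enabled to negotiate TLS 1.3 */`. The `Arrays.asList(...)` initializer this hunk edits starts before the hunk.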
@@ -0,0 +1,49 @@
+/*
+ * Copyright 2020 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+package io.netty.handler.codec.http2;
+
+import io.netty.buffer.UnpooledByteBufAllocator;
+import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslContextBuilder;
+import io.netty.handler.ssl.SslProvider;
+import io.netty.handler.ssl.SupportedCipherSuiteFilter;
+import org.junit.Assert;
+import org.junit.Assume;
+import org.junit.Test;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLException;
+
+public class Http2SecurityUtilTest {
+
+ @Test
+ public void testTLSv13CiphersIncluded() throws SSLException {
+ Assume.assumeTrue(SslProvider.isTlsv13Supported(SslProvider.JDK));
+ testCiphersIncluded("TLSv1.3");
+ }
+
+ @Test
+ public void testTLSv12CiphersIncluded() throws SSLException {
+ testCiphersIncluded("TLSv1.2");
+ }
+
+ private static void testCiphersIncluded(String protocol) throws SSLException {
+ SslContext context = SslContextBuilder.forClient().sslProvider(SslProvider.JDK).protocols(protocol)
+ .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE).build();
+ SSLEngine engine = context.newEngine(UnpooledByteBufAllocator.DEFAULT);
+ Assert.assertTrue("No " + protocol + " ciphers found", engine.getEnabledCipherSuites().length > 0);
+ }
+}
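Review bot: `engine.getEnabledCipherSuites().length > 0` in `testCiphersIncluded` does not establish that any TLS 1.3 suite is enabled, so `testTLSv13CiphersIncluded` would still pass if the three suites added to `Http2SecurityUtil` were removed again: as far as I can tell the JDK engine's enabled-suite list is not narrowed by `.protocols(protocol)`, so the TLS 1.2 suites from `Http2SecurityUtil.CIPHERS` alone satisfy the check. The test should assert on a suite that is only valid for the requested protocol. The rewrite below keeps the existing assertion and additionally requires at least one TLS 1.3 suite when `TLSv1.3` is requested, using no language features beyond what the file already uses.
```java
    private static void testCiphersIncluded(String protocol) throws SSLException {
        // … unchanged: SslContext and SSLEngine construction …
        String[] enabled = engine.getEnabledCipherSuites();
        Assert.assertTrue("No " + protocol + " ciphers found", enabled.length > 0);
        if ("TLSv1.3".equals(protocol)) {
            boolean tls13Found = false;
            for (String suite : enabled) {
                // TLS 1.3 suite names carry no key-exchange prefix (RFC 8446, Appendix B.4).
                if (suite.startsWith("TLS_AES_") || suite.startsWith("TLS_CHACHA20_")) {
                    tls13Found = true;
                    break;
                }
            }
            Assert.assertTrue("No TLS 1.3 cipher suite enabled", tls13Found);
        }
    }
```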