restrict default to TLS 1.2 if old/unavailable OpenSSL
This commit is contained in:
parent
8a4775c05c
commit
7f69090bcb
8 changed files with 69 additions and 14 deletions
|
@ -1,11 +1,11 @@
|
|||
group = org.xbib
|
||||
name = netty-http
|
||||
version = 4.1.66.0
|
||||
version = 4.1.68.0
|
||||
|
||||
gradle.wrapper.version = 6.6.1
|
||||
|
||||
netty.version = 4.1.66.Final
|
||||
tcnative.version = 2.0.40.Final
|
||||
netty.version = 4.1.68.Final
|
||||
tcnative.version = 2.0.43.Final
|
||||
bouncycastle.version = 1.69
|
||||
reactivestreams.version = 1.0.3
|
||||
reactivex.version = 1.3.8
|
||||
|
|
|
@ -693,7 +693,7 @@ public final class Client implements AutoCloseable {
|
|||
return this;
|
||||
}
|
||||
|
||||
public Builder setTlsProtocols(String[] protocols) {
|
||||
public Builder setTransportLayerSecurityProtocols(String... protocols) {
|
||||
clientConfig.setProtocols(protocols);
|
||||
return this;
|
||||
}
|
||||
|
|
|
@ -6,6 +6,7 @@ import io.netty.handler.codec.http2.Http2Settings;
|
|||
import io.netty.handler.logging.LogLevel;
|
||||
import io.netty.handler.proxy.HttpProxyHandler;
|
||||
import io.netty.handler.ssl.CipherSuiteFilter;
|
||||
import io.netty.handler.ssl.OpenSsl;
|
||||
import io.netty.handler.ssl.SslProvider;
|
||||
import org.xbib.netty.http.client.api.Pool;
|
||||
import org.xbib.netty.http.client.api.BackOff;
|
||||
|
@ -94,7 +95,6 @@ public class ClientConfig {
|
|||
|
||||
/**
|
||||
* This is Netty's default.
|
||||
* See {@link io.netty.handler.codec.MessageAggregator}.
|
||||
*/
|
||||
int MAX_COMPOSITE_BUFFER_COMPONENTS = 1024;
|
||||
|
||||
|
@ -119,9 +119,11 @@ public class ClientConfig {
|
|||
Provider SSL_CONTEXT_PROVIDER = null;
|
||||
|
||||
/**
|
||||
* Transport layer security protocol versions.
|
||||
* Default transport layer security protocol versions (depends on OpenSSL version)
|
||||
*/
|
||||
String[] PROTOCOLS = new String[] { "TLSv1.3", "TLSv1.2" };
|
||||
String[] PROTOCOLS = OpenSsl.isAvailable() && OpenSsl.version() <= 0x10101009L ?
|
||||
new String[] { "TLSv1.2" } :
|
||||
new String[] { "TLSv1.3", "TLSv1.2" };
|
||||
|
||||
/**
|
||||
* Default ciphers. We care about HTTP/2.
|
||||
|
@ -211,7 +213,7 @@ public class ClientConfig {
|
|||
|
||||
private Provider sslContextProvider = Defaults.SSL_CONTEXT_PROVIDER;
|
||||
|
||||
private String[] protocols = Defaults.PROTOCOLS;
|
||||
private String[] protocols = Defaults.PROTOCOLS;
|
||||
|
||||
private Iterable<String> ciphers = Defaults.CIPHERS;
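Review bot: The `0x10101009L` threshold in the new PROTOCOLS default encodes an OpenSSL release that the Javadoc does not name, and `OpenSsl.version()` is consulted even when the application later selects the JDK SslProvider, so a host with an old native library silently loses TLS 1.3 on a JDK engine that supports it; the DefaultServerConfig hunk has the same construct. If the tcnative artifact in use is the BoringSSL build, its reported version number is, as far as I know, a fixed 1.1.0-style value that would fall under the threshold despite BoringSSL supporting TLS 1.3 — worth verifying on the build machine. Netty already exposes this decision: `String[] PROTOCOLS = OpenSsl.isAvailable() && !OpenSsl.isTlsv13Supported() ?` keeps the structure while removing the magic number, and resolving the list at build time with `SslProvider.isTlsv13Supported(provider)` for the provider actually chosen would also cover the JDK case. At minimum the Javadoc should state which release the constant corresponds to and that the choice is presumably made once, at class initialization, not per client.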
|
||||
|
||||
|
|
|
@ -28,7 +28,7 @@ class ConscryptTest {
|
|||
Client client = Client.builder()
|
||||
.setJdkSslProvider()
|
||||
.setSslContextProvider(provider)
|
||||
.setTlsProtocols(new String[]{"TLSv1.2"}) // disable TLSv1.3 for Conscrypt
|
||||
.setTransportLayerSecurityProtocols("TLSv1.2") // disable TLSv1.3 for Conscrypt
|
||||
.build();
|
||||
logger.log(Level.INFO, client.getClientConfig().toString());
|
||||
try {
|
||||
|
|
|
@ -23,7 +23,7 @@ class GoogleTest {
|
|||
void testHttp1WithTlsV13() throws Exception {
|
||||
AtomicBoolean success = new AtomicBoolean();
|
||||
Client client = Client.builder()
|
||||
.setTlsProtocols(new String[] { "TLSv1.3" })
|
||||
.setTransportLayerSecurityProtocols(new String[] { "TLSv1.3" })
|
||||
.build();
|
||||
try {
|
||||
Request request = Request.get().url("https://www.google.com/")
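Review bot: The changed line keeps the explicit `new String[] { "TLSv1.3" }` although the builder method is now varargs; the ConscryptTest hunk in this same commit uses the plain form, so for consistency write `.setTransportLayerSecurityProtocols("TLSv1.3")`.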
|
||||
|
|
|
@ -4,6 +4,7 @@ import io.netty.channel.WriteBufferWaterMark;
|
|||
import io.netty.handler.codec.http2.Http2Settings;
|
||||
import io.netty.handler.logging.LogLevel;
|
||||
import io.netty.handler.ssl.CipherSuiteFilter;
|
||||
import io.netty.handler.ssl.OpenSsl;
|
||||
import io.netty.handler.ssl.SslProvider;
|
||||
import org.xbib.netty.http.common.HttpAddress;
|
||||
import org.xbib.netty.http.common.security.SecurityUtil;
|
||||
|
@ -130,7 +131,6 @@ public class DefaultServerConfig implements ServerConfig {
|
|||
|
||||
/**
|
||||
* This is Netty's default.
|
||||
* See {@link io.netty.handler.codec.MessageAggregator#maxCumulationBufferComponents()}.
|
||||
*/
|
||||
int MAX_COMPOSITE_BUFFER_COMPONENTS = 1024;
|
||||
|
||||
|
@ -179,7 +179,9 @@ public class DefaultServerConfig implements ServerConfig {
|
|||
* Transport layer security protocol versions.
|
||||
* Do not use SSLv2, SSLv3, TLS 1.0, TLS 1.1.
|
||||
*/
|
||||
String[] PROTOCOLS = new String[] { "TLSv1.3", "TLSv1.2" };
|
||||
String[] PROTOCOLS = OpenSsl.isAvailable() && OpenSsl.version() <= 0x10101009L ?
|
||||
new String[] { "TLSv1.2" } :
|
||||
new String[] { "TLSv1.3", "TLSv1.2" };
|
||||
|
||||
/**
|
||||
* Default ciphers. We care about HTTP/2.
|
||||
|
|
|
@ -664,6 +664,16 @@ public final class Server implements AutoCloseable {
|
|||
return this;
|
||||
}
|
||||
|
||||
public Builder setOpenSSLSslProvider() {
|
||||
this.serverConfig.setOpenSSLSslProvider();
|
||||
return this;
|
||||
}
|
||||
|
||||
public Builder setJdkSslProvider() {
|
||||
this.serverConfig.setJdkSslProvider();
|
||||
return this;
|
||||
}
|
||||
|
||||
public Builder setTransportLayerSecurityProtocols(String... protocols) {
|
||||
this.serverConfig.setProtocols(protocols);
|
||||
return this;
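Review bot: The three new public builder methods carry no Javadoc, and setTransportLayerSecurityProtocols hands the varargs array to serverConfig.setProtocols unchecked, so a call with no arguments passes an empty array that presumably becomes the enabled-protocol list — whether that breaks the handshake or falls back to the defaults is not visible here. I would reject it up front: `Objects.requireNonNull(protocols, "protocols");` followed by `if (protocols.length == 0) { throw new IllegalArgumentException("at least one TLS protocol is required"); }`. The method's Javadoc should name the accepted protocol strings (the tests use `"TLSv1.2"` and `"TLSv1.3"`) and say that the PROTOCOLS default from DefaultServerConfig applies when it is not called. The method's closing brace and the rest of the Builder class lie outside the hunk.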
|
||||
|
|
|
@ -24,7 +24,42 @@ class TransportLayerSecurityServerTest {
|
|||
private static final Logger logger = Logger.getLogger(TransportLayerSecurityServerTest.class.getName());
|
||||
|
||||
@Test
|
||||
void testTLS12() throws Exception {
|
||||
void testTLSDefaultSettings() throws Exception {
|
||||
HttpAddress httpAddress = HttpAddress.secureHttp1("localhost", 8143);
|
||||
Server server = Server.builder(HttpServerDomain.builder(httpAddress)
|
||||
.setSelfCert()
|
||||
.singleEndpoint("/", (request, response) ->
|
||||
response.getBuilder().setStatus(HttpResponseStatus.OK.code()).setContentType("text/plain").build()
|
||||
.write(request.getContent().toString(StandardCharsets.UTF_8)))
|
||||
.build())
|
||||
.build();
|
||||
Client client = Client.builder()
|
||||
.trustInsecure()
|
||||
.build();
|
||||
AtomicInteger counter = new AtomicInteger();
|
||||
final ResponseListener<HttpResponse> responseListener = resp -> {
|
||||
logger.log(Level.INFO, "response listener: headers = " + resp.getHeaders() +
|
||||
" response body = " + resp.getBodyAsString(StandardCharsets.UTF_8));
|
||||
counter.incrementAndGet();
|
||||
};
|
||||
try {
|
||||
server.accept();
|
||||
Request request = Request.get().setVersion(HttpVersion.HTTP_1_1)
|
||||
.url(server.getServerConfig().getAddress().base())
|
||||
.content("Hello Jörg", "text/plain")
|
||||
.setResponseListener(responseListener)
|
||||
.build();
|
||||
ClientTransport transport = client.execute(request).get();
|
||||
logger.log(Level.INFO, "TLS protocol = " + transport.getSession().getProtocol());
|
||||
} finally {
|
||||
client.shutdownGracefully();
|
||||
server.shutdownGracefully();
|
||||
}
|
||||
assertEquals(1, counter.get());
|
||||
}
|
||||
|
||||
@Test
|
||||
void testOpenSSL12() throws Exception {
|
||||
HttpAddress httpAddress = HttpAddress.secureHttp1("localhost", 8143);
|
||||
Server server = Server.builder(HttpServerDomain.builder(httpAddress)
|
||||
.setSelfCert()
|
||||
|
@ -32,9 +67,12 @@ class TransportLayerSecurityServerTest {
|
|||
response.getBuilder().setStatus(HttpResponseStatus.OK.code()).setContentType("text/plain").build()
|
||||
.write(request.getContent().toString(StandardCharsets.UTF_8)))
|
||||
.build())
|
||||
.setOpenSSLSslProvider()
|
||||
.setTransportLayerSecurityProtocols("TLSv1.2")
|
||||
.build();
|
||||
Client client = Client.builder()
|
||||
.setOpenSSLSslProvider()
|
||||
.setTransportLayerSecurityProtocols("TLSv1.2")
|
||||
.trustInsecure()
|
||||
.build();
|
||||
AtomicInteger counter = new AtomicInteger();
|
||||
|
@ -61,7 +99,7 @@ class TransportLayerSecurityServerTest {
|
|||
}
|
||||
|
||||
@Test
|
||||
void testTLS13() throws Exception {
|
||||
void testOpenSSL13() throws Exception {
|
||||
HttpAddress httpAddress = HttpAddress.secureHttp2("localhost", 8143);
|
||||
Server server = Server.builder(HttpServerDomain.builder(httpAddress)
|
||||
.setSelfCert()
|
||||
|
@ -69,9 +107,12 @@ class TransportLayerSecurityServerTest {
|
|||
response.getBuilder().setStatus(HttpResponseStatus.OK.code()).setContentType("text/plain").build()
|
||||
.write(request.getContent().toString(StandardCharsets.UTF_8)))
|
||||
.build())
|
||||
.setOpenSSLSslProvider()
|
||||
.setTransportLayerSecurityProtocols("TLSv1.3")
|
||||
.build();
|
||||
Client client = Client.builder()
|
||||
.setOpenSSLSslProvider()
|
||||
.setTransportLayerSecurityProtocols("TLSv1.3")
|
||||
.trustInsecure()
|
||||
.build();
|
||||
AtomicInteger counter = new AtomicInteger();
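Review bot: testTLSDefaultSettings logs `transport.getSession().getProtocol()` but asserts only the response counter, so the new default-negotiation test still passes if the defaults regress to an older protocol version; capture it inside the try block with `String protocol = transport.getSession().getProtocol();` and add `assertTrue(protocol.equals("TLSv1.3") || protocol.equals("TLSv1.2"), protocol);` (with the matching static import). testOpenSSL12 and testOpenSSL13 in the later hunks call setOpenSSLSslProvider() unconditionally, so on a host without a usable netty-tcnative they error rather than skip; an `assumeTrue(OpenSsl.isAvailable());` at the start of each would make that precondition explicit. All three tests bind localhost:8143, which is fine when run sequentially but rules out parallel execution.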
|
||||
|
|