From 7f69090bcb9774b81c13c26e5acb23ed70550b71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=CC=88rg=20Prante?= Date: Thu, 16 Sep 2021 12:07:58 +0200 Subject: [PATCH] restrict default to TLS 1.2 if old/unavailable OpenSSL --- gradle.properties | 6 +-- .../org/xbib/netty/http/client/Client.java | 2 +- .../xbib/netty/http/client/ClientConfig.java | 10 +++-- .../client/test/conscrypt/ConscryptTest.java | 2 +- .../http/client/test/http1/GoogleTest.java | 2 +- .../http/server/DefaultServerConfig.java | 6 ++- .../org/xbib/netty/http/server/Server.java | 10 +++++ .../TransportLayerSecurityServerTest.java | 45 ++++++++++++++++++- 8 files changed, 69 insertions(+), 14 deletions(-) diff --git a/gradle.properties b/gradle.properties index e6fe859..c582403 100644 --- a/gradle.properties +++ b/gradle.properties @@ -1,11 +1,11 @@ group = org.xbib name = netty-http -version = 4.1.66.0 +version = 4.1.68.0 gradle.wrapper.version = 6.6.1 -netty.version = 4.1.66.Final -tcnative.version = 2.0.40.Final +netty.version = 4.1.68.Final +tcnative.version = 2.0.43.Final bouncycastle.version = 1.69 reactivestreams.version = 1.0.3 reactivex.version = 1.3.8 diff --git a/netty-http-client/src/main/java/org/xbib/netty/http/client/Client.java b/netty-http-client/src/main/java/org/xbib/netty/http/client/Client.java index 6e20e79..5674bf3 100644 --- a/netty-http-client/src/main/java/org/xbib/netty/http/client/Client.java +++ b/netty-http-client/src/main/java/org/xbib/netty/http/client/Client.java @@ -693,7 +693,7 @@ public final class Client implements AutoCloseable { return this; } - public Builder setTlsProtocols(String[] protocols) { + public Builder setTransportLayerSecurityProtocols(String... protocols) { clientConfig.setProtocols(protocols); return this; } diff --git a/netty-http-client/src/main/java/org/xbib/netty/http/client/ClientConfig.java b/netty-http-client/src/main/java/org/xbib/netty/http/client/ClientConfig.java index 8e82824..f1dbf9d 100644 --- a/netty-http-client/src/main/java/org/xbib/netty/http/client/ClientConfig.java +++ b/netty-http-client/src/main/java/org/xbib/netty/http/client/ClientConfig.java @@ -6,6 +6,7 @@ import io.netty.handler.codec.http2.Http2Settings; import io.netty.handler.logging.LogLevel; import io.netty.handler.proxy.HttpProxyHandler; import io.netty.handler.ssl.CipherSuiteFilter; +import io.netty.handler.ssl.OpenSsl; import io.netty.handler.ssl.SslProvider; import org.xbib.netty.http.client.api.Pool; import org.xbib.netty.http.client.api.BackOff; @@ -94,7 +95,6 @@ public class ClientConfig { /** * This is Netty's default. - * See {@link io.netty.handler.codec.MessageAggregator}. */ int MAX_COMPOSITE_BUFFER_COMPONENTS = 1024; @@ -119,9 +119,11 @@ public class ClientConfig { Provider SSL_CONTEXT_PROVIDER = null; /** - * Transport layer security protocol versions. + * Default transport layer security protocol versions (depends on OpenSSL version) */ - String[] PROTOCOLS = new String[] { "TLSv1.3", "TLSv1.2" }; + String[] PROTOCOLS = OpenSsl.isAvailable() && OpenSsl.version() <= 0x10101009L ? + new String[] { "TLSv1.2" } : + new String[] { "TLSv1.3", "TLSv1.2" }; /** * Default ciphers. We care about HTTP/2. @@ -211,7 +213,7 @@ public class ClientConfig { private Provider sslContextProvider = Defaults.SSL_CONTEXT_PROVIDER; - private String[] protocols = Defaults.PROTOCOLS; + private String[] protocols = Defaults.PROTOCOLS; private Iterable ciphers = Defaults.CIPHERS; diff --git a/netty-http-client/src/test/java/org/xbib/netty/http/client/test/conscrypt/ConscryptTest.java b/netty-http-client/src/test/java/org/xbib/netty/http/client/test/conscrypt/ConscryptTest.java index 799cb6b..18e522f 100644 --- a/netty-http-client/src/test/java/org/xbib/netty/http/client/test/conscrypt/ConscryptTest.java +++ b/netty-http-client/src/test/java/org/xbib/netty/http/client/test/conscrypt/ConscryptTest.java @@ -28,7 +28,7 @@ class ConscryptTest { Client client = Client.builder() .setJdkSslProvider() .setSslContextProvider(provider) - .setTlsProtocols(new String[]{"TLSv1.2"}) // disable TLSv1.3 for Conscrypt + .setTransportLayerSecurityProtocols("TLSv1.2") // disable TLSv1.3 for Conscrypt .build(); logger.log(Level.INFO, client.getClientConfig().toString()); try { diff --git a/netty-http-client/src/test/java/org/xbib/netty/http/client/test/http1/GoogleTest.java b/netty-http-client/src/test/java/org/xbib/netty/http/client/test/http1/GoogleTest.java index 25a940e..a77469d 100644 --- a/netty-http-client/src/test/java/org/xbib/netty/http/client/test/http1/GoogleTest.java +++ b/netty-http-client/src/test/java/org/xbib/netty/http/client/test/http1/GoogleTest.java @@ -23,7 +23,7 @@ class GoogleTest { void testHttp1WithTlsV13() throws Exception { AtomicBoolean success = new AtomicBoolean(); Client client = Client.builder() - .setTlsProtocols(new String[] { "TLSv1.3" }) + .setTransportLayerSecurityProtocols(new String[] { "TLSv1.3" }) .build(); try { Request request = Request.get().url("https://www.google.com/") diff --git a/netty-http-server/src/main/java/org/xbib/netty/http/server/DefaultServerConfig.java b/netty-http-server/src/main/java/org/xbib/netty/http/server/DefaultServerConfig.java index 876d83c..01d2507 100644 --- a/netty-http-server/src/main/java/org/xbib/netty/http/server/DefaultServerConfig.java +++ b/netty-http-server/src/main/java/org/xbib/netty/http/server/DefaultServerConfig.java @@ -4,6 +4,7 @@ import io.netty.channel.WriteBufferWaterMark; import io.netty.handler.codec.http2.Http2Settings; import io.netty.handler.logging.LogLevel; import io.netty.handler.ssl.CipherSuiteFilter; +import io.netty.handler.ssl.OpenSsl; import io.netty.handler.ssl.SslProvider; import org.xbib.netty.http.common.HttpAddress; import org.xbib.netty.http.common.security.SecurityUtil; @@ -130,7 +131,6 @@ public class DefaultServerConfig implements ServerConfig { /** * This is Netty's default. - * See {@link io.netty.handler.codec.MessageAggregator#maxCumulationBufferComponents()}. */ int MAX_COMPOSITE_BUFFER_COMPONENTS = 1024; @@ -179,7 +179,9 @@ public class DefaultServerConfig implements ServerConfig { * Transport layer security protocol versions. * Do not use SSLv2, SSLv3, TLS 1.0, TLS 1.1. */ - String[] PROTOCOLS = new String[] { "TLSv1.3", "TLSv1.2" }; + String[] PROTOCOLS = OpenSsl.isAvailable() && OpenSsl.version() <= 0x10101009L ? + new String[] { "TLSv1.2" } : + new String[] { "TLSv1.3", "TLSv1.2" }; /** * Default ciphers. We care about HTTP/2. diff --git a/netty-http-server/src/main/java/org/xbib/netty/http/server/Server.java b/netty-http-server/src/main/java/org/xbib/netty/http/server/Server.java index 9902bb5..97cb624 100644 --- a/netty-http-server/src/main/java/org/xbib/netty/http/server/Server.java +++ b/netty-http-server/src/main/java/org/xbib/netty/http/server/Server.java @@ -664,6 +664,16 @@ public final class Server implements AutoCloseable { return this; } + public Builder setOpenSSLSslProvider() { + this.serverConfig.setOpenSSLSslProvider(); + return this; + } + + public Builder setJdkSslProvider() { + this.serverConfig.setJdkSslProvider(); + return this; + } + public Builder setTransportLayerSecurityProtocols(String... protocols) { this.serverConfig.setProtocols(protocols); return this; diff --git a/netty-http-server/src/test/java/org/xbib/netty/http/server/test/TransportLayerSecurityServerTest.java b/netty-http-server/src/test/java/org/xbib/netty/http/server/test/TransportLayerSecurityServerTest.java index 9c54b38..21beb41 100644 --- a/netty-http-server/src/test/java/org/xbib/netty/http/server/test/TransportLayerSecurityServerTest.java +++ b/netty-http-server/src/test/java/org/xbib/netty/http/server/test/TransportLayerSecurityServerTest.java @@ -24,7 +24,42 @@ class TransportLayerSecurityServerTest { private static final Logger logger = Logger.getLogger(TransportLayerSecurityServerTest.class.getName()); @Test - void testTLS12() throws Exception { + void testTLSDefaultSettings() throws Exception { + HttpAddress httpAddress = HttpAddress.secureHttp1("localhost", 8143); + Server server = Server.builder(HttpServerDomain.builder(httpAddress) + .setSelfCert() + .singleEndpoint("/", (request, response) -> + response.getBuilder().setStatus(HttpResponseStatus.OK.code()).setContentType("text/plain").build() + .write(request.getContent().toString(StandardCharsets.UTF_8))) + .build()) + .build(); + Client client = Client.builder() + .trustInsecure() + .build(); + AtomicInteger counter = new AtomicInteger(); + final ResponseListener responseListener = resp -> { + logger.log(Level.INFO, "response listener: headers = " + resp.getHeaders() + + " response body = " + resp.getBodyAsString(StandardCharsets.UTF_8)); + counter.incrementAndGet(); + }; + try { + server.accept(); + Request request = Request.get().setVersion(HttpVersion.HTTP_1_1) + .url(server.getServerConfig().getAddress().base()) + .content("Hello Jörg", "text/plain") + .setResponseListener(responseListener) + .build(); + ClientTransport transport = client.execute(request).get(); + logger.log(Level.INFO, "TLS protocol = " + transport.getSession().getProtocol()); + } finally { + client.shutdownGracefully(); + server.shutdownGracefully(); + } + assertEquals(1, counter.get()); + } + + @Test + void testOpenSSL12() throws Exception { HttpAddress httpAddress = HttpAddress.secureHttp1("localhost", 8143); Server server = Server.builder(HttpServerDomain.builder(httpAddress) .setSelfCert() @@ -32,9 +67,12 @@ class TransportLayerSecurityServerTest { response.getBuilder().setStatus(HttpResponseStatus.OK.code()).setContentType("text/plain").build() .write(request.getContent().toString(StandardCharsets.UTF_8))) .build()) + .setOpenSSLSslProvider() .setTransportLayerSecurityProtocols("TLSv1.2") .build(); Client client = Client.builder() + .setOpenSSLSslProvider() + .setTransportLayerSecurityProtocols("TLSv1.2") .trustInsecure() .build(); AtomicInteger counter = new AtomicInteger(); @@ -61,7 +99,7 @@ class TransportLayerSecurityServerTest { } @Test - void testTLS13() throws Exception { + void testOpenSSL13() throws Exception { HttpAddress httpAddress = HttpAddress.secureHttp2("localhost", 8143); Server server = Server.builder(HttpServerDomain.builder(httpAddress) .setSelfCert() @@ -69,9 +107,12 @@ class TransportLayerSecurityServerTest { response.getBuilder().setStatus(HttpResponseStatus.OK.code()).setContentType("text/plain").build() .write(request.getContent().toString(StandardCharsets.UTF_8))) .build()) + .setOpenSSLSslProvider() .setTransportLayerSecurityProtocols("TLSv1.3") .build(); Client client = Client.builder() + .setOpenSSLSslProvider() + .setTransportLayerSecurityProtocols("TLSv1.3") .trustInsecure() .build(); AtomicInteger counter = new AtomicInteger();