Add support for setting several cipher suites for HTTP/2 #2119

Merged
merged 1 commit into from Aug 2, 2017

@arteam
Member

arteam commented Aug 1, 2017

There are many SSL ciphers which are supported by HTTP/2 clients (see https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility) and the user should have the ability to use them in Dropwizard applications. Currently it's not possible because Dropwizard forces the default cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 defined in the HTTP2 spec.

This change allows users to provide a custom list of supported ciphers, so clients that support stronger ciphers can use them. The provided list of ciphers MUST contain the TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher as defined in the HTTP2 spec.

Redux of #1978.
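
As an added example (not part of the pull request or of Dropwizard), a pre-flight check for the cipher list described above: it reports a missing mandatory suite, suites the running JVM does not support, and suites that fail the criteria RFC 7540 Appendix A gives for its prohibited list (no ephemeral key exchange, or a non-AEAD cipher). The class name `Http2CipherListCheck`, its methods and the name-prefix heuristic are assumptions made for illustration; the sample list is constructed.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

/** Added example (hypothetical class, not Dropwizard code): pre-flight check of an h2 cipher list. */
public class Http2CipherListCheck {
    static final String MANDATORY = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";

    /** TLS 1.3 names carry no key exchange; TLS 1.2 names must be (EC)DHE plus an AEAD cipher. */
    static boolean allowedForHttp2(String suite) {
        if (suite.startsWith("TLS_AES_") || suite.startsWith("TLS_CHACHA20_")) {
            return true;
        }
        boolean ephemeral = suite.startsWith("TLS_ECDHE_") || suite.startsWith("TLS_DHE_");
        boolean aead = suite.contains("_GCM_") || suite.contains("_CCM") || suite.contains("CHACHA20_POLY1305");
        return ephemeral && aead;
    }

    /** Returns one human-readable finding per problem; an empty list means the configuration passes. */
    static List<String> problems(List<String> configured, Set<String> jvmSupported) {
        List<String> out = new ArrayList<>();
        if (!configured.contains(MANDATORY)) {
            out.add("missing mandatory HTTP/2 suite " + MANDATORY);
        }
        for (String suite : configured) {
            if (!jvmSupported.contains(suite)) {
                out.add(suite + ": not supported by this JVM, will never be negotiated");
            } else if (!allowedForHttp2(suite)) {
                out.add(suite + ": not ephemeral AEAD, prohibited for HTTP/2 (RFC 7540 Appendix A)");
            }
        }
        return out;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        Set<String> jvm = new HashSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
        // Constructed sample list: the two suites from the PR's test config plus a CBC suite.
        List<String> configured = Arrays.asList(
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_RSA_WITH_AES_128_CBC_SHA");
        problems(configured, jvm).forEach(System.out::println);
    }
}
```

The prefix test follows the criteria stated in the RFC's appendix rather than enumerating its full list, so treat a clean result as a screening pass, not as proof of compliance.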

@evnm

evnm approved these changes Aug 1, 2017

if (getSupportedCipherSuites() == null) {
setSupportedCipherSuites(ImmutableList.of(HTTP2_DEFAULT_CIPHER));
} else if (!getSupportedCipherSuites().contains(HTTP2_DEFAULT_CIPHER)) {
throw new IllegalArgumentException("h2 server configuration must include cipher: " + HTTP2_DEFAULT_CIPHER);
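
Review bot: in the `else if` branch, the exception names the required cipher but not the setting at fault or the list that was actually configured, so an operator reading the startup failure has to work out where to look. Consider naming the `supportedCipherSuites` setting and including the configured list in the message. The `== null` test also means an explicitly empty list is rejected rather than defaulted; if that is intended, it deserves a line in the configuration docs.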


@evnm

evnm Aug 1, 2017

Member

Take it or leave it: Mild preference for "HTTP/2" in the error message.


@arteam

arteam Aug 1, 2017

Member

Agreed. Updated to HTTP/2.

@coveralls


coveralls commented Aug 1, 2017

Coverage Status

Coverage decreased (-0.02%) to 85.181% when pulling a303e82 on several_suites into 545a598 on master.

@arteam arteam force-pushed the several_suites branch from a303e82 to 806af01 Aug 1, 2017

@arteam


Member

arteam commented Aug 1, 2017

port: 0
keyStorePassword: http2_server
validateCerts: false
supportedCipherSuites: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256']


@jplock

jplock Aug 1, 2017

Member

would this be more appropriate as a yaml list?

supportedCipherSuites:
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256


@arteam

arteam Aug 2, 2017

Member

Good idea. Updated.


@arteam arteam force-pushed the several_suites branch from 806af01 to 03c2350 Aug 2, 2017

@arteam arteam merged commit ea2f123 into master Aug 2, 2017


@arteam arteam deleted the several_suites branch Aug 2, 2017

@dropwizard dropwizard deleted a comment from coveralls Aug 2, 2017

@arteam arteam added this to the 1.2.0 milestone Aug 2, 2017

@arteam arteam added the improvement label Aug 2, 2017

sankate pushed a commit to sankate/dropwizard that referenced this pull request Nov 21, 2017

Add support for setting several cipher suites for HTTP/2 (dropwizard#…
…2119)


aaanders added a commit to aaanders/dropwizard that referenced this pull request Sep 20, 2018

Add support for setting several cipher suites for HTTP/2 (dropwizard#…
…2119)
