New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The default SSL engine enabled protocols should not prevent to use protocols declared by options #2179
Comments
Having looked at the OpenSslEngine it seems that SSLv2Hello cant be disabled: So may have to go with the latter fix so the code actually does do what it should, as it may be just as confusing that it is not listed but OpenSsl adds it. |
is it possible to provide a test for asserting this behavior ? |
ping @johnoliver |
Right now,
This means that there is currently no way to add protocols not already enabled in both As I need SSLv3 and SSLv2Hello support for a customer's legacy devices, I'd like to bring this forward. Let's not discuss the security implications here I propose to move the
|
@vietj : would you accept a PR adding this feature? |
if the SSLHelper removes the protocols not supported by the engine how does it help you to use SSLv3 ? |
ah you change by supported protocols as advocated by @johnoliver |
yes I'm all for that, Vert.x should not get in your way if you want to shot in your feet :-) |
Signed-off-by: Philipp Lehmann <github@phil.to>
fixed |
@johnoliver @philrykoff I will remove SSLv2Hello from the list of default enabled protocols. Actually this protocol was already filtered by the previous code (as the engine supports it but does not enable it by default) : so the behavior will be the same for users. Also some tests don't pass with SSLv2Hello like the SNI tests (I think it does not supports SNI but I can't find evidence of it). |
I will add a test that checks we can still use this protocol by setting it in the protocols list |
Makes sense. |
SSLHelper has:
However later builds up the enabled protocol list with:
And since netty by default does not enable SSLv2Hello (ref ), SSLv2Hello in fact is not enabled, and I believe it is not possible to enable any protocols other than TLSv1/1.1/1.2.
This could be regarded as a feature as it prevents developers selecting insecure protocols, however is confusing that
addEnabledSecureTransportProtocol
will only actually work if its TLSv1/1.1/1.2.Could be fixed by removing SSLv2Hello from the default list to make it less confusing, and maybe documenting what protocols are available. Or by re-enabling all protocols by changing
to
The text was updated successfully, but these errors were encountered: