
Do not enable TLSv1.3 when the current SSLEngine does not support it. #1984

Closed
trustin opened this issue Aug 10, 2019 · 2 comments · Fixed by #1986

Comments


trustin commented Aug 10, 2019

For example, when a user is running Armeria on an old JDK without TLSv1.3 support and BoringSSL is not loaded, he or she will get the following exception:

[armeria-common-worker-epoll-2-1] WARN com.linecorp.armeria.server.HttpServerPipelineConfigurator - [id: 0xc833df45, L:/127.0.0.1:8080 - R:/127.0.0.1:46360] Unexpected exception:
io.netty.handler.codec.DecoderException: java.lang.IllegalArgumentException: TLSv1.3
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:475)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:283)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
	at io.netty.handler.flush.FlushConsolidationHandler.channelRead(FlushConsolidationHandler.java:154)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1421)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
	at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:794)
	at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:424)
	at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:326)
	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:918)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalArgumentException: TLSv1.3
	at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:187)
	at sun.security.ssl.ProtocolList.convert(ProtocolList.java:84)
	at sun.security.ssl.ProtocolList.<init>(ProtocolList.java:52)
	at sun.security.ssl.SSLEngineImpl.setEnabledProtocols(SSLEngineImpl.java:2070)
	at io.netty.handler.ssl.JdkSslContext.configureAndWrapEngine(JdkSslContext.java:341)
	at io.netty.handler.ssl.JdkSslContext.newEngine(JdkSslContext.java:330)
	at io.netty.handler.ssl.SslContext.newHandler(SslContext.java:943)
	at io.netty.handler.ssl.SslContext.newHandler(SslContext.java:935)
	at io.netty.handler.ssl.SniHandler.newSslHandler(SniHandler.java:151)
	at io.netty.handler.ssl.SniHandler.replaceHandler(SniHandler.java:133)
	at io.netty.handler.ssl.SniHandler.onLookupComplete(SniHandler.java:114)
	at io.netty.handler.ssl.AbstractSniHandler.select(AbstractSniHandler.java:211)
	at io.netty.handler.ssl.AbstractSniHandler.decode(AbstractSniHandler.java:203)
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:505)
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:444)
	... 19 more
[armeria-common-worker-epoll-2-1] WARN com.linecorp.armeria.server.HttpServerPipelineConfigurator - [id: 0xc833df45, L:/127.0.0.1:8080 ! R:/127.0.0.1:46360] Unexpected exception:
io.netty.handler.codec.DecoderException: java.lang.IllegalArgumentException: TLSv1.3
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:475)
	at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:408)
	at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:375)
	at io.netty.handler.codec.ByteToMessageDecoder.channelInactive(ByteToMessageDecoder.java:358)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:257)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:243)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelInactive(AbstractChannelHandlerContext.java:236)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelInactive(DefaultChannelPipeline.java:1416)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:257)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:243)
	at io.netty.channel.DefaultChannelPipeline.fireChannelInactive(DefaultChannelPipeline.java:912)
	at io.netty.channel.AbstractChannel$AbstractUnsafe$8.run(AbstractChannel.java:816)
	at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163)
	at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:416)
	at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:331)
	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:918)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalArgumentException: TLSv1.3
	at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:187)
	at sun.security.ssl.ProtocolList.convert(ProtocolList.java:84)
	at sun.security.ssl.ProtocolList.<init>(ProtocolList.java:52)
	at sun.security.ssl.SSLEngineImpl.setEnabledProtocols(SSLEngineImpl.java:2070)
	at io.netty.handler.ssl.JdkSslContext.configureAndWrapEngine(JdkSslContext.java:341)
	at io.netty.handler.ssl.JdkSslContext.newEngine(JdkSslContext.java:330)
	at io.netty.handler.ssl.SslContext.newHandler(SslContext.java:943)
	at io.netty.handler.ssl.SslContext.newHandler(SslContext.java:935)
	at io.netty.handler.ssl.SniHandler.newSslHandler(SniHandler.java:151)
	at io.netty.handler.ssl.SniHandler.replaceHandler(SniHandler.java:133)
	at io.netty.handler.ssl.SniHandler.onLookupComplete(SniHandler.java:114)
	at io.netty.handler.ssl.AbstractSniHandler.select(AbstractSniHandler.java:211)
	at io.netty.handler.ssl.AbstractSniHandler.decode(AbstractSniHandler.java:203)
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:505)
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:444)
	... 18 more

We could avoid enabling TLSv1.3 when the current SSLEngine implementation we are going to use does not support it.

See:

```java
public static final List<String> DEFAULT_PROTOCOLS = ImmutableList.of("TLSv1.3", "TLSv1.2");

/**
 * Creates a {@link SslContext} with Armeria's defaults, enabling support for HTTP/2, TLSv1.3, and
 * TLSv1.2.
 */
public static SslContext createSslContext(Supplier<SslContextBuilder> sslContextSupplier,
                                          boolean forceHttp1,
                                          Consumer<? super SslContextBuilder> userCustomizer) {
    final SslContextBuilder builder = sslContextSupplier.get();
    builder.sslProvider(Flags.useOpenSsl() ? SslProvider.OPENSSL : SslProvider.JDK)
           .protocols(DEFAULT_PROTOCOLS.toArray(new String[0]));
```

trustin pushed a commit that referenced this issue Aug 12, 2019
Motivation:

Armeria should disable TLSv1.3 when using `JdkSslContext` and the current Java version is lower than 11.

Modifications:

- Filter out unsupported TLS protocols.
- Miscellaneous:
  - Update `CONTRIBUTING.md`

Result:

- Fixes #1984
@trustin trustin added this to the 0.90.1 milestone Aug 12, 2019
fmguerreiro pushed a commit to fmguerreiro/armeria that referenced this issue Sep 19, 2020
Motivation:

Armeria should disable TLSv1.3 when using `JdkSslContext` and the current Java version is lower than 11.

Modifications:

- Filter out unsupported TLS protocols.
- Miscellaneous:
  - Update `CONTRIBUTING.md`

Result:

- Fixes line#1984
@packleader

I'm experiencing a similar issue using Armeria 1.13.2 with Java 1.8.0_144. Netty is throwing an exception as shown below. This exception appears to be related to ciphers rather than protocols. Should I open a new issue? Or is there a configuration change I need to make?

java.lang.IllegalArgumentException: TLSv1.3 is not supported by this java version.

	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.setEnabledCipherSuites(ReferenceCountedOpenSslEngine.java:1645)
	at com.linecorp.armeria.server.VirtualHostBuilder.validateSslContext(VirtualHostBuilder.java:1178)
	at com.linecorp.armeria.server.VirtualHostBuilder.build(VirtualHostBuilder.java:1111)
	at com.linecorp.armeria.server.ServerBuilder.buildServerConfig(ServerBuilder.java:1711)
	at com.linecorp.armeria.server.ServerBuilder.build(ServerBuilder.java:1695)


ikhoon commented Nov 17, 2021

You can configure ciphers using ServerBuilder.tlsCustomizer(). For example:

```java
Server.builder()
      .tlsCustomizer(sslCtxBuilder -> {
          // Override the default cipher suites
          sslCtxBuilder.ciphers(...);
      });
```
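As an added example, not code from this issue or from Armeria itself, the following serves both the protocol filter proposed in the issue body and the cipher-suite follow-up above: the same "keep only what a probe SSLEngine reports as supported" intersection is applied to both lists before they reach the SslContextBuilder. It assumes the JDK SslProvider; the class name, method names and the DEFAULT_CIPHERS list are hypothetical or constructed for this example.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

import io.netty.handler.ssl.SslContextBuilder;

public final class TlsDefaultsFilter {
    // Armeria's preferred order from the issue; TLSv1.3 is dropped where the engine lacks it.
    static final List<String> DEFAULT_PROTOCOLS = Arrays.asList("TLSv1.3", "TLSv1.2");
    // Constructed sample: one TLSv1.3 suite, then two TLSv1.2 suites. Substitute your own policy.
    static final List<String> DEFAULT_CIPHERS = Arrays.asList(
            "TLS_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");

    /** Keeps the entries of {@code wanted}, in their original order, that the engine supports. */
    static List<String> intersect(List<String> wanted, String[] supported) {
        final Set<String> available = new HashSet<>(Arrays.asList(supported));
        final List<String> result = new ArrayList<>();
        for (String name : wanted) {
            if (available.contains(name)) {
                result.add(name);
            }
        }
        if (result.isEmpty()) {
            // Fail loudly at build time rather than with a DecoderException per connection.
            throw new IllegalStateException("None of " + wanted + " is supported by this SSLEngine");
        }
        return result;
    }

    /** Applies the filtered defaults to a Netty SslContextBuilder configured for the JDK provider. */
    static SslContextBuilder applyJdkDefaults(SslContextBuilder builder) throws NoSuchAlgorithmException {
        // Probe a throwaway engine from the default SSLContext. On a JDK 8 build without
        // TLSv1.3, it lists TLSv1.2 as the newest protocol and no TLS_AES_* suites, so
        // both lists shrink to what setEnabledProtocols/setEnabledCipherSuites will accept.
        final SSLEngine probe = SSLContext.getDefault().createSSLEngine();
        final List<String> protocols = intersect(DEFAULT_PROTOCOLS, probe.getSupportedProtocols());
        final List<String> ciphers = intersect(DEFAULT_CIPHERS, probe.getSupportedCipherSuites());
        return builder.protocols(protocols.toArray(new String[0]))
                      .ciphers(ciphers);
    }
}
```

For the OPENSSL provider the JDK probe is not authoritative; probe an engine created from that provider's own SslContext instead, since that is where the cipher-suite exception in the comment above was raised.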
