Correctly filter out TLSv1.3 ciphers if TLSv1.3 is not enabled #10919
Motivation:
We didn't correctly filter out TLSv1.3 ciphers when TLSv1.3 is not enabled.
Modifications:
- Filter out ciphers that are not supported due to the selected TLS version
- Add unit test
Result:
Fixes #10911
Co-authored-by: Bryce Anderson <banderson@twitter.com>
@bryce-anderson PTAL again
For some reason when I pull this and run the tests, I get failures to throw the expected expected
It looks like I'm getting TLSv1.1 with the
@bryce-anderson you have a unit test that shows this ?
@normanmaurer, yes, see here: bryce-anderson@117607c
@bryce-anderson what java version / netty-tcnative version ? Also is this with BoringSSL or not ?
I have used both what is in the maven project description by default and switched to boringssl-static, and they give the same result. Same with jdk8 and jdk11:
Fwiw, this is the behavior I'd expect: we didn't implicitly disable the TLSv1.(x<3) ciphers if the set is empty which I believe then defaults to all ciphers being available.
super strange that it passes here without your change... hmmm.
Agreed.
@normanmaurer, let me know if there is anything you need from me on this.
@bryce-anderson will do... I just didn't have time yet to check
@bryce-anderson PTAL and verify :)
Thank you @normanmaurer!
@bryce-anderson so all work now on your side ?
@normanmaurer, I haven't deployed and tested it but as far as I can tell it should fix our problem. If something else comes up I'll file another ticket.
@slandelle @chrisvest thoughts ?
Change LGTM, one nit related to intermediate collections size, but I'm not sure if it really matters because it's not on the hot path:
if (OpenSsl.isTlsv13Supported()) { | ||
// Set TLSv1.3 ciphers. | ||
SSL.setCipherSuites(ssl, cipherSuiteSpecTLSv13, true); | ||
} | ||
|
||
// We also need to update the enabled protocols to ensure we disable the protocol if there are | ||
// no compatible ciphers left. | ||
Set<String> protocols = new HashSet<String>(explicitlyEnabledProtocols.length); |
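Review bot: the guard if (OpenSsl.isTlsv13Supported()) around SSL.setCipherSuites(ssl, cipherSuiteSpecTLSv13, true) tests only whether the native library supports TLSv1.3, not whether TLSv1.3 is among the enabled protocols, so please confirm that cipherSuiteSpecTLSv13 has already been filtered before this point and add a one-line comment saying so. The protocol update that follows also changes the enabled protocol set as a side effect of a cipher-suite change, per the comment "disable the protocol if there are no compatible ciphers left"; that deserves a Javadoc note on the enclosing method, and the unit test should assert on the resulting enabled protocols, since silently dropping a protocol version changes what the endpoint will negotiate.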
The default load factor for HashSet is 0.75. Using explicitlyEnabledProtocols.length will cause a resize of the internal hash table when the next line adds all explicitlyEnabledProtocols.
The following formula should be used: (int) (c.size()/.75f) + 1. Or use new HashSet(Arrays.asList(explicitlyEnabledProtocols)).
A similar situation may happen for line 1522:
Set<String> enabledSet = new LinkedHashSet<String>(enabled.length + extraCiphers.length);
If all ciphers are added, it will cause a resize of the internal hash table.
…#10919) Motivation: We didn't correctly filter out TLSv1.3 ciphers when TLSv1.3 is not enabled. Modifications: - Filter out ciphers that are not supported due to the selected TLS version - Add unit test Result: Fixes netty#10911 Co-authored-by: Bryce Anderson <banderson@twitter.com>