Correctly filter out TLSv1.3 ciphers if TLSv1.3 is not enabled #10919
Conversation
Motivation: We didnt correctly filter out TLSv1.3 ciphers when TLSv1.3 is not enabled. Modifications: - Filter out ciphers that are not supported due the selected TLS version - Add unit test Result: Fixes #10911 Co-authored-by: Bryce Anderson <banderson@twitter.com>
handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslEngine.java
Show resolved
Hide resolved
|
@bryce-anderson PTAL again |
|
For some reason when I pull this and run the tests, I get failures to throw the expected expected |
handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslEngine.java
Show resolved
Hide resolved
It looks like I'm getting TLSv1.1 with the |
|
@bryce-anderson you have a unit test that shows this ? |
@normanmaurer, yes, see here: bryce-anderson@117607c |
|
@bryce-anderson what java version / netty-tcnative version ? Also is this with BoringSSL or not ? |
I have used both what is in the maven project description by default and switch to boringssl-static and they give the same result. Same with jdk8 and jdk11: Fwiw, this is the behavior I'd expect: we didn't implicitly disable the TLSv1.(x<3) ciphers if the set is empty which I believe then defaults to all ciphers being available. |
|
super strange the it passes here without your change... hmmm. |
Agreed. |
|
@normanmaurer, let me know if there is anything you need from me on this. |
|
@bryce-anderson will do... I just didn't have time yet to check |
|
@bryce-anderson PTAL and verify :) |
handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslEngine.java
Outdated
Show resolved
Hide resolved
|
@bryce-anderson so all work now on your side ? |
|
@normanmaurer, I haven't deployed and tested it but as far as I can tell it should fix our problem. If something else comes up I'll file another ticket. |
|
@slandelle @chrisvest thoughts ? |
Motivation: We didnt correctly filter out TLSv1.3 ciphers when TLSv1.3 is not enabled. Modifications: - Filter out ciphers that are not supported due the selected TLS version - Add unit test Result: Fixes #10911 Co-authored-by: Bryce Anderson <banderson@twitter.com>
| if (OpenSsl.isTlsv13Supported()) { | ||
| // Set TLSv1.3 ciphers. | ||
| SSL.setCipherSuites(ssl, cipherSuiteSpecTLSv13, true); | ||
| } | ||
|
|
||
| // We also need to update the enabled protocols to ensure we disable the protocol if there are | ||
| // no compatible ciphers left. | ||
| Set<String> protocols = new HashSet<String>(explicitlyEnabledProtocols.length); |
There was a problem hiding this comment.
The default load factor for HashSet is 0.75. Using explicitlyEnabledProtocols.length will cause resize of the internal hash table when the next line adds all explicitlyEnabledProtocols.
The following formula should be used: (int) (c.size()/.75f) + 1. Or use new HasSet(Arrays.asList(explicitlyEnabledProtocols)).
The similar situation may happen for line 1522:
Set<String> enabledSet = new LinkedHashSet<String>(enabled.length + extraCiphers.length);
If all ciphers will be added, it will cause resize of the internal hash table.
…#10919) Motivation: We didnt correctly filter out TLSv1.3 ciphers when TLSv1.3 is not enabled. Modifications: - Filter out ciphers that are not supported due the selected TLS version - Add unit test Result: Fixes netty#10911 Co-authored-by: Bryce Anderson <banderson@twitter.com>
Motivation:
We didnt correctly filter out TLSv1.3 ciphers when TLSv1.3 is not enabled.
Modifications:
Result:
Fixes #10911
Co-authored-by: Bryce Anderson banderson@twitter.com