Skip to content

Fix client/server inconsistency in SslCredential support matrix#16990

Merged
normanmaurer merged 1 commit into
netty:4.2from
jmcrawford45:fix/openssl-server-credentials
Jun 25, 2026
Merged

Fix client/server inconsistency in SslCredential support matrix#16990
normanmaurer merged 1 commit into
netty:4.2from
jmcrawford45:fix/openssl-server-credentials

Conversation

@jmcrawford45

Copy link
Copy Markdown
Contributor

Motivation:

SslContextBuilder.addCredentials(...) (the OpenSslCredential API from #15919) is honored for the client context and for the OPENSSL_REFCNT server context, but is silently dropped for the default OPENSSL server provider.

As a result, a server built with SslProvider.OPENSSL (the default server provider) plus addCredentials(...) never installs those credentials on the SSL_CTX, so they aren't available for cipher-/sigalg-based certificate selection.

Modification:

  • SslContext.newServerContextInternal: pass credentials to OpenSslServerContext in the OPENSSL branch (matching the OPENSSL_REFCNT branch and the client path).
  • OpenSslServerContext: add a package-private constructor overload that accepts List credentials and forwards it to the existing credential-aware constructor (mirroring OpenSslClientContext), instead of always delegating null.
  • OpenSslEngineTest: add testServerSelectsAddedCredentialWithOpenSslProvider — a default-OPENSSL server whose ECDSA certificate is supplied only via addCredentials (base/legacy cert is RSA), driven by an ECDSA-only client, asserting the served leaf is EC. Fails with NO_SHARED_CIPHER before the fix, passes after.

Result:

addCredentials(...) is now honored for the default OPENSSL server provider, not just OPENSSL_REFCNT. Dual-cert servers select the correct certificate per the negotiated cipher (TLS 1.2) / signature algorithm (TLS 1.3) without requiring OPENSSL_REFCNT, and the new regression test guards the behavior.

@normanmaurer normanmaurer added this to the 4.2.16.Final milestone Jun 25, 2026
@normanmaurer normanmaurer added the needs-cherry-pick-5.0 This PR should be cherry-picked to 5.0 once merged. label Jun 25, 2026
@normanmaurer normanmaurer merged commit 5b49a0a into netty:4.2 Jun 25, 2026
33 of 36 checks passed
@netty-project-bot

Copy link
Copy Markdown
Contributor

Auto-port PR for 5.0: #16996

@github-actions github-actions Bot removed the needs-cherry-pick-5.0 This PR should be cherry-picked to 5.0 once merged. label Jun 25, 2026
normanmaurer pushed a commit that referenced this pull request Jun 26, 2026
…rt matrix (#16996)

Auto-port of #16990 to 5.0
Cherry-picked commit: 5b49a0a

---
Motivation:

SslContextBuilder.addCredentials(...) (the OpenSslCredential API from
#15919) is honored for the client context and for the OPENSSL_REFCNT
server context, but is silently dropped for the default OPENSSL server
provider.

As a result, a server built with SslProvider.OPENSSL (the default server
provider) plus addCredentials(...) never installs those credentials on
the SSL_CTX, so they aren't available for cipher-/sigalg-based
certificate selection.

Modification:

- SslContext.newServerContextInternal: pass credentials to
OpenSslServerContext in the OPENSSL branch (matching the OPENSSL_REFCNT
branch and the client path).
- OpenSslServerContext: add a package-private constructor overload that
accepts List<OpenSslCredential> credentials and forwards it to the
existing credential-aware constructor (mirroring OpenSslClientContext),
instead of always delegating null.
- OpenSslEngineTest: add
testServerSelectsAddedCredentialWithOpenSslProvider — a default-OPENSSL
server whose ECDSA certificate is supplied only via addCredentials
(base/legacy cert is RSA), driven by an ECDSA-only client, asserting the
served leaf is EC. Fails with NO_SHARED_CIPHER before the fix, passes
after.

Result:

addCredentials(...) is now honored for the default OPENSSL server
provider, not just OPENSSL_REFCNT. Dual-cert servers select the correct
certificate per the negotiated cipher (TLS 1.2) / signature algorithm
(TLS 1.3) without requiring OPENSSL_REFCNT, and the new regression test
guards the behavior.

Co-authored-by: Jared Crawford <jaredcrawford@netflix.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants