[#4736] Clear disabled SSL protocols before enabling provided SSL pro… #4737
Conversation
|
@normanmaurer @Scottmitch PTAL Note: this pull request assumes that a new netty-tcnative tag (1.1.33.Fork11) has been created. This pull request will not build successfully until that tag exists. |
| @@ -1076,21 +1076,31 @@ public void setEnabledProtocols(String[] protocols) { | |||
| // Enable all and then disable what we not want | |||
| SSL.setOptions(ssl, SSL.SSL_OP_ALL); | |||
|
|
|||
| int opts = SSL.SSL_OP_NO_SSLv2 | SSL.SSL_OP_NO_SSLv3 | SSL.SSL_OP_NO_TLSv1 | | |||
There was a problem hiding this comment.
nit: i guess there is no need to assign this to a temp variable ... consider just passing in the mask directly to clearOptions
There was a problem hiding this comment.
Initially, I did what you suggested, but then noticed I needed the temp variable for the call to setOptions so thought I might as well use it for clearOptions as well. I'm not bothered either way, let me know your thoughts and I'll make the change if you still think I should.
There was a problem hiding this comment.
@blucas please adjust as @Scottmitch suggested.
|
@blucas - Any thoughts on a test for this, maybe create peers that don't support the same versions and verify the handshake fails? I'll assign to @normanmaurer to pull in after tcnative is released. |
| @@ -298,7 +298,7 @@ | |||
| <dependency> | |||
| <groupId>${project.groupId}</groupId> | |||
| <artifactId>netty-tcnative</artifactId> | |||
| <version>1.1.33.Fork10</version> | |||
| <version>1.1.33.Fork11</version> | |||
There was a problem hiding this comment.
revert? this artifact does not exist in central Maven and is the reason why the CI build failed.
There was a problem hiding this comment.
No it's fine. We need a new netty-tcnative release for this PR
There was a problem hiding this comment.
@normanmaurer - Do you think we could cut a netty-tcnative release for this soon?
There was a problem hiding this comment.
Yes
Am 21.01.2016 um 11:02 schrieb Brendt notifications@github.com:
In pom.xml:
@@ -298,7 +298,7 @@
${project.groupId}
netty-tcnative
<version>1.1.33.Fork10</version><version>1.1.33.Fork11</version>—
Reply to this email directly or view it on GitHub.
I think a more fundamental test would be nice. Something that:
WDYT? |
|
+1 ... Maybe you could make it part of SSLEngineTest ?
|
|
@normanmaurer @Scottmitch - I've added a test and removed the temp variable. PTAL |
| @@ -263,6 +267,40 @@ public String select(List<String> protocols) { | |||
| } | |||
| } | |||
|
|
|||
| @Test | |||
| public void testEnablingAnAlreadyDisabledSslProtocol() throws Exception { | |||
There was a problem hiding this comment.
can we just have this test live in SSLEngineTest? That way we won't need to duplicate the code.
There was a problem hiding this comment.
@blucas to make the same test work with OpenSslEngine and the jdk one you can do and instanceof .
|
@blucas - Code looks good! after #4737 (comment) is addressed and squashed we can pull in. |
| @@ -60,6 +66,42 @@ public void testAlpnCompatibleProtocolsDifferentClientOrder() throws Exception { | |||
| runTest(PREFERRED_APPLICATION_LEVEL_PROTOCOL); | |||
| } | |||
|
|
|||
| @Test | |||
| public void testEnablingAnAlreadyDisabledSslProtocol() throws Exception { | |||
| SSLEngine sslEngine = null; | |||
There was a problem hiding this comment.
Check if openssl is present first. See the tests above
|
@blucas can you address this today as I want to cut 4.1.0.CR1 today ? If not we will need to include it in the next release. |
|
@normanmaurer - I've made the changes, if you are happy I can squash them. |
|
@blucas I think @Scottmitch may have meant moving the entire test to the super class like this johnou@5d8557b it will be run for all concrete classes which will set the correct provider via io.netty.handler.ssl.SSLEngineTest#sslProvider |
|
@johnou - Looking at your test, I don't think it will pass in the case where sslEngine is an instance of |
|
@normanmaurer - Do you need me to squash? |
|
@blucas yes please |
|
@normanmaurer - Can I do that even while the CI build is running? |
…tocols Motivation: Attempts to enable SSL protocols which are currently disabled fail when using the OpenSslEngine. Related to #4736 Modifications: Clear out all options that have disabled SSL protocols before attempting to enable any SSL protocol. Result: setEnabledProtocols works as expected.
|
@blucas yes |
|
@blucas wouldn't it make more sense to have the actual test in the super class so if a new provider is added it is automatically covered? |
|
@normanmaurer - Done @johnou - You are right, but maybe we can worry about fixing that in a separate PR so that Norman can get this one cherry-picked and cut a release. |
|
alright cool, good work with the contribution 👍 |
|
good work @blucas ! |
|
@normanmaurer @Scottmitch @johnou - Thanks guys, I'm glad I could help |
…tocols
Motivation:
Attempts to enable SSL protocols which are currently disabled fail when using the OpenSslEngine. Related to #4736
Modifications:
Clear out all options that have disabled SSL protocols before attempting to enable any SSL protocol.
Result:
setEnabledProtocols works as expected.