Configuration of ciphers is ignored for TCP #1543
Comments
In case of |
@Johannes-Rost The change in 1.0.x is intentional as we want to guarantee that if the user does not provide configuration type the default configuration will be applied on top of the provided |
@violetagg My I have tried writing a local fix within Alternatively, you could pass the SslContext already present in |
Maybe this should be fixed by changing the |
@Johannes-Rost Reactor Netty will expose a new API that will be used by Spring Boot |
…or any other configuration. SslProvider.SslContextSpec#sslContext(SslProvider.ProtocolSslContextSpec) provides, specific for the protocol, default configuration (DefaultSslContextSpec, TcpSslContextSpec, Http11SslContextSpec, Http2SslContextSpec). As opposed to SslProvider.SslContextSpec#sslContext(SslContextBuilder), the default configuration is applied before any other custom configuration. Fixes #1543
…or any other configuration (#1573) SslProvider.SslContextSpec#sslContext(SslProvider.ProtocolSslContextSpec) provides, specific for the protocol, default configuration (DefaultSslContextSpec, TcpSslContextSpec, Http11SslContextSpec, Http2SslContextSpec). As opposed to SslProvider.SslContextSpec#sslContext(SslContextBuilder), the default configuration is applied before any other custom configuration. Fixes #1543
With version Reactor Netty v1.0.6, can you start using the following API for configuring the security on the server
Examples HTTP/1.1
HTTP/2
|
Expected Behavior
Configuring a list of ciphers should result in a running server with these ciphers configured for Spring Boot 2.4.x with reactor-netty 1.0.x
Actual Behavior
reactor.netty.tcp.SslProvider is overriding the list of ciphers with null since commit 41e7326 for reactor.netty.tcp.SslProvider.DefaultConfigurationType#TCP. This results in a running server which falls back to default ciphers
Steps to Reproduce
Start a Spring Boot WebFlux Application with SSL support on localhost port 8443 and the following properties set
OpenSSL should not be able to complete an SSL handshake for ECDHE-RSA-AES256-SHA, but it is:
Spring Boot 2.3.x with reactor-netty 0.9.x is working as expected (handshake is not successful for the same configuration)
Possible Solution
case TCP in reactor.netty.tcp.SslProvider#updateDefaultConfiguration() should copy the configured ciphers instead of just using null
Your Environment
Spring Boot 2.4.3 with reactor-netty-core 1.0.3 on JDK11
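An added example, not code from the issue or from Reactor Netty: it sets a cipher allow list through the Http11SslContextSpec API named in the comments (Reactor Netty 1.0.6 or later) and then repeats the issue's handshake check from a JDK client, offering only the suite that should be refused. The class name, the allow list, and the two command-line arguments (a PEM certificate and a PKCS#8 RSA key file) are assumptions.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.util.*;
import javax.net.ssl.*;
import reactor.netty.DisposableServer;
import reactor.netty.http.Http11SslContextSpec;
import reactor.netty.http.server.HttpServer;

public class CipherAllowListCheck {  // hypothetical class name
    // Constructed allow list (assumption); substitute the suites from your own policy.
    static final List<String> ALLOWED = Arrays.asList(
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
    // JSSE name of the suite OpenSSL calls ECDHE-RSA-AES256-SHA (the one tested in the issue).
    static final String EXCLUDED = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA";

    // Returns true if a TLS 1.2 handshake offering only `suite` completes.
    static boolean handshakes(File cert, int port, String suite) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        try (InputStream in = new FileInputStream(cert)) {  // trust exactly the server certificate
            trust.setCertificateEntry("server",
                    CertificateFactory.getInstance("X.509").generateCertificate(in));
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket("localhost", port)) {
            s.setEnabledProtocols(new String[] {"TLSv1.2"});
            s.setEnabledCipherSuites(new String[] {suite});
            s.startHandshake();
            return true;
        } catch (SSLException e) {
            return false;  // handshake refused
        }
    }

    public static void main(String[] args) throws Exception {
        File cert = new File(args[0]), key = new File(args[1]);
        // Protocol defaults are applied first, then the custom cipher list on top of them.
        Http11SslContextSpec spec = Http11SslContextSpec.forServer(cert, key)
                .configure(builder -> builder.ciphers(ALLOWED));
        DisposableServer server = HttpServer.create().port(0)  // ephemeral port
                .secure(ssl -> ssl.sslContext(spec)).bindNow();
        try {
            System.out.println("allowed suite accepted:  " + handshakes(cert, server.port(), ALLOWED.get(0)));
            System.out.println("excluded suite accepted: " + handshakes(cert, server.port(), EXCLUDED));
        } finally { server.disposeNow(); }
    }
}
```

The first line is a control: if it prints false as well, the failure is in the certificate or key rather than in cipher filtering. A server that honours the allow list prints true, then false.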