Set Enabled Protocols about sslcontext-kickstart HOT 8 CLOSED

Thank you for sharing the code snippet of how you are using it in your situation. It gives me a better understanding how the requested feature would work in your case and what could be a proper implementation.

In the initial version of the implementation the SSLFactory will supply all default protocols which it will allow as defined in the SSLContext. However if you do specify a specific protocol, just like the example below, the NettySslContextUtils will pick that up and correctly pass it on so your Netty client can only allow those protocols.

SSLFactory sslFactory = SSLFactory.builder()
    .withDefaultTrustMaterial()
    .withProtocols("TLSv1.2", "TLSv1.1")
    .build()

SslContext sslContext = NettySslContextUtils.forClient(sslFactory).build();
HttpClient httpClient = HttpClient.create().secure(sslSpec -> sslSpec.sslContext(sslContext));

WebClient webClient = WebClient.builder()
    .clientConnector(new ReactorClientHttpConnector(httpClient))
    .build();

As a bonus to your feature request I have also included the same behaviour for ciphers. You can use these two options from 5.2.3 onwards. Good luck!

from sslcontext-kickstart.

it works perfect! thank you for the quick release!

In case others want to know how to test this capability, run a spring boot app with TLSv1 (env variable given below) and connect with SslContext having enabled only TLSv1.2

server.ssl.enabled-protocols=TLSv1

Netty client will throw error as follows

io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Server chose TLSv1, but that protocol version is not enabled or not supported by the client

from sslcontext-kickstart.

Hi @winster

Thank you for this suggestion, it would be nice to have a feature to narrow down the allowed protocols to communicate with the server. This would be a nice way to block a specific version from client side if the server wants to communicates with it.

I investigated in the past if this would be possible and the conclusion is the magic word: it depends...

First of al while creating an SSLContext we would expect by calling SSLContext.getInstance(protocol) it would create a ssl configuration with only the provided protocol version. So if we would pass TLSv1.3 we would expect in this case all http clients would be using only TLSv1.3. Unfortunately this is not the case. When you are using JDK 11 and create it in this way it will use a list of protocols ["TLSv1.1", "TLSv1.2", "TLSv1.3"]. If you specify TLSv1.2 as protocol the resulting list of protocols would be ["TLSv1.1", "TLSv1.2"] so it looks like this is treated as a upper bound, while we would prefer this to be a lower bound. Unfortunately it is in this way not possible to achieve what you are asking.

You suggested an alternative by adjusting the property in the sslContext in the following way: this.sslContext.getDefaultSSLParameters().setProtocols(this.allowedProtocols); I tried this out, but after setting the value and passing the sslContext to different clients within this project: https://github.com/Hakky54/mutual-tls-ssl I discovered that the change is not picked up. So basically the following expressions will have the following results:

SSLContext sslContext = SSLContext.getInstance("TLSv1.3");
String[] protocols = sslContext.getDefaultSSLParameters().getProtocols();
System.out.println(protocols); // prints ["TLSv1.1", "TLSv1.2", "TLSv1.3"]
        
sslContext.getDefaultSSLParameters().setProtocols(new String[]{"TLSv1.3"});
protocols = sslContext.getDefaultSSLParameters().getProtocols();
System.out.println(protocols); // prints ["TLSv1.1", "TLSv1.2", "TLSv1.3"]

So adjusting the protocol with this way also doesn't work...

There is an option which will work for some http client and that's by providing the following VM argument during the startup of your application: -Dhttps.protocols=TLSv1.3 This property will force, for example, the HttpsURLConnection to communicate only with that protocol. However not all http clients do support this approach, so even though I can add this feature to SSLFactory by hardcoding System.setProperty() I cannot guarantee the expected behaviour for all users of this library for their http client...

Some http clients such as from Apache, Netty, Jetty, JDK 9+ Http Client, Finagle and AsyncHttpClient do support setting custom list of allowed protocols, but others don't. So even tough it would be a nice feature to have, and I think it should be even a must-have however it is not possible to enforce the protocol from adjusting the SSLContext or other property

from sslcontext-kickstart.

It may not be as simple as I suggested above. There are 4 options given in https://www.java.com/en/configure_crypto.html under section Changing default TLS protocol version for client end points : TLS 1.0 to TLS 1.2
Option3, seems to meet our requirements.

from sslcontext-kickstart.

Thank you for sharing the link. Oracle has provided a nice overview for all those options. I also tried the jdk.tls.client.protocols property, but that also doesn't do the trick. The most effective configuration would be indeed option 3 what you suggested, adjusting the properties within the SSLEngine or SSLSocket. I have seen that those properties don't disappear like the following snippet: this.sslContext.getDefaultSSLParameters().setProtocols(this.allowedProtocols);

I will further investigate configuring the SSLEngine/SSLSocket. I am wondering by the way how this option would work for you, does your http client support injecting these objects? If so which http client are you using?

from sslcontext-kickstart.

Thanks. I use netty.

from sslcontext-kickstart.

Can you share how you are currently configuring SSLFactory and your Netty client with it and how you will be configuring netty with either the SSLEngine or SSLSocket? That would give me more context of your current setup

from sslcontext-kickstart.

Sorry for the late response.

SSLFactory.Builder sslFactoryBuilder = SSLFactory.builder().withDefaultTrustMaterial();
.......
SSLFactory sslFactory = sslFactoryBuilder.build();
SslContext sslContext = NettySslContextUtils.forClient(sslFactory).build();
HttpClient httpClient = HttpClient.create().secure(t -> t.sslContext(sslContext));
ClientHttpConnector httpConnector = new ReactorClientHttpConnector(httpClient);
return WebClient.builder().clientConnector(httpConnector);

from sslcontext-kickstart.