Comments (8)
Thank you for sharing the code snippet of how you are using it in your situation. It gives me a better understanding how the requested feature would work in your case and what could be a proper implementation.
In the initial version of the implementation the SSLFactory will supply all default protocols which it will allow as defined in the SSLContext. However if you do specify a specific protocol, just like the example below, the NettySslContextUtils will pick that up and correctly pass it on so your Netty client can only allow those protocols.
SSLFactory sslFactory = SSLFactory.builder()
.withDefaultTrustMaterial()
.withProtocols("TLSv1.2", "TLSv1.1")
.build()
SslContext sslContext = NettySslContextUtils.forClient(sslFactory).build();
HttpClient httpClient = HttpClient.create().secure(sslSpec -> sslSpec.sslContext(sslContext));
WebClient webClient = WebClient.builder()
.clientConnector(new ReactorClientHttpConnector(httpClient))
.build();
As a bonus to your feature request I have also included the same behaviour for ciphers. You can use these two options from 5.2.3 onwards. Good luck!
from sslcontext-kickstart.
it works perfect! thank you for the quick release!
In case others want to know how to test this capability, run a spring boot app with TLSv1 (env variable given below) and connect with SslContext having enabled only TLSv1.2
server.ssl.enabled-protocols=TLSv1
Netty client will throw error as follows
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Server chose TLSv1, but that protocol version is not enabled or not supported by the client
from sslcontext-kickstart.
Hi @winster
Thank you for this suggestion, it would be nice to have a feature to narrow down the allowed protocols to communicate with the server. This would be a nice way to block a specific version from client side if the server wants to communicates with it.
I investigated in the past if this would be possible and the conclusion is the magic word: it depends...
First of al while creating an SSLContext we would expect by calling SSLContext.getInstance(protocol)
it would create a ssl configuration with only the provided protocol version. So if we would pass TLSv1.3
we would expect in this case all http clients would be using only TLSv1.3
. Unfortunately this is not the case. When you are using JDK 11 and create it in this way it will use a list of protocols ["TLSv1.1", "TLSv1.2", "TLSv1.3"]
. If you specify TLSv1.2
as protocol the resulting list of protocols would be ["TLSv1.1", "TLSv1.2"]
so it looks like this is treated as a upper bound, while we would prefer this to be a lower bound. Unfortunately it is in this way not possible to achieve what you are asking.
You suggested an alternative by adjusting the property in the sslContext in the following way: this.sslContext.getDefaultSSLParameters().setProtocols(this.allowedProtocols);
I tried this out, but after setting the value and passing the sslContext to different clients within this project: https://github.com/Hakky54/mutual-tls-ssl I discovered that the change is not picked up. So basically the following expressions will have the following results:
SSLContext sslContext = SSLContext.getInstance("TLSv1.3");
String[] protocols = sslContext.getDefaultSSLParameters().getProtocols();
System.out.println(protocols); // prints ["TLSv1.1", "TLSv1.2", "TLSv1.3"]
sslContext.getDefaultSSLParameters().setProtocols(new String[]{"TLSv1.3"});
protocols = sslContext.getDefaultSSLParameters().getProtocols();
System.out.println(protocols); // prints ["TLSv1.1", "TLSv1.2", "TLSv1.3"]
So adjusting the protocol with this way also doesn't work...
There is an option which will work for some http client and that's by providing the following VM argument during the startup of your application: -Dhttps.protocols=TLSv1.3
This property will force, for example, the HttpsURLConnection to communicate only with that protocol. However not all http clients do support this approach, so even though I can add this feature to SSLFactory by hardcoding System.setProperty()
I cannot guarantee the expected behaviour for all users of this library for their http client...
Some http clients such as from Apache, Netty, Jetty, JDK 9+ Http Client, Finagle and AsyncHttpClient do support setting custom list of allowed protocols, but others don't. So even tough it would be a nice feature to have, and I think it should be even a must-have however it is not possible to enforce the protocol from adjusting the SSLContext or other property
from sslcontext-kickstart.
It may not be as simple as I suggested above. There are 4 options given in https://www.java.com/en/configure_crypto.html under section Changing default TLS protocol version for client end points : TLS 1.0 to TLS 1.2
Option3, seems to meet our requirements.
from sslcontext-kickstart.
Thank you for sharing the link. Oracle has provided a nice overview for all those options. I also tried the jdk.tls.client.protocols
property, but that also doesn't do the trick. The most effective configuration would be indeed option 3 what you suggested, adjusting the properties within the SSLEngine or SSLSocket. I have seen that those properties don't disappear like the following snippet: this.sslContext.getDefaultSSLParameters().setProtocols(this.allowedProtocols);
I will further investigate configuring the SSLEngine/SSLSocket. I am wondering by the way how this option would work for you, does your http client support injecting these objects? If so which http client are you using?
from sslcontext-kickstart.
Thanks. I use netty.
from sslcontext-kickstart.
Can you share how you are currently configuring SSLFactory and your Netty client with it and how you will be configuring netty with either the SSLEngine or SSLSocket? That would give me more context of your current setup
from sslcontext-kickstart.
Sorry for the late response.
SSLFactory.Builder sslFactoryBuilder = SSLFactory.builder().withDefaultTrustMaterial();
.......
SSLFactory sslFactory = sslFactoryBuilder.build();
SslContext sslContext = NettySslContextUtils.forClient(sslFactory).build();
HttpClient httpClient = HttpClient.create().secure(t -> t.sslContext(sslContext));
ClientHttpConnector httpConnector = new ReactorClientHttpConnector(httpClient);
return WebClient.builder().clientConnector(httpConnector);
from sslcontext-kickstart.
Related Issues (20)
- Dependency on bcpkix-jdk15on introduces vulnerability CVE-2023-33201 HOT 2
- Disable "Acceptable client certificate CA names" on MTLS client connect.
- Hostname verifier doesn't work with JDK Http Client HOT 4
- No available authentication scheme HOT 8
- Add Support For `withoutProtocols` + `withoutCiphers` HOT 3
- Question about Classic Configuration Migration HOT 18
- When using pem utils v8.2.0 dependency in android, Duplicate class error in org.bouncycastle HOT 3
- Loading the keystore takes a very long time in some rare cases HOT 9
- JDK9+ jdeps error HOT 6
- Implementing Dynamic SSL Pinning Using Base64 Encoded Server Certificate? HOT 6
- PKIX path building failed (client-side) when using certificates from Let's Encyrpt HOT 9
- aarch64 macOS runner support HOT 6
- FTPs - None of the TrustManagers trust this certificate chain HOT 3
- Loading of System-Certificates takes long or forever when USB-Token Software is installed. HOT 8
- Trust Anchor not found on Android HOT 10
- Remove too verbose logs when loading system certificates HOT 7
- LoggingX509ExtendedTrustManager should log CertificateException HOT 3
- Add abiilty to load JDK cacerts file HOT 6
- Is SSLFactory thread safe? HOT 2
- Remove `bouncycastle` deps for `sslcontext-kickstart-for-pem` HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from sslcontext-kickstart.