diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8d116136..c70b0d33 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,9 @@
This list is not intended to be all-encompassing - it will document major and breaking API
changes with their rationale when appropriate:
+### v8.1.4
+- Bug-fix Filter out unsupported ciphers and protocols
+
### v8.1.3
- Added default hostname verifier in HostnameVerifierUtils
- Marked a method in HostnameVerifierUtils as deprecated
diff --git a/README.md b/README.md
index 0423e407..f550525a 100644
--- a/README.md
+++ b/README.md
@@ -23,25 +23,25 @@ Hey, hello there 👋 Welcome, I hope you will like this library ❤️ Feel fre
io.github.hakky54
sslcontext-kickstart
- 8.1.3
+ 8.1.4
```
### Install with Gradle
```groovy
-implementation 'io.github.hakky54:sslcontext-kickstart:8.1.3'
+implementation 'io.github.hakky54:sslcontext-kickstart:8.1.4'
```
### Install with Gradle Kotlin DSL
```kotlin
-implementation("io.github.hakky54:sslcontext-kickstart:8.1.3")
+implementation("io.github.hakky54:sslcontext-kickstart:8.1.4")
```
### Install with Scala SBT
```
-libraryDependencies += "io.github.hakky54" % "sslcontext-kickstart" % "8.1.3"
+libraryDependencies += "io.github.hakky54" % "sslcontext-kickstart" % "8.1.4"
```
### Install with Apache Ivy
```xml
-
+
```
## Table of contents
@@ -712,7 +712,7 @@ Add the dependency below to use this feature, it also includes the core features
io.github.hakky54
sslcontext-kickstart-for-pem
- 8.1.3
+ 8.1.4
```
##### Loading pem files from the classpath
@@ -1067,7 +1067,7 @@ Some know http clients which relay on netty libraries are: [Spring WebFlux WebCl
io.github.hakky54
sslcontext-kickstart-for-netty
- 8.1.3
+ 8.1.4
```
Example setup for Spring WebClient with Netty:
@@ -1105,7 +1105,7 @@ public class App {
io.github.hakky54
sslcontext-kickstart-for-jetty
- 8.1.3
+ 8.1.4
```
Example setup for [Spring WebFlux WebClient Jetty](https://docs.spring.io/spring/docs/current/spring-framework-reference/web-reactive.html):
@@ -1143,7 +1143,7 @@ However it is still possible to configure the http client with their custom conf
io.github.hakky54
sslcontext-kickstart-for-apache4
- 8.1.3
+ 8.1.4
```
```java
@@ -1174,7 +1174,7 @@ public class App {
io.github.hakky54
sslcontext-kickstart-for-apache5
- 8.1.3
+ 8.1.4
```
```java
diff --git a/sslcontext-kickstart/src/main/java/nl/altindag/ssl/SSLFactory.java b/sslcontext-kickstart/src/main/java/nl/altindag/ssl/SSLFactory.java
index 687cf843..4868f2ec 100644
--- a/sslcontext-kickstart/src/main/java/nl/altindag/ssl/SSLFactory.java
+++ b/sslcontext-kickstart/src/main/java/nl/altindag/ssl/SSLFactory.java
@@ -846,9 +846,7 @@ public SSLFactory build() {
SSLSessionUtils.updateSessionCacheSize(baseSslContext, sessionCacheSizeInBytes);
}
- sslParameters.setCipherSuites(ciphers.isEmpty() ? null : ciphers.stream().distinct().toArray(String[]::new));
- sslParameters.setProtocols(protocols.isEmpty() ? null : protocols.stream().distinct().toArray(String[]::new));
- SSLParameters baseSslParameters = SSLParametersUtils.merge(sslParameters, baseSslContext.getDefaultSSLParameters());
+ SSLParameters baseSslParameters = createSslParameters(baseSslContext);
SSLContext sslContext = new FenixSSLContext(baseSslContext, baseSslParameters);
HostnameVerifier hostnameVerifier = Optional.ofNullable(hostnameVerifierEnhancer)
@@ -901,5 +899,35 @@ private X509ExtendedTrustManager createTrustManager() {
.build();
}
+ private SSLParameters createSslParameters(SSLContext sslContext) {
+ SSLParameters defaultSSLParameters = sslContext.getDefaultSSLParameters();
+ List defaultCiphers = Arrays.asList(defaultSSLParameters.getCipherSuites());
+ List defaultProtocols = Arrays.asList(defaultSSLParameters.getProtocols());
+
+ List preferredCiphers = ciphers.stream()
+ .distinct()
+ .filter(defaultCiphers::contains)
+ .collect(Collectors.toList());
+
+ if (preferredCiphers.isEmpty()) {
+ sslParameters.setCipherSuites(defaultCiphers.stream().toArray(String[]::new));
+ } else {
+ sslParameters.setCipherSuites(preferredCiphers.stream().toArray(String[]::new));
+ }
+
+ List preferredProtocols = protocols.stream()
+ .distinct()
+ .filter(defaultProtocols::contains)
+ .collect(Collectors.toList());
+
+ if (preferredProtocols.isEmpty()) {
+ sslParameters.setProtocols(defaultProtocols.stream().toArray(String[]::new));
+ } else {
+ sslParameters.setProtocols(preferredProtocols.stream().toArray(String[]::new));
+ }
+
+ return SSLParametersUtils.merge(sslParameters, defaultSSLParameters);
+ }
+
}
}
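Review bot: The fallback branches at L106-107 and L117-118 fail open: when every configured cipher (or protocol) is dropped by the filter — a typo in a hardened list, or a suite the running JDK does not enable — `build()` silently replaces the caller's list with the full JDK default set, so the hardening intent is lost without any signal. Distinguish "nothing configured" from "everything filtered out" and reject the latter, e.g. `if (preferredCiphers.isEmpty() && !ciphers.isEmpty()) throw new IllegalArgumentException("None of the configured ciphers is supported by this SSLContext: " + ciphers);` (or the library's own exception type), and mirror it for protocols; at minimum log a warning naming the dropped entries. Note also that the filter uses `getDefaultSSLParameters()` rather than `getSupportedSSLParameters()`, so a suite or protocol the JDK supports but does not enable by default is discarded even when the caller explicitly asked for it; if that is deliberate, say so in a comment such as `// only default-enabled suites/protocols are honoured; supported-but-disabled ones are intentionally dropped`, otherwise filter against the supported set. The method also mutates the builder field `sslParameters` as a side effect, which is worth a comment since it makes repeated `build()` calls on the same builder order-dependent.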
diff --git a/sslcontext-kickstart/src/test/java/nl/altindag/ssl/SSLFactoryShould.java b/sslcontext-kickstart/src/test/java/nl/altindag/ssl/SSLFactoryShould.java
index 393080a2..8bb9cbc3 100644
--- a/sslcontext-kickstart/src/test/java/nl/altindag/ssl/SSLFactoryShould.java
+++ b/sslcontext-kickstart/src/test/java/nl/altindag/ssl/SSLFactoryShould.java
@@ -1340,14 +1340,14 @@ void buildSSLFactoryWithSystemPropertyDerivedIdentityAndTrustMaterialWithSecurit
@Test
void buildSSLFactoryWithSystemPropertyDerivedProtocol() {
String propertyName = "https.protocols";
- System.setProperty(propertyName, "TLSv1.2, ,TLSv1.1");
+ System.setProperty(propertyName, "TLSv1.2, ");
SSLFactory sslFactory = SSLFactory.builder()
.withDefaultTrustMaterial()
.withSystemPropertyDerivedProtocols()
.build();
- assertThat(sslFactory.getProtocols()).containsExactly("TLSv1.2", "TLSv1.1");
+ assertThat(sslFactory.getProtocols()).containsExactly("TLSv1.2");
System.clearProperty(propertyName);
}
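Review bot: Dropping `TLSv1.1` from the property value at L137 removes the only input that exercised the new filtering, so this test now only shows that a blank entry is skipped and nothing asserts that an unsupported protocol is actually filtered out. Keep a value that the JDK will not enable — preferably a clearly bogus name rather than `TLSv1.1`, whose default-enabled status varies by JDK release — e.g. `System.setProperty(propertyName, "TLSv1.2, ,TLSvBogus");` and keep `assertThat(sslFactory.getProtocols()).containsExactly("TLSv1.2");`, so the assertion proves the filter removed it. A second test covering the all-filtered case (every configured protocol unsupported) would pin down whatever behaviour is intended there, since the current implementation appears to fall back to the JDK defaults silently.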
@@ -1554,14 +1554,14 @@ void returnSpecifiedCiphersAndProtocolsWithinSslParameters() {
SSLFactory sslFactory = SSLFactory.builder()
.withDefaultTrustMaterial()
.withCiphers("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384")
- .withProtocols("TLSv1.2", "TLSv1.1")
+ .withProtocols("TLSv1.2")
.build();
assertThat(sslFactory.getSslContext()).isNotNull();
assertThat(sslFactory.getSslParameters().getCipherSuites())
.containsExactlyInAnyOrder("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384");
assertThat(sslFactory.getSslParameters().getProtocols())
- .containsExactlyInAnyOrder("TLSv1.2", "TLSv1.1");
+ .contains("TLSv1.2");
assertThat(sslFactory.getSslParameters())
.isNotEqualTo(sslFactory.getSslContext().getDefaultSSLParameters());
}
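Review bot: Weakening the protocol assertion to `contains("TLSv1.2")` at L158 means this test would also pass if the new fallback-to-defaults branch had kicked in and enabled every default protocol, which is exactly the regression a test named "returnSpecified…" should catch. Since the filter now guarantees the result is a subset of the configured list, `containsExactly("TLSv1.2")` is deterministic on any JDK where TLSv1.2 is default-enabled and should be used instead. The final `isNotEqualTo(sslFactory.getSslContext().getDefaultSSLParameters())` on L159-160 is pre-existing but, as far as I know, `SSLParameters` does not override `equals`, so it compares references and cannot fail; asserting on `getCipherSuites()`/`getProtocols()` of the default parameters would be meaningful. The enclosing test method's signature is on the hunk header line, outside the hunk body.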
@@ -1580,11 +1580,11 @@ void returnDefaultProtocolsWhenNoneSpecified() {
void returnSpecifiedProtocols() {
SSLFactory sslFactory = SSLFactory.builder()
.withDefaultTrustMaterial()
- .withProtocols("TLSv1.2", "TLSv1.1")
+ .withProtocols("TLSv1.2")
.build();
assertThat(sslFactory.getSslContext()).isNotNull();
- assertThat(sslFactory.getProtocols()).containsExactlyInAnyOrder("TLSv1.2", "TLSv1.1");
+ assertThat(sslFactory.getProtocols()).contains("TLSv1.2");
}
@Test