From 6d4e94b3b7260d54625172ef7a0222921e76c97f Mon Sep 17 00:00:00 2001 From: Hakky54 Date: Fri, 21 Jul 2023 00:53:51 +0200 Subject: [PATCH] Added option to filter out not supported ciphers and protocols --- CHANGELOG.md | 3 ++ README.md | 20 +++++------ .../main/java/nl/altindag/ssl/SSLFactory.java | 34 +++++++++++++++++-- .../nl/altindag/ssl/SSLFactoryShould.java | 12 +++---- 4 files changed, 50 insertions(+), 19 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8d116136..c70b0d33 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,9 @@ This list is not intended to be all-encompassing - it will document major and breaking API changes with their rationale when appropriate: +### v8.1.4 +- Bug-fix Filter out unsupported ciphers and protocols + ### v8.1.3 - Added default hostname verifier in HostnameVerifierUtils - Marked a method in HostnameVerifierUtils as deprecated diff --git a/README.md b/README.md index 0423e407..f550525a 100644 --- a/README.md +++ b/README.md @@ -23,25 +23,25 @@ Hey, hello there 👋 Welcome, I hope you will like this library ❤️ Feel fre io.github.hakky54 sslcontext-kickstart - 8.1.3 + 8.1.4 ``` ### Install with Gradle ```groovy -implementation 'io.github.hakky54:sslcontext-kickstart:8.1.3' +implementation 'io.github.hakky54:sslcontext-kickstart:8.1.4' ``` ### Install with Gradle Kotlin DSL ```kotlin -implementation("io.github.hakky54:sslcontext-kickstart:8.1.3") +implementation("io.github.hakky54:sslcontext-kickstart:8.1.4") ``` ### Install with Scala SBT ``` -libraryDependencies += "io.github.hakky54" % "sslcontext-kickstart" % "8.1.3" +libraryDependencies += "io.github.hakky54" % "sslcontext-kickstart" % "8.1.4" ``` ### Install with Apache Ivy ```xml - + ``` ## Table of contents @@ -712,7 +712,7 @@ Add the dependency below to use this feature, it also includes the core features io.github.hakky54 sslcontext-kickstart-for-pem - 8.1.3 + 8.1.4 ``` ##### Loading pem files from the classpath 
@@ -1067,7 +1067,7 @@ Some know http clients which relay on netty libraries are: [Spring WebFlux WebCl io.github.hakky54 sslcontext-kickstart-for-netty - 8.1.3 + 8.1.4 ``` Example setup for Spring WebClient with Netty:
@@ -1105,7 +1105,7 @@ public class App { io.github.hakky54 sslcontext-kickstart-for-jetty - 8.1.3 + 8.1.4 ``` Example setup for [Spring WebFlux WebClient Jetty](https://docs.spring.io/spring/docs/current/spring-framework-reference/web-reactive.html):
@@ -1143,7 +1143,7 @@ However it is still possible to configure the http client with their custom conf io.github.hakky54 sslcontext-kickstart-for-apache4 - 8.1.3 + 8.1.4 ``` ```java
@@ -1174,7 +1174,7 @@ public class App { io.github.hakky54 sslcontext-kickstart-for-apache5 - 8.1.3 + 8.1.4 ``` ```java
diff --git a/sslcontext-kickstart/src/main/java/nl/altindag/ssl/SSLFactory.java b/sslcontext-kickstart/src/main/java/nl/altindag/ssl/SSLFactory.java
index 687cf843..4868f2ec 100644
--- a/sslcontext-kickstart/src/main/java/nl/altindag/ssl/SSLFactory.java
+++ b/sslcontext-kickstart/src/main/java/nl/altindag/ssl/SSLFactory.java
@@ -846,9 +846,7 @@ public SSLFactory build() {
SSLSessionUtils.updateSessionCacheSize(baseSslContext, sessionCacheSizeInBytes);
}
- sslParameters.setCipherSuites(ciphers.isEmpty() ? null : ciphers.stream().distinct().toArray(String[]::new));
- sslParameters.setProtocols(protocols.isEmpty() ? null : protocols.stream().distinct().toArray(String[]::new));
- SSLParameters baseSslParameters = SSLParametersUtils.merge(sslParameters, baseSslContext.getDefaultSSLParameters());
+ SSLParameters baseSslParameters = createSslParameters(baseSslContext);
SSLContext sslContext = new FenixSSLContext(baseSslContext, baseSslParameters);
HostnameVerifier hostnameVerifier = Optional.ofNullable(hostnameVerifierEnhancer)
@@ -901,5 +899,35 @@ private X509ExtendedTrustManager createTrustManager() {
.build();
}
+ private SSLParameters createSslParameters(SSLContext sslContext) {
+ SSLParameters defaultSSLParameters = sslContext.getDefaultSSLParameters();
+ List defaultCiphers = Arrays.asList(defaultSSLParameters.getCipherSuites());
+ List defaultProtocols = Arrays.asList(defaultSSLParameters.getProtocols());
+
+ List preferredCiphers = ciphers.stream()
+ .distinct()
+ .filter(defaultCiphers::contains)
+ .collect(Collectors.toList());
+
+ if (preferredCiphers.isEmpty()) {
+ sslParameters.setCipherSuites(defaultCiphers.stream().toArray(String[]::new));
+ } else {
+ sslParameters.setCipherSuites(preferredCiphers.stream().toArray(String[]::new));
+ }
+
+ List preferredProtocols = protocols.stream()
+ .distinct()
+ .filter(defaultProtocols::contains)
+ .collect(Collectors.toList());
+
+ if (preferredProtocols.isEmpty()) {
+ sslParameters.setProtocols(defaultProtocols.stream().toArray(String[]::new));
+ } else {
+ sslParameters.setProtocols(preferredProtocols.stream().toArray(String[]::new));
+ }
+
+ return SSLParametersUtils.merge(sslParameters, defaultSSLParameters);
+ }
+
}
}
diff --git a/sslcontext-kickstart/src/test/java/nl/altindag/ssl/SSLFactoryShould.java b/sslcontext-kickstart/src/test/java/nl/altindag/ssl/SSLFactoryShould.java
index 393080a2..8bb9cbc3 100644
--- a/sslcontext-kickstart/src/test/java/nl/altindag/ssl/SSLFactoryShould.java
+++ b/sslcontext-kickstart/src/test/java/nl/altindag/ssl/SSLFactoryShould.java
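Review bot: In createSslParameters the `if (preferredCiphers.isEmpty())` fallback, and the identical one for protocols, cannot distinguish "nothing was configured" from "everything configured was filtered out", so a misspelled or unavailable cipher/protocol list silently widens the enabled set to the full JDK defaults instead of failing — the opposite of what a caller restricting the handshake expects. The fallback should apply only when the configured list was empty to begin with, and an entirely-unsupported configuration should throw (or at the very least be logged together with the names that were dropped), as sketched below. Separately, the allow-list is `getDefaultSSLParameters()` rather than `getSupportedSSLParameters()`, so a suite or protocol the runtime supports but does not enable by default can never be selected; if that is intended (it presumably also keeps algorithms excluded via `jdk.tls.disabledAlgorithms` from being re-enabled), record it in a comment such as `// Only names present in the JDK default parameters are accepted; supported-but-disabled algorithms are deliberately not re-enabled.` Minor: `defaultCiphers.stream().toArray(String[]::new)` is just `defaultCiphers.toArray(new String[0])`, and the `List` declarations appear here without a type argument — if that is not a rendering artefact they should be `List<String>`. The enclosing Builder class starts outside the hunk.
```java
// … unchanged: defaultSSLParameters, defaultCiphers, defaultProtocols and the filtered preferredCiphers list …
// Fail closed: a configured list that is entirely unsupported must not silently widen to the JDK defaults.
if (!ciphers.isEmpty() && preferredCiphers.isEmpty()) {
    throw new IllegalArgumentException("None of the configured ciphers are supported by the SSLContext: " + ciphers);
}
sslParameters.setCipherSuites(preferredCiphers.isEmpty()
        ? defaultCiphers.toArray(new String[0])
        : preferredCiphers.toArray(new String[0]));
// … unchanged: filtered preferredProtocols list …
if (!protocols.isEmpty() && preferredProtocols.isEmpty()) {
    throw new IllegalArgumentException("None of the configured protocols are supported by the SSLContext: " + protocols);
}
sslParameters.setProtocols(preferredProtocols.isEmpty()
        ? defaultProtocols.toArray(new String[0])
        : preferredProtocols.toArray(new String[0]));
// … unchanged: merge with defaultSSLParameters and return …
```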
@@ -1340,14 +1340,14 @@ void buildSSLFactoryWithSystemPropertyDerivedIdentityAndTrustMaterialWithSecurit
@Test
void buildSSLFactoryWithSystemPropertyDerivedProtocol() {
String propertyName = "https.protocols";
- System.setProperty(propertyName, "TLSv1.2, ,TLSv1.1");
+ System.setProperty(propertyName, "TLSv1.2, ");
SSLFactory sslFactory = SSLFactory.builder()
.withDefaultTrustMaterial()
.withSystemPropertyDerivedProtocols()
.build();
- assertThat(sslFactory.getProtocols()).containsExactly("TLSv1.2", "TLSv1.1");
+ assertThat(sslFactory.getProtocols()).containsExactly("TLSv1.2");
System.clearProperty(propertyName);
}
@@ -1554,14 +1554,14 @@ void returnSpecifiedCiphersAndProtocolsWithinSslParameters() {
SSLFactory sslFactory = SSLFactory.builder()
.withDefaultTrustMaterial()
.withCiphers("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384")
- .withProtocols("TLSv1.2", "TLSv1.1")
+ .withProtocols("TLSv1.2")
.build();
assertThat(sslFactory.getSslContext()).isNotNull();
assertThat(sslFactory.getSslParameters().getCipherSuites())
.containsExactlyInAnyOrder("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384");
assertThat(sslFactory.getSslParameters().getProtocols())
- .containsExactlyInAnyOrder("TLSv1.2", "TLSv1.1");
+ .contains("TLSv1.2");
assertThat(sslFactory.getSslParameters())
.isNotEqualTo(sslFactory.getSslContext().getDefaultSSLParameters());
}
@@ -1580,11 +1580,11 @@ void returnDefaultProtocolsWhenNoneSpecified() {
void returnSpecifiedProtocols() {
SSLFactory sslFactory = SSLFactory.builder()
.withDefaultTrustMaterial()
- .withProtocols("TLSv1.2", "TLSv1.1")
+ .withProtocols("TLSv1.2")
.build();
assertThat(sslFactory.getSslContext()).isNotNull();
- assertThat(sslFactory.getProtocols()).containsExactlyInAnyOrder("TLSv1.2", "TLSv1.1");
+ assertThat(sslFactory.getProtocols()).contains("TLSv1.2");
}
@Test
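Review bot: The assertion on getProtocols() in returnSpecifiedCiphersAndProtocolsWithinSslParameters was relaxed from containsExactlyInAnyOrder to `.contains("TLSv1.2");`, and returnSpecifiedProtocols in the following hunk got the same relaxation, so neither test any longer proves that only the configured protocol is enabled — a regression that re-enables the full default protocol set would pass both. Since the configured value is a single protocol that the JDK enables by default, `containsExactly("TLSv1.2")` should still hold and is what the test names promise. The new filtering behaviour itself has no test: add one that configures a cipher or protocol name absent from `getDefaultSSLParameters()` next to a valid one and asserts the unsupported entry is not present, and one that configures only unsupported names so the intended outcome of that edge case (fallback or failure) is pinned rather than implicit.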