Selected protocols in SslContextFactory#dump() and actual SSLContext inconsistent #5531
Comments
The default list of excluded protocols used in `HttpsConnectorFactory` wasn't working as expected. Jetty currently doesn't support using regular expressions for supported or excluded protocols. This only works for supported and excluded cipher suites as of Jetty 9.4.33.v20201020. The default list of excluded protocols now only contains valid and complete entries: SSLv3, TLSv1, and TLSv1.1 Refs jetty/jetty.project#5531 Fixes #3532
…3533) The default list of excluded protocols used in `HttpsConnectorFactory` wasn't working as expected. Jetty currently doesn't support using regular expressions for supported or excluded protocols. This only works for supported and excluded cipher suites as of Jetty 9.4.33.v20201020. The default list of excluded protocols now only contains valid and complete entries: SSLv3, TLSv1, and TLSv1.1 Refs jetty/jetty.project#5531 Fixes #3532 (cherry picked from commit 206e858)
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
That's an invalid test. You cannot use the dump THEN I added a testcase based on your report, it works as designed, and correctly.
Going to test this on a few different OS combinations now.
Results from OSX 10.15.7 Using AdoptOpenJDK 8u272 - PASS
Results from Windows 10 Using AdoptOpenJDK 8u272 - PASS
@joakime Thanks for checking this bug report!
I didn't find anything in the Javadoc about that: Would it make sense to throw an
Are you sure the test is working correctly? The assertion for "Confirm behavior in engine" is failing for me. Here's the minimal project to reproduce the issue: Test case: The only relevant difference is that I'm using AssertJ instead of Hamcrest matchers.

```java
// Imports and the enclosing test class were added to make the posted method compile;
// JUnit 4 is assumed for the @Test annotation.
import static org.assertj.core.api.Assertions.assertThat;

import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.junit.Test;

public class ExcludedProtocolsTest {
    @Test
    public void testDumpExcludedProtocols() throws Exception {
        SslContextFactory.Server cf = new SslContextFactory.Server();
        cf.setKeyStorePassword("storepwd");
        cf.setKeyManagerPassword("keypwd");
        // Mix of regular expressions and a literal name, as in the bug report
        cf.setExcludeProtocols("SSL.*", "TLSv1", "TLSv1\\.[01]");
        cf.start();
        // Confirm behavior in engine: the regex entries should have excluded TLSv1.1
        String[] enabledProtocols = cf.newSSLEngine().getEnabledProtocols();
        assertThat(enabledProtocols).doesNotContain("TLSv1.1");
    }
}
```

Failing output on Linux (Ubuntu 18.04.5), macOS 10.15.7, Windows (Windows Server 2019 10.0.17763) with Java (Azul Zulu) 1.8.0_272, 11.0.9, and 15.0.1: https://github.com/joschi/jetty-issue-5531-excluded-protocols/actions/runs/336689872
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
Wait a sec. First, and most "duh" moment of my own, is that Commit c969fba addresses both the bad usage of .setExcludeProtocols and the bad assertion.
@joakime Thanks for looking further into this!
That's what I tried to convey in my original post of this issue:
But great that this is going to be fixed. 😃
Opened PR #5538
Merged PR #5538 into
Jetty version
9.4.33.v20201020
Java version
OS type/version
macOS 10.15.7
Description
When a list of protocols used with or `SslContextFactory#excludeProtocols()` contains a regular expression, the respective protocols will be shown as excluded in the output of `SslContextFactory#dump()`, but they won't necessarily be excluded in the actual `SSLEngine` instance created by `SslContextFactory#newSSLEngine()`. The same is true for the inverse case when using `SslContextFactory#includeProtocols()`.

While the list of included/excluded ciphers is actually being processed to allow regular expressions (https://github.com/eclipse/jetty.project/blob/jetty-9.4.33.v20201020/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L1420-L1453), the list of included/excluded protocols is not processed in the same way.

`SslContextFactory#dump()` is passing the list of excluded protocols to `SslSelectionDump`: https://github.com/eclipse/jetty.project/blob/jetty-9.4.33.v20201020/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L420-L424

There, any regular expressions in the respective list will be compiled and matched against the list of supported protocols and removed accordingly, so that they appear to be excluded: https://github.com/eclipse/jetty.project/blob/jetty-9.4.33.v20201020/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslSelectionDump.java#L86-L102

Unfortunately, when the actual `SSLContext` is being configured, the list of excluded protocols is passed from `SslContextFactory` as-is to remove the protocols from the list of selected protocols of the `SSLContext`: https://github.com/eclipse/jetty.project/blob/jetty-9.4.33.v20201020/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L1377-L1378

This leads to a discrepancy between which enabled and disabled protocols are listed in the output of `SslContextFactory#dump()` and which protocols the `SSLContext` and `SSLEngine` actually support.

Example unit test and output
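The two code paths the report contrasts, modelled side by side as an added illustration (not code from the issue or from Jetty): a regex-expanding selection like the dump's, a literal-removal selection like the SSLContext configuration's, and a hypothetical startup check that flags exclusion entries which are not literal protocol names. The supported-protocol list is a constructed sample, and the matching semantics are an approximation of the linked Jetty sources rather than a copy of them.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

public class ProtocolSelectionDemo {
    // Constructed sample of what SSLEngine.getSupportedProtocols() might return on a JDK 8/11 build.
    static final String[] SUPPORTED = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"};
    // Exclusion list from the report: two regular expressions and one literal name.
    static final String[] EXCLUDE = {"SSL.*", "TLSv1", "TLSv1\\.[01]"};

    // Path 1, dump-style: each entry is compiled as a regex and matched against every
    // supported protocol, so "SSL.*" and "TLSv1\\.[01]" expand to concrete names.
    static Set<String> selectWithRegex(String[] supported, String[] exclude) {
        Set<String> selected = new LinkedHashSet<>(Arrays.asList(supported));
        for (String entry : exclude) {
            Pattern p = Pattern.compile(entry);
            selected.removeIf(proto -> p.matcher(proto).matches());
        }
        return selected;
    }

    // Path 2, engine-style: entries are removed as literal strings only, so the two
    // regexes match nothing and TLSv1.1 (plus SSLv3) remains enabled.
    static Set<String> selectLiteral(String[] supported, String[] exclude) {
        Set<String> selected = new LinkedHashSet<>(Arrays.asList(supported));
        selected.removeAll(Arrays.asList(exclude));
        return selected;
    }

    // Hypothetical startup check (not Jetty API): report every exclusion entry that is not
    // a literal supported protocol name, since only literals take effect on the engine.
    static List<String> nonLiteralEntries(String[] supported, String[] exclude) {
        Set<String> known = new LinkedHashSet<>(Arrays.asList(supported));
        List<String> bad = new ArrayList<>();
        for (String entry : exclude) {
            if (!known.contains(entry)) bad.add(entry);
        }
        return bad;
    }

    public static void main(String[] args) {
        System.out.println("dump-style selection  : " + selectWithRegex(SUPPORTED, EXCLUDE));
        System.out.println("engine-style selection: " + selectLiteral(SUPPORTED, EXCLUDE));
        System.out.println("non-literal entries   : " + nonLiteralEntries(SUPPORTED, EXCLUDE));
    }
}
```

Running it shows the dump-style set without TLSv1.1 while the engine-style set still contains it, which is exactly the gap the report describes; failing startup on a non-empty non-literal list is one way to keep the two views from diverging.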