Custom cipher list with BoringSSL breaks in 4.1.31.Final
See original GitHub issueExpected behavior
TLS continues to work in 4.1.31.Final when providing an explicit list of ciphers via SslContextBuilder.ciphers(...)
.
Actual behavior
After upgrading, my SslContextBuilder.build()
throws:
Caused by: java.lang.IllegalArgumentException: unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(ECDHE-ECDSA-AES256-SHA384)
at io.netty.handler.ssl.CipherSuiteConverter.convertToCipherStrings(CipherSuiteConverter.java:418)
at io.netty.handler.ssl.ReferenceCountedOpenSslContext.<init>(ReferenceCountedOpenSslContext.java:252)
... 34 more
It looks like this is due to changes in #8293, in particular this check in CipherSuiteConverter.convertToCipherStrings()
which throws if false. Should it just continue
instead of throwing so that the current cipherSuite is excluded from the lists being built (since a later cipher in the list may be available)? I verified that it works as before with this modification.
Minimal yet complete reproducer code (or URL to code)
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(null,null);
String[] ciphers = ((SSLSocketFactory)SSLSocketFactory.getDefault()).getDefaultCipherSuites();
SslContextBuilder.forServer(kmf).sslProvider(SslProvider.OPENSSL)
.ciphers(Arrays.asList(ciphers)).build();
Netty version
4.1.31.Final
JVM version (e.g. java -version
)
java version "1.8.0_181"
Java(TM) SE Runtime Environment (build 1.8.0_181-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.181-b13, mixed mode)
OS version (e.g. uname -a
)
Linux 3.10.0-862.14.4.el7.x86_64
Issue Analytics
- State:
- Created 5 years ago
- Comments:7 (7 by maintainers)
Top Results From Across the Web
Index (Netty API Reference (4.1.41.Final)) - Javadoc.io
Create a new AbstractBinaryMemcacheDecoder with custom settings. ... Returns all the available cipher suites (Java-style).
Read more >Changelog — Finagle 22.4.0 documentation
createClientContext and c.t.f.n.ssl.server.Netty4ServerSslConfigurations.createServerContext now create contexts using the provided cipher suites.
Read more >CVE - Search Results - MITRE
The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.
Read more >CVE's linked by bid - CVE-Search
ID CVSS Last (major) update Published
CVE‑2014‑0160 5.0 15‑11‑2022 ‑ 21:15 07‑04‑2014 ‑ 22:55
CVE‑2014‑3166 4.3 10‑11‑2022 ‑ 17:55 13‑08‑2014 ‑ 04:57
CVE‑2017‑10355 5.0 06‑10‑2022 ‑...
Read more >Download Patch File
files/patch-chrome_common_pref__names.cc | 12 +- . ... Final.jar -%%DATADIR%%/plugins/Docker/lib/rt/netty-codec-4.1.31.
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
As discussed works as expected
Thanks @normanmaurer and sorry for leaving you hanging, I was debugging late and open this right before I fell asleep 😃
To answer your questions - yes it worked before with openssl (boringssl) and still works with the JDK provider (since the ciphers are valid in that case).
Now I understand more what’s going on I agree the new behaviour seems reasonable, however my code actually does this:
So the difference now is that the cipher suite list needs to be tailored depending on the provider type provided, rather than having the builder choose the valid subset in each case. This sounds fine to me, since I guess like you said it will catch unsupported ones earlier in the case they are included unintentionally.