
Provide a way to disable cipher suites filtering


Expected behavior

There should be a way to have client side SslContext work against any website, regardless of security.

Actual behavior

Supported ciphers are filtered against a hard-coded whitelist (SslUtils#DEFAULT_CIPHER_SUITES).

I wonder if the whitelist way is a good thing. Wouldn’t it filter out modern ciphers that would be introduced in JDK updates? Properly maintaining this blacklist would require Netty core devs to frequently update it. Wouldn’t a blacklist work better: ban ciphers that are known as insecure?

Then, my core issue is that there’s no way to disable this security. On the client side, sometimes security is not the topmost priority and users just want things to work, all the more as they do work with all the other user agents around (browsers, curl, Apache HttpComponents). Typical examples are load tests and web crawlers.

Steps to reproduce

For example, it’s not possible to connect to “https://www.gretalr.com” with a JdkSslHandler while it’s possible with any other user agent I know of (reported against AHC as https://github.com/AsyncHttpClient/async-http-client/issues/1510).

Minimal yet complete reproducer code (or URL to code)

import io.netty.bootstrap.Bootstrap;
import io.netty.channel.Channel;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.EventLoopGroup;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.nio.NioSocketChannel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.SSLEngine;
import java.util.concurrent.CountDownLatch;

public class Reproducer {
  public static void main(String[] args) throws Exception {
    EventLoopGroup eventLoopGroup = new NioEventLoopGroup();
    // Default client context: enabled cipher suites are filtered by Netty's built-in whitelist
    final SslContext sslContext = SslContextBuilder.forClient().build();
    // Released once the TLS handshake has either succeeded or failed
    final CountDownLatch latch = new CountDownLatch(1);

    Bootstrap b = new Bootstrap()
            .group(eventLoopGroup)
            .channel(NioSocketChannel.class)
            .handler(new ChannelInitializer<NioSocketChannel>() {
              @Override
              protected void initChannel(NioSocketChannel nioSocketChannel) {
                // Engine bound to the peer host/port so SNI and endpoint checks apply
                SSLEngine sslEngine = sslContext.newEngine(nioSocketChannel.alloc(), "www.gretalr.com", 443);
                SslHandler sslHandler = new SslHandler(sslEngine);
                sslHandler.handshakeFuture().addListener(whenHandshaked -> {
                  if (whenHandshaked.isSuccess()) {
                    System.out.println("All good");
                  } else {
                    // With the filtered cipher list the handshake fails here
                    whenHandshaked.cause().printStackTrace();
                  }
                  latch.countDown();
                });
                nioSocketChannel.pipeline().addLast(sslHandler);
              }
            });
    Channel channel = b.connect("www.gretalr.com", 443).sync().channel();
    latch.await();
    channel.close();
    eventLoopGroup.shutdownGracefully();
  }
}

Note: I can connect fine if I create the SSLEngine from a javax.net.ssl.SSLContext instead.

Netty version

4.1.20.Final

JVM version (e.g. java -version)

1.8.0_152

OS version (e.g. uname -a)

not relevant
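The following diagnostic is an added example, not code from the issue or from Netty itself. It makes the filtering visible by comparing the cipher suites the JDK's default client context enables with those Netty's default SslContext keeps, and then builds a client context that delegates the cipher policy to the JDK (so the JDK's own jdk.tls.disabledAlgorithms property still governs what is offered) rather than switching TLS checks off. It assumes Netty's io.netty.handler.ssl package on the classpath; the class and method names are my own.

```java
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SupportedCipherSuiteFilter;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical diagnostic class; not part of Netty or of the issue.
public class CipherFilterDiagnostic {

  // Cipher suites the JDK's own default client context enables. This list
  // already honours the JDK security property jdk.tls.disabledAlgorithms.
  static List<String> jdkDefaultSuites() throws Exception {
    SSLEngine engine = SSLContext.getDefault().createSSLEngine();
    engine.setUseClientMode(true);
    return Arrays.asList(engine.getEnabledCipherSuites());
  }

  // Cipher suites Netty's default client SslContext enables after applying
  // its built-in whitelist.
  static List<String> nettyDefaultSuites() throws Exception {
    SslContext ctx = SslContextBuilder.forClient().build();
    return ctx.cipherSuites();
  }

  // Suites the JDK would offer but Netty's default whitelist drops.
  static List<String> droppedByNetty(List<String> jdk, List<String> netty) {
    List<String> dropped = new ArrayList<>(jdk);
    dropped.removeAll(netty);
    return dropped;
  }

  // A client context that follows the JDK's cipher policy instead of Netty's
  // whitelist: the requested list is the JDK's own enabled list, and
  // SupportedCipherSuiteFilter only removes names the engine cannot use at all.
  static SslContext jdkPolicyClientContext() throws Exception {
    return SslContextBuilder.forClient()
        .ciphers(jdkDefaultSuites(), SupportedCipherSuiteFilter.INSTANCE)
        .build();
  }

  public static void main(String[] args) throws Exception {
    List<String> jdk = jdkDefaultSuites();
    List<String> netty = nettyDefaultSuites();
    System.out.println("JDK enables   : " + jdk.size() + " suites");
    System.out.println("Netty enables : " + netty.size() + " suites");
    System.out.println("Dropped by Netty's whitelist:");
    for (String suite : droppedByNetty(jdk, netty)) {
      System.out.println("  " + suite);
    }
    SslContext relaxed = jdkPolicyClientContext();
    System.out.println("JDK-policy context enables: " + relaxed.cipherSuites().size() + " suites");
  }
}
```

Running the diagnostic against a given JDK shows exactly which suites the Netty whitelist removes, which is the information needed to decide whether a failing handshake is caused by the filter or by something else (certificate, protocol version). The jdkPolicyClientContext variant is an explicit, auditable cipher list rather than a global off switch: the allowed set is still the JDK's, and tightening the JDK security properties tightens it too.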

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Reactions: 1
  • Comments: 7 (7 by maintainers)

Top GitHub Comments

slandelle commented, Feb 1, 2018 (1 reaction)

Will do later tonight

normanmaurer commented, Feb 7, 2018 (0 reactions)
