Provide a way to disable cipher suites filtering
Expected behavior
There should be a way to have a client side SslContext work against any website, regardless of security.
Actual behavior
Supported ciphers are filtered against a hard coded whitelist (SslUtils#DEFAULT_CIPHER_SUITES).
I wonder if the whitelist way is a good thing. Wouldn’t it filter out modern ciphers that would be introduced in JDK updates? Properly maintaining this blacklist would require Netty core devs to frequently update it. Wouldn’t a blacklist work better: ban ciphers that are known as insecure?
Then, my core issue is that there’s no way to disable this security. On the client side, sometimes security is not the topmost priority and users just want things to work, all the more as they do work with all the other user agents around (browsers, curl, Apache HttpComponents). Typical examples are load tests and web crawlers.
Steps to reproduce
For example, it’s not possible to connect to “https://www.gretalr.com” with a JdkSslHandler, while it’s possible with any other user agent I know of (reported against AHC as https://github.com/AsyncHttpClient/async-http-client/issues/1510).
Minimal yet complete reproducer code (or URL to code)
import io.netty.bootstrap.Bootstrap;
import io.netty.channel.Channel;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.EventLoopGroup;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.nio.NioSocketChannel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.SSLEngine;
import java.util.concurrent.CountDownLatch;

public class Reproducer {
    public static void main(String[] args) throws Exception {
        EventLoopGroup eventLoopGroup = new NioEventLoopGroup();
        // Default client context: enabled ciphers are filtered against SslUtils#DEFAULT_CIPHER_SUITES
        final SslContext sslContext = SslContextBuilder.forClient().build();
        final CountDownLatch latch = new CountDownLatch(1);
        Bootstrap b = new Bootstrap()
                .group(eventLoopGroup)
                .channel(NioSocketChannel.class)
                .handler(new ChannelInitializer<NioSocketChannel>() {
                    @Override
                    protected void initChannel(NioSocketChannel nioSocketChannel) {
                        SSLEngine sslEngine = sslContext.newEngine(nioSocketChannel.alloc(), "www.gretalr.com", 443);
                        SslHandler sslHandler = new SslHandler(sslEngine);
                        // Report the handshake outcome, then release the waiting main thread
                        sslHandler.handshakeFuture().addListener(whenHandshaked -> {
                            if (whenHandshaked.isSuccess()) {
                                System.out.println("All good");
                            } else {
                                whenHandshaked.cause().printStackTrace();
                            }
                            latch.countDown();
                        });
                        nioSocketChannel.pipeline().addLast(sslHandler);
                    }
                });
        Channel channel = b.connect("www.gretalr.com", 443).sync().channel();
        latch.await();
        channel.close();
        eventLoopGroup.shutdownGracefully();
    }
}
Note: I can connect fine if I create the SSLEngine from a javax.net.ssl.SSLContext instead.
Netty version
4.1.20.Final
JVM version (e.g. java -version)
1.8.0_152
OS version (e.g. uname -a)
not relevant
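An added diagnostic, not part of this issue or of Netty's own code: it lists which suites the JDK enables by default but Netty's default JDK client context filters out, and builds a context that keeps an explicit suite list unfiltered via IdentityCipherSuiteFilter.INSTANCE. It assumes Netty 4.1 (JDK provider) on the classpath; the class and method names are mine.

```java
import io.netty.handler.ssl.IdentityCipherSuiteFilter;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

public class CipherFilterDiagnostics {

    /** Suites the plain JDK enables by default on a client-mode engine. */
    static Set<String> jdkDefaultCiphers() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        return new LinkedHashSet<>(Arrays.asList(engine.getEnabledCipherSuites()));
    }

    /** Suites that survive Netty's default whitelist filter for a JDK client context. */
    static Set<String> nettyDefaultCiphers() throws Exception {
        SslContext ctx = SslContextBuilder.forClient().sslProvider(SslProvider.JDK).build();
        return new LinkedHashSet<>(ctx.cipherSuites());
    }

    /** Client context that enables exactly the given suites, with no whitelist applied. */
    static SslContext unfilteredClientContext(Set<String> ciphers) throws Exception {
        return SslContextBuilder.forClient()
                .sslProvider(SslProvider.JDK)
                .ciphers(ciphers, IdentityCipherSuiteFilter.INSTANCE)
                .build();
    }

    public static void main(String[] args) throws Exception {
        Set<String> jdk = jdkDefaultCiphers();
        Set<String> netty = nettyDefaultCiphers();
        // Set difference: enabled by the JDK, dropped by Netty's whitelist
        Set<String> dropped = new LinkedHashSet<>(jdk);
        dropped.removeAll(netty);
        System.out.println("Suites the JDK enables but Netty's whitelist drops:");
        dropped.forEach(s -> System.out.println("  " + s));
        SslContext unfiltered = unfilteredClientContext(jdk);
        System.out.println("Unfiltered context offers " + unfiltered.cipherSuites().size() + " suites");
    }
}
```

Match the dropped list against the suite the failing server actually negotiates before widening anything; adding only that one suite to the explicit list keeps the rest of the default whitelist in force.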
Top GitHub Comments
Will do later tonight
Fixed by https://github.com/netty/netty/pull/7691