Revert "Replace invalid default excludedProtocols in HttpsConnectorFa…

…ctory" (#3579) Jetty 9.4.34.v20201102 added support for regular expressions in included/excluded protocols. https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.34.v20201102 Refs #3533 Refs jetty/jetty.project#5535 This partially reverts commit 206e858. (cherry picked from commit cf2230d)
dropwizard · Nov 26, 2020 · 083fed8 · 083fed8
1 parent 13177e4
commit 083fed8
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 9 deletions.
diff --git a/docs/source/manual/configuration.rst b/docs/source/manual/configuration.rst
@@ -470,8 +470,8 @@ validatePeers                    false                            Whether or not
                                                                   implemented.
 supportedProtocols               (none)                           A list of protocols (e.g., ``SSLv3``, ``TLSv1``) which are supported. All
                                                                   other protocols will be refused.
-excludedProtocols                ["SSLv2Hello", "SSLv3",          A list of protocols (e.g., ``SSLv3``, ``TLSv1``) which are excluded. These
-                                  "TLSv1", "TLSv1.1"]             protocols will be refused.
+excludedProtocols                ["SSL.*", "TLSv1", "TLSv1\\.1"]  A list of protocols (e.g., ``SSLv3``, ``TLSv1``) which are excluded. These
+                                                                  protocols will be refused.
 supportedCipherSuites            (none)                           A list of cipher suites (e.g., ``TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256``) which
                                                                   are supported. All other cipher suites will be refused.
 excludedCipherSuites             (none)                           A list of cipher suites (e.g., ``TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256``) which

diff --git a/dropwizard-jetty/src/main/java/io/dropwizard/jetty/HttpsConnectorFactory.java b/dropwizard-jetty/src/main/java/io/dropwizard/jetty/HttpsConnectorFactory.java
@@ -182,7 +182,7 @@
  *     </tr>
  *     <tr>
  *         <td>{@code excludedProtocols}</td>
- *         <td>["SSLv3", "TLSv1", "TLSv1.1"]</td>
+ *         <td>["SSL.*", "TLSv1", "TLSv1\.1"]</td>
  *         <td>
  *             A list of protocols (e.g., {@code SSLv3}, {@code TLSv1}) which are excluded. These
  *             protocols will be refused.
@@ -287,7 +287,7 @@ public class HttpsConnectorFactory extends HttpConnectorFactory {
     private List<String> supportedProtocols;
 
     @Nullable
-    private List<String> excludedProtocols = Arrays.asList("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1");
+    private List<String> excludedProtocols = Arrays.asList("SSL.*", "TLSv1", "TLSv1\\.1");
 
     @Nullable
     private List<String> supportedCipherSuites;

diff --git a/dropwizard-jetty/src/test/java/io/dropwizard/jetty/HttpsConnectorFactoryTest.java b/dropwizard-jetty/src/test/java/io/dropwizard/jetty/HttpsConnectorFactoryTest.java
@@ -90,27 +90,89 @@ void testParsingConfiguration() throws Exception {
     }
 
     @Test
-    void testSupportedProtocols() {
-        List<String> supportedProtocols = Arrays.asList("SSLv3", "TLS1");
+    void testSupportedProtocols() throws Exception {
+        List<String> supportedProtocols = Arrays.asList("SSLv3", "TLSv1");
 
         HttpsConnectorFactory factory = new HttpsConnectorFactory();
         factory.setKeyStorePassword("password"); // necessary to avoid a prompt for a password
         factory.setSupportedProtocols(supportedProtocols);
+        factory.setExcludedProtocols(Collections.emptyList());
 
         SslContextFactory sslContextFactory = factory.configureSslContextFactory(new SslContextFactory.Server());
         assertThat(Arrays.asList(sslContextFactory.getIncludeProtocols())).isEqualTo(supportedProtocols);
+
+        sslContextFactory.start();
+        try {
+            assertThat(sslContextFactory.newSSLEngine().getEnabledProtocols())
+                .containsExactlyElementsOf(supportedProtocols);
+        } finally {
+            sslContextFactory.stop();
+        }
+    }
+
+    @Test
+    void testSupportedProtocolsWithWildcards() throws Exception {
+        List<String> supportedProtocols = Arrays.asList("SSL.*", "TLSv1\\.[01]");
+
+        HttpsConnectorFactory factory = new HttpsConnectorFactory();
+        factory.setKeyStorePassword("password"); // necessary to avoid a prompt for a password
+        factory.setSupportedProtocols(supportedProtocols);
+        factory.setExcludedProtocols(Collections.emptyList());
+
+        SslContextFactory sslContextFactory = factory.configureSslContextFactory(new SslContextFactory.Server());
+        assertThat(Arrays.asList(sslContextFactory.getIncludeProtocols())).isEqualTo(supportedProtocols);
+
+        sslContextFactory.start();
+        try {
+            assertThat(sslContextFactory.newSSLEngine().getEnabledProtocols())
+                .contains("SSLv3", "TLSv1.1")
+                .doesNotContain("TLSv1.2", "TLSv1.3");
+        } finally {
+            sslContextFactory.stop();
+        }
     }
 
     @Test
-    void testExcludedProtocols() {
-        List<String> excludedProtocols = Arrays.asList("SSLv3", "TLS1");
+    void testExcludedProtocols() throws Exception {
+        List<String> excludedProtocols = Arrays.asList("SSLv3", "TLSv1");
 
         HttpsConnectorFactory factory = new HttpsConnectorFactory();
         factory.setKeyStorePassword("password"); // necessary to avoid a prompt for a password
         factory.setExcludedProtocols(excludedProtocols);
 
         SslContextFactory sslContextFactory = factory.configureSslContextFactory(new SslContextFactory.Server());
         assertThat(Arrays.asList(sslContextFactory.getExcludeProtocols())).isEqualTo(excludedProtocols);
+
+        sslContextFactory.start();
+        try {
+            assertThat(sslContextFactory.newSSLEngine().getEnabledProtocols())
+                .contains("TLSv1.1", "TLSv1.2")
+                .doesNotContain("SSLv3", "TLSv1");
+        } finally {
+            sslContextFactory.stop();
+        }
+    }
+
+    @Test
+    void testExcludedProtocolsWithWildcards() throws Exception {
+        List<String> excludedProtocols = Arrays.asList("SSL.*", "TLSv1(\\.[01])?");
+
+        HttpsConnectorFactory factory = new HttpsConnectorFactory();
+        factory.setKeyStorePassword("password"); // necessary to avoid a prompt for a password
+        factory.setExcludedProtocols(excludedProtocols);
+
+        SslContextFactory sslContextFactory = factory.configureSslContextFactory(new SslContextFactory.Server());
+        assertThat(Arrays.asList(sslContextFactory.getExcludeProtocols())).isEqualTo(excludedProtocols);
+
+        sslContextFactory.start();
+        try {
+            assertThat(sslContextFactory.newSSLEngine().getEnabledProtocols())
+                .contains("TLSv1.2")
+                .allSatisfy(protocol -> assertThat(protocol).doesNotStartWith("SSL"))
+                .doesNotContain("TLSv1");
+        } finally {
+            sslContextFactory.stop();
+        }
     }
 
     @Test
@@ -125,7 +187,8 @@ void testDefaultExcludedProtocols() throws Exception {
         try {
             assertThat(sslContextFactory.newSSLEngine().getEnabledProtocols())
                     .doesNotContainAnyElementsOf(factory.getExcludedProtocols())
-                    .allSatisfy(protocol -> assertThat(protocol).doesNotStartWith("SSL"));
+                    .allSatisfy(protocol -> assertThat(protocol).doesNotStartWith("SSL"))
+                    .doesNotContain("TLSv1", "TLSv1.1");
         } finally {
             sslContextFactory.stop();
         }