Dropwizard reporting incorrectly enabled HTTPS protocols #3532
Comments
@shahr Thank you very much for reporting this! That's an interesting find. We do indeed add TLSv1.1 to the list of excluded protocols:

This list of excluded protocols is then set on the

A test like the following also dumps the correct selection of included and excluded protocols:

```java
// Imports added for completeness; JUnit 5 is assumed for @Test.
import io.dropwizard.jetty.HttpsConnectorFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.junit.jupiter.api.Test;

@Test
public void testDefaultExcludedProtocols() throws Exception {
    HttpsConnectorFactory factory = new HttpsConnectorFactory();
    factory.setKeyStorePassword("password"); // necessary to avoid a prompt for a password
    // Apply Dropwizard's defaults (including the excludedProtocols list) to a fresh Jetty server factory
    SslContextFactory sslContextFactory = factory.configureSslContextFactory(new SslContextFactory.Server());
    // Dump the protocols and cipher suites Jetty has selected after applying the include/exclude lists
    sslContextFactory.dump(System.out, "");
}
```

Output:

And yet, any
Yes, thank you for verifying - I was surprised by this because a cursory look at the code seemed like everything was configured correctly. For context, I was creating a verification that ensured servers were only using TLSv1.2 and when testing this I oddly discovered that the 1.1 protocol was still enabled. I'm a bit time bound at the moment, but will try to take a look into this a bit deeper to try to understand where TLS 1.1 is being re-enabled.

As a side note - is it worth changing the logging to use

This seems to be rooted in an inconsistency between

I've filed a bug report with the Jetty project for this:

This explains why it seemed to be behaving correctly when I explicitly set the excludedProtocol list without using the regexp. Thank you.
The default list of excluded protocols used in `HttpsConnectorFactory` wasn't working as expected. Jetty currently doesn't support using regular expressions for supported or excluded protocols. This only works for supported and excluded cipher suites as of Jetty 9.4.33.v20201020. The default list of excluded protocols now only contains valid and complete entries: SSLv3, TLSv1, and TLSv1.1

Refs jetty/jetty.project#5531
Fixes #3532
…3533) The default list of excluded protocols used in `HttpsConnectorFactory` wasn't working as expected. Jetty currently doesn't support using regular expressions for supported or excluded protocols. This only works for supported and excluded cipher suites as of Jetty 9.4.33.v20201020. The default list of excluded protocols now only contains valid and complete entries: SSLv3, TLSv1, and TLSv1.1 Refs jetty/jetty.project#5531 Fixes #3532 (cherry picked from commit 206e858)
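The two matching rules the commit message contrasts, modelled side by side as an added illustration (this is not Dropwizard or Jetty code): protocol exclusions only take effect on an exact string match, while cipher-suite exclusions are regular expressions. The regex-style exclusion list is an assumed example of the kind of entry the fix removed; the literal list is the one the commit installs. `leaked_protocols` is the check the reporter built (which protocols meant to be off are still selected), and `unmatched_exclusions` is a configuration lint that flags exclusion entries Jetty would silently ignore.

```python
import re
from typing import Iterable, List

# Constructed sample: protocols the JVM offers before any Jetty filtering is applied.
ENABLED_BY_JVM = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Assumed regex-style exclusion list, illustrating the kind of entry the fix removed;
# the literal list is the one the commit message installs (SSLv3, TLSv1, TLSv1.1).
REGEX_STYLE_EXCLUDES = ["SSL.*", "TLSv1", r"TLSv1\.1"]
LITERAL_EXCLUDES = ["SSLv3", "TLSv1", "TLSv1.1"]


def select_protocols(enabled: Iterable[str], excluded: Iterable[str]) -> List[str]:
    """Protocol selection as the issue describes it: an excluded entry removes a
    protocol only when the two strings are exactly equal, so a pattern never matches."""
    excluded_set = set(excluded)
    return [p for p in enabled if p not in excluded_set]


def select_cipher_suites(enabled: Iterable[str], excluded: Iterable[str]) -> List[str]:
    """Cipher-suite selection, where each excluded entry is a regular expression
    matched against the whole suite name (the list type that does accept patterns)."""
    patterns = [re.compile(e) for e in excluded]
    return [c for c in enabled if not any(p.fullmatch(c) for p in patterns)]


def leaked_protocols(intended_excluded: Iterable[str], selected: Iterable[str]) -> List[str]:
    """Protocols the operator meant to switch off (reading each entry as the regex
    they intended) that survived exact-match selection. This is the gap the
    reporter observed: TLSv1.1 still negotiable although listed as excluded."""
    patterns = [re.compile(e) for e in intended_excluded]
    return [p for p in selected if any(pat.fullmatch(p) for pat in patterns)]


def unmatched_exclusions(excluded: Iterable[str], supported: Iterable[str]) -> List[str]:
    """Configuration lint: excluded entries that equal no supported protocol name.
    Such an entry is silently ignored, so flag it before the server goes live."""
    supported_set = set(supported)
    return [e for e in excluded if e not in supported_set]


if __name__ == "__main__":
    for label, excludes in (("regex-style", REGEX_STYLE_EXCLUDES), ("literal", LITERAL_EXCLUDES)):
        selected = select_protocols(ENABLED_BY_JVM, excludes)
        print(f"{label:12} selected={selected}")
        print(f"{'':12} leaked={leaked_protocols(excludes, selected)}")
        print(f"{'':12} ignored entries={unmatched_exclusions(excludes, ENABLED_BY_JVM)}")
```

Running it shows the regex-style list leaving SSLv3 and TLSv1.1 selected, which is exactly the mismatch between the logged and the negotiable protocols in the report.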
The default Dropwizard behaviour seems to enable TLSv1.1 (despite the documentation stating that TLSv1.1 is in the excludedProtocols by default). It also does not match what is being logged by Dropwizard.

Steps to reproduce (using Dropwizard v.2.0.13):

```
io.dropwizard.jersey.HttpsConnectorFactory: Enabled protocols: [TLSv1.2, TLSv1.3]
io.dropwizard.jersey.HttpsConnectorFactory: Disabled protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1]
```

```
curl --tlsv1.1 https://localhost
```

- this actually works (using curl version: libcurl/7.29.0, NSS/3.44)

Further proof: a `ServerLifecycleListener` with the `serverStarted` method as:

```java
// Logs the protocols Jetty actually selected on the running server
server -> LOGGER.info(Arrays.asList(server.getBean(SslContextFactory.class).getSelectedProtocols()))
```
Notes: