Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace invalid default excludedProtocols in HttpsConnectorFactory #3533

Merged
merged 2 commits into from Oct 29, 2020
Merged

Replace invalid default excludedProtocols in HttpsConnectorFactory #3533

merged 2 commits into from Oct 29, 2020

Conversation

joschi
Copy link
Member

@joschi joschi commented Oct 28, 2020

The default list of excluded protocols used in HttpsConnectorFactory wasn't working as expected.

Jetty currently doesn't support using regular expressions for supported or excluded protocols.
This is only working for supported and excluded cipher suites as of Jetty 9.4.33.v20201020.

The default list of excluded protocols now only contains valid and complete entries:

SSLv3, TLSv1, and TLSv1.1

Refs jetty/jetty.project#5531
Fixes #3532

@joschi
Replace invalid default excludedProtocols in HttpsConnectorFactory
ff1ea43 
The default list of excluded protocols used in `HttpsConnectorFactory` wasn't working as expected.

Jetty currently doesn't support using regular expressions for supporte or excluded protocols.
This only works for supported and excluded cipher suites as of Jetty 9.4.33.v20201020.

The default list of excluded protocols now only contains valid and complete entries:

SSLv3, TLSv1, and TLSv1.1

Refs jetty/jetty.project#5531
Fixes #3532
@joschi joschi added this to the 2.0.15 milestone Oct 28, 2020
@joschi joschi requested a review from a team October 28, 2020 22:43
@joschi joschi self-assigned this Oct 28, 2020
pkwarren
pkwarren reviewed Oct 28, 2020
View reviewed changes
dropwizard-jetty/src/test/java/io/dropwizard/jetty/HttpsConnectorFactoryTest.java
try {
assertThat(sslContextFactory.newSSLEngine().getEnabledProtocols())
.doesNotContainAnyElementsOf(factory.getExcludedProtocols())
.allSatisfy(protocol -> assertThat(protocol).doesNotStartWith("SSL"));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we also want to ensure that enabled protocols only includes TLS v1.2/v1.3 and nothing else? Feels like a good test to fail if any older protocols are enabled.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also thought about adding this, but then the test will start failing when run on JVMs which support other (newer) protocols in the future.

Or maybe some JVM only supports up to TLSv2. 🤔

@sonarcloud
Copy link

sonarcloud bot commented Oct 28, 2020

Kudos, SonarCloud Quality Gate passed!

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities (and Security Hotspot 0 Security Hotspots to review)
Code Smell A 1 Code Smell

84.6% 84.6% Coverage
0.0% 0.0% Duplication

@joschi joschi merged commit 206e858 into master Oct 29, 2020
@joschi joschi deleted the issue-3532 branch October 29, 2020 09:11
joschi added a commit that referenced this pull request Oct 29, 2020
@joschi
Replace invalid default excludedProtocols in HttpsConnectorFactory (#…
84d38e3 
…3533)

The default list of excluded protocols used in `HttpsConnectorFactory` wasn't working as expected.

Jetty currently doesn't support using regular expressions for supported or excluded protocols.
This only works for supported and excluded cipher suites as of Jetty 9.4.33.v20201020.

The default list of excluded protocols now only contains valid and complete entries:

SSLv3, TLSv1, and TLSv1.1

Refs jetty/jetty.project#5531
Fixes #3532

(cherry picked from commit 206e858)
joschi added a commit that referenced this pull request Nov 26, 2020
@joschi
Revert "Replace invalid default excludedProtocols in HttpsConnectorFa…
0f0706c 
…ctory"

Refs (#3533)
This partially reverts commit 206e858.
@joschi joschi mentioned this pull request Nov 26, 2020
Merged
joschi added a commit that referenced this pull request Nov 26, 2020
@joschi
Revert "Replace invalid default excludedProtocols in HttpsConnectorFa…
b6ab8bb 
…ctory"

Refs (#3533)
This partially reverts commit 206e858.
joschi added a commit that referenced this pull request Nov 26, 2020
@joschi
Revert "Replace invalid default excludedProtocols in HttpsConnectorFa…
4ec205e 
…ctory"

Refs (#3533)
This partially reverts commit 206e858.
joschi added a commit that referenced this pull request Nov 26, 2020
@joschi
Revert "Replace invalid default excludedProtocols in HttpsConnectorFa…
cf2230d 
…ctory" (#3579)

Jetty 9.4.34.v20201102 added support for regular expressions in included/excluded protocols.

https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.34.v20201102

Refs #3533
Refs jetty/jetty.project#5535
This partially reverts commit 206e858.
joschi added a commit that referenced this pull request Nov 26, 2020
@joschi
Revert "Replace invalid default excludedProtocols in HttpsConnectorFa…
083fed8 
…ctory" (#3579)

Jetty 9.4.34.v20201102 added support for regular expressions in included/excluded protocols.

https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.34.v20201102

Refs #3533
Refs jetty/jetty.project#5535
This partially reverts commit 206e858.

(cherry picked from commit cf2230d)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pkwarren pkwarren pkwarren approved these changes

@arteam arteam arteam approved these changes

Assignees

@joschi joschi

Labels
bug security
Projects
None yet
Milestone
2.0.15
Development

Successfully merging this pull request may close these issues.

Dropwizard reporting incorrectly enabled HTTPS protocols
3 participants
@joschi @pkwarren @arteam