New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replace invalid default excludedProtocols in HttpsConnectorFactory #3533
Conversation
The default list of excluded protocols used in `HttpsConnectorFactory` wasn't working as expected. Jetty currently doesn't support using regular expressions for supporte or excluded protocols. This only works for supported and excluded cipher suites as of Jetty 9.4.33.v20201020. The default list of excluded protocols now only contains valid and complete entries: SSLv3, TLSv1, and TLSv1.1 Refs jetty/jetty.project#5531 Fixes #3532
try { | ||
assertThat(sslContextFactory.newSSLEngine().getEnabledProtocols()) | ||
.doesNotContainAnyElementsOf(factory.getExcludedProtocols()) | ||
.allSatisfy(protocol -> assertThat(protocol).doesNotStartWith("SSL")); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we also want to ensure that enabled protocols only includes TLS v1.2/v1.3 and nothing else? Feels like a good test to fail if any older protocols are enabled.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I also thought about adding this, but then the test will start failing when run on JVMs which support other (newer) protocols in the future.
Or maybe some JVM only supports up to TLSv2. 🤔
Kudos, SonarCloud Quality Gate passed! 0 Bugs |
…3533) The default list of excluded protocols used in `HttpsConnectorFactory` wasn't working as expected. Jetty currently doesn't support using regular expressions for supported or excluded protocols. This only works for supported and excluded cipher suites as of Jetty 9.4.33.v20201020. The default list of excluded protocols now only contains valid and complete entries: SSLv3, TLSv1, and TLSv1.1 Refs jetty/jetty.project#5531 Fixes #3532 (cherry picked from commit 206e858)
…ctory" (#3579) Jetty 9.4.34.v20201102 added support for regular expressions in included/excluded protocols. https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.34.v20201102 Refs #3533 Refs jetty/jetty.project#5535 This partially reverts commit 206e858.
…ctory" (#3579) Jetty 9.4.34.v20201102 added support for regular expressions in included/excluded protocols. https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.34.v20201102 Refs #3533 Refs jetty/jetty.project#5535 This partially reverts commit 206e858. (cherry picked from commit cf2230d)
The default list of excluded protocols used in
HttpsConnectorFactory
wasn't working as expected.Jetty currently doesn't support using regular expressions for supported or excluded protocols.
This is only working for supported and excluded cipher suites as of Jetty 9.4.33.v20201020.
The default list of excluded protocols now only contains valid and complete entries:
SSLv3, TLSv1, and TLSv1.1
Refs jetty/jetty.project#5531
Fixes #3532