Add support for TLSv1.3 #8293
Add support for TLSv1.3 #8293
Conversation
|
This depends on netty/netty-tcnative#389. |
| synchronized (this) { | ||
| if (!isDestroyed()) { | ||
| // TODO: Should we also adjust the protocols based on if there are any ciphers left that can be used | ||
| // for TLSv1.3 or for previor SSL/TLS versions ? |
There was a problem hiding this comment.
@carl-mastrangelo @ejona86 @ryanoneill @bryce-anderson @Scottmitch @trustin not sure about this one...
There was a problem hiding this comment.
Sounds kinda niche. Maybe we can wait until someone asks for it?
| @@ -2199,6 +2209,10 @@ public int getPeerPort() { | |||
|
|
|||
| @Override | |||
| public int getPacketBufferSize() { | |||
| // TODO: Do a better job for TLSv1.3 here. | |||
There was a problem hiding this comment.
@carl-mastrangelo @ejona86 @ryanoneill @bryce-anderson @Scottmitch @trustin this needs to be fixed before merging as it may waste memory.
There was a problem hiding this comment.
Currently checking what to do best...
|
Once this is merged I have a followup PR that will allow to use TLSv1.3 also on Java8,9 and 10 :) But I want to have this one merged first to keep the scope small |
normanmaurer
requested review from
Scottmitch,
carl-mastrangelo,
ejona86,
bryce-anderson,
ryanoneill,
trustin and
vkostyukov
and removed request for
Scottmitch,
carl-mastrangelo and
ejona86
normanmaurer
force-pushed
the
openssl_1_1_1
branch
from
fe61871
to
2b20117
Compare
|
Also another question is if we should add TLSv1.3 by default to the protocols used or if the user should enable it explicit... thoughts ? |
|
IIRC TLS 1.3 was subject (sometimes) to replay attacks, which considered ok for idempotent requests like GETs. I have no idea about the details, but I remember that and being surprised. Probably worth checking before turning it on by default. |
| synchronized (this) { | ||
| if (!isDestroyed()) { | ||
| // TODO: Should we also adjust the protocols based on if there are any ciphers left that can be used | ||
| // for TLSv1.3 or for previor SSL/TLS versions ? |
There was a problem hiding this comment.
Sounds kinda niche. Maybe we can wait until someone asks for it?
| @@ -1470,13 +1473,20 @@ public final void setEnabledProtocols(String[] protocols) { | |||
| if (maxProtocolIndex < OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_2) { | |||
| maxProtocolIndex = OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_2; | |||
| } | |||
| } else if (p.equals(PROTOCOL_TLS_V1_3)) { | |||
| if (minProtocolIndex > OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_3) { | |||
There was a problem hiding this comment.
minProtocolIndex = Math.min(minProtocolIndex, OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_3);
There was a problem hiding this comment.
@carl-mastrangelo I could do this I just wanted to keep it consistent with the rest.
| // This may fail or not depending on the OpenSSL version used | ||
| // See https://github.com/openssl/openssl/issues/7196 | ||
| testInvalidCipher(SslProvider.OPENSSL); | ||
| if (!OpenSsl.versionString().contains("1.1.1")) { |
There was a problem hiding this comment.
Why not also asume the version string above?
There was a problem hiding this comment.
@carl-mastrangelo because I want to have the test run with all versions and just test for different things.
normanmaurer
force-pushed
the
openssl_1_1_1
branch
2 times, most recently
from
79ee03c
to
344505f
Compare
|
@carl-mastrangelo @ejona86 @Scottmitch @trustin any more comments ? I would love to pull this in... |
| @@ -450,4 +489,8 @@ static void releaseIfNeeded(ReferenceCounted counted) { | |||
| ReferenceCountUtil.safeRelease(counted); | |||
| } | |||
| } | |||
|
|
|||
| static boolean isTlsv13Supported() { | |||
There was a problem hiding this comment.
I actually like isTlsv13Supported best... are you strong here ?
There was a problem hiding this comment.
Lowercase v is what Google's style guide says, if it matters.
| import static io.netty.handler.ssl.SslUtils.PROTOCOL_TLS_V1_2; | ||
| import static io.netty.handler.ssl.SslUtils.SSL_RECORD_HEADER_LENGTH; | ||
|
|
||
| import static io.netty.handler.ssl.SslUtils.*; |
There was a problem hiding this comment.
Hmm, did we change our coding style?
There was a problem hiding this comment.
not sure :D I can revert this if you want.
There was a problem hiding this comment.
Maybe it's time to adopt https://github.com/google/google-java-format for love and peace? 😄
normanmaurer
force-pushed
the
openssl_1_1_1
branch
2 times, most recently
from
19bc197
to
20f3043
Compare
|
@carl-mastrangelo @trustin anything else ? |
normanmaurer
force-pushed
the
openssl_1_1_1
branch
from
8bb1e8c
to
fdacb32
Compare
|
@netty-bot test this please |
|
@netty-bot test this please |
Motivation: TLSv1.3 support is included in java11 and is also supported by OpenSSL 1.1.1, so we should support when possible. Modifications: - Add support for TLSv1.3 using either the JDK implementation or the native implementation provided by netty-tcnative when compiled against openssl 1.1.1 - Adjust unit tests for semantics provided by TLSv1.3 - Correctly handle custom Provider implementations that not support TLSv1.3 Result: Be able to use TLSv1.3 with netty.
normanmaurer
force-pushed
the
openssl_1_1_1
branch
from
fdacb32
to
59c9ad6
Compare
Is it fair to say netty does not yet support TLS 1.3 if the jdk used is Java 8? |
|
@thekalinga nope... as long as you use netty-tcnative-boringssl-static it will also support TLSv1.3 with Java8 |
|
@normanmaurer Thanks for the clarification |
|
@normanmaurer Request for one small clarification. If |
|
@thekalinga sorry I dont get what you are asking for... Can you clarify ? |
|
I just came across the other pull request of yours where you added support for Java < 11 support This clarifies my confusion Please ignore my previous comment. Looks like my question caused more confusion |
Motivation:
TLSv1.3 support is included in java11 and is also supported by OpenSSL 1.1.1, so we should support when possible.
Modifications:
Result:
Be able to use TLSv1.3 with netty.