Posted to commits@hc.apache.org by rs...@apache.org on 2019/09/27 20:10:02 UTC
[httpcomponents-client] branch master updated: Enforce h2 TLS rules
after negotiating TLS, not before
This is an automated email from the ASF dual-hosted git repository.
rschmitt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/httpcomponents-client.git
The following commit(s) were added to refs/heads/master by this push:
new a1adf79 Enforce h2 TLS rules after negotiating TLS, not before
a1adf79 is described below
commit a1adf7910069a1dff0d862fa71e4066776a2474f
Author: Ryan Schmitt <rs...@apache.org>
AuthorDate: Thu Sep 26 15:39:36 2019 -0700
Enforce h2 TLS rules after negotiating TLS, not before
---
.../hc/client5/http/ssl/AbstractClientTlsStrategy.java | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/AbstractClientTlsStrategy.java b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/AbstractClientTlsStrategy.java
index 239c14c..72859c6 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/AbstractClientTlsStrategy.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/AbstractClientTlsStrategy.java
@@ -34,6 +34,7 @@ import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
@@ -44,6 +45,7 @@ import org.apache.hc.core5.http.nio.ssl.TlsStrategy;
import org.apache.hc.core5.http.ssl.TLS;
import org.apache.hc.core5.http.ssl.TlsCiphers;
import org.apache.hc.core5.http2.HttpVersionPolicy;
+import org.apache.hc.core5.http2.ssl.ApplicationProtocols;
import org.apache.hc.core5.http2.ssl.H2TlsSupport;
import org.apache.hc.core5.net.NamedEndpoint;
import org.apache.hc.core5.reactor.ssl.SSLBufferMode;
@@ -107,7 +109,7 @@ abstract class AbstractClientTlsStrategy implements TlsStrategy {
}
if (supportedCipherSuites != null) {
sslParameters.setCipherSuites(supportedCipherSuites);
- } else if (versionPolicy != HttpVersionPolicy.FORCE_HTTP_1) {
+ } else if (versionPolicy == HttpVersionPolicy.FORCE_HTTP_2) {
sslParameters.setCipherSuites(TlsCiphers.excludeH2Blacklisted(sslParameters.getCipherSuites()));
}
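Review bot: With the changed `else if` line, `HttpVersionPolicy.NEGOTIATE` no longer strips the h2-blacklisted suites from the offered cipher list, so a server that selects such a suite and also picks h2 via ALPN is only rejected after the handshake (in the verify() change further down) rather than steered away from it up front. That looks like the intended trade-off — not narrowing the suites available to HTTP/1.1 connections — but nothing in the code says so; a comment on the branch would make the split between offer-time and post-handshake enforcement explicit: `// Only restrict the offered suites when h2 is mandatory; under NEGOTIATE a blacklisted suite is rejected after ALPN in verify()`. The enclosing method starts and ends outside this hunk.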
@@ -130,7 +132,15 @@ abstract class AbstractClientTlsStrategy implements TlsStrategy {
@Override
public TlsDetails verify(final NamedEndpoint endpoint, final SSLEngine sslEngine) throws SSLException {
verifySession(host.getHostName(), sslEngine.getSession());
- return createTlsDetails(sslEngine);
+ final TlsDetails tlsDetails = createTlsDetails(sslEngine);
+ final String negotiatedCipherSuite = sslEngine.getSession().getCipherSuite();
+ if (tlsDetails != null && ApplicationProtocols.HTTP_2.id.equals(tlsDetails.getApplicationProtocol())) {
+ if (TlsCiphers.isH2Blacklisted(negotiatedCipherSuite)) {
+ throw new SSLHandshakeException("Cipher suite `" + negotiatedCipherSuite
+ + "` does not provide adequate security for HTTP/2");
+ }
+ }
+ return tlsDetails;
}
}, handshakeTimeout);
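Review bot: The post-handshake check added in verify() enforces only the cipher-suite half of the RFC 7540 §9.2 rules; the TLS protocol version is not examined, so an h2 session negotiated over a pre-1.2 protocol (where the engine still permits one) passes the new branch. Unless that is already guaranteed elsewhere (the file imports `H2TlsSupport`, which may cover it at SSLParameters setup — worth confirming), `sslEngine.getSession().getProtocol()` could be compared against `"TLSv1.2"`/`"TLSv1.3"` inside the same `HTTP_2` branch and rejected with the same `SSLHandshakeException` style. As a smaller point, `sslEngine.getSession()` is now called twice in this method (once for verifySession, once for the cipher suite); hoisting `final SSLSession session = sslEngine.getSession();` keeps both checks on one session object and reads cleaner. verify() sits in an anonymous class whose opening is outside this hunk.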