Posted to commits@hc.apache.org by rs...@apache.org on 2019/09/27 20:10:02 UTC

[httpcomponents-client] branch master updated: Enforce h2 TLS rules after negotiating TLS, not before

This is an automated email from the ASF dual-hosted git repository.

rschmitt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/httpcomponents-client.git


The following commit(s) were added to refs/heads/master by this push:
     new a1adf79  Enforce h2 TLS rules after negotiating TLS, not before
a1adf79 is described below

commit a1adf7910069a1dff0d862fa71e4066776a2474f
Author: Ryan Schmitt <rs...@apache.org>
AuthorDate: Thu Sep 26 15:39:36 2019 -0700

    Enforce h2 TLS rules after negotiating TLS, not before
---
 .../hc/client5/http/ssl/AbstractClientTlsStrategy.java     | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/AbstractClientTlsStrategy.java b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/AbstractClientTlsStrategy.java
index 239c14c..72859c6 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/AbstractClientTlsStrategy.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/AbstractClientTlsStrategy.java
@@ -34,6 +34,7 @@ import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLHandshakeException;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLSession;
 
@@ -44,6 +45,7 @@ import org.apache.hc.core5.http.nio.ssl.TlsStrategy;
 import org.apache.hc.core5.http.ssl.TLS;
 import org.apache.hc.core5.http.ssl.TlsCiphers;
 import org.apache.hc.core5.http2.HttpVersionPolicy;
+import org.apache.hc.core5.http2.ssl.ApplicationProtocols;
 import org.apache.hc.core5.http2.ssl.H2TlsSupport;
 import org.apache.hc.core5.net.NamedEndpoint;
 import org.apache.hc.core5.reactor.ssl.SSLBufferMode;
@@ -107,7 +109,7 @@ abstract class AbstractClientTlsStrategy implements TlsStrategy {
                 }
                 if (supportedCipherSuites != null) {
                     sslParameters.setCipherSuites(supportedCipherSuites);
-                } else if (versionPolicy != HttpVersionPolicy.FORCE_HTTP_1) {
+                } else if (versionPolicy == HttpVersionPolicy.FORCE_HTTP_2) {
                     sslParameters.setCipherSuites(TlsCiphers.excludeH2Blacklisted(sslParameters.getCipherSuites()));
                 }
 
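Review bot: The new condition on the `else if` line makes a security decision that is only understandable together with the post-handshake check added elsewhere in this commit, and nothing at this site says so; a reader will wonder why `NEGOTIATE` no longer filters the offered suites. Add a comment above the branch such as `// Only pre-filter the offered suites when h2 is forced; for NEGOTIATE the RFC 7540 cipher rules are enforced in verify() once ALPN has actually selected h2, so an HTTP/1.1 server is not penalised.` If `versionPolicy` can be null here, note that the old `!= FORCE_HTTP_1` test took the exclusion path for null while `== FORCE_HTTP_2` does not; I cannot see the field's initialisation from this hunk, so please confirm it is non-null. The enclosing method starts before this hunk.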
@@ -130,7 +132,15 @@ abstract class AbstractClientTlsStrategy implements TlsStrategy {
             @Override
             public TlsDetails verify(final NamedEndpoint endpoint, final SSLEngine sslEngine) throws SSLException {
                 verifySession(host.getHostName(), sslEngine.getSession());
-                return createTlsDetails(sslEngine);
+                final TlsDetails tlsDetails = createTlsDetails(sslEngine);
+                final String negotiatedCipherSuite = sslEngine.getSession().getCipherSuite();
+                if (tlsDetails != null && ApplicationProtocols.HTTP_2.id.equals(tlsDetails.getApplicationProtocol())) {
+                    if (TlsCiphers.isH2Blacklisted(negotiatedCipherSuite)) {
+                        throw new SSLHandshakeException("Cipher suite `" + negotiatedCipherSuite
+                            + "` does not provide adequate security for HTTP/2");
+                    }
+                }
+                return tlsDetails;
             }
 
         }, handshakeTimeout);
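Review bot: In the new `verify` body `negotiatedCipherSuite` is read on the line after `createTlsDetails(sslEngine)`, before it is known whether h2 was negotiated at all, and `sslEngine.getSession()` is now called twice in the method (once in `verifySession`, once here); the two nested `if`s can also be a single block. Move the lookup inside the condition: `if (tlsDetails != null && ApplicationProtocols.HTTP_2.id.equals(tlsDetails.getApplicationProtocol())) {` followed by `final String negotiatedCipherSuite = sslEngine.getSession().getCipherSuite();` and then the existing `isH2Blacklisted` test. A short comment such as `// RFC 7540 section 9.2.2: reject the connection if the server selected h2 over a blacklisted cipher suite; checked after the handshake so that HTTP/1.1 servers are unaffected` would record why this is enforced after negotiation rather than by filtering the offered suites. Note that at this point the TLS session has already been established, so the `SSLHandshakeException` is thrown after the fact rather than aborting the handshake; the exception type is a subclass of the declared `SSLException`, so existing callers still see it. The `upgrade` method that wraps this anonymous class continues past the end of the hunk.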