Support for setting ciphersuites.

avrecko · Dec 21, 2024 · 8871733 · 8871733
1 parent 22c7927
commit 8871733
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 0 deletions.
diff --git a/src/one/nio/net/JavaSslClientContext.java b/src/one/nio/net/JavaSslClientContext.java
@@ -64,6 +64,11 @@ public void setCiphers(String ciphers) throws SSLException {
         parameters.setCipherSuites(ciphers.split(":"));
     }
 
+    @Override
+    public void setCiphersuites(String ciphersuites) throws SSLException {
+        // Ignore
+    }
+
     @Override
     public void setCurve(String curve) throws SSLException {
         // Ignore

diff --git a/src/one/nio/net/NativeSslContext.java b/src/one/nio/net/NativeSslContext.java
@@ -199,6 +199,9 @@ public void setSessionCache(String mode, int size) throws SSLException {
     @Override
     public native void setCiphers(String ciphers) throws SSLException;
 
+    @Override
+    public native void setCiphersuites(String ciphersuites) throws SSLException;
+
     /**
      * Sets the curve used for ECDH temporary keys used during key exchange.
      * Use <code>openssl ecparam -list_curves</code> to get list of supported curves.

diff --git a/src/one/nio/net/SslConfig.java b/src/one/nio/net/SslConfig.java
@@ -25,6 +25,7 @@
 public class SslConfig {
     // Conservative ciphersuite according to https://wiki.mozilla.org/Security/Server_Side_TLS
     static final String DEFAULT_CIPHERS = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA";
+    static final String DEFAULT_CIPHERSUITES = "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256";
     static final String DEFAULT_CACHE_MODE = "internal";
     static final int DEFAULT_CACHE_SIZE = 262144;
     static final long DEFAULT_TIMEOUT_SEC = 300;
@@ -34,6 +35,7 @@ public class SslConfig {
     public boolean rdrand;
     public String protocols;
     public String ciphers;
+    public String ciphersuites;
     public String curve;
     public String[] certFile;
     public String[] privateKeyFile;
@@ -65,6 +67,7 @@ public static SslConfig from(Properties props) {
         SslConfig config = new SslConfig();
         config.protocols      = props.getProperty("one.nio.ssl.protocols");
         config.ciphers        = props.getProperty("one.nio.ssl.ciphers");
+        config.ciphersuites   = props.getProperty("one.nio.ssl.ciphersuites");
         config.curve          = props.getProperty("one.nio.ssl.curve");
         config.certFile       = toArray(props.getProperty("one.nio.ssl.certFile"));
         config.privateKeyFile = toArray(props.getProperty("one.nio.ssl.privateKeyFile"));

diff --git a/src/one/nio/net/SslContext.java b/src/one/nio/net/SslContext.java
@@ -84,6 +84,7 @@ public synchronized SslContext configure(SslConfig config) throws IOException {
         }
 
         setCiphers(config.ciphers != null ? config.ciphers : SslConfig.DEFAULT_CIPHERS);
+        setCiphersuites(config.ciphersuites != null ? config.ciphersuites : SslConfig.DEFAULT_CIPHERSUITES);
 
         // with null the curve will be auto-selected by openssl
         setCurve(config.curve);
@@ -307,6 +308,7 @@ void refresh() {
     public abstract void setRdrand(boolean rdrand) throws SSLException;
     public abstract void setProtocols(String protocols) throws SSLException;
     public abstract void setCiphers(String ciphers) throws SSLException;
+    public abstract void setCiphersuites(String ciphersuites) throws SSLException;
     public abstract void setCurve(String curve) throws SSLException;
     public abstract void setCertificate(String certFile) throws SSLException;
     public abstract void setPrivateKey(String privateKeyFile) throws SSLException;

diff --git a/src/one/nio/net/native/ssl.c b/src/one/nio/net/native/ssl.c
@@ -709,6 +709,20 @@ Java_one_nio_net_NativeSslContext_setCiphers(JNIEnv* env, jobject self, jstring
     }
 }
 
+JNIEXPORT void JNICALL
+Java_one_nio_net_NativeSslContext_setCiphersuites(JNIEnv* env, jobject self, jstring ciphersuites) {
+    SSL_CTX* ctx = (SSL_CTX*)(intptr_t)(*env)->GetLongField(env, self, f_ctx);
+
+    if (ciphersuites != NULL) {
+        const char* value = (*env)->GetStringUTFChars(env, ciphersuites, NULL);
+        int result = SSL_CTX_set_ciphersuites(ctx, value);
+        (*env)->ReleaseStringUTFChars(env, ciphersuites, value);
+        if (result <= 0) {
+            throw_ssl_exception(env);
+        }
+    }
+}
+
 JNIEXPORT void JNICALL
 Java_one_nio_net_NativeSslContext_setCurve(JNIEnv* env, jobject self, jstring curve) {
     SSL_CTX* ctx = (SSL_CTX*)(intptr_t)(*env)->GetLongField(env, self, f_ctx);