From 887173352bfa94e963af8000b395562364c7e8ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alen=20Vre=C4=8Dko?= <332217+avrecko@users.noreply.github.com>
Date: Sat, 21 Dec 2024 21:37:35 +0100
Subject: [PATCH] Support for setting ciphersuites.

---
 src/one/nio/net/JavaSslClientContext.java | 5 +++++
 src/one/nio/net/NativeSslContext.java | 3 +++
 src/one/nio/net/SslConfig.java | 3 +++
 src/one/nio/net/SslContext.java | 2 ++
 src/one/nio/net/native/ssl.c | 14 ++++++++++++++
 5 files changed, 27 insertions(+)

diff --git a/src/one/nio/net/JavaSslClientContext.java b/src/one/nio/net/JavaSslClientContext.java
index ede91674..ad871659 100644
--- a/src/one/nio/net/JavaSslClientContext.java
+++ b/src/one/nio/net/JavaSslClientContext.java
@@ -64,6 +64,11 @@ public void setCiphers(String ciphers) throws SSLException {
         parameters.setCipherSuites(ciphers.split(":"));
     }
 
+    @Override
+    public void setCiphersuites(String ciphersuites) throws SSLException {
+        // Ignore
+    }
+
     @Override
     public void setCurve(String curve) throws SSLException {
         // Ignore
diff --git a/src/one/nio/net/NativeSslContext.java b/src/one/nio/net/NativeSslContext.java
index a8a15f3c..6b90564d 100755
--- a/src/one/nio/net/NativeSslContext.java
+++ b/src/one/nio/net/NativeSslContext.java
@@ -199,6 +199,9 @@ public void setSessionCache(String mode, int size) throws SSLException {
     @Override
     public native void setCiphers(String ciphers) throws SSLException;
 
+    @Override
+    public native void setCiphersuites(String ciphersuites) throws SSLException;
+
     /**
      * Sets the curve used for ECDH temporary keys used during key exchange.
      * Use openssl ecparam -list_curves to get list of supported curves.
diff --git a/src/one/nio/net/SslConfig.java b/src/one/nio/net/SslConfig.java
index 70566211..fbab00fd 100644
--- a/src/one/nio/net/SslConfig.java
+++ b/src/one/nio/net/SslConfig.java
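Review bot: The JavaSslClientContext override of `setCiphersuites` drops its argument, so a `one.nio.ssl.ciphersuites` value that the native context enforces has no effect on the JSSE-backed client, and SslContext.configure gives the operator no indication of that. The `// Ignore` comment should state the consequence rather than the action, for example `// Not applied: the configured TLS 1.3 ciphersuites only take effect in the native (OpenSSL) context`. If a stricter contract is wanted, throwing `SSLException` here instead would surface the divergence, but that is a behavioural choice for the maintainers.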
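Review bot: The new native `setCiphersuites` in NativeSslContext has no Javadoc, while the neighbouring `setCurve` below it documents its format and how to discover valid values. Since `setCiphers` and `setCiphersuites` take different name syntaxes and govern different protocol versions, a reader needs the distinction spelled out; I would add `/** Sets the TLS 1.3 ciphersuites as a colon-separated list of OpenSSL suite names (SSL_CTX_set_ciphersuites). Suites for TLS 1.2 and earlier are configured with {@link #setCiphers}. */`.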
@@ -25,6 +25,7 @@ public class SslConfig {
 
     // Conservative ciphersuite according to https://wiki.mozilla.org/Security/Server_Side_TLS
     static final String DEFAULT_CIPHERS = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA";
+    static final String DEFAULT_CIPHERSUITES = "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256";
     static final String DEFAULT_CACHE_MODE = "internal";
     static final int DEFAULT_CACHE_SIZE = 262144;
     static final long DEFAULT_TIMEOUT_SEC = 300;
@@ -34,6 +35,7 @@ public class SslConfig {
     public boolean rdrand;
     public String protocols;
     public String ciphers;
+    public String ciphersuites;
     public String curve;
     public String[] certFile;
     public String[] privateKeyFile;
@@ -65,6 +67,7 @@ public static SslConfig from(Properties props) {
         SslConfig config = new SslConfig();
         config.protocols = props.getProperty("one.nio.ssl.protocols");
         config.ciphers = props.getProperty("one.nio.ssl.ciphers");
+        config.ciphersuites = props.getProperty("one.nio.ssl.ciphersuites");
         config.curve = props.getProperty("one.nio.ssl.curve");
         config.certFile = toArray(props.getProperty("one.nio.ssl.certFile"));
         config.privateKeyFile = toArray(props.getProperty("one.nio.ssl.privateKeyFile"));
diff --git a/src/one/nio/net/SslContext.java b/src/one/nio/net/SslContext.java
index f50e6c76..e4bb052b 100755
--- a/src/one/nio/net/SslContext.java
+++ b/src/one/nio/net/SslContext.java
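Review bot: `DEFAULT_CIPHERSUITES` is added directly under the "Conservative ciphersuite according to ..." comment, which now appears to cover both lists without saying that `DEFAULT_CIPHERS` uses OpenSSL names for TLS 1.2 and earlier while the new constant holds IANA-style TLS 1.3 suite names with a different syntax. Operators reading SslConfig to decide what `one.nio.ssl.ciphers` versus `one.nio.ssl.ciphersuites` controls have no way to tell them apart. I would put `// TLS 1.3 suites (colon-separated, applied via SSL_CTX_set_ciphersuites); DEFAULT_CIPHERS above governs TLS 1.2 and earlier` above the new constant, and note on the `ciphersuites` field in the second hunk that it is read from `one.nio.ssl.ciphersuites`.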
@@ -84,6 +84,7 @@ public synchronized SslContext configure(SslConfig config) throws IOException {
         }
 
         setCiphers(config.ciphers != null ? config.ciphers : SslConfig.DEFAULT_CIPHERS);
+        setCiphersuites(config.ciphersuites != null ? config.ciphersuites : SslConfig.DEFAULT_CIPHERSUITES);
 
         // with null the curve will be auto-selected by openssl
         setCurve(config.curve);
@@ -307,6 +308,7 @@ void refresh() {
     public abstract void setRdrand(boolean rdrand) throws SSLException;
     public abstract void setProtocols(String protocols) throws SSLException;
     public abstract void setCiphers(String ciphers) throws SSLException;
+    public abstract void setCiphersuites(String ciphersuites) throws SSLException;
     public abstract void setCurve(String curve) throws SSLException;
     public abstract void setCertificate(String certFile) throws SSLException;
     public abstract void setPrivateKey(String privateKeyFile) throws SSLException;
diff --git a/src/one/nio/net/native/ssl.c b/src/one/nio/net/native/ssl.c
index 434d5d0f..c047ccad 100755
--- a/src/one/nio/net/native/ssl.c
+++ b/src/one/nio/net/native/ssl.c
@@ -709,6 +709,20 @@ Java_one_nio_net_NativeSslContext_setCiphers(JNIEnv* env, jobject self, jstring
     }
 }
 
+JNIEXPORT void JNICALL
+Java_one_nio_net_NativeSslContext_setCiphersuites(JNIEnv* env, jobject self, jstring ciphersuites) {
+    SSL_CTX* ctx = (SSL_CTX*)(intptr_t)(*env)->GetLongField(env, self, f_ctx);
+
+    if (ciphersuites != NULL) {
+        const char* value = (*env)->GetStringUTFChars(env, ciphersuites, NULL);
+        int result = SSL_CTX_set_ciphersuites(ctx, value);
+        (*env)->ReleaseStringUTFChars(env, ciphersuites, value);
+        if (result <= 0) {
+            throw_ssl_exception(env);
+        }
+    }
+}
+
 JNIEXPORT void JNICALL
 Java_one_nio_net_NativeSslContext_setCurve(JNIEnv* env, jobject self, jstring curve) {
     SSL_CTX* ctx = (SSL_CTX*)(intptr_t)(*env)->GetLongField(env, self, f_ctx);
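Review bot: In the new `Java_one_nio_net_NativeSslContext_setCiphersuites`, `value` is handed to `SSL_CTX_set_ciphersuites` without a NULL check; `GetStringUTFChars` returns NULL when the copy cannot be allocated (with an OutOfMemoryError already pending), so the native call and the following `ReleaseStringUTFChars` should be skipped in that case with `if (value == NULL) return;` directly after the `GetStringUTFChars` line. If the existing `setCiphers` above, whose body is outside this hunk, follows the same pattern, the same check applies there. Separately, `SSL_CTX_set_ciphersuites` exists only in OpenSSL 1.1.1 and later; if this file is expected to build against older headers, the body needs an `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` guard with `throw_ssl_exception`-style reporting in the `#else` branch rather than a silent no-op — I cannot see from the hunk whether the rest of ssl.c already uses such guards.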