Do not enforce HTTP/2 TLS requirements in case of FORCE_HTTP_1 protocol version policy

Oleg Kalnichevski 2018-10-21 19:08:12 +02:00
parent 309afeff07
commit 8150e37cc3
1 changed files with 36 additions and 4 deletions


@ -34,6 +34,7 @@ import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext; import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException; import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession; import javax.net.ssl.SSLSession;
import org.apache.hc.core5.annotation.Contract; import org.apache.hc.core5.annotation.Contract;
@ -41,6 +42,8 @@ import org.apache.hc.core5.annotation.ThreadingBehavior;
import org.apache.hc.core5.function.Factory; import org.apache.hc.core5.function.Factory;
import org.apache.hc.core5.http.HttpHost; import org.apache.hc.core5.http.HttpHost;
import org.apache.hc.core5.http.nio.ssl.TlsStrategy; import org.apache.hc.core5.http.nio.ssl.TlsStrategy;
import org.apache.hc.core5.http2.HttpVersionPolicy;
import org.apache.hc.core5.http2.ssl.ApplicationProtocols;
import org.apache.hc.core5.http2.ssl.H2TlsSupport; import org.apache.hc.core5.http2.ssl.H2TlsSupport;
import org.apache.hc.core5.net.NamedEndpoint; import org.apache.hc.core5.net.NamedEndpoint;
import org.apache.hc.core5.reactor.ssl.SSLBufferMode; import org.apache.hc.core5.reactor.ssl.SSLBufferMode;
@ -129,16 +132,45 @@ public class DefaultClientTlsStrategy implements TlsStrategy {
final SocketAddress localAddress, final SocketAddress localAddress,
final SocketAddress remoteAddress, final SocketAddress remoteAddress,
final Object attachment) { final Object attachment) {
tlsSession.startTls(sslContext, host, sslBufferManagement, H2TlsSupport.enforceRequirements(attachment, new SSLSessionInitializer() { tlsSession.startTls(sslContext, host, sslBufferManagement, new SSLSessionInitializer() {
@Override @Override
public void initialize(final NamedEndpoint endpoint, final SSLEngine sslEngine) { public void initialize(final NamedEndpoint endpoint, final SSLEngine sslEngine) {
final HttpVersionPolicy versionPolicy = attachment instanceof HttpVersionPolicy ?
(HttpVersionPolicy) attachment : HttpVersionPolicy.NEGOTIATE;
final SSLParameters sslParameters = sslEngine.getSSLParameters();
if (supportedProtocols != null) { if (supportedProtocols != null) {
sslEngine.setEnabledProtocols(supportedProtocols); sslParameters.setProtocols(supportedProtocols);
} else if (versionPolicy != HttpVersionPolicy.FORCE_HTTP_1) {
sslParameters.setProtocols(H2TlsSupport.excludeBlacklistedProtocols(sslParameters.getProtocols()));
} }
if (supportedCipherSuites != null) { if (supportedCipherSuites != null) {
sslEngine.setEnabledCipherSuites(supportedCipherSuites); sslParameters.setCipherSuites(supportedCipherSuites);
} else if (versionPolicy != HttpVersionPolicy.FORCE_HTTP_1) {
sslParameters.setCipherSuites(H2TlsSupport.excludeBlacklistedCiphers(sslParameters.getCipherSuites()));
} }
switch (versionPolicy) {
case FORCE_HTTP_1:
H2TlsSupport.setApplicationProtocols(sslParameters, new String[] {
ApplicationProtocols.HTTP_1_1.id });
break;
case FORCE_HTTP_2:
H2TlsSupport.setEnableRetransmissions(sslParameters, false);
H2TlsSupport.setApplicationProtocols(sslParameters, new String[] {
ApplicationProtocols.HTTP_2.id });
break;
case NEGOTIATE:
H2TlsSupport.setEnableRetransmissions(sslParameters, false);
H2TlsSupport.setApplicationProtocols(sslParameters, new String[] {
ApplicationProtocols.HTTP_2.id, ApplicationProtocols.HTTP_1_1.id });
break;
}
sslEngine.setSSLParameters(sslParameters);
initializeEngine(sslEngine); initializeEngine(sslEngine);
if (log.isDebugEnabled()) { if (log.isDebugEnabled()) {
@ -147,7 +179,7 @@ public class DefaultClientTlsStrategy implements TlsStrategy {
} }
} }
}), new SSLSessionVerifier() { }, new SSLSessionVerifier() {
@Override @Override
public TlsDetails verify(final NamedEndpoint endpoint, final SSLEngine sslEngine) throws SSLException { public TlsDetails verify(final NamedEndpoint endpoint, final SSLEngine sslEngine) throws SSLException {