diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java b/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java index 1e50b84257c..7cf7124036c 100644 --- a/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java +++ b/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java @@ -19,6 +19,7 @@ package org.apache.zookeeper.common; import io.netty.handler.ssl.DelegatingSslContext; +import io.netty.handler.ssl.IdentityCipherSuiteFilter; import io.netty.handler.ssl.OpenSsl; import io.netty.handler.ssl.SslContext; import io.netty.handler.ssl.SslContextBuilder; @@ -81,7 +82,9 @@ public SslContext createNettySslContextForClient(ZKConfig config) sslContextBuilder.protocols(enabledProtocols); } Iterable enabledCiphers = getCipherSuites(config); - if (enabledCiphers != null) { + if (enabledCiphers == null) { + sslContextBuilder.ciphers(null, IdentityCipherSuiteFilter.INSTANCE_DEFAULTING_TO_SUPPORTED_CIPHERS); + } else { sslContextBuilder.ciphers(enabledCiphers); } sslContextBuilder.sslProvider(getSslProvider(config)); diff --git a/zookeeper-server/src/test/java/org/apache/zookeeper/common/X509UtilTest.java b/zookeeper-server/src/test/java/org/apache/zookeeper/common/X509UtilTest.java index 660ca64bfdb..2634506a4ae 100644 --- a/zookeeper-server/src/test/java/org/apache/zookeeper/common/X509UtilTest.java +++ b/zookeeper-server/src/test/java/org/apache/zookeeper/common/X509UtilTest.java @@ -732,7 +732,7 @@ public void testCreateSSLContext_ocspWithJreProvider( throws Exception { init(caKeyType, certKeyType, keyPassword, paramIndex); ZKConfig zkConfig = new ZKConfig(); - try (ClientX509Util clientX509Util = new ClientX509Util();) { + try (ClientX509Util clientX509Util = new ClientX509Util()) { zkConfig.setProperty(clientX509Util.getSslOcspEnabledProperty(), "true"); // Must not throw IllegalArgumentException clientX509Util.createSSLContext(zkConfig); @@ -761,6 +761,32 @@ public void testCreateSSLContext_hostnameVerificationNoCustomTrustStore(X509KeyT } } + @ParameterizedTest + @MethodSource("data") + public void testCreateSSLContext_ChaCha20Cipher(X509KeyType caKeyType, + X509KeyType certKeyType, String keyPassword, Integer paramIndex) throws Exception { + init(caKeyType, certKeyType, keyPassword, paramIndex); + + // TLS_CHACHA20_POLY1305_SHA256 cipher is a mandatory cipher suite on TLSv1.3, + // so a client with default configuration must support it. + + ZKConfig zkConfig = new ZKConfig(); + zkConfig.setProperty(x509Util.getSslEnabledProtocolsProperty(), "TLSv1.3"); + + try (ClientX509Util clientX509Util = new ClientX509Util()) { + SslContext context = clientX509Util.createNettySslContextForClient(zkConfig); + + UnpooledByteBufAllocator byteBufAllocator = new UnpooledByteBufAllocator(false); + SSLEngine engine = context.newEngine(byteBufAllocator); + + String[] enabledProtocols = engine.getEnabledProtocols(); + assertArrayEquals(new String[] { "TLSv1.3" }, enabledProtocols); + + List enabledCipherSuites = Arrays.asList(engine.getEnabledCipherSuites()); + assertTrue(enabledCipherSuites.contains("TLS_CHACHA20_POLY1305_SHA256")); + } + } + private static void forceClose(Socket s) { if (s == null || s.isClosed()) { return;