Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
package org.apache.zookeeper.common;

import io.netty.handler.ssl.DelegatingSslContext;
import io.netty.handler.ssl.IdentityCipherSuiteFilter;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
Expand Down Expand Up @@ -81,7 +82,9 @@ public SslContext createNettySslContextForClient(ZKConfig config)
sslContextBuilder.protocols(enabledProtocols);
}
Iterable<String> enabledCiphers = getCipherSuites(config);
if (enabledCiphers != null) {
if (enabledCiphers == null) {
sslContextBuilder.ciphers(null, IdentityCipherSuiteFilter.INSTANCE_DEFAULTING_TO_SUPPORTED_CIPHERS);
} else {
sslContextBuilder.ciphers(enabledCiphers);
}
sslContextBuilder.sslProvider(getSslProvider(config));
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -732,7 +732,7 @@ public void testCreateSSLContext_ocspWithJreProvider(
throws Exception {
init(caKeyType, certKeyType, keyPassword, paramIndex);
ZKConfig zkConfig = new ZKConfig();
try (ClientX509Util clientX509Util = new ClientX509Util();) {
try (ClientX509Util clientX509Util = new ClientX509Util()) {
zkConfig.setProperty(clientX509Util.getSslOcspEnabledProperty(), "true");
// Must not throw IllegalArgumentException
clientX509Util.createSSLContext(zkConfig);
Expand Down Expand Up @@ -761,6 +761,32 @@ public void testCreateSSLContext_hostnameVerificationNoCustomTrustStore(X509KeyT
}
}

@ParameterizedTest
@MethodSource("data")
public void testCreateSSLContext_ChaCha20Cipher(X509KeyType caKeyType,
X509KeyType certKeyType, String keyPassword, Integer paramIndex) throws Exception {
init(caKeyType, certKeyType, keyPassword, paramIndex);

// TLS_CHACHA20_POLY1305_SHA256 cipher is a mandatory cipher suite on TLSv1.3,
// so a client with default configuration must support it.

ZKConfig zkConfig = new ZKConfig();
zkConfig.setProperty(x509Util.getSslEnabledProtocolsProperty(), "TLSv1.3");

try (ClientX509Util clientX509Util = new ClientX509Util()) {
SslContext context = clientX509Util.createNettySslContextForClient(zkConfig);

UnpooledByteBufAllocator byteBufAllocator = new UnpooledByteBufAllocator(false);
SSLEngine engine = context.newEngine(byteBufAllocator);

String[] enabledProtocols = engine.getEnabledProtocols();
assertArrayEquals(new String[] { "TLSv1.3" }, enabledProtocols);

List<String> enabledCipherSuites = Arrays.asList(engine.getEnabledCipherSuites());
assertTrue(enabledCipherSuites.contains("TLS_CHACHA20_POLY1305_SHA256"));
}
}

private static void forceClose(Socket s) {
if (s == null || s.isClosed()) {
return;
Expand Down
Loading