OpenSslEngine.setEnabledProtocols fails to enable protocols that are currently disabled #4736
Comments
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html
@blucas - Your approach as described sounds reasonable.
@normanmaurer - On a related note I wonder if we should be more careful about
Motivation: We currently provide a way to set SSL options via SSL_set_options but we do not provide a way to clear out those options. Related to netty/netty#4736
Modifications: Add clearOptions function which executes SSL_clear_options
Result: Allow users to clear out options which were set using SSL_set_options
@Scottmitch - On another related note (but outside the scope of this issue), it might be worth adding a
sgtm
Motivation: Attempts to enable SSL protocols which are currently disabled fail when using the OpenSslEngine. Related to #4736
Modifications: Clear out all options that have disabled SSL protocols before attempting to enable any SSL protocol.
Result: setEnabledProtocols works as expected.
Fixed by #4737
Motivation: Attempts to enable SSL protocols which are currently disabled fail when using the OpenSslEngine. Related to netty#4736
Modifications: Clear out all options that have disabled SSL protocols before attempting to enable any SSL protocol.
Result: setEnabledProtocols works as expected.
Netty Version: master (I know... 😦 )

The `OpenSslEngine.setEnabledProtocols()` will not allow the user to enable a protocol that has already been disabled. For example, netty (by default) disables `SSLv3`. If you wish to enable `SSLv3` you should be able to call `OpenSslEngine.setEnabledProtocols()` including `SSLv3` as one of the parameters of the array. Unfortunately this does not work. The reason has to do with the implementation of the method.

It does the following:

The problem is step 2 above does not work. I have no idea what `SSL.SSL_OP_ALL` actually does, but it doesn't do what the comment expects.

Solution:

Expose `SSL_clear_options` to netty via a new native method `clearOptions()`, then use `clearOptions` in `setEnabledProtocols`.

Pull Requests to follow. Will need one for netty-tcnative and netty.
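The root cause above is that an OpenSSL option register is write-only in one direction: `SSL_set_options` ORs bits in and only `SSL_clear_options` takes them out, and `SSL_OP_ALL` never touches the `SSL_OP_NO_*` protocol bits. The following added example (not netty or netty-tcnative code) models that register in C and places the buggy `setEnabledProtocols` logic beside the fixed one that clears the protocol bits first; the option bit values are illustrative stand-ins for the real ones in `<openssl/ssl.h>`, and the `ssl_t` struct and helper names are invented for the demonstration.

```c
#include <stdbool.h>
#include <string.h>

/* Illustrative option bits modelled on OpenSSL's SSL_OP_* flags; the real
 * values live in <openssl/ssl.h>, only the bitmask semantics matter here. */
#define SSL_OP_ALL        0x00000BFFL  /* bug workarounds, no protocol bits */
#define SSL_OP_NO_SSLv3   0x02000000L
#define SSL_OP_NO_TLSv1   0x04000000L
#define SSL_OP_NO_TLSv1_2 0x08000000L
#define SSL_OP_NO_TLSv1_1 0x10000000L
#define SSL_OP_NO_PROTOCOLS (SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2)

/* Stand-in for the option register of an SSL object: SSL_set_options only
 * ORs bits in, SSL_clear_options ANDs them out. Nothing else removes a bit. */
typedef struct { long options; } ssl_t;
static long ssl_set_options(ssl_t *s, long o)   { return s->options |= o; }
static long ssl_clear_options(ssl_t *s, long o) { return s->options &= ~o; }

static long protocol_bit(const char *name) {
    if (!strcmp(name, "SSLv3"))   return SSL_OP_NO_SSLv3;
    if (!strcmp(name, "TLSv1"))   return SSL_OP_NO_TLSv1;
    if (!strcmp(name, "TLSv1.1")) return SSL_OP_NO_TLSv1_1;
    if (!strcmp(name, "TLSv1.2")) return SSL_OP_NO_TLSv1_2;
    return 0; /* unknown name: nothing to clear or set */
}
/* Bits that must be set so that only the requested protocols stay enabled. */
static long disable_mask(const char **enabled, size_t n) {
    long mask = SSL_OP_NO_PROTOCOLS;
    for (size_t i = 0; i < n; i++) mask &= ~protocol_bit(enabled[i]);
    return mask;
}

/* Buggy variant: setting SSL_OP_ALL does not touch SSL_OP_NO_* bits, so a
 * protocol disabled earlier (SSLv3 by default) can never be re-enabled. */
static void set_enabled_protocols_buggy(ssl_t *s, const char **enabled, size_t n) {
    ssl_set_options(s, SSL_OP_ALL);
    ssl_set_options(s, disable_mask(enabled, n));
}

/* Fixed variant: clear every protocol-disabling bit first, then disable only
 * the protocols that were not requested. */
static void set_enabled_protocols(ssl_t *s, const char **enabled, size_t n) {
    ssl_clear_options(s, SSL_OP_NO_PROTOCOLS);
    ssl_set_options(s, disable_mask(enabled, n));
}

/* Scenario from the issue: SSLv3 is disabled by default, then the caller asks
 * for {"SSLv3", "TLSv1.2"}. Returns the resulting option register. */
static long options_after(bool use_fix) {
    ssl_t s = { SSL_OP_NO_SSLv3 };               /* constructed default state */
    const char *want[] = { "SSLv3", "TLSv1.2" };
    if (use_fix) set_enabled_protocols(&s, want, 2);
    else         set_enabled_protocols_buggy(&s, want, 2);
    return s.options;
}
```

With the fix, `options_after(true)` leaves only `SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1` set, whereas the buggy path keeps `SSL_OP_NO_SSLv3` no matter what was requested.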