OpenJDK / amber / amber
changeset 60861:4a39a7ad717f
8239594: jdk.tls.client.protocols is not respected
8239595: ssl context version is not respected
Summary: The java.net.HttpClient is updated to no longer override any default selected protocols in the SSLContext, in the absence of any SSLParameters explicitly supplied to the HttpClient.builder.
Reviewed-by: chegar, dfuchs
Contributed-by: Rahul Yadav <rahul.r.yadav@oracle.com>
| author | pconcannon |
|---|---|
| date | Fri, 10 Apr 2020 10:05:33 +0100 |
| parents | ed79f6aea385 |
| children | eb85b2d3b217 |
| files | src/java.net.http/share/classes/jdk/internal/net/http/HttpClientImpl.java test/jdk/java/net/httpclient/TlsContextTest.java test/jdk/java/net/httpclient/ssltest/TlsVersionTest.java test/lib/jdk/test/lib/net/SimpleSSLContext.java |
| diffstat | 4 files changed, 321 insertions(+), 19 deletions(-) [+] |
line wrap: on
line diff
--- a/src/java.net.http/share/classes/jdk/internal/net/http/HttpClientImpl.java Fri Apr 10 15:05:42 2020 +0800 +++ b/src/java.net.http/share/classes/jdk/internal/net/http/HttpClientImpl.java Fri Apr 10 10:05:33 2020 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -334,19 +334,7 @@ } private static SSLParameters getDefaultParams(SSLContext ctx) { - SSLParameters params = ctx.getSupportedSSLParameters(); - String[] protocols = params.getProtocols(); - boolean found13 = false; - for (String proto : protocols) { - if (proto.equals("TLSv1.3")) { - found13 = true; - break; - } - } - if (found13) - params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"}); - else - params.setProtocols(new String[] {"TLSv1.2"}); + SSLParameters params = ctx.getDefaultSSLParameters(); return params; }
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/jdk/java/net/httpclient/TlsContextTest.java Fri Apr 10 10:05:33 2020 +0100 @@ -0,0 +1,151 @@ +/* + * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.net.URI; +import java.net.http.HttpClient; +import java.net.http.HttpRequest; +import java.net.http.HttpResponse; +import java.util.concurrent.ExecutorService; +import java.util.concurrent.Executors; +import javax.net.ssl.SSLContext; +import jdk.test.lib.net.SimpleSSLContext; +import org.testng.annotations.AfterTest; +import org.testng.annotations.BeforeTest; +import org.testng.annotations.DataProvider; +import org.testng.annotations.Test; +import static java.lang.System.out; +import static java.net.http.HttpClient.Version; +import static java.net.http.HttpClient.Version.HTTP_1_1; +import static java.net.http.HttpClient.Version.HTTP_2; +import static java.net.http.HttpResponse.BodyHandlers.ofString; +import static org.testng.Assert.assertEquals; + +/* + * @test + * @bug 8239594 + * @summary This test verifies that the TLS version handshake respects ssl context + * @library /test/lib http2/server + * @build jdk.test.lib.net.SimpleSSLContext HttpServerAdapters TlsContextTest + * @modules java.net.http/jdk.internal.net.http.common + * java.net.http/jdk.internal.net.http.frame + * java.net.http/jdk.internal.net.http.hpack + * java.logging + * java.base/sun.net.www.http + * java.base/sun.net.www + * java.base/sun.net + * @run testng/othervm -Dtest.requiresHost=true + * -Djdk.httpclient.HttpClient.log=headers + * -Djdk.internal.httpclient.disableHostnameVerification + * -Djdk.internal.httpclient.debug=false + * TlsContextTest + */ + +public class TlsContextTest implements HttpServerAdapters { + + static HttpTestServer https2Server; + static String https2URI; + SSLContext server; + final static Integer ITERATIONS = 3; + + @BeforeTest + public void setUp() throws Exception { + server = SimpleSSLContext.getContext("TLS"); + final ExecutorService executor = Executors.newCachedThreadPool(); + https2Server = HttpTestServer.of( + new Http2TestServer("localhost", true, 0, executor, 50, null, server, true)); + https2Server.addHandler(new TlsVersionTestHandler("https", https2Server), + "/server/"); + https2Server.start(); + https2URI = "https://" + https2Server.serverAuthority() + "/server/"; + } + + @DataProvider(name = "scenarios") + public Object[][] scenarios() throws Exception { + return new Object[][]{ + { SimpleSSLContext.getContext("TLS"), HTTP_2, "TLSv1.3" }, + { SimpleSSLContext.getContext("TLSv1.2"), HTTP_2, "TLSv1.2" }, + { SimpleSSLContext.getContext("TLSv1.1"), HTTP_1_1, "TLSv1.1" }, + { SimpleSSLContext.getContext("TLSv1.1"), HTTP_2, "TLSv1.1" }, + }; + } + + /** + * Tests various scenarios between client and server tls handshake with valid http + */ + @Test(dataProvider = "scenarios") + public void testVersionProtocols(SSLContext context, + Version version, + String expectedProtocol) throws Exception { + HttpClient client = HttpClient.newBuilder() + .sslContext(context) + .version(version) + .build(); + HttpRequest request = HttpRequest.newBuilder(new URI(https2URI)) + .GET() + .build(); + for (int i = 0; i < ITERATIONS; i++) { + HttpResponse<String> response = client.send(request, ofString()); + testAllProtocols(response, expectedProtocol); + } + } + + private void testAllProtocols(HttpResponse<String> response, + String expectedProtocol) throws Exception { + String protocol = response.sslSession().get().getProtocol(); + int statusCode = response.statusCode(); + Version version = response.version(); + out.println("Got Body " + response.body()); + out.println("The protocol negotiated is :" + protocol); + assertEquals(statusCode, 200); + assertEquals(protocol, expectedProtocol); + assertEquals(version, expectedProtocol.equals("TLSv1.1") ? HTTP_1_1 : HTTP_2); + } + + @AfterTest + public void teardown() throws Exception { + https2Server.stop(); + } + + static class TlsVersionTestHandler implements HttpTestHandler { + final String scheme; + final HttpTestServer server; + + TlsVersionTestHandler(String scheme, HttpTestServer server) { + this.scheme = scheme; + this.server = server; + } + + @Override + public void handle(HttpTestExchange t) throws IOException { + try (InputStream is = t.getRequestBody(); + OutputStream os = t.getResponseBody()) { + byte[] bytes = is.readAllBytes(); + t.sendResponseHeaders(200, 10); + os.write(bytes); + } + } + } +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/jdk/java/net/httpclient/ssltest/TlsVersionTest.java Fri Apr 10 10:05:33 2020 +0100 @@ -0,0 +1,148 @@ +/* + * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +import java.io.IOException; +import java.net.URI; +import java.net.http.HttpClient; +import java.net.http.HttpRequest; +import java.net.http.HttpResponse; +import java.util.List; +import javax.net.ssl.SSLContext; +import jdk.test.lib.net.URIBuilder; +import jdk.test.lib.security.KeyEntry; +import jdk.test.lib.security.KeyStoreUtils; +import jdk.test.lib.security.SSLContextBuilder; +import static java.net.http.HttpResponse.BodyHandlers.ofString; +import static java.net.http.HttpClient.Builder.NO_PROXY; + +/* + * @test + * @bug 8239594 8239595 + * @library /test/lib + * @build Server TlsVersionTest + * @run main/othervm + * -Djdk.internal.httpclient.disableHostnameVerification + * TlsVersionTest false + * + * @run main/othervm + * -Djdk.internal.httpclient.disableHostnameVerification + * -Djdk.tls.client.protocols="TLSv1.2" + * TlsVersionTest true + */ + +/** + * The test uses a valid self-signed certificate + * that is installed in the trust store (so is trusted) and the same cert + * is supplied by the server for its own identity. + * + * The test sets the context TLS Version 1.2 for client and 1.3 + * for the server, as per the bug, the server checks for the + * negotiated protocol version, it should adhere to the protocol + * version value used in SSL Context for client and the server should + * be able to downgrade to 1.2 during the handshake. The test would + * fail if the negotiated protocol version is different from the one set in + * SSL Context for the client as it is the lower version. + */ + +public class TlsVersionTest { + + private static Cert cert; + // parameter to distinguish scenarios where system property is set and unset + static String tlsVersion; + static Server server; + static int port; + + public static void main(String[] args) throws Exception { + try { + tlsVersion = args[0]; + // certificate name set to be accepted by dummy server + cert = Cert.valueOf("LOOPBACK_CERT"); + server = new Server(getServerSSLContext(cert)); + port = server.getPort(); + test(cert); + } finally { + if (server != null) { + server.stop(); + } + } + } + + private static SSLContext getServerSSLContext(Cert cert) throws Exception { + SSLContextBuilder builder = SSLContextBuilder.builder(); + builder.trustStore( + KeyStoreUtils.createTrustStore(new String[] { cert.certStr })); + builder.keyStore(KeyStoreUtils.createKeyStore( + new KeyEntry[] { new KeyEntry(cert.keyAlgo, + cert.keyStr, new String[] { cert.certStr }) })); + builder.protocol("TLSv1.3"); + return builder.build(); + } + + private static SSLContext getClientSSLContext(Cert cert) throws Exception { + SSLContextBuilder builder = SSLContextBuilder.builder(); + builder.trustStore( + KeyStoreUtils.createTrustStore(new String[] { cert.certStr })); + builder.keyStore(KeyStoreUtils.createKeyStore( + new KeyEntry[] { new KeyEntry(cert.keyAlgo, + cert.keyStr, new String[] { cert.certStr }) })); + if(tlsVersion.equals("false")) + builder.protocol("TLSv1.2"); + return builder.build(); + } + + static void test(Cert cert) throws Exception { + URI serverURI = URIBuilder.newBuilder() + .scheme("https") + .loopback() + .port(server.getPort()) + .path("/foo") + .build(); + String error = null; + System.out.println("Making request to " + serverURI.getPath()); + SSLContext ctx = getClientSSLContext(cert); + HttpClient client = HttpClient.newBuilder() + .proxy(NO_PROXY) + .sslContext(ctx) + .build(); + + for (var version : List.of(HttpClient.Version.HTTP_2, HttpClient.Version.HTTP_1_1)) { + HttpRequest request = HttpRequest.newBuilder(serverURI) + .version(version) + .GET() + .build(); + System.out.println("Using version: " + version); + try { + HttpResponse<String> response = client.send(request, ofString()); + String protocol = response.sslSession().get().getProtocol(); + System.out.println("TLS version negotiated is: " + protocol); + if (!(protocol.equals("TLSv1.2"))) { + error = "Test failed : TLS version should be " + "TLSv1.2"; + throw new RuntimeException(error); + } + } catch (IOException e) { + System.out.println("Caught Exception " + e); + throw e; + } + } + } +}
--- a/test/lib/jdk/test/lib/net/SimpleSSLContext.java Fri Apr 10 15:05:42 2020 +0800 +++ b/test/lib/jdk/test/lib/net/SimpleSSLContext.java Fri Apr 10 10:05:33 2020 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,6 +27,7 @@ import java.io.*; import java.security.*; import java.security.cert.*; +import java.util.function.Supplier; import javax.net.ssl.*; /** @@ -50,7 +51,12 @@ * source directory */ public SimpleSSLContext() throws IOException { + this(() -> "TLS"); + } + + private SimpleSSLContext(Supplier<String> protocols) throws IOException { try { + final String proto = protocols.get(); AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { @@ -63,7 +69,7 @@ File f = new File(path, "jdk/test/lib/net/testkeys"); if (f.exists()) { try (FileInputStream fis = new FileInputStream(f)) { - init(fis); + init(fis, proto); return null; } } @@ -97,11 +103,11 @@ public SimpleSSLContext(String dir) throws IOException { String file = dir + "/testkeys"; try (FileInputStream fis = new FileInputStream(file)) { - init(fis); + init(fis, "TLS"); } } - private void init(InputStream i) throws IOException { + private void init(InputStream i, String protocol) throws IOException { try { char[] passphrase = "passphrase".toCharArray(); KeyStore ks = KeyStore.getInstance("PKCS12"); @@ -113,7 +119,7 @@ TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX"); tmf.init(ks); - ssl = SSLContext.getInstance("TLS"); + ssl = SSLContext.getInstance(protocol); ssl.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); } catch (KeyManagementException | KeyStoreException | UnrecoverableKeyException | CertificateException | @@ -122,6 +128,15 @@ } } + public static SSLContext getContext(String protocol) throws IOException { + if(protocol == null || protocol.isEmpty()) { + return new SimpleSSLContext().get(); + } + else { + return new SimpleSSLContext(() -> protocol).get(); + } + } + public SSLContext get() { return ssl; }