/*
 * JBoss, Home of Professional Open Source.
 * Copyright 2014 Red Hat, Inc., and individual contributors
 * as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */

package io.undertow.server.protocol.http;

import java.nio.BufferUnderflowException;
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;

SSLEngine that will limit the cipher selection to HTTP/2 suitable protocols if the client is offering h2 as an option.

In theory this is not a perfect solution to the HTTP/2 cipher strength issue, but in practice it should be sufficent as any RFC compliant implementation should be able to negotiate TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Author:Stuart Douglas
/** * SSLEngine that will limit the cipher selection to HTTP/2 suitable protocols if the client is offering h2 as an option. * <p> * In theory this is not a perfect solution to the HTTP/2 cipher strength issue, but in practice it should be sufficent * as any RFC compliant implementation should be able to negotiate TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 * * @author Stuart Douglas */
public class ALPNLimitingSSLEngine extends SSLEngine { private final SSLEngine delegate; private final Runnable invalidAlpnRunnable; private boolean done; public ALPNLimitingSSLEngine(SSLEngine delegate, Runnable invalidAlpnRunnable) { this.delegate = delegate; this.invalidAlpnRunnable = invalidAlpnRunnable; } @Override public String getPeerHost() { return delegate.getPeerHost(); } @Override public int getPeerPort() { return delegate.getPeerPort(); } @Override public SSLEngineResult wrap(ByteBuffer src, ByteBuffer dst) throws SSLException { return delegate.wrap(src, dst); } @Override public SSLEngineResult wrap(ByteBuffer[] srcs, ByteBuffer dst) throws SSLException { return wrap(srcs, 0, srcs.length, dst); } @Override public SSLEngineResult unwrap(ByteBuffer src, ByteBuffer dst) throws SSLException { if (done) { return delegate.unwrap(src, dst); } try { List<Integer> clientCiphers = ALPNOfferedClientHelloExplorer.parseClientHello(src); if (clientCiphers != null) { limitCiphers(clientCiphers); done = true; } else { done = true; } } catch (BufferUnderflowException e) { return new SSLEngineResult(SSLEngineResult.Status.BUFFER_UNDERFLOW, SSLEngineResult.HandshakeStatus.NEED_UNWRAP, 0, 0); } return delegate.unwrap(src, dst); } private void limitCiphers(List<Integer> clientCiphers) { boolean clientIsCompliant = false; for (int cipher : clientCiphers) { if (cipher == 0xC02F) { //TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, required to be offered by spec clientIsCompliant = true; } } if (!clientIsCompliant) { invalidAlpnRunnable.run(); } else { List<String> ciphers = new ArrayList<>(); for (String cipher : delegate.getEnabledCipherSuites()) { if (ALPNBannedCiphers.isAllowed(cipher)) { ciphers.add(cipher); } } delegate.setEnabledCipherSuites(ciphers.toArray(new String[ciphers.size()])); } } @Override public SSLEngineResult unwrap(ByteBuffer src, ByteBuffer[] dsts) throws SSLException { return unwrap(src, dsts, 0, dsts.length); } @Override public SSLSession getHandshakeSession() { return delegate.getHandshakeSession(); } @Override public SSLParameters getSSLParameters() { return delegate.getSSLParameters(); } @Override public void setSSLParameters(final SSLParameters sslParameters) { delegate.setSSLParameters(sslParameters); } @Override public SSLEngineResult wrap(ByteBuffer[] srcs, int off, int len, ByteBuffer dst) throws SSLException { return delegate.wrap(srcs, off, len, dst); } @Override public SSLEngineResult unwrap(ByteBuffer byteBuffer, ByteBuffer[] byteBuffers, int i, int i1) throws SSLException { if (done) { return delegate.unwrap(byteBuffer, byteBuffers, i, i1); } try { List<Integer> clientCiphers = ALPNOfferedClientHelloExplorer.parseClientHello(byteBuffer); if (clientCiphers != null) { limitCiphers(clientCiphers); done = true; } else { done = true; } } catch (BufferUnderflowException e) { return new SSLEngineResult(SSLEngineResult.Status.BUFFER_UNDERFLOW, SSLEngineResult.HandshakeStatus.NEED_UNWRAP, 0, 0); } return delegate.unwrap(byteBuffer, byteBuffers, i, i1); } @Override public Runnable getDelegatedTask() { return delegate.getDelegatedTask(); } @Override public void closeInbound() throws SSLException { delegate.closeInbound(); } @Override public boolean isInboundDone() { return delegate.isInboundDone(); } @Override public void closeOutbound() { delegate.closeOutbound(); } @Override public boolean isOutboundDone() { return delegate.isOutboundDone(); } @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); } @Override public String[] getEnabledCipherSuites() { return delegate.getEnabledCipherSuites(); } @Override public void setEnabledCipherSuites(final String[] strings) { delegate.setEnabledCipherSuites(strings); } @Override public String[] getSupportedProtocols() { return delegate.getSupportedProtocols(); } @Override public String[] getEnabledProtocols() { return delegate.getEnabledProtocols(); } @Override public void setEnabledProtocols(final String[] strings) { delegate.setEnabledProtocols(strings); } @Override public SSLSession getSession() { return delegate.getSession(); } @Override public void beginHandshake() throws SSLException { delegate.beginHandshake(); } @Override public SSLEngineResult.HandshakeStatus getHandshakeStatus() { return delegate.getHandshakeStatus(); } @Override public void setUseClientMode(boolean b) { if (b) { throw new IllegalArgumentException(); } } @Override public boolean getUseClientMode() { return delegate.getUseClientMode(); } @Override public void setNeedClientAuth(final boolean b) { delegate.setNeedClientAuth(b); } @Override public boolean getNeedClientAuth() { return delegate.getNeedClientAuth(); } @Override public void setWantClientAuth(final boolean b) { delegate.setWantClientAuth(b); } @Override public boolean getWantClientAuth() { return delegate.getWantClientAuth(); } @Override public void setEnableSessionCreation(final boolean b) { delegate.setEnableSessionCreation(b); } @Override public boolean getEnableSessionCreation() { return delegate.getEnableSessionCreation(); } }