make ssl custom ciphers and protocols work with all versions

sscarduzio · sscarduzio · commit 1415b342de7c · 2017-12-19T15:36:12.000-06:00
diff --git a/es23x/src/main/java/tech/beshu/ror/es/SSLTransport.java b/es23x/src/main/java/tech/beshu/ror/es/SSLTransport.java
@@ -21,8 +21,8 @@
  * Created by sscarduzio on 28/11/2016.
  */
 
+import cz.seznam.euphoria.shaded.guava.com.google.common.base.Joiner;
 import org.elasticsearch.common.inject.Inject;
-import org.elasticsearch.common.logging.Loggers;
 import org.elasticsearch.common.network.NetworkService;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.BigArrays;
@@ -33,11 +33,11 @@
 import org.jboss.netty.handler.ssl.SslContext;
 import tech.beshu.ror.commons.SSLCertParser;
 import tech.beshu.ror.commons.settings.BasicSettings;
-import tech.beshu.ror.commons.settings.RawSettings;
 import tech.beshu.ror.commons.shims.es.LoggerShim;
 import tech.beshu.ror.commons.utils.TempFile;
 
 import java.io.File;
+import java.util.List;
 import java.util.Optional;
 
 public class SSLTransport extends NettyHttpServerTransport {
@@ -72,16 +72,30 @@ public HttpSslChannelPipelineFactory(NettyHttpServerTransport transport) {
         try {
           File chainFile = TempFile.newFile("fullchain", "pem", certChain);
           File privatekeyFile = TempFile.newFile("privkey", "pem", privateKey);
-
-          if (sslSettings.getAllowedSSLProtocols().isPresent() ||sslSettings.getAllowedSSLCiphers().isPresent()) {
-            logger.error("ROR SSL: setting accepted protocols or ciphers not available for ES < 6.0!");
-//            List<String> protocols = basicSettings.getAllowedSSLProtocols().get();
-//            sslcb.protocols(basicSettings.getAllowedSSLProtocols().get().toArray(new String[protocols.size()]));
-//            logger.info("ROR SSL accepted protocols: " + Joiner.on(",").join(protocols));
+          List<String> ciphers = sslSettings.getAllowedSSLCiphers().orElse(null);
+          List<String> protocols = sslSettings.getAllowedSSLProtocols().orElse(null);
+
+          SslContext sslContext = SslContext.newServerContext(
+            null,
+            null,
+            chainFile,
+            privatekeyFile,
+            null,
+            ciphers,
+            protocols,
+            0, 0
+          );
+
+          if (ciphers != null) {
+            logger.info("ROR SSL accepted ciphers: " + Joiner.on(",").join(ciphers));
+          }
+          if (protocols != null) {
+            logger.info("ROR SSL accepted protocols: " + Joiner.on(",").join(protocols));
           }
 
+
           // #TODO expose configuration of sslPrivKeyPem password? Letsencrypt never sets one..
-          context = Optional.of(SslContext.newServerContext(chainFile, privatekeyFile, null));
+          context = Optional.of(sslContext);
 
         } catch (Exception e) {
           context = Optional.empty();
diff --git a/es51x/src/main/java/tech/beshu/ror/es/SSLTransportNetty4.java b/es51x/src/main/java/tech/beshu/ror/es/SSLTransportNetty4.java
@@ -21,9 +21,11 @@
  * Created by sscarduzio on 28/11/2016.
  */
 
+import cz.seznam.euphoria.shaded.guava.com.google.common.base.Joiner;
 import io.netty.channel.Channel;
 import io.netty.channel.ChannelHandler;
 import io.netty.channel.ChannelHandlerContext;
+import io.netty.handler.ssl.ApplicationProtocolConfig;
 import io.netty.handler.ssl.NotSslRecordException;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
@@ -36,11 +38,11 @@
 import org.elasticsearch.threadpool.ThreadPool;
 import tech.beshu.ror.commons.SSLCertParser;
 import tech.beshu.ror.commons.settings.BasicSettings;
-import tech.beshu.ror.commons.settings.RawSettings;
 import tech.beshu.ror.commons.shims.es.LoggerShim;
 
 import java.io.ByteArrayInputStream;
 import java.nio.charset.StandardCharsets;
+import java.util.List;
 import java.util.Optional;
 
 public class SSLTransportNetty4 extends Netty4HttpServerTransport {
@@ -76,7 +78,9 @@ protected void exceptionCaught(final ChannelHandlerContext ctx, final Throwable
   }
 
   public ChannelHandler configureServerChannelHandler() {
-    return new SSLHandler(this);
+    SSLHandler handler = new SSLHandler(this);
+    logger.info("ROR SSL accepted ciphers: " + Joiner.on(",").join(handler.context.get().cipherSuites()));
+    return handler;
   }
 
   private class SSLHandler extends Netty4HttpServerTransport.HttpChannelHandler {
@@ -86,13 +90,31 @@ private class SSLHandler extends Netty4HttpServerTransport.HttpChannelHandler {
       super(transport, SSLTransportNetty4.this.detailedErrorsEnabled, SSLTransportNetty4.this.threadPool.getThreadContext());
 
       new SSLCertParser(basicSettings, logger, (certChain, privateKey) -> {
+
         try {
           // #TODO expose configuration of sslPrivKeyPem password? Letsencrypt never sets one..
-          context = Optional.of(SslContextBuilder.forServer(
+          SslContextBuilder sslcb = SslContextBuilder.forServer(
             new ByteArrayInputStream(certChain.getBytes(StandardCharsets.UTF_8)),
             new ByteArrayInputStream(privateKey.getBytes(StandardCharsets.UTF_8)),
             null
-          ).build());
+          );
+
+          if (basicSettings.getAllowedSSLCiphers().isPresent()) {
+            sslcb.ciphers(basicSettings.getAllowedSSLCiphers().get());
+          }
+
+          if (basicSettings.getAllowedSSLProtocols().isPresent()) {
+            List<String> protocols = basicSettings.getAllowedSSLProtocols().get();
+            sslcb.applicationProtocolConfig(new ApplicationProtocolConfig(
+              ApplicationProtocolConfig.Protocol.NPN_AND_ALPN,
+              ApplicationProtocolConfig.SelectorFailureBehavior.CHOOSE_MY_LAST_PROTOCOL,
+              ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
+              protocols
+            ));
+            logger.info("ROR SSL accepted protocols: " + Joiner.on(",").join(protocols));
+          }
+
+          context = Optional.of(sslcb.build());
         } catch (Exception e) {
           context = Optional.empty();
           logger.error("Failed to load SSL CertChain & private key from Keystore!");
diff --git a/es52x/src/main/java/tech/beshu/ror/es/SSLTransportNetty4.java b/es52x/src/main/java/tech/beshu/ror/es/SSLTransportNetty4.java
@@ -25,6 +25,7 @@
 import io.netty.channel.Channel;
 import io.netty.channel.ChannelHandler;
 import io.netty.channel.ChannelHandlerContext;
+import io.netty.handler.ssl.ApplicationProtocolConfig;
 import io.netty.handler.ssl.NotSslRecordException;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
@@ -42,6 +43,7 @@
 
 import java.io.ByteArrayInputStream;
 import java.nio.charset.StandardCharsets;
+import java.util.List;
 import java.util.Optional;
 
 public class SSLTransportNetty4 extends Netty4HttpServerTransport {
@@ -102,10 +104,15 @@ private class SSLHandler extends Netty4HttpServerTransport.HttpChannelHandler {
           }
 
           if (basicSettings.getAllowedSSLProtocols().isPresent()) {
-            logger.error("ROR SSL: setting accepted protocols not available for ES < 6.0!");
-//            List<String> protocols = basicSettings.getAllowedSSLProtocols().get();
-//            sslcb.protocols(basicSettings.getAllowedSSLProtocols().get().toArray(new String[protocols.size()]));
-//            logger.info("ROR SSL accepted protocols: " + Joiner.on(",").join(protocols));
+            List<String> protocols = basicSettings.getAllowedSSLProtocols().get();
+            sslcb.applicationProtocolConfig(new ApplicationProtocolConfig(
+              ApplicationProtocolConfig.Protocol.NPN_AND_ALPN,
+              ApplicationProtocolConfig.SelectorFailureBehavior.CHOOSE_MY_LAST_PROTOCOL,
+              ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
+              protocols
+            ));
+
+            logger.info("ROR SSL accepted protocols: " + Joiner.on(",").join(protocols));
           }
 
           context = Optional.of(sslcb.build());
diff --git a/es53x/src/main/java/tech/beshu/ror/es/SSLTransportNetty4.java b/es53x/src/main/java/tech/beshu/ror/es/SSLTransportNetty4.java
@@ -25,6 +25,7 @@
 import io.netty.channel.Channel;
 import io.netty.channel.ChannelHandler;
 import io.netty.channel.ChannelHandlerContext;
+import io.netty.handler.ssl.ApplicationProtocolConfig;
 import io.netty.handler.ssl.NotSslRecordException;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
@@ -42,6 +43,7 @@
 
 import java.io.ByteArrayInputStream;
 import java.nio.charset.StandardCharsets;
+import java.util.List;
 import java.util.Optional;
 
 public class SSLTransportNetty4 extends Netty4HttpServerTransport {
@@ -102,11 +104,17 @@ private class SSLHandler extends Netty4HttpServerTransport.HttpChannelHandler {
           }
 
           if (basicSettings.getAllowedSSLProtocols().isPresent()) {
-            logger.error("ROR SSL: setting accepted protocols not available for ES < 6.0!");
-//            List<String> protocols = basicSettings.getAllowedSSLProtocols().get();
-//            sslcb.protocols(basicSettings.getAllowedSSLProtocols().get().toArray(new String[protocols.size()]));
-//            logger.info("ROR SSL accepted protocols: " + Joiner.on(",").join(protocols));
+            List<String> protocols = basicSettings.getAllowedSSLProtocols().get();
+            sslcb.applicationProtocolConfig(new ApplicationProtocolConfig(
+              ApplicationProtocolConfig.Protocol.NPN_AND_ALPN,
+              ApplicationProtocolConfig.SelectorFailureBehavior.CHOOSE_MY_LAST_PROTOCOL,
+              ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
+              protocols
+            ));
+
+            logger.info("ROR SSL accepted protocols: " + Joiner.on(",").join(protocols));
           }
+
           SslContext sslContext = sslcb.build();
           context = Optional.of(sslContext);
 
