How to specify enabled protocols?

[woj-tek]

I'm trying to set enabled protocols but I can't make it work. Sample code:

SSLFactory.Builder sslFactoryBuilder = SSLFactory.builder()
		.withDefaultTrustMaterial()
		.withProtocols("TLSv1.2")
		.withSslContextAlgorithm("TLS");

System.out.println(sslFactoryBuilder.build().getProtocols());

SSLContext context = sslFactoryBuilder.build().getSslContext();
System.out.println(Arrays.toString(context.createSSLEngine().getEnabledProtocols()));

results in:

[TLSv1.2]
[TLSv1.3, TLSv1.2]

So it seems that .withProtocols() correctly sets the protocols, but it's ignored the actual SSLContext.

Am I doing anything wrong?

[Hakky54]

These options are a bit tricky to be honest. It is not possible to adjust the protocols of the sslcontext with the sslfactory builder protocol option as the sslcontext has no option to modify those properties. The only way I could manupulate it was by creating a custom SSLContextSpi under the covers. I tried that in the past, but it is difficult.

However some objects are possible to modify and luckily SSLFactory will provide those. The SSLSocketFactory, SSLServerSocketFactory and SSLEngine have the adjusted protocols. See here for an example:

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSocket;
import java.io.IOException;
import java.util.Arrays;

public class App {

    public static void main(String[] args) throws IOException {
        SSLFactory sslFactory = SSLFactory.builder()
                .withDefaultTrustMaterial()
                .withProtocols("TLSv1.3")
                .build();

        System.out.println("SSLFactory");
        System.out.println(sslFactory.getProtocols());

        System.out.println("SSLContext");
        System.out.println(Arrays.toString(sslFactory.getSslContext().getDefaultSSLParameters().getProtocols()));
        System.out.println(Arrays.toString(sslFactory.getSslContext().getSupportedSSLParameters().getProtocols()));

        System.out.println("SSLSocket");
        SSLSocket socket = (SSLSocket) sslFactory.getSslSocketFactory().createSocket();
        System.out.println(Arrays.toString(socket.getSupportedProtocols()));
        System.out.println(Arrays.toString(socket.getEnabledProtocols()));

        System.out.println("SSLEngine");
        SSLEngine sslEngine = sslFactory.getSSLEngine();
        System.out.println(Arrays.toString(sslEngine.getSupportedProtocols()));
        System.out.println(Arrays.toString(sslEngine.getEnabledProtocols()));
    }

}

And the output:

SSLFactory
[TLSv1.3]
SSLContext
[TLSv1.3, TLSv1.2]
[TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2Hello]
SSLSocket
[TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2Hello]
[TLSv1.3]
SSLEngine
[TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2Hello]
[TLSv1.3]

The method getEnabledProtocols() should return the configured protocol, in this case TLSv1.3 and as you can see the SSLSocket from the SSLSocketFactory and SSLEngine are returning that value.

So if you are able to use SSLSocketFactory/SSLSocket or SSLEngine then it will work. If you only want to use SSLContext then it is very limited to what you can adjust. So if you want only TLSv1.2 for the SSLContext, then you should do something like this:

import java.io.IOException;
import java.util.Arrays;

public class App {

    public static void main(String[] args) throws IOException {
        SSLFactory sslFactory = SSLFactory.builder()
                .withDefaultTrustMaterial()
                .withSslContextAlgorithm("TLSv1.2")
                .build();

        System.out.println("SSLContext");
        System.out.println(Arrays.toString(sslFactory.getSslContext().getDefaultSSLParameters().getProtocols()));
        System.out.println(Arrays.toString(sslFactory.getSslContext().getSupportedSSLParameters().getProtocols()));
    }

}

which outputs:

SSLContext
[TLSv1.2]
[TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2Hello]

As you can see it will have TLSv1.2 configured. However if you adjust the withSslContextAlgorithm to TLSv1.3, then it will have the following output:

SSLContext
[TLSv1.3, TLSv1.2]
[TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2Hello]

I saw on your code snippet that you are using the SSLContext to create the SSLEngine, I would advice to call the SSLEngine of the SSLFactory as shown in my code examples to create the SSLEngine with the specified protocol. Can you give it a try on your side?

[Hakky54]

I also found now a way to do it with the SSLContext objects itself, but still refactoring it and testing it, see here for the changes: #360
Meanwhile I will wait for your input regarding my message of earlier.

[woj-tek]

Hi @Hakky54 and thanks for the detailed response.

• .withSslContextAlgorithm() felt like a solution, but unfortunately it only allows single algorithm
• sslFactory.getSSLEngine(); gives you single engine so that falls short if you need multiple of them.

I just noticed the same problem with .withNeedClientAuthentication() and .withWantClientAuthentication(), though in this case even engine directly obtained (sslFactoryBuilder.build().getSSLEngine()) doesn't have correct values.

IMHO, if there is a way to make it work directly (as noted in #360 - from the cursory look it looks promising) it would be splendid.

[Hakky54]

sslFactory.getSSLEngine(); will create a new instance of the SSLEngine every time that method is being called. Please have a look at the different hashcodes.

The withSslContextAlgorithm() is just a way to configure the underlying SSLContext Algorithm and only accepts a single argument. That is how the developers of Java have designed it and I can understand that it might be confusing. The actual adjustments to the protocols can be done via the protocols method of the SSLFactory, which will create a SSLParameters object which will be used in SSLContext, SSLSocket, SSLSocketFactory, SSLServerSocketFactory and SSLEngine.

I just noticed the same problem with .withNeedClientAuthentication() and .withWantClientAuthentication(), though in this case even engine directly obtained (sslFactoryBuilder.build().getSSLEngine()) doesn't have correct values.

Do you mean with the exsiting latest version? I have run a test and the values are consitent through out all of the objects, see also this comment here: #360 (comment)

Can you maybe try it out locally on your side, by forking it building it locally and using the snapshot version on your machine for your project?

[woj-tek]

sslFactory.getSSLEngine(); will create a new instance of the SSLEngine every time that method is being called. Please have a look at the different hashcodes.

Yes, I meant if you need multiple of them then adjusting each engine requires additional code (sslEngine.setEnabledProtocols())

The actual adjustments to the protocols can be done via the protocols method of the SSLFactory, which will create a SSLParameters object which will be used in SSLContext, SSLSocket, SSLSocketFactory, SSLServerSocketFactory and SSLEngine.

You mean SSLFactory.builder().withProtocols(…)? But as discussed - it's not exactly resulting in those protocols being enabled/available in created Engine

Do you mean with the exsiting latest version?

8.1.1, though after your comment I checked 8.1.2 with same result. I'll take a look at the PR and comments there.

EDIT: with 8.1.2 .withNeedClientAuthentication() seems to be working fine, odd...

EDIT2: tested 8.1.3-SNAPSHOT from PR #360 branch and sslFactoryBuilder.build().getSslContext().createSSLEngine() now gives expected results! Perfect! 🎉

[Hakky54]

Awesome, thank you for confirming that the PR is providing what you are seeking for. I will merge it and make a release soon.