Re: [PR] RATIS-2064. Bump Netty to 4.1.109 [ratis-thirdparty]

Mon, 29 Apr 2024 10:45:15 -0700 


adoroszlai commented on code in PR #50:
URL: https://github.com/apache/ratis-thirdparty/pull/50#discussion_r1583475107


##########
test/src/main/java/org/apache/ratis/thirdparty/demo/common/SslConfig.java:
##########
@@ -24,15 +24,23 @@
 public class SslConfig {
   // TODO: allow configure cipher suites
   private final List<String> tlsCipherSuitesWithEncryption = 
Collections.unmodifiableList(Arrays.asList(
+      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
       "TLS_RSA_WITH_AES_128_GCM_SHA256",
       "TLS_RSA_WITH_AES_128_CBC_SHA",
-      "SSL_RSA_WITH_3DES_EDE_CBC_SHA"));
-
-  // "RSA" in this case refers to the key exchange algorithm,
-  // "SHA" refers to the message digest algorithm to provide integrity
-  // "NULL" is the encryption algorithm, to disable encryption.
-  // TODO: support NULL cipher from tcnative
-  private final List<String> tlsCipherSuitesNoEncryption = 
Collections.singletonList("TLS_RSA_WITH_AES_128_GCM_SHA256");
+      "TLS_RSA_WITH_AES_256_CBC_SHA",
+      "TLS_AES_128_GCM_SHA256",
+      "TLS_AES_256_GCM_SHA384",
+      "TLS_AES_128_GCM_SHA256",
+      "TLS_AES_256_GCM_SHA384",
+      "TLS_AES_128_GCM_SHA256",
+      "TLS_AES_256_GCM_SHA384",
+      "TLS_CHACHA20_POLY1305_SHA256"

Review Comment:
   I took the list from this log message emitted by Netty during the test:
   
   ```
   [main] DEBUG ssl.OpenSsl (OpenSsl.java:<clinit>(402)) - Default cipher 
suites (OpenSSL): [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, 
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, 
TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, 
TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, 
TLS_CHACHA20_POLY1305_SHA256]
   ```
   
   I don't know why the old list (particularly the `NoEncryption` one) wouldn't 
work.  The list of default ciphers is the same for both versions.
   
   The following mapping is no longer present with new Netty:
   
   ```
   [main] DEBUG ssl.CipherSuiteConverter 
(CipherSuiteConverter.java:cacheFromOpenSsl(352)) - Cipher suite mapping: 
TLS_RSA_WITH_3DES_EDE_CBC_SHA => DES-CBC3-SHA
   [main] DEBUG ssl.CipherSuiteConverter 
(CipherSuiteConverter.java:cacheFromOpenSsl(353)) - Cipher suite mapping: 
SSL_RSA_WITH_3DES_EDE_CBC_SHA => DES-CBC3-SHA
   ```
   
   so I first removed that from the original list, but that would not fix the 
problem.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to