NettyWebServer uses a deprecated constructor for JdkSslContext

[pejomstd]

Environment Details

• Helidon Version: 1.0.1
• Helidon SE
• JDK version: irrelevant
• OS: irrelevant
• Docker version (if applicable): irrelevant

---

Problem Description

We would like to use Helidon, but with a restricted TLS version (1.2). Helidon does not allow this, and also uses a deprecated constructor of JdkSslContext in NettyWebServer.java.
Please change to use the non deprecated constructor, and also make it configurable which protocols to enable / use

Steps to reproduce

"Step by step instructions to reproduce the problem"

Start WebServer,
do openssl s_client -connect localhost:port -tls1, this should fail if setup with "TLSv1.2"

[kallekarlberg]

Should this not be considered a bug?

[romain-grecourt]

Helidon 1.0.1 uses Netty 4.1.30.Final, the JdkSslContext constructor used in NettyWebServer is not deprecated in 4.1.30.Final, but is deprecated in 4.1.31.Final.

I wouldn't call this a bug, it feels more like a request for enhancement.

@tomas-langer @spericas thoughts ?

[kallekarlberg]

Ok, you don't have to call it a bug :-)

However this prevents us from using helidon in production :-( as security auditors will find this and say: "please disable TLS 1.0 on port X" And currenly we can't as fiddling in java.security jre/jdk files is not a viable option to use

[pejomstd]

I would suggest,
upgrade to Netty 4.1.31.Final or later,

Change NettyWebserver.java

From:

sslContext = new JdkSslContext(soConfig.ssl(), false, ClientAuth.NONE);

to

sslContext = new JdkSslContext(
	sslContext, 
	isClient, 
	null, 
	IdentityCipherSuiteFilter.INSTANCE,
    JdkDefaultApplicationProtocolNegotiator.INSTANCE, 
	clientAuth, 
	config.enabledSslProtocols(), 
	false
	);

And support for adding protocol(s) in ServerConfiguration like:

ServerConfiguration serverConfiguration = ServerConfiguration.builder()
                .bindAddress(bindAddress)
                .port(1234)
                .ssl(sslContext)
.enabledSslProtocols("TLSv1.2") // vararg String...

And use this when spawning up

[pejomstd]

Any chance this will be released soon?

[romain-grecourt]

This will be part of the next release, most likely next week or so.

[pejomstd]

seems like the suggested implementation was not kept when moving this to #530.

It now requires to load a config object just to get this feature, as it seems hidden deep insite ServerConfigurationBuilder and no obvious way to do this porgrammatically. Or did I miss something?

[romain-grecourt]

Most of the suggested implementation was kept, except the attribute changed from String[] to a Set<String> and config mapping was added.

However I forgot to add a new method to ServerConfiguration.Builder (oops), this is a bug that will be fixed promptly.

Basically this means that in v1.0.3 you can't set the SSL enabled protocols for the default socket programmatically.

You can do it with configuration like this:

server:
  port: 8080
  host: 0.0.0.0
  ssl-protocols:
    - "TLSv1.2"
  ssl:
    private-key:
      keystore-resource-path: "xxx"
      keystore-passphrase: "xxx"

You can also configure an additional socket for SSL, programmatically or by config:

ServerConfiguration serverConfig = ServerConfiguration.builder()
        .addSocket("secure", SocketConfiguration.builder()
                .port(8081)
                .enabledSSlProtocols("TLSv1.2"))
        .build(); 

server:
  port: 8080
  host: 0.0.0.0
  sockets:
    secure:
      port: 8082
      host: 0.0.0.0
      ssl-protocols:
        - "TLSv1.2"
      ssl:
        private-key:
          keystore-resource-path: "xxx"
          keystore-passphrase: "xxx"

Note the inconsistency in the configuration with "ssl-protocols" and "ssl". We will re-work the SSL configuration sometime soon to address that and the way to configure the SSL enabled protocols will change then.