Introduce AHCConfig#isFilterInsecureCipherSuites, close AsyncHttpClient#1510

Motivation:

Some use cases don’t care much about security (load testing, web
crawling). Those users don’t understand that their security is broken,
while their website can be displayed in web browsers and other user
agents.

Modifications:

Introduce a new config option that bypasses insecured and weak cipher
suites filtering done in Netty.

Result:

It’s now possible to lower security. Use at own risks thought!

Author: slandelle

client/src/main/java/org/asynchttpclient/AsyncHttpClientConfig.java

@@ -238,6 +238,11 @@ public interface AsyncHttpClientConfig {
    */
   String[] getEnabledCipherSuites();
 
+  /**
+   * @return if insecured cipher suites must be filtered out (only used when not explicitly passing enabled cipher suites)
+   */
+  boolean isFilterInsecureCipherSuites();
+
   /**
    * @return the size of the SSL session cache, 0 means using the default value
    */

client/src/main/java/org/asynchttpclient/DefaultAsyncHttpClientConfig.java

@@ -93,6 +93,7 @@ public class DefaultAsyncHttpClientConfig implements AsyncHttpClientConfig {
   private final int handshakeTimeout;
   private final String[] enabledProtocols;
   private final String[] enabledCipherSuites;
+  private final boolean filterInsecureCipherSuites;
   private final int sslSessionCacheSize;
   private final int sslSessionTimeout;
   private final SslContext sslContext;
@@ -170,6 +171,7 @@ private DefaultAsyncHttpClientConfig(// http
                                        int handshakeTimeout,
                                        String[] enabledProtocols,
                                        String[] enabledCipherSuites,
+                                       boolean filterInsecureCipherSuites,
                                        int sslSessionCacheSize,
                                        int sslSessionTimeout,
                                        SslContext sslContext,
@@ -255,6 +257,7 @@ private DefaultAsyncHttpClientConfig(// http
     this.handshakeTimeout = handshakeTimeout;
     this.enabledProtocols = enabledProtocols;
     this.enabledCipherSuites = enabledCipherSuites;
+    this.filterInsecureCipherSuites = filterInsecureCipherSuites;
     this.sslSessionCacheSize = sslSessionCacheSize;
     this.sslSessionTimeout = sslSessionTimeout;
     this.sslContext = sslContext;
@@ -484,6 +487,11 @@ public String[] getEnabledCipherSuites() {
     return enabledCipherSuites;
   }
 
+  @Override
+  public boolean isFilterInsecureCipherSuites() {
+    return filterInsecureCipherSuites;
+  }
+
   @Override
   public int getSslSessionCacheSize() {
     return sslSessionCacheSize;
@@ -689,6 +697,7 @@ public static class Builder {
     private int handshakeTimeout = defaultHandshakeTimeout();
     private String[] enabledProtocols = defaultEnabledProtocols();
     private String[] enabledCipherSuites = defaultEnabledCipherSuites();
+    private boolean filterInsecureCipherSuites = defaultFilterInsecureCipherSuites();
     private int sslSessionCacheSize = defaultSslSessionCacheSize();
     private int sslSessionTimeout = defaultSslSessionTimeout();
     private SslContext sslContext;
@@ -766,6 +775,7 @@ public Builder(AsyncHttpClientConfig config) {
       handshakeTimeout = config.getHandshakeTimeout();
       enabledProtocols = config.getEnabledProtocols();
       enabledCipherSuites = config.getEnabledCipherSuites();
+      filterInsecureCipherSuites = config.isFilterInsecureCipherSuites();
       sslSessionCacheSize = config.getSslSessionCacheSize();
       sslSessionTimeout = config.getSslSessionTimeout();
       sslContext = config.getSslContext();
@@ -1010,6 +1020,11 @@ public Builder setEnabledCipherSuites(String[] enabledCipherSuites) {
       return this;
     }
 
+    public Builder setFilterInsecureCipherSuites(boolean filterInsecureCipherSuites) {
+      this.filterInsecureCipherSuites = filterInsecureCipherSuites;
+      return this;
+    }
+
     public Builder setSslSessionCacheSize(Integer sslSessionCacheSize) {
       this.sslSessionCacheSize = sslSessionCacheSize;
       return this;
@@ -1225,6 +1240,7 @@ public DefaultAsyncHttpClientConfig build() {
               handshakeTimeout,
               enabledProtocols,
               enabledCipherSuites,
+              filterInsecureCipherSuites,
               sslSessionCacheSize,
               sslSessionTimeout,
               sslContext,

client/src/main/java/org/asynchttpclient/config/AsyncHttpClientConfigDefaults.java

@@ -34,6 +34,7 @@ public final class AsyncHttpClientConfigDefaults {
   public static final String USER_AGENT_CONFIG = "userAgent";
   public static final String ENABLED_PROTOCOLS_CONFIG = "enabledProtocols";
   public static final String ENABLED_CIPHER_SUITES_CONFIG = "enabledCipherSuites";
+  public static final String FILTER_INSECURE_CIPHER_SUITES_CONFIG = "filterInsecureCipherSuites";
   public static final String USE_PROXY_SELECTOR_CONFIG = "useProxySelector";
   public static final String USE_PROXY_PROPERTIES_CONFIG = "useProxyProperties";
   public static final String VALIDATE_RESPONSE_HEADERS_CONFIG = "validateResponseHeaders";
@@ -144,6 +145,10 @@ public static String[] defaultEnabledCipherSuites() {
     return AsyncHttpClientConfigHelper.getAsyncHttpClientConfig().getStringArray(ASYNC_CLIENT_CONFIG_ROOT + ENABLED_CIPHER_SUITES_CONFIG);
   }
 
+  public static boolean defaultFilterInsecureCipherSuites() {
+    return AsyncHttpClientConfigHelper.getAsyncHttpClientConfig().getBoolean(ASYNC_CLIENT_CONFIG_ROOT + FILTER_INSECURE_CIPHER_SUITES_CONFIG);
+  }
+
   public static boolean defaultUseProxySelector() {
     return AsyncHttpClientConfigHelper.getAsyncHttpClientConfig().getBoolean(ASYNC_CLIENT_CONFIG_ROOT + USE_PROXY_SELECTOR_CONFIG);
   }

client/src/main/java/org/asynchttpclient/netty/ssl/DefaultSslEngineFactory.java

@@ -20,14 +20,33 @@
 import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
 import org.asynchttpclient.AsyncHttpClientConfig;
 
+import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLException;
 import java.util.Arrays;
+import java.util.List;
 
 import static org.asynchttpclient.util.MiscUtils.isNonEmpty;
 
 public class DefaultSslEngineFactory extends SslEngineFactoryBase {
 
+  // TODO replace with a custom CipherSuiteFilter once https://github.com/netty/netty/issues/7673 is fixed
+  private static final List<String> JDK_SUPPORTED_CIPHER_SUITES;
+
+  static {
+    SSLContext context;
+    try {
+      context = SSLContext.getInstance("TLS");
+      context.init(null, null, null);
+    } catch (Exception e) {
+      throw new Error("Failed to initialize the default SSL context", e);
+    }
+
+    SSLEngine engine = context.createSSLEngine();
+
+    JDK_SUPPORTED_CIPHER_SUITES = Arrays.asList(engine.getSupportedCipherSuites());
+  }
+
   private volatile SslContext sslContext;
 
   private SslContext buildSslContext(AsyncHttpClientConfig config) throws SSLException {
@@ -46,6 +65,8 @@ private SslContext buildSslContext(AsyncHttpClientConfig config) throws SSLExcep
 
     if (isNonEmpty(config.getEnabledCipherSuites())) {
       sslContextBuilder.ciphers(Arrays.asList(config.getEnabledCipherSuites()));
+    } else if (!config.isFilterInsecureCipherSuites() && !config.isUseOpenSsl()) {
+      sslContextBuilder.ciphers(JDK_SUPPORTED_CIPHER_SUITES);
     }
 
     if (config.isUseInsecureTrustManager()) {

extras/typesafeconfig/src/main/java/org/asynchttpclient/extras/typesafeconfig/AsyncHttpClientTypesafeConfig.java

@@ -208,6 +208,11 @@ public String[] getEnabledCipherSuites() {
     return getListOpt(ENABLED_CIPHER_SUITES_CONFIG).map(list -> list.toArray(new String[0])).orElse(defaultEnabledCipherSuites());
   }
 
+  @Override
+  public boolean isFilterInsecureCipherSuites() {
+    return getBooleanOpt(FILTER_INSECURE_CIPHER_SUITES_CONFIG).orElse(defaultFilterInsecureCipherSuites());
+  }
+
   @Override
   public int getSslSessionCacheSize() {
     return getIntegerOpt(SSL_SESSION_CACHE_SIZE_CONFIG).orElse(defaultSslSessionCacheSize());