Have a way to configure SslEngine enabled Protocols and CipherSuites, close AsyncHttpClient#740

Author: Stephane Landelle

api/src/main/java/org/asynchttpclient/AsyncHttpClientConfig.java

@@ -104,6 +104,8 @@ public class AsyncHttpClientConfig {
     protected boolean disableUrlEncodingForBoundRequests;
     protected int ioThreadMultiplier;
     protected TimeConverter timeConverter;
+    protected String[] enabledProtocols;
+    protected String[] enabledCipherSuites;
     protected AsyncHttpProviderConfig<?, ?> providerConfig;
 
     // AHC 2 specific
@@ -144,6 +146,8 @@ private AsyncHttpClientConfig(int connectTimeout,//
             boolean disableUrlEncodingForBoundRequests, //
             int ioThreadMultiplier, //
             TimeConverter timeConverter,//
+            String[] enabledProtocols,//
+            String[] enabledCipherSuites,//
             AsyncHttpProviderConfig<?, ?> providerConfig,//
             boolean spdyEnabled, //
             int spdyInitialWindowSize, //
@@ -179,6 +183,8 @@ private AsyncHttpClientConfig(int connectTimeout,//
         this.disableUrlEncodingForBoundRequests = disableUrlEncodingForBoundRequests;
         this.ioThreadMultiplier = ioThreadMultiplier;
         this.timeConverter = timeConverter;
+        this.enabledProtocols = enabledProtocols;
+        this.enabledCipherSuites = enabledCipherSuites;
         this.providerConfig = providerConfig;
         this.spdyEnabled = spdyEnabled;
         this.spdyInitialWindowSize = spdyInitialWindowSize;
@@ -514,7 +520,7 @@ public int getConnectionTTL() {
     /**
      * @return the TimeConverter used for converting RFC2616Dates into time
      *
-     * @since 2.0.0
+     * since 1.9.0
      */
     public TimeConverter getTimeConverter() {
         return timeConverter;
@@ -524,6 +530,20 @@ public boolean isAcceptAnyCertificate() {
         return acceptAnyCertificate;
     }
 
+    /**
+     * since 1.9.0
+     */
+    public String[] getEnabledProtocols() {
+        return enabledProtocols;
+    }
+
+    /**
+     * since 1.9.0
+     */
+    public String[] getEnabledCipherSuites() {
+        return enabledCipherSuites;
+    }
+
     /**
      * Builder for an {@link AsyncHttpClient}
      */
@@ -560,6 +580,8 @@ public static class Builder {
         private boolean disableUrlEncodingForBoundRequests = defaultDisableUrlEncodingForBoundRequests();
         private int ioThreadMultiplier = defaultIoThreadMultiplier();
         private TimeConverter timeConverter;
+        private String[] enabledProtocols;
+        private String[] enabledCipherSuites;
         private AsyncHttpProviderConfig<?, ?> providerConfig;
 
         // AHC 2
@@ -1028,7 +1050,17 @@ public Builder setAcceptAnyCertificate(boolean acceptAnyCertificate) {
             this.acceptAnyCertificate = acceptAnyCertificate;
             return this;
         }
-        
+
+        public Builder setEnabledProtocols(String[] enabledProtocols) {
+            this.enabledProtocols = enabledProtocols;
+            return this;
+        }
+
+        public Builder setEnabledCipherSuites(String[] enabledCipherSuites) {
+            this.enabledCipherSuites = enabledCipherSuites;
+            return this;
+        }
+
         /**
          * Create a config builder with values taken from the given prototype configuration.
          *
@@ -1070,7 +1102,9 @@ public Builder(AsyncHttpClientConfig prototype) {
             strict302Handling = prototype.isStrict302Handling();
             timeConverter = prototype.timeConverter;
             acceptAnyCertificate = prototype.acceptAnyCertificate;
-            
+            enabledProtocols = prototype.enabledProtocols;
+            enabledCipherSuites = prototype.enabledCipherSuites;
+
             spdyEnabled = prototype.isSpdyEnabled();
             spdyInitialWindowSize = prototype.getSpdyInitialWindowSize();
             spdyMaxConcurrentStreams = prototype.getSpdyMaxConcurrentStreams();
@@ -1127,6 +1161,8 @@ else if (hostnameVerifier == null)
                     disableUrlEncodingForBoundRequests, //
                     ioThreadMultiplier, //
                     timeConverter,//
+                    enabledProtocols, //
+                    enabledCipherSuites, //
                     providerConfig, //
                     spdyEnabled, //
                     spdyInitialWindowSize, //

api/src/main/java/org/asynchttpclient/SSLEngineFactory.java

@@ -13,19 +13,51 @@
  */
 package org.asynchttpclient;
 
+import java.security.GeneralSecurityException;
+
+import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 
-import java.security.GeneralSecurityException;
+import org.asynchttpclient.util.SslUtils;
 
 /**
  * Factory that creates an {@link SSLEngine} to be used for a single SSL connection.
  */
 public interface SSLEngineFactory {
+
     /**
      * Creates new {@link SSLEngine}.
      *
      * @return new engine
      * @throws GeneralSecurityException if the SSLEngine cannot be created
      */
-    SSLEngine newSSLEngine() throws GeneralSecurityException;
+    SSLEngine newSSLEngine(String peerHost, int peerPort) throws GeneralSecurityException;
+
+    public static class DefaultSSLEngineFactory implements SSLEngineFactory {
+
+        private final AsyncHttpClientConfig config;
+
+        public DefaultSSLEngineFactory(AsyncHttpClientConfig config) {
+            this.config = config;
+        }
+
+        @Override
+        public SSLEngine newSSLEngine(String peerHost, int peerPort) throws GeneralSecurityException {
+            SSLContext sslContext = config.getSSLContext();
+
+            if (sslContext == null)
+                sslContext = SslUtils.getInstance().getSSLContext(config.isAcceptAnyCertificate());
+
+            SSLEngine sslEngine = sslContext.createSSLEngine(peerHost, peerPort);
+            sslEngine.setUseClientMode(true);
+
+            if (config.getEnabledProtocols() != null)
+                sslEngine.setEnabledProtocols(config.getEnabledProtocols());
+
+            if (config.getEnabledCipherSuites() != null)
+                sslEngine.setEnabledCipherSuites(config.getEnabledCipherSuites());
+
+            return sslEngine;
+        }
+    }
 }

api/src/main/java/org/asynchttpclient/util/SslUtils.java

@@ -19,7 +19,6 @@
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
 
-import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
@@ -65,7 +64,7 @@ public static SslUtils getInstance() {
         return SingletonHolder.instance;
     }
 
-    public SSLContext getSSLContext(boolean acceptAnyCertificate) throws GeneralSecurityException, IOException {
+    public SSLContext getSSLContext(boolean acceptAnyCertificate) throws GeneralSecurityException {
         return acceptAnyCertificate? looseTrustManagerSSLContext: SSLContext.getDefault();
     }
 }

providers/netty/src/main/java/org/asynchttpclient/providers/netty/channel/ChannelManager.java

@@ -41,12 +41,12 @@
 import java.util.concurrent.Semaphore;
 import java.util.concurrent.atomic.AtomicBoolean;
 
-import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 
 import org.asynchttpclient.AsyncHttpClientConfig;
 import org.asynchttpclient.ConnectionPoolPartitioning;
 import org.asynchttpclient.ProxyServer;
+import org.asynchttpclient.SSLEngineFactory;
 import org.asynchttpclient.providers.netty.Callback;
 import org.asynchttpclient.providers.netty.NettyAsyncHttpProviderConfig;
 import org.asynchttpclient.providers.netty.channel.pool.ChannelPool;
@@ -59,7 +59,6 @@
 import org.asynchttpclient.providers.netty.handler.WebSocketProtocol;
 import org.asynchttpclient.providers.netty.request.NettyRequestSender;
 import org.asynchttpclient.uri.Uri;
-import org.asynchttpclient.util.SslUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -79,6 +78,7 @@ public class ChannelManager {
 
     private final AsyncHttpClientConfig config;
     private final NettyAsyncHttpProviderConfig nettyConfig;
+    private final SSLEngineFactory sslEngineFactory;
 
     private final EventLoopGroup eventLoopGroup;
     private final boolean allowReleaseEventLoopGroup;
@@ -104,6 +104,7 @@ public ChannelManager(AsyncHttpClientConfig config, NettyAsyncHttpProviderConfig
 
         this.config = config;
         this.nettyConfig = nettyConfig;
+        this.sslEngineFactory = nettyConfig.getSslEngineFactory() != null? nettyConfig.getSslEngineFactory() : new SSLEngineFactory.DefaultSSLEngineFactory(config);
 
         ChannelPool channelPool = nettyConfig.getChannelPool();
         if (channelPool == null && config.isAllowPoolingConnections()) {
@@ -343,18 +344,7 @@ private HttpClientCodec newHttpClientCodec() {
 
     public SslHandler createSslHandler(String peerHost, int peerPort) throws IOException, GeneralSecurityException {
 
-        SSLEngine sslEngine = null;
-        if (nettyConfig.getSslEngineFactory() != null) {
-            sslEngine = nettyConfig.getSslEngineFactory().newSSLEngine();
-
-        } else {
-            SSLContext sslContext = config.getSSLContext();
-            if (sslContext == null)
-                sslContext = SslUtils.getInstance().getSSLContext(config.isAcceptAnyCertificate());
-
-            sslEngine = sslContext.createSSLEngine(peerHost, peerPort);
-            sslEngine.setUseClientMode(true);
-        }
+        SSLEngine sslEngine = sslEngineFactory.newSSLEngine(peerHost, peerPort);
 
         SslHandler sslHandler = new SslHandler(sslEngine);
         if (handshakeTimeout > 0)