Have a way to configure SslEngine enabled Protocols and CipherSuites, close #740

Author: Stephane Landelle

src/main/java/com/ning/http/client/AsyncHttpClientConfig.java

@@ -79,6 +79,8 @@ public class AsyncHttpClientConfig {
     protected boolean disableUrlEncodingForBoundRequests;
     protected int ioThreadMultiplier;
     protected TimeConverter timeConverter;
+    protected String[] enabledProtocols;
+    protected String[] enabledCipherSuites;
     protected AsyncHttpProviderConfig<?, ?> providerConfig;
 
     protected AsyncHttpClientConfig() {
@@ -114,6 +116,8 @@ private AsyncHttpClientConfig(int connectTimeout,//
             boolean disableUrlEncodingForBoundedRequests, //
             int ioThreadMultiplier, //
             TimeConverter timeConverter,//
+            String[] enabledProtocols,//
+            String[] enabledCipherSuites,//
             AsyncHttpProviderConfig<?, ?> providerConfig) {
 
         this.connectTimeout = connectTimeout;
@@ -146,6 +150,8 @@ private AsyncHttpClientConfig(int connectTimeout,//
         this.disableUrlEncodingForBoundRequests = disableUrlEncodingForBoundedRequests;
         this.ioThreadMultiplier = ioThreadMultiplier;
         this.timeConverter = timeConverter;
+        this.enabledProtocols = enabledProtocols;
+        this.enabledCipherSuites = enabledCipherSuites;
         this.providerConfig = providerConfig;
     }
 
@@ -449,6 +455,20 @@ public boolean isAcceptAnyCertificate() {
         return acceptAnyCertificate;
     }
 
+    /**
+     * since 1.9.0
+     */
+    public String[] getEnabledProtocols() {
+        return enabledProtocols;
+    }
+
+    /**
+     * since 1.9.0
+     */
+    public String[] getEnabledCipherSuites() {
+        return enabledCipherSuites;
+    }
+
     /**
      * Builder for an {@link AsyncHttpClient}
      */
@@ -484,6 +504,8 @@ public static class Builder {
         private int maxRequestRetry = defaultMaxRequestRetry();
         private boolean disableUrlEncodingForBoundedRequests = defaultDisableUrlEncodingForBoundRequests();
         private int ioThreadMultiplier = defaultIoThreadMultiplier();
+        private String[] enabledProtocols;
+        private String[] enabledCipherSuites;
         private TimeConverter timeConverter;
         private AsyncHttpProviderConfig<?, ?> providerConfig;
 
@@ -903,6 +925,16 @@ public Builder setAcceptAnyCertificate(boolean acceptAnyCertificate) {
             return this;
         }
 
+        public Builder setEnabledProtocols(String[] enabledProtocols) {
+            this.enabledProtocols = enabledProtocols;
+            return this;
+        }
+
+        public Builder setEnabledCipherSuites(String[] enabledCipherSuites) {
+            this.enabledCipherSuites = enabledCipherSuites;
+            return this;
+        }
+
         /**
          * Create a config builder with values taken from the given prototype configuration.
          *
@@ -943,6 +975,8 @@ public Builder(AsyncHttpClientConfig prototype) {
             hostnameVerifier = prototype.getHostnameVerifier();
             strict302Handling = prototype.isStrict302Handling();
             timeConverter = prototype.timeConverter;
+            enabledProtocols = prototype.enabledProtocols;
+            enabledCipherSuites = prototype.enabledCipherSuites;
             acceptAnyCertificate = prototype.acceptAnyCertificate;
         }
 
@@ -1006,6 +1040,8 @@ else if (hostnameVerifier == null)
                     disableUrlEncodingForBoundedRequests, //
                     ioThreadMultiplier, //
                     timeConverter,//
+                    enabledProtocols, //
+                    enabledCipherSuites, //
                     providerConfig);
         }
     }

src/main/java/com/ning/http/client/SSLEngineFactory.java

@@ -13,6 +13,9 @@
  */
 package com.ning.http.client;
 
+import com.ning.http.util.SslUtils;
+
+import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 
 import java.security.GeneralSecurityException;
@@ -21,11 +24,40 @@
  * Factory that creates an {@link SSLEngine} to be used for a single SSL connection.
  */
 public interface SSLEngineFactory {
+
     /**
      * Creates new {@link SSLEngine}.
      *
      * @return new engine
      * @throws GeneralSecurityException if the SSLEngine cannot be created
      */
-    SSLEngine newSSLEngine() throws GeneralSecurityException;
+    SSLEngine newSSLEngine(String peerHost, int peerPort) throws GeneralSecurityException;
+
+    public static class DefaultSSLEngineFactory implements SSLEngineFactory {
+
+        private final AsyncHttpClientConfig config;
+
+        public DefaultSSLEngineFactory(AsyncHttpClientConfig config) {
+            this.config = config;
+        }
+
+        @Override
+        public SSLEngine newSSLEngine(String peerHost, int peerPort) throws GeneralSecurityException {
+            SSLContext sslContext = config.getSSLContext();
+
+            if (sslContext == null)
+                sslContext = SslUtils.getInstance().getSSLContext(config.isAcceptAnyCertificate());
+
+            SSLEngine sslEngine = sslContext.createSSLEngine(peerHost, peerPort);
+            sslEngine.setUseClientMode(true);
+
+            if (config.getEnabledProtocols() != null)
+                sslEngine.setEnabledProtocols(config.getEnabledProtocols());
+
+            if (config.getEnabledCipherSuites() != null)
+                sslEngine.setEnabledCipherSuites(config.getEnabledCipherSuites());
+
+            return sslEngine;
+        }
+    }
 }

src/main/java/com/ning/http/client/providers/netty/channel/ChannelManager.java

@@ -41,6 +41,7 @@
 import com.ning.http.client.AsyncHttpClientConfig;
 import com.ning.http.client.ConnectionPoolPartitioning;
 import com.ning.http.client.ProxyServer;
+import com.ning.http.client.SSLEngineFactory;
 import com.ning.http.client.providers.netty.Callback;
 import com.ning.http.client.providers.netty.NettyAsyncHttpProviderConfig;
 import com.ning.http.client.providers.netty.channel.pool.ChannelPool;
@@ -54,9 +55,7 @@
 import com.ning.http.client.providers.netty.handler.WebSocketProtocol;
 import com.ning.http.client.providers.netty.request.NettyRequestSender;
 import com.ning.http.client.uri.Uri;
-import com.ning.http.util.SslUtils;
 
-import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 
 import java.io.IOException;
@@ -85,6 +84,7 @@ public class ChannelManager {
 
     private final AsyncHttpClientConfig config;
     private final NettyAsyncHttpProviderConfig nettyConfig;
+    private final SSLEngineFactory sslEngineFactory;
     private final ChannelPool channelPool;
     private final boolean maxTotalConnectionsEnabled;
     private final Semaphore freeChannels;
@@ -109,6 +109,7 @@ public ChannelManager(AsyncHttpClientConfig config, NettyAsyncHttpProviderConfig
         this.config = config;
         this.nettyConfig = nettyConfig;
         this.nettyTimer = nettyTimer;
+        this.sslEngineFactory = nettyConfig.getSslEngineFactory() != null? nettyConfig.getSslEngineFactory() : new SSLEngineFactory.DefaultSSLEngineFactory(config);
 
         ChannelPool channelPool = nettyConfig.getChannelPool();
         if (channelPool == null && config.isAllowPoolingConnections()) {
@@ -376,19 +377,7 @@ private HttpClientCodec newHttpClientCodec() {
     }
 
     public SslHandler createSslHandler(String peerHost, int peerPort) throws GeneralSecurityException, IOException {
-        SSLEngine sslEngine = null;
-        if (nettyConfig.getSslEngineFactory() != null) {
-            sslEngine = nettyConfig.getSslEngineFactory().newSSLEngine();
-
-        } else {
-            SSLContext sslContext = config.getSSLContext();
-            if (sslContext == null)
-                sslContext = SslUtils.getInstance().getSSLContext(config.isAcceptAnyCertificate());
-
-            sslEngine = sslContext.createSSLEngine(peerHost, peerPort);
-            sslEngine.setUseClientMode(true);
-        }
-
+        SSLEngine sslEngine = sslEngineFactory.newSSLEngine(peerHost, peerPort);
         return handshakeTimeout > 0 ? new SslHandler(sslEngine, getDefaultBufferPool(), false, nettyTimer, handshakeTimeout)
                 : new SslHandler(sslEngine);
     }

src/main/java/com/ning/http/util/SslUtils.java

@@ -19,7 +19,6 @@
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
 
-import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
@@ -62,7 +61,7 @@ public static SslUtils getInstance() {
         return SingletonHolder.instance;
     }
 
-    public SSLContext getSSLContext(boolean acceptAnyCertificate) throws GeneralSecurityException, IOException {
+    public SSLContext getSSLContext(boolean acceptAnyCertificate) throws GeneralSecurityException {
         return acceptAnyCertificate ? looseTrustManagerSSLContext : SSLContext.getDefault();
     }
 }