Update netty/remove tcnative+boringssl dependencies (logstash-plugins#126)

robbavey · web-flow · commit b215b4b8026b · 2020-06-03T14:13:18.000-04:00
This commit updates netty dependency to 4.1.49.final, and
additionally removes the dependency on tcnative +
boringssl

This commit also handles JCE restrictions

While it is been the default for Java since JDK 8u161 released in early 2018,
old versions of Java may not have the JCE unlimited strength jurisdiction policy
installed. This commit handles this case, warning the user that the policy is not
installed, and presenting a reduced set of default ciphers for use.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 3.3.5
+ - Updated jackson databind and Netty dependencies. Additionally, this release removes the dependency on `tcnative` +
+   `boringssl`, using JVM supplied ciphers instead. This may result in fewer ciphers being available if the JCE
+   unlimited strength jurisdiction policy is not installed. (This policy is installed by default on versions of the
+   JDK from u161 onwards)[#126](https://github.com/logstash-plugins/logstash-input-http/pull/126)
+
 ## 3.3.4
  - Refactor: scope (and avoid unused) java imports [#124](https://github.com/logstash-plugins/logstash-input-http/pull/124)
 
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-3.3.4
+3.3.5
diff --git a/build.gradle b/build.gradle
@@ -22,10 +22,8 @@ dependencies {
     testCompile 'org.hamcrest:hamcrest-library:1.3'
     testCompile 'org.apache.logging.log4j:log4j-core:2.11.1'
 
-    compile 'io.netty:netty-all:4.1.30.Final'
-    compile 'io.netty:netty-tcnative-boringssl-static:2.0.12.Final'
+    compile 'io.netty:netty-all:4.1.49.Final'
     compile 'org.apache.logging.log4j:log4j-api:2.11.1'
-
 }
 
 test {
diff --git a/lib/logstash/inputs/http.rb b/lib/logstash/inputs/http.rb
@@ -93,7 +93,7 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
   config :tls_max_version, :validate => :number, :default => TLS.max.version
 
   # The list of ciphers suite to use, listed by priorities.
-  config :cipher_suites, :validate => :array, :default => org.logstash.plugins.inputs.http.util.SslSimpleBuilder::DEFAULT_CIPHERS
+  config :cipher_suites, :validate => :array, :default => org.logstash.plugins.inputs.http.util.SslSimpleBuilder.getDefaultCiphers
 
   # Apply specific codecs for specific content types.
   # The default codec will be applied only after this list is checked
diff --git a/src/main/java/org/logstash/plugins/inputs/http/util/SslSimpleBuilder.java b/src/main/java/org/logstash/plugins/inputs/http/util/SslSimpleBuilder.java
@@ -1,6 +1,5 @@
 package org.logstash.plugins.inputs.http.util;
 
-import io.netty.handler.ssl.OpenSsl;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
 import org.apache.logging.log4j.LogManager;
@@ -18,6 +17,8 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
+import javax.crypto.Cipher;
+import javax.net.ssl.SSLServerSocketFactory;
 
 public class SslSimpleBuilder implements SslBuilder {
 
@@ -26,9 +27,8 @@ public class SslSimpleBuilder implements SslBuilder {
     /*
     Modern Ciphers Compatibility List from
     https://wiki.mozilla.org/Security/Server_Side_TLS
-    This list require the OpenSSl engine for netty.
     */
-    public final static String[] DEFAULT_CIPHERS = new String[] {
+    private final static String[] DEFAULT_CIPHERS = new String[] {
             "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
@@ -39,25 +39,40 @@ public class SslSimpleBuilder implements SslBuilder {
             "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
     };
 
-    private String[] ciphers = DEFAULT_CIPHERS;
+    private final static String[] DEFAULT_CIPHERS_LIMITED = new String[] {
+            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
+    };
+
+    private String[] ciphers = getDefaultCiphers();
     private File sslKeyFile;
     private File sslCertificateFile;
     private String[] certificateAuthorities;
     private String passPhrase;
+    private String[] supportedCiphers = ((SSLServerSocketFactory)SSLServerSocketFactory
+            .getDefault()).getSupportedCipherSuites();
 
     public SslSimpleBuilder(String sslCertificateFilePath, String sslKeyFilePath, String pass) throws FileNotFoundException {
         sslCertificateFile = new File(sslCertificateFilePath);
         sslKeyFile = new File(sslKeyFilePath);
         passPhrase = pass;
-        ciphers = DEFAULT_CIPHERS;
     }
 
     public SslSimpleBuilder setCipherSuites(String[] ciphersSuite) throws IllegalArgumentException {
         for(String cipher : ciphersSuite) {
-            if(!OpenSsl.isCipherSuiteAvailable(cipher)) {
+            if(Arrays.asList(supportedCiphers).contains(cipher)) {
+                logger.debug("Cipher is supported: {}", cipher);
+            }else{
+                if (!isUnlimitedJCEAvailable()) {
+                    logger.warn("JCE Unlimited Strength Jurisdiction Policy not installed");
+                }
                 throw new IllegalArgumentException("Cipher `" + cipher + "` is not available");
-            } else {
-                logger.debug("Cipher is supported: " + cipher);
             }
         }
 
@@ -74,7 +89,7 @@ public SslContext build() throws IOException, NoSuchAlgorithmException, Certific
         SslContextBuilder builder = SslContextBuilder.forServer(sslCertificateFile, sslKeyFile, passPhrase);
 
         if(logger.isDebugEnabled()) {
-            logger.debug("Available ciphers:" + Arrays.toString(OpenSsl.availableOpenSslCipherSuites().toArray()));
+            logger.debug("Available ciphers: " + Arrays.toString(supportedCiphers));
             logger.debug("Ciphers:  " + Arrays.toString(ciphers));
         }
 
@@ -116,4 +131,24 @@ private boolean requireClientAuth() {
 
         return false;
     }
+
+    public static String[] getDefaultCiphers(){
+        if (isUnlimitedJCEAvailable()){
+            return DEFAULT_CIPHERS;
+        } else {
+            logger.warn("JCE Unlimited Strength Jurisdiction Policy not installed - max key length is 128 bits");
+            return DEFAULT_CIPHERS_LIMITED;
+        }
+    }
+
+
+    public static boolean isUnlimitedJCEAvailable(){
+        try {
+            return (Cipher.getMaxAllowedKeyLength("AES") > 128);
+        } catch (NoSuchAlgorithmException e) {
+            logger.warn("AES not available", e);
+            return false;
+        }
+    }
+
 }
