Reputation: 449
As all the requirements mentioned in https://netty.io/news/2018/10/30/4-1-31-Final.html are met:
That said TLSv1.3 is not enabled by default so if you want to use it you will need to explicit enable it by using TLSv1.3 when configure your SslContextBuilder (like for example): SslContextBuilder.forClient().protocols("TLSv1.3") ....
but I run into an exception as follows:
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:100000f0:SSL routines:OPENSSL_internal:UNSUPPORTED_PROTOCOL
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at com.taobao.hsf.io.netty.common.tls.NettyHandShakeHandler.channelRead0(NettyHandShakeHandler.java:80)
at com.taobao.hsf.io.netty.common.tls.NettyHandShakeHandler.channelRead0(NettyHandShakeHandler.java:24)
at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:648)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:583)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:500)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:454)
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:897)
at com.taobao.hsf.io.netty.util.PooledThreadFactory$PooledByteBufRunnable.run(PooledThreadFactory.java:37)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: error:100000f0:SSL routines:OPENSSL_internal:UNSUPPORTED_PROTOCOL
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:1194)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1155)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1226)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1269)
at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:216)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1297)
at io.netty.handler.ssl.SslHandler.decodeNonJdkCompatible(SslHandler.java:1211)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1245)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441)
... 22 more
Any ideas about this?
Upvotes: 1
Views: 8000
Reputation: 886
Netty 4.1.52-Final supports TLSv1.3 by default; refer here for more info.
Upvotes: 1
Reputation: 23567
This is the right way to do it, but in this case you enable TLSv1.3 only, which means that the handshake will fail if the server only supports, for example, TLSv1.2. Usually you don't want to only support TLSv1.3 but also support another protocol like TLSv1.2.
SslContextBuilder.forClient().protocols("TLSv1.3", "TLSv1.2");
Upvotes: 2
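An added example, not taken from any of the posts above: a client context that offers TLSv1.3 only when the selected provider supports it and always keeps TLSv1.2 as a fallback, then prints the protocols the engine will actually offer. The class name `Tls13ClientContext` and the helper `protocolsFor` are hypothetical; it assumes a Netty 4.1.x version that has `SslProvider.isTlsv13Supported`.

```java
import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.util.ReferenceCountUtil;

import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical class name, used only for this illustration.
public final class Tls13ClientContext {

    // Offer TLSv1.3 only if the provider can negotiate it, and always keep
    // TLSv1.2 so a TLSv1.2-only server does not fail the handshake.
    static String[] protocolsFor(SslProvider provider) {
        List<String> protocols = new ArrayList<>();
        if (SslProvider.isTlsv13Supported(provider)) {
            protocols.add("TLSv1.3");
        }
        protocols.add("TLSv1.2");
        return protocols.toArray(new String[0]);
    }

    static SslContext build() throws Exception {
        // Use netty-tcnative when it is on the classpath, else the JDK engine.
        SslProvider provider = OpenSsl.isAvailable() ? SslProvider.OPENSSL : SslProvider.JDK;
        return SslContextBuilder.forClient()
                .sslProvider(provider)
                .protocols(protocolsFor(provider))
                .build();
    }

    public static void main(String[] args) throws Exception {
        SslContext ctx = build();
        SSLEngine engine = ctx.newEngine(ByteBufAllocator.DEFAULT);
        try {
            // These are the versions the ClientHello will offer; compare them
            // with what the server accepts when a handshake is rejected.
            System.out.println("enabled: " + Arrays.toString(engine.getEnabledProtocols()));
        } finally {
            // Frees the native engine; returns false for a plain JDK engine.
            ReferenceCountUtil.release(engine);
        }
    }
}
```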